Can't make port forwarding work

I want to forward port 8989 from 192.168.2.232 to 192.168.0.32 using OpenWRT. My final objective is to connect to the app that is running on 192.168.2.232:8989 using 192.168.0.32:8989.

This is my current configuration:

Thanks.

Erase this forwarding. Then use ssh to connect to the device and run the following:

uci add firewall redirect
uci set firewall.@redirect[-1].reflection='0'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].name='forward'
uci set firewall.@redirect[-1].src_dport='8989'
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].dest_ip='192.168.2.232'
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].dest_port='8989'
uci set firewall.@redirect[-1].src_dip='192.168.0.32'
uci commit firewall
service firewall restart

Clear the source IP address. It matches the address the inbound connection attempt originally came from (the client), not the address you're forwarding to, nor the external one you're forwarding from.


Hi, thanks for your answer. I tried it but it did not work.

Post here the output of iptables-save -t nat -c

root@OpenWrt:~# iptables-save -t nat -c
# Generated by iptables-save v1.8.7 on Mon Feb  7 12:36:49 2022
*nat
:PREROUTING ACCEPT [14230:1063983]
:INPUT ACCEPT [12647:837573]
:OUTPUT ACCEPT [2653:202033]
:POSTROUTING ACCEPT [42:7753]
:DOCKER - [0:0]
:postrouting_docker_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_docker_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_docker_postrouting - [0:0]
:zone_docker_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[12460:792688] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[14230:1063983] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[14195:1057520] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[35:6463] -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
[0:0] -A PREROUTING -i docker0 -m comment --comment "!fw3" -j zone_docker_prerouting
[0:0] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[4151:424611] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[33:7148] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[4109:416858] -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
[0:0] -A POSTROUTING -o docker0 -m comment --comment "!fw3" -j zone_docker_postrouting
[0:0] -A DOCKER -i docker0 -j RETURN
[0:0] -A zone_docker_postrouting -m comment --comment "!fw3: Custom docker postrouting rule chain" -j postrouting_docker_rule
[0:0] -A zone_docker_prerouting -m comment --comment "!fw3: Custom docker prerouting rule chain" -j prerouting_docker_rule
[33:7148] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[14195:1057520] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_vpn_postrouting -m comment --comment "!fw3: Custom vpn postrouting rule chain" -j postrouting_vpn_rule
[0:0] -A zone_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_vpn_prerouting -m comment --comment "!fw3: Custom vpn prerouting rule chain" -j prerouting_vpn_rule
[4109:416858] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[4109:416858] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[35:6463] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -d 192.168.0.32/32 -p tcp -m tcp --dport 8989 -m comment --comment "!fw3: forward" -j DNAT --to-destination 192.168.2.232:8989
[0:0] -A zone_wan_prerouting -d 192.168.0.32/32 -p udp -m udp --dport 8989 -m comment --comment "!fw3: forward" -j DNAT --to-destination 192.168.2.232:8989
COMMIT
# Completed on Mon Feb  7 12:36:49 2022

Zero hits on both, no packets ever arrived to the OpenWrt to be forwarded.

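The diagnosis above rests on reading the `[packets:bytes]` counters that `iptables-save -c` prints in front of each rule: the jump into `zone_wan_prerouting` saw traffic, but the two DNAT rules never matched. The following is an added example, not code from the thread or from OpenWrt, that parses a trimmed, constructed copy of that output and reports, for every DNAT rule, whether its chain saw packets at all and whether the rule itself ever matched. The sample text and the field names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a trimmed copy of the kind of `iptables-save -t nat -c`
# output posted in the thread. Counters in front of each rule are [packets:bytes].
SAMPLE_NAT = """\
*nat
:PREROUTING ACCEPT [14230:1063983]
:zone_wan_prerouting - [0:0]
[35:6463] -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
[35:6463] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -d 192.168.0.32/32 -p tcp -m tcp --dport 8989 -m comment --comment "!fw3: forward" -j DNAT --to-destination 192.168.2.232:8989
[0:0] -A zone_wan_prerouting -d 192.168.0.32/32 -p udp -m udp --dport 8989 -m comment --comment "!fw3: forward" -j DNAT --to-destination 192.168.2.232:8989
COMMIT
"""

# "[pkts:bytes] -A <chain> <rest of rule>"
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s*(.*)$")


@dataclass
class NatRule:
    chain: str
    packets: int
    nbytes: int
    target: Optional[str]          # -j
    dst: Optional[str]             # -d, e.g. "192.168.0.32/32"
    proto: Optional[str]           # -p
    dport: Optional[str]           # --dport
    to_destination: Optional[str]  # --to-destination
    comment: Optional[str]         # --comment (quotes stripped)


def _opt(body: str, flag: str) -> Optional[str]:
    """Return the argument that follows `flag` in a rule body, or None if absent.
    The leading (^|\\s) keeps `-d` from matching inside `--dport`."""
    m = re.search(rf'(?:^|\s){re.escape(flag)}\s+("[^"]*"|\S+)', body)
    return m.group(1).strip('"') if m else None


def parse_nat_rules(text: str) -> List[NatRule]:
    """Parse every counted rule line; headers, chain declarations and COMMIT are skipped."""
    rules: List[NatRule] = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        pkts, nbytes, chain, body = m.groups()
        rules.append(NatRule(chain, int(pkts), int(nbytes), _opt(body, "-j"),
                             _opt(body, "-d"), _opt(body, "-p"), _opt(body, "--dport"),
                             _opt(body, "--to-destination"), _opt(body, "--comment")))
    return rules


def chain_packets(rules: List[NatRule], chain: str) -> int:
    """Packets that entered `chain`, summed over every rule that jumps into it."""
    return sum(r.packets for r in rules if r.target == chain)


def diagnose_dnat(text: str) -> List[str]:
    """One finding per DNAT rule: did traffic reach its chain, and did the rule match?"""
    rules = parse_nat_rules(text)
    findings = []
    for r in rules:
        if r.target != "DNAT":
            continue
        entered = chain_packets(rules, r.chain)
        label = (f"{r.chain}: {r.proto or 'any'} to {r.dst or 'any'} "
                 f"dport {r.dport or 'any'} -> {r.to_destination}")
        if r.packets == 0 and entered == 0:
            findings.append(f"NO TRAFFIC ON CHAIN: {label}")
        elif r.packets == 0:
            # Traffic reached the zone chain but nothing matched this -d/-p/--dport tuple.
            findings.append(f"NEVER MATCHED ({entered} packets entered chain): {label}")
        else:
            findings.append(f"OK ({r.packets} packets): {label}")
    return findings


if __name__ == "__main__":
    for line in diagnose_dnat(SAMPLE_NAT):
        print(line)
```

On a live router the same function can be fed the real output (`iptables-save -t nat -c`), and a rule that reports NEVER MATCHED while its chain counter grows points at the match criteria (here the `-d 192.168.0.32/32` restriction that `src_dip` produces) rather than at the firewall not seeing traffic.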

Hi, thanks for your answer.

Is there anything else I can try? I can access the app through 192.168.2.232:8989.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Hi, Thanks for your answer. This is the output.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'fd95:27c5:3e18::/48'
	option packet_steering '1'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth1'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'vpn0'
	option proto 'none'
	option device 'tun0'

config interface 'docker'
	option device 'docker0'
	option proto 'none'
	option auto '0'

config device
	option type 'bridge'
	option name 'docker0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option fullcone '1'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'ACCEPT'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'zerotier'
	option type 'script'
	option path '/etc/zerotier.start'
	option reload '1'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'gowebdav'
	option type 'script'
	option path '/var/etc/gowebdav.include'
	option reload '1'

config include 'luci_app_ipsec_server'
	option type 'script'
	option path '/var/etc/ipsecvpn.include'
	option reload '1'

config include 'passwall'
	option type 'script'
	option path '/var/etc/passwall.include'
	option reload '1'

config include 'passwall_server'
	option type 'script'
	option path '/var/etc/passwall_server.include'
	option reload '1'

config include 'luci_app_pptp_server'
	option type 'script'
	option path '/var/etc/pptpd.include'
	option reload '1'

config include 'socat'
	option type 'script'
	option path '/var/etc/socat.include'
	option reload '1'

config include 'ssr_mudb_server'
	option type 'script'
	option path '/var/etc/ssr_mudb_server.include'
	option reload '1'

config rule 'kms'
	option name 'kms'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '1688'

config include 'openclash'
	option type 'script'
	option path '/var/etc/openclash.include'
	option reload '1'

config include 'shadowsocksr'
	option type 'script'
	option path '/var/etc/shadowsocksr.include'
	option reload '1'

config include 'mia'
	option type 'script'
	option path '/etc/mia.include'
	option reload '1'

config rule 'openvpn'
	option name 'openvpn'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp udp'
	option dest_port '1194'

config zone 'vpn'
	option name 'vpn'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	list network 'vpn0'

config forwarding 'vpntowan'
	option src 'vpn'
	option dest 'wan'

config forwarding 'vpntolan'
	option src 'vpn'
	option dest 'lan'

config forwarding 'lantovpn'
	option src 'lan'
	option dest 'vpn'

config include 'unblockmusic'
	option type 'script'
	option path '/var/etc/unblockmusic.include'
	option reload '1'

config include 'softethervpn'
	option type 'script'
	option path '/usr/share/softethervpn/firewall.include'
	option reload '1'

config include 'v2ray_server'
	option type 'script'
	option path '/var/etc/v2ray_server.include'
	option reload '1'

config include 'wrtbwmon'
	option type 'script'
	option path '/etc/wrtbwmon.include'
	option reload '1'

config zone 'docker'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'docker'
	list network 'docker'

config rule
	option name 'Allow-NFS-RPC'
	option src 'lan'
	option proto 'tcp udp'
	option dest_port '111'
	option target 'ACCEPT'

config rule
	option name 'Allow-NFS'
	option src 'lan'
	option proto 'tcp udp'
	option dest_port '2049'
	option target 'ACCEPT'

config rule
	option name 'Allow-NFS-Lock'
	option src 'lan'
	option proto 'tcp udp'
	option dest_port '32777:32780'
	option target 'ACCEPT'

config rule
	option name 'r ports'
	option src 'wan'
	option target 'ACCEPT'

config redirect
	option reflection '0'
	option src 'wan'
	option name 'forward'
	option src_dport '8989'
	option target 'DNAT'
	option dest_ip '192.168.2.232'
	option dest 'lan'
	option dest_port '8989'
	option src_dip '192.168.0.32'

You have a ton of stuff going on in your firewall with a whole bunch of include files and some VPN stuff (zero tier, OpenVPN, softether, etc.), shadow socks and much more. The VPNs alone could cause issues -- typically the routing tables make it such that egress must use the VPN tunnel, which means that inbound connections that are being port forwarded may have the reply lost through the tunnel. But aside from that, you have so many other includes that it is really hard to know what is happening on each one.

I have one idea for you to try:

Remove the src_dip line from the section above. See if that works.
If it doesn't fix your problem, you'll probably have to start disabling VPNs, shadow socks, and other things to see what is interfering. Once you've found it, you may be able to use Policy Based Routing (or VPN PBR) to resolve the conflict.

Meanwhile, what version of OpenWrt are you running?

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:

ubus call system board

Also, is this router directly connected to the internet, or is it behind another (trusted) router/firewall?

I ask because your wan firewall zone has input=accept and forward=accept (which is very dangerous if the wan zone contains untrusted networks).
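The two warnings in this thread, a wan zone with input=ACCEPT and forward=ACCEPT, and a redirect whose src_dip pins it to one address, are both visible in the plain text of /etc/config/firewall. Below is an added example, not code from the thread or from OpenWrt, that parses UCI config text with a small tokenizer and audits it for those conditions; it also flags an ACCEPT rule from wan with no proto or dest_port (a catch-all, which generalises the input=ACCEPT concern to individual rules) and lists the include scripts that run outside UCI. The sample config is constructed, trimmed from the shape of the one posted above, and the heuristic that a zone with masq '1' is the upstream-facing one is this example's assumption.

```python
import shlex
from typing import Dict, List

# Constructed sample, trimmed from the shape of the /etc/config/firewall in the thread.
SAMPLE_FIREWALL = """\
config defaults
	option input 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'wan'

config rule
	option name 'r ports'
	option src 'wan'
	option target 'ACCEPT'

config include 'passwall'
	option type 'script'
	option path '/var/etc/passwall.include'

config redirect
	option src 'wan'
	option name 'forward'
	option src_dport '8989'
	option target 'DNAT'
	option dest_ip '192.168.2.232'
	option dest 'lan'
	option dest_port '8989'
	option src_dip '192.168.0.32'
"""


def parse_uci(text: str) -> List[Dict]:
    """Parse UCI text into sections: {'type', 'name', 'options': {...}, 'lists': {k: [...]}}.
    shlex handles the single-quoted values, including ones with spaces ('r ports')."""
    sections: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0] == "config":
            sections.append({"type": tokens[1],
                             "name": tokens[2] if len(tokens) > 2 else None,
                             "options": {}, "lists": {}})
        elif tokens[0] == "option" and sections:
            sections[-1]["options"][tokens[1]] = tokens[2] if len(tokens) > 2 else ""
        elif tokens[0] == "list" and sections:
            sections[-1]["lists"].setdefault(tokens[1], []).append(tokens[2])
    return sections


def audit_firewall(text: str) -> List[str]:
    """Return human-readable findings, in config order, then a summary of include scripts."""
    findings: List[str] = []
    sections = parse_uci(text)
    for s in sections:
        o = s["options"]
        # Assumption: a zone named wan or one that masquerades faces the upstream network.
        if s["type"] == "zone" and (o.get("name") == "wan" or o.get("masq") == "1"):
            for policy in ("input", "forward"):
                if o.get(policy, "").upper() == "ACCEPT":
                    findings.append(f"zone {o.get('name')}: {policy}=ACCEPT on an upstream-facing zone")
        elif s["type"] == "rule" and o.get("src") == "wan" and o.get("target", "").upper() == "ACCEPT":
            if "proto" not in o and "dest_port" not in o:
                findings.append(f"rule '{o.get('name', '?')}': accepts any traffic from wan (no proto/dest_port)")
        elif s["type"] == "redirect" and "src_dip" in o:
            # src_dip becomes a -d match: the redirect only fires when the wan address is exactly this.
            findings.append(f"redirect '{o.get('name', '?')}': matches only when the wan address is {o['src_dip']}")
    includes = [s for s in sections if s["type"] == "include"]
    if includes:
        paths = ", ".join(s["options"].get("path", "?") for s in includes)
        findings.append(f"{len(includes)} include script(s) run outside UCI: {paths}")
    return findings


if __name__ == "__main__":
    for finding in audit_firewall(SAMPLE_FIREWALL):
        print(finding)
```

Run against a copy of the real file (`cat /etc/config/firewall`, redacted as the thread asks), the include list is the part to read first: every script there can install iptables rules that never appear in the UCI sections, which is why the config on its own cannot explain what the router is doing.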

Hi.

My OpenWrt router is behind my ISP-provided router.

ok... good.

That said, the system info would be useful as well.

Hi, thanks for your answer. Most of the stuff was preinstalled when I bought the router.

Here is the output.

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.4.143",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 3",
	"model": "Raspberry Pi Compute Module 4 Rev 1.0",
	"board_name": "raspberrypi,4-compute-module",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02-SNAPSHOT",
		"revision": "r16281+14-6f8143fa4a",
		"target": "bcm27xx/bcm2711",
		"description": "OpenWrt 21.02-SNAPSHOT r16281+14-6f8143fa4a"
	}
}

I tried all the previous suggestions and removed the VPN (it was not in use), but the problem persists.

Ouch!
If you don't need it, you should reinstall or reset OpenWrt....


That should be a red flag. Especially given how much stuff is in that firewall config file... if you didn't put it there, you shouldn't trust it.

If you're not actively using those features, just start with a fresh install.


Hi.

I think that at this point the easier thing would be to start with a fresh install.

Thanks to everyone for their time.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.