Cant open/forward port 443 to server

@sputnik, welcome to the community!

The rule is turned off.


Hi @lleachii,

Thank you for the welcome :slight_smile:

I have tried all the rules, and they were also active. I have disabled them but left them in to show what I have tried. What rule do you refer to?
This one?

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '443'
        option name 'HTTPS forward'
        option family 'ipv4'
        option src_port '443'
        option dest 'lan'
        option enabled '0'

Thanks,
Sputnik

I'm not sure it matters, since all of those with option enabled are set to 0.

Nonetheless, if you are trying to Port Forward, you need to specify the IP of the HTTPS server:

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '443'
        option dest_ip '192.168.22.130'
        option dest_port '443'
        option name 'HTTPS forward'

Not sure what this means; the router should have at least 2 networks (WAN and LAN). If your server is on another Firewall Zone than LAN, change the option dest accordingly.

option dest_ip '192.168.22.130' is the IP of the server.
Server is in the Firewall Zone LAN.

I have read that those external port scans like canyouseeme.org are not always reliable. Is there any other possibility to check whether a port is open to the internet?

I have spent the whole Sunday figuring out what is wrong with the port forward. Now I haven't changed anything, and when I check my port 443 via canyouseeme.org, it shows successful... I don't get it...

What puzzles me now is: why is 443 available?

Is it due to

config forwarding
        option dest 'lan'
        option src 'wan'

config forwarding
        option dest 'lan'
        option src 'wan'

You just said. Use a port scanner.

And BTW, your firewall is open - FIX THAT!!!

Change it to DROP - you should be "stealth" then.

https://www.grc.com/shieldsup

Fix your firewall first.

I checked GRC ShieldsUP and it tells me

THE EQUIPMENT AT THE TARGET IP ADDRESS
ACTIVELY REJECTED OUR UPnP PROBES!

So looks like I am good.

When you say change it to DROP, are you referring to option input?

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option network 'wan wan6'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'

Huh!!? UMMMMM...no (UPnP should be off, as it's not installed by default). You should run these two:


Yes!!!

You currently have your router exposed to the Internet!!!

These are the defaults:


Thank you! I think I have messed it up some time ago :man_facepalming:

I unfortunately can't find the Common Ports and All Service Ports links on the website.
That's all I have as options, and in the submenus I didn't find it either.

I have tested ports 80 and 443 with canyouseeme.org while all rules were deactivated. Both were not reachable.

I have then activated both rules:

Port 80 shows successful
Port 443 shows error

That doesn't make sense to me. I am back to my previous issue :exploding_head:


The best way to test is with a separate Internet connection such as a smartphone (with wifi turned off, so it is going to the Internet via the cell network). Go to your public IP with the phone's browser.

And you will see LuCI, because that is where port 80 is going, not your web server. You have set input ACCEPT as the default on the WAN zone, which is severely insecure. All ports of the router's OS are open to the Internet, which is why there is also a response on port 53. Needless to say, this is tremendously insecure.

I would suggest cleaning up everything you have done with the firewall back to defaults, and starting over.


Maybe this screenshot will help:

BTW, both rules look OK.

@lleachii, I have found now the links. I had to press proceed first.
The Common Ports scan shows me that 80 and 443 are closed. That would also fit, as when trying my public IP with the mobile using the cell network, as @mk24 suggested, it showed me a blank page. Using https://:443 it showed me an error.

@mk24, I didn't do much with the firewall. As far as I remember, I have added four rules, all for DHCP and DNS, to be able to access the internet from other Firewall Zones and IP ranges.

I have now deleted all rules that were not enabled.

What just came to my mind.
I had to set up a VLAN for my WAN socket (I think that is how it is called). This is some prerequisite of my ISP. The WAN needs to be tagged with VLAN ID 7, else I cannot connect to the internet.
My LAN is on VLAN ID 1.

config interface 'lan'
        option ifname 'eth1.1'
        [...]

config interface 'wan'
        option ifname 'eth0.7'
        [...]

Might this be a reason why the port forwarding doesn't work?
Do I need some setup for VLAN ID 7 port forwarding to VLAN ID 1?

@lleachii, you have mentioned in this post that the interface needs to be a bridge. My lan is already a bridge, but it bridges lan and two wifis (2 GHz and 5 GHz).

@mk24, I can't add the firewall config as a body due to the limitation. Here is the current firewall config.

Please see the other firewall rules in the first post, as I cannot add the complete one due to the body limitation of 32000 characters.

[...]
config include
        option path '/etc/firewall.user'

config zone
        option name 'guest'
        option output 'ACCEPT'
        option network 'guest'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option dest 'wan'
        option src 'guest'

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'
        option name 'Guest-DNS'
        option src 'guest'

config rule
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'
        option name 'Guest-DHCP'
        option src 'guest'

config zone
        option output 'ACCEPT'
        option name 'home'
        option network 'home'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option dest 'wan'
        option src 'home'

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'
        option name 'Home-DNS'
        option src 'home'

config rule
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'
        option name 'Home-DHCP'
        option src 'home'

config forwarding
        option dest 'wan'
        option src 'lan'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_port '443'
        option name 'NextCloud HTTPS'
        option dest_ip '192.168.22.130'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '80'
        option dest_port '80'
        option name 'NextCloud HTTP'
        option dest_ip '192.168.22.130'
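Two things in this thread are worth checking mechanically in a UCI firewall config: the wan zone's input/forward policy set to ACCEPT (the exposure @mk24 and @lleachii point out), and DNAT redirects that lack the dest_ip or src_dport their sibling has (the two NextCloud redirects above differ exactly there). The following lint is an added example written for this page, not OpenWrt's own tooling; its sample config is assembled from the snippets quoted in the thread.

```python
"""Lint an OpenWrt UCI firewall config for the problems seen in this thread:
a wan zone whose input/forward policy is ACCEPT, and DNAT redirects that are
missing dest_ip or src_dport.  Added example, not OpenWrt's own tooling."""
import re

# Constructed sample, assembled from the config snippets quoted in the thread.
SAMPLE_CONFIG = """
config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option network 'wan wan6'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_port '443'
        option name 'NextCloud HTTPS'
        option dest_ip '192.168.22.130'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '80'
        option dest_port '80'
        option name 'NextCloud HTTP'
        option dest_ip '192.168.22.130'
"""

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?$")
OPTION_RE = re.compile(r"^option\s+(\S+)\s+'([^']*)'$")


def parse_uci(text):
    """Return [(section_type, {option: value}), ...] in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = OPTION_RE.match(line)
        if m and sections:
            sections[-1][1][m.group(1)] = m.group(2)
    return sections


def lint_firewall(text):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    for stype, opts in parse_uci(text):
        if stype == "zone" and opts.get("name") == "wan":
            # OpenWrt's stock config gives the wan zone input REJECT and
            # forward REJECT.  input ACCEPT exposes the router's own services;
            # forward ACCEPT accepts forwarded traffic arriving from wan that
            # no explicit forwarding section matched.
            for policy in ("input", "forward"):
                if opts.get(policy, "REJECT").upper() == "ACCEPT":
                    findings.append(f"zone wan: {policy} is ACCEPT, default is REJECT")
        elif stype == "redirect" and opts.get("target", "").upper() == "DNAT":
            name = opts.get("name", "<unnamed>")
            if "dest_ip" not in opts:
                findings.append(f"redirect {name}: no dest_ip to forward to")
            if "src_dport" not in opts:
                # The external port to match is not stated; in the thread the
                # HTTP redirect has src_dport but the HTTPS one does not.
                findings.append(f"redirect {name}: no src_dport (external port)")
    return findings
```

Run it over a copy of /etc/config/firewall taken off the router; an empty list means the wan zone is at its default policy and every DNAT redirect names both its external port and its target host.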

No, the tagging of 7 happens at layer 1. It isn't going to affect anything else.

An obvious question is are you sure your web server machine is listening on port 443?


@mk24, I was out for a while and just came back. Thank you for clarifying the VLAN situation.

The server is not listening yet on 443, but when I try to get the Let's Encrypt certificate, it fails with a hint to a firewall issue.

I am open to activating port 443 with any tool that might be used. I will check if I can find something to test.

What confuses me is that even with port 80, I cannot reach the web server.
The only time canyouseeme.org showed port 443 open was when I had deleted all forwarding rules and had my firewall open to the internet, aka had my pants down... so it seems it is possible, but somehow the forwarding doesn't work accurately.

Port 80 is listening on the server. I can login to nextcloud via http://ip

Run some tests from the internet and verify that you have incoming traffic on the ports in question:
https://openwrt.org/docs/guide-user/firewall/misc/tcpdump_wireshark


Hi @vgaetera,

Thank you for your suggestion!

I have tried the tcpdump on the WAN port of my router. I have used the port scanner from canyouseeme.org. Looks like it does listen.

root@OpenWrt:~# tcpdump -v -n -i pppoe-wan port 443 and src canyouseeme.org
tcpdump: listening on pppoe-wan, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
21:37:12.864103 IP (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    52.202.215.126.443 > <WAN-IP>.60342: Flags [S.], cksum 0xa1b4 (correct), seq 1807119729, ack 2022007976, win 26847, options [mss 1460,sackOK,TS val 97348097 ecr 313597874,nop,wscale 7], length 0
21:37:12.958681 IP (tos 0x0, ttl 52, id 8043, offset 0, flags [DF], proto TCP (6), length 52)
    52.202.215.126.443 > <WAN-IP>.60342: Flags [.], cksum 0x35cd (correct), ack 579, win 219, options [nop,nop,TS val 97348121 ecr 313597968], length 0
21:37:12.959009 IP (tos 0x0, ttl 52, id 8044, offset 0, flags [DF], proto TCP (6), length 189)
    52.202.215.126.443 > <WAN-IP>.60342: Flags [P.], cksum 0x9d89 (correct), seq 1:138, ack 579, win 219, options [nop,nop,TS val 97348121 ecr 313597968], length 137
21:37:13.052738 IP (tos 0x0, ttl 52, id 8045, offset 0, flags [DF], proto TCP (6), length 52)
    52.202.215.126.443 > <WAN-IP>.60342: Flags [.], cksum 0x32a6 (correct), ack 1126, win 228, options [nop,nop,TS val 97348144 ecr 313598059], length 0
21:37:13.052750 IP (tos 0x0, ttl 52, id 43709, offset 0, flags [DF], proto TCP (6), length 60)
    52.202.215.126.39310 > <WAN-IP>.443: Flags [S], cksum 0x3ac4 (correct), seq 3909140621, win 26883, options [mss 1460,sackOK,TS val 97348144 ecr 0,nop,wscale 7], length 0
21:37:14.049835 IP (tos 0x0, ttl 52, id 43710, offset 0, flags [DF], proto TCP (6), length 60)
    52.202.215.126.39310 > <WAN-IP>.443: Flags [S], cksum 0x1c7d (correct), seq 3909140621, win 26883, options [mss 8961,sackOK,TS val 97348394 ecr 0,nop,wscale 7], length 0
21:37:16.053818 IP (tos 0x0, ttl 52, id 43711, offset 0, flags [DF], proto TCP (6), length 60)
    52.202.215.126.39310 > <WAN-IP>.443: Flags [S], cksum 0x37d5 (correct), seq 3909140621, win 26883, options [mss 1460,sackOK,TS val 97348895 ecr 0,nop,wscale 7], length 0
21:37:16.274919 IP (tos 0x0, ttl 52, id 8046, offset 0, flags [DF], proto TCP (6), length 1492)
    52.202.215.126.443 > <WAN-IP>.60342: Flags [.], cksum 0x239e (correct), seq 138:1578, ack 1126, win 228, options [nop,nop,TS val 97348950 ecr 313598059], length 1440
21:37:16.274932 IP (tos 0x0, ttl 52, id 8047, offset 0, flags [DF], proto TCP (6), length 1492)
    52.202.215.126.443 > <WAN-IP>.60342: Flags [.], cksum 0xaf48 (correct), seq 1578:3018, ack 1126, win 228, options [nop,nop,TS val 97348950 ecr 313598059], length 1440
21:37:16.274943 IP (tos 0x0, ttl 52, id 8048, offset 0, flags [DF], proto TCP (6), length 918)
    52.202.215.126.443 > <WAN-IP>.60342: Flags [P.], cksum 0xf7c0 (correct), seq 3018:3884, ack 1126, win 228, options [nop,nop,TS val 97348950 ecr 313598059], length 866
^C
10 packets captured
17 packets received by filter
0 packets dropped by kernel

I got an error that the port is not open. I did not have the server running at that moment.

So my router is receiving the requests. Now I need to check if it is routed to the server once I have set up the port forwarding?

Greetings,
Sputnik

Naturally.

Unless there is a response, a port scanner will say the port is not open. The router does not respond to packets that are forwarded, it only forwards them (and forwards any response from the LAN machine back). So the server must be up for the port to be open.

You should see the packets leaving the LAN port of the router toward your server. In order for that to work, something has to exist at the server's IP address. It does not need to have port 443 open, but it does need to be answering ARPs.

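The point made above, that a scanner only calls a port open when a SYN-ACK comes back and a DNAT router never answers a forwarded SYN itself, can be read straight off a capture like the one posted earlier. Below is an added example (not from the thread or the OpenWrt tcpdump guide) that parses tcpdump -v records and classifies inbound SYNs per port; the port-443 records are the capture lines posted above, while the port-80 records and the `<WAN-IP>` placeholder host are constructed for contrast.

```python
"""Classify inbound TCP SYNs from a tcpdump -v capture as answered or not.
A scanner only reports a port open when a SYN-ACK comes back, and a router
never answers a DNAT-forwarded SYN itself; the forwarded-to host must.
Added example, not from the thread: the port-443 records are the capture
lines posted above, the port-80 records are constructed for contrast."""
import re
from collections import defaultdict

CAPTURE = """\
21:37:12.864103 IP (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    52.202.215.126.443 > <WAN-IP>.60342: Flags [S.], cksum 0xa1b4 (correct), seq 1807119729, ack 2022007976, win 26847, options [mss 1460,sackOK,TS val 97348097 ecr 313597874,nop,wscale 7], length 0
21:37:13.052750 IP (tos 0x0, ttl 52, id 43709, offset 0, flags [DF], proto TCP (6), length 60)
    52.202.215.126.39310 > <WAN-IP>.443: Flags [S], cksum 0x3ac4 (correct), seq 3909140621, win 26883, options [mss 1460,sackOK,TS val 97348144 ecr 0,nop,wscale 7], length 0
21:37:14.049835 IP (tos 0x0, ttl 52, id 43710, offset 0, flags [DF], proto TCP (6), length 60)
    52.202.215.126.39310 > <WAN-IP>.443: Flags [S], cksum 0x1c7d (correct), seq 3909140621, win 26883, options [mss 8961,sackOK,TS val 97348394 ecr 0,nop,wscale 7], length 0
21:37:16.053818 IP (tos 0x0, ttl 52, id 43711, offset 0, flags [DF], proto TCP (6), length 60)
    52.202.215.126.39310 > <WAN-IP>.443: Flags [S], cksum 0x37d5 (correct), seq 3909140621, win 26883, options [mss 1460,sackOK,TS val 97348895 ecr 0,nop,wscale 7], length 0
21:37:20.000001 IP (tos 0x0, ttl 52, id 50000, offset 0, flags [DF], proto TCP (6), length 60)
    52.202.215.126.39311 > <WAN-IP>.80: Flags [S], cksum 0x1111 (correct), seq 111, win 26883, options [mss 1460], length 0
21:37:20.000900 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)
    <WAN-IP>.80 > 52.202.215.126.39311: Flags [S.], cksum 0x2222 (correct), seq 222, ack 112, win 28960, options [mss 1460], length 0
"""

# One record = the IP header line plus its indented TCP line, joined below.
TCP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP .*?\s(?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:.*?\bseq (?P<seq>\d+))?"
)


def parse_records(text):
    """Join tcpdump -v continuation lines, then parse each TCP record."""
    records, current = [], ""
    for raw in text.splitlines():
        if raw[:1].isspace():          # indented line continues the record
            current += " " + raw.strip()
        else:
            if current:
                records.append(current)
            current = raw
    if current:
        records.append(current)
    return [m.groupdict() for m in map(TCP_RE.match, records) if m]


def classify_inbound_syns(text, wan_host):
    """Per destination port on wan_host: SYNs seen, distinct ISNs (a retransmit
    repeats the ISN) and whether wan_host ever sent a SYN-ACK back."""
    flows = defaultdict(lambda: {"syns": 0, "isns": set(), "answered": False})
    for r in parse_records(text):
        if r["dst"] == wan_host and r["flags"] == "S":
            flows[int(r["dport"])]["syns"] += 1
            flows[int(r["dport"])]["isns"].add(r["seq"])
        elif r["src"] == wan_host and r["flags"] == "S.":
            flows[int(r["sport"])]["answered"] = True
    return {p: {"syns": f["syns"], "distinct_isns": len(f["isns"]),
                "answered": f["answered"]} for p, f in flows.items()}


def verdict(entry):
    """Turn one port's counters into the diagnosis a scanner result implies."""
    if entry["answered"]:
        return "open: SYN-ACK returned"
    if entry["syns"] > 1 and entry["distinct_isns"] == 1:
        return "unanswered: SYN retransmitted; dropped, or forwarded to a host that did not reply"
    return "unanswered: single SYN, no reply seen"
```

On the thread's own port-443 records this yields three SYNs with one ISN and no SYN-ACK, which is exactly what a scanner reports as "closed" while the router is in fact forwarding; a second capture on the LAN side, as suggested above, then shows whether the SYN reaches the server.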

@mk24, thank you for your feedback. Using tcpdump, I could find out that everything seems fine with the router and the forwarding. I could see that port 443 is forwarded correctly. Also, I have temporarily set the port of sshd to 443 and checked if www.grc.com sees it as open. It was successful. So I guess there is another issue, which lies with Let's Encrypt. I will investigate in this direction.

Thanks all for helping and sharing your knowledge, it all helped me a lot.

Have a good day!
