Can't Open Port 80

I have this redirect in my /etc/config/firewall:

config redirect
        option src 'wan'
        option target 'DNAT'
        option dest_ip '192.168.10.228'
        option dest 'lan'
        list proto 'tcp'
        option src_dport '80'
        option name 'gateway80'
        option dest_port '80'

I had the same for port 443. All the port open tools that I have tried say that port 80 and 443 are not open (connection refused).

When I try to install letsencrypt on the apache2 web server on internal machine 192.168.10.228 with:

sudo certbot --apache

I get the following error:

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: dikacloud.duckdns.org
   Type:   connection
   Detail: Fetching
   http://dikacloud.duckdns.org/.well-known/acme-challenge/N1lHFZ2yz_rHWetlskTTF3X9mFQ7l9flrOHn9o__npA:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Which seems to indicate that the port is closed.

I had this working with no-ip but cannot get it to work with duckdns.

Here is my /etc/config/ddns entry:

config service 'duckdns'
        option service_name 'duckdns.org'
        option enabled '1'
        option domain 'dikacloud.duckdns.org'
        option password '9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb'
        option interface 'wan'
        option ip_source 'network'
        option ip_network 'wan'
#       option use_https '1'
#       option cacert '/etc/ssl/certs/ca-bundle.crt'
        option lookup_host 'dikacloud.duckdns.org'
        option username 'dikacloud'
#       option username 'bxxxxxxxxxx.com'
        option force_interval '72'
        option force_unit 'hours'
        option check_interval '10'
        option check_unit 'minutes'


I feel like I am missing something very obvious but all attempts to get this to work result in the same error message.

Any help would be much appreciated.

Thank you.

bdika

Remove this.

Edit: Misread the first post and as trendy points out this is not an issue.

1 Like

Actually this is correct.

@bdika verify that you get hits on the firewall: iptables-save -c | grep gateway80

Does your router's wan interface have a public IP? Does your ISP allow incoming connections?

1 Like

@trendy this is the output of the command

# iptables-save -c | grep gateway80
[0:0] -A zone_lan_postrouting -s 192.168.10.0/24 -d 192.168.10.228/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: gateway80 (reflection)" -j SNAT --to-source 192.168.10.1
[0:0] -A zone_lan_prerouting -s 192.168.10.0/24 -d 135.23.172.137/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: gateway80 (reflection)" -j DNAT --to-destination 192.168.10.228:80
[1519:61188] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: gateway80" -j DNAT --to-destination 192.168.10.228:80

I'm not sure what this means, but it looks OK?

@mk24 I am pretty sure the answer to both questions is yes. Is there any way I can definitively check?

The IPv4 Upstream IP shown on the status page must match your IP found by port scan sites.

You could temporarily locally open port 22 TCP which is the router's SSH server (make sure your password is secure). This should then appear as an open port on the port scan site.

When you say you had it working with no-ip do you mean the firewall rules?

It is working fine and there are a lot of hits.
Is the address you have in duckdns the same as your wan IP?
nslookup dikacloud.duckdns.org 8.8.8.8 ; . /lib/functions/network.sh; network_flush_cache; network_find_wan NET_IF; network_get_ipaddr NET_ADDR "${NET_IF}"; echo "${NET_ADDR}"

1 Like

Yes, I assume the firewall rules were working because I was able to access my website on 192.168.10.228 from outside of my lan.

The IPs are different on one port scan tool but agree with the duckdns.org site.

Yes they agree.

@trendy @krazeh @mk24
I am using a wireguard VPN. But it never made any difference with no-ip.

Thanks for your replies.

Any other ideas?

opkg update
opkg install vpn-policy-routing
uci set vpn-policy-routing.config.enabled="1"
uci -q delete vpn-policy-routing.config.dest_ipset
uci -q delete vpn-policy-routing.lan_wan
uci set vpn-policy-routing.lan_wan="policy"
uci set vpn-policy-routing.lan_wan.src_addr="192.168.10.228"
uci set vpn-policy-routing.lan_wan.src_port="80 443"
uci set vpn-policy-routing.lan_wan.dest_addr="!192.168.10.0/24"
uci set vpn-policy-routing.lan_wan.interface="wan"
uci commit vpn-policy-routing
/etc/init.d/vpn-policy-routing restart

VPN Policy-Based Routing + Web UI -- Discussion

1 Like

@vgaetera Thanks for the script. It worked to help me get Letsencrypt wizard to complete successfully but when I go to an SSL testing website it fails and when I try to access my site from outside of my lan it fails.

So I think port 80 is open but I still cannot access my site from outside my lan.

Thanks so much for your help.

If there are any ideas as to why I cannot access my website outside of my lan, I would be happy to hear them.

Thanks to all.

bdika

Capture HTTP/HTTPS traffic on OpenWrt when trying to access the site from the internet:

opkg update
opkg install tcpdump
tcpdump -vni any port 80 or port 443

2 Likes

@vgaetera Thanks for the reply. I finally got a chance to run your command while my son was trying to connect from outside the lan and this is what I got (I was limited to 32,000 characters, so I cut out some of what seemed to be repetitive):

14:24:32.585858 IP (tos 0x0, ttl 64, id 36046, offset 0, flags [DF], proto TCP (6), length 364)
    192.168.10.242.46976 > 172.217.164.227.80: Flags [P.], cksum 0x988b (correct), seq 2095294499:2095294811, ack 214232268, win 1369, options [nop,nop,TS val 37236879 ecr 4168669118], length 312: HTTP, length: 312
	HEAD /generate_204 HTTP/1.1
	Host: connectivitycheck.gstatic.com
	Connection: keep-alive
	User-Agent: Mozilla/5.0 (Linux; Android 8.0; Build/OPR2.170623.027.S25) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.57 Safari/537.36 CrKey/1.50.228700
	Accept-Encoding: gzip, deflate
	Accept-Language: en-US
	
14:24:32.585858 IP (tos 0x0, ttl 64, id 36046, offset 0, flags [DF], proto TCP (6), length 364)
    192.168.10.242.46976 > 172.217.164.227.80: Flags [P.], cksum 0x988b (correct), seq 0:312, ack 1, win 1369, options [nop,nop,TS val 37236879 ecr 4168669118], length 312: HTTP, length: 312
	HEAD /generate_204 HTTP/1.1
	Host: connectivitycheck.gstatic.com
	Connection: keep-alive
	User-Agent: Mozilla/5.0 (Linux; Android 8.0; Build/OPR2.170623.027.S25) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.57 Safari/537.36 CrKey/1.50.228700
	Accept-Encoding: gzip, deflate
	Accept-Language: en-US
	
14:24:32.585883 IP (tos 0x0, ttl 63, id 36046, offset 0, flags [DF], proto TCP (6), length 364)
    135.23.172.137.46976 > 172.217.164.227.80: Flags [P.], cksum 0x3085 (correct), seq 2095294499:2095294811, ack 214232268, win 1369, options [nop,nop,TS val 37236879 ecr 4168669118], length 312: HTTP, length: 312
	HEAD /generate_204 HTTP/1.1
	Host: connectivitycheck.gstatic.com
	Connection: keep-alive
	User-Agent: Mozilla/5.0 (Linux; Android 8.0; Build/OPR2.170623.027.S25) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.57 Safari/537.36 CrKey/1.50.228700
	Accept-Encoding: gzip, deflate
	Accept-Language: en-US
	
14:24:32.600485 IP (tos 0x0, ttl 58, id 42493, offset 0, flags [none], proto TCP (6), length 135)
    172.217.164.227.80 > 135.23.172.137.46976: Flags [P.], cksum 0x03ba (correct), seq 1:84, ack 312, win 269, options [nop,nop,TS val 4168670677 ecr 37236879], length 83: HTTP, length: 83
	HTTP/1.1 204 No Content
	Content-Length: 0
	Date: Sun, 21 Feb 2021 19:24:32 GMT
	
14:24:32.600498 IP (tos 0x0, ttl 57, id 42493, offset 0, flags [none], proto TCP (6), length 135)
    172.217.164.227.80 > 192.168.10.242.46976: Flags [P.], cksum 0x6bc0 (correct), seq 1:84, ack 312, win 269, options [nop,nop,TS val 4168670677 ecr 37236879], length 83: HTTP, length: 83
	HTTP/1.1 204 No Content
	Content-Length: 0
	Date: Sun, 21 Feb 2021 19:24:32 GMT
	
14:24:32.600501 IP (tos 0x0, ttl 57, id 42493, offset 0, flags [none], proto TCP (6), length 135)
    172.217.164.227.80 > 192.168.10.242.46976: Flags [P.], cksum 0x6bc0 (correct), seq 1:84, ack 312, win 269, options [nop,nop,TS val 4168670677 ecr 37236879], length 83: HTTP, length: 83
	HTTP/1.1 204 No Content
	Content-Length: 0
	Date: Sun, 21 Feb 2021 19:24:32 GMT
	
14:24:32.600503 IP (tos 0x0, ttl 57, id 42493, offset 0, flags [none], proto TCP (6), length 135)
    172.217.164.227.80 > 192.168.10.242.46976: Flags [P.], cksum 0x6bc0 (correct), seq 1:84, ack 312, win 269, options [nop,nop,TS val 4168670677 ecr 37236879], length 83: HTTP, length: 83
	HTTP/1.1 204 No Content
	Content-Length: 0
	Date: Sun, 21 Feb 2021 19:24:32 GMT
	
14:24:32.602066 IP (tos 0x0, ttl 64, id 36047, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.10.242.46976 > 172.217.164.227.80: Flags [.], cksum 0x7300 (correct), ack 84, win 1369, options [nop,nop,TS val 37236882 ecr 4168670677], length 0
14:24:32.602066 IP (tos 0x0, ttl 64, id 36047, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.10.242.46976 > 172.217.164.227.80: Flags [.], cksum 0x7300 (correct), ack 84, win 1369, options [nop,nop,TS val 37236882 ecr 4168670677], length 0
14:24:32.602091 IP (tos 0x0, ttl 63, id 36047, offset 0, flags [DF], proto TCP (6), length 52)
    135.23.172.137.46976 > 172.217.164.227.80: Flags [.], cksum 0x0afa (correct), ack 84, win 1369, options [nop,nop,TS val 37236882 ecr 4168670677], length 0
14:24:32.808079 IP (tos 0x0, ttl 64, id 9572, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.10.187.47876 > 95.217.163.246.80: Flags [S], cksum 0xa49d (correct), seq 1086192453, win 64240, options [mss 1460,sackOK,TS val 1782216620 ecr 0,nop,wscale 7], length 0
14:24:32.808079 IP (tos 0x0, ttl 64, id 9572, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.10.187.47876 > 95.217.163.246.80: Flags [S], cksum 0xa49d (correct), seq 1086192453, win 64240, options [mss 1460,sackOK,TS val 1782216620 ecr 0,nop,wscale 7], length 0
14:24:32.808126 IP (tos 0x0, ttl 63, id 9572, offset 0, flags [DF], proto TCP (6), length 60)
    10.65.140.14.47876 > 95.217.163.246.80: Flags [S], cksum 0xda01 (correct), seq 1086192453, win 64240, options [mss 1380,sackOK,TS val 1782216620 ecr 0,nop,wscale 7], length 0
14:24:32.935436 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    95.217.163.246.80 > 10.65.140.14.47876: Flags [S.], cksum 0xa922 (correct), seq 4043048311, ack 1086192454, win 65160, options [mss 1380,sackOK,TS val 2575342913 ecr 1782216620,nop,wscale 7], length 0
14:24:32.935449 IP (tos 0x0, ttl 50, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    95.217.163.246.80 > 192.168.10.187.47876: Flags [S.], cksum 0x740e (correct), seq 4043048311, ack 1086192454, win 65160, options [mss 1380,sackOK,TS val 2575342913 ecr 1782216620,nop,wscale 7], length 0
14:24:32.935453 IP (tos 0x0, ttl 50, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    95.217.163.246.80 > 192.168.10.187.47876: Flags [S.], cksum 0x740e (correct), seq 4043048311, ack 1086192454, win 65160, options [mss 1380,sackOK,TS val 2575342913 ecr 1782216620,nop,wscale 7], length 0
14:24:32.960759 IP (tos 0x0, ttl 64, id 9573, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.10.187.47876 > 95.217.163.246.80: Flags [.], cksum 0x9e7a (correct), ack 1, win 502, options [nop,nop,TS val 1782216783 ecr 2575342913], length 0
14:24:32.960759 IP (tos 0x0, ttl 64, id 9573, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.10.187.47876 > 95.217.163.246.80: Flags [.], cksum 0x9e7a (correct), ack 1, win 502, options [nop,nop,TS val 1782216783 ecr 2575342913], length 0
14:24:32.960786 IP (tos 0x0, ttl 63, id 9573, offset 0, flags [DF], proto TCP (6), length 52)
    10.65.140.14.47876 > 95.217.163.246.80: Flags [.], cksum 0xd38e (correct), ack 1, win 502, options [nop,nop,TS val 1782216783 ecr 2575342913], length 0
14:24:32.960761 IP (tos 0x0, ttl 64, id 9574, offset 0, flags [DF], proto TCP (6), length 147)
    192.168.10.187.47876 > 95.217.163.246.80: Flags [P.], cksum 0xa44c (correct), seq 1:96, ack 1, win 502, options [nop,nop,TS val 1782216783 ecr 2575342913], length 95: HTTP, length: 95
	GET /check_network_status.txt HTTP/1.1
	Host: archlinux.org
	Accept: */*
	Connection: close
	
14:24:32.960761 IP (tos 0x0, ttl 64, id 9574, offset 0, flags [DF], proto TCP (6), length 147)
    192.168.10.187.47876 > 95.217.163.246.80: Flags [P.], cksum 0xa44c (correct), seq 1:96, ack 1, win 502, options [nop,nop,TS val 1782216783 ecr 2575342913], length 95: HTTP, length: 95
	GET /check_network_status.txt HTTP/1.1
	Host: archlinux.org
	Accept: */*
	Connection: close
	
14:24:32.960803 IP (tos 0x0, ttl 63, id 9574, offset 0, flags [DF], proto TCP (6), length 147)
    10.65.140.14.47876 > 95.217.163.246.80: Flags [P.], cksum 0xd960 (correct), seq 1:96, ack 1, win 502, options [nop,nop,TS val 1782216783 ecr 2575342913], length 95: HTTP, length: 95
	GET /check_network_status.txt HTTP/1.1
	Host: archlinux.org
	Accept: */*
	Connection: close
	
14:24:33.089990 IP (tos 0x0, ttl 51, id 46768, offset 0, flags [DF], proto TCP (6), length 52)
    95.217.163.246.80 > 10.65.140.14.47876: Flags [.], cksum 0xd28d (correct), ack 96, win 509, options [nop,nop,TS val 2575343068 ecr 1782216783], length 0
14:24:33.090005 IP (tos 0x0, ttl 50, id 46768, offset 0, flags [DF], proto TCP (6), length 52)
    95.217.163.246.80 > 192.168.10.187.47876: Flags [.], cksum 0x9d79 (correct), ack 96, win 509, options [nop,nop,TS val 2575343068 ecr 1782216783], length 0
14:24:33.090009 IP (tos 0x0, ttl 50, id 46768, offset 0, flags [DF], proto TCP (6), length 52)
    95.217.163.246.80 > 192.168.10.187.47876: Flags [.], cksum 0x9d79 (correct), ack 96, win 509, options [nop,nop,TS val 2575343068 ecr 1782216783], length 0
14:24:33.090022 IP (tos 0x0, ttl 51, id 46769, offset 0, flags [DF], proto TCP (6), length 255)
    95.217.163.246.80 > 10.65.140.14.47876: Flags [P.], cksum 0x519a (correct), seq 1:204, ack 96, win 509, options [nop,nop,TS val 2575343068 ecr 1782216783], length 203: HTTP, length: 203
	HTTP/1.1 200 OK
	Server: nginx
	Date: Sun, 21 Feb 2021 19:24:33 GMT
	Content-Type: text/plain
	Content-Length: 24
	Connection: close
	Cache-Control: max-age=0, must-revalidate
	
	NetworkManager is online[!http]
14:24:33.090029 IP (tos 0x0, ttl 50, id 46769, offset 0, flags [DF], proto TCP (6), length 255)
    95.217.163.246.80 > 192.168.10.187.47876: Flags [P.], cksum 0x1c86 (correct), seq 1:204, ack 96, win 509, options [nop,nop,TS val 2575343068 ecr 1782216783], length 203: HTTP, length: 203
	HTTP/1.1 200 OK
	Server: nginx
	Date: Sun, 21 Feb 2021 19:24:33 GMT
	Content-Type: text/plain
	Content-Length: 24
	Connection: close
	Cache-Control: max-age=0, must-revalidate
	
	NetworkManager is online[!http]
14:24:33.090032 IP (tos 0x0, ttl 50, id 46769, offset 0, flags [DF], proto TCP (6), length 255)
    95.217.163.246.80 > 192.168.10.187.47876: Flags [P.], cksum 0x1c86 (correct), seq 1:204, ack 96, win 509, options [nop,nop,TS val 2575343068 ecr 1782216783], length 203: HTTP, length: 203
	HTTP/1.1 200 OK
	Server: nginx
	Date: Sun, 21 Feb 2021 19:24:33 GMT
	Content-Type: text/plain
	Content-Length: 24
	Connection: close
	Cache-Control: max-age=0, must-revalidate
	
	NetworkManager is online[!http]
14:24:33.090252 IP (tos 0x0, ttl 51, id 46770, offset 0, flags [DF], proto TCP (6), length 52)
    95.217.163.246.80 > 10.65.140.14.47876: Flags [F.], cksum 0xd1c1 (correct), seq 204, ack 96, win 509, options [nop,nop,TS val 2575343068 ecr 1782216783], length 0
14:24:33.090260 IP (tos 0x0, ttl 50, id 46770, offset 0, flags [DF], proto TCP (6), length 52)
    95.217.163.246.80 > 192.168.10.187.47876: Flags [F.], cksum 0x9cad (correct), seq 204, ack 96, win 509, options [nop,nop,TS val 2575343068 ecr 1782216783], length 0

14:24:34.592490 IP (tos 0x20, ttl 64, id 13251, offset 0, flags [DF], proto TCP (6), length 232)
    192.168.10.228.33145 > 158.69.124.83.443: Flags [P.], cksum 0xf8ad (correct), seq 1:193, ack 1, win 64240, length 192
14:24:34.592490 IP (tos 0x20, ttl 64, id 13251, offset 0, flags [DF], proto TCP (6), length 232)
    192.168.10.228.33145 > 158.69.124.83.443: Flags [P.], cksum 0xf8ad (correct), seq 1:193, ack 1, win 64240, length 192
14:24:34.592510 IP (tos 0x20, ttl 63, id 13251, offset 0, flags [DF], proto TCP (6), length 232)
    10.65.140.14.33145 > 158.69.124.83.443: Flags [P.], cksum 0x2deb (correct), seq 1:193, ack 1, win 64240, length 192
14:24:34.618681 IP (tos 0x18, ttl 55, id 16458, offset 0, flags [DF], proto TCP (6), length 40)
    158.69.124.83.443 > 10.65.140.14.33145: Flags [.], cksum 0xc28a (correct), ack 193, win 42708, length 0
14:24:34.618693 IP (tos 0x18, ttl 54, id 16458, offset 0, flags [DF], proto TCP (6), length 40)
    158.69.124.83.443 > 192.168.10.228.33145: Flags [.], cksum 0x8d4d (correct), ack 193, win 42708, length 0
14:24:34.618696 IP (tos 0x18, ttl 54, id 16458, offset 0, flags [DF], proto TCP (6), length 40)
    158.69.124.83.443 > 192.168.10.228.33145: Flags [.], cksum 0x8d4d (correct), ack 193, win 42708, length 0
14:24:34.618698 IP (tos 0x18, ttl 54, id 16458, offset 0, flags [DF], proto TCP (6), length 40)
    158.69.124.83.443 > 192.168.10.228.33145: Flags [.], cksum 0x8d4d (correct), ack 193, win 42708, length 0
14:24:34.618710 IP (tos 0x18, ttl 55, id 16459, offset 0, flags [DF], proto TCP (6), length 40)
    158.69.124.83.443 > 10.65.140.14.33145: Flags [F.], cksum 0xc289 (correct), seq 1, ack 193, win 42708, length 0
14:24:34.618718 IP (tos 0x18, ttl 54, id 16459, offset 0, flags [DF], proto TCP (6), length 40)
    158.69.124.83.443 > 192.168.10.228.33145: Flags [F.], cksum 0x8d4c (correct), seq 1, ack 193, win 42708, length 0
14:24:34.618720 IP (tos 0x18, ttl 54, id 16459, offset 0, flags [DF], proto TCP (6), length 40)
    158.69.124.83.443 > 192.168.10.228.33145: Flags [F.], cksum 0x8d4c (correct), seq 1, ack 193, win 42708, length 0
14:24:34.618722 IP (tos 0x18, ttl 54, id 16459, offset 0, flags [DF], proto TCP (6), length 40)
    158.69.124.83.443 > 192.168.10.228.33145: Flags [F.], cksum 0x8d4c (correct), seq 1, ack 193, win 42708, length 0
14:24:34.619396 IP (tos 0x20, ttl 64, id 13252, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.10.228.33145 > 158.69.124.83.443: Flags [F.], cksum 0x3930 (correct), seq 193, ack 2, win 64239, length 0
14:24:34.619396 IP (tos 0x20, ttl 64, id 13252, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.10.228.33145 > 158.69.124.83.443: Flags [F.], cksum 0x3930 (correct), seq 193, ack 2, win 64239, length 0
14:24:34.619420 IP (tos 0x20, ttl 63, id 13252, offset 0, flags [DF], proto TCP (6), length 40)
    10.65.140.14.33145 > 158.69.124.83.443: Flags [F.], cksum 0x6e6d (correct), seq 193, ack 2, win 64239, length 0
14:24:34.641344 IP (tos 0x18, ttl 55, id 16460, offset 0, flags [DF], proto TCP (6), length 40)
    158.69.124.83.443 > 10.65.140.14.33145: Flags [.], cksum 0xc289 (correct), ack 194, win 42707, length 0
14:24:34.641355 IP (tos 0x18, ttl 54, id 16460, offset 0, flags [DF], proto TCP (6), length 40)
    158.69.124.83.443 > 192.168.10.228.33145: Flags [.], cksum 0x8d4c (correct), ack 194, win 42707, length 0
14:24:34.641358 IP (tos 0x18, ttl 54, id 16460, offset 0, flags [DF], proto TCP (6), length 40)
    158.69.124.83.443 > 192.168.10.228.33145: Flags [.], cksum 0x8d4c (correct), ack 194, win 42707, length 0
14:24:34.641361 IP (tos 0x18, ttl 54, id 16460, offset 0, flags [DF], proto TCP (6), length 40)
    158.69.124.83.443 > 192.168.10.228.33145: Flags [.], cksum 0x8d4c (correct), ack 194, win 42707, length 0
14:24:35.190052 IP (tos 0x0, ttl 58, id 36555, offset 0, flags [DF], proto TCP (6), length 67)
    104.26.10.153.443 > 10.65.140.14.34434: Flags [P.], cksum 0x398a (correct), seq 3674478800:3674478827, ack 2884301206, win 71, length 27
14:24:35.190070 IP (tos 0x0, ttl 57, id 36555, offset 0, flags [DF], proto TCP (6), length 67)
    104.26.10.153.443 > 192.168.10.152.34434: Flags [P.], cksum 0x0499 (correct), seq 3674478800:3674478827, ack 2884301206, win 71, length 27
14:24:35.190075 IP (tos 0x0, ttl 57, id 36555, offset 0, flags [DF], proto TCP (6), length 67)
    104.26.10.153.443 > 192.168.10.152.34434: Flags [P.], cksum 0x0499 (correct), seq 0:27, ack 1, win 71, length 27
14:24:35.190077 IP (tos 0x0, ttl 57, id 36555, offset 0, flags [DF], proto TCP (6), length 67)
    104.26.10.153.443 > 192.168.10.152.34434: Flags [P.], cksum 0x0499 (correct), seq 0:27, ack 1, win 71, length 27
14:24:35.190683 IP (tos 0x0, ttl 64, id 19257, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.10.152.34434 > 104.26.10.153.443: Flags [.], cksum 0x563d (correct), ack 27, win 501, length 0
14:24:35.190683 IP (tos 0x0, ttl 64, id 19257, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.10.152.34434 > 104.26.10.153.443: Flags [.], cksum 0x563d (correct), ack 27, win 501, length 0
14:24:35.190708 IP (tos 0x0, ttl 63, id 19257, offset 0, flags [DF], proto TCP (6), length 40)
    10.65.140.14.34434 > 104.26.10.153.443: Flags [.], cksum 0x8b2e (correct), ack 27, win 501, length 0
14:24:35.253798 IP (tos 0x0, ttl 244, id 41584, offset 0, flags [none], proto TCP (6), length 40)
    51.222.143.1.36574 > 135.23.172.137.80: Flags [S], cksum 0x498a (correct), seq 1770610768, win 5840, length 0
14:24:35.253836 IP (tos 0x0, ttl 243, id 41584, offset 0, flags [none], proto TCP (6), length 40)
    51.222.143.1.36574 > 192.168.10.228.80: Flags [S], cksum 0xb19e (correct), seq 1770610768, win 5840, length 0
14:24:35.253840 IP (tos 0x0, ttl 243, id 41584, offset 0, flags [none], proto TCP (6), length 40)
    51.222.143.1.36574 > 192.168.10.228.80: Flags [S], cksum 0xb19e (correct), seq 1770610768, win 5840, length 0
14:24:35.253842 IP (tos 0x0, ttl 243, id 41584, offset 0, flags [none], proto TCP (6), length 40)
    51.222.143.1.36574 > 192.168.10.228.80: Flags [S], cksum 0xb19e (correct), seq 1770610768, win 5840, length 0
14:24:35.254475 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    192.168.10.228.80 > 51.222.143.1.36574: Flags [S.], cksum 0xda7d (correct), seq 3729063149, ack 1770610769, win 64240, options [mss 1460], length 0
14:24:35.254475 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    192.168.10.228.80 > 51.222.143.1.36574: Flags [S.], cksum 0xda7d (correct), seq 3729063149, ack 1770610769, win 64240, options [mss 1460], length 0
14:24:35.254499 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    135.23.172.137.80 > 51.222.143.1.36574: Flags [S.], cksum 0x7269 (correct), seq 3729063149, ack 1770610769, win 64240, options [mss 1460], length 0
14:24:35.369840 IP (tos 0x0, ttl 244, id 51318, offset 0, flags [none], proto TCP (6), length 40)
    51.222.143.1.11265 > 135.23.172.137.80: Flags [S], cksum 0x94e8 (correct), seq 898477003, win 5840, length 0
14:24:35.369876 IP (tos 0x0, ttl 243, id 51318, offset 0, flags [none], proto TCP (6), length 40)
    51.222.143.1.11265 > 192.168.10.228.80: Flags [S], cksum 0xfcfc (correct), seq 898477003, win 5840, length 0
14:24:35.369880 IP (tos 0x0, ttl 243, id 51318, offset 0, flags [none], proto TCP (6), length 40)
    51.222.143.1.11265 > 192.168.10.228.80: Flags [S], cksum 0xfcfc (correct), seq 898477003, win 5840, length 0
14:24:35.369882 IP (tos 0x0, ttl 243, id 51318, offset 0, flags [none], proto TCP (6), length 40)
    51.222.143.1.11265 > 192.168.10.228.80: Flags [S], cksum 0xfcfc (correct), seq 898477003, win 5840, length 0
14:24:35.370518 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    192.168.10.228.80 > 51.222.143.1.11265: Flags [S.], cksum 0x7253 (correct), seq 1411332764, ack 898477004, win 64240, options [mss 1460], length 0
14:24:35.370518 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    192.168.10.228.80 > 51.222.143.1.11265: Flags [S.], cksum 0x7253 (correct), seq 1411332764, ack 898477004, win 64240, options [mss 1460], length 0
14:24:35.370540 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    135.23.172.137.80 > 51.222.143.1.11265: Flags [S.], cksum 0x0a3f (correct), seq 1411332764, ack 898477004, win 64240, options [mss 1460], length 0
14:24:35.414821 IP (tos 0x0, ttl 118, id 30438, offset 0, flags [none], proto TCP (6), length 60)
    66.130.90.10.52120 > 135.23.172.137.443: Flags [S], cksum 0x0679 (correct), seq 1389895784, win 65535, options [mss 1460,sackOK,TS val 1559221205 ecr 0,nop,wscale 8], length 0
14:24:35.414865 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    135.23.172.137.443 > 66.130.90.10.52120: Flags [R.], cksum 0xd047 (incorrect -> 0x9f0e), seq 0, ack 1389895785, win 0, length 0
14:24:36.145288 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    192.168.10.228.80 > 51.222.143.1.31943: Flags [S.], cksum 0x2386 (correct), seq 3667061291, ack 734559637, win 64240, options [mss 1460], length 0
14:24:36.145288 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    192.168.10.228.80 > 51.222.143.1.31943: Flags [S.], cksum 0x2386 (correct), seq 3667061291, ack 734559637, win 64240, options [mss 1460], length 0
14:24:36.145315 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    135.23.172.137.80 > 51.222.143.1.31943: Flags [S.], cksum 0xbb71 (correct), seq 3667061291, ack 734559637, win 64240, options [mss 1460], length 0
14:24:36.245910 IP (tos 0x0, ttl 64, id 57352, offset 0, flags [DF], proto TCP (6), length 98)
    192.168.10.152.44054 > 151.101.126.110.443: Flags [P.], cksum 0x030a (correct), seq 1889102919:1889102965, ack 1874420010, win 501, options [nop,nop,TS val 2938340480 ecr 843237132], length 46
14:24:36.245910 IP (tos 0x0, ttl 64, id 57352, offset 0, flags [DF], proto TCP (6), length 98)
  
	HEAD /generate_204 HTTP/1.1
	Host: connectivitycheck.gstatic.com
	Connection: keep-alive
	User-Agent: Mozilla/5.0 (Linux; Android 8.0; Build/OPR2.170623.027.S25) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.57 Safari/537.36 CrKey/1.50.228700
	Accept-Encoding: gzip, deflate
	Accept-Language: en-US
	
14:24:40.022292 IP (tos 0x0, ttl 64, id 36048, offset 0, flags [DF], proto TCP (6), length 364)
    192.168.10.242.46976 > 172.217.164.227.80: Flags [P.], cksum 0x8b1a (correct), seq 312:624, ack 84, win 1369, options [nop,nop,TS val 37238366 ecr 4168670677], length 312: HTTP, length: 312
	HEAD /generate_204 HTTP/1.1
	Host: connectivitycheck.gstatic.com
	Connection: keep-alive
	User-Agent: Mozilla/5.0 (Linux; Android 8.0; Build/OPR2.170623.027.S25) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.57 Safari/537.36 CrKey/1.50.228700
	Accept-Encoding: gzip, deflate
	Accept-Language: en-US
	
14:24:40.022313 IP (tos 0x0, ttl 63, id 36048, offset 0, flags [DF], proto TCP (6), length 364)
    135.23.172.137.46976 > 172.217.164.227.80: Flags [P.], cksum 0x2314 (correct), seq 312:624, ack 84, win 1369, options [nop,nop,TS val 37238366 ecr 4168670677], length 312: HTTP, length: 312
	HEAD /generate_204 HTTP/1.1
	Host: connectivitycheck.gstatic.com
	Connection: keep-alive
	User-Agent: Mozilla/5.0 (Linux; Android 8.0; Build/OPR2.170623.027.S25) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.57 Safari/537.36 CrKey/1.50.228700
	Accept-Encoding: gzip, deflate
	Accept-Language: en-US
	


I'm not sure what it means. I ran the command before getting my son to try and connect from outside the lan but could not make any sense of it.

Any insight would be much appreciated.

Thanks.

bdika

1 Like

It looks like the request can reach the server but the reply is lost.

Collect the output and post it to pastebin.com redacting the private parts:

ubus call system board; uci show network; uci show firewall; \
uci show vpn-policy-routing; /etc/init.d/vpn-policy-routing support; \
ip address show; ip route show table all; ip rule show; iptables-save
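
The pattern described in the reply above (the request reaches the server, the reply goes unanswered) can be checked mechanically in `tcpdump -vn` text. This is an added example, not part of any post in the thread: a POSIX shell/awk function with the hypothetical name `handshake_report` that reports, per inbound connection attempt, whether the SYN-ACK was ever acknowledged. The sample input uses address lines copied from the capture in this thread plus one constructed completed handshake from 198.51.100.7.

```shell
#!/bin/sh
# Added example (not from the thread): classify inbound TCP handshakes seen in
# `tcpdump -vn` text output. handshake_report is a hypothetical helper name.

# Usage: handshake_report WAN_IP LAN_SERVER_IP < capture.txt
# Prints one line per inbound connection attempt (first SYN), in capture order.
handshake_report() {
    awk -v wan="$1" -v lan="$2" '
    # tcpdump prints endpoints as a.b.c.d.port; split address from port.
    function ip_of(ep,   p) { split(ep, p, "."); return p[1] "." p[2] "." p[3] "." p[4] }
    function port_of(ep,   p, n) { n = split(ep, p, "."); return p[n] }

    # Address lines look like: SRC > DST: Flags [S], ...
    # Timestamp header lines and HTTP payload lines do not match and are skipped.
    $2 == ">" && $4 == "Flags" {
        src = $1; dst = $3; sub(/:$/, "", dst)
        f = substr($5, 2); f = substr(f, 1, index(f, "]") - 1)   # "[S.]," -> "S."
        if (ip_of(dst) == wan || ip_of(dst) == lan) {
            # Client to server. Keyed on client endpoint and port only, so the
            # pre-DNAT (WAN IP) and post-DNAT (LAN IP) copies collapse into one flow.
            key = src " -> port " port_of(dst)
            if (f == "S") { if (!(key in syn)) order[++count] = key; syn[key] = 1 }
            else if (f !~ /[SR]/ && (key in synack)) acked[key] = 1
        } else if (ip_of(src) == wan || ip_of(src) == lan) {
            # Server (or the router itself) to client. The first RST seen wins, so
            # a reset sent by the LAN server is not relabelled by its NATed copy.
            key = dst " -> port " port_of(src)
            if (f == "S.") synack[key] = 1
            else if (f ~ /R/ && !(key in rst)) rst[key] = ip_of(src)
        }
    }
    END {
        for (i = 1; i <= count; i++) {
            k = order[i]
            if (k in rst)             state = "reset by " rst[k]
            else if (!(k in synack))  state = "no reply seen"
            else if (k in acked)      state = "established"
            else                      state = "syn-ack sent, no ack seen"
            print k ": " state
        }
    }'
}

# Sample input: address lines copied from the capture posted in the thread
# (one timestamp header kept to show it is ignored), plus a constructed,
# completed handshake from 198.51.100.7 for contrast.
sample_capture() {
    cat <<'EOF'
14:24:35.253798 IP (tos 0x0, ttl 244, id 41584, offset 0, flags [none], proto TCP (6), length 40)
    51.222.143.1.36574 > 135.23.172.137.80: Flags [S], cksum 0x498a (correct), seq 1770610768, win 5840, length 0
    51.222.143.1.36574 > 192.168.10.228.80: Flags [S], cksum 0xb19e (correct), seq 1770610768, win 5840, length 0
    192.168.10.228.80 > 51.222.143.1.36574: Flags [S.], cksum 0xda7d (correct), seq 3729063149, ack 1770610769, win 64240, options [mss 1460], length 0
    135.23.172.137.80 > 51.222.143.1.36574: Flags [S.], cksum 0x7269 (correct), seq 3729063149, ack 1770610769, win 64240, options [mss 1460], length 0
    66.130.90.10.52120 > 135.23.172.137.443: Flags [S], cksum 0x0679 (correct), seq 1389895784, win 65535, options [mss 1460,sackOK,TS val 1559221205 ecr 0,nop,wscale 8], length 0
    135.23.172.137.443 > 66.130.90.10.52120: Flags [R.], cksum 0xd047 (incorrect -> 0x9f0e), seq 0, ack 1389895785, win 0, length 0
    198.51.100.7.40000 > 135.23.172.137.80: Flags [S], seq 1000, win 64240, length 0
    135.23.172.137.80 > 198.51.100.7.40000: Flags [S.], seq 2000, ack 1001, win 64240, length 0
    198.51.100.7.40000 > 135.23.172.137.80: Flags [.], ack 1, win 502, length 0
EOF
}

sample_capture | handshake_report 135.23.172.137 192.168.10.228
```

On the router the function can read a bounded live capture instead of the sample, for example `tcpdump -vni any -c 200 port 80 or port 443 | handshake_report <wan-ip> <lan-ip>`.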

Hi vgaetera:

First of all, thank you for having patience with me. I have been quite busy lately and am not a computer professional.

I wasn't sure if I had to generate the output of your latest commands while trying to access my website from outside the lan or not. The attached output was generated by entering your commands but not while someone was trying to access the site from outside of the lan.

I wasn't sure what to redact, but I redacted most of the ip numbers. If I have redacted too much or not enough, please let me know.

Again, thank you for your help.

bdika

This might be a daft question - forgive me if so - but when this was working previously, was it with this very same router, with this very same configuration?

Is there any chance that uhttpd on the router itself might be intercepting the external queries to 80/tcp and 443/tcp?

If uhttpd is bound to 0.0.0.0, does it override DNAT if there's a conflict, or does it give way to DNAT?

@iplaywithtoys

Thanks for the reply.

The same router definitely. The very same configuration (yes as far as I remember) but I was using NO-IP when it was working.

Sorry but I don't know or really understand this. How can I go about testing and responding back to you?

Thanks.

bdika

What is the output of iptables-save -c -t nat | grep DNAT ?

1 Like

Also, what are the outputs of netstat -anp | grep :80 and netstat -anp | grep :443 ?