Can't Port Forward on Flint-2 Router

Hello, I am new here. Thank you for having me.

I am a new OpenWRT user but have used other 3rd party firmwares in the past. I am trying to learn OpenWRT via Luci interface but it's quite complex.

I have a new Flint 2 router with the latest OpenWrt on it, and am having a hell of a time trying to forward ports. I've tried everything under the sun and it's just not working. For instance, I will forward a port via the Luci gui, a random port #, and it won't work when I test it on canyouseeme. But some random ports WILL work. For instance, if I try to forward port 59 (for mIRC), it will work! When I disable it, the port checker can't see it, so that port # works properly. I cannot fathom what is wrong.

I haven't messed with anything else in the properties of OpenWrt settings besides opening ports. I have Comcast (Xfinity) internet (2.1g) with a new modem/router combo (the white cube) which I have logged into and put into bridge mode so it won't interfere with my router. I have to assume that putting it into bridge mode worked and that it is not still blocking something on the backend that I can't see. So, no idea what the issue is and I really need to forward ports. I was about to revert to the Flint 2's OEM original firmware, but figured I'd come here and ask for help first.

Thanks so much!

When you test your port forwards, do you have a server and service up and running using those ports? The only way that a positive hit will be returned will be if there is both port forwarding and a corresponding server that is up and listening for inbound connections.

Let's take a look at your config to make sure there aren't any issues:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

 -----------------------------------------------------
 OpenWrt 24.10.1, r28597-0425664679
 -----------------------------------------------------
root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.86",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.1",
                "revision": "r28597-0425664679",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.1 r28597-0425664679",
                "builddate": "1744562312"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda0:cda4:571::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel '1'
        option htmode 'HE20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'REDACTED'
        option encryption 'psk-mixed'
        option key 'REDACTED'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel '36'
        option htmode 'HE80'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'REDACTED'
        option encryption 'psk2'
        option key 'REDACTED '

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'Admin-PC'
        option duid '0001000125742BAD00241D891337'
        list mac 'REDACTED'

I am on Win7 and had to download Putty and learn how to access and find that info, hope it's correct. I'm not a programmer or anything. :slight_smile:

Everything you've shown so far looks fine. But the firewall file is missing. Please post that.

Also, please post the first two octets (in bold: aaa.bbb.ccc.ddd) of the following:

ifstatus wan | grep address

Forgot to reply to your question: "When you test your port forwards, do you have a server and service up and running using those ports?" - I have no idea what that means, but no, I don't think I have a server or service up, I don't know. I'm using the Luci gui to access/modify OpenWrt, no terminal/cmd window.

Response to ifstatus wan | grep address:

"ipv4-address": [
                        "address": "73.17.XX.XX",
        "ipv6-address": [
                "ipv4-address": [
                "ipv6-address": [

How do I post firewall?

Then what exactly are you trying to do with the port forwards? The whole point of port forwarding is to allow a service that resides on your lan to be accessible from the internet. If you don't have a server/service, where are you pointing your port forwards?

This looks fine.

Same way you did for the others:


Oh ok I just didn't understand the terminology, sorry. Yes I see now. I suppose the server would be my NAS, and a service would be a game or program I use that requires a port opened. Both of these things I am trying to accomplish, but they won't open.

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'
        option flow_offloading '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HTTPS'
        option src 'wan'
        option src_dport '6667'
        option dest_ip '192.168.2.121'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'FTP'
        option src 'wan'
        option src_dport '21'
        option dest_ip '192.168.2.15'
        option dest_port '21'
        option family 'ipv4'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'utorrent'
        option src 'wan'
        option src_dport '60'
        option dest_ip 'fda0:cda4:571::4f5'
        option enabled '0'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'mirc'
        option src 'wan'
        option src_dport '58'
        option dest_ip '192.168.2.121'
        option enabled '0'

I see from reading the printout that my intended ports are there. Of them, only 21 works. Neither 58 nor 60 works.

Do you want these services to be generally accessible to anyone on the internet? If this is for personal (or a small group of friends/family), you are much better off using a VPN because this provides a secure and encrypted connection between your remote location and your home network. Port forwarding, on the other hand, allows anybody to connect to your systems (thus relying on its local accounts and security posture to be robust against malicious attacks coming from the internet).
Let's take a look at port 58:

Obviously it is not enabled, so that's the first thing that needs to be fixed. Next, you need to have a destination port. Is it the same (58?) or is it some other port number that is listening on the .121 machine?

Additionally, have you verified that you can connect to that machine with the desired port (58 or whatever the internal port is) when you're on the same local network?

I only had a VPN long ago and didn't use it much. I'm not familiar with installing/running one. I've always used port forwarding on routers, way back to the WRT54G days 20 years ago, and it never failed me. I care about security, but I'm frustrated with this now and just want it to work, so maybe I'll work on a VPN in the future, but I just want to get this working, you know?

So, port 58, it's just a random # I chose, because port 59 is set to be used in mIRC, and it works when I open it, so I went down 1 number to 58 just to try a random port #, and it wasn't open/didn't work. Why is this? Shouldn't any port # I open work when tested at a port checker site?

In terms of destination port, I was under the impression you just needed to put a port # in the external port box, not internal port. I left internal port blank in some of these, figuring it wouldn't matter. I have tried filling internal port in with same # as external, though, and it made no difference; still failed. Does a service/server have to be looking/ready/open for port opening to work? I thought just opening any port in router would then allow it to be seen as open by portchecker, without any service to be waiting to receive it.

Obviously it is not enabled

How do you know this?
-Thanks

Probably you had a VPN service (useful for shifting certain privacy concerns from your local provider or government to the VPN service itself and/or for geo-ip related reasons).

It's not hard, and we can help if it might be useful and of interest. It's far more secure than using port forwarding.

Sure, it won't fail you from the perspective of functional access, but a lot has changed in 20 years, and the internet has become much more dangerous when it comes to botnets and other attack methods.

The VPN method is actually easier in many ways... but sure.

Using low-number ports randomly generally isn't the best idea, as many of them are reserved and/or commonly used for specific services (see this list). That's not to say it can't work, but it might cause complications.

Also, the "random" port number usage depends on the method by which you're trying to access your service. For example, in a web browser, it's easy enough: http://mysite.com:port can work by simply using the appropriate port number. But if you're using an app or protocol or method that has an assumed/pre-programmed port (and not user adjustable), you need to use the port that it is expecting.

Furthermore, the server/service on your lan must be listening and accepting inbound connections on the port you specify. That's why you need to specify the destination port. It can actually be different than the "external" (i.e. src_dport), but it does need to be consistent with the local server. So for example, if I want to run a web server that uses port 443, I can actually map my external port 23443 to port 443 if I want, then I would access the service from the internet using https://mysite.com:23443.

Both are required, as per the above.

The local service you're trying to forward must be listening on a given port, and that port must be the internal port number. You can test this by trying to connect locally (i.e. while connected to your lan).

Put bluntly, you can't just use random numbers for things.

Yes.

Simple analogy... you pick up the phone and dial a number. If someone answers, that gives you an indication that the connection (from your phone > phone services > their phone > the person answering) all works. That is what happens when a service responds to a port probe.

If they don't answer, you don't know what isn't working. Is it that the person is not home or otherwise unable/unwilling to answer? Or their phone is not working (broken, dead battery)? Or the phone is lost? Or maybe the line to their home isn't working/out of coverage area? Or there is a problem with their phone provider? Or.... This is what happens when there is nothing to respond to the port probe.

And, fun fact, not all services will respond to a port probe (although most will).

Simple:
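To make the two points above concrete (a redirect needs a dest_port that matches what the LAN host listens on, and something must actually be listening on that port), here is a small added linter, not part of the thread or of OpenWrt, that parses the `config redirect` stanzas of a pasted /etc/config/firewall and flags the problems discussed: disabled rules, missing dest_port, and a dest_ip outside the 192.168.2.0/24 LAN shown in the network config. The sample stanzas are constructed from the ones posted; `nas-web` is a hypothetical correct mapping of external 23443 to internal 443. `port_is_listening` is the local "can I reach the host on that port from inside the LAN" check.

```python
"""Lint 'config redirect' stanzas from an OpenWrt /etc/config/firewall dump (added example)."""
import ipaddress
import re
import socket

LAN_SUBNET = ipaddress.ip_network("192.168.2.0/24")  # from the 'lan' interface in the thread

# Constructed sample: the 'mirc' and 'utorrent' redirects as posted, plus a hypothetical good one.
SAMPLE = """
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'mirc'
        option src 'wan'
        option src_dport '58'
        option dest_ip '192.168.2.121'
        option enabled '0'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'utorrent'
        option src 'wan'
        option src_dport '60'
        option dest_ip 'fda0:cda4:571::4f5'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'nas-web'
        option src 'wan'
        option src_dport '23443'
        option dest_ip '192.168.2.15'
        option dest_port '443'
        option family 'ipv4'
"""

def parse_sections(text):
    """Turn UCI text into a list of dicts; '_type' holds the section type."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"config\s+(\S+)(?:\s+'?([^']*)'?)?$", line)
        if m:
            sections.append({"_type": m.group(1)})
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'(.*)'$", line)
        if m and sections:
            kind, key, val = m.groups()
            if kind == "list":
                sections[-1].setdefault(key, []).append(val)
            else:
                sections[-1][key] = val
    return sections

def lint_redirect(sec):
    """Return the list of problems for one redirect stanza (empty list means it looks fine)."""
    problems = []
    if sec.get("enabled", "1") == "0":
        problems.append("disabled")
    if "dest_port" not in sec:
        problems.append("no dest_port")  # set it to the port the LAN host actually listens on
    ip = sec.get("dest_ip")
    if ip is None:
        problems.append("no dest_ip")
    elif ipaddress.ip_address(ip) not in LAN_SUBNET:  # IPv6 ULA never matches an IPv4 subnet
        problems.append("dest_ip outside LAN subnet")
    return problems

def lint(text):
    """Map each redirect's name to its problems."""
    return {s.get("name", "?"): lint_redirect(s)
            for s in parse_sections(text) if s["_type"] == "redirect"}

def port_is_listening(host, port, timeout=2.0):
    """Local check from inside the LAN: the TCP connect succeeds only if a service is listening."""
    with socket.socket() as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0
```

Run it over the real firewall dump before touching canyouseeme, and run `port_is_listening('192.168.2.121', 58)` from a LAN machine to confirm the service answers locally first.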

Thank you for that detailed reply, really appreciate it.

I am confused as to why it is saying it's not enabled. I have the boxes checked. They should be enabled and working. How do I enable these?

When you navigate to Network > Firewall > Port Forwards, there is a checkbox for Enabled -- that is likely unchecked right now.

But, before you worry about that, start by making sure that you can reach the server on the desired port when on the same local network. Then, make sure that your port forward is complete with that port number for the destination port.

I didn't edit my post quickly enough. Yes, they were unchecked. That was just temporary; I have tried them checked and it doesn't work. They're enabled now, but still don't work, as usual. Maybe it's because something has to be listening on those ports on my end, and nothing is?

Right... that's why I've stated (several times):

Also, I have been able to reach my NAS on my side via web browser. I have to type in the port, just as you said above, after the URL, and it has been working fine. But I can't open other ports. Maybe the issue is that the other ports weren't listening? I was testing random ports just to see if port forwarding was working on the router, and by testing I mean plugging them into canyouseeme.org, and if it didn't come back as open, I figured the router wasn't working. Perhaps it's because, as you said, a device/program has to be listening first for it to work?

Ok... let's use specifics. What is the exact address and port you used to access your NAS web server?

Where are you trying to open these ports? On the router? or on the NAS?

Again, you cannot just use random ports for the service itself.

Not sure how many times I need to say this, but yes, something has to be listening and responding.

Hah, you're right. I just changed the listening port for IRC's DCC server from 59 to 65, and 59 could no longer be seen by canyouseeme. That verified what you said about a device/app having to be listening for a port to be visible to a port checker site. I then checked port 65, and it was visible, naturally. Looks like the router or OpenWrt wasn't broken at all; it was just my antiquated and lacking understanding of port forwarding. Thanks

I'm still missing so much knowledge. Is there a way to check if ports are open, even if nothing is looking for them yet, perhaps via some tool or something internal, to just see if your router opened them? It couldn't be checked by a website, I assume, since that's outside your network and it would not be visible unless something was looking for that port.

I don't make this stuff up. Glad you're able to see that now.

It is not uncommon for people to have misunderstandings here.

Broadly speaking, I trust that a port is open on the router if I configure it as such. But that does nothing until/unless a service is on the other end of that.

As you now know, a service must be listening and answering in order to show up in a port scan.

But... you shouldn't open ports in general unless you have a reason to do so. And, remember that I said that this is not the preferred method anymore. It can be a liability in terms of the security of your devices and your data because the internet is crawling with malicious people and bots that will use either brute force or known security vulnerabilities in your end devices/services to gain access.

A VPN will provide significantly better security posture as well as easier configurations. For example, once configured, I can access all the services on my local network without needing to setup individual port forwards for each device. In essence, when I'm away from my home and I turn on the VPN, it's pretty much the same as me being in my home in terms of my access to my networked devices.

Not sure what you mean by this. But that "something" looking for a port from a security standpoint is basically the entire internet testing your configuration. No port is "safe" or unknown... the idea of security by obscurity is not a good approach. Bots will scan all ports for anything open/vulnerable. Put another way, the internet is the velociraptor and your router is their cage.

Meanwhile...

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

It's essentially solved yes, I just have one more question that I believe relates to all this.

I was TeamViewing a friend's PC, and tried my IP address in their browser just for kicks, and it went right to my router login page! I thought uh oh, did I change router settings in my quest to solve this dilemma? Then I remembered: on my way to trying to fix this port forward issue on my own, I changed a few settings on the 'Firewall - Zone Settings' page, such as changing the WAN zone's input to 'accept'. I changed the WAN zone's input back to reject, and it no longer allowed me to log in to Luci from my friend's remote (external) browser. But I wanted to post the 'Firewall - Zone Settings' page here to make sure everything is set properly. I think maybe one more thing was set to reject, not sure. Maybe you can let me know; here's a screenshot of the page. Thanks!