I can't set up port forwarding. I set it in LuCI, but I can't access it from the external network or the internal network.
My environment is a dual-router setup. The real WAN is connected to the ISP router. My router is connected to the ISP router's LAN, so my building router's WAN port is connected to the ISP router's LAN.
I checked with nmap; it said closed. I checked with tcpdump; I couldn't see any access.
Here are the setting files.
# /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd91:f525:2327::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'
# /etc/config/firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	# option fullcone '1'
	option synflood_protect '1'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'SSH'
	option src 'wan'
	option src_dport '2222'
	option dest_ip '192.168.2.1'
	option dest_port '22'
	list proto 'tcp'

config rule
	option name 'All OKay'
	option src 'wan'
	option dest 'lan'
	option target 'ACCEPT'
	option enabled '1'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'All Okay2'
	option src 'wan'
	option target 'ACCEPT'
	option enabled '1'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'All OKay3'
	option dest 'lan'
	option target 'ACCEPT'
	option enabled '1'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'All OKay4'
	option src '*'
	option dest '*'
	option target 'ACCEPT'
	option enabled '1'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'All OKay5'
	option src 'lan'
	option dest 'wan'
	option target 'ACCEPT'
	option enabled '1'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'SSH'
	list proto 'tcp'
	option src 'wan'
	option src_port '2222'
	list dest_ip '192.168.2.1'
	option dest_port '22'
	option target 'ACCEPT'
	option enabled '1'
	list proto 'tcp'
	list proto 'udp'
Thank you for your message.
I do not want to be able to access the site from a public IP, but only from within the LAN provided by the ISP router. Eventually I will change the settings on the ISP router, but for now I am fine with only within the LAN of the ISP router.
Right now it is not accessible from within the LAN of that ISP router, i.e., not even from the network upstream of the OpenWrt router. It is also not accessible from within the OpenWRT router's LAN.
If I misunderstand, sorry.
Sorry, I won't make a wireless router. I want to make a wired router. Still, should I set up my OpenWrt device as a dumb AP? But my device doesn't have Wi-Fi.
I'm having a lot of trouble understanding your diagram and what you are trying to achieve...
Do you want to have the BPi create an entirely separate network so devices behind the BPi are on a different network than the ISP router's LAN?
What specific connections are you attempting to make? For example (just making up some hosts):
192.168.2.5 > 192.168.0.23 ?
192.168.0.23 > 192.168.0.5 ?
Your firewall file appears to be wrong in many ways... I'd recommend deleting all of the following:
Yes, I want to have the BPi create an entirely separate network so devices behind the BPi are on a different network than the ISP router's LAN. @frollic Sorry, my words were wrong. I just need to be able to access the OpenWrt router port from a PC in the ISP router's LAN.
Is the ISP router's LAN a trusted network? If so, you can simply set the OpenWrt wan zone's input policy to accept. NOTE: Do not do this if the upstream network is not trusted!
test@TESTPC:~$ nmap 192.168.0.6 -p 2222
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-30 16:09 JST
Nmap scan report for 192.168.0.6
Host is up (0.00069s latency).
PORT STATE SERVICE
2222/tcp closed EtherNetIP-1
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
What device are you trying to connect to? From your previous diagram, it appears that your BPi is at address 192.168.0.17, but here you are trying to connect to 192.168.0.6.
What are you trying to connect to on port 2222? ssh runs by default on port 22, unless you changed it, or maybe port 2222 is for another service. If you have another service running on port 2222, you should check to make sure it's actually running.
Sorry, I gave an incomplete explanation and had a mis-setting.
When my router rebooted, the BPi's IP changed, so 192.168.0.17 => 192.168.0.6. So I modified the ISP router's setting.
But it didn't work.
test@TESTPC:~$ nmap 192.168.0.6 -p 22,2222
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-30 16:37 JST
Nmap scan report for 192.168.0.6
Host is up (0.0016s latency).
PORT STATE SERVICE
22/tcp open ssh
2222/tcp closed EtherNetIP-1
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
Yes, I can access port 22. But I want port forwarding.
I set a port forward 192.168.2.1:22 => WAN(192.168.0.6):2222, but it didn't work. I accessed 192.168.0.6:2222, and it refused.
test@TESTPC:~$ ssh root@192.168.0.6 -p 2222
ssh: connect to host 192.168.0.6 port 2222: Connection refused
I don't understand.... why would you set a port forward from the lan to the wan? That's not going to work.
And why do you want the ssh server running on port 2222?
But, based on what it appears you're trying to do... just change the port for the dropbear (ssh) service itself by editing the file /etc/config/dropbear
you'll see this... just change 22 to 2222 and then restart the router.
config dropbear
	option PasswordAuth 'on'
	option Port '22'
Indeed it is, just change the SSH port. However, I don't have enough LAN cables to connect other computers to the OpenWRT router, and I will rewire it when I start using the OpenWRT router as my main router, but not soon. So I am port-forwarding the SSH port to 2222 for testing purposes.
And I want to publish a port of a computer inside the OpenWRT router's LAN to outside the OpenWRT router, on the ISP router's LAN.
I really don’t understand what you are trying to accomplish here. It seems that you are making unnecessary changes - the ssh port of the router shouldn’t have anything to do with how many things are connected, so your whole premise is very confusing.
But if you want to translate port 2222 > port 22 when connecting from the wan, you have the following options:
change the dropbear port as I already described.
add a new dropbear instance on port 2222
or make a port forward rule from source zone wan, source dport 2222, destination zone wan, destination port 22
OK. I changed the case.
I want to port forward any port. For example, I need to port forward 192.168.2.2 (main PC):3389 (Windows RDP port) => 192.168.0.6.
I tried it, but it didn't work.
test@TESTPC:~$ nmap 192.168.0.6 -p 3389
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-30 17:28 JST
Nmap scan report for 192.168.0.6
Host is up (0.00071s latency).
PORT STATE SERVICE
3389/tcp closed ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
NOTE: I executed the nmap command on another Linux PC. 192.168.2.2 is my main Windows PC.
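As an added example (not code from this thread or from OpenWrt), here is a small lint that parses UCI firewall text and flags the kinds of problems the replies above point at in the firewall file posted at the start of the thread: blanket ACCEPT rules from the wan zone, a `src_port` match where a redirect with `src_dport` was intended, a DNAT redirect whose `dest_ip` is the router's own LAN address, and a wan zone with `input ACCEPT` (acceptable only for a trusted upstream LAN). It also carries a redirect for the RDP case asked about in this post (192.168.2.2:3389 reached through the OpenWrt wan address) that passes the same checks. The config excerpts are constructed copies of the posted config; the lan address comes from the posted network config; the statement that a redirect without `dest_ip` targets the router itself reflects fw3/fw4 behaviour as I understand it.

```python
"""Lint an OpenWrt UCI firewall config for common port-forward mistakes.
Added example, not code from the thread or from OpenWrt."""
import ipaddress
import shlex

# Constructed excerpt of the firewall config posted at the start of the thread,
# reduced to the sections the replies comment on.
POSTED_FIREWALL = """
config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option forward 'REJECT'

config redirect
    option name 'SSH'
    option src 'wan'
    option src_dport '2222'
    option dest 'lan'
    option dest_ip '192.168.2.1'
    option dest_port '22'
    option target 'DNAT'
    list proto 'tcp'

config rule
    option name 'All Okay2'
    option src 'wan'
    option target 'ACCEPT'
    list proto 'tcp'
    list proto 'udp'

config rule
    option name 'SSH'
    option src 'wan'
    option src_port '2222'
    list dest_ip '192.168.2.1'
    option dest_port '22'
    option target 'ACCEPT'
    list proto 'tcp'
"""

# Constructed redirect for the RDP case: wan:3389 -> 192.168.2.2:3389 (main PC).
RDP_FORWARD = """
config redirect
    option name 'RDP-main-pc'
    option src 'wan'
    option src_dport '3389'
    option dest 'lan'
    option dest_ip '192.168.2.2'
    option dest_port '3389'
    option target 'DNAT'
    list proto 'tcp'
"""

LAN_ADDR = "192.168.2.1/24"  # lan ipaddr/netmask from the posted network config


def parse_uci(text):
    """Parse UCI text into [(section_type, {option: value or [values]})]."""
    sections = []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)   # handles quotes and '#' comments
        if not words:
            continue
        kind, key = words[0], words[1] if len(words) > 1 else ""
        value = words[2] if len(words) > 2 else ""
        if kind == "config":                      # 'config <type> [<name>]'
            sections.append((key, {}))
        elif kind == "option":                    # single value
            sections[-1][1][key] = value
        elif kind == "list":                      # repeated values
            sections[-1][1].setdefault(key, []).append(value)
    return sections


def lint_firewall(text, lan_addr=LAN_ADDR):
    """Return [(section name, problem)] findings for the checks described above."""
    lan = ipaddress.ip_interface(lan_addr)
    findings = []
    for kind, o in parse_uci(text):
        name, src = o.get("name", "?"), o.get("src")
        if kind == "zone" and name == "wan" and o.get("input") == "ACCEPT":
            findings.append((name, "wan input ACCEPT exposes every router service "
                                   "to the upstream network; only for a trusted LAN"))
        elif kind == "rule" and o.get("target") == "ACCEPT" and src in ("wan", "*"):
            if not any(k in o for k in ("dest_port", "dest_ip", "src_ip")):
                findings.append((name, "blanket ACCEPT from %s with no port or "
                                       "address match" % src))
            if "src_port" in o and "dest_port" in o:
                findings.append((name, "src_port matches the client's source port %s; "
                                       "a port forward needs a redirect with src_dport"
                                       % o["src_port"]))
        elif kind == "redirect" and o.get("target") == "DNAT" and "dest_ip" in o:
            raw = o["dest_ip"]
            dest_ip = ipaddress.ip_address(raw[0] if isinstance(raw, list) else raw)
            if dest_ip == lan.ip:
                findings.append((name, "dest_ip is the router's own lan address; change "
                                       "the dropbear Port or omit dest_ip so the redirect "
                                       "targets the router itself"))
            elif dest_ip not in lan.network:
                findings.append((name, "dest_ip %s is outside the lan subnet %s"
                                       % (dest_ip, lan.network)))
    return findings


if __name__ == "__main__":
    for section, problem in lint_firewall(POSTED_FIREWALL):
        print("%-10s %s" % (section, problem))
    print("RDP forward findings:", lint_firewall(RDP_FORWARD))
```

Run against the posted excerpt it reports three findings (the SSH redirect pointing at the router's own address, the blanket "All Okay2" rule, and the "SSH" rule matching on source port); the RDP redirect produces none. The checks are deliberately conservative: a missing `src` is left alone because in UCI firewall rules that means router-originated traffic, not traffic from the wan.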
You should probably use this opportunity to upgrade to the latest version of OpenWrt. Install 22.03.3, do not keep settings during the upgrade. Then, make your necessary changes to the settings, and try again.