Configuration of Zyxel EX5512-T0 Router

Hello all,

I have recently changed routers to a Zyxel EX5512-T0, and I have been attempting to port forward to little success. I had been running a Minecraft server on my previous router with no issues whatsoever, so I am fairly certain there is something wrong on this new router's end.

I have tried directly using the admin panel by logging into the router, but it displays an exceptionally limited and incapable version, as exampled in this Reddit post. The original poster recommended getting in contact with my ISP, but I was told to get in contact with the folks who provided the router, Zyxel — in turn, they recommended I get in contact with my ISP. As you can imagine, there isn't a whole lot I can gather from cyclically being referred from one company to the other.

That all said, I've resorted to attempting to configure the firewall through SSH. Below is a concatenation of some relevant information.

Here is the OS release (cat /etc/os-release):

NAME="OpenWrt"
VERSION="21.02-SNAPSHOT"
ID="openwrt"
ID_LIKE="lede openwrt"
PRETTY_NAME="OpenWrt 21.02-SNAPSHOT"
VERSION_ID="21.02-snapshot"
HOME_URL="https://openwrt.org/"
BUG_URL="https://bugs.openwrt.org/"
SUPPORT_URL="https://forum.openwrt.org/"
BUILD_ID="unknown"
OPENWRT_BOARD="mediatek/ex5512t0"
OPENWRT_ARCH="aarch64_cortex-a53"
OPENWRT_TAINTS="no-all busybox"
OPENWRT_DEVICE_MANUFACTURER="OpenWrt"
OPENWRT_DEVICE_MANUFACTURER_URL="https://openwrt.org/"
OPENWRT_DEVICE_PRODUCT="Generic"
OPENWRT_DEVICE_REVISION="v0"
OPENWRT_RELEASE="OpenWrt 21.02-SNAPSHOT unknown"

Here is the router's current firewall config — all configuration blocks are default save for the final block (cat /etc/config/firewall):

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow_TR069'
	option proto 'tcp'
	option src 'wan'
	option dest_port '7547'
	option target 'ACCEPT'
	option cwmp_FirewallChainRule_instance '11'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config redirect
	option name 'mc-server'
	option src 'wan'
	option dest 'lan'
	option dest_ip '192.168.40.239'
	option dest_port '25565'
	option proto 'tcp udp'
	option target 'DNAT'
	option enabled '1'

Here is my game server's network configuration. I don't believe there's any configuration needed here, since I imagine this part wouldn't change between routers, but this is relevant nonetheless (iptables -L -n):

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.2           tcp dpt:9443
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.2           tcp dpt:8000
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.4           tcp dpt:63036
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.4           tcp dpt:60666
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.4           tcp dpt:52837
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.4           tcp dpt:25575
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.4           tcp dpt:25565
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.4           tcp dpt:10826
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.4           tcp dpt:4246

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25565,4246,8080,9092
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25565,4246,8080,9092
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

To test, I have been using https://mcsrvstat.us/server/ to check if connection to my public IP was permitted; all of my tests thus far have concluded in inoperation.

TLDR:

I'm trying to port forward on my Zyxel EX5512-T0 router, which uses OpenWrt version 21.02-SNAPSHOT, to enable public access to my Minecraft server. My router's web panel is malfunctioning, and both my ISP and router manufacturer instruct me to speak with the other.

I appreciate any help on the topic. I will do my best to answer any questions left unaddressed by the above information. Thank you!
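The following is an added example, not part of the original post and not OpenWrt or Zyxel tooling: a small shell/awk audit that lists what a UCI firewall file accepts or forwards from the `wan` zone. It assumes stock OpenWrt option semantics, where `src_dport` is the external port a redirect matches and `dest_port` is the internal port, which a vendor build may not follow; the function names `sample_config` and `audit_wan` are hypothetical.

```shell
#!/bin/sh
# Added example: report what a UCI firewall config accepts from the 'wan' zone.

# Constructed sample: two sections copied from the config posted above.
sample_config() {
cat <<'EOF'
config rule
	option name 'Allow_TR069'
	option proto 'tcp'
	option src 'wan'
	option dest_port '7547'
	option target 'ACCEPT'

config redirect
	option name 'mc-server'
	option src 'wan'
	option dest 'lan'
	option dest_ip '192.168.40.239'
	option dest_port '25565'
	option proto 'tcp udp'
	option target 'DNAT'
EOF
}

# audit_wan: UCI firewall text on stdin, one finding per line on stdout.
audit_wan() {
awk -v q="'" '
function emit(   on) {
    on = (o["enabled"] != "0" && o["enabled"] != "false")  # skip disabled sections
    if (type == "rule" && on && o["src"] == "wan" && o["target"] == "ACCEPT")
        print "OPEN " o["name"] ": " o["proto"] " dport " o["dest_port"]
    if (type == "redirect" && on && o["src"] == "wan") {
        print "DNAT " o["name"] ": " o["proto"] " -> " o["dest_ip"] ":" o["dest_port"]
        if (o["src_dport"] == "")
            print "WARN " o["name"] ": no src_dport, external port not pinned"
    }
    split("", o)                      # reset options for the next section
}
$1 == "config" { emit(); type = $2; next }
$1 == "option" {                      # value may contain spaces, e.g. tcp udp
    v = $0
    sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v)
    gsub("[" q "\"]", "", v)          # strip the surrounding quotes
    o[$2] = v
}
END { emit() }'
}

sample_config | audit_wan
```

On a router the same function can read the live file with `audit_wan < /etc/config/firewall`; `list` options are ignored, so multi-valued matches are not shown.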

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.
