bdmc
December 2, 2025, 9:29pm
1
It has been too long since I built an OpenWRT box. For a while I was using OpenWRT on several different machines, but recently I have been using commercial boxes.
Now I am trying to go back to OpenWRT and, apparently, missing something.
I have edited Port Forwards, and Firewall Traffic Rules, and think that I have those correct, but obviously not.
I can do an NMAP from both inside and outside the network, and the correct ports appear to be exposed. I have re-checked the destination IP address ( LAN machine that is supposed to handle E-Mail ) and used telnet to probe the correct ports.
From inside the network, telnet gets an answer, but not necessarily from Postfix. From outside the network, no answer.
What am I missing?
Thanks,
Brian
Many ISPs block SMTP, so that could be one major reason. If your ISP doesn't explicitly block it, you still could have other ISP related issues such as CG-NAT (in which case, it also won't work). Or you could have config issues.
Let's start by looking at the OpenWrt config to see if it's setup correctly.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:
```
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
```
bdmc
December 2, 2025, 9:38pm
3
Thank you. Yes, that's why I have used 26 for that port for many years.
I will send that information in a second message.
B
Changing the port number can sometimes get around a block, but if the ISP really wants to block the traffic, they would do so based on the actual protocol, rather than just the port number.
bdmc
December 2, 2025, 9:45pm
5
```
root@OpenWrt:~# ubus call system board
{
	"kernel": "6.6.93",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7628AN ver:1 eco:2",
	"model": "Netgear R6120",
	"board_name": "netgear,r6120",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.2",
		"revision": "r28739-d9340319c6",
		"target": "ramips/mt76x8",
		"description": "OpenWrt 24.10.2 r28739-d9340319c6",
		"builddate": "1750711236"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd09:bf48:b39c::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr 'XX'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Mail4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '26'
	option dest_ip '192.168.1.187'
	option dest_port '26'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Bard8'
	list proto 'tcp'
	option src 'wan'
	option src_dport '2121'
	option dest_ip '192.168.1.248'
	option dest_port '22'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Mail2'
	list proto 'tcp'
	option src 'wan'
	option src_dport '2187'
	option dest_ip '192.168.1.187'
	option dest_port '2121'

config rule
	option src 'wan'
	option dest 'lan'
	option name 'MailIn'
	list proto 'tcp'
	option src_port '26'
	list dest_ip '192.168.1.187'
	option dest_port '26'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option name 'SSHIn'
	list proto 'tcp'
	option src_port '2121'
	list dest_ip '192.168.1.247'
	option dest_port '22'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option name 'Bard9SSH'
	list proto 'tcp'
	option src_port '2122'
	list dest_ip '192.168.1.249'
	option dest_port '22'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option name 'MailSSH'
	list proto 'tcp'
	option src_port '2187'
	list dest_ip '192.168.1.187'
	option dest_port '2121'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Bard9SSH'
	list proto 'tcp'
	option src 'wan'
	option src_dport '2122'
	option dest_ip '192.168.1.249'
	option dest_port '22'
```
I see that I have a duplicate Port Forward, but that shouldn't be fatal.
Next?
You can check the ports without configuring any rule as shown here: [SOLVED] Port forwarding not working on wan - #8 by AndrewZ
bdmc
December 2, 2025, 9:48pm
7
Andrew,
I looked at your message, and discovered that I do not have tcpdump installed. Working on that.
Brian
bdmc
December 2, 2025, 9:50pm
8
Andrew,
Hmmm. tcpdump says that there is no "wan" device.
B
mk24
December 2, 2025, 9:52pm
9
Tcpdump uses the kernel interface names; since this is swconfig, eth0.2 is the wan.
bdmc
December 2, 2025, 9:53pm
10
Yes, that is what I tried.
I used telnet from outside the network, and see results from tcpdump going to port 26.
Brian
AndrewZ
December 2, 2025, 9:53pm
11
`tcpdump --list-interfaces` will give you the list of interfaces available on your hardware.
bdmc
December 2, 2025, 9:55pm
12
I used "ip a". Almost the same thing.
It appears that the traffic is getting through the firewall, doesn't it?
I will try restarting Postfix, although NMAP from inside the network shows that that port is active.
B??
AndrewZ
December 2, 2025, 9:58pm
13
When you run tcpdump on WAN, you test your ISP.
When you run it on LAN, you test your rules.
bdmc
December 2, 2025, 10:00pm
14
OK, slight side step.
When I telnet to the mail machine on port 26, Postfix should answer with an "EHLO", shouldn't it, not just a telnet prompt?
B
AndrewZ
December 2, 2025, 10:03pm
15
Not sure about Postfix, but
```
$ telnet smtp.google.com 25
Trying 2a00:1450:4025:401::1b...
Connected to smtp.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP a640c23a62f3a-b76f5a3f76fsi752431166b.799 - gsmtp
```
bdmc
December 2, 2025, 10:09pm
16
Yes, nothing like that.
OK, different but related, I also have port forwards for a couple of SSH connections coming in.
They don't work any better than Mail.
I tried the tcpdump on wan for the appropriate port, and do get a result. It looks like:
```
22:06:02.347127 IP outside.51528 > wan-address.2121: Flags [S], seq 1450071538, win 64240, options [mss 1460,sackOK,TS val 2083621276 ecr 0,nop,wscale 7], length 0
22:06:03.391354 IP outside.51528 > wan-address.2121: Flags [S], seq 1450071538, win 64240, options [mss 1460,sackOK,TS val 2083622321 ecr 0,nop,wscale 7], length 0
22:06:04.415166 IP outside.51528 > wan-address.2121: Flags [S], seq 1450071538, win 64240, options [mss 1460,sackOK,TS val 2083623345 ecr 0,nop,wscale 7], length 0
22:06:05.439156 IP outside.51528 > wan-address.2121: Flags [S], seq 1450071538, win 64240, options [mss 1460,sackOK,TS val 2083624369 ecr 0,nop,wscale 7], length 0
```
Brian
AndrewZ
December 2, 2025, 10:14pm
17
That means that the ISP is not blocking these ports.
Now test on the LAN side with something like this:
```
tcpdump -i br-lan ! host 192.168.1.1 and dst port 22
```
bdmc
December 2, 2025, 10:18pm
18
I see a lot outgoing, but nothing incoming.
Hmm. Since I am connected to an outside machine to be able to do the incoming tests, I don't think that I can avoid the outgoing traffic.
bdmc
December 2, 2025, 10:21pm
19
OK, I tried a different SSH port, one of my redirect ports, and I got a result on tcpdump wan, but nothing on br-lan.
AndrewZ
December 2, 2025, 10:29pm
20
For port forwarding between WAN and LAN you only need "config redirect", not "config rule".
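As an added example that is not part of the thread, here is a small audit script for the kind of config posted above: it parses the UCI text format, flags the same WAN port forwarded twice (the duplicate the poster noticed), and lists `config rule` entries that either duplicate a redirect or match no redirect at all. The `parse_uci`, `audit_forwards` and `uci_block` names and the sample config are constructed for this example; the parser assumes single-quoted values as in the posted file.

```python
import re
from collections import Counter

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {key: value}) tuples."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", line)
        if not m:
            continue
        kind, key, val = m.groups()
        if kind == "config":
            sections.append((key, {}))
        elif sections:
            sections[-1][1][key] = val  # last value wins; enough for this audit
    return sections

def audit_forwards(text):
    """Return sorted findings about WAN->LAN port forwards in a firewall config."""
    secs = parse_uci(text)
    redirects = [s for t, s in secs if t == "redirect" and s.get("src") == "wan"]
    rules = [s for t, s in secs if t == "rule" and s.get("src") == "wan" and s.get("dest") == "lan"]
    findings = []
    # 1. The same WAN port forwarded twice (the poster spotted one of these).
    for port, n in Counter(s.get("src_dport") for s in redirects).items():
        if n > 1:
            findings.append(f"duplicate redirect for WAN port {port} ({n} entries)")
    # 2. A redirect already permits the forwarded traffic, so a matching rule is
    #    redundant; note a rule's src_port is the client's source port, not the WAN port.
    targets = {(s.get("src_dport"), s.get("dest_ip"), s.get("dest_port")) for s in redirects}
    for r in rules:
        key = (r.get("src_port"), r.get("dest_ip"), r.get("dest_port"))
        name = r.get("name", "unnamed")
        if key in targets:
            findings.append(f"rule {name} is redundant: redirect for WAN port {key[0]} exists")
        else:
            findings.append(f"rule {name} matches no redirect (check dest_ip/ports)")
    return sorted(findings)

def uci_block(kind, **opts):
    """Build one UCI section as text (helper for the constructed sample below)."""
    return f"config {kind}\n" + "".join(f"\toption {k} '{v}'\n" for k, v in opts.items())

# Constructed sample modelled on the posted config: a forward, a rule duplicating it,
# a rule whose dest_ip matches no redirect, and the same redirect entered twice.
SAMPLE = (
    uci_block("redirect", name="Mail4", src="wan", src_dport="26", dest_ip="192.168.1.187", dest_port="26", target="DNAT")
    + uci_block("rule", name="MailIn", src="wan", dest="lan", src_port="26", dest_ip="192.168.1.187", dest_port="26", target="ACCEPT")
    + uci_block("rule", name="SSHIn", src="wan", dest="lan", src_port="2121", dest_ip="192.168.1.247", dest_port="22", target="ACCEPT")
    + uci_block("redirect", name="Bard9SSH", src="wan", src_dport="2122", dest_ip="192.168.1.249", dest_port="22", target="DNAT") * 2
)
```

Run it against a real file with `audit_forwards(open("/etc/config/firewall").read())`; an empty list means only clean redirects were found.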