Configuring OpenWRT for incoming SMTP, etc

"config rule" is the "luci Firewall Rules," correct?

When I didn't have any success, I tried adding the rules. I will remove those. However, my reading of the config/firewall file says that it is going to reject everything from the wan.

"Zone Rule"

B

When you have port forwards, that dnat traffic is accepted.

ct status dnat accept comment "!fw4: Accept port forwards"

OK. I have edited the firewall file to remove those rules, but don't see any more success.

tcpdump wan doesn't see any traffic.

I would be happy to send any more files or data.

Sorry. Not quite correct.

I was still using Andrew's edited tcpdump br-lan command.

Using tcpdump wan, I do see traffic coming in.

Inside the network, nothing.

B

I can set up outgoing SSH and web connections, which is how I am talking to you.

Incoming, nothing.

Brian

Show the actual content of /etc/config/firewall

root@OpenWrt:/etc/config# cat firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Mail4'
        list proto 'tcp'
        option src 'wan'
        option src_dport '26'
        option dest_ip '192.168.1.187'
        option dest_port '26'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Bard8'
        list proto 'tcp'
        option src 'wan'
        option src_dport '2121'
        option dest_ip '192.168.1.248'
        option dest_port '22'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Mail2'
        list proto 'tcp'
        option src 'wan'
        option src_dport '2187'
        option dest_ip '192.168.1.187'
        option dest_port '2121'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Bard9SSH'
        list proto 'tcp'
        option src 'wan'
        option src_dport '2122'
        option dest_ip '192.168.1.249'
        option dest_port '22'

Looks good to me. Try rebooting and test again with the port of choice, like 2121 externally and 22 internally.

ssh: connect to host "outside DNS address" port 2121: No route to host

Since I have the SSH outgoing connection to allow me to do that command, tcpdump does see the traffic with that connection, but nothing incoming independently.

I was also able to ask my SMTP provider to do a test, but it got no answer, either.

Use the updated syntax from my earlier post.
No need to ask anyone, you can use the external web site as shown earlier.

Thank you. I hadn't got to that web site, just stopped at the tcpdump command.

Error: I could not see your service on "external IP" on port (2121)

This tells us that there is no TCP connection established; however, you should also check at the same time with tcpdump on the LAN to exclude possible problems with the endpoint (local server).

Andrew,

I apologize for disappearing. The Forum decided that our conversation had been going on for too long, and forced me to stop.

Inside the network, if I use telnet to port 22 to the different machines, I do get an SSH response (banner).

However, as we saw yesterday, no access from outside.

Brian

P.S. I have a meeting in about 15 minutes, so won't take up much of your time.

B

As I told Andrew later yesterday, tcpdump of the WAN interface does show the incoming traffic, but it doesn't seem to get past the firewall.

If I try a telnet connection from inside the network to one of the SSH machines, I do see an SSH banner in response.

Frustrated.

Brian

Can you successfully send mail via your server when you set the smtp server to the local (lan) address and while you are on the same network?

That's an interesting thought.

I have to run to my meeting now, but will test afterwards.

So I would re-configure Postfix to use the local address as the "outgoing smarthost," correct?

Thanks,
Brian

You don't really need any server running to test your port forwarding rules. You don't even need your server PC to be turned on.
This is what you should see with the rule working when testing [local] port 22, for example:

root@router:~# tcpdump -i br-lan ! host 192.168.1.1 and dst port 22
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
22:25:00.831817 IP mypc.external.domain.xxxxx > myserver.local.domain.22: Flags [S], seq 2329345232, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

That was captured with the basic rule configured:

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'test'
        list proto 'tcp'
        option src 'wan'
        option src_dport 'some_external_port'
        option dest_ip '192.168.1.234'
        option dest_port '22'
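As an added example, not code from this thread or from OpenWrt: a small POSIX shell helper that parses a UCI firewall file like the one posted above, lists every redirect and prints the tcpdump filter for the br-lan check Andrew describes, so each forward can be tested in turn without the target server running. It assumes the router's LAN address is 192.168.1.1 (override with ROUTER_LAN_IP) and that fw4 does not rewrite the port when dest_port is omitted; the sample config inside is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list every "config redirect" in a UCI
# firewall file and print the tcpdump filter that shows its DNATed packets on
# br-lan, the check Andrew describes. Assumes the router LAN IP is 192.168.1.1.
ROUTER_LAN_IP="${ROUTER_LAN_IP:-192.168.1.1}"
# redirect_filters <firewall-file>: one line per redirect, tcpdump filter last.
redirect_filters() {
    awk -v router="$ROUTER_LAN_IP" -v q="'" '
    function flush() {
        if (in_redirect && dest_ip != "") {
            if (proto == "") proto = "tcp"              # fw4 default when proto is omitted
            if (dest_port == "") dest_port = src_dport  # assumption: port not rewritten if dest_port omitted
            printf "name=%s wan_port=%s -> %s:%s filter: ! host %s and (%s) and dst host %s and dst port %s\n",
                name, src_dport, dest_ip, dest_port, router, proto, dest_ip, dest_port
        }
        in_redirect = 0; name = "(unnamed)"; src_dport = ""; dest_ip = ""; dest_port = ""; proto = ""
    }
    /^config[ \t]/ { flush(); if ($2 == "redirect") in_redirect = 1; next }
    in_redirect && /^[ \t]*(option|list)[ \t]/ {
        val = $0; sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", val); gsub(q, "", val)
        if ($2 == "name") name = val
        else if ($2 == "src_dport") src_dport = val
        else if ($2 == "dest_ip") dest_ip = val
        else if ($2 == "dest_port") dest_port = val
        else if ($2 == "proto") { gsub(/ /, " or ", val); proto = (proto == "") ? val : proto " or " val }
    }
    END { flush() }' "$1"
}
# Constructed sample in the same format as the thread's /etc/config/firewall
# (a plain rule is included to show that non-redirect sections are skipped).
sample_config() {
    cat <<'EOF'
config rule
        option name 'Allow-SSH-Local'
        option dest_port '22'
config redirect
        option name 'Bard8'
        list proto 'tcp'
        option src_dport '2121'
        option dest_ip '192.168.1.248'
        option dest_port '22'
config redirect
        option name 'Game'
        list proto 'udp'
        option src_dport '27015'
        option dest_ip '192.168.1.50'
EOF
}
# On the router: redirect_filters /etc/config/firewall, then tcpdump -i br-lan '<filter>' (quote it).
if [ -n "${1:-}" ]; then redirect_filters "$1"; fi
```

While the filter runs, make one connection from outside to the WAN port; a SYN for the internal host means the forward works and the remaining problem is the endpoint, while silence with traffic visible on the WAN interface points at the firewall or upstream.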