DMZ and no access to ports on public ip?

Hi there

I've got a fiber router from my ISP, but they lock the access (web GUI) to it.

Its private (LAN) IP address is 192.168.254.1...

And it has a port forward from any port to 192.168.254.2.

So I can configure my own OpenWrt router as a DMZ, when I use the static IP 192.168.254.2 on its WAN port.

Then I'm able to configure a port forward, e.g. for port 80:

-> public IP xxx.xxx.xxx.xxx -> 192.168.254.2 (fiber router) -> 192.168.1.1 (my own OpenWrt router) -> 192.168.1.171 (Win10 machine with Apache)

BUT: when I try to enter the public IP xxx.xxx.xxx.xxx in the browser (same computer where Apache is running on port 80), there is no response on port 80.

When I use Tor Browser, a VPN connection or a separate internet connection on my mobile phone, port 80 gives me a response...

This problem is really, really strange... does somebody have a hint for me? Might the problem be on my own OpenWrt router or on the fiber router of my ISP?

Tracert:

Microsoft Windows [Version 10.0.17134.228]
(c) 2018 Microsoft Corporation. Alle Rechte vorbehalten.

C:\Users\zzz>tracert yyy

Routenverfolgung zu xxx.dyn.ftth.fcom.ch [yyy]
über maximal 30 Hops:

1 <1 ms <1 ms <1 ms OpenWrt.lan [192.168.1.1]
2 4 ms 8 ms 3 ms xxx.dyn.ftth.fcom.ch [yyy]

Ablaufverfolgung beendet.

C:\Users\zzz>

yyy = my public IP
xxx = my public IP written in a reversed way

Port 80 on xxx.dyn.ftth.fcom.ch also does not respond from my own computer (the same computer where Apache is running on port 80), but I do get a response from Tor Browser, with a VPN connection, and from my mobile phone (so the same as described before).

The OpenWrt version I use is 18.06.1...

Thank you very much.

Best regards,
Jan

From http://192.168.254.2/ I do get a response (from the same computer where Apache is running, 192.168.1.171).

Regards,
Jan

Maybe I need to change something at this place?

image

Access from a virtual machine (which runs on the host system 192.168.1.171, the system where Apache runs on port 80) also does not work...

Regards,
Jan

...and the same problem with older versions of OpenWrt.
Regards,
Jan

fwiw, sounds like a 'NAT loopback' problem.
In the past I have come across a few ISP supplied routers where NAT loopback was deliberately disabled apparently to improve security.
I'm no expert, but I'm wondering if your problem is actually caused by what looks like a double-NAT setup (daisy chained routers).
Do you see the same symptoms if you are able to replace the OpenWrt router with a non-OpenWrt device?


thx!!

"double-NAT setup"

Yes, they both run with NAT. The 1st one from the ISP has a DMZ (set up by the ISP, I don't have access to the config); the 2nd one (my OpenWrt) has NAT too, and redirects all requests from its external TCP port 80 on 192.168.254.2 to the 2nd private subnet, to 192.168.1.171:80.

So you think the problem is on that first router, the fiber one from the ISP.

"NAT loopback" is enabled on the port 80 TCP rule on the OpenWrt router.

Do you think it's a NAT loopback problem on the first (fiber from ISP) router?

Regards,
Jan

I can't answer the question because I'm not familiar with your ISP and its locked down router.

If your ISP has a user support forum, I would suggest asking if any other customer has encountered the same issue when using the fibre router.

This also does not work, which is why I commented it out:

# get_wanface and "nvram get" are DD-WRT helpers and do not exist on OpenWrt;
# the command substitutions around them were lost when the snippet was pasted.
#insmod ipt_mark
#insmod xt_mark
#iptables -t mangle -A PREROUTING -i ! $(get_wanface) -d $(nvram get wan_ipaddr) -j MARK --set-mark 0xd001
#iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE

...before I had the fibre router from the ISP, I had a cable modem (in bridge mode); at that time, I never had problems with port forwards on OpenWrt...

Workaround: "iptables_custrules.sh"

#!/bin/sh
# Look up the public IP (the WAN address of the ISP router) at run time.
set -x && wget -qO- http://ipecho.net/plain > ./public_ip.txt
# DNAT LAN traffic that is addressed to the public IP on TCP/80 to the Apache host.
for IP in $(cat ./public_ip.txt); do iptables -t nat -A PREROUTING -d "$IP" -m tcp -p tcp --dport 80 -j DNAT --to-destination 192.168.1.171; done
# SNAT so the server's replies return through the router (hairpin) instead of going straight to the LAN client.
iptables -t nat -A POSTROUTING -d 192.168.1.171 -s 192.168.1.0/24 -j SNAT --to-source 192.168.1.1 && rm -f ./public_ip.txt

(http://www.tomshardware.co.uk/forum/12532-42-iptables-access-local-server-external)

That's the place to put that file in - it should start without any user interaction (similar to a service) and AFTER all other iptables firewall rules...

Thank you for your feedback.

P.S.: If you see something to improve, it would be nice if you tell me! ;-)

With best regards,
Jan

Hehe, I think I need to correct myself, I was a little bit tired, I think. So the sentence should be:

"What's the best directory to put that file in?

It should start without any user interaction (similar to a service) and AFTER all other iptables firewall rules..."

Regards,
Jan

Your ISP's router isn't configured to allow "hairpin NAT".

Yes, and I don't have any access to the config GUI. The ISP configured a DMZ for me on 192.168.254.2. Because of that, I use an OpenWrt router too (IP 192.168.1.1).

What's the "best" directory to put my iptables workaround script in? It needs to start like a service - without any user interaction, not manually, with every router boot:

#!/bin/sh
# Look up the public IP (the WAN address of the ISP router) at run time.
set -x && wget -qO- http://ipecho.net/plain > ./public_ip.txt
# DNAT LAN traffic that is addressed to the public IP on TCP/80 to the Apache host.
for IP in $(cat ./public_ip.txt); do iptables -t nat -A PREROUTING -d "$IP" -m tcp -p tcp --dport 80 -j DNAT --to-destination 192.168.1.171; done
# SNAT so the server's replies return through the router (hairpin) instead of going straight to the LAN client.
iptables -t nat -A POSTROUTING -d 192.168.1.171 -s 192.168.1.0/24 -j SNAT --to-source 192.168.1.1 && rm -f ./public_ip.txt

That depends on the contents of the include directive in /etc/config/firewall.

By default it points to the file at /etc/firewall.user but that can be changed.

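
To make the placement concrete: the script below is an added example, not the thread author's script and not part of OpenWrt, written as a drop-in for /etc/firewall.user. That file is the default include, so it is executed after fw3 has loaded the rules from /etc/config/firewall and again on every firewall reload, which answers the ordering concern without a sleep timer. It assumes the addresses from the thread (LAN 192.168.1.0/24 behind the OpenWrt router 192.168.1.1, Apache on 192.168.1.171, TCP port 80), the same public-IP lookup service the posted script uses, and that the conntrack match (kmod-ipt-conntrack, which fw3 itself depends on) is available; the helper names is_ipv4, public_ip, hairpin_rules and apply_hairpin are mine. Compared with the posted workaround it validates the looked-up address before it lands on an iptables command line, limits the SNAT to connections that were actually DNATed so that ordinary LAN-to-server traffic keeps the client's real address in Apache's logs, and checks for an existing rule before appending so reloads do not stack duplicates.

```shell
#!/bin/sh
# Hairpin-NAT workaround for /etc/firewall.user on OpenWrt.
# Added example, not the thread author's script and not part of OpenWrt.
# Assumptions taken from the thread: LAN 192.168.1.0/24 behind the OpenWrt
# router 192.168.1.1, Apache on 192.168.1.171, TCP port 80, and the same
# public-IP lookup service the posted script uses.

LAN_NET="192.168.1.0/24"
LAN_GW="192.168.1.1"
SERVER="192.168.1.171"
PORT="80"
IP_LOOKUP_URL="http://ipecho.net/plain"

# Accept only a dotted-quad IPv4 address, so that a failed lookup (empty
# output, an HTML error page) can never be spliced into an iptables command.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Look up the public address; -T bounds the wait if the WAN is not up yet.
public_ip() {
    wget -T 5 -qO- "$IP_LOOKUP_URL" 2>/dev/null | tr -d '[:space:]'
}

# Print the nat-table rules for a given public IP, one per line, in the form
# "<chain> <rule arguments>".
#  - PREROUTING: LAN clients that address PUBLIC_IP:PORT are sent to the server.
#  - POSTROUTING: only connections that were actually DNATed (--ctstate DNAT)
#    get their source rewritten to the router, so the server's replies travel
#    back through the router instead of going straight to the LAN client (the
#    client would reject them, since it sent its SYN to the public IP).
#    Ordinary LAN-to-server traffic is untouched and keeps the real client IP.
hairpin_rules() {
    pub="$1"
    is_ipv4 "$pub" || return 1
    printf '%s\n' "PREROUTING -s $LAN_NET -d $pub -p tcp --dport $PORT -j DNAT --to-destination $SERVER:$PORT"
    printf '%s\n' "POSTROUTING -s $LAN_NET -d $SERVER -p tcp --dport $PORT -m conntrack --ctstate DNAT -j SNAT --to-source $LAN_GW"
}

# Install the rules; leaves the nat table untouched if the lookup failed.
# "-C" first checks whether a rule is already present, so firewall reloads
# do not stack duplicate copies of the same rule.
apply_hairpin() {
    pub="$(public_ip)"
    if ! is_ipv4 "$pub"; then
        echo "hairpin: could not determine the public IP, no rules added" >&2
        return 1
    fi
    hairpin_rules "$pub" | while IFS= read -r rule; do
        # $rule is split on purpose: first word is the chain, the rest the match/target
        iptables -t nat -C $rule 2>/dev/null || iptables -t nat -A $rule || return 1
    done
}

# Only modify the firewall on an OpenWrt box; on any other system the file can
# simply be sourced to exercise the rule generator.
if [ -f /etc/openwrt_release ]; then
    apply_hairpin || true
fi
```

Install it as /etc/firewall.user (or whatever path the include section in /etc/config/firewall names) and run `/etc/init.d/firewall restart`; `iptables -t nat -L PREROUTING -n` afterwards should show the DNAT line with the current public IP, and a LAN client browsing to the public IP should now reach Apache. If the WAN is down at boot the script logs to stderr and adds nothing, and the next firewall reload tries again.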

It should be executed AFTER all other firewall rules...

Bung your custom rules in a separate script, then use a sleep timer to delay the execution of the script, on each startup:

sleep 60
/etc/myfirewallrules

Thank you very much, will look for that... :-)


Isn't that the correct path to execute it automatically?

/etc/init.d/iptables_custrules.hm

instead of

/etc/iptables_custrules.sh

?

https://openwrt.org/docs/techref/preinit_mount may contain some relevant information.