[SOLVED] Do snapshot builds on WRT1900ACv2 have broken UDP port forwarding?

Help please!

Version:
OpenWrt SNAPSHOT r6951-22c16c5 / LuCI Master (git-18.138.53073-828202e)

I previously had UDP SIP+RTP forwarding (ports 5060, 10000-10010) working using a snapshot version of OpenWrt from about a month ago, but after upgrading to the latest this week (more than once to see if things changed) it seems that port forwarding is broken. I have, just to make sure, started from scratch using LuCI to configure just this one thing.

Some relevant info: I have a static IP address from my ISP configured via DHCP from their residential gateway, and on the router I can successfully see the UDP packets flowing to the router using the following:
tcpdump -i eth1.2 udp port 5060

However, on my server (the one running the target Asterisk endpoint), I get nothing passed on when listening with the equivalent tcpdump. Oddly, TCP port forwarding (ssh) still works.

My config in /etc/config/firewall is:

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '5060'
	option dest_ip '10.1.1.100'
	option dest_port '5060'
	option src_ip 'voip.provider.ip.addr'
	option name 'sip0'
	option src_dip 'external.ip.addr'

I'm not enough of an iptables expert to debug but here is the filtered dump:

fw3 print
Warning: Unable to locate ipset utility, disabling ipset support
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
iptables -t filter -N reject
iptables -t filter -N input_rule
iptables -t filter -N output_rule
iptables -t filter -N forwarding_rule
iptables -t filter -N syn_flood
iptables -t filter -N zone_lan_input
iptables -t filter -N zone_lan_output
iptables -t filter -N zone_lan_forward
iptables -t filter -N zone_lan_src_ACCEPT
iptables -t filter -N zone_lan_dest_ACCEPT
iptables -t filter -N input_lan_rule
iptables -t filter -N output_lan_rule
iptables -t filter -N forwarding_lan_rule
iptables -t filter -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
iptables -t filter -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
iptables -t filter -N zone_wan_input
iptables -t filter -N zone_wan_output
iptables -t filter -N zone_wan_forward
iptables -t filter -N zone_wan_src_REJECT
iptables -t filter -N zone_wan_dest_ACCEPT
iptables -t filter -N zone_wan_dest_REJECT
iptables -t filter -N input_wan_rule
iptables -t filter -N output_wan_rule
iptables -t filter -N forwarding_wan_rule
iptables -t filter -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
iptables -t filter -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
iptables -t filter -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
iptables -t filter -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
iptables -t filter -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
iptables -t filter -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
iptables -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
iptables -t filter -A syn_flood -m comment --comment "!fw3" -j DROP
iptables -t filter -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
iptables -t filter -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
iptables -t filter -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
iptables -t filter -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
iptables -t filter -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
iptables -t filter -A zone_wan_input -p 2 -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
iptables -t filter -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
iptables -t filter -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
iptables -t filter -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
iptables -t filter -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
iptables -t filter -D zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -D OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -D FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
iptables -t filter -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
iptables -t filter -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
iptables -t filter -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
iptables -t filter -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
iptables -t filter -D zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
iptables -t filter -D INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -D OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -D FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
iptables -t filter -D zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
iptables -t filter -D INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -D OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -D FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A FORWARD -m comment --comment "!fw3" -j reject
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule
iptables -t nat -N zone_lan_postrouting
iptables -t nat -N zone_lan_prerouting
iptables -t nat -N prerouting_lan_rule
iptables -t nat -N postrouting_lan_rule
iptables -t nat -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
iptables -t nat -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
iptables -t nat -N zone_wan_postrouting
iptables -t nat -N zone_wan_prerouting
iptables -t nat -N prerouting_wan_rule
iptables -t nat -N postrouting_wan_rule
iptables -t nat -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
iptables -t nat -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
iptables -t nat -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
iptables -t nat -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
iptables -t nat -A zone_wan_prerouting -p udp -s voip.provider.ip.addr/255.255.255.255 -d external.ip.addr/255.255.255.255 -m udp --dport 5060 -m comment --comment "!fw3: sip0" -j DNAT --to-destination 10.1.1.100:5060
iptables -t nat -D zone_lan_prerouting -p udp -s 10.1.1.0/255.255.255.0 -d external.ip.addr/255.255.255.255 -m udp --dport 5060 -m comment --comment "!fw3: sip0 (reflection)" -j DNAT --to-destination 10.1.1.100:5060
iptables -t nat -A zone_lan_prerouting -p udp -s 10.1.1.0/255.255.255.0 -d external.ip.addr/255.255.255.255 -m udp --dport 5060 -m comment --comment "!fw3: sip0 (reflection)" -j DNAT --to-destination 10.1.1.100:5060
iptables -t nat -D zone_lan_postrouting -p udp -s 10.1.1.0/255.255.255.0 -d 10.1.1.100/255.255.255.255 -m udp --dport 5060 -m comment --comment "!fw3: sip0 (reflection)" -j SNAT --to-source 10.1.1.1
iptables -t nat -A zone_lan_postrouting -p udp -s 10.1.1.0/255.255.255.0 -d 10.1.1.100/255.255.255.255 -m udp --dport 5060 -m comment --comment "!fw3: sip0 (reflection)" -j SNAT --to-source 10.1.1.1
iptables -t nat -A zone_wan_prerouting -p udp -d external.ip.addr/255.255.255.255 -m udp --dport 10000:10010 -m comment --comment "!fw3: rtp" -j DNAT --to-destination 10.1.1.100:10000-10010
iptables -t nat -D zone_lan_prerouting -p udp -s 10.1.1.0/255.255.255.0 -d external.ip.addr/255.255.255.255 -m udp --dport 10000:10010 -m comment --comment "!fw3: rtp (reflection)" -j DNAT --to-destination 10.1.1.100:10000-10010
iptables -t nat -A zone_lan_prerouting -p udp -s 10.1.1.0/255.255.255.0 -d external.ip.addr/255.255.255.255 -m udp --dport 10000:10010 -m comment --comment "!fw3: rtp (reflection)" -j DNAT --to-destination 10.1.1.100:10000-10010
iptables -t nat -D zone_lan_postrouting -p udp -s 10.1.1.0/255.255.255.0 -d 10.1.1.100/255.255.255.255 -m udp --dport 10000:10010 -m comment --comment "!fw3: rtp (reflection)" -j SNAT --to-source 10.1.1.1
iptables -t nat -A zone_lan_postrouting -p udp -s 10.1.1.0/255.255.255.0 -d 10.1.1.100/255.255.255.255 -m udp --dport 10000:10010 -m comment --comment "!fw3: rtp (reflection)" -j SNAT --to-source 10.1.1.1
iptables -t nat -D PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -D POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
iptables -t nat -D PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -D POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -D PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -D POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t mangle -D FORWARD -p tcp -o eth1.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A FORWARD -p tcp -o eth1.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -D FORWARD -p tcp -o eth1.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A FORWARD -p tcp -o eth1.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
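A quick way to settle whether the UCI redirect above was actually rendered into the nat table, so that debugging can move on to the path between router and server (where, as the thread's resolution shows, the drop really happened). This is an added example, not code from the post or from OpenWrt/fw3; it assumes a single-proto DNAT redirect and the `fw3 print` line format shown above, and the sample config and rule line are constructed from the post.

```python
import shlex
# Constructed from the post (added example, not OpenWrt's or fw3's own code).
UCI_FIREWALL = """config redirect
    option src 'wan'
    option proto 'udp'
    option src_dport '5060'
    option dest_ip '10.1.1.100'
    option src_ip 'voip.provider.ip.addr'
    option name 'sip0'
    option src_dip 'external.ip.addr'
"""
FW3_PRINT = ('iptables -t nat -A zone_wan_prerouting -p udp -s voip.provider.ip.addr/255.255.255.255 -d external.ip.addr/255.255.255.255 '
             '-m udp --dport 5060 -m comment --comment "!fw3: sip0" -j DNAT --to-destination 10.1.1.100:5060\n')

def parse_redirects(text):
    """One dict per 'config redirect' section: option name -> value."""
    sections = []
    for parts in (shlex.split(l) for l in text.splitlines()):
        if parts[:2] == ["config", "redirect"]:
            sections.append({})
        elif parts[:1] == ["option"] and sections:
            sections[-1][parts[1]] = parts[2]
    return sections

def parse_dnat_rules(text):
    """Map the '!fw3: <name>' comment of each appended (-A) DNAT rule to its match fields."""
    rules = {}
    for argv in (shlex.split(l) for l in text.splitlines()):
        if "-A" not in argv or "DNAT" not in argv:
            continue
        opt = lambda flag: argv[argv.index(flag) + 1] if flag in argv else None
        ip = lambda flag: (opt(flag) or "").split("/")[0] or None  # drop the /255.255.255.255 mask
        rules[(opt("--comment") or "").replace("!fw3: ", "")] = {
            "chain": opt("-A"), "proto": opt("-p"), "dport": opt("--dport"),
            "src_ip": ip("-s"), "src_dip": ip("-d"), "to": opt("--to-destination")}
    return rules

def verify(uci_text, fw3_text):
    """{redirect name: mismatches}; an empty list means the rule was rendered as configured."""
    rendered, report = parse_dnat_rules(fw3_text), {}
    for r in parse_redirects(uci_text):
        want = {"chain": "zone_%s_prerouting" % r["src"], "proto": r.get("proto"),
                "dport": r["src_dport"].replace("-", ":"),  # UCI '10000-10010' -> iptables '10000:10010'
                "src_ip": r.get("src_ip"), "src_dip": r.get("src_dip"),
                "to": "%s:%s" % (r["dest_ip"], r.get("dest_port", r["src_dport"]))}
        got = rendered.get(r["name"])
        report[r["name"]] = ["missing"] if got is None else [
            "%s: want %r, got %r" % (k, v, got[k]) for k, v in want.items() if got[k] != v]
    return report
```

Run it against `cat /etc/config/firewall` and `fw3 print` on the router; an empty mismatch list means the rule is in place and the next things to check are the DNAT rule's packet counters (`iptables -t nat -L zone_wan_prerouting -v -n`) and any device between the router's LAN port and the server.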

It's highly unlikely that fw3 is broken; it's more likely that a required network package or packages are not installed for SIP (likely network-related kmods, as well as ipset).

  • If not compiling your own image, I personally recommend dumping your installed packages prior to installing a new image:
    • opkg list-installed > /mnt/sda1/installed-pkgs_$(date "+%Y.%m.%d_%T")

  • Have you tried rebooting your server to ensure it's not the server?
    • I've occasionally had devices show network issues after flashing a new image and a reboot solves any wonkiness.

Please place all code, config, and log output within code boxes

  • Automatically:
    • Highlight output, then click the pre-formatted text button [ </> ] on the toolbar

  • Manually: (I prefer this way as it's faster)
    • Syntax Highlighted:
      • Three back ticks [ ``` ] on new line, output on next lines, three back ticks on new line
        OR
      • Three back ticks, whitespace, syntax [ ``` bash ] on new line, output on next lines, three back ticks on new line

    • No Syntax Highlighting:
      • Three back ticks, whitespace, "text" [ ``` text ] on new line, output on next lines, three back ticks on new line

Problem solved.

Turns out that I caused the failure by enabling some "DoS Defend" feature on my TL-SG2008 switch. After turning this "feature" off, I now get the packets sent to my server.
