Does port forward require a traffic rule as well

I have an RPi4 connected to a fibre WAN.

  • OpenWrt 22.03.5 r20134-5f15225c1e / LuCI openwrt-22.03 branch git-23.292.78392-9f66674

from which I forward 80/443 to

  • HAproxy VM[192.168.1.1/24] on proxmox (in order to route http, and manage LEcerts), and then a few Debian 10,11,12 VMs/LXCs for web services [192.168.1.10-16/24].

another RPi4 connected using pihole as DNS/DHCP/adblock [192.168.1.3/24]

Outgoing traffic is fine and VPN is fine. I have not made any network changes (that I can remember anyway), but in the last couple of days/weeks (not sure when it changed since I can normally just work via the WG VPN I have from home->work) I notice that I cannot access 80/443 from external.
Even a simple nc -vz <IP> 80 fails. Anything via WG works perfectly.

It COULD be that my ISP has decided to block these but I just wanna make sure that my configs are screwed up before I start a fight with them unnecessarily.
Is there anything glaringly wrong here?
(I have clipped out the detailed configs from some of the rules where they are stock-std unchanged)

root@openwrt:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
config rule
	option name 'Allow-Ping'
config rule
	option name 'Allow-IGMP'
config rule
	option name 'Allow-DHCPv6'
config rule
	option name 'Allow-MLD'
config rule
	option name 'Allow-ICMPv6-Input'
config rule
	option name 'Allow-ICMPv6-Forward'
config rule
	option name 'Allow-IPSec-ESP'
config rule
	option name 'Allow-ISAKMP'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option family 'ipv4'
	list network 'wg_s2s_a'
	list device 'wg_s2s_a'
	option name 'WG'

config forwarding
	option dest 'lan'
	option src 'WG'

config forwarding
	option src 'lan'
	option dest 'WG'

config rule
	option dest_port '80'
	option name 'http80'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option family 'ipv4'
	option dest '*'
	option src '*'

config rule
	option dest_port '443'
	option name 'https443'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option family 'ipv4'
	option dest '*'
	option src '*'

config redirect
	option dest_port '80'
	option src 'wan'
	option target 'DNAT'
	option proto 'tcp udp'
	option src_dport '80'
	option name 'roxyHTTP'
	option dest_ip '192.168.1.1'
	option dest 'lan'

config rule
	option dest 'lan'
	option target 'ACCEPT'
	option name 'WGvpn-in'
	option family 'ipv4'
	option src 'WG'

config redirect
	option dest_port '443'
	option src 'wan'
	option src_dport '443'
	option target 'DNAT'
	option dest 'lan'
	option name 'roxyHTTPS'
	option dest_ip '192.168.1.1'

config rule
	option src 'wan'
	option name 'IPv6'
	option family 'ipv6'
	option target 'DROP'
	option dest 'lan'
	list proto 'all'

config rule 'wg_s2s_51820'
	option name 'Allow-WireGuard-51820'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

root@openwrt:~# cat /etc/config/network

config interface 'loopback'

config globals 'globals'
	option ula_prefix 'fd13:6652:efb1::/48'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	list dns '192.168.1.3'
	option device 'br-lan'
	option ipaddr '192.168.1.254'

config interface 'wan'
	option proto 'pppoe'
	option password '*******'
	option username '*******'
	list dns '192.168.1.3'
	option peerdns '0'
	option device 'eth1'
	option ipv6 '0'

config interface 'wg_s2s_a'
	option proto 'wireguard'
	option private_key '************************'
	option listen_port '51820'

config wireguard_wg_s2s_a 's2s_vpn_site_b'
	option public_key '************************'
	option preshared_key '************************'
	option description 'Site B'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option endpoint_port '51820'
	list allowed_ips '192.168.99.0/24'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

The Redirect rule should make the traffic rule redundant.

To be honest I would not enable http via the WAN, maybe SSH with a key but why not use the WG server to connect to your home exclusively?

I am aware of the dangers of http...I host a few small web pages, so I need it to be on (also for LE certs --tls-port=8765, but there's an /.well-known/certbot-req/ intercept rule on the proxy to shift the port). It will go via the proxy, which will enforce an https upgrade.
Primarily I need to know if my configs are causing the problem, or if the ISP is blocking me.

You can look at your firewall rules or run tcpdump to see if anything arrives on your port 80/443.

If you have fw4 something like:
nft list table inet fw4 | grep dport

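To build on the nft hint above: `grep dport` shows the matching lines but loses the chain they sit in, and the chain is what tells you whether a line is the DNAT itself (dstnat_wan), the implicit accept for forwarded flows (forward_wan), or an accept on the router (input_wan). The script below is an added example, not from this thread or from the fw4 project; the listing it parses is a constructed sample modelled on fw4 output for the two redirects in the first post (tcp lines only), and on a real router you would feed it the output of `nft list table inet fw4` instead.

```shell
#!/bin/sh
# Added example (not from the thread): search the fw4 ruleset for a port
# while keeping the chain name, which plain `grep dport` throws away.

# Constructed listing modelled on fw4 output for the redirects in the post.
# On a real router replace this with:  nft list table inet fw4
sample_nft() {
cat <<'EOF'
table inet fw4 {
	chain input_wan {
		meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
		udp dport 51820 counter packets 0 bytes 0 accept comment "!fw4: Allow-WireGuard-51820"
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump reject_from_wan comment "!fw4: Reject wan IPv4/IPv6 input traffic"
	}
	chain forward_wan {
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump reject_to_wan comment "!fw4: Reject wan IPv4/IPv6 forward traffic"
	}
	chain dstnat_wan {
		meta nfproto ipv4 tcp dport 80 counter packets 0 bytes 0 dnat ip to 192.168.1.1:80 comment "!fw4: roxyHTTP"
		meta nfproto ipv4 tcp dport 443 counter packets 0 bytes 0 dnat ip to 192.168.1.1:443 comment "!fw4: roxyHTTPS"
	}
}
EOF
}

# Usage: rules_for_port PORT < listing
# Prints "chain: rule" for every rule that matches PORT, plus the generic
# "ct status dnat accept" rules that let DNAT'd flows through input/forward.
rules_for_port() {
	awk -v port="$1" '
		/^[ \t]*chain /   { chain = $2; next }   # remember which chain we are in
		/^[ \t]*}/        { next }               # closing braces carry no rule
		$0 ~ ("dport " port "([^0-9]|$)") || /ct status dnat/ {
			line = $0; sub(/^[ \t]+/, "", line)
			printf "%s: %s\n", chain, line
		}'
}

sample_nft | rules_for_port 80
```

For port 80 the sample yields three lines: the accept in input_wan, the accept in forward_wan, and the dnat in dstnat_wan. If a redirect is really in the ruleset, its dnat line is the one whose packet counter should move while you repeat the external nc test; a counter stuck at zero while tcpdump on pppoe-wan also sees nothing points outside the router.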

Thanks...I will try that

All this can be omitted if you add the wg_s2s_a network to the lan firewall zone.
And as mentioned earlier, the rules are not needed if you have the redirect. There is an implicit rule in the default firewall to forward packets coming from DNAT (redirect).

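The point about the implicit rule is worth checking mechanically, because the http80/https443 rules in the first post are not just redundant: with src '*' and dest '*' they allow forwarding on those ports between every pair of zones (WG included), not only wan -> lan. The script below is an added example, not from this thread or from OpenWrt; it reads a UCI firewall config, reports each DNAT redirect, and flags ACCEPT rules on a port the redirect already covers. The embedded config is a constructed sample modelled on the rules in the first post; on a router you would run `audit_firewall < /etc/config/firewall`.

```shell
#!/bin/sh
# Added example (not from the thread): audit a UCI firewall config for traffic
# rules that duplicate a redirect. fw4 already accepts DNAT'd flows
# ("ct status dnat accept" in forward_wan), so an ACCEPT rule on the same port
# adds nothing, and with src '*' / dest '*' it opens that port for forwarding
# between every pair of zones.

# Constructed config modelled on the rules in the post.
# On a router use:  audit_firewall < /etc/config/firewall
sample_config() {
cat <<'EOF'
config rule
	option dest_port '80'
	option name 'http80'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option family 'ipv4'
	option dest '*'
	option src '*'

config redirect
	option dest_port '80'
	option src 'wan'
	option target 'DNAT'
	option proto 'tcp udp'
	option src_dport '80'
	option name 'roxyHTTP'
	option dest_ip '192.168.1.1'
	option dest 'lan'

config rule
	option name 'Allow-WireGuard-51820'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'
EOF
}

audit_firewall() {
	awk -v q="'" '
		/^config /       { n++; type[n] = $2; next }     # new section: rule / redirect / zone ...
		/^[ \t]*option / {
			key = $2; v = $0
			sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v)   # keep only the value
			gsub(q, "", v)                                   # strip the single quotes
			val[n, key] = v
		}
		END {
			# Pass 1: every DNAT redirect is self-sufficient in fw4
			for (i = 1; i <= n; i++)
				if (type[i] == "redirect" && val[i, "target"] == "DNAT") {
					sp = val[i, "src_dport"]; dp = val[i, "dest_port"]
					if (dp == "") dp = sp
					printf "REDIRECT %s: %s:%s -> %s:%s (DNAT flows accepted by fw4; no traffic rule needed)\n",
						val[i, "name"], val[i, "src"], sp, val[i, "dest_ip"], dp
					fwd[sp] = val[i, "name"]
				}
			# Pass 2: traffic rules on a port that a redirect already handles
			for (i = 1; i <= n; i++)
				if (type[i] == "rule" && (val[i, "dest_port"] in fwd)) {
					p = val[i, "dest_port"]
					if (val[i, "src"] == "*" && val[i, "dest"] == "*")
						printf "REDUNDANT+BROAD rule %s: port %s is already forwarded by %s, and src/dest * allows forwarding on %s between every zone pair\n",
							val[i, "name"], p, fwd[p], p
					else
						printf "REDUNDANT rule %s: port %s is already forwarded by %s\n",
							val[i, "name"], p, fwd[p]
				}
		}'
}

sample_config | audit_firewall
```

The Allow-WireGuard-51820 rule is left alone because it accepts traffic to the router itself (no dest zone) on a port no redirect touches; that is exactly the kind of rule that still needs to exist alongside the redirects.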

So if I delete those lines, how would I change the lan zone config? Like this?

config zone
        option name 'lan'
        list network 'lan'  'wg_s2s_a'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

I connected out to a remote machine which is outside my WG-vpn, and then used that to send in test packets while running this on the router...
tcpdump -i any -n '(tcp port 22001 or tcp port 443 or tcp port 80 or tcp port 8765)'
Nothing responded (even ports that I am pretty sure are not blocked and normally work eg 22001 etc).

Anyway, I reset the WAN interface, which resulted in some changes. Many of the ports started showing traffic, but "80 (http) : Network is unreachable" does indicate that port 80 is blocked?
while (if I understand correctly)
"8765 (?) : Connection refused" implies that the service is reachable, but down or misconfigured.

Thanks for the tcpdump hint...most useful.
I have contacted ISP support to ask about unblocking the ports and await their response.

Fixed

list network 'lan' 
list network 'wg_s2s_a'

implemented - thank you for the help & the patience with us noobies

If your default route is via a VPN, the replies from the servers will be routed out over VPN and then lost. The client made a request to your non-VPN IP and expects the reply to come from there.

There is a way to make this work but don't remember exactly how. It's more complicated than adding firewall rules since the issue is in the use of a single routing table.

Though I cannot be sure if I actually KNOW what you mean (based on my lack of knowledge), I think the default route is not via VPN?

root@openwrt:~# ip r
default via 196.192.xxx.yyy dev pppoe-wan 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.xxx 
192.168.99.0/24 dev wg_s2s_a scope link 
196.192.xxx.yyy dev pppoe-wan scope link  src aa.bb.cc.dd

It's a VPN server, not a client. :)