Firewall - Port forwarding


  • Router Xiaomi XA3200 running under OpenWrt 22.03.5
    Router is connected directly to my ISP where I obtained a public adresses from WAN side. From LAN side I have some Raspberry, Webcam, NAS, ... configured using IP fix address.

I finally successfully configured WAN side remote access for:

  • SSH remote access for OpenWRT
  • SSH and FTP remote access to my Raspberry

But I did not success to perform remote acces to my webcam, NAS, etc..

To be fair I tried many configuration on my firewall and finally remote access append for my Raspberry without changing something special....

Regarding my configuration, I only have LAN and WAN interfaces. I came back on standard configuration for my firewall zones (as shown below):


I only configured Port Forwarding tab, and with this configuration; I successfully remote access on OpenWRT through SSH and Rasp through FTP & SSH.

I can see the ports open for OpenWrt and the (2) ports for Rasp ... but not for my Foscam and not my NAS. As you can see it is exactly the same configuration onPortForward... and all are enable.

If you can support me; I really passed hours of trying all the possible option combinations of rules, firewall zones, etc.. without success. But here using CanYouSeeMe it seems not normal to have ports closed and port open for the same configuration...
If you have some solution it could be useful.

1 Like

I think it's a bad idea

the advice I give you is a VPN for example wireguard,
don't grant direct ssh/etc access from your wan


Many deices will not accept external connections (from outside the network where they are connected), perhaps this is your case. Try to create a SNAT rule, to masquerade those connections as if coming from the router.

1 Like

Just to be sure to understand. You mean the better will be to install a VPN Server on OpenWRT then to run a remote client connection ? If I do that I will have like an IP address from the LAN side in order to connect to any of my devices like if I was in local?

1 Like

That's correct.

Client with VPN <> Remote IP <> OpenWrt Public IP <> LANIP of Foscam

With a VPN setup and connected, the client will use the LAN IP to access the device.

1 Like

I really tried all the possible combinations....
My concern is, even if the different devices have differents behavior, from the WAN side, ports shall be open and I should be able see it as open using Isn't it ?

Not necessarily - are the ports UDP or TCP?

Good idea.
I will try it, to be fair I even do not think about that; thanks for this proposal. I planned to configured the router as I did by the past for my ISP router as NAT was the only solution available.

I just see a tuto for wiregard which seems easy enough to install.


Something else more simple and secure. You can use a key-based login for SSH and disable passwords. Your client would then need a SSH app that allows you to setup [TCP] tunnels to the destination LAN IPs.

Linux example for a remote HTTP server:

ssh -i /home/user/ssh.key root@<public_IP> -L 1234:192.168.1.x:80

BTW, you can use multiple -L arguments in a single ssh command.

In this example - would access the server at the URL:

Looks like it's time to use 'tcpdump' and see those packets...

1 Like

If you have not done so I would certainly take this advice as e.g. your NAS will have its own firewall and will not allow traffic from outside.

To make it easy, just for testing, enable Masquerading on the LAN zone.

Note that the external ports must be unique, you cannot forward one port to multiple targets

1 Like

I installed Wireguard on my router, generated new keys, created the wg0 new interface, open fw UDP port, attached the new wg0 to my lan interface, created a new peer.
Then I tried to connect through the wireguard VPN android client using my cellphone.
But nothing really append... I do not see really log. If you have a way to debug using log, at least to see if a connection is coming to my WAN side.

opkg install tcpdump

I already installed by the past tcpdump-mini.
But log are availbale on the Luci System Log only ?
Are there some verbose mode for firewall or WAN interface or Wireguard ? In order to at least check if request is coming from the VPN client ?

I recommend tcpdump not tcpdump-mini

Are there some verbose mode for firewall or WAN interface or Wireguard ?


wg show

firewall (depen add rule log to port wireguard)

wan example:

In order to at least check if request is coming from the VPN client ?

if you generated keys on both server and client that's only the one that can do the handshake...

But log are availbale on the Luci System Log only ?

clarify this point

I try this:

But not a lot of thing append.

regarding wg show
it returns my public and private keeys and the listening port. Nothing else.
I will try from another client from a remote PC, just to check if it can be an issue from my cellphone.

port this rule on your router

iptables -I INPUT -p udp --dport 51820 -j LOG --log-prefix 'wireguard iptables: ' --log-level 7

or this command:

tcpdump -n -i wan 'udp port 51820' >> /tmp/wireguard-tcpdump.log

wireguard check status:

I do not have IPTable I have the other NFTable

from firewall luci interface:

Yes this one I configured it when I followed a tuto:

I put my port as allowed.