Firewall - Port forwarding

cedbouc · August 16, 2023, 9:31pm

Hello,

Router Xiaomi XA3200 running under OpenWrt 22.03.5
Router is connected directly to my ISP where I obtained a public adresses from WAN side. From LAN side I have some Raspberry, Webcam, NAS, ... configured using IP fix address.

I finally successfully configured WAN side remote access for:

SSH remote access for OpenWRT
SSH and FTP remote access to my Raspberry

But I did not success to perform remote acces to my webcam, NAS, etc..

To be fair I tried many configuration on my firewall and finally remote access append for my Raspberry without changing something special....

Regarding my configuration, I only have LAN and WAN interfaces. I came back on standard configuration for my firewall zones (as shown below):

I only configured Port Forwarding tab, and with this configuration; I successfully remote access on OpenWRT through SSH and Rasp through FTP & SSH.

Using https://canyouseeme.org/:
I can see the ports open for OpenWrt and the (2) ports for Rasp ... but not for my Foscam and not my NAS. As you can see it is exactly the same configuration onPortForward... and all are enable.

If you can support me; I really passed hours of trying all the possible option combinations of rules, firewall zones, etc.. without success. But here using CanYouSeeMe it seems not normal to have ports closed and port open for the same configuration...
If you have some solution it could be useful.

ncompact · August 16, 2023, 9:35pm

I think it's a bad idea

the advice I give you is a VPN for example wireguard,
don't grant direct ssh/etc access from your wan

eduperez · August 16, 2023, 9:44pm

Many deices will not accept external connections (from outside the network where they are connected), perhaps this is your case. Try to create a SNAT rule, to masquerade those connections as if coming from the router.

cedbouc · August 16, 2023, 9:50pm

Just to be sure to understand. You mean the better will be to install a VPN Server on OpenWRT then to run a remote client connection ? If I do that I will have like an IP address from the LAN side in order to connect to any of my devices like if I was in local?

lleachii · August 16, 2023, 9:52pm

That's correct.

Client with VPN <> Remote IP <> OpenWrt Public IP <> LANIP of Foscam

With a VPN setup and connected, the client will use the LAN IP to access the device.

cedbouc · August 16, 2023, 9:53pm

I really tried all the possible combinations....
My concern is, even if the different devices have differents behavior, from the WAN side, ports shall be open and I should be able see it as open using CanYouSeeMe.org. Isn't it ?

lleachii · August 16, 2023, 9:54pm

Not necessarily - are the ports UDP or TCP?

cedbouc · August 16, 2023, 9:58pm

Good idea.
I will try it, to be fair I even do not think about that; thanks for this proposal. I planned to configured the router as I did by the past for my ISP router as NAT was the only solution available.

I just see a tuto for wiregard which seems easy enough to install.

lleachii · August 16, 2023, 10:00pm

Something else more simple and secure. You can use a key-based login for SSH and disable passwords. Your client would then need a SSH app that allows you to setup [TCP] tunnels to the destination LAN IPs.

Linux example for a remote HTTP server:

ssh -i /home/user/ssh.key root@<public_IP> -L 1234:192.168.1.x:80

BTW, you can use multiple -L arguments in a single ssh command.

In this example - would access the server at the URL: http://127.0.0.1:1234

eduperez · August 17, 2023, 9:15am

Looks like it's time to use 'tcpdump' and see those packets...

egc · August 17, 2023, 9:54am

If you have not done so I would certainly take this advice as e.g. your NAS will have its own firewall and will not allow traffic from outside.

To make it easy, just for testing, enable Masquerading on the LAN zone.

Note that the external ports must be unique, you cannot forward one port to multiple targets

cedbouc · August 17, 2023, 9:01pm

I installed Wireguard on my router, generated new keys, created the wg0 new interface, open fw UDP port, attached the new wg0 to my lan interface, created a new peer.
Then I tried to connect through the wireguard VPN android client using my cellphone.
But nothing really append... I do not see really log. If you have a way to debug using log, at least to see if a connection is coming to my WAN side.

ncompact · August 17, 2023, 9:04pm

opkg install tcpdump

cedbouc · August 17, 2023, 9:08pm

I already installed by the past tcpdump-mini.
But log are availbale on the Luci System Log only ?
Are there some verbose mode for firewall or WAN interface or Wireguard ? In order to at least check if request is coming from the VPN client ?

ncompact · August 17, 2023, 9:12pm

I recommend tcpdump not tcpdump-mini

Are there some verbose mode for firewall or WAN interface or Wireguard ?

wireguard:

wg show

firewall (depen add rule log to port wireguard)

wan example:

In order to at least check if request is coming from the VPN client ?

if you generated keys on both server and client that's only the one that can do the handshake...

But log are availbale on the Luci System Log only ?

clarify this point

cedbouc · August 17, 2023, 9:21pm

I try this:

But not a lot of thing append.

regarding wg show
it returns my public and private keeys and the listening port. Nothing else.
I will try from another client from a remote PC, just to check if it can be an issue from my cellphone.

ncompact · August 17, 2023, 9:26pm

port this rule on your router

iptables -I INPUT -p udp --dport 51820 -j LOG --log-prefix 'wireguard iptables: ' --log-level 7

or this command:

tcpdump -n -i wan 'udp port 51820' >> /tmp/wireguard-tcpdump.log

wireguard check status:

cedbouc · August 17, 2023, 9:29pm

I do not have IPTable I have the other NFTable

ncompact · August 17, 2023, 9:30pm

from firewall luci interface:

cedbouc · August 17, 2023, 9:32pm

Yes this one I configured it when I followed a tuto:

I put my port as allowed.