Firewall - Port Forwards not getting any traffic

I am running a self made image without Upnp and I am trying to open ports via Firewall, which does not seem to work.Please help.

  • While I don't suggest, UPnP is not in the default image either, it can be installed
  • You provide no useful details in order to help you

Perhaps:

  1. What application are you using; or what ports do you have to open?
  2. Please show us a copy of the relevant firewall rules from /etc/config/firewall
  3. Please describe how you know the ports are not getting traffic and don't work
  4. Perhaps describe your: device, version of OpenWrt built/installed and ISP type
1 Like

I am using TL- WR740N ,4mb flash, also the image was compiled from libreCMC source code which has had the upnp removed from packages in like last 3 versions.

I've tried to compile an Open wrt image via make menuconfig,but selecting upnp in luci apps makes the opkg not removable which I can not have with 4 mb.

1.I am trying to open ports for Destiny 2. It's semi peer to peer.
2.Trying to SSH via Putty to get config and it's denying permissions, I will attack some screenshots from luci for now.
3.The game says that my NAT is strict after opening all the needed ports. Also watching luci/admin/status/iptables shows that I have no traffic through the ports.
4. TP Link WR740N v 5, libreCMC Frivolous Fred v1.4.9 r350-8e1abfa6 / LuCI branch (git-19.274.74267-8e1abfa) , PPPoE connection ISP.

libreCMC is not OpenWrt. You might want to ask here.

Ask there, not normal OpenWrt behavior. So no configs either...OK...
(pic is not what I asked; but I'm nearly certain most of your rules with ranges are incorrect)

OK, it would say 0 if you initiate traffic.

Assuming you get a public IP address...assuming this has worked for you before...I would suggest asking libreCMC.

If you installed OpenWrt, perhaps you will find more help in this forum.

1 Like

Really? If I installed Open WRT i'd get more help? That's toxic as fuck.

No, it's not toxic. I have 0 clue how a random software works. Plus, you're running an end of support device in OpenWrt. AND I did look up...when I saw that shocking response...your rules are wrong (despite I can't confirm it with a config).

You're welcome. Smh.

1 Like

What is wrong with the rules?

1 Like

http://unixetc.co.uk/2017/11/06/using-address-ranges-and-port-ranges-with-iptables/

Example 4 leads me to think that you don't specify ports in the LAN IP/destination portion of the rule in LuCI.

Hope this helps.

How would I go about specifying a port the LAN IP/destination portion of the rule in LuC, can you give me an example?

I'm not sure I understand, just remove the ports.

I noted that they shouldn't be specified, and you asked how to specify them. You only specify the destination LAN IP.

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option dest_ip '192.168.10.133'

Did what you recommended, NAT type is still strict though.

I don't see any of your rules from the screenshot in the posting. I hope this isn't because libreCMC (which OpenWrt isn't) places them somewhere else...

I'll provide an example:

config redirect
	option src 'wan'
	option name '30000-30009'
	option src_dport '30000-30009'
	option target 'DNAT'
	option dest_ip '192.168.10.133'
	option dest 'lan'
	option proto 'tcp'

Once added, you'll notice they'll be no destination ports listed on the right-hand side of your Port Forwards screen beside the LAN IP 192.168.10.133. This follows example No. 4 in the link I posted above.

If this doesn't work, and you have a Public IP, I honestly think you should ask libreCMC.

1 Like

I've just built an image based on openwrt's source code with working upnp and my NAT type is strict. What can be done to fix it?

Paste here the following in preformatted text </>

uci show firewall
iptables -t nat -L -vn
1 Like

uci show firewall

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable                                                                                                                                                             ' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-so                                                                                                                                                             licitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertise                                                                                                                                                             ment'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable                                                                                                                                                             ' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.miniupnpd=include
firewall.miniupnpd.type='script'
firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
firewall.miniupnpd.family='any'
firewall.miniupnpd.reload='1'

iptables -t nat -L -vn

Chain PREROUTING (policy ACCEPT 2109 packets, 166K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2121  166K prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom prerouting rule chain */
  967 82847 zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_prerouting  all  --  pppoe-wan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 1154 83498 zone_wan_prerouting  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain INPUT (policy ACCEPT 198 packets, 14733 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 234 packets, 16409 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1 packets, 349 bytes)
 pkts bytes target     prot opt in     out     source               destination
  829 58669 postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom postrouting rule chain */
    1   349 zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  828 58320 zone_wan_postrouting  all  --  *      pppoe-wan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_postrouting  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain MINIUPNPD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain MINIUPNPD-POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1   349 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan postrouting rule chain */

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
  967 82847 prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan prerouting rule chain */

Chain zone_wan_postrouting (2 references)
 pkts bytes target     prot opt in     out     source               destination
  828 58320 postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan postrouting rule chain */
  828 58320 MINIUPNPD-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  828 58320 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_prerouting (2 references)
 pkts bytes target     prot opt in     out     source               destination
 1154 83498 prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan prerouting rule chain */
 1142 83014 MINIUPNPD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
root@OpenWrt:~# clear
root@OpenWrt:~# iptables -t nat -L -vn
Chain PREROUTING (policy ACCEPT 2135 packets, 168K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2147  168K prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom prerouting rule chain */
  967 82847 zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_prerouting  all  --  pppoe-wan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 1180 85426 zone_wan_prerouting  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain INPUT (policy ACCEPT 198 packets, 14733 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 236 packets, 16561 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1 packets, 349 bytes)
 pkts bytes target     prot opt in     out     source               destination
  831 58821 postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom postrouting rule chain */
    1   349 zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  830 58472 zone_wan_postrouting  all  --  *      pppoe-wan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_postrouting  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain MINIUPNPD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain MINIUPNPD-POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1   349 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan postrouting rule chain */

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
  967 82847 prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan prerouting rule chain */

Chain zone_wan_postrouting (2 references)
 pkts bytes target     prot opt in     out     source               destination
  830 58472 postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan postrouting rule chain */
  830 58472 MINIUPNPD-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  830 58472 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_prerouting (2 references)
 pkts bytes target     prot opt in     out     source               destination
 1180 85426 prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan prerouting rule chain */
 1168 84942 MINIUPNPD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Also I want to mention that I have a Dynamic IP if that matters at all.

You haven't answered yet:

  • Do you get a public IP address?
  • Did this work for you before?

Is it Public, though?

  • What version?
  • Can you provide a copy of the rules from /etc/config/firewall?
  • You have to provide enough information to assist you.
  • If UPnP is working, does that mean it opened the ports for you without rules needed?
    • if so, perhaps you should ask in the Destiny 2 game forums.

Where are the rules?
Did you delete them?

  • Do you get a public IP address?
    When visit "What is my IP" it looks like public one.
    But in Luci it shows Private
    firefox_I1Cmu9ehlP
  • Did this work for you before?
    NAT type? No it was always Strict.
  • What version?
    OpenWrt 18.06.4 r7808-ef686b7292 / LuCI openwrt-18.06 branch (git-19.170.32094-4d6d8bc)
  • uci show firewall Where are the rules? Did you delete them?
    Yes, I am trying to see if it will work with just UPNP