Hairpin NAT broken, not working properly

What do you want to answer?

host xxx.yz from the internet provides the same IP as executing host xxx.yz from a local host.

I don't know what you mean by an inbound test for another machine...

But I know that tcpdump exists, instead of your proposals... I was expecting that someone knows what the error is and can propose a solution; apparently there are xy threads discussing a similar issue, a bug opened, and no conclusion / solution.

I understand.

I want to see if setting a rule TO WAN works. That would be the redirect needed.

Packet:

  • From lan to wan
  • By default, this is firewalled
  • This rule would allow the packet and change its DST to 10.0.1.104
config redirect
        option target 'DNAT'
        option src 'wan'
        option proto 'tcp'
        option src_dport '8123'
        option dest_port '8123'
        option src_ip '10.0.1.0/24'
        option dest 'wan'          #<--------NOTE WAN
        option dest_ip '10.0.1.104'
        option name 'REDIRECT_HTTP_LAN'

I apologize - you didn't configure the example rule for your scenario. Please try this.

What's the point of such a rule/config...
src and dest both wan? That doesn't make sense, as dest_ip is inside the LAN, not the WAN.

Again:

I apologize if that hasn't been made clear before.

BTW, you need to add an allow rule :wink:

Reason:

:spiral_notepad: In your case - WAN.

What is an allow rule / or add it where?

firewall.@redirect[21]=redirect
firewall.@redirect[21].dest_port='8123'
firewall.@redirect[21].src='wan'
firewall.@redirect[21].name='hass'
firewall.@redirect[21].target='DNAT'
firewall.@redirect[21].dest_ip='10.0.1.104'
firewall.@redirect[21].proto='tcp'
firewall.@redirect[21].src_dport='8123'
firewall.@redirect[21].dest='wan'
firewall.@redirect[21].src_ip='10.0.1.0/24'

This is still not working. It doesn't work, as I said...
And using that rule I can't access it from a remote machine anymore...
So it's completely broken now.

:warning: and an allow rule.......

(I usually don't make the rules for people too... so please be patient with me creating a rule for you, because you want to override traffic from WAN into LAN... this is the security risk I noted... :warning:)

config rule
        option target 'ACCEPT'
        option src 'wan'
        option dest 'lan'
        option name 'Allow_his_stuff'
        option family 'ipv4'
        option proto 'tcp'
        option src_ip '10.0.1.0/24'
        option dest_ip '10.0.1.104'
        option dest_port '8123'

Reason, again....

(this is why this is not a suggested method to get around the firewall)

:warning: verify/test this rule - as I already explained the issue with this setup, and by looking at the rule, you hopefully understand why

So how is it possible it was working before I changed the ISP router? I don't get it at all.

There is no point in adding messed-up rules;
it should work using hairpin NAT, not with some kind of mess...

Again:

  • I explained you should check the ISP router, but you asked me for settings on the OpenWrt

Perhaps I should leave this conversation, I apologize for bothering. I hope you find a solution.

Perhaps they have the same IP range on the WAN and LAN (of the OpenWrt)? :thinking:

Are both 10.0.1.0/24?

(that's all I can think of - they can't be numbered identically)

There is nothing to check on the ISP router; what do you want me to check? Asking to check something that you can't define?
The ISP router has only IP forward rules... so as I can access that local IP from the outside internet, it means that the forward rule is correct! I can't access that local IP using the domain name from local computers.

There is even an option in my original port forwarding:

which apparently is broken / or does nothing at all.

No,
they don't have the same IP range on WAN and LAN, what nonsense is that.

WAN is 192.168.x
LAN is 10.0.1.x

Yes, you just messed up things / the thread...

OK, I explained that - again, it should work for 10.0.1.104 only (it's the ISP's, not OpenWrt - that's what you changed) - and explained to you how to test (using a machine with 10.0.1.104/32), but I guess you don't wish to do so. :+1:

I hope you find a solution.

e.g. you cannot test "loopback" from 10.0.1.105...etc. - it [should] work from 10.0.1.104

I replaced router X with router Z, and replicated the same forward rule from X to Z.

I don't understand what you want / how to test. It's not that I don't wish to, you are talking about some test.

Apart from that, I don't understand where your assumption comes from that someone asking here for help is a MASTER of OpenWrt/iptables/etc.

Was this RULE in the OpenWrt?

No, not at all. Apologies if you got that from my writing.

I assume you mean the one pasted above, correct?

A lot of people mess this up, believe it or not.

No, it wasn't OpenWrt, it's the ISP router;
there is no point in discussing that, as the behavior I am expecting has to be described / isolated, i.e. maybe there is zero connection with the ISP router, maybe there is a connection as asked before, maybe both routers have to support HAIRPIN NAT. The rule was simple, as all these stupid ISP boxes are dumb.

And I am going to sleep, because you are even asking me questions as if I am a total idiot, or in the other case assuming that I am a networking master.

1 Like

Thank you for this information! I asked for it many posts ago! :smiley:

Why is there a port mismatch?

If this is a port range, where is the matching OpenWrt rule?

But that seems OK.

The port mismatch is not important; 8222 is the port that's listening on the ISP router WAN, and even when WAN and LAN are the same, i.e. 8123, it doesn't work...

There is no port range, it's port X to port Y.

The OpenWrt rule was pasted multiple times:

firewall.@redirect[21]=redirect
firewall.@redirect[21].dest_port='8123'
firewall.@redirect[21].src='wan'
firewall.@redirect[21].name='hass'
firewall.@redirect[21].target='DNAT'
firewall.@redirect[21].dest_ip='10.0.1.104'
firewall.@redirect[21].proto='tcp'
firewall.@redirect[21].src_dport='8123'
firewall.@redirect[21].dest='lan'
1 Like
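An added example, not from this thread or from OpenWrt's own code: a small Python model of the double-NAT path the thread describes, an OpenWrt box with the redirect above sitting behind an ISP router that forwards its public port 8222 to the OpenWrt WAN address. OpenWrt's firewall generates NAT-reflection (hairpin) rules for a redirect by default, but only for the OpenWrt WAN address itself, so a LAN client that resolves the domain to the ISP router's public address depends on the ISP router's own NAT loopback; the addresses 192.168.1.x and 203.0.113.10 are assumed placeholders.

```python
from collections import namedtuple
from dataclasses import dataclass
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

@dataclass(frozen=True)
class NatRouter:
    """One NAT box with a single port forward (OpenWrt 'config redirect' / ISP port forwarding)."""
    name: str
    lan_ip: str        # SNAT source used when reflecting (OpenWrt reflection_src 'internal')
    lan_prefix: str    # crude subnet test, e.g. "10.0.1."
    wan_ip: str
    wan_port: int      # src_dport
    dest_ip: str       # dest_ip of the redirect
    dest_port: int     # dest_port of the redirect
    reflection: bool   # NAT loopback for LAN packets aimed at wan_ip:wan_port
    def from_wan(self, pkt, trace):
        # Arrives on the WAN side: only the port forward (DNAT) lets it through.
        if (pkt.dst_ip, pkt.dst_port) != (self.wan_ip, self.wan_port):
            trace.append(f"{self.name}: no redirect for {pkt.dst_ip}:{pkt.dst_port}, rejected on WAN")
            return None, None
        trace.append(f"{self.name}: DNAT {self.wan_ip}:{self.wan_port} -> {self.dest_ip}:{self.dest_port}")
        return pkt._replace(dst_ip=self.dest_ip, dst_port=self.dest_port), "lan"
    def from_lan(self, pkt, trace):
        # Arrives on the LAN side: local delivery, hairpin (DNAT + SNAT), or masquerade upstream.
        if pkt.dst_ip.startswith(self.lan_prefix):
            return pkt, "lan"
        if (pkt.dst_ip, pkt.dst_port) == (self.wan_ip, self.wan_port):
            if not self.reflection:
                trace.append(f"{self.name}: own WAN address hit from LAN, no NAT loopback, unanswered")
                return None, None
            trace.append(f"{self.name}: reflect to {self.dest_ip}:{self.dest_port}, SNAT {self.lan_ip}")
            return pkt._replace(src_ip=self.lan_ip, dst_ip=self.dest_ip, dst_port=self.dest_port), "lan"
        trace.append(f"{self.name}: masquerade {pkt.src_ip} -> {self.wan_ip}, forward upstream")
        return pkt._replace(src_ip=self.wan_ip), "wan"

def trace_path(pkt, chain, index, side):
    """Walk pkt through chain (innermost router first). Returns (delivered packet or None, trace)."""
    trace = []
    for _ in range(2 * len(chain) + 2):   # bounded so a bad topology cannot loop forever
        pkt, out = chain[index].from_lan(pkt, trace) if side == "lan" else chain[index].from_wan(pkt, trace)
        if pkt is None:
            return None, trace
        if (out == "lan" and index == 0) or (out == "wan" and index == len(chain) - 1):
            return pkt, trace             # delivered on the innermost LAN, or left for the internet
        index, side = (index - 1, "wan") if out == "lan" else (index + 1, "lan")
    return None, trace
# Constructed topology mirroring the thread: OpenWrt (10.0.1.0/24) behind an ISP router (192.168.1.0/24).
OPENWRT = NatRouter("openwrt", "10.0.1.1", "10.0.1.", "192.168.1.2", 8123, "10.0.1.104", 8123, True)
ISP = NatRouter("isp", "192.168.1.1", "192.168.1.", "203.0.113.10", 8222, "192.168.1.2", 8123, False)
CHAIN = [OPENWRT, ISP]
```

Tracing a LAN client towards the public address ends at the ISP router with "no NAT loopback", while the same packet from the internet, or a LAN packet aimed at the OpenWrt WAN address, is delivered to 10.0.1.104:8123.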