Help with port forwarding CGNAT

Hello, I would like some help with port forwarding behind CGNAT for Home Assistant access.
My ISP gave me 5 ports, but I can't access externally with IPv4, only with IPv6.

My IP is from
My ISP gave me the IP for external access.
The IP that my router gets is 100.xx.xx.xx4.

The released ports are from 4415 to 4419 (not the real ports).

I tried creating rules using Traffic Rules and Port Forwards and had no luck.

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config include
	option path '/etc/firewall.user'

config rule
	option src 'wan'
	option dest 'lan'
	option target 'ACCEPT'
	option dest_port 'XXXX'
	option family 'ipv6'
	option name 'HomeAssistant'

config rule
	option family 'ipv4'
	option src 'wan'
	option dest 'lan'
	option target 'ACCEPT'
	option src_port '4415'
	option name 'HA IPV4'
	list dest_ip ''
	option dest_port 'XXXX'

I don't know if the problem is with my ISP or some router configuration.
Any suggestions?

First of all, these are rules, and in IPv4 you need redirects (port forwards), not rules.
After you set up a redirect, try to access it from the internet, not from your home network. For example, switch your phone to mobile data only.
Then check with iptables-save -c -t nat | grep 4415 that there are hits on the firewall (the first numbers of the line). If you have no hits, nothing reached the firewall. If there is something, then the packets were forwarded to the LAN host.
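The counter check from the reply above, written out as a small shell helper (an added example, not part of the original post or of OpenWrt): it reads the output of iptables-save -c -t nat, picks the NAT rules whose --dport matches the port you ask for, and totals their packet/byte counters, so the "first numbers of the line" are read for you. The function name nat_hits and the sample it is run on are my own; the sample mimics the format pasted later in this thread, with documentation-range addresses instead of real ones.

```shell
#!/bin/sh
# Added example for this thread (not from the original reply or OpenWrt):
# totals the packet/byte counters of every NAT rule matching a destination
# port in `iptables-save -c -t nat` output, the check suggested above.
# On the router:   iptables-save -c -t nat | nat_hits 4415
# Here it runs on a constructed sample so it can be tried offline.

# nat_hits PORT: read iptables-save -c output on stdin, print one line
# "<chain> <proto> <packets> <bytes>" per rule matching --dport PORT,
# then "TOTAL <packets> <bytes>". A TOTAL of 0 0 after testing from the
# internet means nothing reached the firewall (ISP/CGNAT side); a non-zero
# count means the packets were DNATed towards the LAN host.
nat_hits() {
    awk -v port="$1" '
        # counter lines look like: [pkts:bytes] -A CHAIN ... --dport PORT ...
        /^\[[0-9]+:[0-9]+\] -A / {
            hit = 0
            for (i = 1; i <= NF; i++)
                if ($i == "--dport" && $(i + 1) == port) hit = 1
            if (!hit) next
            split(substr($1, 2, length($1) - 2), c, ":")   # "[7:420]" -> 7, 420
            proto = "any"
            for (i = 1; i <= NF; i++)
                if ($i == "-p") proto = $(i + 1)
            printf "%s %s %s %s\n", $3, proto, c[1], c[2]
            pkts += c[1]; bytes += c[2]
        }
        END { printf "TOTAL %d %d\n", pkts, bytes }
    '
}

# Constructed sample modelled on the output pasted in this thread, with
# placeholder addresses (192.0.2.0/24 is documentation space, 100.64.0.4 a
# CGNAT-range address); the wan TCP rule has seen 7 packets / 420 bytes.
NAT_SAMPLE='*nat
:PREROUTING ACCEPT [0:0]
[0:0] -A zone_lan_prerouting -s 192.0.2.0/24 -d 100.64.0.4/32 -p tcp -m tcp --dport 4415 -m comment --comment "!fw3: @redirect[0] (reflection)" -j DNAT --to-destination 192.0.2.6:8123
[7:420] -A zone_wan_prerouting -p tcp -m tcp --dport 4415 -m comment --comment "!fw3: @redirect[0]" -j DNAT --to-destination 192.0.2.6:8123
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 4415 -m comment --comment "!fw3: @redirect[0]" -j DNAT --to-destination 192.0.2.6:8123
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: @redirect[1]" -j DNAT --to-destination 192.0.2.7:22
COMMIT'

# Prints the three 4415 rules and "TOTAL 7 420" for the sample above.
printf '%s\n' "$NAT_SAMPLE" | nat_hits 4415
```

Run the test from a network outside your home (mobile data, as the reply says), then compare two runs of the helper: a TOTAL that grows between runs shows the ISP is delivering the port; a TOTAL that stays at 0 0 points at the CGNAT/ISP side rather than at the router's DNAT.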


I deleted Traffic Rules and created Port Forward

config redirect
	option target 'DNAT'
	option src 'wan'
	option src_dport '4415'
	option dest 'lan'
	option dest_ip ''
	option dest_port 'xxxx'
[0:0] -A zone_lan_prerouting -s -d 100.xx.xx.xx4/32 -p tcp -m tcp --dport XXXX -m comment --comment "!fw3: @redirect[0] (reflection)" -j DNAT --to-destination
[0:0] -A zone_lan_prerouting -s -d 100.xx.xx.xx4/32 -p udp -m udp --dport XXXX -m comment --comment "!fw3: @redirect[0] (reflection)" -j DNAT --to-destination
[7:420] -A zone_wan_prerouting -p tcp -m tcp --dport XXXX -m comment --comment "!fw3: @redirect[0]" -j DNAT --to-destination
[0:0] -A zone_wan_prerouting -p udp -m udp --dport XXXX -m comment --comment "!fw3: @redirect[0]" -j DNAT --to-destination

That's the result.

7:420 does that mean something has reached the firewall?

Yes, and it was forwarded to the .0.6 host. You can run a packet capture on the router and the host to verify that the packets indeed leave the lan interface and reach the host, if there is no response from the application.


That worked.
Strange that I had already tested with port forwarding.

I'm using duckdns, so I need to access duckdns:4415 for IPv4 and duckdns:xxxx for IPv6.

Is there any way to configure both IPv4 and IPv6 access through the same port, or is it better to change the Home Assistant port and leave it as 4415?

I do not know if I was clear.

I think it will be easier to change HA port to 4415, if you really want both IPv4 and IPv6 bound to the same port and you don't want to mess with DNAT in IPv6.
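As an added example illustrating the setup suggested in the reply above (not code from the thread or from OpenWrt): a shell/awk audit of /etc/config/firewall that lists every wan-facing redirect and rule with its port and protocol family, and flags a plain rule that tries to let IPv4 traffic into the LAN, which behind NAT needs a redirect (DNAT) instead, the point made at the start of the thread. The function name uci_exposure and the sample config, in which Home Assistant listens on 4415 and is reached through an IPv4 redirect plus an IPv6 rule on that same port, are assumptions of mine; the leftover "HA IPV4 old" rule is included only to show the warning.

```shell
#!/bin/sh
# Added example for this thread (not from the original reply or OpenWrt):
# a small audit of an /etc/config/firewall text that lists every wan-facing
# redirect and rule by port and family, and flags a plain rule that tries
# to forward IPv4 into the LAN (which needs a redirect/DNAT instead, as the
# first reply points out). On the router: uci_exposure < /etc/config/firewall
# Here it runs on a constructed config showing HA on port 4415 for both
# families.

# uci_exposure: read UCI firewall config on stdin, print
#   <type> name="<name>" port=<port> family=<family>[ WARNING ...]
# for every redirect/rule whose src is wan.
uci_exposure() {
    awk -v q="'" '
        function flush(   k, port, fam, name, note) {
            if ((type == "redirect" || type == "rule") && opt["src"] == "wan") {
                # a redirect matches on the external port, a rule on dest_port
                port = (type == "redirect") ? opt["src_dport"] : opt["dest_port"]
                # fw3 defaults: redirects apply to IPv4, rules to both families
                fam = opt["family"]
                if (fam == "") fam = (type == "redirect") ? "ipv4" : "any"
                name = (opt["name"] == "") ? "-" : opt["name"]
                note = ""
                if (type == "rule" && opt["dest"] == "lan" && fam != "ipv6")
                    note = " WARNING: IPv4 forwarding into the LAN needs a redirect (DNAT), not a rule"
                printf "%s name=\"%s\" port=%s family=%s%s\n", type, name, port, fam, note
            }
            type = ""
            for (k in opt) delete opt[k]
        }
        $1 == "config" { flush(); type = $2 }
        $1 == "option" || $1 == "list" {
            val = $3
            for (i = 4; i <= NF; i++) val = val " " $i      # values with spaces
            if (substr(val, 1, 1) == q) val = substr(val, 2)
            if (substr(val, length(val)) == q) val = substr(val, 1, length(val) - 1)
            opt[$2] = val
        }
        END { flush() }
    '
}

# Constructed sample config (hypothetical host 192.0.2.6, HA on port 4415):
# an IPv4 redirect and an IPv6 rule on the same external port, plus a
# leftover IPv4 "rule" of the kind that cannot forward behind NAT.
FW_SAMPLE="config redirect
	option name 'HA IPv4'
	option target 'DNAT'
	option src 'wan'
	option src_dport '4415'
	option dest 'lan'
	option dest_ip '192.0.2.6'
	option dest_port '4415'

config rule
	option name 'HA IPv6'
	option family 'ipv6'
	option src 'wan'
	option dest 'lan'
	option dest_port '4415'
	option target 'ACCEPT'

config rule
	option name 'HA IPV4 old'
	option family 'ipv4'
	option src 'wan'
	option dest 'lan'
	option dest_port '4415'
	option target 'ACCEPT'
"

# Prints three lines; the last one carries the WARNING.
printf '%s\n' "$FW_SAMPLE" | uci_exposure
```

Running this against the real config before reloading the firewall is a quick way to confirm that exactly the ports you mean to expose appear, each with the family you expect, and that no wan-to-lan ACCEPT rule is standing in for a redirect on the IPv4 side.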

Thanks for the help

