How do you open ports? nothing works for me

Bobosaurus · April 13, 2025, 12:20pm

My connection is PPPoE.
eth2 is my pc port and eth1 is my wan port.
And when using something like yougetsignal.com, gives the reply that the port is closed:

This is my firewall config:

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'Bobo'
        list network 'lan'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'wan'
        option dest 'lan'

This is how i`ve set up the rule:

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '3074'
        option src 'wan'
        option dest_ip '192.168.1.2'
        list proto 'tcp'
        list proto 'udp'
        option src_dport '3074'
        option dest_port '3074'

Using tcpdump, i get something like this:

tcpdump -e -v -i eth2 tcp port 3074
tcpdump: listening on eth2, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:08:39.539616 92:71:02:13:84:ab (oui Unknown) > e0:d5:5e:2a:16:9d (oui Unknown), ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 52, id 37907, offset 0, flags [DF], proto TCP (6), length 60)
    198.199.98.246.48401 > Bobo.lan.3074: Flags [S], cksum 0xd750 (correct), seq 3201348792, win 14600, options [mss 1452,sackOK,TS val 4009566379 ecr 0,nop,wscale 8], length 0
12:08:40.535985 92:71:02:13:84:ab (oui Unknown) > e0:d5:5e:2a:16:9d (oui Unknown), ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 52, id 37908, offset 0, flags [DF], proto TCP (6), length 60)
    198.199.98.246.48401 > Bobo.lan.3074: Flags [S], cksum 0xd656 (correct), seq 3201348792, win 14600, options [mss 1452,sackOK,TS val 4009566629 ecr 0,nop,wscale 8], length 0
12:08:40.540197 92:71:02:13:84:ab (oui Unknown) > e0:d5:5e:2a:16:9d (oui Unknown), ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 52, id 33470, offset 0, flags [DF], proto TCP (6), length 60)
    198.199.98.246.48403 > Bobo.lan.3074: Flags [S], cksum 0x7e61 (correct), seq 677618456, win 14600, options [mss 1452,sackOK,TS val 4009566630 ecr 0,nop,wscale 8], length 0
12:08:41.539680 92:71:02:13:84:ab (oui Unknown) > e0:d5:5e:2a:16:9d (oui Unknown), ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 52, id 33471, offset 0, flags [DF], proto TCP (6), length 60)
    198.199.98.246.48403 > Bobo.lan.3074: Flags [S], cksum 0x7d67 (correct), seq 677618456, win 14600, options [mss 1452,sackOK,TS val 4009566880 ecr 0,nop,wscale 8], length 0
12:08:41.541440 92:71:02:13:84:ab (oui Unknown) > e0:d5:5e:2a:16:9d (oui Unknown), ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 52, id 63800, offset 0, flags [DF], proto TCP (6), length 60)
    198.199.98.246.48406 > Bobo.lan.3074: Flags [S], cksum 0x22f0 (correct), seq 1247271832, win 14600, options [mss 1452,sackOK,TS val 4009566880 ecr 0,nop,wscale 8], length 0
12:08:42.539779 92:71:02:13:84:ab (oui Unknown) > e0:d5:5e:2a:16:9d (oui Unknown), ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 52, id 63801, offset 0, flags [DF], proto TCP (6), length 60)
    198.199.98.246.48406 > Bobo.lan.3074: Flags [S], cksum 0x21f6 (correct), seq 1247271832, win 14600, options [mss 1452,sackOK,TS val 4009567130 ecr 0,nop,wscale 8], length 0

Dante · April 13, 2025, 12:39pm

Do you have a public IP or are you behind a CGNAT?

AndrewZ · April 13, 2025, 12:51pm

Check your host bobo.lan, from OpenWrt perspective everything works as it should.
We can see a forwarded packet with SYN flag set (that is [S], Start Connection) addressed to the internal host, but there is no response from the host back.

psherman · April 13, 2025, 1:00pm

Change the input rule back to reject:

Bobosaurus:

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

The current situation is very dangerous.

With respect to the question @Dante asked, post the first two octets (in bold: aaa.bbb.ccc.ddd) of the address you see here:

ifstatus wan | grep address

mk24 · April 13, 2025, 1:14pm

Why is there a Bobo network when Bobo is a device on the lan?
But it does look like an incoming connection attempt was properly forwarded to Bobo but the server did not respond. Check its firewall (needs to allow incoming 3074 from anywhere not just lan) and you can run packet captures directly on it.

Bobosaurus · April 13, 2025, 1:21pm

@Dante, i have a public ip, was under CGNAT but i changed that and i have a public ip now.
Also running the provider gpon device in bridge mode.

@psherman it`s just for testing.

ifstatus wan | grep address
                "addresses",
        "ipv4-address": [
                        "address": "79.119.0.0",
                        "ptpaddress": "10.0.22.222"
        "ipv6-address": [
                "ipv4-address": [
                "ipv6-address": [

@mk24 Bobo was eth2 on the interfaces tab, and i renamed it.

@AndrewZ how do i check that ?

AndrewZ · April 13, 2025, 1:25pm

As mentioned by @mk24 above - check local firewall, use Wireshark to capture what's coming in/out. And, obviosly, make sure you have a local server running and listening on 3074/tcp.

fkl7834456 · April 13, 2025, 1:44pm

You have such a rich question, what ports and why the most important thing
You didn't say anything like that