How to forward the port while preserving the original IP address of the client?

  • How to forward a port without using "Masquerading"?

  • The "Port Forwards" section for some reason does not want to work without the "Masquerading" functions.

  • In the Keenetic router, the original client IP address is saved instead of being replaced with 192.168.1.1.

Why is there such a problem with saving the original IP address in OpenWrt?

You need to use DNAT. [OpenWrt Wiki] NAT examples

  • Is it somehow done through "luci"?

Firewall-NAT Rules

Choose tcp as protocol and you'll be able to select port 22.

When I turn on port 443 forwarding, it stops accessing all sites, that is, I lose the ability to use the browser normally.
A web server with ports 80 + 443 is running on the virtual machine.
Running "luci" on http ports 2095 https 8443 does not help.

Hi.
Have you tried to click the little box that enables the forward rule?

What do you actually want to achieve?
External traffic, from wan to your public IP, forwarded to your internal web server? Could you please try to update the rule from 'forward to this device' to 'forward to lan', i.e. specify the destination zone as lan.

2 Likes

If I enable this feature, then I will not be able to use the browser (I will not be able to log in to other sites except local ones)

192.168.1.168 is the address of the virtual machine. A website using ports 80/443 is running on the virtual machine; for some reason there is some kind of conflict with OpenWrt, although I moved "luci" to 192.168.1.1:2095/8443 instead of 0.0.0.0:80/443.
192.168.1.1 is the local address of OpenWrt.

As grrr2 is asking - from where are you trying to access your webpage?

Is it from the internet or from another PC on the same network or...

1 Like

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/firewall
2 Likes

This thread might be relevant:

From the external Internet, I'm trying to access the site located on port 80/443, about the IP address: the address is white, so the provider does not block anything from its side.

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        list network 'lan'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'ssh'
        option src 'wan'
        option src_dport '23'
        option dest_ip '192.168.1.168'
        option dest_port '22'
        list proto 'tcp'

config nat
        option name 'SNAT'
        option src '*'
        option target 'SNAT'
        option snat_ip 'wan ip'
        list proto 'all'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'DB'
        list proto 'tcp'
        option src 'wan'
        option src_dport '3306'
        option dest_ip '192.168.1.168'
        option dest_port '3306'

config redirect
        option target 'DNAT'
        option name 'http'
        option src 'lan'
        option src_dport '80'
        option dest_ip '192.168.1.168'
        option dest_port '80'
        option dest 'lan'
        option enabled '0'

config redirect
        option target 'DNAT'
        option name 'https'
        option src 'lan'
        option src_dport '443'
        option dest_ip '192.168.1.168'
        option dest_port '443'
        option dest 'lan'
        option enabled '0'



option src for both of these rules should be wan, not lan. And you can leave uhttpd on the default ports.

2 Likes
config redirect
        option target 'DNAT'
        option name 'http'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.1.168'
        option dest_port '80'
        option dest 'lan'
        option enabled '0'

config redirect
        option target 'DNAT'
        option name 'https'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.1.168'
        option dest_port '443'
        option dest 'lan'
        option enabled '0'

In this way?

This is a major issue:

Remove the lan network from the wan firewall zone.

Also, masquerading must be enabled on the wan zone in most cases.

3 Likes
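An added example, not part of any post in this thread and not OpenWrt's own tooling: a small offline linter that flags the two misconfigurations pointed out above, a network listed in more than one firewall zone and a DNAT redirect whose `src` equals its `dest`. The function names `parse_uci` and `audit` are hypothetical, and the sample is constructed from the configuration posted earlier.

```python
import shlex
from collections import defaultdict

# Constructed sample, reduced from the configuration posted in this thread.
SAMPLE = """
config zone
        option name 'lan'
        list network 'lan'

config zone
        option name 'wan'
        list network 'lan'
        list network 'wan'

config redirect
        option target 'DNAT'
        option name 'https'
        option src 'lan'
        option src_dport '443'
        option dest_ip '192.168.1.168'
        option dest 'lan'
"""

def parse_uci(text):
    """Parse UCI text into a list of dicts; 'list' entries become Python lists."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) >= 2 and tok[0] == "config":
            sections.append({"_type": tok[1]})
        elif len(tok) >= 3 and sections and tok[0] == "option":
            sections[-1][tok[1]] = tok[2]
        elif len(tok) >= 3 and sections and tok[0] == "list":
            sections[-1].setdefault(tok[1], []).append(tok[2])
    return sections

def audit(text):
    secs, zones_of, findings = parse_uci(text), defaultdict(list), []
    for z in (s for s in secs if s["_type"] == "zone"):
        nets = z.get("network", [])
        for net in (nets.split() if isinstance(nets, str) else nets):
            zones_of[net].append(z.get("name", "?"))
    # A network should be attached to exactly one zone.
    findings += [f"network '{n}' is in zones {z}" for n, z in zones_of.items() if len(z) > 1]
    for r in (s for s in secs if s["_type"] == "redirect"):
        # src == dest with no src_dip matches LAN clients' traffic to ANY host on that port.
        if r.get("src") and r.get("src") == r.get("dest") and "src_dip" not in r:
            findings.append(f"redirect '{r.get('name')}' has src == dest '{r['src']}' and no src_dip")
    return findings
```

Masquerading on a zone rewrites the source address of traffic leaving through any network in that zone, so while `lan` is listed in the `wan` zone, forwarded connections reach LAN hosts with the router's address as their source. With `lan` only in its own zone, a `wan` to `lan` DNAT redirect leaves the client's source address untouched.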

If I enable "Masquerading", then the players on the server will have the IP address 192.168.1.1, so "Masquerading" is not suitable.

Ok… so does your upstream router have a static route defined?

1 Like