I can't open ports except for 80 and 443

Hello everyone. I have problems opening ports on my OpenWrt router. I have a small home server with some personal services, and I was able to open ports 80 and 443 without problems; however, I have tried to open more ports and these do not open. Could you help me, please? Thank you very much.

root@OpenWrt:~# cat /etc/config/firewall

# Global policy applied to traffic that is not matched by any zone below.
# Each zone section overrides input/output/forward for its own networks.
# synflood_protect turns on SYN-flood rate limiting for incoming connections.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Trusted internal zone: fully open (input, output and forward all ACCEPT).
# Hosts here can reach the router and, via the forwardings below, every other zone.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# Internet-facing zone. Unsolicited input and forward are REJECTed, so only the
# explicit Allow-* rules and the DNAT redirects at the end of this file open
# anything from wan. masq = source NAT for outbound traffic; mtu_fix = TCP MSS
# clamping on this zone's interfaces.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

# lan clients may initiate connections to the Internet (one-way: lan -> wan).
config forwarding
        option src 'lan'
        option dest 'wan'

# The following four rules match the stock OpenWrt defaults for the wan zone:
# DHCP renewals to the router (UDP 68, IPv4), ICMP echo-request, IGMP, and the
# DHCPv6 client port (UDP 546, IPv6). All are router INPUT rules (no dest given).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Router answers ping from the Internet. Harmless but discloses that a host
# is present; remove if that is not wanted.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Multicast Listener Discovery: only from link-local sources (fe80::/10).
# ICMPv6 types 130/131/132 are MLD query/report/done, 143 is the MLDv2 report.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 needed for IPv6 to function on the router itself (path MTU, neighbour
# and router discovery), rate-limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Same error/echo types forwarded to any zone (dest '*'); the discovery types
# are deliberately left out here since they are link-local only.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# IPsec pass-through: ESP and IKE (UDP 500) from any wan host to any lan host.
# NOTE(review): these are forward rules (dest 'lan'), not router input, and are
# not restricted to a single dest_ip. Keep them only if a lan host terminates
# IPsec; otherwise they are unnecessary exposed surface - confirm.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Second trusted zone, same open policy as 'lan', with Internet access.
config zone
        option name 'lan3'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan3'

config forwarding
        option src 'lan3'
        option dest 'wan'

# Guest Wi-Fi: isolated zone. Clients cannot reach the router (input REJECT)
# or other zones (forward REJECT) except where a rule/forwarding below allows it.
config zone
        option name 'guestwifi'
        option output 'ACCEPT'
        option input 'REJECT'
        list network 'guestwifi'
        option forward 'REJECT'

# Lets guests obtain a lease from the router's DHCP server (UDP 67).
# The matching DNS rule ('Guest-DNS') is defined further down in this file.
config rule
        option name 'Guest-DHCP'
        list proto 'udp'
        option src 'guestwifi'
        option dest_port '67'
        option target 'ACCEPT'

# lan may initiate connections into lan3 (not the reverse).
config forwarding
        option src 'lan'
        option dest 'lan3'

# DMZ zone: isolated like guestwifi, with rejected packets logged (log '1').
# NOTE(review): masq '1' on an internal zone source-NATs traffic that leaves
# the router toward dmz (e.g. lan -> dmz via the forwarding below), so dmz hosts
# see the router's dmz address instead of the real lan client in their logs -
# confirm this is intended.
config zone
        option name 'dmz'
        option input 'REJECT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option log '1'
        option masq '1'
        list network 'dmz'

# Guest DNS to the router. No proto given, so the firewall default (TCP and UDP)
# applies - same effect as the explicit tcp+udp list in 'DMZ-DNS' below.
config rule
        option name 'Guest-DNS'
        option src 'guestwifi'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        list proto 'udp'
        option src 'dmz'
        option dest_port '67'
        option target 'ACCEPT'
        option name 'DMZ-DHCP'

config rule
        option src 'dmz'
        option dest_port '53'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'
        option name 'DMZ-DNS'

# dmz hosts may reach the Internet; lan may reach dmz; dmz cannot reach lan.
config forwarding
        option src 'dmz'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'dmz'

# Third trusted zone, identical policy to 'lan' and 'lan3'.
config zone
        option name 'lan4'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan4'

config forwarding
        option src 'lan4'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'lan4'

# Wireless DMZ: same isolation as 'dmz' (input/forward REJECT) but without
# logging. masq '1' here has the same effect as on 'dmz': lan -> dmzwifi
# traffic is source-NATed to the router's address.
config zone
        option name 'dmzwifi'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'dmzwifi'
        option masq '1'

config forwarding
        option src 'dmzwifi'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'dmzwifi'

# DHCP and DNS to the router for dmzwifi clients. The DNS rule names no proto,
# so the firewall default (TCP and UDP) applies.
config rule
        option name 'DMZWIFI-DHCP'
        option src 'dmzwifi'
        option dest_port '67'
        option target 'ACCEPT'
        list proto 'udp'

config rule
        option name 'DMZWIFI-DNS'
        option src 'dmzwifi'
        option dest_port '53'
        option target 'ACCEPT'

# Guest Wi-Fi gets Internet access only (no forwarding to any internal zone).
config forwarding
        option src 'guestwifi'
        option dest 'wan'

# Port forwards (DNAT) from the Internet to the home server 10.10.2.2.
# 'dest' is the zone the target host lives in; the firewall adds the matching
# forward-accept for each redirect automatically.
#
# NOTE(review): every redirect below points into the fully open 'lan' zone,
# not into the 'dmz' zone defined above. A compromised service on 10.10.2.2
# could therefore reach the router and every other lan/lan3/lan4 host. Consider
# moving the Internet-exposed server onto the dmz network, which already
# exists and only allows dmz -> wan.
#
# The 'name' values are labels; the two TLS/ACME entries share the same name
# and two names contain ’ and [ ]. Plain ASCII, unique names are safer for
# tooling (see the reply in this thread) and make log entries unambiguous.
config redirect
        option target 'DNAT'
        option name 'Let’sEncrypt'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_ip '10.10.2.2'
        option dest_port '80'
        option dest 'lan'

config redirect
        option target 'DNAT'
        option name 'Let’sEncrypt'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_ip '10.10.2.2'
        option dest_port '443'
        option dest 'lan'

# ZNC (IRC bouncer) on TCP 6502 - same shape as the two entries above.
config redirect
        option target 'DNAT'
        option name 'znc'
        list proto 'tcp'
        option src 'wan'
        option dest_ip '10.10.2.2'
        option src_dport '6502'
        option dest_port '6502'
        option dest 'lan'

# Matrix federation port (TCP 8448) - same shape as the entries above.
config redirect
        option target 'DNAT'
        list proto 'tcp'
        option src 'wan'
        option src_dport '8448'
        option dest_ip '10.10.2.2'
        option name '[Matrix]Server'
        option dest_port '8448'
        option dest 'lan'

I don't see anything wrong with your firewall file redirect statements.

Have you verified that the services of interest are up and running on 10.10.2.2 (znc on TCP 6502, and matrix server on tcp 8448)? Can you connect to them locally (i.e. while connected to 10.10.2.0/24 and pointing to 10.10.2.2:6502 or 10.10.2.2:8448)?


... and is your ISP allowing it?


@frollic may be right that your ISP blocks some/most of the ports. That is one typical reason.

But one other piece of advice is to drop the special characters from the names. You have [ ] and ' in the redirect item names. Just stick to pure alphanumeric characters... (I am so old-school that I am used to apps sneakily failing or frowning upon special characters.)


Thanks for responding. Locally I can access the services without problem. I am aware that they are different ports; however, both Matrix and ZNC require two extra ports: ZNC for the server and Matrix for federation.

If I change the port to 443 I manage to connect to the Matrix federation, but I have trouble connecting to other servers; the Matrix documentation recommends using port 8448:
Matrix Federation

Previously I had an Asus router and could open ports, except for 25, which was blocked by my ISP.