I can't port forward on 24.10.2

I'm running OpenWrt 24.10.2 on a Ubiquiti EdgeRouter X, and I'm trying to forward UDP port 5029 (for a game of ZDoom) to a specific computer in the network.

Before going into my configuration, I must say that I tried to forward this port on the ISP's router and it worked. So I am confident the ISP is not blocking this port.

Here is what it looks like in LuCI:


Here is the last entry in /etc/config/firewall:

config redirect
        option dest 'lan'
        option target 'DNAT'
        list proto 'udp'
        option src 'wan'
        option src_dport '5029'
        option dest_ip '192.168.1.100'
        option dest_port '5029'

And here is the output of uci show network; uci show firewall:

network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdf7:648d:e309::/48'
network.globals.packet_steering='1'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth1' 'eth2' 'eth3' 'eth4'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.device='eth0'
network.wan.proto='pppoe'
network.wan.username='[reducted]'
network.wan.password='[reducted]'
network.wan.ipv6='auto'
network.wan6=interface
network.wan6.device='eth0'
network.wan6.proto='dhcpv6'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='REJECT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@redirect[0]=redirect
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].proto='udp'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='5029'
firewall.@redirect[0].dest_ip='192.168.1.100'
firewall.@redirect[0].dest_port='5029'

What am I doing wrong?

The configuration looks correct, so run tcpdump to trace the traffic.

opkg update; opkg install tcpdump; \
tcpdump -nnvvi any udp and port 5029

Sure the source port from the connecting client is 5029?
If in doubt leave it blank.

src_dport

For DNAT, match incoming traffic directed at the given destination port or port range on this host.

https://openwrt.org/docs/guide-user/firewall/firewall_configuration#options4

Thanks. This wording confuses me every time.
(I try to avoid any nat and just use IPv6 :joy: )

  1. That's PII
  2. Remove
  3. This output shows you're the transmitter, not the receiver. It shows you're sending data to a remote IP with a destination port of 5029/udp - you're not receiving on the port.

The request appears to be coming in on the pppoe-wan interface, but it is not being forwarded to 192.168.1.100 (and there is no reply).

Is it possible that you got it wrong and 92.x.x.x is a host on the internet (the initiator) and 85.x.x.x is the wan interface of the router?

Can we see the output of nft list chain inet fw4 dstnat_wan?

Don't forget to redact the public IPs or delete the whole trace as suggested above.

I just discovered that my antivirus is also a firewall and it has been blocking the zdoom server. Turning it off fixed the issue. I would have realized sooner but the problem did not occur with my ISP's router, which seems very odd to me.

In any case, turning off my software firewall fixed the issue.

A big thanks to everybody who took the time to respond!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:
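
The outcomes discussed in this thread (nothing arriving on the WAN, the redirect not forwarding, or the LAN host staying silent because of a host firewall) can be told apart from a router-side capture. The script below is an added example, not code from any poster or from OpenWrt: it classifies one-line `tcpdump -nni any udp and port 5029` output (without `-vv`), assuming the tcpdump 4.99+ `any` format with interface name and direction; the sample trace and its addresses are constructed.

```shell
#!/bin/sh
# Added example. Assumes the tcpdump >= 4.99 "-i any" line format:
#   <time> <ifname> <In|Out> IP <src>.<sport> > <dst>.<dport>: UDP, length N
LAN_HOST=192.168.1.100   # dest_ip of the redirect
PORT=5029                # src_dport / dest_port of the redirect
WAN_IF=pppoe-wan         # WAN interface named in the thread
LAN_IF=br-lan            # LAN bridge from `uci show network`

# Reads tcpdump lines on stdin and prints one verdict:
#   no-inbound          nothing reached the WAN interface on $PORT
#   not-forwarded       arrived on WAN, never left towards $LAN_HOST (DNAT/forward issue)
#   forwarded-no-reply  DNAT worked, LAN host stayed silent (service down or host firewall)
#   ok                  LAN host answered
classify_trace() {
    awk -v host="$LAN_HOST" -v port="$PORT" -v wan="$WAN_IF" -v lan="$LAN_IF" '
    $4 == "IP" && $6 == ">" {
        src = $5; dst = $7; sub(/:$/, "", dst)
        sfx = "." port
        to_port = (substr(dst, length(dst) - length(sfx) + 1) == sfx)
        if ($2 == wan && $3 == "In"  && to_port)             wan_in++
        if ($2 == lan && $3 == "Out" && dst == (host sfx))   lan_out++
        if ($2 == lan && $3 == "In"  && src == (host sfx))   reply++
    }
    END {
        if (!wan_in)        print "no-inbound"
        else if (!lan_out)  print "not-forwarded"
        else if (!reply)    print "forwarded-no-reply"
        else                print "ok"
    }'
}

# Constructed sample (documentation addresses, not taken from the thread):
# the packet is DNATed to the LAN host, which never answers.
sample_trace() {
    cat <<'EOF'
12:00:01.000000 pppoe-wan In  IP 203.0.113.7.40000 > 198.51.100.2.5029: UDP, length 8
12:00:01.000100 br-lan Out IP 203.0.113.7.40000 > 192.168.1.100.5029: UDP, length 8
12:00:01.000110 eth1  Out IP 203.0.113.7.40000 > 192.168.1.100.5029: UDP, length 8
EOF
}

sample_trace | classify_trace
```

A `forwarded-no-reply` verdict means the router's redirect did its job and the next place to look is the destination host itself.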