I can't port forward

But what should happen when someone connects to each port? Right now you've got, for example, anyone who connects to your router on port 25565 will get connected to 192.168.1.1, which is presumably... your router... so you're not even forwarding that port in a meaningful way. Please tell us what should happen when someone connects to each port?

Would have assumed you already figured out how to reach command line via SSH

The port should be open

I don't understand so much of routers, I've even said it in my first comment

"up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 75957,
        "l3_device": "pppoe-wan",
        "proto": "pppoe",
        "device": "wan",
        "updated": [
                "addresses",
                "routes"
        ],
        "metric": 0,
        "dns_metric": 0,
        "delegation": false,
        "ipv4-address": [
                {
                        "address": "109.199.240.228",
                        "mask": 32
                }
        ],
        "ipv6-address": [

        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "0.0.0.0",
                        "mask": 0,
                        "nexthop": "195.24.88.24",
                        "source": "0.0.0.0\/0"
                }
        ],
        "dns-server": [
                "195.24.88.24",
                "195.24.88.1"
        ],
        "dns-search": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ]
        },
        "data": {

        }

:PREROUTING ACCEPT [1600:278195]
:INPUT ACCEPT [577:37871]
:OUTPUT ACCEPT [416:28776]
:POSTROUTING ACCEPT [7:504]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]

There is no port forwarding configured on the router.
Do a service firewall restart; iptables-save -c -t nat and post again here the output in preformatted text (the </> button).

1 Like

Let's try this again.

When a connection comes in to the router's WAN interface on each port, what machine will respond to it? What is the IP address of that machine? What software is running on that machine? What port is it listening on?

1 Like

This won't work. This defines a single IP on the WAN interface (i.e. there isn't space for an ISP router on a WAN network with a single /32 IP range - this has to be incorrect).

This is invalid anyway.

I recall you said you don't know routers...but we really need to know how you set this up and why you think it'll work...otherwise, I suggest you reset to defaults and try again.

Your current issue is - even if the port forwards work, the router currently has no ISP to send/receive traffic from.

EDIT:

or...
Is this PPPoE?

Unfortunately I have no experience with PPPoE, but I guess it works as a Point-to-Point tunnel, so /32 netmask should be valid.

2 Likes

AAAH!

I didn't consider PPPoE. Thanks.

1 Like

Soooo, u found anything else I should do?

:confused: Yes...

  • You could answer us...do you use PPPoE?
  • If so, can you show the firewall config and ifstatus of the correct interface?

Yes, I use PPPoE

Ifstatus doesn't find anything when I search it up

Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan6'
Warning: Section @zone[1] (wan) cannot resolve device of network 'EtherIP'
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Redirect 'WEBadm'
   * Redirect 'SSH'
   * Forward 'lan' -> 'wan'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
   * Redirect 'WEBadm'
   * Redirect 'SSH'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
# Generated by iptables-save v1.4.21 on Sat Jun 22 08:15:31 2019
*nat
:PREROUTING ACCEPT [145:211971]
:INPUT ACCEPT [144:211931]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [1:40]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[140:206011] -A PREROUTING -m comment --comment "!fw3: user chain for prerouting" -j prerouting_rule
[1:291] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[139:205720] -A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A POSTROUTING -m comment --comment "!fw3: user chain for postrouting" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.1/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: WEBadm (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.1/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH (reflection)" -j SNAT --to-source 192.168.1.1
[1:291] -A zone_lan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 109.199.240.228/32 -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: WEBadm (reflection)" -j DNAT --to-destination 192.168.1.1:80
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 109.199.240.228/32 -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: SSH (reflection)" -j DNAT --to-destination 192.168.1.1:22
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_wan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[139:205720] -A zone_wan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: WEBadm" -j DNAT --to-destination 192.168.1.1:80
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: SSH" -j DNAT --to-destination 192.168.1.1:22
COMMIT
# Completed on Sat Jun 22 08:15:31 2019

Guys, new update: if I restart the firewall, port forwarding is working on 80, 8080, but when I add a new port they get closed once again

Fix those two warnings. You probably deleted the interfaces, but they are still in the wan zone.

Other than that something is messing up your firewall and it is not running properly, like here.
With a proper restart the rules are applied.

Besides the fact that your firewall is not working right, even if it were, I don't understand what those rules you show in the first post are designed to do. A whole bunch of them make no sense.

1 Like

I don't know how to fix these warnings but someone said "Just ignore them"

Like the "A242" rule:

it says: "if the router itself connects to itself on its WAN using as its source IP 192.168.1.1 then send it to itself on LAN on the same port."

So first off the first case will never happen, it will never connect on WAN to itself using its LAN IP address, second of all, if it somehow does do that then you're just connecting it to itself anyway...so there is no port forwarding going on there...

Which is why I say please describe what you're trying to accomplish and we can help you sort out those port forward rules. Otherwise even if you figure out what is going wrong in your firewall, you'll still never get anything meaningful out of those rules.

3 Likes
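Added example, not part of any post in this thread: a small shell function that reads `iptables-save -t nat` output (as requested above) and marks each DNAT rule as `SELF` when it points back at the router's own LAN address, or `FORWARD` when it targets another host. The first two sample rules are copied from the dump posted above; the third rule and the LAN host 192.168.1.100 are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify DNAT rules from `iptables-save -t nat` output.
# SELF    = the rule redirects to the router's own LAN IP (no real forward)
# FORWARD = the rule redirects to another host

# Usage on the router: iptables-save -t nat | audit_dnat 192.168.1.1
audit_dnat() {
    awk -v router="$1" '
    /-j DNAT/ {
        chain = ""; dport = "any"; dest = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-A")               chain = $(i + 1)
            if ($i == "--dport")          dport = $(i + 1)
            if ($i == "--to-destination") dest  = $(i + 1)
        }
        host = dest
        sub(/:.*/, "", host)              # strip ":port" from the target
        verdict = (host == router) ? "SELF" : "FORWARD"
        print verdict, chain, dport, dest
    }'
}

# Sample input. Lines 2-3 come from the dump in the thread; the 25565 rule
# and its target 192.168.1.100 are constructed (hypothetical LAN host).
sample_rules() {
    cat <<'EOF'
*nat
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: WEBadm" -j DNAT --to-destination 192.168.1.1:80
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: SSH" -j DNAT --to-destination 192.168.1.1:22
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 25565 -m comment --comment "!fw3: game" -j DNAT --to-destination 192.168.1.100:25565
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
COMMIT
EOF
}

sample_rules | audit_dnat 192.168.1.1
```

A `SELF` line in `zone_wan_prerouting` means that WAN port reaches a service on the router itself (web admin and SSH in the dump above) rather than a machine behind it.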