Ip address outside iprange are getting thru firewall

I'm pretty new at this, I hope I'm at the right place.?

I'm running a ovpn router with LEDE Reboot 17.01-SNAPSHOT r4020-c476954633 / LuCI lede-17.01 branch (git-19.271.72080-7b230b0)

and I'm having issues with an ip that's outside the firewalls port forward iprange that I've specified in the system.

this is the setting I have:

From IP range in vilfo0
Via any router IP at port 443

and when I'm monitoring the 443 port I'm getting this info:
07:49:28.088985 IP > server-h.52958: Flags [P.], seq 2864553083:2864553117, ack 2189864738, win 19, options [nop,nop,TS val 4085929821 ecr 1486368408], length 34

if I now have an iprange specified on port forward 443, why is then this constantly accessing my 443 port?

Is vilfo0 your WAN facing interface? Do you have a port forward active for 443 by any chance alongside that FW rule? Is the firewall rule in question getting any hits at all? Was the firewall or device restarted after you added the rule?

Have you tried port scanning your IP from an outside device, that isn't in that IP range?

Is the WAN zone set to DROP/REJECT input/forward?

PS. Try to post the rule itself from the firewall config (/etc/config/firewall), like:

config rule
	option dest_port '123'
	option src 'lan'
	option name 'Allow-Hikvision-IP-Camera-NTP'
	list src_ip ''
	option family 'ipv4'
	option target 'ACCEPT'
	option dest 'wan'
	list proto 'udp'

Vilfo0 is an incoming vpn, so yes, it's from the outside

config redirect
        option target 'DNAT'
        option dest 'lan'
        option src_dport '443'
        option dest_port '443'
        option proto 'tcp'
        option dest_ip ''
        option name 'vilfo-port-00:00:00:00:01:13-443-tcp'
        option src 'vilfo0'
        option src_ip ''

if the rule was triggered, I have no idea, is there a log for that?
I've tested from an outside computer, and I couldn't connect to 443 when I was outside the range.

I also did a nmap when scan from outside of the range, and didn't find anything, and the server didn't record any hits from me, but I found a new access attempt from livepatch.canonical.com
is it possible that some program on the server ims transmitting something OUT, on port 443? maybe I'm intercepting outgoing calls, and there's no fault in the firewall since I can't get In..

iptables-save -c -t nat | grep -e vilfo

You have misunderstood, that host replies back on a HTTPS request.


Your server is accessing the 443 on that IP.


that would explain a lot, so my server are using port 443 to connect to ?

No, your server is using 52958


why could I see this when I was monitoring 443? (I'm new, still learning)

Most likely the matching condition you used includes any source 443.


Perhaps you have not specified the destination host address filter.


tcpdump port 443 and '(tcp-syn|tcp-ack)!=0' - as I said, I'm new :slight_smile:

tcpdump port 443 and '(tcp-syn|tcp-ack)!=0'... still new.. :wink:

You don't need to reply twice (unless you have a crush with @vgaetera and you wanted to wink :smiley: )

This will match any src or dst port 443, tcp or udp. And since almost every page served now is encrypted, this will capture a lot of traffic. Use host and tcp port 443 and ...

tcpdump -ni any dst host WAN_IP and dst port 443

thx for the information, but now a newbie question, how do I monitoring just incoming signals, and is it possible to monitor all ports?

I answered @vgaetera too, didn't want to be rude :slight_smile:


There's a couple of ways:

tcpdump -ni any dst host WAN_IP
tcpdump -ni WAN_IFACE inbound

thx @vgaetera @trendy , I've learned a lot today.