Iptables and PREROUTING

Hello guys, I need your help :grinning:

I need a NAT rule on my OpenWrt device; it's only a port forwarding.

From a tun to the LAN:

iptables -A PREROUTING -p tcp -m tcp -i tun0 --dport 8080 -j DNAT --to-destination 192.168.10.1:9090

This rule gives an "iptables: No chain/target/match by that name" error.

Many thanks for inputs :blush:

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c

You forgot to specify the nat table (-t nat), but I'm sure trendy will help you solve your problem the right way.

3 Likes

Hi trendy,

thanks for your answer. :face_with_monocle:

{
        "kernel": "5.4.179",
        "hostname": "Router",
        "system": "MediaTek MT7628AN ver:1 eco:2",
        "model": "TP-Link",
        "board_name": "tplink",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02.2",
                "revision": "r16495-bf0c965af0",
                "target": "ramips/mt76x8",
                "description": "OpenWrt 21.02.2 r16495-bf0c965af0"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd42:74dc:997f::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '0'

config device
        option name 'wlan0'
        option ipv6 '0'

config interface 'WLAN'
        option proto 'static'
        option ipaddr '172.16.10.1'
        option netmask '255.255.255.0'

config interface 'tun0'
        option proto 'none'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config nat
        option name '45'
        list proto 'tcp'
        option src_port '4433'
        option dest_ip '172.16.10.1'
        option dest_port '8443'
        option target 'MASQUERADE'
        option src 'HOME'
        option device 'eth0'

config zone
        option name 'HOME'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option family 'ipv4'
        list network 'tun0'

config forwarding
        option src 'HOME'
        option dest 'lan'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.7 on Wed Apr  6 10:14:54 2022
*nat
:PREROUTING ACCEPT [740:74448]
:INPUT ACCEPT [632:52524]
:OUTPUT ACCEPT [8:590]
:POSTROUTING ACCEPT [8:590]
:postrouting_HOME_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_HOME_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_HOME_postrouting - [0:0]
:zone_HOME_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[740:74448] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[110:22120] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[8:590] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[5:380] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A zone_HOME_postrouting -m comment --comment "!fw3: Custom HOME postrouting rule chain" -j postrouting_HOME_rule
[0:0] -A zone_HOME_postrouting -d 172.16.10.1/32 -o eth0 -p tcp -m tcp --sport 4433 --dport 8443 -m comment --comment "!fw3: 45" -j MASQUERADE
[0:0] -A zone_HOME_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_HOME_prerouting -m comment --comment "!fw3: Custom HOME prerouting rule chain" -j prerouting_HOME_rule
[5:380] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[110:22120] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Wed Apr  6 10:14:54 2022
# Generated by iptables-save v1.8.7 on Wed Apr  6 10:14:54 2022
*mangle
:PREROUTING ACCEPT [3768:406892]
:INPUT ACCEPT [3660:384968]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2915:547608]
:POSTROUTING ACCEPT [2915:547608]
COMMIT
# Completed on Wed Apr  6 10:14:54 2022
# Generated by iptables-save v1.8.7 on Wed Apr  6 10:14:54 2022
*filter
:INPUT ACCEPT [630:52328]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_HOME_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_HOME_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_HOME_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_HOME_dest_ACCEPT - [0:0]
:zone_HOME_forward - [0:0]
:zone_HOME_input - [0:0]
:zone_HOME_output - [0:0]
:zone_HOME_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[24:1737] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[3641:383545] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[3007:330865] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[38:1976] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[4:352] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[24:1737] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[2899:552347] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[2894:551967] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[5:380] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[38:1976] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_HOME_forward -m comment --comment "!fw3: Custom HOME forwarding rule chain" -j forwarding_HOME_rule
[0:0] -A zone_HOME_forward -m comment --comment "!fw3: Zone HOME to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_HOME_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_HOME_forward -m comment --comment "!fw3" -j zone_HOME_dest_ACCEPT
[0:0] -A zone_HOME_input -m comment --comment "!fw3: Custom HOME input rule chain" -j input_HOME_rule
[0:0] -A zone_HOME_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_HOME_input -m comment --comment "!fw3" -j zone_HOME_src_ACCEPT
[0:0] -A zone_HOME_output -m comment --comment "!fw3: Custom HOME output rule chain" -j output_HOME_rule
[0:0] -A zone_HOME_output -m comment --comment "!fw3" -j zone_HOME_dest_ACCEPT
[5:380] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[4:352] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -p tcp -m tcp --dport 80 -m comment --comment "!fw3: No MGMT (HTTP)" -j reject
[0:0] -A zone_lan_input -p tcp -m tcp --dport 22 -m comment --comment "!fw3: No MGMT (SSH)" -j reject
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[4:352] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[5:380] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[5:380] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[4:352] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
COMMIT

@pavelgl is right. However you'd better use the built-in system to apply settings which will be reapplied on startup or firewall reload, and will be backed up and transferred after an upgrade.

uci add firewall redirect
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].name='test-port-forward'
uci add_list firewall.@redirect[-1].proto='tcp'
uci set firewall.@redirect[-1].src='HOME'
uci set firewall.@redirect[-1].src_dport='8080'
uci set firewall.@redirect[-1].dest_ip='192.168.10.1'
uci set firewall.@redirect[-1].dest_port='9090'
uci set firewall.@redirect[-1].reflection='0'
uci commit firewall
service firewall restart
2 Likes

Thanks, I will try. Is it possible to enter this in the web GUI?

Not to enter it directly, but if you go to Network/Firewall/Port Forwards you can Add one and fill in the values.

1 Like

:sleepy: Thanks, the port forward is active but it is not working. I checked the IP, it's OK. Where do I troubleshoot this? Logs or filter table output? :slightly_smiling_face:

Post here the output of iptables-save -c -t nat

I hope you see my mistake...

*nat
:PREROUTING ACCEPT [467:44232]
:INPUT ACCEPT [407:32052]
:OUTPUT ACCEPT [6:444]
:POSTROUTING ACCEPT [6:444]
:postrouting_HOME_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_HOME_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_HOME_postrouting - [0:0]
:zone_HOME_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[467:44232] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[60:12180] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[6:444] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[4:304] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A zone_HOME_postrouting -m comment --comment "!fw3: Custom HOME postrouting rule chain" -j postrouting_HOME_rule
[0:0] -A zone_HOME_prerouting -m comment --comment "!fw3: Custom HOME prerouting rule chain" -j prerouting_HOME_rule
[0:0] -A zone_HOME_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: test-port-forward" -j DNAT --to-destination 192.168.10.1:9090
[4:304] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[60:12180] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule

The rule is there, but has no hits, so nothing came to the router.

1 Like

Can this be a zone problem? The traffic comes from tun0 and hits the device (port 8080), which should then forward the traffic to the destination (IP/port).

Nope, the zone is fine. Usually the problem lies with packets not being forwarded from the VPN endpoint, a wrong IP used by the user, or a bad DDNS used by the user.
You can verify yourself with opkg update; opkg install tcpdump; tcpdump -i tun0 -n -c 5 tcp port 8080 whether any packets are coming in. Also the counters at the beginning of the iptables line must not be zero.

1 Like
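Both of trendy's checks above (the redirect "is there, but has no hits", and the counters at the beginning of the iptables line must not be zero) come down to reading the [packets:bytes] prefix that iptables-save -c prints in front of every rule. The POSIX sh script below is an added example, not code from the thread or from OpenWrt: it parses a constructed nat-table dump shaped like the one posted and reports, for a redirect identified by its fw3 comment name, whether the rule is missing, present with zero hits (nothing reached the router on that zone), or has matched packets. The sample dump and the second rule named other-forward are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): read an `iptables-save -c` dump and report
# the packet counter of the rule whose fw3 comment matches a given name.
# Counters are the "[packets:bytes]" prefix of each rule line.

# Constructed sample, shaped like the nat table the poster pasted.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [467:44232]
:zone_HOME_prerouting - [0:0]
[467:44232] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[0:0] -A zone_HOME_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: test-port-forward" -j DNAT --to-destination 192.168.10.1:9090
[12:720] -A zone_HOME_prerouting -p tcp -m tcp --dport 8443 -m comment --comment "!fw3: other-forward" -j DNAT --to-destination 192.168.10.2:443
COMMIT'

# rule_packets NAME DUMP -> prints the packet count of the rule commented
# "!fw3: NAME", or "missing" if no such rule exists in the dump.
rule_packets() {
    printf '%s\n' "$2" | awk -v name="$1" '
        /^\[/ && index($0, "\"!fw3: " name "\"") {
            # $1 is "[packets:bytes]"; strip the brackets and keep the packet count
            split(substr($1, 2, length($1) - 2), c, ":")
            print c[1]; found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# check_forward NAME DUMP -> exit status 0 if the rule exists and has matched
# packets, 1 if it exists but its counters are zero, 2 if it is not present.
check_forward() {
    n=$(rule_packets "$1" "$2")
    case "$n" in
        missing) echo "$1: rule not found in nat table"; return 2 ;;
        0)       echo "$1: rule present, no hits (traffic never reached the router on this zone)"; return 1 ;;
        *)       echo "$1: rule present, $n packets matched"; return 0 ;;
    esac
}

# On a live router the dump comes from the command trendy asked for:
#   check_forward test-port-forward "$(iptables-save -c -t nat)"
for name in test-port-forward other-forward; do
    check_forward "$name" "$SAMPLE_DUMP" || true
done
```

A zero counter on the DNAT rule rules out the firewall configuration as the culprit and points upstream (VPN endpoint, client address, DDNS), which is why the counter is worth checking before the tcpdump step; a non-zero counter with a connection that still fails points instead at the return path.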

OK, no space left to install tcpdump. I will try a dump at the tunnel input.

Hi trendy, I can now run a dump:

17:59:32.766024 IP 172.16.16.20.56338 > 10.1.1.10.4422: Flags [S], seq 2570047775, win 64240, options [mss 1356,nop,wscale 8,nop,nop,sackOK], length 0

The packets are coming in from tun0.

The counter goes up.

Then it needs a SNAT rule to change the source IP.

1 Like
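To make the final recommendation concrete, here is an added example (not from the thread or from OpenWrt) that emits a single uci batch script containing trendy's DNAT redirect from above plus the SNAT nat rule that rewrites the source address on the way into the lan zone. It uses the fw3 nat section the poster's own config already contains (config nat with src, dest_ip, dest_port, proto and target). The ROUTER_LAN_IP value is an assumption: the poster's lan interface gets its address by DHCP, so the real br-lan address has to be substituted; the rule name snat-tun-to-... is also invented here.

```shell
#!/bin/sh
# Added example, not from the thread: print a `uci batch` script that creates the
# DNAT redirect plus the SNAT rule needed when the LAN host has no route back to the
# tunnel clients. Values below mirror the thread except ROUTER_LAN_IP.

TUN_ZONE=HOME                 # zone that contains tun0 (from the poster's config)
LAN_ZONE=lan
PUBLIC_PORT=8080              # port clients hit on the router through the tunnel
TARGET_IP=192.168.10.1        # LAN host that receives the forward
TARGET_PORT=9090
ROUTER_LAN_IP=192.168.10.254  # ASSUMPTION: replace with the router's br-lan address

# nat_batch -> prints uci commands for one DNAT redirect and one SNAT nat rule
nat_batch() {
    cat <<EOF
add firewall redirect
set firewall.@redirect[-1].name='test-port-forward'
set firewall.@redirect[-1].src='$TUN_ZONE'
set firewall.@redirect[-1].dest='$LAN_ZONE'
add_list firewall.@redirect[-1].proto='tcp'
set firewall.@redirect[-1].src_dport='$PUBLIC_PORT'
set firewall.@redirect[-1].dest_ip='$TARGET_IP'
set firewall.@redirect[-1].dest_port='$TARGET_PORT'
set firewall.@redirect[-1].target='DNAT'
set firewall.@redirect[-1].reflection='0'
add firewall nat
set firewall.@nat[-1].name='snat-tun-to-$TARGET_IP'
set firewall.@nat[-1].src='$LAN_ZONE'
add_list firewall.@nat[-1].proto='tcp'
set firewall.@nat[-1].dest_ip='$TARGET_IP'
set firewall.@nat[-1].dest_port='$TARGET_PORT'
set firewall.@nat[-1].target='SNAT'
set firewall.@nat[-1].snat_ip='$ROUTER_LAN_IP'
commit firewall
EOF
}

# count_sections KIND -> number of "add firewall KIND" lines in the batch
count_sections() { nat_batch | grep -c "^add firewall $1\$"; }

# apply_batch -> on a real OpenWrt box feed the batch to uci and reload the
# firewall; anywhere else just print it for review
apply_batch() {
    if command -v uci >/dev/null 2>&1; then
        nat_batch | uci batch && service firewall restart
    else
        nat_batch
    fi
}

apply_batch
```

Why the SNAT is needed: after DNAT the packet arrives at 192.168.10.1 with the tunnel client's source address, and unless that host has a route for the tunnel subnet pointing back at the router, its replies go to its default gateway and the TCP handshake never completes. That is exactly the symptom of a DNAT counter that increases while the connection still fails. Rewriting the source to the router's own LAN address fixes the return path, at the cost of hiding the real client address from the LAN host's logs, so keep the tunnel-side logs if you need to attribute connections. Setting masq '1' on the lan zone would have the same effect for every flow into the LAN; the nat rule above limits it to this one forward.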

Yes, I take it this is working. :smiley: Thanks

1 Like
