Iptables v1.8.7 (nf_tables): unknown option "--to-ports"

Model	Xiaomi Mi Router 4C
Architecture	MediaTek MT7628AN ver:1 eco:2
Target Platform	ramips/mt76x8
Firmware Version	OpenWrt 22.03.3 r20028-43d71ad93e / LuCI openwrt-22.03 branch git-22.361.69894-438c598
Kernel Version	5.10.161
  • This version doesn't include iptables by default - you should provide all information

I don't think your rule has any effect - but here it is translated for UCI:

# in /etc/config/firewall

config redirect
        option target 'DNAT'
        option src '*'
        option proto 'tcp'
        option dest_port '12345'
        option src_ip '10.42.0.0/24'
        option name 'inna_redirect'
        option dest '*'

Thanks,

Now I did this and added to that file:

config redirect
        option target 'DNAT'
        option src '*'
        option proto 'tcp'
        option dest_port '1111'
        option src_ip '192.168.1.1/24'
        option name 'inna_redirect'
        option dest '*'

But when I run fw4 reload to reload the firewall, I get the following warning or error:

Section @redirect[0] (inna_redirect) must not have source '*' for dnat target

I changed firewall file to this:

config redirect
        option target 'DNAT'
        option src 'lan'
        option proto 'tcp'
        option dest_port '1111'
        option src_ip '192.168.1.1/24'
        option name 'inna_redirect'
        option dest '*'

But after reloading I still get the following error:

/dev/stdin:149:47-50: Error: transport protocol mapping is only valid after transport protocol match
                ip saddr 192.168.1.0/24 counter redirect to 1111 comment "!fw4: inna_redirect"

This version doesn't include iptables by default - you should provide all information

I know iptables does not come by default in OpenWrt, but I installed it: opkg install iptables.
What information do you need?

Correct, I told you it might not work. You would need to properly configure/edit your firewall rule. I'm unable to guess or assume what the rule's intended function could be, so I wouldn't know how to edit it.

Why?

EDIT: Perhaps also, you could explain the firewall rule's function/purpose so we'd be better able to help you.

I want to forward all incoming requests to port 1111 (no matter whether it's from LAN or WiFi).
Port 1111 is a socks proxy running on the server.

So each connection goes through the socks proxy.

Update 1
I got the reason for the error:
I changed from option src 'lan' to option src 'br-lan', but I still get the same error:

Section @redirect[0] (inna_redirect) option 'src' specifies invalid value 'br-lan'

You already made such a thread:

@frollic already noted:

See:

  • Your private message offering me payment doesn't change anything

The interface name by default is lan - unless you changed it. Nonetheless, such a rule will not work.


Please refrain from making multiple posts.

Thanks,

I tried everything that has been said, but in the end I don't see my server's IP when I google "what is my ip".

I didn't mean to bother anyone, nor to change anything. I just wanted someone to do it and to pay them for their work (like you pay someone to fix your car).


Perhaps there's a language barrier. I hope the best for your configurations.

ifconfig shows this, and based on it I tried different names:

root@OpenWrt:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr MyMacAddress
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:102116 errors:0 dropped:0 overruns:0 frame:0
          TX packets:129057 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:18078678 (17.2 MiB)  TX bytes:105238226 (100.3 MiB)

eth0      Link encap:Ethernet  HWaddr MyMacAddress
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:249088 errors:0 dropped:3 overruns:0 frame:0
          TX packets:240785 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:130976840 (124.9 MiB)  TX bytes:125935334 (120.1 MiB)
          Interrupt:5

eth0.1    Link encap:Ethernet  HWaddr MyMacAddress
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:102121 errors:0 dropped:5 overruns:0 frame:0
          TX packets:141418 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:18078908 (17.2 MiB)  TX bytes:105905720 (100.9 MiB)

eth0.2    Link encap:Ethernet  HWaddr MyMacAddress
          inet addr:192.168.0.125  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:133880 errors:0 dropped:0 overruns:0 frame:0
          TX packets:99352 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:107883338 (102.8 MiB)  TX bytes:19065004 (18.1 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:280 errors:0 dropped:0 overruns:0 frame:0
          TX packets:280 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:27619 (26.9 KiB)  TX bytes:27619 (26.9 KiB)

I appreciate you writing in Farsi to help me understand, but I understand English well and there's no such barrier here.

Just out of curiosity, why not point the clients directly to the proxy on port 1111?


Incorrect:

See:


It's LAN.

Then again: you cannot make a firewall rule to Port Forward to a SOCKS Proxy.


Let us suppose I'm one of the clients (my mobile phone is connected wireless).

Because I cannot set a SOCKS proxy in the WiFi settings of my mobile. I think it only accepts HTTP(S).

Aha, thanks.

Then you mean if I have HTTPS proxy, would it work with the same method?


No. I said no such thing (I'm not sure why you insist on attempting to Port Forward to proxies). See:

Thanks, but I do not mean to set proxy in my mobile.
If I wanted to do this, then I would not have purchased the router.

(Perhaps a mod can close this duplicate thread now.)

(Since frolic told you exactly how to configure your devices to use the proxy at the router port 1111 - and I sent you links on how to set your mobile devices to use router port 1111, not sure what you mean since the proxy is on the router. I hope the best for your setup.)


Thanks,
I'll re-read all the discussion in this topic and the other one. I may have missed a point or something in the discussion between you and frolic.


Your rule needs an option src_dport to start working.

This is wrong. Fix it or just comment it out.

config redirect
        option target 'DNAT'
        option src 'lan'
        list proto 'tcp'
        option src_dport '0-65535'
        option dest_port '1111'
        #option src_ip '192.168.1.0/24'
        option name 'inna_redirect'
        option dest '*'

?

  • This is a Port Forward - that's incorrect and would need to be a Traffic Rule; since
  • The destination is any (FORWARD) and the intended destination is the router (i.e. INPUT)
  • The OP is running a SOCKS5 like proxy at 1111/tcp
  • I would assume the process is listening at 127.0.0.1 though and not 0.0.0.0

With or without option dest '*', the rule will be created in the dstnat_lan chain, redirecting all tcp traffic originating from the lan to port 1111 on the router.

table inet fw4 {
        chain dstnat_lan {
                meta nfproto ipv4 tcp dport 0-65535 counter packets 0 bytes 0 redirect to :1111 comment "!fw4: inna_redirect"
        }
}

EDIT:

Sorry, I overlooked that

I meant this to be cleared


(My bad, was still thinking iptables).

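To tie the three fw4 messages in this thread to the UCI options that cause them, here is a small checker I wrote for this page (it is not part of fw4 or of anyone's post): it parses a `config redirect` section, reproduces the `src '*'`, invalid-zone and missing-`src_dport` complaints, and renders the `dstnat_lan` rule fw4 writes once the section is accepted. It assumes the default zone names `lan`/`wan`; the sample section is the one that finally loaded above, and the `counter packets 0 bytes 0` figures shown by `nft list` are omitted from the rendered rule.

```python
import ipaddress
import re

VALID_ZONES = {"lan", "wan"}  # assumption: default zone names; 'br-lan' is a device, not a zone
# Constructed input: the section that finally loaded at the end of the thread
WORKING = """config redirect
        option target 'DNAT'
        option src 'lan'
        list proto 'tcp'
        option src_dport '0-65535'
        option dest_port '1111'
        option name 'inna_redirect'"""


def parse_redirect(text: str) -> dict:
    """Parse one 'config redirect' block; 'list' keys accumulate, 'option' keys overwrite."""
    opts: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "config ")):
            continue
        m = re.fullmatch(r"(option|list)\s+(\w+)\s+'([^']*)'", line)
        if not m:
            raise ValueError(f"unparsable line: {line}")
        kind, key, val = m.groups()
        if kind == "list":
            opts.setdefault(key, []).append(val)
        else:
            opts[key] = val
    return opts


def check_redirect(opts: dict) -> list:
    """Return the fw4-style messages the section would trigger (empty list = accepted)."""
    errs, name, src = [], opts.get("name", "?"), opts.get("src")
    if opts.get("target") == "DNAT" and src == "*":
        errs.append(f"Section @redirect[0] ({name}) must not have source '*' for dnat target")
    elif src not in VALID_ZONES:
        errs.append(f"Section @redirect[0] ({name}) option 'src' specifies invalid value '{src}'")
    # 'redirect to :port' is a transport-protocol mapping; nft accepts it only after a tcp/udp dport match, which fw4 emits only when src_dport is set
    if "dest_port" in opts and "src_dport" not in opts:
        errs.append("Error: transport protocol mapping is only valid after transport protocol match")
    return errs


def render_nft(opts: dict) -> str:
    """Render the dstnat_<zone> rule fw4 generates for an accepted section."""
    proto = opts["proto"][0] if isinstance(opts["proto"], list) else opts["proto"]
    parts = ["meta nfproto ipv4"]
    if "src_ip" in opts:  # fw4 normalises 192.168.1.1/24 to the network address 192.168.1.0/24
        parts.append(f"ip saddr {ipaddress.ip_network(opts['src_ip'], strict=False)}")
    parts.append(f"{proto} dport {opts['src_dport']} counter redirect to :{opts['dest_port']}")
    return " ".join(parts) + f' comment "!fw4: {opts["name"]}"'
```

Running `check_redirect(parse_redirect(WORKING))` returns an empty list, while feeding it the earlier sections from this thread returns the corresponding messages.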