Issue with Port Forwarding/Firewall

Hello,
I'm having an issue with port forwarding on my OpenWRT (OpenWrt 18.06.2 r7676-cddd7b4c77 / LuCI openwrt-18.06 branch). The situation is fairly simple. I want to access a LAN service from the WAN. For this, I've created a port forward rule:

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '20400'
        option dest_ip '192.168.0.81'
        option dest_port '20400'
        option name 'Forward20400'

However, the port status remains filtered when scanning it with nmap from the external WAN. (Connection through LAN works OK.)

Checked with tcpdump and got:

root@OpenWrt:~# tcpdump -pnvvi eth0.2 port 20400

tcpdump: listening on eth0.2, link-type EN10MB (Ethernet), capture size 262144 bytes
13:37:17.697743 IP (tos 0x0, ttl 53, id 52931, offset 0, flags [DF], proto TCP (6), length 60)
    <ip>.33092 > <external ip>.20400: Flags [S], cksum 0x27e8 (correct), seq 2095493138, win 65535, options [mss 1408,sackOK,TS val 1838631545 ecr 0,nop,wscale 9], length 0
13:37:17.976788 IP (tos 0x0, ttl 53, id 15420, offset 0, flags [DF], proto TCP (6), length 60)
    <ip>.33107 > <external ip>.20400: Flags [S], cksum 0xbd78 (correct), seq 1399603921, win 65535, options [mss 1408,sack

So it seems that the firewall might be blocking it, but the config seems solid.
Any help would be appreciated. If more information is needed, let me know.

Verify that OpenWrt is the default gateway for 192.168.0.81.
Make sure the firewall on 192.168.0.81 allows incoming connections from the internet.

Thanks for your reply.
Yes, the host gateway is correct.
Regarding firewall config, I'm attaching it below:

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp udp'
	option dest_port '20400'
	option name 'Zamel '

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option name 'ssh'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun0'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'ACCEPT'
	option input 'ACCEPT'

config include
	option path '/etc/firewall.user'
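The redirect rule from the first post and the zone configuration above can be checked mechanically. The following is an added example, not code from the thread or from OpenWrt: it parses UCI firewall text (the `config`/`option`/`list` statements shown above) and flags redirects that point at undefined zones, DNAT entries without a `dest_ip`, and wan-zone `input`/`forward` policies set to ACCEPT, which OpenWrt ships as REJECT. The sample config is a constructed excerpt of the one quoted in this thread.

```python
import re

# Constructed excerpt of the UCI firewall config quoted in this thread.
SAMPLE = """config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '20400'
        option dest_ip '192.168.0.81'
        option dest_port '20400'
        option name 'Forward20400'
config zone 'lan'
        option name 'lan'
config zone 'wan'
        option name 'wan'
        option input 'ACCEPT'
        option forward 'ACCEPT'
"""

# One UCI statement: "config <type> ['name']", "option <key> '<val>'" or "list <key> '<val>'".
UCI_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")

def parse_uci(text):
    """Return sections as {'type', 'name', 'options', 'lists'} in file order."""
    sections = []
    for m in filter(None, map(UCI_LINE.match, text.splitlines())):
        kind, key, val = m.groups()
        if kind == "config":
            sections.append({"type": key, "name": val, "options": {}, "lists": {}})
        elif kind == "option":
            sections[-1]["options"][key] = val
        else:
            sections[-1]["lists"].setdefault(key, []).append(val)
    return sections

def audit(sections):
    """Flag redirects pointing at undefined zones and wan policies set to ACCEPT."""
    zones = {s["options"].get("name"): s["options"] for s in sections if s["type"] == "zone"}
    findings = [f"zone wan: {p} is ACCEPT (OpenWrt ships REJECT here)"
                for p in ("input", "forward") if zones.get("wan", {}).get(p) == "ACCEPT"]
    for o in (s["options"] for s in sections if s["type"] == "redirect"):
        name = o.get("name", "<unnamed>")
        for k in ("src", "dest"):
            if o.get(k) not in zones:
                findings.append(f"redirect {name}: {k} zone {o.get(k)!r} is undefined")
        if o.get("target") == "DNAT" and not o.get("dest_ip"):
            findings.append(f"redirect {name}: DNAT without dest_ip")
    return findings
```

Run `audit(parse_uci(open("/etc/config/firewall").read()))` on the router to check a live config; the DNAT `dest_ip` check only confirms the option is present, so a host whose DHCP lease moved to another address still passes and needs a static lease, which is what resolved this thread.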

Looks fine, assuming this is the destination host 192.168.0.81.
Check tcpdump here.

Sorry for the late reply. The issue is with my parent's network and I didn't have a lot of time to work on this.

Thanks to @vgaetera for all replies.

In the end I managed to fix the issue by assigning a static IP to this device instead of relying on DHCP. Don't know why. Maybe it's some underlying vendor issue of the device.
