Hi all
I have moved my home router from a sunxi target running 19.07.2 to a Raspberry Pi 4 solution, loaded with the latest snapshot.
I did not want to start from scratch, so I loaded and adapted the other router's configuration.
It works except for a very strange issue with port forwarding.
I have a TCP and a UDP OpenVPN server on the router, and I normally forward the internal TCP port to external 443 in order to minimize the chances of being filtered by a public Wi-Fi proxy.
So I have two rules saying:
External TCP:443 -> RouterIP:TCP:8094
External UDP:8095 -> RouterIP:UDP:8095
But I cannot connect to the OpenVPN server, neither the TCP server nor the UDP one.
The strange thing is that if, for the TCP server, I change the external port to something other than 443, like 8094, it works! Instead, I have not been able to make UDP work at all.
An online port scanner on my public IP shows port 443 as filtered; I do not have any particular rule that blocks such a port (the configuration is identical to the old router, which worked).
Can someone help me troubleshoot the issue?
Thanks
Check if you have hits:
fw3 restart
reset counters, try to connect from both ports
iptables-save -c | grep DNAT
Verify the counters are not 0.
Actually, if the OpenVPN server is running on the router, what is the point of port forwarding, and why not run the server directly on 443?
This is the output of the second command:
root@MenionRouter:~# iptables-save -c | grep DNAT
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p tcp -m tcp --dport 5144 -m comment --comment "!fw3: aMule TCP (reflection)" -j DNAT --to-destination 192.168.182.192:5144
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p udp -m udp --dport 5134 -m comment --comment "!fw3: aMule UDP (reflection)" -j DNAT --to-destination 192.168.182.192:5134
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p tcp -m tcp --dport 6881 -m comment --comment "!fw3: Torrent first (reflection)" -j DNAT --to-destination 192.168.182.192:6881
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p udp -m udp --dport 6881 -m comment --comment "!fw3: Torrent first (reflection)" -j DNAT --to-destination 192.168.182.192:6881
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p tcp -m tcp --dport 6882 -m comment --comment "!fw3: Torrent second (reflection)" -j DNAT --to-destination 192.168.182.192:6882
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p udp -m udp --dport 6882 -m comment --comment "!fw3: Torrent second (reflection)" -j DNAT --to-destination 192.168.182.192:6882
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: OpenVPN TCP (reflection)" -j DNAT --to-destination 192.168.182.1:8094
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p udp -m udp --dport 8095 -m comment --comment "!fw3: OpenVPN UDP (reflection)" -j DNAT --to-destination 192.168.182.1:8095
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p tcp -m tcp --dport 6981 -m comment --comment "!fw3: qBitTorrent (reflection)" -j DNAT --to-destination 192.168.182.192:6981
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p udp -m udp --dport 6981 -m comment --comment "!fw3: qBitTorrent (reflection)" -j DNAT --to-destination 192.168.182.192:6981
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p tcp -m tcp --dport 8194 -m comment --comment "!fw3: OpenVPN backup TCP (reflection)" -j DNAT --to-destination 192.168.182.192:8194
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p udp -m udp --dport 8195 -m comment --comment "!fw3: OpenVPN backup UDP (reflection)" -j DNAT --to-destination 192.168.182.192:8195
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p tcp -m tcp --dport 8394 -m comment --comment "!fw3: OpenVPN TCP P0 (reflection)" -j DNAT --to-destination 192.168.182.10:8394
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p udp -m udp --dport 8295 -m comment --comment "!fw3: OpenVPN UDP P0 (reflection)" -j DNAT --to-destination 192.168.182.10:8295
[9:1888] -A zone_wan_prerouting -p tcp -m tcp --dport 5144 -m comment --comment "!fw3: aMule TCP" -j DNAT --to-destination 192.168.182.192:5144
[156:11750] -A zone_wan_prerouting -p udp -m udp --dport 5134 -m comment --comment "!fw3: aMule UDP" -j DNAT --to-destination 192.168.182.192:5134
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 6881 -m comment --comment "!fw3: Torrent first" -j DNAT --to-destination 192.168.182.192:6881
[17:2183] -A zone_wan_prerouting -p udp -m udp --dport 6881 -m comment --comment "!fw3: Torrent first" -j DNAT --to-destination 192.168.182.192:6881
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 6882 -m comment --comment "!fw3: Torrent second" -j DNAT --to-destination 192.168.182.192:6882
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 6882 -m comment --comment "!fw3: Torrent second" -j DNAT --to-destination 192.168.182.192:6882
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: OpenVPN TCP" -j DNAT --to-destination 192.168.182.1:8094
[1:42] -A zone_wan_prerouting -p udp -m udp --dport 8095 -m comment --comment "!fw3: OpenVPN UDP" -j DNAT --to-destination 192.168.182.1:8095
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 6981 -m comment --comment "!fw3: qBitTorrent" -j DNAT --to-destination 192.168.182.192:6981
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 6981 -m comment --comment "!fw3: qBitTorrent" -j DNAT --to-destination 192.168.182.192:6981
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8194 -m comment --comment "!fw3: OpenVPN backup TCP" -j DNAT --to-destination 192.168.182.192:8194
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 8195 -m comment --comment "!fw3: OpenVPN backup UDP" -j DNAT --to-destination 192.168.182.192:8195
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8394 -m comment --comment "!fw3: OpenVPN TCP P0" -j DNAT --to-destination 192.168.182.10:8394
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 8295 -m comment --comment "!fw3: OpenVPN UDP P0" -j DNAT --to-destination 192.168.182.10:8295
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_lan_vpn_usa_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_vpn_usa_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_vpn_usa_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vpn_usa_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[187:17230] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[5:210] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
root@MenionRouter:~#
This is because on the router LAN port 443 is taken by LuCI.
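An added example (not from the thread or from OpenWrt) that automates the counter check suggested in the earlier reply: it parses the `[packets:bytes]` prefix of each line from `iptables-save -c | grep DNAT`, keeps only the real DNAT forwards, and lists the WAN-side forwards that still have zero hits after a connection attempt. The sample lines are constructed in the shape of the output posted above; the function and variable names are my own.

```python
import re
import shlex

# Constructed sample in the shape of `iptables-save -c | grep DNAT` output,
# modelled on the lines posted in this thread ([packets:bytes] counters first).
SAMPLE = """\
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: OpenVPN TCP" -j DNAT --to-destination 192.168.182.1:8094
[1:42] -A zone_wan_prerouting -p udp -m udp --dport 8095 -m comment --comment "!fw3: OpenVPN UDP" -j DNAT --to-destination 192.168.182.1:8095
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: OpenVPN TCP (reflection)" -j DNAT --to-destination 192.168.182.1:8094
[187:17230] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
"""

COUNTER_RE = re.compile(r"^\[(\d+):(\d+)\]\s+(.*)$")
# iptables options we care about; each one takes exactly one argument
OPTS = {"-A": "chain", "-p": "proto", "--dport": "dport",
        "--comment": "comment", "-j": "target", "--to-destination": "dest"}

def parse_rule(line):
    """Parse one counted iptables-save line into a dict, or None if it is not a rule."""
    m = COUNTER_RE.match(line.strip())
    if not m:
        return None
    rule = {"pkts": int(m.group(1)), "bytes": int(m.group(2))}
    rule.update({k: None for k in OPTS.values()})
    toks = shlex.split(m.group(3))          # shlex keeps the quoted comment as one token
    for i, tok in enumerate(toks[:-1]):
        if tok in OPTS:
            rule[OPTS[tok]] = toks[i + 1]
    if rule["dport"] is not None:
        rule["dport"] = int(rule["dport"])
    return rule

def dnat_rules(text):
    """Only rules whose target is DNAT (the port forwards, not the ACCEPT glue rules)."""
    rules = (parse_rule(l) for l in text.splitlines())
    return [r for r in rules if r and r["target"] == "DNAT"]

def wan_hits(text, proto, dport, wan_chain="zone_wan_prerouting"):
    """Packet count on the WAN-side forward for proto/dport (None if there is no such rule)."""
    for r in dnat_rules(text):
        if r["chain"] == wan_chain and r["proto"] == proto and r["dport"] == dport:
            return r["pkts"]
    return None

def silent_forwards(text, wan_chain="zone_wan_prerouting"):
    """WAN forwards still at 0 packets after a connection attempt: the firewall never
    saw the traffic, so the next check is tcpdump on the WAN interface, not the rule."""
    return [(r["proto"], r["dport"], r["dest"])
            for r in dnat_rules(text) if r["chain"] == wan_chain and r["pkts"] == 0]
```

On a router, feed it the real output with `silent_forwards(open("dnat.txt").read())` after `fw3 restart` and one connection attempt per port, as the reply above describes.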
No hits on 443.
The appropriate target in this case would be REDIRECT, as you want to redirect the packet to the router itself, but on a different port.
Regarding the UDP port, you need a rule to open the port; the port forward is overkill.
The TCP 443 problem is the same if I forward it to another server in my LAN.
I understand that the problem is that no connection is opened on 443; in fact, the online port scan shows me the port as filtered.
How come? I do not have any block rule in my firewall.
Packets never reach your router -> ISP block.
Verify with tcpdump -i XXX -n tcp port 443
where XXX is the physical WAN interface, e.g. eth0.2 or pppoe-wan.
Packet capture takes place before the firewall.
You were right.
I needed to restart my ISP router, because switching the DMZ from the old router to the new one seems to have left something wrong in it.
Now it works, except for the UDP, but I think that is another kind of problem, because I see TLS errors.
Thanks
system Closed June 1, 2020, 3:34pm
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.