Issue with some TCP port and UDP forwarding on Snapshot

Hi all

I have moved my home router from a sunxi target running 19.07.2 to a Raspberry Pi4 solution, loaded with latest snapshot

I did not want to start from scratch so I have loaded and adapted the other router configuration.

It works except for a very strange issue with port forwarding

I have a TCP and a UDP OpenVPN server on the router, and I normally forward the internal TCP port to external 443 in order to minimize the chance of getting filtered by a public Wi-Fi proxy.

So I have two rules saying:

External TCP:443 -> RouterIP:TCP:8094
External UDP:8095 -> RouterIP:UDP:8095

But I cannot connect to the OpenVPN server, neither the TCP one nor the UDP one.
The strange thing is that if, for the TCP server, I change the external port to something other than 443, like 8094, it works! Instead I have not been able to make UDP work at all.

An online port scanner on my public IP shows port 443 as filtered; I do not have any particular rule that blocks such a port (the configuration is identical to the old router, which worked).

Can someone help me troubleshoot the issue?

Thanks

Check if you have hits:
fw3 restart resets the counters; then try to connect on both ports.
iptables-save -c | grep DNAT and verify the counters are not 0.

Actually, if the OpenVPN server is running on the router, what is the point of port forwarding rather than running the server directly on 443?
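The counter check suggested above, as an added example that is not part of the thread: a small POSIX shell/awk filter that reads `iptables-save -c` output on stdin and reports, for every fw3 WAN-side DNAT rule, whether its packet counter is still zero. A rule that stays at zero after `fw3 restart` and a connection attempt was never matched, so the packet either never reached the WAN interface or arrived on a different port or protocol. The sample input is constructed here (adapted from the rules posted below) so the script runs offline; on the router you would pipe the live output in instead.

```shell
#!/bin/sh
# Added example: classify fw3 WAN port-forward rules by their packet counters.
# Input:  `iptables-save -c` output on stdin (counters appear as a leading
#         "[packets:bytes]" field on each -A line).
# Output: one line per "-A zone_wan_prerouting ... -j DNAT" rule:
#         HIT  <proto>/<dport> <packets> pkts "<comment>"
#         MISS <proto>/<dport> 0 pkts "<comment>"
# Reflection rules (zone_lan_prerouting) and the "--ctstate DNAT" ACCEPT rules
# are ignored on purpose: only the WAN-side DNAT rule tells you whether the
# packet ever arrived from the Internet.
dnat_hits() {
    awk '
    /-A zone_wan_prerouting/ && /-j DNAT/ {
        # strip the surrounding brackets of "[packets:bytes]" and split
        split(substr($1, 2, length($1) - 2), c, ":")
        proto = ""; dport = ""; comment = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-p")       proto = $(i + 1)
            if ($i == "--dport")  dport = $(i + 1)
            if ($i == "--comment") {
                # the quoted comment may contain spaces: re-join the fields
                # until the token that carries the closing quote
                comment = $(i + 1)
                for (j = i + 2; j <= NF && comment !~ /"$/; j++)
                    comment = comment " " $j
            }
        }
        status = (c[1] + 0 > 0) ? "HIT " : "MISS"
        printf "%s %s/%s %s pkts %s\n", status, proto, dport, c[1], comment
    }'
}

# Constructed sample (adapted from the output posted in the thread), so the
# script can be exercised without a router. On OpenWrt you would run:
#   fw3 restart; <attempt the connections>; iptables-save -c | dnat_hits
SAMPLE='[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: OpenVPN TCP" -j DNAT --to-destination 192.168.182.1:8094
[1:42] -A zone_wan_prerouting -p udp -m udp --dport 8095 -m comment --comment "!fw3: OpenVPN UDP" -j DNAT --to-destination 192.168.182.1:8095
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: OpenVPN TCP (reflection)" -j DNAT --to-destination 192.168.182.1:8094
[187:17230] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT'

# Convenience wrapper: returns success only when every WAN DNAT rule has hits,
# so it can gate a script ("if ! all_forwards_hit < file; then ...").
all_forwards_hit() {
    ! dnat_hits | grep -q '^MISS'
}

printf '%s\n' "$SAMPLE" | dnat_hits
```

Reading the report: a MISS on tcp/443 next to a HIT on udp/8095 means the UDP packet did get as far as the NAT table while nothing on TCP 443 ever did, which points upstream of the firewall rather than at a missing ACCEPT rule.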

This is the output of the second command:

root@MenionRouter:~# iptables-save -c | grep DNAT
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p tcp -m tcp --dport 5144 -m comment --comment "!fw3: aMule TCP (reflection)" -j DNAT --to-destination 192.168.182.192:5144
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p udp -m udp --dport 5134 -m comment --comment "!fw3: aMule UDP (reflection)" -j DNAT --to-destination 192.168.182.192:5134
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p tcp -m tcp --dport 6881 -m comment --comment "!fw3: Torrent first (reflection)" -j DNAT --to-destination 192.168.182.192:6881
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p udp -m udp --dport 6881 -m comment --comment "!fw3: Torrent first (reflection)" -j DNAT --to-destination 192.168.182.192:6881
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p tcp -m tcp --dport 6882 -m comment --comment "!fw3: Torrent second (reflection)" -j DNAT --to-destination 192.168.182.192:6882
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p udp -m udp --dport 6882 -m comment --comment "!fw3: Torrent second (reflection)" -j DNAT --to-destination 192.168.182.192:6882
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: OpenVPN TCP (reflection)" -j DNAT --to-destination 192.168.182.1:8094
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p udp -m udp --dport 8095 -m comment --comment "!fw3: OpenVPN UDP (reflection)" -j DNAT --to-destination 192.168.182.1:8095
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p tcp -m tcp --dport 6981 -m comment --comment "!fw3: qBitTorrent (reflection)" -j DNAT --to-destination 192.168.182.192:6981
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p udp -m udp --dport 6981 -m comment --comment "!fw3: qBitTorrent (reflection)" -j DNAT --to-destination 192.168.182.192:6981
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p tcp -m tcp --dport 8194 -m comment --comment "!fw3: OpenVPN backup TCP (reflection)" -j DNAT --to-destination 192.168.182.192:8194
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p udp -m udp --dport 8195 -m comment --comment "!fw3: OpenVPN backup UDP (reflection)" -j DNAT --to-destination 192.168.182.192:8195
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p tcp -m tcp --dport 8394 -m comment --comment "!fw3: OpenVPN TCP P0 (reflection)" -j DNAT --to-destination 192.168.182.10:8394
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.32/32 -p udp -m udp --dport 8295 -m comment --comment "!fw3: OpenVPN UDP P0 (reflection)" -j DNAT --to-destination 192.168.182.10:8295
[9:1888] -A zone_wan_prerouting -p tcp -m tcp --dport 5144 -m comment --comment "!fw3: aMule TCP" -j DNAT --to-destination 192.168.182.192:5144
[156:11750] -A zone_wan_prerouting -p udp -m udp --dport 5134 -m comment --comment "!fw3: aMule UDP" -j DNAT --to-destination 192.168.182.192:5134
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 6881 -m comment --comment "!fw3: Torrent first" -j DNAT --to-destination 192.168.182.192:6881
[17:2183] -A zone_wan_prerouting -p udp -m udp --dport 6881 -m comment --comment "!fw3: Torrent first" -j DNAT --to-destination 192.168.182.192:6881
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 6882 -m comment --comment "!fw3: Torrent second" -j DNAT --to-destination 192.168.182.192:6882
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 6882 -m comment --comment "!fw3: Torrent second" -j DNAT --to-destination 192.168.182.192:6882
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: OpenVPN TCP" -j DNAT --to-destination 192.168.182.1:8094
[1:42] -A zone_wan_prerouting -p udp -m udp --dport 8095 -m comment --comment "!fw3: OpenVPN UDP" -j DNAT --to-destination 192.168.182.1:8095
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 6981 -m comment --comment "!fw3: qBitTorrent" -j DNAT --to-destination 192.168.182.192:6981
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 6981 -m comment --comment "!fw3: qBitTorrent" -j DNAT --to-destination 192.168.182.192:6981
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8194 -m comment --comment "!fw3: OpenVPN backup TCP" -j DNAT --to-destination 192.168.182.192:8194
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 8195 -m comment --comment "!fw3: OpenVPN backup UDP" -j DNAT --to-destination 192.168.182.192:8195
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8394 -m comment --comment "!fw3: OpenVPN TCP P0" -j DNAT --to-destination 192.168.182.10:8394
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 8295 -m comment --comment "!fw3: OpenVPN UDP P0" -j DNAT --to-destination 192.168.182.10:8295
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_lan_vpn_usa_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_vpn_usa_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_vpn_usa_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vpn_usa_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[187:17230] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[5:210] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
root@MenionRouter:~#

This is because on the router's LAN, 443 is taken by LuCI.

No hits on 443.

The appropriate command in this case would be REDIRECT, as you want to redirect the packet to the router itself, but on a different port.
Regarding the UDP port, you need a rule to open the port; the port forward is overkill.
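What those two suggestions look like in /etc/config/firewall, as an added example that is not from the thread or from the OpenWrt project. It assumes zone names lan and wan, the ports used above (external TCP 443 to local 8094; UDP 8095 served directly by the router), and that fw3 emits a REDIRECT target for a redirect section that has a dest_port but no dest_ip; anything else should be checked against the firewall documentation of the release in use.

```uci
# Added example (assumed fw3 behaviour): a redirect with no dest_ip is
# rendered as "-j REDIRECT --to-ports 8094", i.e. the router itself receives
# the packet on 8094 while LuCI keeps 443 on the LAN side.
config redirect
	option name 'OpenVPN TCP'
	option src 'wan'
	option src_dport '443'
	option proto 'tcp'
	option dest_port '8094'
	option target 'DNAT'

# The UDP server already listens on 8095 on the router, so there is nothing
# to translate: a plain traffic rule that accepts the port from the wan zone
# is enough (a DNAT rule here would only add a pointless reflection rule).
config rule
	option name 'OpenVPN UDP'
	option src 'wan'
	option proto 'udp'
	option dest_port '8095'
	option target 'ACCEPT'
```

After editing, apply with `/etc/init.d/firewall restart` and confirm the generated rules with `iptables-save | grep -E 'REDIRECT|8095'`; the TCP entry should show a REDIRECT target in zone_wan_prerouting and the UDP entry an ACCEPT in zone_wan_input, with no DNAT line for 8095.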

The TCP 443 problem is the same if I forward it to another server in my LAN.
I understand that the problem is that no connection is opened on 443; in fact the online port scan shows the port as filtered.

How come? I do not have any block rule in my firewall.

Packets never reach your router -> ISP block.
Verify with tcpdump -i XXX -n tcp port 443, where XXX is the physical WAN interface, e.g. eth0.2 or pppoe-wan.
Packet capture takes place before the firewall.

You were right

I needed to restart my ISP router, because switching the DMZ from the old router to the new one seems to have left something wrong in it.

Now it works, though not the UDP; but I think that is another kind of problem, because I see TLS errors.

Thanks


This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.