Jellyfin portforwarding

[0:0] -A zone_lan_postrouting -s 192.168.0.0/24 -d 192.168.0.124/32 -p tcp -m tcp --dport 8096 -m comment --comment "!fw3: Jellyfin (reflection)" -j SNAT --to-source 192.168.0.2
[0:0] -A zone_lan_postrouting -s 192.168.0.0/24 -d 192.168.0.124/32 -p udp -m udp --dport 8096 -m comment --comment "!fw3: Jellyfin (reflection)" -j SNAT --to-source 192.168.0.2
[0:0] -A zone_lan_prerouting -s 192.168.0.0/24 -d 10.112.101.23/32 -p tcp -m tcp --dport 8096 -m comment --comment "!fw3: Jellyfin (reflection)" -j DNAT --to-destination 192.168.0.124:8096
[0:0] -A zone_lan_prerouting -s 192.168.0.0/24 -d 10.112.101.23/32 -p udp -m udp --dport 8096 -m comment --comment "!fw3: Jellyfin (reflection)" -j DNAT --to-destination 192.168.0.124:8096
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8096 -m comment --comment "!fw3: Jellyfin" -j DNAT --to-destination 192.168.0.124:8096
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 8096 -m comment --comment "!fw3: Jellyfin" -j DNAT --to-destination 192.168.0.124:8096

All hits are 0, so no packet reached the firewall.

That is not what I asked...


I have plugged the Raspberry directly into the LAN port at home, bypassing both powerline devices, and the IP is still the same, 10.112.101.23/25, even though my public IP starts with 185... when I check it with the `curl ifconfig.me` command.

If you don't have any control on the ISP lan port, then you cannot do much. Most likely you are behind CGNAT and you can only discuss it with your ISP, if they can offer you a public IP.


What about setting up VPN, would that help? I have IPVanish on my phone

It would, if you have a VPS or some other server with public IP on the internet and you can use it as a VPN server.


I have DigitalOcean account

Then you can try to setup a tunnel to your VPS in Digital Ocean and use the VPS public IP for your services which will be forwarded to the RPi. You won't need port forward on RPi anymore like this.


I will try it, but I am a bit worried about the message I get: "Insufficient permissions to read UCI configuration".

Where did that come from?


**


**


The powerline devices should act as a long ethernet cable, and change nothing.


I think I have a bug in my installation. Port forwarding works on my old Mikrotik router with default settings, same for Archer C6 V2. The only time it doesn't work is when I use Raspberry Pi4 as my router.

So, if your old ‘Tik router works and your C6 does not, check the IP address reported on the WAN of each device. If you have RFC1918 addresses in both cases, your upstream device (modem/modem-router combo) is likely the issue. You may need to change settings on the upstream unit (port forwarding or DMZ, or DHCP reservation) to make the forwarding work properly.

Mikrotik and Archer works, all 3 - Mikrotik, Archer, Raspberry report the same RFC1918 address.
This is my firewall setup now

That's my portforwarding setup

Also my bridge settings

Why do you have eth0 and eth1 bridged?

Please copy the output of the following commands and post it here using the "Preformatted text </>" button.
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Just from those screenshots, I can see that you have a bunch of things messed up. You may find it faster to reset to defaults and then setup the port forwards from there.

Here it is. Should only eth0 be bridged? That's my LAN connection

# Loopback interface: static 127.0.0.1 with netmask 255.0.0.0.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# IPv6 unique local address (ULA) prefix used by this router.
config globals 'globals'
        option ula_prefix 'fd6b:7561:0c9a::/48'

# Bridge device 'br-lan' with eth0 as its only listed port.
config device
        option name 'br-lan'
        option type 'bridge'
        option acceptlocal '1'
        option bridge_empty '1'
        list ports 'eth0'

# LAN interface: static address 192.168.0.2/24.
# NOTE(review): this interface attaches to eth0 directly and also sets
# type 'bridge', while the 'br-lan' device above already lists eth0 as a
# port. Presumably only one of the two is meant to carry the LAN -- confirm.
config interface 'lan'
        option device 'eth0'
        option proto 'static'
        option ipaddr '192.168.0.2'
        option netmask '255.255.255.0'
        option type 'bridge'

# WAN interface: DHCP client on eth1.
# peerdns '0' with an explicit 'list dns' entry means the resolver used is
# 192.168.0.172, an address inside the LAN subnet configured above.
# NOTE(review): type 'bridge' is set on wan with a single device (eth1);
# confirm a bridge is actually wanted on the upstream-facing interface.
config interface 'wan'
        option proto 'dhcp'
        option device 'eth1'
        option peerdns '0'
        list dns '192.168.0.172'
        option hostname '*'
        option type 'bridge'
        option delegate '0'

# Overrides the MAC address presented on eth1.
# NOTE(review): the hardware address is shown unredacted here; mask it
# before sharing a configuration publicly.
config device
        option name 'eth1'
        option macaddr 'B8:69:F4:B0:69:DE'


# Global firewall defaults: input, output and forward are all ACCEPT, so
# traffic that matches no zone or rule is allowed rather than rejected.
# NOTE(review): forward 'ACCEPT' as a global default removes the fallback
# that would otherwise stop unmatched forwarded traffic; a REJECT or DROP
# default is the safer baseline -- confirm this is intentional.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

# LAN zone: accepts input, output and forward; covers network 'lan'.
# NOTE(review): masq '1' turns on masquerading for the lan zone as well as
# for wan below; presumably only the wan side needs it -- confirm.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'lan'

# WAN zone: covers network 'wan', with masquerading (masq) and mtu_fix on.
# NOTE(review): input 'ACCEPT' exposes whatever services listen on the
# router itself to the upstream network, and forward 'ACCEPT' lets traffic
# arriving on wan be forwarded onward. With these policies the per-service
# ACCEPT rules for src 'wan' add no restriction. Setting both to REJECT and
# opening only the required ports is the conservative arrangement.
config zone
        option name 'wan'
        option output 'ACCEPT'
        option mtu_fix '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'wan'

# Per-service rules for traffic entering from the wan zone. Each one
# narrows by protocol, port, ICMP type or address family as listed.
# NOTE(review): these only act as an allow-list when the wan zone's input
# and forward policies are restrictive; check the zone policies alongside
# these rules.

# Accept IPv4 UDP to port 68 from wan (DHCP client replies).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Accept IPv4 ICMP echo-request from wan.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept IPv4 IGMP from wan.
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept IPv6 UDP to port 546 from wan, limited to the fc00::/6 source and
# destination ranges given below.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept the listed ICMPv6 types (130-132, 143) from link-local sources.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept the listed ICMPv6 types addressed to the router, rate-limited to
# 1000 packets per second.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept the listed ICMPv6 types forwarded from wan to any zone (dest '*'),
# rate-limited to 1000 packets per second.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept ESP forwarded from wan to lan.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

# Accept UDP port 500 forwarded from wan to lan.
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# REJECT rule for IPv4 UDP ports 33434-33689 from wan; currently disabled
# (enabled '0'), so it has no effect.
config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

# Includes the custom rules file /etc/firewall.user, with reload '1' set.
# NOTE(review): the contents of that file are not shown here; review it
# together with this configuration.
config include
        option path '/etc/firewall.user'
        option reload '1'

# Allows forwarding from the wan zone into the lan zone.
# NOTE(review): this permits wan-originated traffic to be forwarded to lan
# hosts in general, not only to the port-forward targets below. Port
# forwards are expressed by the 'redirect' sections and do not need a
# blanket wan -> lan forwarding; consider removing it.
config forwarding
        option src 'wan'
        option dest 'lan'

# Allows forwarding from the lan zone out to the wan zone.
config forwarding
        option src 'lan'
        option dest 'wan'

# DNAT redirect named 'Jellyfin' towards 192.168.0.124.
# NOTE(review): no src_dport or dest_port is set and proto is 'all', so the
# redirect is not limited to the Jellyfin port. As written it presumably
# sends all inbound wan traffic to 192.168.0.124, exposing every service on
# that host. Restrict it to the intended port and protocol (the Jellyfin
# rules listed elsewhere in this thread match TCP/UDP port 8096).
config redirect
        option target 'DNAT'
        option name 'Jellyfin'
        option src 'wan'
        option dest 'lan'
        option dest_ip '192.168.0.124'
        list proto 'all'

# Traffic rule named 'Jellyfin': ACCEPT from wan to lan.
# NOTE(review): with proto 'all' and no dest_ip or dest_port, this accepts
# any wan -> lan traffic rather than only Jellyfin. Scope it with dest_ip
# and dest_port, or remove it if the redirect already covers the service.
config rule
        option name 'Jellyfin'
        option src 'wan'
        option dest 'lan'
        option target 'ACCEPT'
        list proto 'all'

config redirect
        option target 'DNAT'
        option name 'Plex'
        option src 'wan'
        option src_dport '32400'
        option dest 'lan'
        option dest_ip '192.168.0.124'
        option dest_port '32400'