Logging Port Forwarding

Hello,

I'm quite new to OpenWrt so I hope my question will be clear :slight_smile:

I'm working with OpenWrt 23.05.2 (r23630-842932a63d) and I set up a port forwarding rule but it doesn't seem to work... So I would like to log the connection attempt but I don't know how to do it...

I tried to add a nftables rule but I don't know where the logs are... I couldn't find any information on the internet... Here is the result I get with nft list ruleset

table inet fw4 {
	chain input {
		type filter hook input priority filter; policy drop;
		iifname "lo" accept comment "!fw4: Accept traffic from loopback"
		ct state established,related accept comment "!fw4: Allow inbound established and related flows"
		tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
		iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
		iifname { "wan", "pppoe-wan" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
		jump handle_reject
		tcp dport 8123 ct state new log prefix "New Home Assistant connection: "
	}
        ...
}

The relevant line here is obviously the last one ^^ I found that command here

I'm open to any advice :smile:

Any logged entries will show up in logread.

I just tested the nftables log prefix myself using cake-qos-simple like so:

chain store-dscp-in-conntrack {
        ct mark set ip dscp or 128 log prefix "Try this: "
        ct mark set ip6 dscp or 128
}

and the associated logging works for me - see this logread snippet:

Tue Apr  9 15:42:01 2024 kern.warn kernel: [279178.808735] Try this: IN=br-lan OUT=wan MAC=xxx SRC=xxx DST=xxx LEN=611 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=60908 DPT=443 WINDOW=4096 RES=0x00 ACK PSH URGP=0

Be careful about this feature since there is potential for some serious logread spam! I think this feature is mostly used for temporary debugging to check things are working properly (albeit there may also be some uses when permanently enabled logging is desired).
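Added example (not from any post in this thread): a small POSIX shell helper that takes logread output on stdin and reduces the nftables log lines carrying a given prefix to "source -> destination:port/protocol", which is what you actually want to read when checking whether a forward is being hit. The sample log lines are constructed in the shape of the logread snippet above, using the OP's "New Home Assistant connection: " prefix and RFC 5737 / RFC 1918 example addresses; they are not a real capture. Note that a log rule placed on a redirect (option log in /etc/config/firewall, as suggested later in the thread) is what makes forwarded packets show up; a rule in chain input only sees traffic addressed to the router itself.

```shell
#!/bin/sh
# Constructed sample of logread output (not a real capture). Two lines carry the
# fw4 log prefix, one unrelated line does not.
SAMPLE_LOG='Tue Apr  9 15:42:01 2024 kern.warn kernel: [279178.808735] New Home Assistant connection: IN=wan OUT=br-lan MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=8123 WINDOW=65535 RES=0x00 SYN URGP=0
Tue Apr  9 15:42:03 2024 kern.warn kernel: [279180.100000] New Home Assistant connection: IN=wan OUT=br-lan MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=40001 DPT=8123 WINDOW=65535 RES=0x00 SYN URGP=0
Tue Apr  9 15:42:05 2024 daemon.info dnsmasq[1234]: some unrelated line'

# fw_log_summary PREFIX
# Reads logread output on stdin, keeps only lines containing PREFIX, and prints
# one "SRC -> DST:DPT/PROTO" line per packet by scanning the KEY=VALUE fields
# the kernel nf_log module writes.
fw_log_summary() {
    prefix=$1
    awk -v p="$prefix" '
        index($0, p) == 0 { next }          # not one of our log lines
        {
            src = dst = dpt = proto = "?"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
            }
            print src " -> " dst ":" dpt "/" proto
        }'
}

# fw_log_top_sources PREFIX
# Same input, but counts hits per source address (most frequent first), which is
# the quick way to spot one peer hammering a forwarded port.
fw_log_top_sources() {
    fw_log_summary "$1" | awk '{ c[$1]++ } END { for (s in c) print c[s], s }' | sort -rn
}

# Stand-alone run over the constructed sample; on a router you would instead do:
#   logread | fw_log_summary "New Home Assistant connection: "
printf '%s\n' "$SAMPLE_LOG" | fw_log_summary "New Home Assistant connection: "
```

On a live router, `logread -f | fw_log_summary "<prefix>"` gives the same view as new packets arrive, and keeping the prefix specific to one rule avoids mixing it with other log rules.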

I would use tcpdump to try and see the packets as they arrive on WAN and leave on LAN.

You can add option log 'Test log prefix' to your redirect rule in /etc/config/firewall to enable the logging of that rule with that log prefix (or any other helpful prefix).

What's the rule you set up? What is the expected outcome?

I set up this port forwarding (and two others similar)

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Synology'
	option src 'wan'
	list src_mac 'ff:ff:ff:ff:ff:ff'
	option src_dport '5000'
	option dest_ip '192.168.1.50'
	option dest_port '5000'

I get an ERR_EMPTY_RESPONSE from the browser

edit: the expected outcome is to have remote access to my synology

I will try this! Thanks

Thanks! That's where I was looking, but couldn't see anything...
I suppose my port forwarding rule isn't working :frowning_face:

Try again after removing this:

Save and Apply and reboot

The nft rule is under chain dstnat_wan. This is my WG server rule; you can see the packet counter indicating it works

    chain dstnat_wan {
            meta nfproto ipv4 udp dport 51830 counter packets 364 bytes 60664 dnat ip to 192.168.0.6:51830 comment "!fw4: WG-server6"

Edit: a port forward rule is a DNAT rule and a FORWARD rule (allowing the corresponding traffic); in the nft ruleset this is done with:

        chain forward_wan {
                /* REDACTED */
                ct status dnat accept comment "!fw4: Accept port forwards"
                jump reject_to_wan
        }

Hello!

Removing the list src_mac solved the connection problem, thanks!
But I added the mac address to restrict the connection to some devices... So how do I achieve that? :sweat_smile:

The port forward is already only allowed to go to 192.168.1.50.

If you want to restrict access from the internet then you cannot do that by mac address but only by ip address.

The alternative solution is to setup a VPN server on the router and connect remotely via a VPN client to get access to the LAN.

I meant to restrict the connection FROM some devices not TO... Sorry
I wanted to use only my phone to be able to connect and not every device.

We are talking about layer 3 traffic so that cannot work with MAC address.
It can work with ip address, but you are probably not using your phone from a fixed address so not possible.

Note I do not know what you are port forwarding to, but consider setting up WireGuard to connect to your home which could be the safer option
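Added example (not from any post in this thread, and not an fw4 validator): a POSIX shell lint that reads /etc/config/firewall text on stdin and flags every redirect whose src zone is wan and which also carries a src_mac match. As the replies above explain, traffic arriving from the internet is routed layer 3 traffic, so the source MAC seen by the router is never the remote device's and such a rule silently never matches. The broken configuration is the OP's Synology redirect as posted; the fixed variant drops the src_mac line and adds option log with a prefix, as suggested earlier in the thread, so the forward can be watched in logread. Both configurations are embedded here as constructed sample input.

```shell
#!/bin/sh
# The OP's redirect as posted (src_mac present), plus a second redirect without it.
# Constructed sample input; addresses are the thread's own values.
FW_CONFIG_BROKEN="config redirect
    option dest 'lan'
    option target 'DNAT'
    option name 'Synology'
    option src 'wan'
    list src_mac 'ff:ff:ff:ff:ff:ff'
    option src_dport '5000'
    option dest_ip '192.168.1.50'
    option dest_port '5000'

config redirect
    option dest 'lan'
    option target 'DNAT'
    option name 'Other'
    option src 'wan'
    option src_dport '5001'
    option dest_ip '192.168.1.51'
    option dest_port '5001'
"

# Corrected redirect: no layer-2 match, and a log prefix so hits show up in logread.
FW_CONFIG_FIXED="config redirect
    option dest 'lan'
    option target 'DNAT'
    option name 'Synology'
    option src 'wan'
    option src_dport '5000'
    option dest_ip '192.168.1.50'
    option dest_port '5000'
    option log 'Synology forward: '
"

# fw_lint_redirects
# Reads UCI firewall config on stdin. Walks each 'config <type>' section,
# remembers its name, src zone and whether a src_mac line appeared, and prints
# one finding per redirect that combines src 'wan' with src_mac.
# Only those three keys are inspected; everything else is passed over.
fw_lint_redirects() {
    awk '
        function flush() {
            if (type == "redirect" && src == "wan" && has_mac)
                print "redirect \"" name "\": src_mac cannot match traffic arriving from zone wan; remove it"
            type = ""; name = ""; src = ""; has_mac = 0
        }
        $1 == "config" { flush(); type = $2; next }
        $1 == "option" || $1 == "list" {
            key = $2; val = $3
            gsub(/\047/, "", val)            # strip the single quotes around the value
            if (key == "name") name = val
            else if (key == "src") src = val
            else if (key == "src_mac") has_mac = 1
        }
        END { flush() }'
}

# Stand-alone run over the constructed samples; on a router you would instead do:
#   fw_lint_redirects < /etc/config/firewall
printf '%s\n' "$FW_CONFIG_BROKEN" | fw_lint_redirects
printf '%s\n' "$FW_CONFIG_FIXED" | fw_lint_redirects
```

The lint is deliberately narrow: it does not parse named sections (config redirect 'name') or anything beyond the three keys it needs, and it is a sanity check to run before Save and Apply, not a replacement for reading nft list ruleset afterwards.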

Thanks! I will try WireGuard :slight_smile:
