Masquerading all output ports except 80,443

I had added a "lanp" interface isolated from the main "lan" in order to block its output to the net, and the devices that are connected to this interface will be forced to go through the Tinyproxy (installed in the router). It works well maybe a little slowdown at the DNS level.
Today, I have my son that his computer passes through this interface, he asks me to open several ports so that he can play minetest, minecraft, OBS Youtube…

To avoid adding several rules in Firewall, I decided to authorize all ports in MASQ except 80 and 443.

here's the firewall config:

config zone
        option name 'lanp'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'lanp'
        option forward 'ACCEPT'

config nat
        option name 'Out from Proxy'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'
        option src 'wan'
        option src_ip ''
        option dest_port '!80-443'
        option target 'MASQUERADE'

but, is not working for gaming and OBS....
is need forwarding rules ?
any help from you would be much appreciated.

Hardware: ASUS RT-AX53U
OpenWrt 22.03.3 r20028-43d71ad93e

In order to set this, your son's gaming device(s) will need to bypass said proxy you setup. You cannot simply tell the router to somehow forward packets "around" as you seem to be attempting.

Once that device uses normal internet connectivity, you can setup rules as you desire - but your son may find it works again after you take him off the proxy.

This stanza seem completely incorrect, even for a normal port forward.

This section is a valid "nat" rule definition, it will translate into the following nftables masquerade rules:

ip saddr tcp dport != 80-443 counter masquerade comment "!fw4: Out from Proxy"
ip saddr udp dport != 80-443 counter masquerade comment "!fw4: Out from Proxy"
meta l4proto icmp ip saddr counter masquerade comment "!fw4: Out from Proxy"

Whether it semantically makes sense in a wider context is another matter, but it is a valid firewall configuration section.

I never said it was invalid as not to produce a rule in nft. It just won't open some port for a gaming device on a LAN, with a WAN SRC network; but internal IP as SRC - thats using a proxy.

Your remark

made it sound so.

Because of the OPs desire:

Unless there's something about NAT I'm missing?

The OP will need to make a vaild rule to open the ports for his son's device, after he removes it from the proxy.

:bulb: Or set this up thru the proxy itself.

Without knowing your tinyproxy setup in detail I would say a proper solution would entail two things:

  1. change the rule that forcibly redirects forwarded traffic to tinyproxy to exempt the ip/port combination you want to whitelist
  2. add one or more port forwards from src zone wan towards dest zone lanp where you redirect the desired ports
1 Like

here some logs

09:41:41.553133 ARP, Request who-has tell, length 28
09:41:42.381350 ARP, Request who-has tell, length 28
09:41:42.381591 ARP, Reply is-at c8:7f:54:af:xx:xx, length 28
09:41:42.385127 IP > 12883+ A? (38)
09:41:42.385425 IP > 9052+ AAAA? (38)
09:41:42.395371 IP > 12883 2/0/0 CNAME, A (82)
09:41:42.396322 IP > 9052 2/0/0 CNAME, AAAA 2a00:7c80:0:1e8::f (94)
09:41:42.478205 IP > Flags [S], seq 1791469177, win 64240, options [mss 1460,sackOK,TS val 3759803530 ecr 0,nop,wscale 7], length 0
09:41:42.478593 IP > Flags [R.], seq 0, ack 1791469178, win 0, length 0
09:41:43.397997 IP > 0*- [0q] 4/0/0 (Cache flush) PTR Device.local., (Cache flush) A,

What are the logs showing?

How will they help us assist you with your son's gaming device?

Does he need to reach that DST IP?

If so, see @jow's suggestion:

This log is for accessing main server list of minetest on port 80, should passe trough proxy.
But the problem is not in this log. sorry

I assume you mean these are the DST IPs of your son's gaming server?


:spiral_notepad: I'm sure it's more than port 80, but start with creating the rule for port 80, you can add more later.


The same suggestion applies for the correct IPs and ports.

Otherwise, an alternative:


tinyproxy port is 8888, minecraft reach internet trough proxy but not game server port 25565

09:55:01.679975 IP > igmp v3 report, 1 group record(s)
09:55:03.922194 IP > 37910+ SRV? (48)
09:55:03.922976 IP > 37910 NXDomain 0/0/0 (48)
09:55:03.936477 IP > Flags [S], seq 1504213918, win 64240, options [mss 1460,sackOK,TS val 320075855 ecr 0,nop,wscale 7], length 0
09:55:03.936799 IP > Flags [R.], seq 0, ack 1504213919, win 0, length 0
09:55:04.750597 IP > Flags [F.], seq 3178235148, ack 1574920881, win 2003, options [nop,nop,TS val 203763869 ecr 1430035834], length 0
09:55:04.796070 IP > Flags [.], ack 1, win 501, options [nop,nop,TS val 1430101606 ecr 203763869], length 0
09:55:06.124099 IP > igmp v3 report, 1 group record(s)
09:55:06.336348 IP > igmp v3 report, 1 group record(s)
09:55:11.088982 IP > 56207+ SRV? (48)
09:55:11.089705 IP > 56207 NXDomain 0/0/0 (48)
09:55:11.093408 IP > Flags [S], seq 1181500727, win 64240, options [mss 1460,sackOK,TS val 320083012 ecr 0,nop,wscale 7], length 0
09:55:11.093724 IP > Flags [R.], seq 0, ack 1181500728, win 0, length 0

I need to allow all ports except 80, 443

  • I would simply remove his device from the proxy and then block it from accessing 80 and 443
  • Since you haven't explained to us how clients use the proxy, it's difficult for us to explain in detail how to configure bypassing it

his (Debian) computer is configured to use the proxy

  • So when when he needs to game, turn proxy off. :person_shrugging:
  • Setup rules as needed
  • Block 80 and 443

I don't have to give him permission for that

can you give me an example please

Ummm haven't explained anything that says you prevted you son from simply bypassing the proxy by turning it off. You haven't even explained why the peope on this second LAN use the proxy.

I assume they could simply disable it.

To forward all ports except 80 and 443 to your son's gaming device?

Yes, please :slightly_smiling_face:

  • rule blocking 80 and 443 SRC port in wan to <sons_ip> in lanp


  • forward all from wan to <sons_ip> in lanp

:warning: this usually isn't needed btw and is unsafe

If you need full UCI syntax, please let me know.

:spiral_notepad: you may need to use sons_mac instead of IP to encompass IPv6 too.