NAT not working

Hello,

I'm trying to connect to a Raspberry from the internet but port forwarding doesn't work. I tried with this:

I don't think I made a mistake. I'm a beginner, can you help me?

Thanks !

Let's start with the following:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
ifstatus wan | grep address

For the last command, only share the first two octets (the aaa.bbb part of aaa.bbb.ccc.ddd).

Good evening,
here is what I get:

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.162",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Xiaomi Redmi Router AC2100",
        "board_name": "xiaomi,redmi-router-ac2100",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb3:ee03:0bcc::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'Tom-Net 2.4 GHz'
        option encryption 'psk2'
        option key '********'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'Tom-Net 5 GHz'
        option encryption 'psk2'
        option key '**********'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option src 'wan'
        option src_dport '2222'
        option dest_ip '192.168.1.78'
        option dest_port '22'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.1.78'
        option dest_port '80'

root@OpenWrt:~# ifstatus wan | grep address
        "ipv4-address": [
                        "address": "10.247.***.**",
        "ipv6-address": [
                "ipv4-address": [
                "ipv6-address": [

This is your problem... you're behind NAT. This may be another router in your home, or it may be at the ISP. But you do not have a publicly routable IP address, which means that you cannot get connections from the internet inbound on your wan.


I have the ISP router that I put in "bridge" mode

And I did a DDNS

In that case, there are two explanations for what is happening:

  1. The "bridge mode" isn't truly bridging -- it is still performing NAT masquerading/routing. If the ISP router has a public IP on its WAN and it is passing you an RFC1918 address, that means you may be able to setup port forwarding in the ISP router (pointing to the OpenWrt router).

or

  2. The ISP is not providing a public IPv4 address to you, in which case no settings on either router will fix that.

This is useful when you have a public IP, but has no impact now. That's because the DDNS will always report a public IP, but it may not be the IP address on your wan. Specifically, when a carrier/ISP provides (CG-)NAT addresses, they have routers (like yours, but much bigger) that have a public IP address on their wan that is shared with many subscribers (just like how nominally a home router has a single IPv4 address on its wan that is shared with the dozens of devices on the lan). The IP address the DDNS reports is your 'apparent' public IP address, not necessarily the actual address on your wan.

Can you remove your ISP router, or is it a modem+router combo unit that is required for cable/dsl/cellular/fiber connectivity?

You probably need to ask your ISP if you can get a public IPv4 address.

  • It may be an apparent IP address but it changes several times a day, that's why I thought it was a dynamic IP address.
  • My ISP router is a modem+router combo unit, I can't remove it :unamused:

A bunch to unpack...

Dynamic IP addresses on a network device usually refers to DHCP (Dynamic Host Configuration Protocol). This is a method of automatically configuring the network interface by means of a DHCP server upstream and the network device in question being configured as a DHCP client. The frequency of the actual IP address changes may be high for some services or low or even (effectively) never for others. It depends on how the upstream network is configured at both a technical and policy level.

DDNS (Dynamic DNS) is a means of mapping a domain name (mysite.com) to an IP address. It doesn't necessarily mean that the IP address will be changing, but these services have a small client app that runs on a router or other computer that will poll for your external IP address and report that back to a server which maintains databases of these domain names and the IP addresses to which they map.

CG-NAT (Carrier Grade Network Address Translation) is how many providers run IPv4 networks when they do not have enough public IPv4 addresses to serve all their subscribers. Basically, they have a set of public IP addresses, and they share them across a larger number of customers. You can think of it like a single street address for an office or apartment building -- that is the public and shared address that the world can see, but there are many offices/apartments within that have addresses that are 'internal' to the building and wouldn't make any sense to the people on the street looking at the building's external address.

It sounds like there is a pool of public IP addresses that is used for a CG-NAT situation from the ISP, and that is likely why your apparent address is changing frequently.

In that case, contact your ISP and ask them:

  1. Does your ISP modem+router support true bridge mode (i.e. pass the ISP issued IP address directly to the next device downstream), and if so, how do you make sure it is active?
  2. Does your ISP modem+router have a public IPv4 address on its wan, or is it behind NAT/CG-NAT?
  3. If you are behind NAT/CG-NAT, can you get a public IPv4 address? Sometimes this may involve extra costs ("yes, you can do that, but it'll be +$x on your bill"), other times they'll say "sure, no problem", or they might just say "no, that's not a service we offer".

ok, thank you for your responses, I will contact my ISP

Check if a "whats my IP" site reports the same IP that your router holds as "IPv4 Upstream" on OpenWrt's main status page. These must match for incoming connections to be possible. If they don't match, that means there is NAT somewhere between your router and the Internet.
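The check described in this reply, and the CG-NAT explanation earlier in the thread, as an added example that is not code from the thread or from OpenWrt: a POSIX sh script for the router that classifies the wan address (RFC 1918 private, RFC 6598 CG-NAT, or public) and compares it with the apparent address. The IP echo URL and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): classify the address OpenWrt holds on wan and
# compare it with the address the Internet sees. Inbound port forwards can only
# work when wan holds a public address that matches the apparent one.

# Classify a dotted-quad IPv4 address: private (RFC 1918), cgnat (RFC 6598,
# 100.64.0.0/10), loopback, linklocal, public, or invalid. Pure sh, no external tools.
ip_class() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|'') echo invalid; return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    if [ $# -ne 4 ] || [ "$1" -gt 255 ] || [ "$2" -gt 255 ] \
       || [ "$3" -gt 255 ] || [ "$4" -gt 255 ]; then
        echo invalid; return 1
    fi
    a=$1; b=$2
    if [ "$a" -eq 10 ] || { [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; } \
       || { [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; }; then echo private
    elif [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then echo cgnat
    elif [ "$a" -eq 127 ]; then echo loopback
    elif [ "$a" -eq 169 ] && [ "$b" -eq 254 ]; then echo linklocal
    else echo public
    fi
}

# "ok" only when wan is public and equals the apparent address; anything else means
# NAT sits upstream (ISP router or CG-NAT) and forwards on this router cannot be reached.
nat_verdict() {
    cls=$(ip_class "$1") || { echo "invalid wan address"; return 1; }
    if [ "$cls" != public ]; then echo "upstream-nat ($cls wan address)"; return 1; fi
    if [ "$1" != "$2" ]; then echo "upstream-nat (wan != apparent)"; return 1; fi
    echo ok
}

# Live check on the router: wan address from ifstatus (as in the thread), apparent
# address from a plain-text IP echo service (URL is an assumption; https fetching
# with OpenWrt's wget needs a libustream-* package installed).
live_check() {
    wan=$(ifstatus wan | sed -n 's/.*"address": "\([0-9.]*\)".*/\1/p' | head -n 1)
    apparent=$(wget -qO- "${IP_ECHO_URL:-https://ifconfig.me/ip}")
    echo "wan=$wan apparent=$apparent"
    nat_verdict "$wan" "$apparent"
}

# "sh nat_check.sh live" runs on the router; otherwise a constructed sample mirroring
# the thread (10.247.x.x on wan, a different address seen from outside) is checked.
if [ "${1:-}" = live ]; then live_check
else nat_verdict 10.247.1.2 203.0.113.9 || :; fi   # non-zero status = problem found
```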

Hello, I checked, my "IPv4 Upstream" is different from my IP on the Internet, it is the same as the address mentioned above.

Yes, that address is already behind NAT (it is an RFC1918 address). So the earlier discussion about contacting your ISP is your next step.


I had to fight with my ISP but they finally changed my CGN IP to a public IP. Now NAT works. :star_struck: :champagne:

Thank you very much for your help

Great to hear, and glad you were successful with the ISP.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:
