Need help to make port forwarding working

Hello,

I'm new to OpenWRT and I'm trying to access a Proxmox server behind an OpenWRT router using port forwarding. However, I haven't been able to get it working.

Here is my setup:

The Proxmox web UI is served at the address 10.0.0.1:8006.

The OpenWRT router’s WAN interface (192.168.1.21) is connected to my ISP router.

Both the OpenWRT router and the laptop from which I am trying to access the Proxmox web UI are connected to my ISP LAN (192.168.1.0/24).

Here is my configuration:

image742×529 85.4 KB

The Proxmox server (10.0.0.1:8006) is pingable from the OpenWRT router, and I can access the web UI from another computer connected to the same LAN.

Thank you in advance for your help, let me know if you'd like any other adjustments!

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Check this - enter rules manually in conf file, 1000 ways to mis-click in luci OpenWrt & Nextiva Voip - #13 by brada4
You need only one redirect/dnat rule not to "this device" but clear the field so as to "any device"

Hello, thank you for your help !

Here are the informations you asked :

ubus call system board

{
        "kernel": "6.6.110",
        "hostname": "Routeur",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Netgear R6800",
        "board_name": "netgear,r6800",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.4",
                "revision": "r28959-29397011cc",
                "target": "ramips/mt7621",
                "description": "OpenWrt 24.10.4 r28959-29397011cc",
                "builddate": "1760891865"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda1:392b:9cd1::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.0.254'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.21'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config device
        option name 'wan'
        option ipv6 '0'

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piofolder '/tmp/odhcpd-piofolder'

cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option name 'WAN Allow HTTPS'
        list proto 'tcp'
        option dest_port '443'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option name 'WAN Allow SSH'
        list proto 'tcp'
        option dest_port '22'
        option target 'ACCEPT'

config redirect
        option name 'Proxmox HTTP'
        option src 'wan'
        option src_dport '8006'
        option dest 'lan'
        option dest_ip '10.0.0.1'
        option dest_port '8006'
        option proto 'tcp'

config rule
        option src 'wan'
        option dest '*'
        option name 'promox'
        list proto 'tcp'
        option src_port '8006'
        list dest_ip '10.0.0.1'
        option dest_port '8006'
        option target 'ACCEPT'

I did'nt manage to find how to get rid of the "this device" from the Lucy UI. This is the config that is currently running for port forwarding on my router :

image637×590 21 KB

Masquerade is not set on the wan zone. (The default is for it to be set). Since you haven't mentioned anything about symmetric routing you need it to be set, as port forwarding (redirect) is only meaningful in the context of NAT (masquerade.)

Also, remove the option gateway setting from the lan Interface.

In addition, you can remove this rule as it is redundant:

An ACCEPT FORWARD rule is added automatically when a port forwarding rule is made

I set masquerading in the WAN zone :

image984×836 29.7 KB

I also removed the gateway option from LAN interface.

It is still not working : I got a timeout trying to access https://192.168.1.21:8006

Thank you, I deleted this rule

Please post the result of nft list chain inet fw4 dstnat_wan

nft list chain inet fw4 dstnat_wan
table inet fw4 {
        chain dstnat_wan {
                meta nfproto ipv4 tcp dport 8006 counter packets 10 bytes 520 dnat ip to 10.0.0.1:8006 comment "!fw4: Proxmox HTTP"
        }
}

Cool. 10 connections were bent towards internal webserver.

Yes but the server responses are stuck somewere, do you know how I could find how to troubleshoot this ?

From the link to other thread I posted

config redirect                                 
        option target 'DNAT'           
        option src 'wan'               
        option src_dport '8006'        
        option dest_ip '10.0.0.1' # hope this is not routers own LAN IP
        option family 'ipv4'
        option proto 'tcp'
        option enabled '0'    

I think 'target DNAT' is required for forward { status dnat accept rule

I tried the following config, but still can't access to theserver behind the openwrt router

image461×308 3.97 KB

And I got this error :

/etc/init.d/firewall reload
Section @redirect[0] (Proxmox HTTP) does not specify a destination, assuming 'lan'

No warning for me :-S
We can not help you at all as long as you open SSH to wan for all internet to guess passwords.

Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.

Please edit your post accordingly. Thank you!

This is the WAN interface of the openwrt router that is on the LAN of my ISP router, there is no access to it from internet.

I'll try tomorrow with config you sent :

config redirect                                 
        option target 'DNAT'           
        option src 'wan'               
        option src_dport '8006'        
        option dest_ip '10.0.0.1' # hope this is not routers own LAN IP
        option family 'ipv4'
        option proto 'tcp'
        option enabled '0'    

You have to let port in from that first. Not OpenWrt's problem.

Hello brada4,

Thank you for your answers, and sorry if I didn't explained well enough what I want to do.

I just want to access services behind the openwrt router from the my home router LAN, not over internet.

My home router ip is 192.168.1.1 (network:192.168.1.0/24)
The openwrt router is connected to the home router through it's WAN interface (ip:192.168.1.21)
The proxmox server (ip:10.0.0.1) is connected to a LAN of the openwrt router (network 10.0.0.0/24)

With what I have set up : is it possible to access proxmox server webui, from another computer connected to my home router's LAN ? (192.168.1.0/24)

Can you do wget -O /dev/null http://10.0.0.1:8006/ from the OpenWrt router itself?