My issues are three fold:
For reference: the computers are all linux / ubuntu based.
I have a port forwarded on a wired connection and an external port check website shows that its open. However, when trying to use the program on the machine, it gets no incoming connections.
I have another port forwarded to a wireless connection, but an external port check website shows its always closed.
Does it make a difference that one is wired connection and the other wireless? I also have IPv6 shut off on the client machines, would that make some kind of difference too?
Why can't I get this port forwarding / redirection working? Seems it should be simple, and I've had it working in the past on other routers/firmware, but possibly without the IPv6 disabling on the client machines.
What specific details do you need? Screenshots?
The only reason I posted the info I did was to state how I checked for open ports. I'll delete the info if need be.
Update: there I edited it out
I have a hard time believing something this simple won't work.
So simple to add the port forwards via LuCI interface, but doesn't work.
With my apologies, this forum have been hit by a bunch of link spam of late.
Knowing some more details about how you forwarded the ports and how your network and firewall are configured would help. Your /etc/config/network and /etc/config/firewall, after removing any sensitive information, would let people "look" at what you've got and see if there is something obvious. You can post them using the </> button to get "code" formatting to make it a lot more readable.
If you don't already know how to use tcpdump, you might want to look at a man page for it. If you do, the tcpdump-mini package is enough for most purposes and can be installed on your router with opkg.
Assuming a mostly default configuration (bridged ethernet + wifi), neither IPv6 support on the client nor the whether it is connected wired or wirelessly should make any difference wrt. port forwards.
There are a few common pitfalls which tend to break port forwards:
you're behind a carrier grade NAT (no public IP on wan) and thus cannot actually forward ports
the host you're forwarding to is not using the OpenWrt/LEDE router as default gateway
you forwarded the port okay but there's no actual service listening on the destination machine to respond
you mistakingly set the "Source port" in LuCI which does not match the external port you want to forward but the remote port the connection originated from
root@LEDE:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option forward 'ACCEPT'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport 'xxxxx'
option dest_ip '192.168.1.172'
option dest_port 'xxxxx'
option name 'somename'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport 'xxxxx'
option dest_ip '192.168.1.140'
option dest_port 'xxxxx'
option name 'othername'
Does anything seem wrong?
Should src_dport be 'any' , or does that even accept that as an option in the config? I noticed in Luci that it looked it said "any" but in the config it is a port number or maybe I'm remembering wrong.
I should also note, that I have ufw (on client machines) allowing incoming on the respective port numbers.
I haven't disabled anything with IPv6 in the router. But on the client machines it is disabled.
So, maybe the router is trying to do things with IPv6 and its messing things up?
I re-checked my ufw settings and it shows the correct ports allowed.
Here is what it looks like in LuCI .. again the first rule shows the port open from an external site, but the second rule/port is always closed. Really strange.
I guess I should mention, what's even really more strange is it seems I remember having the same problem with the stock Linksys firmware - as far as incoming connections not working in the clients. BUT I don't think there was a problem with the second rule /port not showing open, like the problem I'm having in lede.
So maybe this is an issue with having disabled IPv6 in client machines.. should I try enabling it and see if it makes any difference?
I've never experienced an issue like this, till I bought this new router (1900ACSv2)
Could it be hardware related?
What has me thinking this is, when I first I got it.. it would frequently "lock up" and I thought maybe it was due to heat, because it was getting hot. So I put a laptop fan/cooler under it, and the lock ups completely stopped.. never had it happen again.
@arcoso - as long as we (the community here or the internet at large) don't know your public IP address or domain name, there is no security risk in allowing us to see the internal IP addresses and ports that you're working with, and it will make it much easier for us to help you resolve the issue if we have as complete information as possible.
Meanwhile, try removing the following line from your redirect rules:
Generally, the default configuration for the firewall zone settings is as follows:
General Settings: Input: Accept, Output: Accept, Forward: Reject.
LAN forwards to WAN, accept for all three.
WAN: no forwards (i.e. reject), Input: Reject, Output: Accept, Forward: Reject.
Yes, I would recommend changing your firewall to reflect the defaults as described.
Can you post your /etc/config/firewall file, please (again, should not be a security issue as long as we don't have your external address info, but look it over and sanitize as necessary).
Looks good to me. make sure you've got the firewall refreshed with the ruleset you've shown. To force this, you can reboot or just issue the following command:
/etc/init.d/firewall restart
Meanwhile, if it is still not working, check to make sure that the two hosts in question are accepting connections on those ports -- you can test this by connecting from within your LAN and using the LAN IP addresses directly (this way it doesn't depend on the router). If that works, try using your external IP or domain name. If that fails, the two most common reasons are 1) sometimes from within the LAN, connections will not work when using the external IP or domain name (many names for this: hairpin NAT, NAT reflection, etc.), but it will work from outside your network -- try connecting from outside your network. or 2) a local machine firewall (i.e. on the hosts 192.168.1.172 and .140) will not accept connections from other networks, despite the forwarding rules. So check local firewall rules on those hosts to be sure the external connections aren't being blocked.
