New port forwards aren't working

Years ago, I opened ports on my router for Nginx Reverse Proxy and Plex without any issue. Online port checkers show that these ports are open and everything has been fine. A couple months ago, I created a new zone for Tailscale by following these instructions. That service is working great and I haven't had any issues.

I mention Tailscale because that is the last major service change I made to my router. Since then, I cannot get a new port to open via port forwarding (whether it's related or not). I shared the screenshot of port 1025 but I've tried ports across the available range and none of them have worked. I've left a test port open and tested later in case of some strange caching issue.

Since this problem arose, I installed UPnP in OpenWRT, to no avail either. I've selected UPnP in qBittorrent and enabled the service in OpenWRT but neither talked to each other. I don't want to use UPnP and have it disabled, but I wanted to mention it for troubleshooting purposes.

I've racked my brain for months now, trying to figure out how to fix this. It should be as easy as adding the port in LuCI under Firewall > Port Forwarding, right? Let me know if there are specific logs that could help me identify the issue or if I've overlooked a setting.

I'm running OpenWrt 21.02.3 r16554-1d4dea6d4f on an old WRT1900AC.

I've checked and my external IP on the device matches what online tools show me.

I also grabbed my firewall config file and don't see any issues:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
 
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
 
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
 
config forwarding
	option src 'lan'
	option dest 'wan'
 
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
 
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
 
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
 
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
 
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
 
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
 
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
 
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
 
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
 
config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'
 
config include
	option path '/etc/firewall.user'
 
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'nginx'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.1.101'
	option dest_port '80'
 
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'ssl'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.1.101'
	option dest_port '443'
 
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Plex'
	option src 'wan'
	option src_dport '32400'
	option dest_ip '192.168.1.101'
	option dest_port '32400'
 
config zone
	option name 'tailscale'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'tailscale'
 
config forwarding
	option src 'tailscale'
	option dest 'lan'
 
config forwarding
	option src 'lan'
	option dest 'tailscale'
 
config forwarding
	option src 'tailscale'
	option dest 'wan'
 
config forwarding
	option src 'wan'
	option dest 'tailscale'
 
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'
 
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'bt'
	option src 'wan'
	option dest_ip '192.168.1.101'
	option src_dport '1025'
	option dest_port '1025'
 
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'bt2'
	option src 'wan'
	option src_dport '8675'
	option dest_ip '192.168.1.101'
	option dest_port '8675'
 
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'random'
	option src 'wan'
	option src_dport '12345'
	option dest_ip '192.168.1.101'
	option dest_port '12345'
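As an added illustration (not code from the thread or from OpenWrt): the check a reviewer makes on a UCI firewall file like the one above is mechanical, so here it is as a small parser that lists every DNAT redirect together with the conditions that make a forward silently do nothing (disabled, a zone that does not exist, no `src_dport`, a `dest_ip` outside the LAN). The embedded config is a constructed excerpt in the shape of the poster's file; the `broken` redirect and its values are invented to exercise the checks, and `LAN_SUBNET` is taken from the poster's network file.

```python
"""Added example: parse an OpenWrt UCI firewall file and lint its DNAT port
forwards. SAMPLE_FIREWALL is a constructed excerpt, not the poster's file."""
import ipaddress
import re

# From the poster's network file: the LAN is 192.168.1.0/24.
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")

SAMPLE_FIREWALL = """\
config zone
	option name 'lan'
	list network 'lan'

config zone
	option name 'wan'
	option masq '1'
	list network 'wan'
	list network 'wan6'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'bt'
	option src 'wan'
	option dest_ip '192.168.1.101'
	option src_dport '1025'
	option dest_port '1025'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'broken'
	option src 'wan'
	option dest_ip '10.0.0.5'
	option src_dport '8675'
	option enabled '0'
"""

# UCI line shapes: config <type> ['name'] | option <key> 'value' | list <key> 'value'
_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")


def parse_uci(text):
    """Return [(section_type, options)] in file order; 'list' keys collect into lists."""
    sections = []
    opts = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparsed UCI line: {line!r}")
        kind, key, value = m.groups()
        if kind == "config":
            opts = {}
            sections.append((key, opts))
        elif kind == "option":
            opts[key] = value
        else:
            opts.setdefault(key, []).append(value)
    return sections


def check_redirects(sections):
    """Return [(name, src_dport, dest_port, proto, [problems])] for each DNAT redirect."""
    zones = {o.get("name") for t, o in sections if t == "zone"}
    findings = []
    for t, o in sections:
        if t != "redirect" or o.get("target", "DNAT") != "DNAT":
            continue
        problems = []
        if o.get("enabled", "1") in ("0", "false", "no", "off"):
            problems.append("disabled")
        for zone_key in ("src", "dest"):
            if o.get(zone_key) not in zones:
                problems.append(f"{zone_key} zone {o.get(zone_key)!r} does not exist")
        if not o.get("src_dport"):
            problems.append("no src_dport, so nothing is matched")
        dest_ip = o.get("dest_ip")
        if not dest_ip:
            problems.append("no dest_ip")
        elif ipaddress.ip_address(dest_ip) not in LAN_SUBNET:
            problems.append(f"dest_ip {dest_ip} is outside {LAN_SUBNET}")
        # fw3 defaults: proto is tcp+udp, and the port is unchanged if dest_port is omitted.
        findings.append((o.get("name", "<unnamed>"), o.get("src_dport"),
                         o.get("dest_port") or o.get("src_dport"),
                         o.get("proto", "tcpudp"), problems))
    return findings


if __name__ == "__main__":
    for name, sport, dport, proto, problems in check_redirects(parse_uci(SAMPLE_FIREWALL)):
        print(f"{name:8} {proto:6} {sport} -> {dport}: {'; '.join(problems) or 'ok'}")
```

Run against the poster's full file, every redirect comes back `ok`, which is the useful negative result: the forwards are well-formed, so the reason they do not answer lies outside the firewall config (routing being the obvious candidate, as the replies go on to say).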

Openwrt 21.03.3 is EOL. Up to you to provide sufficient system info without perishable web links. After upgrading to current release.

What about your network file?

This means you altered routing in some form at that time also, correct?


If your default route is via Tailscale you have to use some form of Policy Based Routing (PBR) to route the traffic coming in via your WAN (the port forward) also out via the WAN and not via Tailscale.

Here's what my network file looks like:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd9f:8ff3:8bcb::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'wan'
	option macaddr '62:38:e0:db:a4:ad'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'tailscale'
	option proto 'none'
	option device 'tailscale0'

I'm not sure where the routing settings are stored but here's a look at the Zones settings:

Tailscale modifies the routing and firewall tables directly, so the OpenWrt config will not show entirely what is going on.

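The two replies above (PBR for WAN-originated traffic, and Tailscale changing the routing tables outside of UCI) come down to one check and one remedy. As an added example that is not from the thread or from either project: the script below models how the kernel picks a default route for an unmarked packet once Tailscale's policy rules are present, and prints the connmark-based PBR commands that send replies to port-forwarded connections back out the WAN. The `ip rule` and route-table outputs embedded in it are constructed samples in the shape Tailscale leaves on Linux (rules at priorities 5210 to 5270, table 52 holding `default dev tailscale0` when an exit node is in use); the WAN gateway `203.0.113.1` and the `wan`/`br-lan` device names are placeholders from the poster's config, not real values.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): which device does an unmarked packet's
# default route resolve to, and what PBR is needed so WAN-originated connections
# reply via the WAN. On the router, feed real output instead of the samples:
#   resolve_default "$(ip rule show)" "$(ip route show)" "$(ip route show table 52)"

# Constructed sample of `ip rule show` with Tailscale's usual rules present.
SAMPLE_RULES='0:	from all lookup local
5210:	from all fwmark 0x80000/0xff0000 lookup main
5230:	from all fwmark 0x80000/0xff0000 lookup default
5250:	from all fwmark 0x80000/0xff0000 unreachable
5270:	from all lookup 52
32766:	from all lookup main
32767:	from all lookup default'

# Constructed sample main table (gateway 203.0.113.1 is a placeholder).
SAMPLE_MAIN='default via 203.0.113.1 dev wan proto static src 203.0.113.25
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
203.0.113.0/24 dev wan proto kernel scope link src 203.0.113.25'

# Constructed sample of table 52 as it looks when a Tailscale exit node is in use.
SAMPLE_T52='default dev tailscale0
100.64.0.0/10 dev tailscale0'

# default_dev TABLE_TEXT -> device of the table's default route, or nothing.
default_dev() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# unmarked_lookup_tables RULE_TEXT -> tables an unmarked packet consults, in
# priority order (rules that select on a fwmark are skipped).
unmarked_lookup_tables() {
    printf '%s\n' "$1" | awk '/lookup/ && !/fwmark/ { print $NF }'
}

# resolve_default RULES MAIN T52 -> device used for an unmarked packet with no
# more specific route. Only tables main and 52 are modelled here.
resolve_default() {
    rules=$1; main=$2; t52=$3
    for t in $(unmarked_lookup_tables "$rules"); do
        case $t in
            main) dev=$(default_dev "$main") ;;
            52)   dev=$(default_dev "$t52") ;;
            *)    dev= ;;
        esac
        if [ -n "$dev" ]; then
            printf '%s\n' "$dev"
            return 0
        fi
    done
    return 1
}

# pbr_commands WAN_DEV WAN_GW -> the iptables/iproute2 commands (fw3-era OpenWrt)
# that mark connections arriving on the WAN and route their replies via table 100.
# Priority 100 wins over Tailscale's 5270; mark bit 0x1 is outside Tailscale's
# 0xff0000 mask. Printed for review, not executed.
pbr_commands() {
    wan_dev=$1; wan_gw=$2
    cat <<EOF
ip route add default via $wan_gw dev $wan_dev table 100
ip rule add pref 100 fwmark 0x1/0x1 table 100
iptables -t mangle -A PREROUTING -i $wan_dev -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x1/0x1
iptables -t mangle -A PREROUTING -i br-lan -j CONNMARK --restore-mark --nfmask 0x1 --ctmask 0x1
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark --nfmask 0x1 --ctmask 0x1
EOF
}

chosen=$(resolve_default "$SAMPLE_RULES" "$SAMPLE_MAIN" "$SAMPLE_T52")
if [ "$chosen" != "$(default_dev "$SAMPLE_MAIN")" ]; then
    echo "unmarked traffic defaults via $chosen, not the WAN; PBR needed:"
    pbr_commands wan 203.0.113.1
fi
```

The point of the model is the 5270 rule: it is consulted before `main`, so once table 52 carries a default route, the LAN host's replies to a port-forwarded connection leave through `tailscale0` and the remote client never sees them, even though the DNAT in the UCI file is correct. The printed rules keep the first packet's ingress interface in the conntrack mark and restore it on the reply path from `br-lan`, so the `fwmark` rule sends those replies to the WAN-only table. On OpenWrt 22.03 and later the firewall is nftables-based, so the three `iptables -t mangle` lines would be written as equivalent `nft` rules instead.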

I'd like to update OpenWRT on this router anyway, so it sounds like starting over fresh on the latest revision might be the best way forward? If Tailscale is causing this issue, I should look at moving it off of my router and onto a dedicated machine via Docker?

Docker is not a supported host environment for running OpenWrt. Full system virtualization like qemu-kvm/ virtualbox/ hyperv/ vmware would be, containerization (docker, lxc, lxd, etc.) is not. Aside from this, bare-metal installations are always 'easier' than virtualising your router (as you need direct hardware access, need to duplicate parts of the configuration to the hypervisor, etc. pp.).

Details and background information for either of the statements can be found via the forum search.