No exposure from ports from wan to lan


perhaps someone can help me.
This installation of openwrt (23.05.2) makes me crazy. First it started that tailscaled not started because of missing rules. I tried and installed a lot for example the iptables-nft package after days of struggeling with that i finally got it to work dont ask me how. Anyways i started to do my usually settings and so on. Someday i tried the luci-app-pbr because i have a Wireguard VPN Client Setting active and i wanted to make some ports reachable on my regular isp's IP.
So i ended up on external websites with port scanner because nothing worked i couldnt connect to the pppoe-wan connection with public ip ( isp ) just to recognize that my whole docker zone was reachable from outside ( what really not was my intention ) and no port forwarding from wan to lan worked even without VPN and pbr. I use OpenWrt for years now and usually know the basics like port forwarding but i am really out of ideas right now.
I really wish that switch to nft from iptables wouldnt have been done, nothing works anymore.

Someone have an Idea where to start to search the failure ? Or should i completley reinstall !?

At this point, resetting to defaults -and changing the passwords for all these services (VMs) that were exposed to the outside, including router password and WPA PSKs- would be advisable. Take this as an opportunity to upgrade to 25.03.3 without keeping settings.

Based on the default setup, start up simple, with small and easy steps.

  • (new/ good) router password
  • wireless settings
  • try to use uci firewall rules -sparingly- wherever possible, avoid just installing (iptables-) package and setting rules without fully understanding them
  • feel free to ask before doing policy changes, based on the default setup.

The advice above (changing passwords, reinstalling OpenWrt without retaining settings) is about risk mitigation, as it's hard (impossible) for us to confirm if potential attackers abused your situation, so it's better to be safe than sorry and to consider anything that was exposed to the outside and (potentially) compromised.

EDIT: saving a configuration backup tarball for a post-mortem would be useful, but for a new setup it's much easier to start from a minimal/ known good state, than trying to find all the warts in an existing known-bad configuration, especially as you need minimal services now and can (hopefully) take it a bit slower this time to add potentially more difficult services.


Thank you for your answer, i will do that.

If you're planning to use mwan3 or anything else which hasn't been migrated to nft, I'd also suggest you stay on 22.03, even if this stay may be short-lived.

For example, AFAIK, the mwan3 works fine together with pbr on 22.03, whereas I haven't heard of anyone succeeding in using it with pbr on 23.05.

If tailscaled is in the same boat as mwan3, you may also face difficulties getting it to work with pbr.

Given complexity of your setup, I'd look into creating your own image (starting with 22.03 if you have packages which depend on iptables) with all your customizations packaged into a uci-defaults script. That way, if you're trying a newer release in the future and things don't work quite right, you can quickly roll back to the working configuration.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.