Not able to use port forwarding to a specific LAN IP

hello again
I'm trying to open a specific port on the firewall to allow traffic to a specific server in the LAN

I need SSH to be forwarded from the WAN to the LAN server IP,
and OpenVPN UDP 1194 from the WAN to go to a specific LAN server IP.

I have a bunch of rules in the firewall that I don't really understand;
however, the rule I created seems to be present but doesn't work.
When I try to connect from the WAN it doesn't allow a connection.

Here is the firewall file:

root@OpenWrt:/etc/config# cat firewall

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '1194'
        option name 'openVPN'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option name 'debVPN'
        option family 'ipv4'
        option proto 'udp'
        option dest 'lan'
        option dest_ip '192.168.1.102'
        option dest_port '1194'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config include
        option path '/etc/firewall.user'

config redirect
        option enabled '1'
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option src_dport '1194'
        option dest_ip '192.168.1.102'
        option dest_port '1194'
        option name 'openVPN'
        option proto 'udp'

config forwarding
        option dest 'lan'
        option src 'wan'

config forwarding
        option dest 'wan'
        option src 'lan'


Can anyone give some explanation of why all those rules are present,
and where or how I should configure this to work?

I am trying only with the VPN at present, but SSH would be nice as well.

Thank you in advance for your reply.

P

The debVPN rule is useless.
Also you should be careful with the wan->lan forwarding. Better turn it off if you don't know what you are doing.

Other than that your redirect configuration is correct.
Is this OpenWrt router directly connected to the internet, or is it behind some other router?
Is your ISP allowing incoming connections?
Is your ISP doing some Carrier Grade NAT? (Usually in mobile connections.)

Hi Trendy,
Yes, the router is directly connected to the internet and I have a fixed public IP.
The provider shouldn't be doing anything special;
at least before there was no issue with the old router.

I think I don't understand OpenWrt that much.

Any suggestions or explanation about the other rules?
I only added those two for 1194, trying to make this work.

Thanks
P

OK, then download and install tcpdump: opkg update ; opkg install tcpdump
Run tcpdump and capture the VPN packets: tcpdump -i any -vn udp port 1194
Try to connect, stop it with Ctrl-C and paste the output here.

The rule is useless, because the destination IP belongs to the private range of your LAN. A packet will arrive on your wan interface with your public IP as destination, then you need to redirect it to the server in the lan.
The forwarding is dangerous because it allows anyone from wan to initiate a connection to everything in the lan. Normally just lan->wan is fine. If you want to allow some flow from wan you can either create a rule or a redirect.
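The two points in the reply above (a rule with a LAN dest_ip that can never do the job of a redirect, and a blanket wan->lan forwarding) can be checked mechanically. The following is an added example, not code from the thread or from OpenWrt: a small Python linter that parses UCI firewall syntax, flags those two patterns and emits a hardened copy of the config with them removed while keeping the DNAT redirect. SAMPLE_CONFIG is a constructed excerpt of the posted file; the function names and the wording of the findings are the example's own.

```python
# Added example, not code from the thread: a small linter for an OpenWrt UCI
# /etc/config/firewall that flags the two issues raised above (an ACCEPT rule
# from wan whose dest_ip is a private LAN address, and a blanket wan->lan
# forwarding) and renders a hardened copy without them.
# SAMPLE_CONFIG is a constructed excerpt of the posted file.
import ipaddress
import re

SAMPLE_CONFIG = """\
config rule
        option target 'ACCEPT'
        option src 'wan'
        option name 'debVPN'
        option proto 'udp'
        option dest 'lan'
        option dest_ip '192.168.1.102'
        option dest_port '1194'

config redirect
        option enabled '1'
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option src_dport '1194'
        option dest_ip '192.168.1.102'
        option dest_port '1194'
        option name 'openVPN'
        option proto 'udp'

config forwarding
        option dest 'lan'
        option src 'wan'
"""

SECTION_RE = re.compile(r"^\s*config\s+(\w+)(?:\s+'?(\w+)'?)?\s*$")
OPTION_RE = re.compile(r"^\s*(option|list)\s+(\w+)\s+'([^']*)'\s*$")

def parse_uci(text):
    """Parse UCI text into [(section_type, {key: value-or-list}), ...]."""
    sections = []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = OPTION_RE.match(line)
        if m and sections:
            kind, key, val = m.groups()
            opts = sections[-1][1]
            if kind == "list":
                opts.setdefault(key, []).append(val)
            else:
                opts[key] = val
    return sections

def _is_private(addr):
    # True for RFC 1918 / ULA addresses; False for empty or unparsable values.
    try:
        return bool(addr) and ipaddress.ip_network(addr, strict=False).is_private
    except ValueError:
        return False

def classify(stype, o):
    """'wan_forward', 'private_rule' or None for one parsed section."""
    if stype == "forwarding" and o.get("src") == "wan" and o.get("dest") == "lan":
        return "wan_forward"
    if (stype == "rule" and o.get("src") == "wan" and o.get("target") == "ACCEPT"
            and _is_private(o.get("dest_ip"))):
        return "private_rule"
    return None

def lint_firewall(sections):
    """Human-readable findings for the flagged sections."""
    # DNAT targets already covered by a redirect (the redirect accepts the flow itself).
    redirects = {(o.get("dest_ip"), o.get("dest_port")) for s, o in sections
                 if s == "redirect" and o.get("target") == "DNAT"}
    findings = []
    for stype, o in sections:
        kind = classify(stype, o)
        if kind == "private_rule":
            covered = (o.get("dest_ip"), o.get("dest_port")) in redirects
            why = ("the redirect already accepts that flow" if covered else
                   "inbound packets carry the public IP, so it can only match after a DNAT redirect")
            findings.append(f"rule '{o.get('name')}' is useless: {why}")
        elif kind == "wan_forward":
            findings.append("forwarding wan->lan lets any wan host reach every lan host; drop it")
    return findings

def harden(sections):
    """Drop the flagged sections; the redirect and everything else stay."""
    return [(s, o) for s, o in sections if classify(s, o) is None]

def render_uci(sections):
    """Serialise back to UCI syntax, tab-indented like `uci export`."""
    out = []
    for stype, o in sections:
        out.append(f"config {stype}")
        for key, val in o.items():
            for item in (val if isinstance(val, list) else [val]):
                out.append(f"\t{'list' if isinstance(val, list) else 'option'} {key} '{item}'")
        out.append("")
    return "\n".join(out)
```

Running `lint_firewall(parse_uci(SAMPLE_CONFIG))` yields two findings, one for the debVPN rule and one for the wan->lan forwarding; `render_uci(harden(...))` prints only the redirect, which is the single section that actually implements the port forward. The check treats any RFC 1918 or ULA dest_ip as a LAN address, so it would also catch a rule that points at a different private subnet.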

Here is the tcpdump output

(removed IPs)

It seems the router sees it but is not passing it.
Maybe I should try running it on the end machine as well to see if it gets there, but from what I can see it doesn't seem to.

Thanks

Found the problem :expressionless:

My bad.
Since the new router, the IP address was changed from 192.168.1.1 to a different one;
however, I did not change the gateway on the server :roll_eyes:
When I tried to install tcpdump I noticed I had no internet on that server, so it wouldn't work.

So I take it I was spending time on the firewall when instead it was the server not responding :smile:

Thank you anyway for pointing me to the right route :wink:

P


I am glad you found it.
In fact, the router was passing it fine, as you can see here in these two examples:

148.252.***.***.47254 > 77.44.***.***.1194: UDP, length 54
148.252.***.***.47254 > 192.168.1.102.1194: UDP, length 54

The second one is after the DNAT.

If your problem is solved, feel free to mark the relevant post as the solution; and edit the title to add "[SOLVED]" to the beginning (click the pencil behind the topic).
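The two capture lines above show the same packet before and after DNAT, and what was missing from the poster's capture was the third leg, the server's reply. The following is an added example, not code from the thread: a Python helper that sorts the lines of a `tcpdump -i any -n udp port 1194` capture taken on the router into those three legs and names the first one that is absent, so the symptom "the router sees it but is not passing it" can be told apart from "the server never answers". The two captures are constructed in the address format the thread quotes; the IPs (203.0.113.10 client, 198.51.100.1 router WAN, 192.168.1.102 server) are documentation addresses, not the poster's.

```python
# Added example, not code from the thread: sorts a tcpdump capture taken on
# the router into the three legs of a forwarded UDP flow (packet arriving for
# the public IP, the same packet after DNAT, the server's reply) and reports
# the first leg that is missing. CAPTURE_* are constructed; the addresses are
# documentation IPs standing in for the masked ones in the thread.
import re

PKT_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length (\d+)")

# What the thread's capture looked like: inbound seen and DNAT applied, but no
# reply, because the server's default gateway still pointed at the old router.
CAPTURE_NO_REPLY = """\
203.0.113.10.47254 > 198.51.100.1.1194: UDP, length 54
203.0.113.10.47254 > 192.168.1.102.1194: UDP, length 54
203.0.113.10.47254 > 198.51.100.1.1194: UDP, length 54
203.0.113.10.47254 > 192.168.1.102.1194: UDP, length 54
"""

# A healthy exchange: the reply leaves the server and is un-DNATed on the way out.
CAPTURE_OK = """\
203.0.113.10.47254 > 198.51.100.1.1194: UDP, length 54
203.0.113.10.47254 > 192.168.1.102.1194: UDP, length 54
192.168.1.102.1194 > 203.0.113.10.47254: UDP, length 66
198.51.100.1.1194 > 203.0.113.10.47254: UDP, length 66
"""

def parse_capture(text):
    """Return (src_ip, src_port, dst_ip, dst_port, length) per UDP line.
    Lines without an address pair (the extra header line tcpdump -v prints)
    are skipped, so -vn output can be fed in unchanged. IPv4 only."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            s, sp, d, dp, ln = m.groups()
            pkts.append((s, int(sp), d, int(dp), int(ln)))
    return pkts

def diagnose(text, public_ip, lan_ip, port=1194):
    """Count the three legs of the forwarded flow and name the first missing one."""
    pkts = parse_capture(text)
    inbound = sum(1 for s, sp, d, dp, _ in pkts if d == public_ip and dp == port)
    dnat = sum(1 for s, sp, d, dp, _ in pkts if d == lan_ip and dp == port)
    reply = sum(1 for s, sp, d, dp, _ in pkts if s == lan_ip and sp == port)
    if not inbound:
        verdict = "no packets for the public IP: upstream problem (ISP filtering, CGNAT or wrong WAN address)"
    elif not dnat:
        verdict = "packets arrive but are not rewritten: check the redirect section"
    elif not reply:
        verdict = "DNAT works but the server never answers: check its default gateway and that the service listens"
    else:
        verdict = "flow works end to end"
    return {"inbound": inbound, "dnat": dnat, "reply": reply, "verdict": verdict}
```

`diagnose(CAPTURE_NO_REPLY, "198.51.100.1", "192.168.1.102")` reports inbound and DNAT packets but zero replies, which is the thread's situation: the firewall was doing its job and the server, with a stale gateway, could not route its answer back. Capturing with `-i any` matters here, because the pre-DNAT copy is seen on the WAN interface and the post-DNAT copy on the LAN interface.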


Thank you Trendy :slight_smile:
