OpenWRT suddenly stopped forwarding ports

It seems as though today OpenWrt has just stopped port forwarding. A reboot did not fix the problem. No configuration has been changed.
I think this has been an intermittent issue for a while, but a reboot has always solved it. Today I have rebooted twice, to no avail.
Begging for help here. I have a lot of things that don't work, and I have NO IDEA how or what to do to troubleshoot this.

Check whether your WAN address has suddenly changed to a CGNAT address (100.64.x.x ...).


Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

And `ifstatus wan`, taking care to remove the last two numbers from all IP addresses.

{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "ASUS TUF-AX4200",
        "board_name": "asus,tuf-ax4200",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd01:7247:8f8b::/48'

config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'

config device
option name 'lan1'
option macaddr

config device
option name 'lan2'
option macaddr

config device
option name 'lan3'
option macaddr

config device
option name 'lan4'
option macaddr

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '10.1.1.5'
option netmask '255.255.128.0'
option delegate '0'
list dns '10.1.4.10'
list dns '10.1.4.11'

config device
option name 'eth1'
option macaddr

config interface 'wan'
option device 'eth1'
option proto 'pppoe'
option username 'redacted'
option password 'redacted'
option ipv6 'auto'

config interface 'wireguard'
option proto 'wireguard'
option private_key
list addresses '10.192.1.6/24'

config wireguard_wireguard
option description 'openwrt.conf'
option public_key
option preshared_key gfhghf
list allowed_ips '192.168.1.0/24'
list allowed_ips '10.192.1.0/24'
option endpoint_host ''
option endpoint_port '51820'
option route_allowed_ips '1'

config interface 'Guest'
option proto 'static'
option ipaddr '192.168.60.1'
option netmask '255.255.255.0'
list dns '1.1.1.1'

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option channel '10'
        option band '2g'
        option htmode 'HT40'
        option cell_density '0'
        option txpower '16'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '<redacted>-n'
        option encryption 'sae-mixed'
        option key <redacted>

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option channel 'auto'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid <redacted>Guest'
        option encryption 'sae-mixed'
        option network 'Guest'
        option key <redacted>

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid <redacted>5G-N1'
        option encryption 'psk2'
        option key <redacted>
        option network 'lan'


config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '513'
        option limit '254'
        option leasetime '12h'
        option dhcpv4 'server'
        list dhcp_option '6,10.1.4.10'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

(Many static IP host entries have been removed here to make this shorter)

config dhcp 'Guest'
        option interface 'Guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,1.1.1.1'

config host
        option name 'SLZB-06P7'
        option ip '10.1.2.218'
        option mac '<redacted>'

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wireguard'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Zabbix Forward'
        option src 'wan'
        option src_dport '10050-10051'
        option dest_ip '10.1.4.1'
        option dest_port '10050-10051'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Wierguard'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '10.1.4.10'
        option dest_port '51820'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'nginx80'
        option src 'wan'
        option src_dport '80'
        option dest_ip '10.1.4.1'
        option dest_port '80'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'nginx443'
        option src 'wan'
        option src_dport '443'

OK, got the idea: your forward rules are correct; please check the network prefixes on WAN.

And now the port forwarding has started working again. (It MAY have been that my DuckDNS record was not up to date after a reboot: with a PPPoE login, the IP address changes on reboot. That doesn't explain why it keeps failing, though.)

Please explain what "please check network prefixes on wan" means.

The first two numbers of the IP addresses in

ifstatus pppoe-wan

Maybe you are behind NAT now.

Interface pppoe-wan not found.
I may end up replying a bit more slowly now, as it's not so much of an emergency. But I would still like to find out why this is happening (if it is possible to figure that out while the issue isn't occurring). And thank you for replying so quickly.

ifstatus wan
ifstatus eth0.2
ifstatus eth1.2

WAN IP address as shown in LuCI.

This would explain why it fails. So you use DDNS. Does your Public IP address change often?


No. Not that I know of. What I suspect happened is:

  1. The router stopped port forwarding.
  2. I rebooted the router. As a result the IP address changed.
  3. When the router came back online, for some reason DuckDNS didn't update quickly enough, so I was connecting to an address that was routed to the wrong IP.
    Still doesn't explain why #1 happened. It may be the IP address changed, and thats the first thing I will check when it happens again.
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 17479,
        "l3_device": "pppoe-wan",
        "proto": "pppoe",
        "device": "eth1",
        "updated": [
                "addresses",
                "routes"
        ],
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [
                {
                        "address": "<Redacted, matches IP in web interface>",
                        "mask": 32 (Matches),
                        "ptpaddress": "<redacted, cause I dunno if this one should be posted publicly>"
                }
        ],
        "ipv6-address": [

        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "0.0.0.0",
                        "mask": 0,
                        "nexthop": "<redacted, cause I dunno if this one should be posted publicly>",
                        "source": "0.0.0.0/0"
                }
        ],
        "dns-server": [
                "<redacted, cause I dunno if this one should be posted publicly>",
                "<redacted, cause I dunno if this one should be posted publicly>"
        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {

        }
}

Neither of those 2 interfaces are found.

Don't redact the whole address, only the last two numbers. If the first number of the address is 10 or 100 (or sometimes 192 or 178), your ISP has placed CGNAT on the line and you won't be able to accept incoming connections. Your "what's my IP" test and the DDNS record will show some other address.

This is probably not the problem since the service came back. It can take 30 minutes or so for an IP change to move through the DNS system.

The shared address range, as described at https://datatracker.ietf.org/doc/html/rfc6598 , is 100.64.0.0/10, so any address between 100.64.0.0-100.127.255.255.
There is little security/privacy risk in sharing them; they are not global addresses and are re-used in different CGNAT nodes.

Note that some ISPs assign private addresses https://datatracker.ietf.org/doc/html/rfc1918 for CGNAT (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), or if you are under a double NAT setup.


Should I laugh or should I cry? The first two numbers of each IP were asked for.

Ah, I didn't realize the two comments were related, or exactly what you meant by the first 2 numbers.
142.51
I just didn't fully understand. But no, I am not connected through CGNAT. That I knew. Didn't know exactly what it was called, but it is a direct connection to the net.

Are you sure?

And since that IP wasn't yours anymore, the Port Forwarding wouldn't work until DNS updated, agreed?

In what other scenario do you lose it?


Yes, just assign interface weights and no balance rules