Pointer needed to fix this redirect port forwarding

Thanks for this forum to help me troubleshoot my new install of OpenWrt, but my port forwarding for SSH is not working. Previous posts helped me get port 80 and 443 redirected. This redirect is one of many I need help to get working, and I've included only one that I need help with.

TP-Link TL-WR1043N/ND v2
OpenWrt 18.06.2 r7676-cddd7b4c77 / LuCI openwrt-18.06 branch
Zoom 5341j cable modem. Not acting as a router.
I have not enabled wireless yet so as to reduce the variables in this install.

My goal is to mimic my port forwarding in factory software of this TP-Link to accept an arbitrary port and then redirect it to a LAN client.

I can ssh to this client from any other client inside this LAN which suggests that this client has the SSH daemon running.

Starting from advice found in [SOLVED] Port forwarding not working
I can provide this info.

/etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config redirect
        option name 'ssh colorful'
        option src 'wan'
        option proto 'tcpudp'
        option src_port '8521'
        option dest_port '22'
        option dest_ip '192.168.1.105'
        option target 'DNAT'
        option dest 'lan'
        option family 'ipv4'

I have moved the redirects near the top of this file.

I have added this in /etc/firewall.user

iptables -N Trace
iptables -N LOG_Trace

iptables -I INPUT -p tcp --dport 8521 -m conntrack --ctstate NEW -j Trace

iptables -A Trace -p tcp --dport 8521 -j LOG_Trace

iptables -A LOG_Trace -p tcp --dport 8521 -j LOG --log-prefix "<[[--- Trace 8521 --]]> : " --log-l

Output of /etc/init.d/firewall restart && logread -f

 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Redirect 'http traffic'
   * Redirect 'https traffic'
   * Redirect 'ssh colorful'
   * Redirect 'ssh rocky'
   * Redirect 'ssh happenstances'
   * Redirect 'rsyslog happenstances'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 nat table
   * Redirect 'ssh colorful'
   * Redirect 'http traffic'
   * Redirect 'https traffic'
   * Redirect 'ssh rocky'
   * Redirect 'ssh happenstances'
   * Redirect 'rsyslog happenstances'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
Mon Apr  8 12:33:15 2019 kern.warn kernel: [ 2314.592670] <[[--- Trace 8521 --]]> : IN=br-wan OUT= MAC=e8:de:27:b3:65:6f:00:01:5c:a5:a6:46:08:00 SRC=outsideserverIP DST=ComcastIPaddy LEN=60 TOS=0x00 PREC=0x20 TTL=55 ID=13015 DF PROTO=TCP SPT=40572 DPT=8521 WINDOW=14600 RES=0x00 SYN URGP=0

This appears to show that this port is being blocked by OpenWrt?

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd45:eb64:df5b::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option type 'bridge'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 6t'

The output of tcpdump -vv -ni eth0 tcp port 8521

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:31:01.306787 IP (tos 0x20, ttl 55, id 17808, offset 0, flags [DF], proto TCP (6), length 60)
    outsideserverIP.36558 > ComcastIPaddy.8521: Flags [S], cksum 0x6e23 (correct), seq 2381972926, win 14600, options [mss 1460,sackOK,TS val 1328365614 ecr 0,nop,wscale 9], length 0

The Zones in luci Firewall - Zone settings show
General Settings: Input: Accept, Output: Accept, Forward: Reject.
LAN forwards to WAN, accept for all three.
WAN: no forwards (i.e. reject), Input: Reject, Output: Accept, Forward: Reject.

iptables -L -vn; iptables -t nat -L -vn; iptables -t mangle -L -vn
reveals this output:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    60 Trace      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8521 ctstate NEW
15831 1262K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
11628 1245K input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom input rule chain */
 8062  933K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
  826 49860 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 /* !fw3 */
 3299  297K zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  267 15712 zone_wan_input  all  --  br-wan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_input  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 594K  546M forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom forwarding rule chain */
 590K  546M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
 4547  283K zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
   25  7963 zone_wan_forward  all  --  br-wan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_forward  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
15831 1262K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 9897 1405K output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom output rule chain */
 8221 1281K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
   16  4968 zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 1660  119K zone_wan_output  all  --  *      br-wan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_output  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain LOG_Trace (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    60 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8521 LOG flags 0 level 4 prefix "<[[--- Trace 8521 --]]> : "

Chain Trace (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    60 LOG_Trace  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8521

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain reject (5 references)
 pkts bytes target     prot opt in     out     source               destination         
  267 15712 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  826 49860 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_dest_ACCEPT (4 references)
 pkts bytes target     prot opt in     out     source               destination         
   16  4968 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 4547  283K forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan forwarding rule chain */
 4547  283K zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone lan to wan forwarding policy */
    1    64 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 3299  297K input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan input rule chain */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
 3299  297K zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   16  4968 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan output rule chain */
   16  4968 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 3299  297K ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  436 22252 DROP       all  --  *      br-wan  0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3: Prevent NAT leakage */
 5770  380K ACCEPT     all  --  *      br-wan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 DROP       all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3: Prevent NAT leakage */
    0     0 ACCEPT     all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      br-wan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 reject     all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_forward (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   25  7963 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan forwarding rule chain */
    0     0 zone_lan_dest_ACCEPT  esp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IPSec-ESP */
    0     0 zone_lan_dest_ACCEPT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500 /* !fw3: Allow-ISAKMP */
   25  7963 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_input (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  267 15712 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan input rule chain */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 /* !fw3: Allow-DHCP-Renew */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* !fw3: Allow-Ping */
    0     0 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IGMP */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
  267 15712 zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_output (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 1660  119K output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan output rule chain */
 1660  119K zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  267 15712 reject     all  --  br-wan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 reject     all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain PREROUTING (policy ACCEPT 5343 packets, 619K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 5358  621K prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom prerouting rule chain */
 5197  609K zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  161 12030 zone_wan_prerouting  all  --  br-wan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_prerouting  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain INPUT (policy ACCEPT 2760 packets, 230K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 2128 packets, 156K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 489 packets, 38513 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 3556  246K postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom postrouting rule chain */
   27  5241 zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 3066  207K zone_wan_postrouting  all  --  *      br-wan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_postrouting  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   27  5241 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan postrouting rule chain */
    1    64 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.150        tcp dpt:80 /* !fw3: http traffic (reflection) */ to:192.168.1.1
    0     0 SNAT       udp  --  *      *       192.168.1.0/24       192.168.1.150        udp dpt:80 /* !fw3: http traffic (reflection) */ to:192.168.1.1
    0     0 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.150        tcp dpt:443 /* !fw3: https traffic (reflection) */ to:192.168.1.1
    0     0 SNAT       udp  --  *      *       192.168.1.0/24       192.168.1.150        udp dpt:443 /* !fw3: https traffic (reflection) */ to:192.168.1.1
    0     0 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.105        tcp dpt:22 /* !fw3: ssh colorful (reflection) */ to:192.168.1.1
    0     0 SNAT       udp  --  *      *       192.168.1.0/24       192.168.1.105        udp dpt:22 /* !fw3: ssh colorful (reflection) */ to:192.168.1.1
    0     0 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.150        tcp dpt:22 /* !fw3: ssh rocky (reflection) */ to:192.168.1.1
    0     0 SNAT       udp  --  *      *       192.168.1.0/24       192.168.1.150        udp dpt:22 /* !fw3: ssh rocky (reflection) */ to:192.168.1.1
    0     0 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.103        tcp dpt:22 /* !fw3: ssh happenstances (reflection) */ to:192.168.1.1
    0     0 SNAT       udp  --  *      *       192.168.1.0/24       192.168.1.103        udp dpt:22 /* !fw3: ssh happenstances (reflection) */ to:192.168.1.1
    0     0 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.103        tcp dpt:8086 /* !fw3: rsyslog happenstances (reflection) */ to:192.168.1.1
    0     0 SNAT       udp  --  *      *       192.168.1.0/24       192.168.1.103        udp dpt:8086 /* !fw3: rsyslog happenstances (reflection) */ to:192.168.1.1

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 5197  609K prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan prerouting rule chain */
    1    64 DNAT       tcp  --  *      *       192.168.1.0/24       ComcastIP        tcp dpt:80 /* !fw3: http traffic (reflection) */ to:192.168.1.150:80
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       ComcastIP        udp dpt:80 /* !fw3: http traffic (reflection) */ to:192.168.1.150:80
    0     0 DNAT       tcp  --  *      *       192.168.1.0/24       ComcastIP        tcp dpt:443 /* !fw3: https traffic (reflection) */ to:192.168.1.150:443
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       ComcastIP        udp dpt:443 /* !fw3: https traffic (reflection) */ to:192.168.1.150:443
    0     0 DNAT       tcp  --  *      *       192.168.1.0/24       ComcastIP        /* !fw3: ssh colorful (reflection) */ to:192.168.1.105:22
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       ComcastIP        /* !fw3: ssh colorful (reflection) */ to:192.168.1.105:22
    0     0 DNAT       tcp  --  *      *       192.168.1.0/24       ComcastIP        tcp dpt:8520 /* !fw3: ssh rocky (reflection) */ to:192.168.1.150:22
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       ComcastIP        udp dpt:8520 /* !fw3: ssh rocky (reflection) */ to:192.168.1.150:22
    0     0 DNAT       tcp  --  *      *       192.168.1.0/24       ComcastIP        tcp dpt:8523 /* !fw3: ssh happenstances (reflection) */ to:192.168.1.103:22
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       ComcastIP        udp dpt:8523 /* !fw3: ssh happenstances (reflection) */ to:192.168.1.103:22
    0     0 DNAT       tcp  --  *      *       192.168.1.0/24       ComcastIP        tcp dpt:8086 /* !fw3: rsyslog happenstances (reflection) */ to:192.168.1.103:8086
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       ComcastIP        udp dpt:8086 /* !fw3: rsyslog happenstances (reflection) */ to:192.168.1.103:8086

Chain zone_wan_postrouting (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 3066  207K postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan postrouting rule chain */
 3066  207K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_prerouting (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  161 12030 prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan prerouting rule chain */
   12   688 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* !fw3: http traffic */ to:192.168.1.150:80
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:80 /* !fw3: http traffic */ to:192.168.1.150:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* !fw3: https traffic */ to:192.168.1.150:443
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:443 /* !fw3: https traffic */ to:192.168.1.150:443
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:8521 /* !fw3: ssh colorful */ to:192.168.1.105:22
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:8521 /* !fw3: ssh colorful */ to:192.168.1.105:22
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8520 /* !fw3: ssh rocky */ to:192.168.1.150:22
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:8520 /* !fw3: ssh rocky */ to:192.168.1.150:22
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8523 /* !fw3: ssh happenstances */ to:192.168.1.103:22
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:8523 /* !fw3: ssh happenstances */ to:192.168.1.103:22
    2   833 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8086 /* !fw3: rsyslog happenstances */ to:192.168.1.103:8086
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:8086 /* !fw3: rsyslog happenstances */ to:192.168.1.103:8086

Chain PREROUTING (policy ACCEPT 623K packets, 549M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 27518 packets, 2511K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 594K packets, 546M bytes)
 pkts bytes target     prot opt in     out     source               destination         
 3821  237K TCPMSS     tcp  --  *      br-wan  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU
    0     0 TCPMSS     tcp  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 25788 packets, 2693K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 620K packets, 549M bytes)
 pkts bytes target     prot opt in     out     source               destination        

The firewall is working, but I'm not understanding what I'm overlooking. I hope for pointers as to what I should do next.

thx, sam

If those other redirects work correctly, then most likely the issue is in the destination host firewall or routing.
If you can't fix it, then you should work around it with an OpenWrt firewall SNAT rule.

These redirects do not work.

Searching for "OpenWrt firewall SNAT rule"

provides this link

https://openwrt.org/docs/guide-user/firewall/firewall_configuration#snat

that suggests SNAT isn’t documented?

Is SNAT the same as Source NAT?

Happy to be pointed to how this could work, sam452

Change to option src_dport
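As an added example (not from the thread or from OpenWrt itself), a small Python lint for the mix-up behind that answer: fw3 turns `src_port` into a source-port match (`spt:` in the nat dump above) and `src_dport` into a destination-port match (`dpt:`), so a DNAT redirect written with `src_port` never matches an inbound connection to port 8521 and the SYN falls through to INPUT, where the wan zone rejects it. The sample config and nat dump lines are constructed to mirror the post.

```python
"""Lint an OpenWrt /etc/config/firewall for the src_port / src_dport mix-up.

fw3 translates 'src_port' into a *source* port match (iptables spt:) and
'src_dport' into a *destination* port match (dpt:).  A DNAT redirect meant to
catch inbound connections to a WAN port therefore needs src_dport; with
src_port it only matches packets whose client-side ephemeral port happens to
equal that number, so the packet is never DNATed and lands in INPUT instead.
"""
import re

# Constructed sample modelled on the stanzas in the post (not the poster's file).
SAMPLE_CONFIG = """
config defaults
        option input 'ACCEPT'
        option forward 'REJECT'

config redirect
        option name 'ssh colorful'
        option src 'wan'
        option proto 'tcpudp'
        option src_port '8521'
        option dest_port '22'
        option dest_ip '192.168.1.105'
        option target 'DNAT'
        option dest 'lan'

config redirect
        option name 'ssh rocky'
        option src 'wan'
        option proto 'tcp'
        option src_dport '8520'
        option dest_port '22'
        option dest_ip '192.168.1.150'
        option target 'DNAT'
        option dest 'lan'
"""


def parse_uci(text):
    """Return a list of (section_type, {option: value}) from UCI-style text."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 2)
        if parts[0] == 'config' and len(parts) >= 2:
            sections.append((parts[1], {}))
        elif parts[0] == 'option' and sections and len(parts) == 3:
            sections[-1][1][parts[1]] = parts[2].strip("'\"")
    return sections


def lint_redirects(text):
    """Return one finding per DNAT redirect that uses src_port instead of src_dport."""
    findings = []
    for stype, opts in parse_uci(text):
        # fw3 defaults a redirect's target to DNAT when the option is absent.
        if stype != 'redirect' or opts.get('target', 'DNAT').upper() != 'DNAT':
            continue
        if 'src_port' in opts and 'src_dport' not in opts:
            findings.append(
                f"{opts.get('name', '<unnamed>')}: src_port {opts['src_port']} "
                f"matches the client's source port (iptables spt:); use src_dport "
                f"to match the port clients connect to")
    return findings


# Constructed lines in the format of 'iptables -t nat -L zone_wan_prerouting -vn'.
SAMPLE_NAT_DUMP = """\
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:8521 /* !fw3: ssh colorful */ to:192.168.1.105:22
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8520 /* !fw3: ssh rocky */ to:192.168.1.150:22
"""

# A DNAT rule whose only port match is a source port is almost certainly a typo.
DNAT_SPT = re.compile(r'\bDNAT\b.*\b(tcp|udp) spt:(\d+).*?/\* !fw3: (.*?) \*/')


def suspicious_dnat_rules(dump):
    """Return (rule name, port) for DNAT rules in the dump that match spt: only."""
    return [(m.group(3), int(m.group(2)))
            for m in map(DNAT_SPT.search, dump.splitlines()) if m]
```

Running the second check over the real `iptables -t nat -L -vn` output is the quickest way to spot this class of mistake on a live router: every working redirect in the post shows `dpt:`, and only the broken one shows `spt:`.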
