Port forward does not work

Not sure what's wrong or anything else I need to configure? DMZ works, but port forward doesn't work.

You don't need to hide your internal network addresses (RFC1918 network addresses are not considered 'sensitive' or unique).

How are you testing the port forwarding? Have you verified that you have a service listening for incoming connections on the host (whose IP you have obfuscated) on each of the forwarded ports? You can verify that the services are responding by attempting a local connection (i.e. from another host on your network > 192.168.x.y:port).

Also, have you verified that you have a public IP address?

Do you mean this? It's by default.

[image: firewall03]

The servers are all good in local. I have a public IP address. DMZ port forward configuration works, but the others don't work.

I never mentioned masquerading at all.

When I asked how you are testing your configuration -- that was referring to the idea of testing on your own network or using a network at another location (or cellular) so that you are properly exercising the WAN? And are you testing with a port probing tool or are you testing with practical service connections?

I tested in both LAN and WAN, cellular. It looks like the port is not listening.

Let's take a look at your config files:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd36:c104:9cda::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.10.6'
        list dns '9.9.9.9'
        list dns '8.8.8.8'
        option delegate '0'

config interface 'wan'
        option device 'eth1'
        option proto 'static'
        option ipaddr '10.0.100.20'
        option netmask '255.255.255.0'
        option gateway '10.0.100.1'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config device
        option name 'eth1'
        option ipv6 '0'

config device
        option name 'eth0'
        option ipv6 '0'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option src 'wan'
        option src_port '8888'
        option dest_port '8888'
        option target 'ACCEPT'
        option name 'TCP UDP forward'
        list dest_ip '192.168.10.14'
        option dest '*'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'AI'
        option src 'wan'
        option src_dport '6655'
        option dest_ip '192.168.10.240'
        option dest_port '6655'
        list proto 'tcp'
        list proto 'udp'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'NextCloud'
        option src 'wan'
        option src_dport '8888'
        option dest_ip '192.168.10.14'
        option dest_port '8888'
        list proto 'tcp'
        list proto 'udp'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'test'
        option src 'wan'
        option dest_ip '192.168.10.14'
        option src_dport '12321'
        option dest_port '12321'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'DMZ'
        option src 'wan'
        option dest_ip '192.168.10.12'
        list proto 'all'

I have an ISP router DMZ to the OpenWrt WAN.

Which specific port forwarding rules are you testing?

Have you made 100% certain that the upstream router is configured properly to DMZ to the OpenWrt router?

I double checked my DMZ setting and found it's not the correct DMZ IP. Because I tried a lot of router/firewall OSs, I messed them up. Now I am 100% sure the ISP router is DMZ to OpenWrt and 6655 is working. The 8888 port is still not working. My ISP's router can't do port forward. They use VLAN+PPPoE connection method. I believe I should be able to configure it with OpenWrt, but I don't have time to try it.

This is from my ISP's router
[image]

The way to test the OpenWrt config is simple... connect a device to the ISP router (upstream of the OpenWrt router) and see if you can reach the service at port 8888 (you'll use the address 10.0.100.20 while connected to the 10.0.100.0/24 network).

  • If this works, OpenWrt is working as expected and the problem may be your upstream router or your ISP.
  • If it doesn't work, connect your device to the OpenWrt router so that it is on the 192.168.10.0/24 network and then try to connect to 192.168.10.14 on port 8888.

Report back with your findings.

I tried to connect to the ISP router and open 10.0.100.20:8888. It does not work.
Connected to OpenWrt, 192.168.10.14:8888 works.

So that would indicate that the port forward is not quite right...

Are you positive that the protocol is TCP/UDP?

Yes, it's for http web service.

What about if you disable/remove this DMZ rule?

I have tried to disable the DMZ rule, but 8888 still does not work.
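
For reviewing a firewall config like the one posted above, the following added example (not from any poster in this thread) parses UCI `config redirect` sections and lists what each DNAT rule exposes on the WAN side, flagging port-less "DMZ" style rules that forward every port. The function names are hypothetical, the sample is a constructed excerpt of the posted config, and the script assumes that an unset `proto` means tcp+udp and that redirects match in file order.

```python
import shlex

# Constructed excerpt of the redirect sections posted in this thread.
SAMPLE = """
config redirect
        option name 'NextCloud'
        option src_dport '8888'
        option dest_ip '192.168.10.14'
        option dest_port '8888'
        list proto 'tcp'
        list proto 'udp'
config redirect
        option name 'test'
        option dest_ip '192.168.10.14'
        option src_dport '12321'
        option dest_port '12321'
config redirect
        option name 'DMZ'
        option dest_ip '192.168.10.12'
        list proto 'all'
"""

def parse_uci(text):
    """Return [(section_type, options)] in file order; 'list' values become lists."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) >= 2 and tok[0] == "config":
            sections.append((tok[1], {}))
        elif len(tok) == 3 and sections and tok[0] == "option":
            sections[-1][1][tok[1]] = tok[2]
        elif len(tok) == 3 and sections and tok[0] == "list":
            sections[-1][1].setdefault(tok[1], []).append(tok[2])
    return sections

def audit_redirects(text):
    """One finding per DNAT redirect; assumes file-order matching (coarse, ignores proto overlap)."""
    findings, catch_all = [], None
    for stype, opt in parse_uci(text):
        if stype != "redirect" or opt.get("target", "DNAT") != "DNAT":
            continue
        proto = opt.get("proto", ["tcp", "udp"])  # unset proto means tcp+udp
        proto = proto.split() if isinstance(proto, str) else proto
        wan_port = opt.get("src_dport", "ALL")    # no src_dport: every port
        to = opt.get("dest_ip", "?") + ":" + opt.get("dest_port", wan_port)
        findings.append({"name": opt.get("name"), "proto": proto,
                         "wan_port": wan_port, "to": to, "shadowed_by": catch_all})
        if wan_port == "ALL" and catch_all is None:
            catch_all = opt.get("name")
    return findings
```

Calling `audit_redirects()` on the full text of `/etc/config/firewall` works the same way, since non-redirect sections are skipped; a non-empty `shadowed_by` means a port-less redirect appears earlier in the file.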