Port Forward not working on custom firewall zone

Hi All,

I have been wrapping my head around this for a couple of days now.

I have a setup where I have 4 zones:

  • lan (as created by default by OpenWRT)
  • wan (as created by default)
  • f5kavvpn (covering an OpenVPN Network)
  • hamwan (covering a Wireguard Tunnel)

I want to maintain different port forwards on both the hamwan and wan zones.

My issue is:
None of the port forwards on the hamwan zone are working. If I move the hamwan interface to the wan zone, everything works fine, but this is not what I want to achieve.
Any advice is welcome.

ubus call system board

{
	"kernel": "5.15.137",
	"hostname": "F5ZEE-Router-2",
	"system": "Atheros AR9344 rev 2",
	"model": "TP-Link TL-WDR4300 v1",
	"board_name": "tplink,tl-wdr4300-v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ath79/generic",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}

/etc/config/network


# /etc/config/network as posted. The '#' lines are review notes; the stanzas
# themselves are unchanged.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '-REDACTED-'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

# Routes for the lan interface are placed in their own tables ('lan', via
# ip4table/ip6table); the 'config rule' sections below decide which table a
# given source host is looked up in.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.212.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ip4table 'lan'
	option ip6table 'lan'

config device
	option name 'eth0.2'
	option macaddr 'e8:94:f6:3f:4f:f5'

# NOTE(review): the netifd option is 'disabled' (compare the rule section
# further down); 'disable' is most likely ignored, so this interface may
# still come up — confirm with `ifstatus wan`.
config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option disable '1'
	option metric '0'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 3 4'
	option vid '1'
	option description 'LAN'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'
	option description 'WAN'

# WireGuard uplink. Its routes go into table 'hamwan' (ip4table/ip6table),
# so nothing uses it unless a rule below selects that table.
config interface 'hamwan'
	option proto 'wireguard'
	option private_key '-REDACTED-'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	list addresses '-REDACTED-'
	list addresses '-REDACTED-'
	option ip4table 'hamwan'
	option ip6table 'hamwan'
	option metric '100'
	option mtu '1420'
	# no automatic host route to the endpoint; the main table must already
	# reach it (via wan/wanbck)
	option nohostroute '1'

# Peer may send any source address (0.0.0.0/0, ::/0), i.e. the tunnel is a
# full uplink and filtering of what arrives is left entirely to the
# 'hamwan' firewall zone.
config wireguard_hamwan
	option description 'Imported peer configuration'
	option public_key '-REDACTED-'
	option preshared_key '-REDACTED-'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option persistent_keepalive '25'
	option endpoint_host '-REDACTED-'
	option endpoint_port '-REDACTED-'

# OpenVPN tunnel device managed outside netifd (proto none); defaultroute 0
# keeps it out of the main table, its defaults live in table 'f5kavvpn'.
config interface 'f5kavvpn'
	option proto 'none'
	option device 'tunudp'
	option defaultroute '0'
	option ip4table 'f5kavvpn'
	option ip6table 'f5kavvpn'
	option metric '110'

config route 'f5kavvpn_rt'
	option interface 'f5kavvpn'
	option target '0.0.0.0/0'

config route6 'f5kavvpn_rt6'
	option interface 'f5kavvpn'
	option target '::/0'

# Default route for table 'hamwan' only.
config route
	option target '0.0.0.0/0'
	option table 'hamwan'
	option gateway '44.33.3.1'
	option interface 'hamwan'

# lan -> 10.8.0.0/24 stays in the main table; the lower priority value means
# this is evaluated before the hamwan rule below.
config rule
	option src '192.168.212.0/24'
	option dest '10.8.0.0/24'
	option priority '2999'
	option lookup 'main'

# Only 192.168.212.2 is steered into table 'hamwan'. NOTE(review): replies
# from any other DNAT target in /etc/config/firewall (the router itself at
# 192.168.212.1 is one) are presumably still looked up in the main table and
# may leave via wan — the symptom seen with tcpdump later in the thread.
config rule
	option src '192.168.212.2/32'
	option dest '0.0.0.0/0'
	option priority '3000'
	option lookup 'hamwan'
	option disabled '0'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 5'
	option vid '3'
	option description 'WAN-Bck'

# Backup uplink on VLAN 3; it is also a member of the 'wan' firewall zone.
config interface 'wanbck'
	option proto 'dhcp'
	option device 'eth0.3'
	option hostname '*'
	option metric '1'

config device
	option name 'eth0.3'
	option type '8021q'
	option ifname 'eth0'
	option vid '3'
	option macaddr 'E8:94:F6:3F:4F:F6'

# Not a netifd section; presumably read by a separate failover package —
# verify which one owns it.
config failover 'failover'
	option wan 'wan'
	option failover 'wanbck'
	option pinghost '8.8.8.8'

/etc/config/firewall

# /etc/config/firewall as posted (fw4, OpenWrt 23.05). The '#' lines are
# review notes; the stanzas themselves are unchanged.
# Global policy: drop unsolicited input and forward, allow output.
config defaults
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option synflood_protect '1'
	option flow_offloading '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# Upstream zone: primary uplink, its IPv6 companion and the backup uplink,
# all masqueraded.
config zone
	option name 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wanbck'

config forwarding
	option src 'lan'
	option dest 'wan'

# The stock OpenWrt input rules below are bound to src 'wan' only; the
# 'hamwan' zone gets just the Allow-Ping rule.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'hamwan'
	option proto 'icmp'
	option family 'ipv4'
	option target 'ACCEPT'
	list icmp_type 'echo-request'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv4'
	option target 'ACCEPT'
	list icmp_type 'echo-request'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forward rules: ESP and ISAKMP (UDP/500) from wan are accepted into any
# lan host. These are wider than the per-host DNAT redirects below; keep
# them only if an IPsec endpoint on the lan still needs them.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Hook for the pbr package's firewall script.
config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

# WireGuard uplink zone: same posture as 'wan' (drop input/forward, masq).
# Zone membership only decides what is accepted; which interface the reply
# packets leave on is decided by the routing rules in /etc/config/network,
# which is why the redirects below need matching PBR for their target hosts
# (the thread's resolution).
config zone
	option name 'hamwan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'hamwan'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'hamwan'

# NOTE(review): fully trusted zone — input ACCEPT exposes every router
# service to the OpenVPN side, and the two forwardings below let that side
# reach both lan and wan. Acceptable if the remote end is under your
# control; otherwise narrow it like 'hamwan' (input/forward DROP plus
# explicit rules).
config zone
	option name 'f5kavvpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'f5kavvpn'

config forwarding
	option src 'lan'
	option dest 'f5kavvpn'

config forwarding
	option src 'f5kavvpn'
	option dest 'lan'

config forwarding
	option src 'f5kavvpn'
	option dest 'wan'

# DNAT redirects from the hamwan zone to 192.168.212.2 (all UDP). That host
# is the one the PBR rule in /etc/config/network steers into table 'hamwan',
# so its replies return over WireGuard.
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'DStar G2'
	list proto 'udp'
	option src 'hamwan'
	option src_dport '40000'
	option dest_ip '192.168.212.2'
	option dest_port '40000'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Dstar DExtra'
	list proto 'udp'
	option src 'hamwan'
	option src_dport '30001'
	option dest_ip '192.168.212.2'
	option dest_port '30001'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'DStar DCS'
	list proto 'udp'
	option src 'hamwan'
	option src_dport '30051'
	option dest_ip '192.168.212.2'
	option dest_port '30051'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'DStar DPlus'
	list proto 'udp'
	option src 'hamwan'
	option src_dport '20001'
	option dest_ip '192.168.212.2'
	option dest_port '20001'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'DStar DV Dongle'
	list proto 'udp'
	option src 'hamwan'
	option src_dport '50001'
	option dest_ip '192.168.212.2'
	option dest_port '50001'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'ircddb Remote'
	list proto 'udp'
	option src 'hamwan'
	option src_dport '43210'
	option dest_port '43210'
	option dest_ip '192.168.212.2'

# NOTE(review): dest_ip is the router's own lan address, so this exposes the
# router's SSH service on the hamwan address (a public IP according to the
# thread). A changed external port is not an access control: make sure SSH
# on the router is key-only and consider a rate limit. Replies from the
# router itself are presumably routed by the main table, not by the
# 192.168.212.2 rule — verify with tcpdump if this forward misbehaves.
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Hamwan SSH'
	list proto 'tcp'
	option src 'hamwan'
	option src_dport '-REDACTED-'
	option dest_port '22'
	option dest_ip '192.168.212.1'

The above can also, and perhaps better, be done by adding the following to the OpenVPN config:

redirect-gateway def1
redirect-gateway ipv6

But to answer your question: you can port forward incoming traffic from OpenVPN and WireGuard, but are you sure that the server side (commercial VPN or VPS) supports port forwarding?

My own VPN provider supported port forwarding until recently and I used that but unfortunately they stopped supporting that.

Note: if you are running a VPN client with the default route via the VPN, port forwarding via the WAN is blocked, because the replies would leave via the VPN; you have to use PBR to route the traffic forwarded from the WAN back out via the WAN and not via the VPN.


You can easily verify that you receive the packets to be forwarded with tcpdump:

# Refresh the package lists and install tcpdump, then capture up to 10
# packets (-c 10) on the WireGuard interface for the forwarded port;
# -n skips name resolution so the output shows raw addresses.
opkg update
opkg install tcpdump
tcpdump -i hamwan -c 10 -n port 43210

@egc The other side of the WireGuard tunnel accepts port forwards; the IP I actually get on the other side is a public one. The OpenVPN has no routing to wan, it is just used to access some machines. Whenever I move the hamwan interface into the wan zone, port forwarding is working. I am already using pbr to route some of the traffic through hamwan; this is working fine and does not depend on which zone the hamwan interface is in.

@trendy
I can see the packets coming in using tcpdump.... I need to continue investigating from here.... Yet it is weird that all is fine when the hamwan interface is moved to the wan zone.

@trendy using tcpdump I was able to determine the following:
outgoing packets are going out through the wan interface, but with the IP of hamwan....

Adding proper PBR rules made everything work....

For this scenario to work I have to accept that some hosts exclusively access the internet through either wan or hamwan. Having them on both would require some additional NATing wizardry, I guess.

You can work with source and destination ports in your pbr rules, so you can actually have a lan client which routes some traffic via the vpn and some via wan, selected by port.


In the end it is just fine-tuning of what I have. Yet I need more magic to have the same service available on both zones.
