Port forward on port 443 and 80 not working anymore

I am not sure if it was something I changed or what exactly happened, but port forwards for 2222 and 51280 work as before and the ones for 443 and 80 (HTTP and HTTPS) stopped working.

They worked before; my attempts to debug / fix this did not lead to a solution. Any help appreciated.

How else can I debug it / what am I missing?

Hardware is a FritzBox 7520 running OpenWrt

Here is the /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'NAS | dropbear-initramfs'
        option src 'wan'
        option src_dport '2222'
        option dest_ip '10.0.0.200'
        option dest_port '2222'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'NAS | WireGuard'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '10.0.0.200'
        option dest_port '51820'

config include 'opennds'
        option type 'script'
        option path '/usr/lib/opennds/restart.sh'

config rule

config rule
        option name 'Block-Internet-Acces'
        option src 'lan'
        option dest 'wan'
        option target 'REJECT'
        list proto 'all'
        list src_mac 'ec:71:db:12:34:56'
        list src_mac 'ec:71:db:12:34:56'
        list src_ip '10.0.0.71'
        list src_ip '10.0.0.72'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'NPM | HTTP'
        option src 'wan'
        option src_dport '80'
        option dest_ip '10.0.0.201'
        option dest_port '80'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'NPM | HTTPS'
        option src 'wan'
        option src_dport '443'
        option dest_ip '10.0.0.201'
        option dest_port '443'
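
An added example, not part of the original post: a small shell/awk helper that lists every DNAT redirect in an OpenWrt firewall config together with the protocols it exposes to the WAN. It assumes the documented OpenWrt defaults for a `redirect` section (target `DNAT`, proto `tcp udp` when no `proto` is set); the function names and the embedded sample, which is cut down from the config above, are this example's own.

```shell
#!/bin/sh
# Sample input: a subset of the config posted above (one rule, two redirects).
sample_config() {
    cat <<'EOF'
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'NAS | dropbear-initramfs'
        option src 'wan'
        option src_dport '2222'
        option dest_ip '10.0.0.200'
        option dest_port '2222'

config redirect
        option dest 'lan'
        option name 'NAS | WireGuard'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '10.0.0.200'
        option dest_port '51820'
EOF
}

# list_redirects [FILE]: one tab-separated line per DNAT redirect:
#   name, proto, WAN port, internal ip:port. Reads stdin when FILE is omitted.
list_redirects() {
    awk -v q="'" '
    function val(    parts) { split($0, parts, q); return parts[2] }
    function emit() {
        if (!in_redirect || target != "DNAT") return
        if (proto == "") proto = "tcp udp (default)"   # no proto set: both are forwarded
        printf "%s\t%s\t%s\t%s:%s\n", name, proto, dport, ip, port
    }
    $1 == "config" {                  # a new section starts: flush the previous one
        emit(); in_redirect = ($2 == "redirect")
        name = proto = dport = ip = port = ""; target = "DNAT"; next
    }
    in_redirect && ($1 == "option" || $1 == "list") {
        v = val()
        if      ($2 == "name")      name = v
        else if ($2 == "proto")     proto = (proto == "" ? v : proto " " v)
        else if ($2 == "src_dport") dport = v
        else if ($2 == "dest_ip")   ip = v
        else if ($2 == "dest_port") port = v
        else if ($2 == "target")    target = v
    }
    END { emit() }' "${1:--}"
}

sample_config | list_redirects
```

On the router itself this would be run as `list_redirects /etc/config/firewall`; redirects reported as `tcp udp (default)` can be narrowed by adding an explicit `proto` to the section.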

OpenWrt version?

OpenWrt SNAPSHOT r25381+46-336a531c15

That is a build I got from the forum implementing a fix for the DSL, as some devices of this model are affected and aren't able to connect.

But it worked previously on this build.

Maybe your provider blocks these, try some higher port.


As I wrote, 2222 and 51280 still work.
What chance is there they started blocking it all of a sudden after so many years?


Okay, so I just spun up an NGINX server and forwarded port 80 for further debugging, and that worked.

So it seems to be a problem with the connection of my router to nginx proxy manager, which is odd as I can reach it on 10.0.0.201:80 and :443 but forwarding is not working.

The docker network for NPM is a macvlan, could that be an issue?

Solution for now was to change the ports of NPM to 8443 and 880 and forward directly to the NAS instead of the macvlan IP, which worked for other containers but not NPM; changing the IP did not help.
