Port forward - one router works, another not

Hi all,

I have a strange situation and I'm stuck. What I have:

Two identical routers TP-Link Archer C20i, flashed with the latest snapshot OpenWrt SNAPSHOT r20513-a99707d14c / LuCI Master git-22.245.77360-10bcb22 (because the 5 GHz radios fail with the release build)
Two different ISPs, both with open ports 80/443

First router is configured with static internal ip address 192.168.66.1 and to forward all incoming requests on ports 80/443 to 192.168.66.103. DHCPD is on
Second router is configured with static internal ip address 192.168.66.175 and to forward all incoming requests on ports 80/443 to 192.168.66.103. DHCPD is off

The first router works as expected. The second does not: neither port 80 nor port 443 can be reached, neither locally nor from the internet.

The settings are very similar.

Router 1:
 ubus call system board; \
> uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
        "kernel": "5.10.139",
        "hostname": "koko_telekabel",
        "system": "MediaTek MT7620A ver:2 eco:6",
        "model": "TP-Link Archer C20i",
        "board_name": "tplink,archer-c20i",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r20513-a99707d14c",
                "target": "ramips/mt7620",
                "description": "OpenWrt SNAPSHOT r20513-a99707d14c"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdaa:4956:5751::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.66.1'

config device
        option name 'eth0.2'
        option macaddr 'a4:2b:b0:cd:7b:19'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option force '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'koko'
        option dns '1'
        option mac '90:1B:0E:FE:B1:2C'
        option ip '192.168.66.103'

config host
        option name 'Niki'
        option dns '1'
        option mac '74:D4:35:B7:8E:FF'
        option ip '192.168.66.156'

config host
        option name 'airRohr'
        option dns '1'
        option mac '80:7D:3A:22:E6:5E'
        option ip '192.168.66.135'

config host
        option name 'meter.ac'
        option dns '1'
        option mac '98:D8:63:06:1F:DA'
        option ip '192.168.66.206'

config host
        option name 'Pantum'
        option dns '1'
        option mac '84:7A:B6:E3:DC:B0'
        option ip '192.168.66.101'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'https'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.66.103'
        option dest_port '443'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'http'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.66.103'
        option dest_port '80'

head: /etc/firewall.user: No such file or directory
-ash: iptables-save: not found
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.66.1/24 brd 192.168.66.255 scope global br-lan
       valid_lft forever preferred_lft forever
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet externalip1/24 brd 31.13.201.255 scope global eth0.2
       valid_lft forever preferred_lft forever
default via 31.13.201.1 dev eth0.2  src externalip1
31.13.201.0/24 dev eth0.2 scope link  src externalip1
192.168.66.0/24 dev br-lan scope link  src 192.168.66.1
broadcast 31.13.201.0 dev eth0.2 table local scope link  src externalip1
local externalip1 dev eth0.2 table local scope host  src externalip1
broadcast 31.13.201.255 dev eth0.2 table local scope link  src externalip1
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.66.0 dev br-lan table local scope link  src 192.168.66.1
local 192.168.66.1 dev br-lan table local scope host  src 192.168.66.1
broadcast 192.168.66.255 dev br-lan table local scope link  src 192.168.66.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
Router 2
ubus call system board; \
> uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
        "kernel": "5.10.139",
        "hostname": "kokokokovski",
        "system": "MediaTek MT7620A ver:2 eco:6",
        "model": "TP-Link Archer C20i",
        "board_name": "tplink,archer-c20i",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r20513-a99707d14c",
                "target": "ramips/mt7620",
                "description": "OpenWrt SNAPSHOT r20513-a99707d14c"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdec:9cc6:90b8::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.66.175'

config device
        option name 'eth0.2'
        option macaddr '30:b5:c2:eb:98:65'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'http'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.66.103'
        option dest_port '80'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'https'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.66.103'
        option dest_port '443'

head: /etc/firewall.user: No such file or directory
-ash: iptables-save: not found
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet externalip2/23 brd 91.204.159.255 scope global eth0.2
       valid_lft forever preferred_lft forever
9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.66.175/24 brd 192.168.66.255 scope global br-lan
       valid_lft forever preferred_lft forever
default via 91.204.159.254 dev eth0.2  src externalip2
91.204.158.0/23 dev eth0.2 scope link  src externalip2
192.168.66.0/24 dev br-lan scope link  src 192.168.66.175
broadcast 91.204.158.0 dev eth0.2 table local scope link  src externalip2
local externalip2 dev eth0.2 table local scope host  src externalip2
broadcast 91.204.159.255 dev eth0.2 table local scope link  src externalip2
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.66.0 dev br-lan table local scope link  src 192.168.66.175
local 192.168.66.175 dev br-lan table local scope host  src 192.168.66.175
broadcast 192.168.66.255 dev br-lan table local scope link  src 192.168.66.175
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Could you tell me what else I can check to figure out what is wrong with router 2 or its settings?

Could it be because I used 192.168.66.175 instead of the first address of the network?

Best regards

Edit: uhttpd is configured to listen on the local IP address only, on both routers.

Router 1
config uhttpd 'main'
        list listen_http '192.168.66.1:80'
#       list listen_http '[::]:80'
        list listen_https '192.168.66.1:443'
#       list listen_https '[::]:443'
        option redirect_https '0'
        option home '/www'
        option rfc1918_filter '1'
        option max_requests '3'
        option max_connections '100'
        option cert '/etc/uhttpd.crt'
        option key '/etc/uhttpd.key'
        option cgi_prefix '/cgi-bin'
        list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
        option script_timeout '60'
        option network_timeout '30'
        option http_keepalive '20'
        option tcp_keepalive '1'
        option ubus_prefix '/ubus'

Router 2
config uhttpd 'main'
        list listen_http '192.168.66.175:80'
        list listen_http '[::]:80'
        list listen_https '192.168.66.175:443'
        list listen_https '[::]:443'
        option home '/www'
        option rfc1918_filter '1'
        option max_requests '3'
        option max_connections '100'
        option cert '/etc/uhttpd.crt'
        option key '/etc/uhttpd.key'
        option cgi_prefix '/cgi-bin'
        list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
        option script_timeout '60'
        option network_timeout '30'
        option http_keepalive '20'
        option tcp_keepalive '1'
        option ubus_prefix '/ubus'
        option redirect_https 'on'

Is the second router connected to the first router via the LAN port (LAN - LAN)? If so, the firewall on the second router doesn't do anything because you're working on a single subnet (the firewall only becomes involved when you are routing between two different subnets).

Yes, both are connected via their LAN ports.

Then you cannot do any forwarding on the second router.

But you have two ISPs, so each router actually has its own WAN and routes to the LAN, right?

Yes, there are two ISPs, two WANs, connected separately.

Edit:

Ouch! The default gateway of 192.168.66.103 is 192.168.66.1, so replies to connections forwarded by router 2 are sent back through router 1 instead of router 2.

I'm not sure whether this can work under these conditions. :frowning:

I tested it: I can have two gateways with different metrics on Windows (PC), but it doesn't work smoothly.

Any suggestions?

I don't think this is going to work the way you want.

You should probably run both ISPs into a single router and use mwan3 and pbr to handle this.

