Port forward problem

In the OpenWrt 23.05.5 x86_64 version, there is no problem with the firewall's port forwarding if it is forwarded to the router itself. However, if it is forwarded to other hosts in the LAN, it doesn't work properly.

I used tcpdump to capture packets and found that the forwarding did occur, but the source IP address was not masked. At this time, the forwarded host would respond through its own gateway (not the router gateway). Therefore, it doesn't work properly. I forcibly changed the LAN to masked and then the forwarding worked normally. I also found another router to try and found that the router that worked normally would mask the source address as no-data. Could you tell me how to fix this problem, please?

This is a forcibly masked packet: `OpenWrt.lan.50812 > 192.168.18.2.80`

This is a normally masked packet: `no-data.63841 > 192.168.18.2.80`

Let's take a look at the config to see if there are any clues. Please make sure you've got the desired port forward in the config.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.167",
        "hostname": "OpenWrt",
        "system": "Intel(R) Celeron(R) CPU 3865U @ 1.80GHz",
        "model": "VMware, Inc. VMware Virtual Platform",
        "board_name": "vmware-inc-vmware-virtual-platform",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "x86/64",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}
---------------------------------------------------------------------------------------------------------
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd51:7d2f:8100::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.18.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth5'
        option proto 'pppoe'
        option username '406598721'  
        option password '1a2b3c4d'   
        option ipv6 'auto'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
-----------------------------------------------------------------------------------------------
root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option target 'DNAT'
        option name 'X86router_ssh'
        option src 'wan'
        option src_dport '54321'
        option dest 'lan'
        option dest_ip '192.168.18.1'
        option dest_port '22'

config redirect
        option target 'DNAT'
        option name 'linksys_ssh'
        option src 'wan'
        option dest 'lan'
        option dest_ip '192.168.18.2'
        option dest_port '22'
        option src_dport '55555'

Turn off masquerading on the lan zone.

Reboot and test again.

This option is off by default. In the off state, the source IP will not be masqueraded and will look like `185.199.111.133.50812 > 192.168.18.2.22` when forwarding. But there is another gateway on my machine 192.168.18.2; it will respond through its own gateway after receiving the data packets instead of returning the data packets to 192.168.18.1.
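The failure mode described here and in the opening post (a DNAT'd packet reaches the LAN host with its original off-LAN source, so the host replies via its own default gateway rather than back through the OpenWrt box that holds the conntrack entry) can be checked from a capture on `br-lan`. The following is an added Python example, not code from this thread or from OpenWrt. It parses tcpdump-style `src.port > dst.port` lines, classifies the source as the router's own LAN address, another on-link host, or an off-LAN address, and predicts where the LAN host will send its reply given the host's configured default gateway. It assumes the LAN from the posted config (192.168.18.0/24 with the router at 192.168.18.1) and that the names tcpdump printed for the router (`OpenWrt.lan`, `no-data`) resolve to that address; the capture lines and the alternate gateway 192.168.18.254 are constructed for illustration.

```python
"""Classify DNAT'd flows seen on the LAN side and predict the host's reply path.

Added example, not code from the thread or from OpenWrt. Assumes the LAN from
the posted config (192.168.18.0/24, router 192.168.18.1) and that the names
tcpdump printed for the router ("OpenWrt.lan", "no-data") resolve to that
address. SAMPLE_CAPTURE is constructed, modelled on the lines quoted in the thread.
"""
import ipaddress
import re
from dataclasses import dataclass

LAN_NET = ipaddress.ip_network("192.168.18.0/24")
ROUTER_IP = ipaddress.ip_address("192.168.18.1")
ROUTER_NAMES = {"OpenWrt.lan", "no-data"}  # assumption: reverse-DNS names of ROUTER_IP

# "src.sport > dst.dport" as tcpdump prints it, with resolved names or dotted IPs
_PAIR = re.compile(r"(?P<src>[\w.\-]+)\.(?P<sport>\d+) > (?P<dst>[\w.\-]+)\.(?P<dport>\d+)")

# Constructed sample capture: one masqueraded flow, one un-masqueraded DNAT, one plain LAN client
SAMPLE_CAPTURE = [
    "10:00:01.000001 IP OpenWrt.lan.50812 > 192.168.18.2.80: Flags [S], seq 1, win 64240, length 0",
    "10:00:02.000001 IP 185.199.111.133.50812 > 192.168.18.2.22: Flags [S], seq 1, win 64240, length 0",
    "10:00:03.000001 IP 192.168.18.50.40000 > 192.168.18.2.22: Flags [S], seq 1, win 64240, length 0",
]


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line: str):
    """Extract the address pair from one tcpdump line, or None if there is none."""
    m = _PAIR.search(line)
    if not m:
        return None
    return Flow(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def _in_lan(host: str) -> bool:
    try:
        return ipaddress.ip_address(host) in LAN_NET
    except ValueError:
        return False  # an unresolved name we cannot place


def source_kind(host: str) -> str:
    """'router' for the router's own LAN address, 'lan' for another on-link host, else 'off-lan'."""
    if host in ROUTER_NAMES:
        return "router"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "off-lan"
    if addr == ROUTER_IP:
        return "router"
    return "lan" if addr in LAN_NET else "off-lan"


def reply_path(flow: Flow, host_gateway: str) -> str:
    """Predict where the LAN host sends its reply to this packet.

    'on-link'      : source is on the LAN, the reply is delivered directly (masqueraded case)
    'via-router'   : off-LAN source and the host's default gateway is this router, so conntrack un-DNATs it
    'via-other-gw' : off-LAN source and the host routes via another gateway; the reply bypasses
                     the router's NAT state and the connection never completes
    """
    if source_kind(flow.src) in ("router", "lan"):
        return "on-link"
    if ipaddress.ip_address(host_gateway) == ROUTER_IP:
        return "via-router"
    return "via-other-gw"


def audit(lines, host_gateway: str):
    """(flow, verdict) for every parsable line whose destination is a LAN host."""
    results = []
    for line in lines:
        flow = parse_line(line)
        if flow is not None and _in_lan(flow.dst):
            results.append((flow, reply_path(flow, host_gateway)))
    return results


def broken_flows(lines, host_gateway: str):
    """Flows whose reply will take the asymmetric path and therefore fail."""
    return [flow for flow, verdict in audit(lines, host_gateway) if verdict == "via-other-gw"]


if __name__ == "__main__":
    # The LAN host in the thread uses a gateway other than 192.168.18.1; 192.168.18.254 is a stand-in
    for flow, verdict in audit(SAMPLE_CAPTURE, "192.168.18.254"):
        print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}  reply {verdict}")
```

Run it against `tcpdump -i br-lan -n` output (or a saved capture converted to text) to confirm which forwarded flows arrive un-masqueraded. Enabling masquerading on the whole lan zone, as suggested above, makes every forwarded flow take the `on-link` path, but the LAN host then sees only the router's address in its logs. OpenWrt's firewall also accepts a `config nat` section that applies SNAT or MASQUERADE only to traffic matching a zone, destination address, port and protocol, which keeps the rewrite scoped to the forwarded service instead of all LAN traffic.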


What other gateway is in the network? Although you mentioned it, I'm not sure exactly how this relates to the overall network architecture and the problem at hand. Could you draw a system topology diagram for us (the more comprehensive, the better).

Thanks for the diagram. I'm still quite confused... this is a very unusual topology.

I see that you're trying to ssh in from the client to the wan of the x86 (right hand router) and it seems that your port forward target is another router (192.168.18.2)??

What's confusing, though, is the relationship with the other router (192.168.18.2)... Why is it there? If this is a dual wan setup, why not put both wans on the same router and use mwan3 and/or policy based routing to handle the two connections?