Port Forwarding after Upgrade

Hi there!
Today I upgraded my Linksys WRT3200ACM to the latest version of OpenWrt (from 19.07.7 to 23.05.2). Before the upgrade I moved the following files aside, because of the new syntax in the network config:
/etc/config/system --> /etc/config/system.bak
/etc/config/network --> /etc/config/network.bak
/etc/config/firewall --> /etc/config/firewall.bak

After that I ran the sysupgrade from LuCI, which worked perfectly. After some post-upgrade configuration the router works as expected – except for port forwarding.

I just want to forward the WAN traffic to my web server, which is on 192.168.10.130 (ports 443 & 80).
I tried a lot of things but couldn't get it working. Help would be appreciated!
Here are some config files which might be helpful:

cat /etc/config/firewall

# /etc/config/firewall as posted (fw4 / 23.05 syntax). The order of the anonymous
# rule/redirect sections is significant for rule precedence, so it is kept unchanged.

# Global policy: unsolicited input and forwarding are dropped; only traffic that a
# rule or redirect below admits (or that belongs to an existing connection) gets through.
config defaults
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option synflood_protect '1'
        option drop_invalid '1'

# LAN zone: fully open towards the router itself and towards any zone it forwards to.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# WAN zone: covers both the IPv4 and the IPv6 upstream interface. Inbound traffic is
# dropped unless a rule/redirect admits it; outbound traffic is NATed (masq) and
# TCP MSS is clamped to the path MTU (mtu_fix).
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'

# Only lan -> wan is forwarded. There is deliberately no wan -> lan forwarding, so
# inbound traffic can only reach the LAN through a redirect (DNAT) further down.
config forwarding
        option src 'lan'
        option dest 'wan'

# The Allow-* rules below are the stock OpenWrt defaults for DHCP renewal, ping,
# IGMP and IPv6 housekeeping (DHCPv6, MLD, ICMPv6) on the WAN side.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 towards the router itself, rate-limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 forwarded through the router to any zone (dest '*'), same rate limit.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock defaults that allow IPsec (ESP, and IKE/ISAKMP on UDP 500) from WAN to be
# forwarded into the LAN.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# NOTE(review): these two traffic rules match 'src_port', i.e. the *client's* source
# port, which is normally an ephemeral port, so they would hardly ever match;
# 'dest_port' is the relevant match. Both are disabled (enabled '0') and are not
# needed for the forward anyway: fw4's default "ct status dnat accept" rule in the
# forward_wan chain already admits connections that hit a redirect.
config rule
        option name 'webservices'
        option src 'wan'
        option src_port '80'
        list dest_ip '192.168.10.130'
        option dest_port '80'
        option target 'ACCEPT'
        option enabled '0'
        option dest 'lan'

config rule
        option name 'webservices_443'
        option src 'wan'
        option src_port '443'
        list dest_ip '192.168.10.130'
        option dest_port '443'
        option target 'ACCEPT'
        option enabled '0'
        option dest 'lan'

# DNAT port forwards for the web server; these alone are what expose ports 80/443
# on the WAN side. No 'proto' is set here; the poster later added 'list proto tcp'
# by hand, which matches the tcp-only entries in the nft output further down.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'webservices'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.10.130'
        option dest_port '80'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'webservices_443'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.10.130'
        option dest_port '443'
cat /etc/config/system

# /etc/config/system as posted. Nothing here influences forwarding; included for completeness.

# Basic host settings. 'ttylogin 0' means no password prompt on the serial console
# (the OpenWrt default); 'urandom_seed 0' disables the persisted urandom seed file.
# 'log_proto' only matters once a remote log_ip is configured, which is not the case here.
config system
        option hostname 'OpenWrt'
        option timezone 'CET-1CEST,M3.5.0,M10.5.0/3'
        option ttylogin '0'
        option log_size '64'
        option urandom_seed '0'
        option compat_version '1.1'
        option zonename 'Europe/Vienna'
        option log_proto 'udp'
        option conloglevel '8'
        option cronloglevel '5'

# NTP sources (stock OpenWrt pool).
config timeserver 'ntp'
        list server '0.openwrt.pool.ntp.org'
        list server '1.openwrt.pool.ntp.org'
        list server '2.openwrt.pool.ntp.org'
        list server '3.openwrt.pool.ntp.org'

# Board-specific LED mappings for the WRT3200ACM; the WAN LED follows link/tx/rx
# of the 'wan' netdev, the others follow USB port activity.
config led 'led_wan'
        option name 'WAN'
        option sysfs 'pca963x:rango:white:wan'
        option trigger 'netdev'
        option mode 'link tx rx'
        option dev 'wan'

config led 'led_usb1'
        option name 'USB 1'
        option sysfs 'pca963x:rango:white:usb2'
        option trigger 'usbport'
        list port 'usb1-port1'

config led 'led_usb2'
        option name 'USB 2'
        option sysfs 'pca963x:rango:white:usb3_1'
        option trigger 'usbport'
        list port 'usb2-port1'
        list port 'usb3-port1'

config led 'led_usb2_ss'
        option name 'USB 2 SS'
        option sysfs 'pca963x:rango:white:usb3_2'
        option trigger 'usbport'
        list port 'usb3-port1'
cat /etc/config/network

# /etc/config/network as posted (DSA syntax introduced after 19.07).

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# IPv6 ULA prefix for the LAN (used by 'ip6assign' below).
config globals 'globals'
        option ula_prefix 'fd23:b61f:de8c::/48'

# LAN bridge over the four switch ports.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# LAN: 192.168.10.0/24 with the router at .1; the web server 192.168.10.130 lives here.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# NOTE(review): the WAN port carries a MAC override (26:... has the locally-administered
# bit set, so it is not the factory address). If the device upstream of this router
# identifies it by MAC/DHCP lease — e.g. for its own port forwards — it presumably sees
# a different client than the pre-upgrade firmware did; worth confirming against the
# upstream device, given the non-public WAN address reported later in the thread.
config device
        option name 'wan'
        option macaddr '26:f5:a2:c4:35:30'

# WAN gets its IPv4 address via DHCP from whatever is upstream; wan6 does DHCPv6 on
# the same port.
config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

Hi

did you forget to enable the rule ? :slight_smile:
checkbox on right side ?

:grin: hehe no i didn't forget - i just disabled it because it is not working.

And yes the device is reachable via ssh within lan - no problem whatsoever here.

On 19.07 port forwarding worked without any issues.

Do I need both port forwarding rules and traffic rules? Or would the port forwarding rules suffice?

...thanks ...

well, i am using 2 rules

# Example from another user: a traffic rule plus a redirect for the same forward.
# NOTE(review): 'src_port 80' restricts the *client's* source port, which is
# normally ephemeral, so this traffic rule will rarely match. It is the redirect
# below, together with fw4's default "ct status dnat accept" rule, that actually
# admits the forwarded connections.
config rule
        list proto 'tcp'
        option src 'vlan33'
        option dest_port '80'
        option target 'ACCEPT'
        option src_port '80'
        option name 'http_to_frater'
        list dest_ip '192.168.202.4'

# DNAT of WAN (vlan33) port 80 to the LAN-side host; note the explicit 'list proto tcp'
# that the original poster's config lacked.
config redirect
        option dest 'vlan202'
        option target 'DNAT'
        option name 'frater80v4'
        list proto 'tcp'
        option src 'vlan33'
        option src_dport '80'
        option dest_ip '192.168.202.4'
        option dest_port '80'

vlan33 is WAN
vlan202 is LAN side

Interesting, for me the sole redirect rule works without the traffic rule, but I am on K5.15 with nftables so YMMV.

Besides, I do not redirect ports 80 and 443; since the router itself listens on these ports it might behave differently (although it should not).

But what the underlying problem is eludes me, the redirect rule looks OK.

Hi there!
The first strange thing was that the line

list proto 'tcp'

was missing in /etc/config/firewall

I added it by hand and tried it without the traffic rule. It did not work. With the traffic rule it did not work either. (Of course I restarted the firewall by hand…)

Is there a way to debug such scenarios?

Besides:
curl gives the following output if i curl my external ip address:

curl: (7) Failed to connect to nextcloud.benjamin-draxlbauer.at port 443 after 3197 ms: Keine Route zum Zielrechner

so only a "no route to host"

thanks for your help anyways!

An additional traffic rule is not needed due to the presence of this default rule in the forward_wan chain.

ct status dnat accept comment "!fw4: Accept port forwards"

Run nft list chain inet fw4 dstnat_wan and check the rule counters for hits.


Gives the following output:

root@OpenWrt:~# nft list chain inet fw4 dstnat_wan
table inet fw4 {
        chain dstnat_wan {
                meta nfproto ipv4 tcp dport 80 counter packets 0 bytes 0 dnat ip to 192.168.10.130:80 comment "!fw4: webservices"
                meta nfproto ipv4 tcp dport 443 counter packets 0 bytes 0 dnat ip to 192.168.10.130:443 comment "!fw4: webservices_443"
        }
}

Was exactly posting this also:
nft list table inet fw4 | grep 443

My 1194 port (OVPN server) is hit:

meta nfproto ipv4 tcp dport 1194 counter packets 10 bytes 448 dnat ip to 192.168.0.6:1194 comment "!fw4: OVPN-server6"
meta nfproto ipv4 udp dport 1194 counter packets 5 bytes 210 dnat ip to 192.168.0.6:1194 comment "!fw4: OVPN-server6"

Yours show zero, so it seems nothing is knocking on your router?


Gives the following:

root@OpenWrt:~# nft list table inet fw4 | grep 443
                ip saddr 192.168.10.0/24 ip daddr 192.168.178.22 tcp dport 443 dnat ip to 192.168.10.130:443 comment "!fw4: webservices_443 (reflection)"
                ip saddr 192.168.10.0/24 ip daddr 192.168.10.130 tcp dport 443 snat ip to 192.168.10.1 comment "!fw4: webservices_443 (reflection)"
                meta nfproto ipv4 tcp dport 443 counter packets 0 bytes 0 dnat ip to 192.168.10.130:443 comment "!fw4: webservices_443"

Are you sure you are using the correct external IP address?

Are you testing from outside, e.g. with your phone/laptop on cellular? Reflection (hairpin NAT from the LAN) is not enabled by default, I think.

As the counter is 0 it looks there is nothing trying to enter your router.


I have dyndns installed so yes this should be the case. Plus canyouseeme.org gives me the same ip.

When I revert to my 19.0 OpenWrt partition, port forwarding works as expected....

Could it be the case, that I am missing some packages due to the upgrade process?

Or maybe the packets are dropped somewhere?

Does it match the IP on WAN interface?


As far as I can see it does not (see screenshot):

That's the issue. You don't have a public IP address on your WAN interface.


Okay, so I need to configure the WAN interface – any hints on how to change this?

Is the dyndns not overwriting correctly or is there something wrong with the wan interface config?

  • thanks for help – I am not very experienced with network stuff :see_no_evil:

No. You don't have a Public IP. There's nothing you can do locally. You can call your ISP to inquire about receiving one.

If available, they'll usually charge or make you setup a business account.

I don't get it – if I use 19.0 OpenWrt, port forwarding from the external zone works as expected. Ports 80 and 443 on my external IP are open and everything works. The services on the server have been up for many years...

That is exactly why I use Dynamic DNS: to keep my external IP up to date …

Then you may wish to ask your ISP what changed, as your current screenshot clearly shows a non-public IP. (A private address on WAN – the reflection rules above show 192.168.178.22 – means a device upstream of this router is doing the NAT; unless that device forwards ports 80/443 to this router's current WAN address, inbound connections never reach the dstnat_wan chain, which is consistent with the zero packet counters.)