Port forwarding config to server

Hello,
I just installed OpenWrt on my TP-Link Archer A7. I have a web server and a mail server on my LAN and I am trying to configure port forwarding to these servers but can't seem to get it to work. I am using a Spectrum cable modem with no Spectrum router or wifi, just the A7 connected to the cable modem via the WAN interface.

I can ping the A7 but cannot telnet to port 25 or 143.

I have set up port forwarding as below for smtp and imap services on the mail server:

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'SMTP'
        option src 'wan'
        option src_dport '25'
        option dest_ip '192.168.1.10'
        option dest_port '25'
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'IMAP-TLS'
        option src 'wan'
        option src_dport '143'
        option dest_ip '192.168.1.10'
        option dest_port '143'

Anything else I need to do?

I can imagine those ports being blocked by the ISP.

Try using different port, externally.

Not the case. I had it working under the tp-link software before I flashed it.

What is the output of

iptables -t nat -nvL zone_wan_prerouting
iptables -t nat -nvL zone_wan_prerouting
Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  201  9417 prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan prerouting rule chain */
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 /* !fw3: SMTP */ to:192.168.1.10:25
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:25 /* !fw3: SMTP */ to:192.168.1.10:25
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 /* !fw3: IMAP-TLS */ to:192.168.1.10:143
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:143 /* !fw3: IMAP-TLS */ to:192.168.1.10:143
    2    80 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* !fw3: Web TLS */ to:192.168.1.32:443
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:443 /* !fw3: Web TLS */ to:192.168.1.32:443
    2   121 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* !fw3: Web */ to:192.168.1.32:80
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:80 /* !fw3: Web */ to:192.168.1.32:80

There are no hits on the rules, so the requests do not reach the wan interface.

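The counter check above is the decisive test: a DNAT rule that has never matched means the packets never arrived on the WAN side, so the problem is upstream (modem, ISP) rather than in the router config. The following Python script is an added example, not code from the thread or from OpenWrt. It parses the output of `iptables -t nat -nvL zone_wan_prerouting` (the sample below is constructed from the output posted above), lists every DNAT forward with its packet count, flags the ones with zero hits, and also reports ports that have both a tcp and a udp forward, which is what fw3 generates when a redirect omits `option proto`. The function names and the report format are my own.

```python
import re

# Constructed sample: the zone_wan_prerouting listing posted in the thread.
SAMPLE = """\
Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
  201  9417 prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan prerouting rule chain */
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 /* !fw3: SMTP */ to:192.168.1.10:25
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:25 /* !fw3: SMTP */ to:192.168.1.10:25
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 /* !fw3: IMAP-TLS */ to:192.168.1.10:143
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:143 /* !fw3: IMAP-TLS */ to:192.168.1.10:143
    2    80 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* !fw3: Web TLS */ to:192.168.1.32:443
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:443 /* !fw3: Web TLS */ to:192.168.1.32:443
    2   121 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* !fw3: Web */ to:192.168.1.32:80
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:80 /* !fw3: Web */ to:192.168.1.32:80
"""

# One DNAT rule line as printed by `iptables -nvL`; counters may carry K/M/G suffixes.
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+DNAT\s+(?P<proto>tcp|udp)\b"
    r".*?\bdpt:(?P<dport>\d+)\s+/\*\s*!fw3:\s*(?P<name>.+?)\s*\*/\s+to:(?P<to>\S+)\s*$"
)

_SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def _count(text):
    """Turn an iptables counter such as '201' or '12K' into an (approximate) integer."""
    if text[-1] in _SUFFIX:
        return int(text[:-1]) * _SUFFIX[text[-1]]
    return int(text)


def parse_dnat_counters(listing):
    """Return one dict per DNAT rule: name, proto, dport, destination and packet count."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({
                "name": m["name"],
                "proto": m["proto"],
                "dport": int(m["dport"]),
                "to": m["to"],
                "pkts": _count(m["pkts"]),
            })
    return rules


def forwards_without_hits(rules):
    """Forwards whose counter is still zero: nothing matching ever entered via the wan zone."""
    return [(r["proto"], r["dport"], r["to"]) for r in rules if r["pkts"] == 0]


def ports_forwarded_for_both_protocols(rules):
    """Ports with a tcp and a udp forward; fw3 emits both when a redirect has no `option proto`."""
    by_port = {}
    for r in rules:
        by_port.setdefault(r["dport"], set()).add(r["proto"])
    return sorted(p for p, protos in by_port.items() if protos == {"tcp", "udp"})


if __name__ == "__main__":
    rules = parse_dnat_counters(SAMPLE)
    for r in rules:
        print(f"{r['name']:10} {r['proto']} {r['dport']:>5} -> {r['to']:<18} pkts={r['pkts']}")
    print("never matched:", forwards_without_hits(rules))
    print("tcp+udp forwards (consider option proto 'tcp'):", ports_forwarded_for_both_protocols(rules))
```

For the services in this thread (SMTP, IMAP, HTTP, HTTPS) only TCP is needed; adding `option proto 'tcp'` to each `config redirect` keeps the udp DNAT rules from being generated at all, which is a small least-privilege win on the WAN edge.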

How can I tell if Spectrum is blocking the ports? The IP is different but I have had this router for several years and no IP that has been assigned has ever been blocked. I am not using port 25 to send, only to receive. The same with IMAP port 143, this is only for incoming.

Using this port checker web site, it says smtp and imap are open: https://portchecker.co/check

But if I try to test SMTP or telnet in, I cannot reach it. Using ncat to any port times out.

What about traffic rules, do I need to set something up there? Also in zones I have:
wan => Lan => accept accept reject

Try using another port, as suggested by @frollic.

iptables -t nat -I zone_wan_prerouting -p tcp -m tcp --dport 10025  -j DNAT --to-destination 192.168.1.10:25

Try to telnet the mail server on external port 10025 and check the counters again.

iptables -t nat -nvL zone_wan_prerouting | head -n3

No luck, telnet times out. ncat times out.

What about bridge mode, would that be necessary?

I think it has to be something in the config. I've been using spectrum with my mail server for several years without any trouble.

If the modem is not in bridge mode, you need to create port forwarding rules in the modem as well, or activate the DMZ feature if available.

The configuration looks correct.

BTW there are hits on ports 80 and 443.
Do you have access to the web server?

The hits on 80 and 443 are from the lan. I wanted to make sure they were open on the same network.

I set up bridge mode according to this info:

But it didn't seem to make any difference.

When I send from Yahoo I get this failure code: 550: 5.0.1 Recipient rejected

Can't find exactly what that code means.

It's an SMTP error code.

If your mailer can't reveal the whole error message, you can always telnet to the SMTP port and try sending the mail "manually".

Telnet times out. Doesn't reach.

Found it. I had my DNS servers off by one digit!

But now I am getting Error 553: Open Resolver from my server.

Actually this error is coming from Spamhaus block list.

Ok, deleted Spamhaus and it works. Don't know why Spamhaus would start throwing this error with OpenWrt. Any ideas?
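A note added here, not part of the thread: Spamhaus does not answer DNSBL queries that arrive through public or open resolvers; instead of NXDOMAIN or a listing it returns a special error code, 127.255.255.254, whose TXT record is the "open resolver" text seen above. An MTA that treats any 127.x.x.x answer as a listing will then reject every sender. So the usual cause after a router reinstall is that the mail server (or the router's DNS forwarder it uses) now points at a public resolver such as the ISP's or a well-known anycast one; the fix is to resolve DNSBL lookups through a non-public recursive resolver and to make the MTA distinguish listing codes from error codes, rather than dropping the blocklist. The Python below is my own example (not code from the thread, Spamhaus or any MTA): it builds the reversed-octet query name, classifies the returned A records using the published Spamhaus ZEN return codes, and turns the result into an SMTP decision that never rejects on an error code. The resolver replies are constructed to simulate a local and a public resolver.

```python
import ipaddress

ZEN = "zen.spamhaus.org"

# Spamhaus ZEN return codes: listing codes map to the sub-list, 127.255.255.x are errors.
LISTED = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
ERRORS = {
    "127.255.255.252": "typing error in the DNSBL name",
    "127.255.255.254": "query sent via a public/open resolver",
    "127.255.255.255": "excessive query volume",
}


def query_name(client_ip, zone=ZEN):
    """DNSBL lookup name for an IPv4 client: octets reversed, zone appended."""
    ip = ipaddress.IPv4Address(client_ip)
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def evaluate(answers):
    """Classify the A records returned for a DNSBL query ([] means NXDOMAIN, i.e. not listed).

    Returns ("listed", [sub-lists]) | ("clean", []) | ("error", reason).
    """
    hits, problems = [], []
    for a in answers:
        if a in LISTED:
            hits.append(LISTED[a])
        elif a in ERRORS:
            problems.append(ERRORS[a])
        else:
            problems.append(f"unknown return code {a}")
    if problems:
        return ("error", "; ".join(problems))
    if hits:
        return ("listed", sorted(set(hits)))
    return ("clean", [])


def smtp_decision(client_ip, resolve):
    """resolve: callable name -> list of A records. Error codes never cause a reject."""
    verdict, detail = evaluate(resolve(query_name(client_ip)))
    if verdict == "listed":
        return "reject", f"554 5.7.1 {client_ip} listed in {ZEN} ({', '.join(detail)})"
    if verdict == "error":
        return "accept", f"DNSBL lookup for {client_ip} unusable: {detail}; check resolver"
    return "accept", "not listed"


# Constructed replies. 127.0.0.2 is the Spamhaus test address; a public resolver only
# ever gets the open-resolver error, whatever the client address.
LOCAL_RESOLVER = {
    query_name("127.0.0.2"): ["127.0.0.2", "127.0.0.4", "127.0.0.10"],
}


def via_local_resolver(name):
    return LOCAL_RESOLVER.get(name, [])


def via_public_resolver(name):
    return ["127.255.255.254"]


if __name__ == "__main__":
    for client in ("127.0.0.2", "192.0.2.10"):
        print("local :", client, smtp_decision(client, via_local_resolver))
        print("public:", client, smtp_decision(client, via_public_resolver))
```

If the MTA is Postfix, the equivalent of the `evaluate` filter is to restrict the check to listing codes, `reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]`, and to point `/etc/resolv.conf` on the mail server at a resolver that is not a public one (a local recursive resolver such as unbound works; the router's dnsmasq counts as public if it simply forwards to a public upstream).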