Hello,
I just installed OpenWRT on my tp-link Archer a7. I have a web server and a mail server on my lan and I am trying to configure port forwarding to these servers but can't seem to get it to work. I am using Spectrum cable modem with no spectrum router or wifi, just the A7 connected to the cable modem via wan interface.
I can ping the A7 but cannot telnet to port 25 or 143.
I have set up port forwarding as below for smtp and imap services on the mail server:
config redirect
    option dest 'lan'
    option target 'DNAT'
    option name 'SMTP'
    option src 'wan'
    option src_dport '25'
    option dest_ip '192.168.1.10'
    option dest_port '25'

config redirect
    option dest 'lan'
    option target 'DNAT'
    option name 'IMAP-TLS'
    option src 'wan'
    option src_dport '143'
    option dest_ip '192.168.1.10'
    option dest_port '143'
Anything else I need to do?
I can imagine those ports being blocked by the ISP.
Try using a different port, externally.
Not the case. I had it working under the tp-link software before I flashed it.
What is the output of
iptables -t nat -nvL zone_wan_prerouting
iptables -t nat -nvL zone_wan_prerouting
Chain zone_wan_prerouting (1 references)
pkts bytes target prot opt in out source destination
201 9417 prerouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan prerouting rule chain */
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 /* !fw3: SMTP */ to:192.168.1.10:25
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:25 /* !fw3: SMTP */ to:192.168.1.10:25
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143 /* !fw3: IMAP-TLS */ to:192.168.1.10:143
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:143 /* !fw3: IMAP-TLS */ to:192.168.1.10:143
2 80 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 /* !fw3: Web TLS */ to:192.168.1.32:443
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:443 /* !fw3: Web TLS */ to:192.168.1.32:443
2 121 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 /* !fw3: Web */ to:192.168.1.32:80
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:80 /* !fw3: Web */ to:192.168.1.32:80
There are no hits on the rules, so the requests do not reach the wan interface.
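The counter check from the reply above can be scripted. This is an added example, not part of the original thread: it reads `iptables -t nat -nvL <chain>` output and lists the DNAT rules whose packet counter is zero (or non-zero). The function names `dnat_rules` and `sample_output` are hypothetical, and the sample rows are constructed in the column layout shown in the thread.

```shell
#!/bin/sh
# Added example: split DNAT rules from `iptables -t nat -nvL <chain>` output
# into "no packet has matched yet" and "has been hit".

# Constructed sample rows in the layout shown in the thread (not live output).
sample_output() {
cat <<'EOF'
Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
  201  9417 prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan prerouting rule chain */
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 /* !fw3: SMTP */ to:192.168.1.10:25
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:25 /* !fw3: SMTP */ to:192.168.1.10:25
    2    80 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* !fw3: Web TLS */ to:192.168.1.32:443
  12K  700K DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* !fw3: Web */ to:192.168.1.32:80
EOF
}

# dnat_rules zero|hit : read iptables -nvL output on stdin and print
# "proto/dport -> target pkts=N" for DNAT rules in the requested state.
dnat_rules() {
  awk -v want="$1" '
    $3 == "DNAT" {
      dport = ""; to = ""
      for (i = 4; i <= NF; i++) {
        # First dpt:/dpts: token is the match; later ones could be comment text.
        if (dport == "" && $i ~ /^dpts?:/) { dport = $i; sub(/^dpts?:/, "", dport) }
        # The real target is the last to: token on the line.
        if ($i ~ /^to:/) to = substr($i, 4)
      }
      # Counters may be abbreviated (12K, 3M); only a literal 0 means no hits.
      state = ($1 == "0") ? "zero" : "hit"
      if (state == want) printf "%s/%s -> %s pkts=%s\n", $4, dport, to, $1
    }'
}

# Stand-alone run against the constructed sample.
# On the router: iptables -t nat -nvL zone_wan_prerouting | dnat_rules zero
sample_output | dnat_rules zero
```

A rule that stays in the `zero` list while you test from outside means no packet has matched it in that chain, which is how the reply above reads the counters.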
How can I tell if Spectrum is blocking the ports? The IP is different but I have had this router for several years and no IP that has been assigned has ever been blocked. I am not using port 25 to send, only to receive. The same with IMAP port 143, this is only for incoming.
Using this port checker web site, it says smtp and imap are open: https://portchecker.co/check
But if I try to test smtp or telnet in, I cannot reach. Using ncat to any port times out.
What about traffic rules, do I need to set something up there? Also in zones I have:
wan => Lan => accept accept reject
Try using another port, as suggested by @frollic .
iptables -t nat -I zone_wan_prerouting -p tcp -m tcp --dport 10025 -j DNAT --to-destination 192.168.1.10:25
Try to telnet the mail server on external port 10025 and check the counters again.
iptables -t nat -nvL zone_wan_prerouting | head -n3
kc0dxf
May 16, 2022, 3:56pm
11
No luck, telnet times out. ncat times out.
What about bridge mode, would that be necessary?
I think it has to be something in the config. I've been using spectrum with my mail server for several years without any trouble.
If the modem is not in bridge mode, you need to create port forwarding rules in the modem as well, or activate the DMZ feature if available.
The configuration looks correct.
BTW there are hits on ports 80 and 443.
Do you have access to the web server?
kc0dxf
May 16, 2022, 4:56pm
13
The hits on 80 and 443 are from the lan. I wanted to make sure they were open on the same network.
kc0dxf
May 16, 2022, 4:59pm
14
I set up bridge mode according to this info:
But it didn't seem to make any difference.
kc0dxf
May 16, 2022, 5:14pm
15
When I send from yahoo I get this failure code: 550: 5.0.1 Recipient rejected
Can't find exactly what that code means.
It's an SMTP error code.
If your mailer can't reveal the whole error message, you can always telnet the smtp port and try sending the mail "manually".
kc0dxf
May 16, 2022, 5:44pm
17
Telnet times out. Doesn't reach.
kc0dxf
May 16, 2022, 6:08pm
18
Found it. I had my DNS servers off by one digit!
But now I am getting Error 553: Open Resolver from my server.
Actually this error is coming from Spamhaus block list.
kc0dxf
May 16, 2022, 6:28pm
19
Ok, deleted spamhaus and it works. Don't know why Spamhaus would start throwing this error with Openwrt. Any ideas?