Richy85
September 18, 2020, 2:13pm
1
So I've been trying to port forward for a variety of devices and applications but nothing I do seems to actually work.
I have a NAS and a server I am trying to port forward for and also certain applications.
I go to Network > Firewall > Port Forward > Add, then enter the protocol, external port and destination (any or a dedicated IP, it doesn't matter; nothing works) and save, but nothing seems to be open or working.
I have tried restarting but still no joy.
Used to be able to open ports no problem on my old router/firmware (TP Link Archer C7) and whatever routers I've had in the past.
I've tried various port scanners and none can detect the ports I'm trying to forward. The main one is port 5000 for my nas but am also trying to forward ports in higher ranges (over 10,000) but no luck...
Is there something I'm missing?
trendy
September 18, 2020, 2:36pm
2
Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have
ubus call system board; \
uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c -t nat; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
Richy85
September 18, 2020, 2:40pm
3
Forgive my noobness, but where do I enter commands?
trendy
September 18, 2020, 2:51pm
4
Use ssh to connect to the device.
Richy85
September 18, 2020, 3:16pm
5
root@OpenWrt:~# ubus call system board;
{
"kernel": "4.14.171",
"hostname": "OpenWrt",
"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
"model": "TP-Link Archer C7 v5",
"board_name": "tplink,archer-c7-v5",
"release": {
"distribution": "OpenWrt",
"version": "19.07.2",
"revision": "r10947-65030d81f3",
"target": "ath79/generic",
"description": "OpenWrt 19.07.2 r10947-65030d81f3"
root@OpenWrt:~# uci export network; uci export fireall;
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd73:f66d:76a2::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option ifname 'eth0.2'
option proto 'pppoe'
option password 'xxxxxxxxxxxxxxxxxxx'
option ipv6 'auto'
option username 'xxxxxxxxxxxxxxxxxxxxx'
list dns '1.1.1.1'
list dns '8.8.8.8'
option peerdns '0'
config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr '1c:3b:f3:b3:9f:6e'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'
uci: Entry not found
root@OpenWrt:~# head -n -0 /etc/firewall.user;
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
root@OpenWrt:~# head -n -0 /setc/firewall.user; \
> iptables-save -c -t nat; \
> iptables-save -c -t nat;
head: /setc/firewall.user: No such file or directory
# Generated by iptables-save v1.8.3 on Fri Sep 18 16:01:43 2020
*nat
:PREROUTING ACCEPT [779913:172561401]
:INPUT ACCEPT [24039:2053456]
:OUTPUT ACCEPT [26260:1950438]
:POSTROUTING ACCEPT [4265:297990]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[783869:172770222] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[474360:153032534] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[309509:19737688] -A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[385805:21581224] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[4221:294378] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[381517:21282038] -A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[4221:294378] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[23:1196] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.105/32 -p tcp -m tcp --dport 5000 -m comment --comment "!fw3: DS918 (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.105/32 -p udp -m udp --dport 5000 -m comment --comment "!fw3: DS918 (reflection)" -j SNAT --to-source 192.168.1.1
[474360:153032534] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[23:1196] -A zone_lan_prerouting -s 192.168.1.0/24 -d 78.33.160.189/32 -p tcp -m tcp --dport 5000 -m comment --comment "!fw3: DS918 (reflection)" -j DNAT --to-destination 192.168.1.105:5000
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 78.33.160.189/32 -p udp -m udp --dport 5000 -m comment --comment "!fw3: DS918 (reflection)" -j DNAT --to-destination 192.168.1.105:5000
[381517:21282038] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[381517:21282038] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[309509:19737688] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[3931:207528] -A zone_wan_prerouting -p tcp -m tcp --dport 5000 -m comment --comment "!fw3: DS918" -j DNAT --to-destination 192.168.1.105:5000
[1:57] -A zone_wan_prerouting -p udp -m udp --dport 5000 -m comment --comment "!fw3: DS918" -j DNAT --to-destination 192.168.1.105:5000
[1:40] -A zone_wan_prerouting -p tcp -m tcp --dport 24800 -m comment --comment "!fw3: Soulseek" -j REDIRECT --to-ports 24800
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 24800 -m comment --comment "!fw3: Soulseek" -j REDIRECT --to-ports 24800
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 24801 -m comment --comment "!fw3: Soulseek2" -j REDIRECT --to-ports 24801
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 24801 -m comment --comment "!fw3: Soulseek2" -j REDIRECT --to-ports 24801
COMMIT
# Completed on Fri Sep 18 16:01:43 2020
# Generated by iptables-save v1.8.3 on Fri Sep 18 16:01:43 2020
*nat
:PREROUTING ACCEPT [779913:172561401]
:INPUT ACCEPT [24039:2053456]
:OUTPUT ACCEPT [26260:1950438]
:POSTROUTING ACCEPT [4265:297990]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[783869:172770222] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[474360:153032534] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[309509:19737688] -A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[385805:21581224] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[4221:294378] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[381517:21282038] -A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[4221:294378] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[23:1196] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.105/32 -p tcp -m tcp --dport 5000 -m comment --comment "!fw3: DS918 (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.105/32 -p udp -m udp --dport 5000 -m comment --comment "!fw3: DS918 (reflection)" -j SNAT --to-source 192.168.1.1
[474360:153032534] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[23:1196] -A zone_lan_prerouting -s 192.168.1.0/24 -d 78.33.160.189/32 -p tcp -m tcp --dport 5000 -m comment --comment "!fw3: DS918 (reflection)" -j DNAT --to-destination 192.168.1.105:5000
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 78.33.160.189/32 -p udp -m udp --dport 5000 -m comment --comment "!fw3: DS918 (reflection)" -j DNAT --to-destination 192.168.1.105:5000
[381517:21282038] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[381517:21282038] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[309509:19737688] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[3931:207528] -A zone_wan_prerouting -p tcp -m tcp --dport 5000 -m comment --comment "!fw3: DS918" -j DNAT --to-destination 192.168.1.105:5000
[1:57] -A zone_wan_prerouting -p udp -m udp --dport 5000 -m comment --comment "!fw3: DS918" -j DNAT --to-destination 192.168.1.105:5000
[1:40] -A zone_wan_prerouting -p tcp -m tcp --dport 24800 -m comment --comment "!fw3: Soulseek" -j REDIRECT --to-ports 24800
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 24800 -m comment --comment "!fw3: Soulseek" -j REDIRECT --to-ports 24800
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 24801 -m comment --comment "!fw3: Soulseek2" -j REDIRECT --to-ports 24801
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 24801 -m comment --comment "!fw3: Soulseek2" -j REDIRECT --to-ports 24801
COMMIT
# Completed on Fri Sep 18 16:01:43 2020
root@OpenWrt:~# iptables-save -c -t nat;
# Generated by iptables-save v1.8.3 on Fri Sep 18 16:11:26 2020
*nat
:PREROUTING ACCEPT [782266:173050631]
:INPUT ACCEPT [24114:2059401]
:OUTPUT ACCEPT [26355:1957039]
:POSTROUTING ACCEPT [4275:298786]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[786231:173259920] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[475860:153469280] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[310371:19790640] -A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[387169:21648199] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[4231:295174] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[382871:21348217] -A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[4231:295174] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[23:1196] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.105/32 -p tcp -m tcp --dport 5000 -m comment --comment "!fw3: DS918 (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.105/32 -p udp -m udp --dport 5000 -m comment --comment "!fw3: DS918 (reflection)" -j SNAT --to-source 192.168.1.1
[475860:153469280] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[23:1196] -A zone_lan_prerouting -s 192.168.1.0/24 -d 78.33.160.189/32 -p tcp -m tcp --dport 5000 -m comment --comment "!fw3: DS918 (reflection)" -j DNAT --to-destination 192.168.1.105:5000
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 78.33.160.189/32 -p udp -m udp --dport 5000 -m comment --comment "!fw3: DS918 (reflection)" -j DNAT --to-destination 192.168.1.105:5000
[382871:21348217] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[382871:21348217] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[310371:19790640] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[3940:207996] -A zone_wan_prerouting -p tcp -m tcp --dport 5000 -m comment --comment "!fw3: DS918" -j DNAT --to-destination 192.168.1.105:5000
[1:57] -A zone_wan_prerouting -p udp -m udp --dport 5000 -m comment --comment "!fw3: DS918" -j DNAT --to-destination 192.168.1.105:5000
[1:40] -A zone_wan_prerouting -p tcp -m tcp --dport 24800 -m comment --comment "!fw3: Soulseek" -j REDIRECT --to-ports 24800
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 24800 -m comment --comment "!fw3: Soulseek" -j REDIRECT --to-ports 24800
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 24801 -m comment --comment "!fw3: Soulseek2" -j REDIRECT --to-ports 24801
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 24801 -m comment --comment "!fw3: Soulseek2" -j REDIRECT --to-ports 24801
COMMIT
# Completed on Fri Sep 18 16:11:26 2020
root@OpenWrt:~# ip -4 ro li tab all ; ip -4 ru
default via **.**.***.*** dev pppoe-wan
**.**.***.*** dev pppoe-wan scope link src **.**.***.***
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
local **.**.***.*** dev pppoe-wan table local scope host src **.**.***.***
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link src 192.168.1.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
krazeh
September 18, 2020, 3:20pm
6
Can you redo `uci export firewall`? You had it as `uci export fireall` in the output above.
trendy
September 18, 2020, 3:26pm
7
[3931:207528] -A zone_wan_prerouting -p tcp -m tcp --dport 5000 -m comment --comment "!fw3: DS918" -j DNAT --to-destination 192.168.1.105:5000
[1:57] -A zone_wan_prerouting -p udp -m udp --dport 5000 -m comment --comment "!fw3: DS918" -j DNAT --to-destination 192.168.1.105:5000
[1:40] -A zone_wan_prerouting -p tcp -m tcp --dport 24800 -m comment --comment "!fw3: Soulseek" -j REDIRECT --to-ports 24800
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 24800 -m comment --comment "!fw3: Soulseek" -j REDIRECT --to-ports 24800
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 24801 -m comment --comment "!fw3: Soulseek2" -j REDIRECT --to-ports 24801
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 24801 -m comment --comment "!fw3: Soulseek2" -j REDIRECT --to-ports 24801
The first 3 redirects seem to work, judging by the hits they have. The last 3 don't have any hits. Note, though, that the last 4 rules are REDIRECTs, which means the traffic is redirected to the router itself rather than to a LAN host. I am not sure that this is what you wanted.
Richy85
September 18, 2020, 4:13pm
8
root@OpenWrt:~# uci export firewall
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config redirect
option src 'wan'
option name 'DS918'
option src_dport '5000'
option target 'DNAT'
option dest_ip '192.168.1.105'
option dest 'lan'
config redirect
option src 'wan'
option name 'Soulseek'
option target 'DNAT'
option dest 'lan'
option src_dport '24800'
config redirect
option src 'wan'
option name 'Soulseek2'
option target 'DNAT'
option dest 'lan'
option src_dport '24801'
trendy
September 18, 2020, 5:01pm
9
There is no destination IP in the Soulseek rules.
Richy85
September 18, 2020, 5:01pm
10
I've tried it set to "any" and with a specific IP (I have static addresses). Neither works.
You also need to open those ports in the firewall on the destination host.
And make sure to run the service which is supposed to listen on those ports.
trendy
September 18, 2020, 5:07pm
12
Post again the commands mentioned above with these things fixed.
Richy85
September 19, 2020, 7:29am
13
Yep, all set up. I have even tried disabling the firewall/security software on the devices, but still no joy.
root@OpenWrt:~# ubus call system board;
{
"kernel": "4.14.171",
"hostname": "OpenWrt",
"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
"model": "TP-Link Archer C7 v5",
"board_name": "tplink,archer-c7-v5",
"release": {
"distribution": "OpenWrt",
"version": "19.07.2",
"revision": "r10947-65030d81f3",
"target": "ath79/generic",
"description": "OpenWrt 19.07.2 r10947-65030d81f3"
}
}
root@OpenWrt:~# uci export network; uci export firewall
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd73:f66d:76a2::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option ifname 'eth0.2'
option proto 'pppoe'
option password '**************'
option ipv6 'auto'
option username '************************************'
list dns '1.1.1.1'
list dns '8.8.8.8'
option peerdns '0'
config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr '1c:3b:f3:b3:9f:6e'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config redirect
option src 'wan'
option name 'DS918'
option src_dport '5000'
option target 'DNAT'
option dest_ip '192.168.1.105'
option dest 'lan'
config redirect
option src 'wan'
option name 'Soulseek'
option target 'DNAT'
option dest 'lan'
option src_dport '24800'
option dest_ip '192.168.1.221'
config redirect
option src 'wan'
option name 'Soulseek2'
option target 'DNAT'
option dest 'lan'
option src_dport '24801'
option dest_ip '192.168.1.221'
root@OpenWrt:~# head -n -0 /etc/firewall.user;
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
root@OpenWrt:~# iptables-save -c -t nat;
# Generated by iptables-save v1.8.3 on Sat Sep 19 08:23:31 2020
*nat
:PREROUTING ACCEPT [147032:34681736]
:INPUT ACCEPT [5948:525864]
:OUTPUT ACCEPT [4855:374622]
:POSTROUTING ACCEPT [779:71980]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[147695:34716948] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[93537:31122259] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[54158:3594689] -A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[71793:3881502] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[774:71620] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[71014:3809522] -A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[774:71620] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.105/32 -p tcp -m tcp --dport 5000 -m comment --comment "!fw3: DS918 (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.105/32 -p udp -m udp --dport 5000 -m comment --comment "!fw3: DS918 (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.221/32 -p tcp -m tcp --dport 24800 -m comment --comment "!fw3: Soulseek (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.221/32 -p udp -m udp --dport 24800 -m comment --comment "!fw3: Soulseek (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.221/32 -p tcp -m tcp --dport 24801 -m comment --comment "!fw3: Soulseek2 (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.221/32 -p udp -m udp --dport 24801 -m comment --comment "!fw3: Soulseek2 (reflection)" -j SNAT --to-source 192.168.1.1
[93537:31122259] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d **.**.***.***/32 -p tcp -m tcp --dport 5000 -m comment --comment "!fw3: DS918 (reflection)" -j DNAT --to-destination 192.168.1.105:5000
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d **.**.***.***/32 -p udp -m udp --dport 5000 -m comment --comment "!fw3: DS918 (reflection)" -j DNAT --to-destination 192.168.1.105:5000
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d **.**.***.***/32 -p tcp -m tcp --dport 24800 -m comment --comment "!fw3: Soulseek (reflection)" -j DNAT --to-destination 192.168.1.221:24800
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d **.**.***.***/32 -p udp -m udp --dport 24800 -m comment --comment "!fw3: Soulseek (reflection)" -j DNAT --to-destination 192.168.1.221:24800
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d **.**.***.***/32 -p tcp -m tcp --dport 24801 -m comment --comment "!fw3: Soulseek2 (reflection)" -j DNAT --to-destination 192.168.1.221:24801
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d **.**.***.***/32 -p udp -m udp --dport 24801 -m comment --comment "!fw3: Soulseek2 (reflection)" -j DNAT --to-destination 192.168.1.221:24801
[71014:3809522] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[71014:3809522] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[54158:3594689] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[662:35152] -A zone_wan_prerouting -p tcp -m tcp --dport 5000 -m comment --comment "!fw3: DS918" -j DNAT --to-destination 192.168.1.105:5000
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 5000 -m comment --comment "!fw3: DS918" -j DNAT --to-destination 192.168.1.105:5000
[1:60] -A zone_wan_prerouting -p tcp -m tcp --dport 24800 -m comment --comment "!fw3: Soulseek" -j DNAT --to-destination 192.168.1.221:24800
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 24800 -m comment --comment "!fw3: Soulseek" -j DNAT --to-destination 192.168.1.221:24800
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 24801 -m comment --comment "!fw3: Soulseek2" -j DNAT --to-destination 192.168.1.221:24801
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 24801 -m comment --comment "!fw3: Soulseek2" -j DNAT --to-destination 192.168.1.221:24801
COMMIT
# Completed on Sat Sep 19 08:23:31 2020
root@OpenWrt:~# ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
11: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN qlen 3
inet **.**.***.*** peer **.**.***.***/** scope global pppoe-wan
valid_lft forever preferred_lft forever
default via **.**.***.***dev pppoe-wan
**.**.***.*** dev pppoe-wan scope link src **.**.***.***
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
local **.**.***.*** dev pppoe-wan table local scope host src **.**.******
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link src 192.168.1.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Run Wireshark or tcpdump on the destination host and check if you can see incoming connections on those ports.
In addition, note that:
trendy
September 19, 2020, 4:43pm
15
Richy85:
[1:60]
Just one packet forwarded for tcp/24800 to 192.168.1.105:5000
The rest have 0 hits, so no traffic for those ports reached the router at all.