Port forwarding doesn't work on TL-WR940N

Hi all,

I'm trying to get my TL-WR940N running with activated port forwarding. But it doesn't work.
My actual configuration is:

  • WAN: 10.42.25.XXX
  • LAN: 192.168.0.1

Port forwarding for the defined port 8080 is configured to internal IP 192.168.0.100 port 80 - but it doesn't work.
If I directly connect to the internal network and open 192.168.0.100:80 in my web browser -> it works.
If I connect to the external (WAN) network and open 10.42.25.XXX:8080 in my web browser -> I get a timeout.

Does anyone have an idea why it doesn't work?
I have reset the router to default and only configured the WAN, LAN and Port Forwarding.

Thanks a lot!

Just one interesting piece of information: if I'm connected to the internal LAN, I can open the web page from my device by using the 10.42.25.XXX:8080 address ...

My network adapter for the internal network is configured to DHCP.

1 Like

Yes, you are right. The IP 10.42.25.XXX belongs to a private LAN.
But I have a private LAN on the WAN side and also a private LAN on the LAN side. I'm not connected to the internet!

Please post the output of:
iptables-save -c -t nat
in preformatted text (the </> button).

1 Like
# Generated by iptables-save v1.6.2 on Thu Feb 27 22:11:53 2020
*nat
:PREROUTING ACCEPT [289:24669]
:INPUT ACCEPT [62:3445]
:OUTPUT ACCEPT [168:11032]
:POSTROUTING ACCEPT [290:15912]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[289:24669] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[195:16990] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[290:15912] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[122:4880] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[122:4880] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[195:16990] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: PLC_WEB" -j DNAT --to-destination 192.168.0.100:80
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 102 -m comment --comment "!fw3: PLC" -j DNAT --to-destination 192.168.0.100:102
COMMIT
# Completed on Thu Feb 27 22:11:53 2020

The rule is there, but there are no hits.
Make sure that you are indeed connecting from wan and that you are using the right protocol and port.

1 Like

Now I'm connected by using the WAN port:

# Generated by iptables-save v1.6.2 on Thu Feb 27 22:22:27 2020
*nat
:PREROUTING ACCEPT [98:10623]
:INPUT ACCEPT [38:2016]
:OUTPUT ACCEPT [12:794]
:POSTROUTING ACCEPT [17:994]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[98:10623] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[14:1022] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[17:994] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[5:200] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[5:200] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[14:1022] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: PLC_WEB" -j DNAT --to-destination 192.168.0.100:80
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 102 -m comment --comment "!fw3: PLC" -j DNAT --to-destination 192.168.0.100:102
COMMIT
# Completed on Thu Feb 27 22:22:27 2020

No difference, hits are still 0.

1 Like

Sorry, I don't understand what you mean ...

These numbers at the beginning of the line show the packets:bytes for each rule. Zero means that nothing matched this rule.

You need to verify that you are trying to connect to the wan interface, correct protocol (tcp) and port (8080).

1 Like

I'm definitely connected to the WAN port and I try to open the page 10.42.25.232:8080 in my web browser.

opkg update
opkg install tcpdump
tcpdump -evn -i any tcp port 8080
2 Likes

What makes me a bit nervous is that I can connect to the IP 10.42.25.232:8080 when I'm connected to the LAN interface with the local address 192.168.0.150 ....

I think I found it. The wan zone is empty. Post uci export firewall to verify.

2 Likes
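Two checks that can be run mechanically over an `iptables-save -c` dump like the ones above: chains that hold rules but are never the target of a jump, and DNAT rules whose packet counter is zero. This is an added example, not part of the original thread; `analyze` is a hypothetical helper name and the sample is a constructed, abridged copy of the second dump posted above.

```python
import re

# Constructed sample: abridged from the second nat-table dump in this thread.
SAMPLE = '''\
*nat
:PREROUTING ACCEPT [98:10623]
:POSTROUTING ACCEPT [17:994]
:prerouting_rule - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_prerouting - [0:0]
[98:10623] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[14:1022] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: PLC_WEB" -j DNAT --to-destination 192.168.0.100:80
COMMIT
'''

# "[packets:bytes] -A <chain> <rule body>" as written by iptables-save -c
RULE = re.compile(r'^\[(\d+):(\d+)\] -A (\S+) (.*)$')
BUILTIN = {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING", "FORWARD"}

def analyze(dump):
    """Return (unreferenced_chains, zero_hit_nat_rules) for one dumped table."""
    rules = {}       # chain name -> list of (packet count, rule body)
    targets = set()  # every name used as a -j / -g target
    for line in dump.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # table header, chain policy line, COMMIT, comments
        pkts, _bytes, chain, body = m.groups()
        rules.setdefault(chain, []).append((int(pkts), body))
        # Drop quoted comment text first so a "-j" inside a comment is ignored.
        t = re.search(r'(?:^|\s)-[jg] (\S+)', re.sub(r'"[^"]*"', '', body))
        if t:
            targets.add(t.group(1))
    # A user chain with rules that nothing jumps to can never see a packet.
    unreferenced = sorted(c for c in rules if c not in BUILTIN and c not in targets)
    zero = [(c, b) for c, rs in rules.items() for p, b in rs
            if p == 0 and ("DNAT" in b or "REDIRECT" in b)]
    return unreferenced, zero

if __name__ == "__main__":
    unreferenced, zero = analyze(SAMPLE)
    print("chains with rules but no jump to them:", unreferenced)
    for chain, body in zero:
        print("zero-hit NAT rule in", chain, "->", body)
```

A zero counter on a rule in a referenced chain means no matching traffic arrived; a zero counter in an unreferenced chain means the rule could not have matched regardless of traffic.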
package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        option forward 'REJECT'
        option network 'wan wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '8080'
        option dest_ip '192.168.0.100'
        option dest_port '80'
        option name 'PLC_WEB'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option dest_ip '192.168.0.100'
        option name 'PLC'
        option proto 'tcp'
        option src_dport '102'
        option dest_port '102'

config forwarding
        option dest 'wan'
        option src 'lan'

That is correct. What about uci show network.wan ?

network.wan=interface
network.wan.ifname='eth0'
network.wan.proto='static'
network.wan.ipaddr='10.42.25.232'
network.wan.netmask='255.255.252.0'
network.wan.gateway='10.42.24.1'
network.wan.dns='10.42.24.1'

Looks good too, try to restart the firewall and post the output.
fw3 restart

1 Like
Warning: Unable to locate ipset utility, disabling ipset support
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Redirect 'PLC_WEB'
   * Redirect 'PLC'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 nat table
   * Redirect 'PLC_WEB'
   * Redirect 'PLC'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'