Port forwarding doesn't work on TL-WR940N

trendy · November 17, 2020, 3:17pm

no errors, that's good. Post again the iptables-save -c

d368 · November 18, 2020, 1:48pm

# Generated by iptables-save v1.6.2 on Thu Feb 27 23:09:34 2020
*nat
:PREROUTING ACCEPT [173:33682]
:INPUT ACCEPT [50:3378]
:OUTPUT ACCEPT [41:2943]
:POSTROUTING ACCEPT [6:408]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[173:33682] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[0:0] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[173:33682] -A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_wan_prerouting
[46:3143] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[40:2735] -A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.0.0/24 -d 192.168.0.100/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: PLC_WEB (reflection)" -j SNAT --to-source 192.168.0.1
[0:0] -A zone_lan_postrouting -s 192.168.0.0/24 -d 192.168.0.100/32 -p tcp -m tcp --dport 102 -m comment --comment "!fw3: PLC (reflection)" -j SNAT --to-source 192.168.0.1
[0:0] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.0.0/24 -d 10.42.25.232/32 -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: PLC_WEB (reflection)" -j DNAT --to-destination 192.168.0.100:80
[0:0] -A zone_lan_prerouting -s 192.168.0.0/24 -d 10.42.25.232/32 -p tcp -m tcp --dport 102 -m comment --comment "!fw3: PLC (reflection)" -j DNAT --to-destination 192.168.0.100:102
[40:2735] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[40:2735] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[173:33682] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: PLC_WEB" -j DNAT --to-destination 192.168.0.100:80
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 102 -m comment --comment "!fw3: PLC" -j DNAT --to-destination 192.168.0.100:102
COMMIT
# Completed on Thu Feb 27 23:09:34 2020
# Generated by iptables-save v1.6.2 on Thu Feb 27 23:09:34 2020
*mangle
:PREROUTING ACCEPT [376:51121]
:INPUT ACCEPT [253:20817]
:FORWARD ACCEPT [5:260]
:OUTPUT ACCEPT [249:35813]
:POSTROUTING ACCEPT [244:35413]
[5:260] -A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Feb 27 23:09:34 2020
# Generated by iptables-save v1.6.2 on Thu Feb 27 23:09:34 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
[79:6719] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[176:14178] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[95:7673] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[81:6505] -A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
[5:260] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[5:260] -A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[79:6719] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[168:29438] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[113:25301] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[55:4137] -A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
[5:260] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[55:4137] -A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
[5:260] -A zone_wan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
[5:260] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[5:260] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[81:6505] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[81:6505] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
[55:4137] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[55:4137] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[81:6505] -A zone_wan_src_ACCEPT -i eth0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Thu Feb 27 23:09:34 2020

trendy · November 18, 2020, 1:56pm

Looks better now, the eth0 is assigned to the wan zone correctly.
Try to connect from wan.

d368 · November 18, 2020, 2:10pm

I'm still connected by WAN - doesn't work. I still cant open the 10.42.25.232:8080 webpage ...

vgaetera · November 18, 2020, 2:14pm

Proceed with diagnostics:
Port forwarding doesn't work on TL-WR940N

d368 · November 18, 2020, 5:40pm

I'm sorry, this is not possible:

Collected errors:
 * verify_pkg_installable: Only have 72kb available on filesystem /overlay, pkg tcpdump needs 284
 * opkg_install_cmd: Cannot install package tcpdump.

trendy · November 18, 2020, 7:18pm

Post this to see if there are hits:
iptables-save -c -t nat

lleachii · November 18, 2020, 7:31pm

~~It should work if you rectify this situation before trying.~~

Disregard, I observed you received a size error.

trendy · November 18, 2020, 7:35pm

It means that the PC is connected on the wan interface of the router. Doesn't have to be connected to the internet for that.
@d368 make sure that you are configuring the PC correctly when you connect it to the wan.

network.wan.ipaddr='10.42.25.232'
network.wan.netmask='255.255.252.0'

The subnet mask is rather unsual.

d368 · November 19, 2020, 5:44am

The subnet mask is rather unsual.

Yes, I know it, but this is what I have to configure from customers side...

@d368 make sure that you are configuring the PC correctly when you connect it to the wan.

My PC has the IP 10.42.25.240 with subnet mask 255.255.252.0. So it should work.
I think it's only an small error ... but I have no idea how to solve it. F**** ....

trendy · November 19, 2020, 8:57am

Follow the instructions.

vgaetera · November 19, 2020, 10:22am

iptables -I forwarding_rule -j LOG --log-prefix iptables:
logread -f -e iptables

d368 · November 19, 2020, 10:36am

make sure that you are configuring the PC correctly when you connect it to the wan.

Hi all,

this is what does me think about the settings, that the customer has to implement on his device. I found the problem and now it's working: the device with IP 192.168.0.100 should be set up by the customer with the IP 192.168.0.100, subnet mask 255.255.255.0 and also with the gateway 192.168.0.1. But the customer forgot to setup the gateway for the device 192.168.0.100.

Now it's working perfectly!
Thanks all who helped me solving this problem!

trendy · November 19, 2020, 10:41am

Didn't it occur to the customer that the device doesn't have internet?

d368 · November 19, 2020, 10:47am

Both devices, means the device 192.168.0.100 and also the PC with IP 10.42.25.240 are in a private network without access to the internet. The customer said that he configured the device correctly - but this hasn't been the case. And I didn't believe much in the customers IT department .

And my fault is, that I didn't check the customers configuration (how should I do this without access to the device)!

trendy · November 19, 2020, 10:50am

Still, we should be able to see the hits of the iptables' DNAT rule.

system · November 29, 2020, 10:50am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.