Port forwarding doesn't work. TL-WR842N3G + 3G modem ZTE MF637

Manvelloid · October 29, 2021, 12:13am

Hi everyone!
I am trying to access to my local IP cameras from internet for this purpose I have to use 3g usb modem and router. So my configuration is 3g modem with static IP sim (ZTE mf637)--> router (tl wr842n) --> local ip cams and other devices. I have installed 21.02 and configured usb modem on it. Now I can share internet and even access my router configurations from web. But unfortunately port forwarding doesn't seem to work, I cant access from web to my devices and I cant understand what is the problem.

Manvelloid · October 29, 2021, 12:14am

Manvelloid · October 29, 2021, 12:14am

jaromanda · October 29, 2021, 12:25am

Many mobile data services do not allow incoming connections - i.e. all ports are blocked by the provider

so, port-forwarding won't ever be an option

psherman · October 29, 2021, 12:26am

@jaromanda is absolutely right - most mobile providers use cg-nat which means they port forwarding is not possible.

jaromanda · October 29, 2021, 12:28am

Interesting - so, what is the first octet of your 3g-USB IPv4 address?

psherman · October 29, 2021, 12:52am

Do you mean that you can access the router configuration from the internet, or are you on your local network accessing it via a web browser?

I will also add that you should never expose the router admin interface to the internet.

mk24 · October 29, 2021, 2:57am

It's not a good idea to expose IP cameras to the Internet either since especially the cheap ones have dodgy firmware.

The wan interface should not be up while you're using USB as the wan. Also wan is up with an IP in the same range as lan, which will cause problems.

Manvelloid · October 29, 2021, 4:19am

Thank you guys for your response. I have asked my operator and they say that they don't block any incoming connection or ports. I can even change port via which I get access to luci from web and everything work perfect, so it isn't the issue.

Manvelloid · October 29, 2021, 4:20am

I am using internet, not local network.

Manvelloid · October 29, 2021, 4:22am

IPv4 is 46.13x.xxx.xxx

jaromanda · October 29, 2021, 4:36am

good, so it's not CGNAT

It's probably your configuration is wrong as mentioned by @mk24

Manvelloid · October 29, 2021, 4:44am

The problem is that when I delete wan interface I am loosing internet connection on local devices

jaromanda · October 29, 2021, 4:50am

that makes no sense, since the WAN interface has a LAN IP address

I think you'll need to show your /etc/config/network contents

psherman · October 29, 2021, 5:30am

Just to verify: how are you getting that IPv4 address? Are you looking at the "IPv4 Upstream" as shown by OpenWrt? Or are you using some other method like googling "what's my IP"? If the latter, what does OpenWrt report as its upstream? The same, or something different? If different, what are the first 2 octets?

Manvelloid · October 29, 2021, 5:57am

Ip4 address is same from both sources as shown in openwrt and from online services. What are octets, are they first 6 numbers or what?

psherman · October 29, 2021, 6:14am

Ok. That verifies that you do indeed have a public ip.

No need to post the response about the first 2 octets, but to answer your question: aaa.bbb.ccc.ddd -each letter grouping is an octet. Ipv4 uses 4 octets separated by periods.

trendy · October 29, 2021, 10:00am

Use ssh to connect to the device.
Then run the following command to verify that packets are hitting the firewall to be redirected: iptables-save -c -t nat | grep 8888

Manvelloid · October 29, 2021, 3:36pm

this is what I get in /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr 'xx:x:xx:xx:xx:xx'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

config interface 'USB'
        option proto '3g'
        option device '/dev/ttyUSB2'
        option apn 'connect'
        option dialnumber '*99#'
        option ipv6 'auto'

Manvelloid · October 29, 2021, 5:03pm

This is what I get

[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.1.12/32 -p tcp -m tcp --dport 8888 -m comm                                                                                         ent --comment "!fw3: WEBCam (reflection)" -j DNAT --to-destination 192.168.1.10:80
[1:52] -A zone_lan_prerouting -s 192.168.1.0/24 -d stat.ip/32 -p tcp -m tcp --dport 8888 -m com                                                                                         ment --comment "!fw3: WEBCam (reflection)" -j DNAT --to-destination 192.168.1.10:80
[13:676] -A zone_wan_prerouting -p tcp -m tcp --dport 8888 -m comment --comment "!fw3: WEBCam" -j DN                                                                                         AT --to-destination 192.168.1.10:80