Port Forwarding doesn't work

x86cokr · January 5, 2021, 4:19pm

Hi,

I modified /etc/config/firewall to open port forwarding of ftp to certain internal ip like the following and /etc/init.d/firewall restart.
However it doesn't work. "connection refused" occurs on ftp client.
If there is other thing to be required to configure, please let me know.

config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT
        option masq             1
        option mtu_fix          1

config redirect                                           
        option src              wan                       
        option src_port         21                        
        option dest             lan                       
        option dest_ip  192.168.1.32                      
        option dest_port        21                        
        option target           DNAT                      
        option proto    tcp

Thanks in advance

jamesmacwhite · January 5, 2021, 4:23pm

Drop src_port the src_port value will not be 21, so the rule will never match.

You likely intended to put 21 for src_dport and dest_port

x86cokr · January 5, 2021, 4:43pm

Thanks for your response

After I changed src_port to src_dport, the following error occurs when I tried ftp test from https://ftptest.net

Error: Connection attempt timed out

Timeouts are usually caused by some router and/or firewall that is interrupting the connection.
Try uninstalling all firewalls and plug your computer directly into your modem, thus bypassing the router.

Can you please check this to solve this issue?

trendy · January 5, 2021, 5:03pm

Is there a lan zone defined?
Post the whole output of uci export firewall; cat /etc/firewall.user
Also ftp is using multiple ports, you'll need to use 20 and 21, plus to track the passive connections.

uci add firewall redirect
uci add_list firewall.@redirect[-1].proto='tcp'
uci set firewall.@redirect[-1].src_dport='20-21'
uci set firewall.@redirect[-1].dest_ip='10.0.2.5'
uci set firewall.@redirect[-1].dest_port='20-21'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].name='ftp'
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].helper='ftp'
uci set firewall.@redirect[-1].reflection='0'
uci set firewall.@redirect[-1].target='DNAT'
uci commit firewall
service firewall restart

vgaetera · January 5, 2021, 6:25pm

x86cokr · January 6, 2021, 2:10pm

It seems that when I changed the router to openwrt, the configuration of the firewall on the PC was changed when initially connected to openwrt.
I found that the packet reached the ftp server but blocked by firewall on the PC of ftp server.
I unchecked it on the firewall, then ftp works ok.
Thanks you all for your responses.

system · January 16, 2021, 2:10pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.