Port forwarding dropping all packets on fresh install

I have a new DFRobot router carrier board with a Raspberry Pi CM4. I have:

  • Installed OpenWRT 23.05.0, completely fresh install.
  • Created a second interface (wan) and added eth1 to it, set it to DHCP and connected it to the WAN port of the ISP's HFC modem. It connects and I get a public IP.
  • Connected eth0 to my local network and all of my machines can use OpenWRT as their default gateway to the internet.
  • I disabled SSH password authentication and exposed the SSH port externally (using Network->Firewall, Traffic Rules tab), and I can SSH to my router from outside my network, from the wan side.

So far so good. However, I cannot get port forwarding to work. An example configuration:

  • Network->Firewall, Port Forwards tab
  • name: pi4 https
  • Restrict to address family: automatic
  • Protocol: TCP
  • Source zone: wan
  • External port: 8443
  • Destination zone: lan
  • Internal IP address: 192.168.1.101
  • Internal port: 443

However, packets to this port on the wan side are dropped:

rwh@ubuntu2004:~$ nmap -Pn (my server's domain name)
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-19 21:51 AEDT
Nmap scan report for (my server's domain name)
Host is up (0.19s latency).
Not shown: 998 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
8443/tcp filtered https-alt
Nmap done: 1 IP address (1 host up) scanned in 42.63 seconds

Port 443 on 192.168.1.101 is definitely open and accessible by the router.

Network and firewall config on the router:

root@home:/etc/config# cat network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd2e:07a9:702a::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth1'

root@home:/etc/config# cat firewall 

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'pi4 https'
	list proto 'tcp'
	option src 'wan'
	option src_dport '8443'
	option dest_ip '192.168.1.101'
	option dest_port '443'

config rule
	option name 'ssh wan'
	list proto 'tcp'
	option src 'wan'
	option dest_port '22'
	option target 'ACCEPT'

Did you make sure that 192.168.1.101 is using your OpenWrt router as default route?

Brilliant! I knew it must be something simple but I just couldn't see it because I was so focused on the firewall configuration. Thanks a bunch!

For anyone interested:

root@pi4:~# cat /etc/netplan/50-cloud-init.yaml 
# This file is generated from information provided by the datasource.  Changes
# to it will not persist across an instance reboot.  To disable cloud-init's
# network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
    version: 2
    ethernets:
        eth0:
            dhcp4: false
            addresses: [192.168.1.101/24]
            gateway4: 192.168.1.100
            nameservers:
                addresses: [8.8.8.8,8.8.4.4,1.1.1.1]
            dhcp6: true
            optional: true

I changed the gateway4 to 192.168.1.1, did a netplan apply and now we get this from outside:

rwh@ubuntu2004:~$ nmap -PN (my server's domain name)
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-20 08:24 AEDT
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 13.48% done; ETC: 08:24 (0:00:32 remaining)
Nmap scan report for (my server's domain name)
Host is up (0.19s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
8443/tcp open  https-alt

Nmap done: 1 IP address (1 host up) scanned in 43.89 seconds
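Why the gateway fix works, as an added example (my own model, not code from this thread or from OpenWrt): the SYN from the internet is DNATed by the router to 192.168.1.101:443, but the server's SYN-ACK is sent to whatever its default gateway is. Only the router that created the conntrack entry can reverse the translation; if the reply goes to a different gateway (192.168.1.100 here), the client never sees an answer, and a timeout is what nmap reports as "filtered" rather than "closed". The public addresses 203.0.113.10 (client) and 198.51.100.20 (router WAN) are constructed placeholders; the LAN addresses and ports mirror the thread.

```python
"""Model of a DNAT port forward with an asymmetric return path.

Added example; not code from the thread or from OpenWrt. Public IPs are
constructed documentation addresses. LAN addresses/ports mirror the thread:
router 192.168.1.1, stale gateway 192.168.1.100, server 192.168.1.101,
external 8443 -> internal 443.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN" or "SYN-ACK"


class NatRouter:
    """Stateful NAT router: DNAT on ingress from WAN, reverse translation
    only for replies that match a conntrack entry it created itself."""

    def __init__(self, wan_ip, lan_ip, forwards):
        self.wan_ip = wan_ip
        self.lan_ip = lan_ip
        # {external_port: (internal_ip, internal_port)} -- the 'config redirect'
        self.forwards = forwards
        # (client_ip, client_port, internal_ip, internal_port) -> external_port
        self.conntrack = {}

    def from_wan(self, pkt):
        # Anything not matching a redirect hits the wan zone input policy (REJECT).
        if pkt.dst != self.wan_ip or pkt.dport not in self.forwards:
            return None
        int_ip, int_port = self.forwards[pkt.dport]
        self.conntrack[(pkt.src, pkt.sport, int_ip, int_port)] = pkt.dport
        return Packet(pkt.src, pkt.sport, int_ip, int_port, pkt.flags)

    def from_lan(self, pkt):
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        ext_port = self.conntrack.get(key)
        if ext_port is None:
            return None  # no state for this flow: cannot un-DNAT the reply
        # Reverse translation: reply appears to come from wan_ip:external_port.
        return Packet(self.wan_ip, ext_port, pkt.dst, pkt.dport, pkt.flags)


class OtherGateway:
    """Some other LAN device used as default route (e.g. an old router).
    It never saw the DNATed SYN, so it has no state to translate the reply."""

    def from_lan(self, pkt):
        return None


@dataclass
class Server:
    ip: str
    port: int
    gateway: str  # the host's default route (netplan gateway4 in the thread)

    def handle(self, pkt):
        if pkt and pkt.dst == self.ip and pkt.dport == self.port and pkt.flags == "SYN":
            return Packet(self.ip, self.port, pkt.src, pkt.sport, "SYN-ACK")
        return None


def probe(server_gateway):
    """Simulate one external connect() probe to the forwarded port and
    return what a connect scan would classify the port as."""
    router = NatRouter("198.51.100.20", "192.168.1.1",
                       {8443: ("192.168.1.101", 443)})
    lan_gateways = {"192.168.1.1": router, "192.168.1.100": OtherGateway()}
    server = Server("192.168.1.101", 443, server_gateway)
    client = ("203.0.113.10", 40000)

    syn = Packet(client[0], client[1], router.wan_ip, 8443, "SYN")
    reply = server.handle(router.from_wan(syn))
    if reply is None:
        return "closed"
    # The client is off-subnet, so the server hands the reply to its gateway.
    back = lan_gateways[server.gateway].from_lan(reply)
    if back is None:
        return "filtered"  # no answer at all -> client times out
    expected = (router.wan_ip, 8443, client[0], client[1], "SYN-ACK")
    if (back.src, back.sport, back.dst, back.dport, back.flags) == expected:
        return "open"
    return "filtered"  # answer does not match the client's socket; ignored


if __name__ == "__main__":
    print("gateway4 192.168.1.100 ->", probe("192.168.1.100"))
    print("gateway4 192.168.1.1   ->", probe("192.168.1.1"))
```

On a real internal host the equivalent check is `ip route show default` on the target, which must list the OpenWrt LAN address; if it lists anything else, the forward will show exactly this "filtered" symptom no matter how the firewall is configured.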
