Port forwarding for WAN does not work from LAN

I hope I won't get too many tomatoes thrown at me because the problem occurred on FriendlyWRT, but I don't know where else to go with my problem. I have a NanoPI R3S with FriendlyWRT installed (OpenWrt 23.05.5 r24106-10cc5fcd00 / LuCI 63ba3cba5b7bfb803a875d4d8f01248634687fd5 branch git-24.290.09512-a81688d). I also have a TP-Link Archer C6 router with stock firmware. I connected the TP-Link to the LAN port of the NanoPI R3S in access point mode. That is, it looks like all devices connected to the TP-Link are connected to the NanoPI R3S. I have a server in my local network that hosts an HTTP application. I set up port forwarding in FriendlyWRT in the firewall section. Port forwarding works well if I access it from an external network, but if I try to access the forwarded port from the local network using the public IP, then the forwarding, according to tcpdump, passes, but no response comes, and as a result I get a timeout error in the browser. The most interesting thing is that if you enable tcpdump listening on the br-lan interface, then port forwarding from the local network works correctly. Some Schrödinger ports. When the main router was the TP-Link Archer C6, everything worked perfectly both from the global network and from the local one. I can assure you in advance that in the local network, when accessing the local address, everything works correctly, and on the server, the firewall does not interfere with the work and the web application also works correctly.

tcpdump for LAN. externalIP stands in for the real IP, which was changed for security reasons.

root@Firefly:~# tcpdump -i any port 444
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
17:22:20.139763 eth1  In  IP Sparkle-MacBook.lan.56929 > externalIP.444: Flags [S], seq 1065272650, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2706359940 ecr 0,sackOK,eol], length 0
17:22:20.395889 eth1  In  IP Sparkle-MacBook.lan.56930 > externalIP.444: Flags [S], seq 3203299701, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2582163974 ecr 0,sackOK,eol], length 0
17:22:21.144024 eth1  In  IP Sparkle-MacBook.lan.56929 > externalIP.444: Flags [S], seq 1065272650, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2706360941 ecr 0,sackOK,eol], length 0
17:22:21.395050 eth1  In  IP Sparkle-MacBook.lan.56930 > externalIP.444: Flags [S], seq 3203299701, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2582164974 ecr 0,sackOK,eol], length 0
17:22:22.144985 eth1  In  IP Sparkle-MacBook.lan.56929 > externalIP.444: Flags [S], seq 1065272650, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2706361942 ecr 0,sackOK,eol], length 0
17:22:22.395929 eth1  In  IP Sparkle-MacBook.lan.56930 > externalIP.444: Flags [S], seq 3203299701, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2582165975 ecr 0,sackOK,eol], length 0
17:22:23.142405 eth1  In  IP Sparkle-MacBook.lan.56929 > externalIP.444: Flags [S], seq 1065272650, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2706362943 ecr 0,sackOK,eol], length 0
17:22:23.396868 eth1  In  IP Sparkle-MacBook.lan.56930 > externalIP.444: Flags [S], seq 3203299701, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2582166976 ecr 0,sackOK,eol], length 0
17:22:24.144571 eth1  In  IP Sparkle-MacBook.lan.56929 > externalIP.444: Flags [S], seq 1065272650, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2706363944 ecr 0,sackOK,eol], length 0
17:22:24.144763 br-lan Out IP Sparkle-MacBook.lan.56929 > 192.168.0.115.444: Flags [S], seq 1065272650, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2706363944 ecr 0,sackOK,eol], length 0
17:22:24.398336 eth1  In  IP Sparkle-MacBook.lan.56930 > externalIP.444: Flags [S], seq 3203299701, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2582167977 ecr 0,sackOK,eol], length 0
17:22:24.398516 br-lan Out IP Sparkle-MacBook.lan.56930 > 192.168.0.115.444: Flags [S], seq 3203299701, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2582167977 ecr 0,sackOK,eol], length 0
17:22:25.145109 eth1  In  IP Sparkle-MacBook.lan.56929 > externalIP.444: Flags [S], seq 1065272650, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2706364946 ecr 0,sackOK,eol], length 0
17:22:25.145256 br-lan Out IP Sparkle-MacBook.lan.56929 > 192.168.0.115.444: Flags [S], seq 1065272650, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2706364946 ecr 0,sackOK,eol], length 0
17:22:25.398613 eth1  In  IP Sparkle-MacBook.lan.56930 > externalIP.444: Flags [S], seq 3203299701, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2582168978 ecr 0,sackOK,eol], length 0
17:22:25.398828 br-lan Out IP Sparkle-MacBook.lan.56930 > 192.168.0.115.444: Flags [S], seq 3203299701, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2582168978 ecr 0,sackOK,eol], length 0
17:22:27.152319 eth1  In  IP Sparkle-MacBook.lan.56929 > externalIP.444: Flags [S], seq 1065272650, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2706366947 ecr 0,sackOK,eol], length 0
17:22:27.152549 br-lan Out IP Sparkle-MacBook.lan.56929 > 192.168.0.115.444: Flags [S], seq 1065272650, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2706366947 ecr 0,sackOK,eol], length 0
17:22:27.399346 eth1  In  IP Sparkle-MacBook.lan.56930 > externalIP.444: Flags [S], seq 3203299701, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2582170979 ecr 0,sackOK,eol], length 0
17:22:27.399551 br-lan Out IP Sparkle-MacBook.lan.56930 > 192.168.0.115.444: Flags [S], seq 3203299701, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2582170979 ecr 0,sackOK,eol], length 0
17:22:31.151181 eth1  In  IP Sparkle-MacBook.lan.56929 > externalIP.444: Flags [S], seq 1065272650, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2706370948 ecr 0,sackOK,eol], length 0
17:22:31.401004 eth1  In  IP Sparkle-MacBook.lan.56930 > externalIP.444: Flags [S], seq 3203299701, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2582174980 ecr 0,sackOK,eol], length 0

tcpdump for WAN

root@Firefly:~# tcpdump -i any port 444
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
16:36:54.941344 pppoe-wan In  IP 176.59.36.210.48882 > externalIP.444: Flags [S], seq 327780614, win 42340, options [mss 1400,sackOK,TS val 396402153 ecr 0,nop,wscale 9], length 0
16:36:54.941753 br-lan Out IP 176.59.36.210.48882 > ldlses049-il.lan.444: Flags [S], seq 327780614, win 42340, options [mss 1400,sackOK,TS val 396402153 ecr 0,nop,wscale 9], length 0
16:36:54.941775 eth1  Out IP 176.59.36.210.48882 > ldlses049-il.lan.444: Flags [S], seq 327780614, win 42340, options [mss 1400,sackOK,TS val 396402153 ecr 0,nop,wscale 9], length 0
16:36:54.948488 eth1  In  IP ldlses049-il.lan.444 > 176.59.36.210.48882: Flags [S.], seq 4095341583, ack 327780615, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 1], length 0
16:36:54.948488 br-lan In  IP ldlses049-il.lan.444 > 176.59.36.210.48882: Flags [S.], seq 4095341583, ack 327780615, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 1], length 0
16:36:54.948772 pppoe-wan Out IP externalIP.444 > 176.59.36.210.48882: Flags [S.], seq 4095341583, ack 327780615, win 5840, options [mss 1452,nop,nop,sackOK,nop,wscale 1], length 0
16:36:54.960934 pppoe-wan In  IP 176.59.36.210.48884 > externalIP.444: Flags [S], seq 638631595, win 42340, options [mss 1400,sackOK,TS val 396402174 ecr 0,nop,wscale 9], length 0
16:36:54.961322 br-lan Out IP 176.59.36.210.48884 > ldlses049-il.lan.444: Flags [S], seq 638631595, win 42340, options [mss 1400,sackOK,TS val 396402174 ecr 0,nop,wscale 9], length 0
16:36:54.961340 eth1  Out IP 176.59.36.210.48884 > ldlses049-il.lan.444: Flags [S], seq 638631595, win 42340, options [mss 1400,sackOK,TS val 396402174 ecr 0,nop,wscale 9], length 0
16:36:54.961828 eth1  In  IP ldlses049-il.lan.444 > 176.59.36.210.48884: Flags [S.], seq 4106461446, ack 638631596, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 1], length 0
16:36:54.961828 br-lan In  IP ldlses049-il.lan.444 > 176.59.36.210.48884: Flags [S.], seq 4106461446, ack 638631596, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 1], length 0
16:36:54.962094 pppoe-wan Out IP externalIP.444 > 176.59.36.210.48884: Flags [S.], seq 4106461446, ack 638631596, win 5840, options [mss 1452,nop,nop,sackOK,nop,wscale 1], length 0
16:36:55.001931 pppoe-wan In  IP 176.59.36.210.48882 > externalIP.444: Flags [.], ack 1, win 83, length 0
16:36:55.002164 br-lan Out IP 176.59.36.210.48882 > ldlses049-il.lan.444: Flags [.], ack 1, win 83, length 0
16:36:55.002177 eth1  Out IP 176.59.36.210.48882 > ldlses049-il.lan.444: Flags [.], ack 1, win 83, length 0
16:36:55.010783 pppoe-wan In  IP 176.59.36.210.48882 > externalIP.444: Flags [P.], seq 1:576, ack 1, win 83, length 575
16:36:55.010959 br-lan Out IP 176.59.36.210.48882 > ldlses049-il.lan.444: Flags [P.], seq 1:576, ack 1, win 83, length 575
16:36:55.010974 eth1  Out IP 176.59.36.210.48882 > ldlses049-il.lan.444: Flags [P.], seq 1:576, ack 1, win 83, length 575
16:36:55.011574 eth1  In  IP ldlses049-il.lan.444 > 176.59.36.210.48882: Flags [.], ack 576, win 3495, length 0
16:36:55.011686 pppoe-wan Out IP externalIP.444 > 176.59.36.210.48882: Flags [.], ack 576, win 3495, length 0
16:36:55.050845 pppoe-wan In  IP 176.59.36.210.48884 > externalIP.444: Flags [.], ack 1, win 83, length 0
16:36:55.051198 br-lan Out IP 176.59.36.210.48884 > ldlses049-il.lan.444: Flags [.], ack 1, win 83, length 0
16:36:55.051218 eth1  Out IP 176.59.36.210.48884 > ldlses049-il.lan.444: Flags [.], ack 1, win 83, length 0
16:36:55.061144 pppoe-wan In  IP 176.59.36.210.48884 > externalIP.444: Flags [P.], seq 1:576, ack 1, win 83, length 575
16:36:55.061332 br-lan Out IP 176.59.36.210.48884 > ldlses049-il.lan.444: Flags [P.], seq 1:576, ack 1, win 83, length 575
16:36:55.061349 eth1  Out IP 176.59.36.210.48884 > ldlses049-il.lan.444: Flags [P.], seq 1:576, ack 1, win 83, length 575
16:36:55.061930 eth1  In  IP ldlses049-il.lan.444 > 176.59.36.210.48884: Flags [.], ack 576, win 3495, length 0
16:36:55.062054 pppoe-wan Out IP externalIP.444 > 176.59.36.210.48884: Flags [.], ack 576, win 3495, length 0
16:36:55.654927 eth1  In  IP ldlses049-il.lan.444 > 176.59.36.210.48882: Flags [P.], seq 1:1260, ack 576, win 3495, length 1259
16:36:55.655023 pppoe-wan Out IP externalIP.444 > 176.59.36.210.48882: Flags [P.], seq 1:1260, ack 576, win 3495, length 1259
16:36:55.841132 pppoe-wan In  IP 176.59.36.210.48882 > externalIP.444: Flags [.], ack 1260, win 83, length 0
16:36:55.841346 br-lan Out IP 176.59.36.210.48882 > ldlses049-il.lan.444: Flags [.], ack 1260, win 83, length 0
16:36:55.841363 eth1  Out IP 176.59.36.210.48882 > ldlses049-il.lan.444: Flags [.], ack 1260, win 83, length 0
16:36:55.841133 pppoe-wan In  IP 176.59.36.210.48882 > externalIP.444: Flags [F.], seq 583, ack 1260, win 83, length 0
16:36:55.841428 br-lan Out IP 176.59.36.210.48882 > ldlses049-il.lan.444: Flags [F.], seq 583, ack 1260, win 83, length 0
16:36:55.841438 eth1  Out IP 176.59.36.210.48882 > ldlses049-il.lan.444: Flags [F.], seq 583, ack 1260, win 83, length 0
16:36:55.841133 pppoe-wan In  IP 176.59.36.210.48882 > externalIP.444: Flags [P.], seq 576:583, ack 1260, win 83, length 7
16:36:55.841486 br-lan Out IP 176.59.36.210.48882 > ldlses049-il.lan.444: Flags [P.], seq 576:583, ack 1260, win 83, length 7
16:36:55.841496 eth1  Out IP 176.59.36.210.48882 > ldlses049-il.lan.444: Flags [P.], seq 576:583, ack 1260, win 83, length 7
16:36:55.841949 eth1  In  IP ldlses049-il.lan.444 > 176.59.36.210.48882: Flags [.], ack 576, win 3495, options [nop,nop,sack 1 {583:584}], length 0
16:36:55.842064 pppoe-wan Out IP externalIP.444 > 176.59.36.210.48882: Flags [.], ack 576, win 3495, options [nop,nop,sack 1 {583:584}], length 0
16:36:55.842154 eth1  In  IP ldlses049-il.lan.444 > 176.59.36.210.48882: Flags [.], ack 584, win 3495, length 0
16:36:55.842179 pppoe-wan Out IP externalIP.444 > 176.59.36.210.48882: Flags [.], ack 584, win 3495, length 0
16:36:55.860639 pppoe-wan In  IP 176.59.36.210.48882 > externalIP.444: Flags [F.], seq 583, ack 1260, win 83, length 0
16:36:55.860832 br-lan Out IP 176.59.36.210.48882 > ldlses049-il.lan.444: Flags [F.], seq 583, ack 1260, win 83, length 0
16:36:55.860849 eth1  Out IP 176.59.36.210.48882 > ldlses049-il.lan.444: Flags [F.], seq 583, ack 1260, win 83, length 0
16:36:55.861326 eth1  In  IP ldlses049-il.lan.444 > 176.59.36.210.48882: Flags [.], ack 584, win 3495, options [nop,nop,sack 1 {583:584}], length 0
16:36:55.861433 pppoe-wan Out IP externalIP.444 > 176.59.36.210.48882: Flags [.], ack 584, win 3495, options [nop,nop,sack 1 {583:584}], length 0
16:36:56.359700 eth1  In  IP ldlses049-il.lan.444 > 176.59.36.210.48884: Flags [P.], seq 1:1260, ack 576, win 3495, length 1259
16:36:56.359829 pppoe-wan Out IP externalIP.444 > 176.59.36.210.48884: Flags [P.], seq 1:1260, ack 576, win 3495, length 1259
16:36:56.361170 eth1  In  IP ldlses049-il.lan.444 > 176.59.36.210.48882: Flags [F.], seq 1260, ack 584, win 3495, length 0
16:36:56.361170 br-lan In  IP ldlses049-il.lan.444 > 176.59.36.210.48882: Flags [F.], seq 1260, ack 584, win 3495, length 0
16:36:56.440841 pppoe-wan In  IP 176.59.36.210.48884 > externalIP.444: Flags [.], ack 1260, win 83, length 0
16:36:56.441138 br-lan Out IP 176.59.36.210.48884 > ldlses049-il.lan.444: Flags [.], ack 1260, win 83, length 0
16:36:56.441162 eth1  Out IP 176.59.36.210.48884 > ldlses049-il.lan.444: Flags [.], ack 1260, win 83, length 0
16:36:56.440841 pppoe-wan In  IP 176.59.36.210.48884 > externalIP.444: Flags [F.], seq 583, ack 1260, win 83, length 0
16:36:56.441230 br-lan Out IP 176.59.36.210.48884 > ldlses049-il.lan.444: Flags [F.], seq 583, ack 1260, win 83, length 0
16:36:56.441241 eth1  Out IP 176.59.36.210.48884 > ldlses049-il.lan.444: Flags [F.], seq 583, ack 1260, win 83, length 0
16:36:56.440841 pppoe-wan In  IP 176.59.36.210.48884 > externalIP.444: Flags [P.], seq 576:583, ack 1260, win 83, length 7
16:36:56.441291 br-lan Out IP 176.59.36.210.48884 > ldlses049-il.lan.444: Flags [P.], seq 576:583, ack 1260, win 83, length 7
16:36:56.441301 eth1  Out IP 176.59.36.210.48884 > ldlses049-il.lan.444: Flags [P.], seq 576:583, ack 1260, win 83, length 7
16:36:56.441795 eth1  In  IP ldlses049-il.lan.444 > 176.59.36.210.48884: Flags [.], ack 576, win 3495, options [nop,nop,sack 1 {583:584}], length 0
16:36:56.441908 pppoe-wan Out IP externalIP.444 > 176.59.36.210.48884: Flags [.], ack 576, win 3495, options [nop,nop,sack 1 {583:584}], length 0
16:36:56.442002 eth1  In  IP ldlses049-il.lan.444 > 176.59.36.210.48884: Flags [.], ack 584, win 3495, length 0
16:36:56.442025 pppoe-wan Out IP externalIP.444 > 176.59.36.210.48884: Flags [.], ack 584, win 3495, length 0
16:36:56.443514 eth1  In  IP ldlses049-il.lan.444 > 176.59.36.210.48884: Flags [F.], seq 1260, ack 584, win 3495, length 0
16:36:56.443514 br-lan In  IP ldlses049-il.lan.444 > 176.59.36.210.48884: Flags [F.], seq 1260, ack 584, win 3495, length 0
16:36:56.443718 pppoe-wan Out IP externalIP.444 > 176.59.36.210.48884: Flags [F.], seq 1260, ack 584, win 3495, length 0
16:36:56.501149 pppoe-wan In  IP 176.59.36.210.48884 > externalIP.444: Flags [.], ack 1261, win 83, length 0
16:36:56.501448 br-lan Out IP 176.59.36.210.48884 > ldlses049-il.lan.444: Flags [.], ack 1261, win 83, length 0
16:36:56.501471 eth1  Out IP 176.59.36.210.48884 > ldlses049-il.lan.444: Flags [.], ack 1261, win 83, length 0
16:36:56.927906 eth1  In  IP ldlses049-il.lan.444 > 176.59.36.210.48882: Flags [F.], seq 1260, ack 584, win 3495, length 0
16:36:56.927906 br-lan In  IP ldlses049-il.lan.444 > 176.59.36.210.48882: Flags [F.], seq 1260, ack 584, win 3495, length 0
16:36:58.067964 eth1  In  IP ldlses049-il.lan.444 > 176.59.36.210.48882: Flags [F.], seq 1260, ack 584, win 3495, length 0
16:36:58.067964 br-lan In  IP ldlses049-il.lan.444 > 176.59.36.210.48882: Flags [F.], seq 1260, ack 584, win 3495, length 0
16:37:00.347862 eth1  In  IP ldlses049-il.lan.444 > 176.59.36.210.48882: Flags [F.], seq 1260, ack 584, win 3495, length 0
16:37:00.347862 br-lan In  IP ldlses049-il.lan.444 > 176.59.36.210.48882: Flags [F.], seq 1260, ack 584, win 3495, length 0
16:37:04.907941 eth1  In  IP ldlses049-il.lan.444 > 176.59.36.210.48882: Flags [F.], seq 1260, ack 584, win 3495, length 0
16:37:04.907941 br-lan In  IP ldlses049-il.lan.444 > 176.59.36.210.48882: Flags [F.], seq 1260, ack 584, win 3495, length 0
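
A small diagnostic for captures like the two above, added here as an example (it is not part of the original thread): it groups packets by client endpoint and lists the interfaces on which the SYN and the SYN-ACK were seen, which makes the difference between the LAN attempt and the WAN attempt visible at a glance. The function names are assumptions of this example, and the sample lines are taken from both captures but abridged after the flags field.

```python
import re
from collections import defaultdict

# Matches the "-i any" (LINUX_SLL2) line layout shown in the captures above.
LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ifc>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+Flags\s+\[(?P<flags>[^\]]+)\]"
)

# Abridged sample (options/seq fields trimmed): one LAN attempt, one WAN attempt.
SAMPLE = """\
17:22:24.144571 eth1  In  IP Sparkle-MacBook.lan.56929 > externalIP.444: Flags [S], length 0
17:22:24.144763 br-lan Out IP Sparkle-MacBook.lan.56929 > 192.168.0.115.444: Flags [S], length 0
16:36:54.941344 pppoe-wan In  IP 176.59.36.210.48882 > externalIP.444: Flags [S], length 0
16:36:54.941753 br-lan Out IP 176.59.36.210.48882 > ldlses049-il.lan.444: Flags [S], length 0
16:36:54.941775 eth1  Out IP 176.59.36.210.48882 > ldlses049-il.lan.444: Flags [S], length 0
16:36:54.948488 eth1  In  IP ldlses049-il.lan.444 > 176.59.36.210.48882: Flags [S.], length 0
16:36:54.948488 br-lan In  IP ldlses049-il.lan.444 > 176.59.36.210.48882: Flags [S.], length 0
16:36:54.948772 pppoe-wan Out IP externalIP.444 > 176.59.36.210.48882: Flags [S.], length 0
"""

def port_of(endpoint):
    """tcpdump prints host.port; the port is the part after the last dot."""
    return endpoint.rpartition(".")[2]

def trace_handshakes(text, service_port):
    """Per client endpoint, list the hops where SYN and SYN-ACK were captured."""
    flows = defaultdict(lambda: {"syn": [], "synack": []})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner lines, non-IP lines
        if m["flags"] == "S" and port_of(m["dst"]) == service_port:
            key, kind = m["src"], "syn"
        elif m["flags"] == "S." and port_of(m["src"]) == service_port:
            key, kind = m["dst"], "synack"
        else:
            continue  # only the handshake matters for this check
        hop = f"{m['ifc']} {m['dir']}"
        if hop not in flows[key][kind]:
            flows[key][kind].append(hop)
    return dict(flows)

def verdict(flow):
    """Classify one flow by how far the handshake got on the router."""
    if flow["synack"]:
        return "handshake answered"
    if any(hop.endswith("Out") for hop in flow["syn"]):
        return "SYN forwarded, no SYN-ACK seen"
    return "SYN never forwarded"

if __name__ == "__main__":
    for client, flow in trace_handshakes(SAMPLE, "444").items():
        print(client, flow["syn"], flow["synack"], "->", verdict(flow))
```

Run against a full capture by passing the saved tcpdump text and the forwarded port as a string.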

You need multiple rules, one per zone.

Can you please tell me what you mean? I don't quite understand what I need to do.

You have to ask whomever makes that.


If I understood you correctly, I made a separate port forwarding on the WAN interface, and separately made a forwarding on the LAN interface, but I still can’t access this port inside the LAN.



Thank you very much, kind man. This really helped in solving the problem. I spent about 25 hours on this over two days. Thank you very much again. I also want to add that after applying the settings I had to restart FriendlyWRT.
