Port forwarding from VPN to LAN IP server

Could someone help me, please? I'm having a problem with a Linksys WRT1900ACS. My aim is to have a port forwarded from the VPN to a LAN IP server. I followed this link to get my VPN working:

https://airvpn.org/forums/topic/20303-airvpn-configuration-on-openwrt-preventing-traffic-leakage-outside-tunnel/

Port forwarding is already configured on the VPN provider. However, using the link below, I have been unable to get port forwarding working.

https://openwrt.org/docs/guide-user/firewall/firewall_configuration

This is the current config I added to etc/config/firewall

config redirect
	option name 'port forward'
	option src 'tun0'
	option proto 'tcp'
	option src_dport 'dest port'
	option target 'DNAT'
	option dest_ip 'server ip'
	option dest_port 'server port'
	option dest 'lan'

I searched the forums and found some information, but it was hard for me to follow. I am new to Linux and OpenWrt. Thanks in advance.

Which port?

You didn't specify.

1 Like
option src_dport '58460'
option dest_port '9091'

This is the zone name, not the interface. Make sure you are using the correct source zone here.

2 Likes

Thanks, I added interface name instead.

option src 'vpntun'

Still getting connection refused.

Is the firewall on your server configured to accept external connections?

If everything else fails, use "tcpdump" to see where the packets are being dropped.

2 Likes

Did you restart the firewall service after that?
If it is still not working, verify that the server is not actually blocking something and that there are hits on the firewall:
iptables -t nat -L -vn | grep 58460

I rebooted the router after updating the config.

iptables -t nat -L -vn | grep 58460 on the router resulted in no output. The server OS is FreeNAS; command iptables not found.

No firewall on the server, it is running FreeNAS.

uci show firewall

I think it's time for "tcpdump".

1 Like

This output is from the router

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].masq='0'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='exusfw'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].network='vpntun'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='exusfw'
firewall.@redirect[0]=redirect
firewall.@redirect[0].name='port forward'
firewall.@redirect[0].src='vpntun'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].src_dport='58460'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].dest_ip='192.168.1.13'
firewall.@redirect[0].dest_port='9091'
firewall.@redirect[0].dest='lan'

Tcpdump only works on the server, how long do you want me to run it?

I told you before that you need to use the zone name there, and you keep using the interface name.

2 Likes
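
The zone-name point above can be checked mechanically. The following is an added example, not part of the original thread: a small shell function (the names `check_redirect_zones` and `sample_thread_config` are hypothetical) that reads `uci show firewall` output and flags any redirect whose `src` or `dest` is not a defined zone name. The sample input is constructed by abridging the output posted above, where the zone covering network `vpntun` is named `exusfw`.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `uci show firewall` output on
# stdin and flags any redirect whose src/dest is not a defined zone name.
check_redirect_zones() {
    awk -F= -v q="'" '
    { key = $1; val = substr($0, length(key) + 2); gsub(q, "", val) }
    key ~ /^firewall\.@zone\[[0-9]+\]\.name$/ {
        sub(/\.name$/, "", key); zname[key] = val; is_zone[val] = 1
    }
    key ~ /^firewall\.@zone\[[0-9]+\]\.network$/ {
        sub(/\.network$/, "", key); znets[key] = val
    }
    key ~ /^firewall\.@redirect\[[0-9]+\]\.(src|dest)$/ {
        n++; rkey[n] = key; rval[n] = val
    }
    END {
        # Map each network to the zone that covers it, to suggest a fix.
        for (z in znets) {
            m = split(znets[z], nets, " ")
            for (i = 1; i <= m; i++) net_zone[nets[i]] = zname[z]
        }
        for (i = 1; i <= n; i++) {
            if (rval[i] in is_zone) continue
            hint = (rval[i] in net_zone) ? net_zone[rval[i]] : "none found"
            printf "BAD %s=%s (covering zone: %s)\n", rkey[i], rval[i], hint
            bad = 1
        }
        exit bad + 0   # non-zero when at least one redirect is wrong
    }'
}

# Constructed sample: abridged from the `uci show firewall` output in this thread.
sample_thread_config() {
    cat <<'EOF'
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[2].name='exusfw'
firewall.@zone[2].network='vpntun'
firewall.@redirect[0].src='vpntun'
firewall.@redirect[0].dest='lan'
EOF
}

sample_thread_config | check_redirect_zones || true
```

On the router the same function can be fed live with `uci show firewall | check_redirect_zones`; an empty result means every redirect references an existing zone.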

If you install the proper package, "tcpdump" works on the router, too.

2 Likes

Ok now I understand what you mean. Thanks

Thanks everyone for taking the time out and helping. Regards

2 Likes
