Port Forwarding help

I can't connect to my DVR from wan.
I have a wimax antenna that brings connection to my openwrt router.
The wimax part has a static IP and my provider opened the needed ports for me.
I did port forwarding of the needed ports on my router as well.
Inside the LAN I can connect to my DVR by its IP, 192.168.15.105.
But I cannot connect to it from wan (eg from my mobile data connection on the smartphone).

My provider says ports are open, so the problem should be between the router and the antenna maybe.

Is there a way to check that port forwarding works locally? I mean, shouldn't my DVR be reachable by using the router IP (192.168.15.1) instead of the DVR one (192.168.15.105)? (Actually it is not.)

Is it something related to the way the router interacts with the antenna? I read someone talking about bridging the router.

Here is my configuration:

/etc/config/firewall

config redirect
        option target 'DNAT'
        option src 'wan'
        option src_dport '8036'
        option dest_port '8036'
        option name 'DVR'
        option proto 'tcp udp'
        option dest_ip '192.168.15.105'
        option dest 'lan'

config redirect
        option target 'DNAT'
        option src 'wan'
        option proto 'tcp udp'
        option src_dport '10029'
        option dest_port '10029'
        option name 'DVR Search'
        option dest_ip '192.168.15.105'
        option dest 'lan'

config redirect
        option target 'DNAT'
        option src 'wan'
        option proto 'tcp udp'
        option src_dport '8146'
        option dest_port '8146'
        option name 'DVR Audio'
        option dest_ip '192.168.15.105'
        option dest 'lan'

I would use "tcpdump" on each interface, to check that the packages are reaching the router on WAN and leaving on LAN.

On the other hand, these issues are quite often caused by the firewall on the device, which is usually configured to block external traffic.

1 Like

Maybe you should also specify the src_dip of your external router IP?
option src_dip '192.168.15.1'

You can also "play" with the logging feature of the firewall rules to help debug

How can I use tcpdump to check the packages?

I added this option but nothing changed.

How can I play with the logging features of the firewall rules?

Install it with "opkg install tcpdump", then execute it against the WAN interface ("tcpdump -i wan") to see if you receive the packets, then against the LAN interface ("tcpdump -i br-lan") to see the packets leaving the router, and the possible answers.

1 Like

Thanks!
When I run tcpdump -i wan or against wwan it says

tcpdump: wan: No such device exists
(SIOCGIFHWADDR: No such device)

but the device is there

root@OpenWrt:~# ubus list network.interface.*
network.interface.lan
network.interface.loopback
network.interface.wan
network.interface.wan6
network.interface.wwan

If I use tcpdump -i br-lan it gives lots of connections and it's not easy to understand what's going on. Maybe I should run it isolating the device, and the easy way to do that, to my knowledge, is to detach all the other devices and turn off the wifi.

But what about the wan part?

You did not mention before that there was a WWAN... how many devices do you own, and how are they connected?

You can execute "ifconfig" to see the physical names for the interfaces.

I thought the wwan was by default.

I have a 4G wifi router with the DVR connected to it by ethernet.
I can access the router both from my laptop by wireless or from a Raspberry via ethernet (so I can disable wifi to test).
The router connects to the internet no longer by 4G but via ethernet WAN as DHCP client.
Internet is provided by a wimax antenna on the roof; the provider gives us a static IP and does the port forwarding from the antenna.

I used ifconfig and there are
wlan0
lo
eth0, eth0.1, and eth0.2
and br-lan

I ran tcpdump against wlan0 and, like with br-lan, there are tons of information to check.

Somewhere here I read about bridging the devices to perform port forwarding, but this bridging thing is something I don't really understand.

Please post your "network" config here; what you explain does not match what "ifconfig" says.

Also, bridging and NATing are mutually exclusive, and each one is used in a different situation.

The wwan part was used before moving back to the wimax provider, as I had tons of issues with the 4G connection (other people had issues with this D-Link DWR-921 C3).
By now it can also be removed as I don't plan to use it.

Here is the /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd51:eeba:d297::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.15.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '28:3b:82:cc:b6:56'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr '28:3b:82:cc:b6:55'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

config interface 'wwan'
        option proto 'wwan'
        option apn 'web.omnitel.it'
        option auto '0'

Ok, try to stop all traffic on your network for a while, then run "tcpdump" on eth0.2, and see if you see the packets coming in from outside when you try to reach the DVR; have a look at tcpdump's manual, and see if you can use any parameter to reduce the gibberish.

1 Like

I haven't tried this tcpdump thing yet; I fear it is lots of pain and no good.
I was trying to resolve this by restoring the OEM firmware (I couldn't) and getting another router (which I also need).

But a new question is rising to my mind: did the ISP open the ports correctly?

Ports look closed.
I searched online for some port scanner tools and did a scan from my DigitalOcean droplet:

nmap -p 10029 [mypublicip]
Host is up (0.041s latency).
PORT     STATE  SERVICE
10029/tcp closed unknown

Is this nmap scan true?
I already tried to contact the provider but they are not available now.

tcpdump -n -i any port 8036 or port 8146 or port 10029

2 Likes

As far as I know, "nmap" will report a port as "closed" if it is really closed or wrongly forwarded.
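
Added example (not part of the original posts): a shell sketch that derives the tcpdump filter from the redirect sections of the firewall config, so the WAN and LAN captures suggested in the thread show only the forwarded ports. The function names sample_firewall, redirect_filter and capture_cmd are hypothetical, and the embedded config is a constructed sample trimmed from the one posted above.

```shell
#!/bin/sh
# Added example: build a tcpdump filter from the DNAT redirects in a uci-style
# firewall config so each capture shows only the forwarded ports.

# Constructed sample, trimmed from the redirect sections posted in the thread.
sample_firewall() {
cat <<'EOF'
config redirect
        option src 'wan'
        option src_dport '8036'
        option dest_ip '192.168.15.105'

config redirect
        option src 'wan'
        option src_dport '10029'
        option dest_ip '192.168.15.105'

config rule
        option src 'wan'
        option dest_port '22'
EOF
}

# Read a firewall config on stdin; print "port A or port B ..." for every
# src_dport inside a 'config redirect' section (other sections are ignored).
redirect_filter() {
    awk '
        $1 == "config" { in_redirect = ($2 == "redirect") }
        in_redirect && $1 == "option" && $2 == "src_dport" {
            v = $3
            gsub(/[^0-9:-]/, "", v)      # drop the quotes around the value
            sub(/:/, "-", v)             # normalise a:b to a-b for portrange
            term = (v ~ /-/ ? "portrange " : "port ") v
            out = out (out ? " or " : "") term
        }
        END { print out }'
}

# Print the capture command for one kernel device (hypothetical helper).
capture_cmd() {   # usage: capture_cmd <device> <filter>
    printf "tcpdump -n -i %s '%s'\n" "$1" "$2"
}

# On the router itself: filter=$(redirect_filter < /etc/config/firewall)
filter=$(sample_firewall | redirect_filter)
# eth0.2 and br-lan are the WAN and LAN devices from the posted network config;
# "wan" is a netifd interface name, which is why "tcpdump -i wan" failed.
capture_cmd eth0.2 "$filter"   # nothing here: packets never reach the router
capture_cmd br-lan "$filter"   # on eth0.2 but not here: redirect not matching
```

Run the two printed commands in separate SSH sessions while connecting to the DVR from outside, and compare which device sees the incoming SYN packets.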