Hi everyone
I think I've configured port forwarding but the port in question is closed.
Can you tell me how to troubleshoot please?
Thanks in advance.
Cap'n
check from the router, if the port on the .100 host is answering
how are you trying to access it from internet ?
One option is to check the firewall packet counters for hits on this rule. You can find that on the Status > Firewall tab in LuCI.
If you don't see anything there, there is also the tcpdump option, which captures packets on the wire, i.e. before the firewall:
tcpdump -i <wan interface> -n port 9091
(you need to have tcpdump installed first).
I don't seem to have packet counters in Status > Firewall
I used that command and checked the port from a few websites
root@OpenWrt:~# tcpdump -i wan -n port 9091
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
root@OpenWrt:~#
again, how are you trying to test this ...
check, from the router, if the port on the .100 host is answering
Not sure how to do that.
Yes trying to access from the internet.
try https://www.tecmint.com/check-remote-port-in-linux/, will need to install the package 1st.
sorry, that's insufficient info, you need to provide specifics (not IPs).
one more question, is there a public IP on the openwrt devices' WAN port ?
Yes there is.
provide specifics on how the test is done ... from where, via what, to where, etc ...
https://www.portchecktool.com/
Using my external ip and the port I'm trying to open
OK, you're not attempting this from your own LAN
and you're sure your ISP is allowing incoming traffic ?
No. I've asked. Expecting a response tomorrow
Is your public external IP the same as the one your wan interface has or are you behind CGNAT?
You'd better try from your mobile phone connected on mobile data only. Don't trust these port forwarding test sites.
that would indicate you don't have a public IP, after all.
if that's the case, the incoming traffic will never reach the port you've opened.
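The CGNAT check discussed in this thread (compare the address on the wan interface with the public external IP), as an added example that is not part of any poster's reply. The function names and all sample addresses are constructed; the range tests use the RFC 6598 shared address space (100.64.0.0/10) and the RFC 1918 private blocks.

```shell
#!/bin/sh
# Added example: classify a router's WAN IPv4 address to spot CGNAT or double NAT.
# Function names are hypothetical; any addresses passed in are up to the caller.

# classify_ipv4 ADDR -> prints one of: cgnat, private, public, invalid
classify_ipv4() {
    # Split the dotted quad into four positional parameters.
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo invalid; return 1; }
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*) echo invalid; return 1 ;;
        esac
        [ "$o" -le 255 ] || { echo invalid; return 1; }
    done
    # RFC 6598 shared address space used by carriers: 100.64.0.0/10
    if [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then
        echo cgnat
    # RFC 1918 private ranges: the WAN port sits behind another NAT device
    elif [ "$1" -eq 10 ] ||
         { [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; } ||
         { [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; }; then
        echo private
    else
        echo public
    fi
}

# port_forward_verdict WAN_ADDR EXTERNAL_ADDR
#   WAN_ADDR:      address configured on the router's wan interface
#   EXTERNAL_ADDR: address an outside host or service sees you coming from
port_forward_verdict() {
    kind=$(classify_ipv4 "$1") || { echo "invalid wan address"; return 1; }
    if [ "$kind" != public ]; then
        echo "blocked: wan address is $kind"
    elif [ "$1" != "$2" ]; then
        echo "blocked: wan and external addresses differ"
    else
        echo "ok: wan holds the external address"
    fi
}
```

An "ok" result only rules out carrier NAT; the ISP may still filter incoming traffic, which is the separate question raised earlier in the thread.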
OK. Will see if I can get a static IP from carrier
That's a sign of CGNAT, so port forwarding will not work.
But since you have IPv6, you can accomplish what you are trying with native routing. Add a firewall rule to allow from wan to lan, IP of the server and dest port 9091. You should also make sure the server has a fixed IP.
Finally disable the wan_6 interface with:
uci set network.wan.ipv6='1'
uci commit network
ifup wan
That's not correct. You have a redirect or port forward, which applies to IPv4 only. You need to add a firewall rule to allow from wan to lan for the IPv6 address and port 9091.
Tangentially and jumping way back in the thread, just to fill in the blanks... The counters are on the dstnat_wan chain, so if you find that in the Status -> Firewall page and hover over #, you should see the counter values there (packets and bytes counts).
Alternatively, you could list the chain from the command line and see the current counter values:
$ nft list chain inet fw4 dstnat_wan
table inet fw4 {
	chain dstnat_wan {
		meta nfproto ipv4 tcp dport 10222 counter packets 6051 bytes 362984 dnat ip to 10.1.1.202:22 comment "!fw4: SSH-from-WAN"
	}
}