Using an OpenWrt-based router (Xiaomi AX3600) which I have SSH access to. For some reason I cannot get port forwarding to work. For example, I want to open port 443 to my NAS, like this:
# Port forward: DNAT for TCP/443 arriving on the 'wan' zone, rewritten to the NAS at 192.168.1.2:443.
# NOTE(review): this is the usual fw3 shape for a wan->lan redirect and nothing in the stanza
# itself looks wrong. Reaching the NAS through the public domain from *inside* the LAN presumably
# depends on NAT reflection (hairpin NAT), which is a different path from an external port check;
# confirm which of the two actually fails. `fw3 print` shows the rules fw3 generated from this.
# NOTE(review): this exposes the NAS's HTTPS port to the whole internet; if only known clients
# need it, a 'src_ip' match on the redirect narrows who it applies to.
config redirect
# packet destination is rewritten (DNAT)
option target 'DNAT'
# traffic enters through the wan zone ...
option src 'wan'
# ... and is forwarded into the lan zone
option dest 'lan'
option proto 'tcp'
# port the client connects to on the router's WAN address
option src_dport '443'
# address and port the packet is rewritten to
option dest_ip '192.168.1.2'
option dest_port '443'
option name 'NAS'
After rebooting the router and doing a port check via a website, it does not work: the port still shows up as closed. I also cannot reach it via my domain (bound to my IP). All of this worked fine with my previous router; no other changes were made.
The weird thing is that the router comes with a lot of entries already present in /etc/config/firewall. And even without any modification to this file, running /etc/init.d/firewall reload fails with `! Failed with exit code 1`.
So I tried removing all these rules, which clears this error, but the forward still does not work. Is there something I am missing?
These are the default contents of /etc/config/firewall:
# Global defaults: policies for traffic not matched by any zone or rule.
config defaults
# NOTE(review): '0' disables fw3's SYN-flood rate limiting; the upstream OpenWrt default
# config ships with '1' — worth checking whether this was intentional on this firmware.
option syn_flood '0'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# packets in conntrack state INVALID are dropped
option drop_invalid '1'
# IPv6 firewalling stays enabled ('1' would switch it off)
option disable_ipv6 '0'
# 'lan' zone: covers the 'lan' network. The router accepts traffic from it; 'forward' is
# the fallback policy for forwarded traffic this zone does not explicitly allow.
config zone
option name 'lan'
option network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# 'wan' zone: covers both the IPv4 'wan' and the IPv6 'wan6' interface.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
# unsolicited inbound traffic to the router itself is rejected; the explicit Allow-* rules
# further down open the few exceptions (DHCP renew, ping, DHCPv6, ICMPv6)
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
# source NAT (masquerading) for traffic leaving through this zone
option masq '1'
# MSS clamping for traffic leaving this zone
option mtu_fix '1'
# Allow forwarding lan -> wan. There is no wan -> lan forwarding section, and the wan zone's
# 'forward' policy is REJECT, so inbound traffic reaches LAN hosts only through redirects or
# explicit rules. NOTE(review): fw3 is expected to add the matching forward accept for a DNAT
# redirect on its own, so no extra forwarding section should be needed for the NAS redirect —
# confirm with `fw3 print`.
config forwarding
option src 'lan'
option dest 'wan'
# Standard OpenWrt input exceptions on the wan zone (these also appear in a stock config).
# Let the upstream DHCP server renew our lease (IPv4 only).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# Answer ICMPv4 echo requests from the WAN.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
# DHCPv6 from link-local peers only (server port 547 -> client port 546).
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 types the router itself must accept for IPv6 to work (ND, RA, PMTU, errors), rate-limited.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Same idea for ICMPv6 forwarded to any zone ('dest' '*'); the ND/RA types are left out here.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Vendor-added rule: has 'dest' but no 'src'. NOTE(review): in fw3 a rule with only 'dest'
# presumably applies to the router's own output toward that zone, i.e. this stops the router
# from sending IPv6 router advertisements onto the WAN — verify against `fw3 print`.
config rule 'Forbidden_Wan_RA'
option name 'Forbidden_Wan_RA'
option dest 'wan'
option proto 'icmp'
option family 'ipv6'
option target 'REJECT'
list icmp_type 'router-advertisement'
# Vendor (Xiaomi) firewall includes, loaded through /lib/firewall.sysapi.loader; these are
# not part of a stock OpenWrt config, which suggests this is the vendor firmware rather than
# upstream OpenWrt. NOTE(review): with 'reload' set, each include is run again on every
# firewall reload, so a failing include script is one candidate for the "Failed with exit
# code 1" seen on reload — this file alone cannot tell which one; run them individually.
config include 'webinitrdr'
option path '/lib/firewall.sysapi.loader webinitrdr'
option reload '1'
option enabled '1'
config include 'dnsmiwifi'
option path '/lib/firewall.sysapi.loader dnsmiwifi'
option reload '1'
option enabled '1'
config include 'macfilter'
option path '/lib/firewall.sysapi.loader macfilter'
option reload '1'
option enabled '1'
# NOTE(review): unlike the three above, this include carries no 'enabled' option; fw3's
# documented default for a missing 'enabled' is on, so it is presumably still loaded — confirm.
config include 'ipv6_masq'
option path '/lib/firewall.sysapi.loader ipv6_masq'
option reload '1'
# Accept TCP 8999 / 8300 / 7080 on the router from a zone named 'guest'.
# NOTE(review): no 'config zone' with name 'guest' appears anywhere in this file. fw3 warns
# about, and appears to skip, rules that reference a zone it cannot find, unless the zone is
# created elsewhere (e.g. by one of the vendor includes) — check the reload output for such
# warnings, as they are easy to mistake for the real cause of a failed reload.
config rule 'guest_8999'
option name 'Hello wifi 8999'
option src 'guest'
option proto 'tcp'
option dest_port '8999'
option target 'ACCEPT'
config rule 'guest_8300'
option name 'Hello wifi 8300'
option src 'guest'
option proto 'tcp'
option dest_port '8300'
option target 'ACCEPT'
config rule 'guest_7080'
option name 'Hello wifi 7080'
option src 'guest'
option proto 'tcp'
option dest_port '7080'
option target 'ACCEPT'
# 'ready' zone (vendor-specific; likely the not-yet-configured / setup network — confirm):
# everything dropped by default, with only DHCP and TCP/786 opened by the rules below.
config zone 'ready_zone'
option name 'ready'
option input 'DROP'
option forward 'DROP'
option output 'DROP'
list network 'ready'
# DHCP (ports 67-68) into the router from the 'ready' zone ...
config rule 'ready_dhcp'
option name 'DHCP for ready'
option src 'ready'
option src_port '67-68'
option dest_port '67-68'
option proto 'udp'
option target 'ACCEPT'
option family 'ipv4'
# ... and back out toward it ('dest' only, no 'src' — presumably router output, see Forbidden_Wan_RA).
config rule 'ready_dhcp_out'
option name 'DHCP for ready'
option dest 'ready'
option src_port '67-68'
option dest_port '67-68'
option proto 'udp'
option target 'ACCEPT'
option family 'ipv4'
# TCP to port 786 on the router from the 'ready' zone.
config rule 'ready_minet_in'
option name 'minet ready'
option src 'ready'
option dest_port '786'
option proto 'tcp'
option target 'ACCEPT'
option family 'ipv4'
# NOTE(review): despite the '_out' name this still matches 'src' 'ready', but on *source* port 786
# rather than destination port — presumably replies from a service on 786 on the ready side; verify.
config rule 'ready_minet_out'
option name 'minet ready'
option src 'ready'
option src_port '786'
option proto 'tcp'
option target 'ACCEPT'
option family 'ipv4'
# More vendor includes via the same loader; none of these carries an 'enabled' option.
config include 'set_tcpmss'
option path '/lib/firewall.sysapi.loader set_tcpmss'
option reload '1'
config include 'parentalctl'
option path '/lib/firewall.sysapi.loader parentalctl'
option reload '1'
config include 'miqos'
option path '/lib/firewall.sysapi.loader miqos'
option reload '1'
# UPnP IGD hook (IPv4 only). NOTE(review): if miniupnpd is actually running, LAN hosts can open
# WAN ports on their own without any entry in this file — a trust decision worth revisiting when
# exposing services; whether the daemon is installed and enabled is not visible here.
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'IPv4'
option reload '1'
# NOTE(review): presumably the Qualcomm NSS / ECM flow-offload hooks (name only, script not shown).
# Offloaded flows can bypass the normal netfilter path once established, which is worth keeping in
# mind when rule counters or logs seem not to reflect traffic while debugging the forward — verify.
config include 'qcanssecm'
option type 'script'
option path '/etc/firewall.d/qca-nss-ecm'
option family 'any'
option reload '1'