Port forwarding is not working at all?

Using an OpenWRT-based router (Xiaomi AX3600) which I have SSH access to. For some reason I cannot get port forwarding to work. For example, I want to open port 443 to my NAS, like this:

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '443'
	option dest_ip '192.168.1.2'
	option dest_port '443'
	option name 'NAS'

After rebooting the router and doing a port check via a website it does not work. It still shows up as closed. I also cannot reach it via my domain (bound to my IP). All this worked fine with my previous router, no other changes are made.

The weird thing is that the router does come with a lot of entries already present in the /etc/config/firewall. And without any modification to this file it does this: ! Failed with exit code 1 when running /etc/init.d/firewall reload

So I tried removing all these rules, which clears this error, but no success with the forward. Is there something I am missing?

This is the default contents of /etc/config/firewall

config defaults
	option syn_flood '0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option drop_invalid '1'
	option disable_ipv6 '0'

config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule 'Forbidden_Wan_RA'
	option name 'Forbidden_Wan_RA'
	option dest 'wan'
	option proto 'icmp'
	option family 'ipv6'
	option target 'REJECT'
	list icmp_type 'router-advertisement'

config include 'webinitrdr'
	option path '/lib/firewall.sysapi.loader webinitrdr'
	option reload '1'
	option enabled '1'

config include 'dnsmiwifi'
	option path '/lib/firewall.sysapi.loader dnsmiwifi'
	option reload '1'
	option enabled '1'

config include 'macfilter'
	option path '/lib/firewall.sysapi.loader macfilter'
	option reload '1'
	option enabled '1'

config include 'ipv6_masq'
	option path '/lib/firewall.sysapi.loader ipv6_masq'
	option reload '1'

config rule 'guest_8999'
	option name 'Hello wifi 8999'
	option src 'guest'
	option proto 'tcp'
	option dest_port '8999'
	option target 'ACCEPT'

config rule 'guest_8300'
	option name 'Hello wifi 8300'
	option src 'guest'
	option proto 'tcp'
	option dest_port '8300'
	option target 'ACCEPT'

config rule 'guest_7080'
	option name 'Hello wifi 7080'
	option src 'guest'
	option proto 'tcp'
	option dest_port '7080'
	option target 'ACCEPT'

config zone 'ready_zone'
	option name 'ready'
	option input 'DROP'
	option forward 'DROP'
	option output 'DROP'
	list network 'ready'

config rule 'ready_dhcp'
	option name 'DHCP for ready'
	option src 'ready'
	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'
	option family 'ipv4'

config rule 'ready_dhcp_out'
	option name 'DHCP for ready'
	option dest 'ready'
	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'
	option family 'ipv4'

config rule 'ready_minet_in'
	option name 'minet ready'
	option src 'ready'
	option dest_port '786'
	option proto 'tcp'
	option target 'ACCEPT'
	option family 'ipv4'

config rule 'ready_minet_out'
	option name 'minet ready'
	option src 'ready'
	option src_port '786'
	option proto 'tcp'
	option target 'ACCEPT'
	option family 'ipv4'

config include 'set_tcpmss'
	option path '/lib/firewall.sysapi.loader set_tcpmss'
	option reload '1'

config include 'parentalctl'
	option path '/lib/firewall.sysapi.loader parentalctl'
	option reload '1'

config include 'miqos'
	option path '/lib/firewall.sysapi.loader miqos'
	option reload '1'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'IPv4'
	option reload '1'

config include 'qcanssecm'
	option type 'script'
	option path '/etc/firewall.d/qca-nss-ecm'
	option family 'any'
	option reload '1'

To rule out an ISP block, try moving the external port from 443 to something else.

This is the correct syntax you have there for forwarding a port in OpenWrt.

Since it is not the official OpenWrt installed, it is unlikely that you will receive useful input here.
Better seek advice from the relevant maintainer.

Tried different ports, with the same results. And there were no issues with port forwarding these exact same ports on my AC68U.

From what I can tell, it looks pretty much exactly like the OpenWRT?

Yes I know, the OpenWRT is in development for this router. Sadly there is no maintainer and not much information to be had about this. And as it is based on OpenWRT I have nowhere else to go.

Yes, it should work the way you have written it.

I hope that someone else will provide you with some insight. As long as the device is not supported by OpenWrt it is hard to troubleshoot.

Have you checked with tcpdump if the packet reaches the router?

The early part looks like the default OpenWrt firewall, but the latter half of the file mainly contains OEM includes of separate add-on scripts.

You should also evaluate all the included OEM additions to firewall.

You likely need to do the port-forward via OEM GUI, so that the forward rules get added to the correct places.


Yes, I did add the port forward from the OEM GUI from the start, without any luck. That's when I started digging in the files and found that without any modification to the default settings I get this error: ! Failed with exit code 1 when running /etc/init.d/firewall reload

This is when I thought I had a solution: deleting all the custom rules made this failure disappear. But it still did not work. So now I am back at the beginning again with the default rules added.

This is the result when trying to reach my IP and port 443 from outside my network:

tcpdump -i any -vn tcp port 443
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
17:45:56.596404 IP (tos 0x0, ttl 128, id 8005, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.10.50758 > 104.27.151.28.443: Flags [S], cksum 0xab1b (correct), seq 3339876613, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:45:56.596404 IP (tos 0x0, ttl 128, id 8005, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.10.50758 > 104.27.151.28.443: Flags [S], cksum 0xab1b (correct), seq 3339876613, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:45:56.596746 IP (tos 0x0, ttl 127, id 8005, offset 0, flags [DF], proto TCP (6), length 52)
    100.124.216.102.50758 > 104.27.151.28.443: Flags [S], cksum 0x2feb (correct), seq 3339876613, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:45:56.608485 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    104.27.151.28.443 > 100.124.216.102.50758: Flags [S.], cksum 0x9b26 (correct), seq 2329871615, ack 3339876614, win 65535, options [mss 1400,nop,nop,sackOK,nop,wscale 10], length 0
17:45:56.608574 IP (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    104.27.151.28.443 > 192.168.1.10.50758: Flags [S.], cksum 0x1657 (correct), seq 2329871615, ack 3339876614, win 65535, options [mss 1400,nop,nop,sackOK,nop,wscale 10], length 0
17:45:56.608589 IP (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    104.27.151.28.443 > 192.168.1.10.50758: Flags [S.], cksum 0x1657 (correct), seq 2329871615, ack 3339876614, win 65535, options [mss 1400,nop,nop,sackOK,nop,wscale 10], length 0
17:45:56.608831 IP (tos 0x0, ttl 128, id 8006, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.10.50758 > 104.27.151.28.443: Flags [.], cksum 0x52ec (correct), ack 1, win 1028, length 0
17:45:56.608831 IP (tos 0x0, ttl 128, id 8006, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.10.50758 > 104.27.151.28.443: Flags [.], cksum 0x52ec (correct), ack 1, win 1028, length 0
17:45:56.608921 IP (tos 0x0, ttl 127, id 8006, offset 0, flags [DF], proto TCP (6), length 40)
    100.124.216.102.50758 > 104.27.151.28.443: Flags [.], cksum 0xd7bb (correct), ack 1, win 1028, length 0
^C
9 packets captured
9 packets received by filter
0 packets dropped by kernel

My NAS IP is 192.168.1.2 but that does not show up here at all.

You are behind CGNAT.


Is it something I can work my way around? As I have made no other changes than switching the router to this new one. And it worked before, there must be a setting in OpenWRT for this?

No, there is no such setting in any router for that.
You are assigned the IP your provider gives you when the router connects. Call them and sort it out.


I have the same problem with FREE ISP (France) and I have to get an IPv4 FULL STACK to get my forwards to work again...

There are ways around it, but those carry additional costs, or good buddies on ISPs without CGNAT :wink:

You could rent a vps with public IPv4. Then create a tunnel from OpenWrt to the vps and forward from vps to OpenWrt.

Got it working, the problem was that my public IP was locked to my old router's MAC address.
Now I got it locked to the new router's MAC and it looks better. However, I still have issues with both my OpenVPN AS server and my Plex server.
I have opened 1194 on both TCP and UDP for my OpenVPN AS server, and 32400 and 32443 on TCP for Plex.

When trying to connect to OpenVPN while doing a tcpdump, I get no successful connection, and this is the log:

tcpdump -n -i any port 1194
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
17:33:55.391580 IP redactedip.31839 > secondredactedip.1194: UDP, length 42
17:33:55.391964 IP redactedip.31839 > 192.168.1.2.1194: UDP, length 42
17:33:55.391995 IP redactedip.31839 > 192.168.1.2.1194: UDP, length 42
17:33:56.365773 IP redactedip.31839 > secondredactedip.1194: UDP, length 42
17:33:56.365914 IP redactedip.31839 > 192.168.1.2.1194: UDP, length 42
17:33:56.365939 IP redactedip.31839 > 192.168.1.2.1194: UDP, length 42
17:33:57.344604 IP redactedip.31839 > secondredactedip.1194: UDP, length 42
17:33:57.344765 IP redactedip.31839 > 192.168.1.2.1194: UDP, length 42
17:33:57.344791 IP redactedip.31839 > 192.168.1.2.1194: UDP, length 42
17:33:58.358619 IP redactedip.31839 > secondredactedip.1194: UDP, length 42
17:33:58.358778 IP redactedip.31839 > 192.168.1.2.1194: UDP, length 42
17:33:58.358807 IP redactedip.31839 > 192.168.1.2.1194: UDP, length 42
17:33:59.385675 IP redactedip.31839 > secondredactedip.1194: UDP, length 42
17:33:59.385813 IP redactedip.31839 > 192.168.1.2.1194: UDP, length 42
17:33:59.385834 IP redactedip.31839 > 192.168.1.2.1194: UDP, length 42
17:33:59.402564 IP redactedip.31787 > secondredactedip.1194: UDP, length 42
17:33:59.402873 IP redactedip.31787 > 192.168.1.2.1194: UDP, length 42
17:33:59.402888 IP redactedip.31787 > 192.168.1.2.1194: UDP, length 42
17:34:00.367834 IP redactedip.31787 > secondredactedip.1194: UDP, length 42
17:34:00.367987 IP redactedip.31787 > 192.168.1.2.1194: UDP, length 42
17:34:00.368012 IP redactedip.31787 > 192.168.1.2.1194: UDP, length 42
17:34:01.382810 IP redactedip.31787 > secondredactedip.1194: UDP, length 42
17:34:01.382920 IP redactedip.31787 > 192.168.1.2.1194: UDP, length 42
17:34:01.382946 IP redactedip.31787 > 192.168.1.2.1194: UDP, length 42
17:34:04.176848 IP redactedip.31787 > secondredactedip.1194: UDP, length 42
17:34:04.177033 IP redactedip.31787 > 192.168.1.2.1194: UDP, length 42
17:34:04.177065 IP redactedip.31787 > 192.168.1.2.1194: UDP, length 42
17:34:04.464860 IP redactedip.31782 > secondredactedip.1194: Flags [S], seq 757589432, win 65535, options [mss 1400,sackOK,TS val 249986057 ecr 0,nop,wscale 8], length 0
17:34:04.465248 IP redactedip.31782 > 192.168.1.2.1194: Flags [S], seq 757589432, win 65535, options [mss 1400,sackOK,TS val 249986057 ecr 0,nop,wscale 8], length 0
17:34:04.465282 IP redactedip.31782 > 192.168.1.2.1194: Flags [S], seq 757589432, win 65535, options [mss 1400,sackOK,TS val 249986057 ecr 0,nop,wscale 8], length 0
17:34:04.465470 IP 192.168.1.2.1194 > redactedip.31782: Flags [R.], seq 0, ack 757589433, win 0, length 0
17:34:04.465470 IP 192.168.1.2.1194 > redactedip.31782: Flags [R.], seq 0, ack 1, win 0, length 0
17:34:04.465600 IP secondredactedip.1194 > redactedip.31782: Flags [R.], seq 0, ack 757589433, win 0, length 0
17:34:04.530941 IP redactedip.31764 > secondredactedip.1194: Flags [S], seq 757589432, win 65535, options [mss 1400,sackOK,TS val 249987087 ecr 0,nop,wscale 8], length 0
17:34:04.531355 IP redactedip.31764 > 192.168.1.2.1194: Flags [S], seq 757589432, win 65535, options [mss 1400,sackOK,TS val 249987087 ecr 0,nop,wscale 8], length 0
17:34:04.531388 IP redactedip.31764 > 192.168.1.2.1194: Flags [S], seq 757589432, win 65535, options [mss 1400,sackOK,TS val 249987087 ecr 0,nop,wscale 8], length 0
17:34:04.531547 IP 192.168.1.2.1194 > redactedip.31764: Flags [R.], seq 0, ack 757589433, win 0, length 0
17:34:04.531547 IP 192.168.1.2.1194 > redactedip.31764: Flags [R.], seq 0, ack 1, win 0, length 0
17:34:04.531671 IP secondredactedip.1194 > redactedip.31764: Flags [R.], seq 0, ack 757589433, win 0, length 0
17:34:06.705824 IP redactedip.31792 > secondredactedip.1194: UDP, length 42
17:34:06.706186 IP redactedip.31792 > 192.168.1.2.1194: UDP, length 42
17:34:06.706212 IP redactedip.31792 > 192.168.1.2.1194: UDP, length 42
17:34:07.683780 IP redactedip.31792 > secondredactedip.1194: UDP, length 42
17:34:07.683912 IP redactedip.31792 > 192.168.1.2.1194: UDP, length 42
17:34:07.683939 IP redactedip.31792 > 192.168.1.2.1194: UDP, length 42
17:34:09.240778 IP redactedip.31792 > secondredactedip.1194: UDP, length 42
17:34:09.240935 IP redactedip.31792 > 192.168.1.2.1194: UDP, length 42
17:34:09.240967 IP redactedip.31792 > 192.168.1.2.1194: UDP, length 42
17:34:10.798816 IP redactedip.31792 > secondredactedip.1194: UDP, length 42
17:34:10.798904 IP redactedip.31792 > 192.168.1.2.1194: UDP, length 42
17:34:10.798918 IP redactedip.31792 > 192.168.1.2.1194: UDP, length 42
17:34:10.798929 IP redactedip.31792 > secondredactedip.1194: UDP, length 42
17:34:10.798955 IP redactedip.31792 > 192.168.1.2.1194: UDP, length 42
17:34:10.798964 IP redactedip.31792 > 192.168.1.2.1194: UDP, length 42
17:34:10.855618 IP redactedip.31799 > secondredactedip.1194: UDP, length 42
17:34:10.855960 IP redactedip.31799 > 192.168.1.2.1194: UDP, length 42
17:34:10.855978 IP redactedip.31799 > 192.168.1.2.1194: UDP, length 42
17:34:11.573561 IP redactedip.31799 > secondredactedip.1194: UDP, length 42
17:34:11.573721 IP redactedip.31799 > 192.168.1.2.1194: UDP, length 42
17:34:11.573745 IP redactedip.31799 > 192.168.1.2.1194: UDP, length 42
17:34:12.965577 IP redactedip.31799 > secondredactedip.1194: UDP, length 42
17:34:12.965744 IP redactedip.31799 > 192.168.1.2.1194: UDP, length 42
17:34:12.965775 IP redactedip.31799 > 192.168.1.2.1194: UDP, length 42
17:34:13.678776 IP redactedip.31799 > secondredactedip.1194: UDP, length 42
17:34:13.678850 IP redactedip.31799 > 192.168.1.2.1194: UDP, length 42
17:34:13.678868 IP redactedip.31799 > 192.168.1.2.1194: UDP, length 42

And this is when trying to reach port 32400 from outside my network:

tcpdump -n -i any port 32400
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
17:39:04.974833 IP redactedip.58545 > secondredactedip.32400: Flags [S], seq 4016126867, win 14600, options [mss 1460,sackOK,TS val 642341301 ecr 0,nop,wscale 8], length 0
17:39:04.975211 IP redactedip.58545 > 192.168.1.2.32400: Flags [S], seq 4016126867, win 14600, options [mss 1460,sackOK,TS val 642341301 ecr 0,nop,wscale 8], length 0
17:39:04.975238 IP redactedip.58545 > 192.168.1.2.32400: Flags [S], seq 4016126867, win 14600, options [mss 1460,sackOK,TS val 642341301 ecr 0,nop,wscale 8], length 0
17:39:04.975536 IP 192.168.1.2.32400 > redactedip.58545: Flags [S.], seq 476740876, ack 4016126868, win 65160, options [mss 1460,sackOK,TS val 1742028299 ecr 642341301,nop,wscale 7], length 0
17:39:04.975536 IP 192.168.1.2.32400 > redactedip.58545: Flags [S.], seq 476740876, ack 4016126868, win 65160, options [mss 1460,sackOK,TS val 1742028299 ecr 642341301,nop,wscale 7], length 0
17:39:04.975643 IP secondredactedip.32400 > redactedip.58545: Flags [S.], seq 476740876, ack 4016126868, win 65160, options [mss 1460,sackOK,TS val 1742028299 ecr 642341301,nop,wscale 7], length 0
17:39:05.140591 IP redactedip.58545 > secondredactedip.32400: Flags [.], ack 1, win 58, options [nop,nop,TS val 642341343 ecr 1742028299], length 0
17:39:05.140722 IP redactedip.58545 > 192.168.1.2.32400: Flags [.], ack 1, win 58, options [nop,nop,TS val 642341343 ecr 1742028299], length 0
17:39:05.140738 IP redactedip.58545 > 192.168.1.2.32400: Flags [.], ack 1, win 58, options [nop,nop,TS val 642341343 ecr 1742028299], length 0
17:39:05.140944 IP redactedip.58545 > secondredactedip.32400: Flags [F.], seq 1, ack 1, win 58, options [nop,nop,TS val 642341343 ecr 1742028299], length 0
17:39:05.140985 IP redactedip.58545 > 192.168.1.2.32400: Flags [F.], seq 1, ack 1, win 58, options [nop,nop,TS val 642341343 ecr 1742028299], length 0
17:39:05.140995 IP redactedip.58545 > 192.168.1.2.32400: Flags [F.], seq 1, ack 1, win 58, options [nop,nop,TS val 642341343 ecr 1742028299], length 0
17:39:05.142166 IP 192.168.1.2.32400 > redactedip.58545: Flags [.], ack 2, win 510, options [nop,nop,TS val 1742028466 ecr 642341343], length 0
17:39:05.142166 IP 192.168.1.2.32400 > redactedip.58545: Flags [.], ack 2, win 510, options [nop,nop,TS val 1742028466 ecr 642341343], length 0
17:39:05.142222 IP secondredactedip.32400 > redactedip.58545: Flags [.], ack 2, win 510, options [nop,nop,TS val 1742028466 ecr 642341343], length 0

15 packets captured
15 packets received by filter
0 packets dropped by kernel

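The two things the replies above read off the captures by eye, written out as an added example (this is not code from the thread or from OpenWrt): it parses tcpdump -n lines taken on the router, flags any address inside the RFC 6598 CGNAT range (which is how the masqueraded WAN address 100.124.216.102 in the first capture gave CGNAT away), and classifies a DNAT redirect from the reply the forward target sends (the RST from 192.168.1.2 on TCP 1194 versus the SYN-ACK on 32400). The sample lines are constructed; the client 203.0.113.5 and the WAN address 198.51.100.7 are placeholders, not addresses from the thread.

```python
import ipaddress
import re

# RFC 6598 shared address space: a WAN address in here means the ISP runs CGNAT
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Matches "src.sport > dst.dport: Flags [..]" or "...: UDP" in a tcpdump -n line
PKT_RE = re.compile(
    r"(?P<src>(?:\d{1,3}\.){3}\d{1,3})\.(?P<sport>\d+) > "
    r"(?P<dst>(?:\d{1,3}\.){3}\d{1,3})\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<flags>[^\]]*)\]|(?P<udp>UDP))"
)

def parse(lines):
    """One dict per packet line; tcpdump header and summary lines are skipped."""
    return [m.groupdict() for m in map(PKT_RE.search, lines) if m]

def cgnat_addresses(pkts):
    """Addresses seen in the capture that fall inside the CGNAT range."""
    seen = {p[k] for p in pkts for k in ("src", "dst")}
    return sorted(a for a in seen if ipaddress.ip_address(a) in CGNAT)

def classify_forward(pkts, dest_ip, port, proto="tcp"):
    """How a DNAT redirect to dest_ip:port behaved, judged from the router's capture."""
    port, want_udp = str(port), proto == "udp"
    pkts = [p for p in pkts if bool(p["udp"]) == want_udp]
    inbound = [p for p in pkts if p["dst"] == dest_ip and p["dport"] == port]
    if not inbound:
        return "not-forwarded"     # nothing ever went out to the redirect target
    if want_udp:
        return "udp-forwarded"     # UDP has no handshake; a missing reply proves nothing
    replies = [p for p in pkts if p["src"] == dest_ip and p["sport"] == port]
    flags = {p["flags"].split(",")[0] for p in replies if p["flags"]}
    if "S." in flags:
        return "accepted"          # SYN-ACK: DNAT works and the service answered
    if "R." in flags or "R" in flags:
        return "refused"           # RST: DNAT works, nothing listens on that port/proto
    return "forwarded-no-reply"    # host firewall dropping, or host down

# Constructed samples modelled on the captures in this thread (verbose format first).
CAP_CGNAT = """\
    192.168.1.10.50758 > 104.27.151.28.443: Flags [S], seq 3339876613, win 64240, length 0
    100.124.216.102.50758 > 104.27.151.28.443: Flags [S], seq 3339876613, win 64240, length 0
    104.27.151.28.443 > 100.124.216.102.50758: Flags [S.], seq 2329871615, ack 3339876614, length 0
""".splitlines()
CAP_1194 = """\
17:33:55.391580 IP 203.0.113.5.31839 > 198.51.100.7.1194: UDP, length 42
17:33:55.391964 IP 203.0.113.5.31839 > 192.168.1.2.1194: UDP, length 42
17:34:04.464860 IP 203.0.113.5.31782 > 198.51.100.7.1194: Flags [S], seq 757589432, win 65535, length 0
17:34:04.465248 IP 203.0.113.5.31782 > 192.168.1.2.1194: Flags [S], seq 757589432, win 65535, length 0
17:34:04.465470 IP 192.168.1.2.1194 > 203.0.113.5.31782: Flags [R.], seq 0, ack 757589433, win 0, length 0
""".splitlines()
CAP_32400 = """\
17:39:04.974833 IP 203.0.113.5.58545 > 198.51.100.7.32400: Flags [S], seq 4016126867, win 14600, length 0
17:39:04.975211 IP 203.0.113.5.58545 > 192.168.1.2.32400: Flags [S], seq 4016126867, win 14600, length 0
17:39:04.975536 IP 192.168.1.2.32400 > 203.0.113.5.58545: Flags [S.], seq 476740876, ack 4016126868, length 0
""".splitlines()
```

Run on a real capture, `cgnat_addresses` telling you the WAN address is in 100.64.0.0/10 means no firewall setting will help, and `refused` on TCP 1194 points at the server's listener rather than at the redirect.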

Hello, how do I move the external port from 443 to another?

It's just a FW rule, you can open whatever port you'd like on the WAN side, as long as you route it to 443 on the router.


In fact I ask how it is done, because I am interested in opening this range of ports 50000-65355, because my ISP does not let me open them. Would you explain how I can do it please?