Port forwarding is not working on Linksys WRT1900ACS

Hi,
I've been trying to set up port forwarding through LuCI to my DVR device at LAN address 192.168.1.110 for the following ports: 8077, 5000, 5001, and 80. I've read all the similar posts about this but couldn't figure out my problem.

I'm connected using a PPPoE connection and have a WAN IP address that changes every time I restart my router.

Router model: Linksys WRT1900ACS
Firmware version: OpenWrt 19.07.7

Here is a picture of my port forwards:

and here is my /etc/config/firewall:

# Global firewall defaults: input and output are accepted, forwarded traffic
# is rejected, and SYN-flood protection is enabled.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

# Zone 'lan': covers the 'lan' network and accepts input, output and
# forwarded traffic.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# Zone 'wan': covers the 'wan' network (the PPPoE uplink). Input from the
# internet is rejected unless a rule or redirect below accepts it; traffic
# leaving through this zone is masqueraded (masq) and has its MSS clamped
# (mtu_fix).
config zone
        option name 'wan'
        option output 'ACCEPT'
        option mtu_fix '1'
        option masq '1'
        option input 'REJECT'
        # NOTE(review): the stock OpenWrt wan zone ships with forward 'REJECT'.
        # ACCEPT here is a loosened, non-default policy and is not required for
        # the DNAT port forwards in this file; consider restoring 'REJECT'.
        option forward 'ACCEPT'
        option network 'wan'

# Accept IPv4 UDP packets to port 68 arriving from the wan zone, so DHCP
# renewals addressed to the router are not dropped by the wan input policy.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Accept IPv4 ICMP echo-request from the wan zone. No 'dest' is set, so this
# is an input rule: the router itself answers pings from the internet.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept IPv4 IGMP packets arriving from the wan zone.
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept IPv6 UDP packets to port 546 (DHCPv6 client) from the wan zone when
# both source and destination addresses fall inside fc00::/6.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept Multicast Listener Discovery messages (ICMPv6 types 130, 131, 132
# and 143) from link-local sources (fe80::/10) on the wan zone.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept the listed ICMPv6 message types addressed to the router itself from
# the wan zone (no 'dest', so this is an input rule), rate-limited to
# 1000 packets per second. Includes the neighbour/router discovery types.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept the listed ICMPv6 message types forwarded from the wan zone to any
# zone (dest '*'), rate-limited to 1000 packets per second.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept ESP (IPsec payload) packets forwarded from the wan zone to the lan
# zone. No address or family restriction is set on this rule.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

# Accept UDP port 500 (ISAKMP/IKE) forwarded from the wan zone to the lan
# zone. No address or family restriction is set on this rule.
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Pull in the custom rules file /etc/firewall.user. Its contents are not
# shown on this page, so any rules it adds are not covered by this listing.
config include
        option path '/etc/firewall.user'

# Port forward 'cctv': DNAT TCP and UDP traffic arriving on wan port 8077 to
# 192.168.1.110:8077 in the lan zone.
# NOTE(review): no src_ip is set, so the forward is open to every internet
# source address; restrict it if the remote clients are known.
config redirect
        option dest_port '8077'
        option src 'wan'
        option name 'cctv'
        option src_dport '8077'
        option target 'DNAT'
        option dest_ip '192.168.1.110'
        option dest 'lan'
        list proto 'tcp'
        list proto 'udp'

# Port forward 'cctv2': DNAT TCP and UDP traffic arriving on wan port 80 to
# 192.168.1.110:80 in the lan zone.
# NOTE(review): this publishes the device's port 80 to every internet source
# address (no src_ip). The page does not say what listens there; if it is the
# DVR's unencrypted web/admin interface, prefer a source restriction or VPN
# access, and make sure the device uses non-default credentials.
config redirect
        option src 'wan'
        option name 'cctv2'
        option src_dport '80'
        option target 'DNAT'
        option dest_ip '192.168.1.110'
        option dest 'lan'
        option dest_port '80'
        list proto 'tcp'
        list proto 'udp'

# Port forward 'cctv3': DNAT traffic arriving on wan port 5000 to
# 192.168.1.110:5000 in the lan zone.
# Only UDP is listed, so TCP connections to port 5000 do not match this
# redirect and fall through to the wan zone's input REJECT policy.
config redirect
        option dest_port '5000'
        option src 'wan'
        option name 'cctv3'
        option src_dport '5000'
        option target 'DNAT'
        option dest_ip '192.168.1.110'
        option dest 'lan'
        list proto 'udp'

# Port forward 'cctv4': DNAT traffic arriving on wan port 5001 to
# 192.168.1.110:5001 in the lan zone.
# Only UDP is listed, so TCP connections to port 5001 do not match this
# redirect and fall through to the wan zone's input REJECT policy.
config redirect
        option dest_port '5001'
        option src 'wan'
        option name 'cctv4'
        option src_dport '5001'
        option target 'DNAT'
        option dest_ip '192.168.1.110'
        option dest 'lan'
        list proto 'udp'

# Allow traffic to be forwarded from the lan zone to the wan zone (outbound
# internet access for LAN hosts). There is no wan -> lan forwarding section;
# inbound access relies on the redirect and rule sections above.
config forwarding
        option dest 'wan'
        option src 'lan'

and here is the output of the `iptables-save -c -t nat; ifstatus wan` command:

# iptables-save -c -t nat; ifstatus wan
# Generated by iptables-save v1.8.3 on Tue Jul 12 19:04:01 2022
*nat
:PREROUTING ACCEPT [666:119453]
:INPUT ACCEPT [136:10183]
:OUTPUT ACCEPT [408:29890]
:POSTROUTING ACCEPT [24:3186]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[666:119453] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[539:106179] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[118:9920] -A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[679:61039] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[4:824] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[656:57973] -A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[4:824] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.110/32 -p tcp -m tcp --dport 8077 -m comment --comment "!fw3: cctv (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.110/32 -p udp -m udp --dport 8077 -m comment --comment "!fw3: cctv (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.110/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: cctv2 (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.110/32 -p udp -m udp --dport 80 -m comment --comment "!fw3: cctv2 (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.110/32 -p udp -m udp --dport 5000 -m comment --comment "!fw3: cctv3 (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.110/32 -p udp -m udp --dport 5001 -m comment --comment "!fw3: cctv4 (reflection)" -j SNAT --to-source 192.168.1.1
[539:106179] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 86.97.8.240/32 -p tcp -m tcp --dport 8077 -m comment --comment "!fw3: cctv (reflection)" -j DNAT --to-destination 192.168.1.110:8077
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 86.97.8.240/32 -p udp -m udp --dport 8077 -m comment --comment "!fw3: cctv (reflection)" -j DNAT --to-destination 192.168.1.110:8077
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 86.97.8.240/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: cctv2 (reflection)" -j DNAT --to-destination 192.168.1.110:80
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 86.97.8.240/32 -p udp -m udp --dport 80 -m comment --comment "!fw3: cctv2 (reflection)" -j DNAT --to-destination 192.168.1.110:80
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 86.97.8.240/32 -p udp -m udp --dport 5000 -m comment --comment "!fw3: cctv3 (reflection)" -j DNAT --to-destination 192.168.1.110:5000
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 86.97.8.240/32 -p udp -m udp --dport 5001 -m comment --comment "!fw3: cctv4 (reflection)" -j DNAT --to-destination 192.168.1.110:5001
[656:57973] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[656:57973] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[118:9920] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8077 -m comment --comment "!fw3: cctv" -j DNAT --to-destination 192.168.1.110:8077
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 8077 -m comment --comment "!fw3: cctv" -j DNAT --to-destination 192.168.1.110:8077
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: cctv2" -j DNAT --to-destination 192.168.1.110:80
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 80 -m comment --comment "!fw3: cctv2" -j DNAT --to-destination 192.168.1.110:80
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 5000 -m comment --comment "!fw3: cctv3" -j DNAT --to-destination 192.168.1.110:5000
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 5001 -m comment --comment "!fw3: cctv4" -j DNAT --to-destination 192.168.1.110:5001
COMMIT
# Completed on Tue Jul 12 19:04:01 2022
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 84668,
        "l3_device": "pppoe-wan",
        "proto": "pppoe",
        "device": "br-wan",
        "updated": [
                "addresses"
        ],
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [
                {
                        "address": "86.97.8.240",
                        "mask": 32,
                        "ptpaddress": "10.207.112.1"
                }
        ],
        "ipv6-address": [
                {
                        "address": "fe80::a1d3:35e1:bf52:97f0",
                        "mask": 128
                }
        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "0.0.0.0",
                        "mask": 0,
                        "nexthop": "10.207.112.1",
                        "source": "0.0.0.0/0"
                }
        ],
        "dns-server": [
                "213.42.20.20",
                "195.229.241.222"
        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {

        }
}
root@OpenWrt:~#

I'm not really good with routers and I'm not sure where exactly the problem is. Your help would be much appreciated.
Thank you for your time.

None of the DNAT rules in zone_wan_prerouting has any hits (every packet/byte counter reads [0:0]), so it doesn't look like any packet matching these rules made it to the wan interface of the router.


Are you sure that the packets are all UDP? Maybe try TCP + UDP, or maybe all protocols?


Or, these days almost more importantly, are you sure that you have a globally routable IPv4 address on WAN and that your ISP isn't using CGNAT (carrier-grade NAT)?


I'm using https://www.yougetsignal.com/tools/open-ports/ to check if the port is open or not and it says it's closed.
To open ports I just added entries in Firewall - Port Forwards, do I need to do anything else?

I've already tried that; it's still the same.
Do I need to configure traffic rules in the firewall as well? I only added entries under Port Forwards.

Yes, I'm sure.
I checked my ip address on https://www.whatismyip.com/ and it's matching the IP on my wan connection.

And do you know for sure they aren't blocking incoming traffic?


Yes, I do.
I had doubts about this router, so I used a D-Link router to open a port and it worked, but it doesn't work with the OpenWrt router.

You don't need anything else. Also, don't rely on such online port-checking tools. Try to connect to the server port yourself, from the internet (e.g. from a mobile phone on mobile data, not Wi-Fi). At the same time, monitor the hit counters on the DNAT rules: `iptables-save -t nat -c | grep cctv`

Have you verified that the device is online and listening for connections if you attempt to connect locally (192.168.1.110)? You should be getting hits on the firewall, so this may not be the only issue, but the device must be listening for connections or it will appear that port forwarding isn't working.