Port forwarding is NOT working ONLY for guest network

I am bit confused, the server on guest network can access internet fine. So I don't see the point of doing the ping from server to internet? Maybe you might want to have a look at my 1st post about what is working and what is not :slight_smile:

If the server connects to the internet without issues, you can skip this test and check why it receives the packets and is not responding.

1 Like

but if I can hit the server in guest lan from primary lan, doesn't that mean if server receives the packets, it will respond?

(That's what you're troubleshooting.)

Yeah, I have tried adjusting the firewall zone to allow wan zone to guest zone, no luck..
And just now I added guest network into the LAN zone just to see what will happen, it fixes the issue and I can hit my server on guest network from internet... but that is not ideal as I like to keep them in their own zone (guest network in guest zone, primary network in LAN zone), instead of having LAN zone including both guest and primary networks..
I guess I will have to live with it for now until someone help me with a solution

It is not necessary, revert that.

Assign the guest interface back to guest zone.
Install tcpdump and capture the packets forwarded to guest interface from wan.
opkg update; opkg install tcpdump; tcpdump -i br-guest-lan -vn '(host and (port 80 or port 443)'
Then try to access the server from the internet.

Thanks a lot for your help.
I have reverted the setup to be one zone for one interface and clear the destination of wan zone. I hosted a simple file server HFS on port 80. With the tcpdump running:
when I tried to hit it using public IP, nothing is showing
when I hit it using guest lan IP (, it is showing this:

when I move this guest network into LAN zone (so this zone has guest + lan networks), hit it with public IP, I get this:

I think I understand now what is your problem. You are trying to access the server in guest from a client in lan using the public IP of the wan. This will not work so simply. When you set up a redirect in Luci or UCI, there is an option to create NAT loopback. This means that you can access the server within the same zone with the wan IP. But it is not created for other zones. Since this is adding extra cycles in CPU utilization it is discouraged. You can access the server directly with its private IP, or create a hostname for the server. However if you insist on doing it, you can replicate the reflection rules from guest zone to lan zone. If wan IP is not static, you'd need to check it each time the firewall starts and apply the valid one.


Thanks a lot, the issue is finally resolved. My end goal is to use my domain name instead of public IP. So I just added the domain name to private IP mapping in HostNames to prove your theory. And it works perfectly!! Thanks.


This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.