Port forwarding issues, ports are open but not reaching LAN

We just moved into a new office. They have supplied us with a network port that we have connected my OpenWrt Home Hub 5A (running 18.06.5) to, and we have access to the Internet OK.

I had to set the wan device to be eth0.2 in order to be able to use the red WAN port instead of the broadband port that seems to be the default on this router.

The upstream address has a gateway of 10.1.101.1 and we are connecting the WAN using static address 10.1.101.2 as directed.

We are using LAN addresses of 192.168.0.*.

When querying external IP we get the correct IP as expected. When running a port scanner on that IP the ports we have forwarded (80,443,55555) show as open as expected. OpenWrt status page does not show the external IP (see image)

The problem is there seems to be a breakdown somewhere when traffic is hitting the router. I don't know enough to diagnose and fix it myself unfortunately, I've tried dabbling with tcpdump but am not getting anything meaningful out of it. It seems like this should be a simple fix, can anyone help please?

uci show firewall output:

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].masq='1'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].masq='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].src_dport='55555'
firewall.@redirect[0].dest_port='9999'
firewall.@redirect[0].name='al-web-server'
firewall.@redirect[0].dest_ip='192.168.0.212'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].proto='tcp'
firewall.@redirect[1].src_dport='80'
firewall.@redirect[1].dest_ip='192.168.0.13'
firewall.@redirect[1].dest_port='80'
firewall.@redirect[1].name='tom-http'
firewall.@redirect[2]=redirect
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].proto='tcp'
firewall.@redirect[2].src_dport='443'
firewall.@redirect[2].dest_ip='192.168.0.13'
firewall.@redirect[2].dest_port='443'
firewall.@redirect[2].name='tom-https'

uci show network output:

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd2a:b208:3ada::/48'
network.atm=atm-bridge
network.atm.vpi='1'
network.atm.vci='32'
network.atm.encaps='llc'
network.atm.payload='bridged'
network.atm.nameprefix='dsl'
network.dsl=dsl
network.dsl.annex='a'
network.dsl.tone='av'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.dns='8.8.8.8 8.8.4.4'
network.lan.ipaddr='192.168.0.1'
network.lan_dev=device
network.lan_dev.name='eth0.1'
network.lan_dev.macaddr='a0:1b:29:71:c8:46'
network.wan=interface
network.wan.proto='static'
network.wan.ipaddr='10.1.101.2'
network.wan.netmask='255.255.255.248'
network.wan.gateway='10.1.101.1'
network.wan.dns='8.8.8.8 8.8.4.4'
network.wan.ifname='eth0.2'
network.wan_dev=device
network.wan_dev.name='dsl0'
network.wan_dev.macaddr='a0:1b:29:71:c8:47'
network.wan6=interface
network.wan6.ifname='@wan'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].vid='1'
network.@switch_vlan[0].ports='0 1 2 4 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].vid='2'
network.@switch_vlan[1].ports='5 6t'

Use "tcpdump" to see where are the packets being lost.

That is wrong. Remove it.

Make sure that you have proper forwardings in the upstream router too.
If you still haven't found out where the problem is, run tcpdump -i any -vn tcp port 80 and try to access Tom's web server from the internet.

Thanks for the replies!

That masq setting on VLAN 1 was just a result of some tinkering, I'll be doing a factory reset and setting up the bare minimum settings again tomorrow at the office.

I'll try some diagnostics with tcpdump too, I need to do a bit more reading about how to use it properly first.

Would the fact that a port scan shows only the ports we have opened in the OpenWrt firewall as being open not point to the upstream router effectively putting us in a DMZ where all traffic is able to reach us? This is what leads me to believe there is some kind of configuration setting within OpenWrt that is needed to resolve the LAN machine from the WAN port forwarding. All the info I can find that describes very similar setups to ours seems to suggest simply doing the port forwards should be enough.

The upstream is just forwarding the packets to OpenWrt. It doesn't respond back to the port scanner. So if it is really not working, and the port scanner shows open ports, then the port scanner reports as open the ports that didn't receive some icmp port unreachable response.
Generally speaking port forwarding is enough. Twice in your case.
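An added checker, not from anyone in this thread, that parses `uci show` output in the format pasted above and flags the two things the replies point at: masq='1' on the lan zone, and any port-forward redirect that is not a DNAT from wan to an address inside the LAN subnet. The sample input is a constructed excerpt of the original poster's config; the function names are my own.

```python
import ipaddress
import re

# Constructed sample input: an excerpt of the `uci show firewall` / `uci show network` output above.
UCI_FIREWALL = """\
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].masq='1'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].masq='1'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].src_dport='55555'
firewall.@redirect[0].dest_port='9999'
firewall.@redirect[0].dest_ip='192.168.0.212'
"""
UCI_NETWORK = """\
network.lan=interface
network.lan.ipaddr='192.168.0.1'
network.lan.netmask='255.255.255.0'
"""

def parse_uci(text):
    """Parse `uci show` lines into {section: {option: value}}; '.type' holds the section type."""
    sections = {}
    for line in text.splitlines():
        if "=" not in line:                         # skip blank lines from a copy-paste
            continue
        key, _, value = line.partition("=")
        _config, _, rest = key.partition(".")
        section, _, option = rest.partition(".")    # option is empty on 'section=type' lines
        vals = re.findall(r"'([^']*)'", value)      # list options appear as several quoted words
        entry = sections.setdefault(section, {})
        entry[option or ".type"] = value if not option else (vals if len(vals) > 1 else vals[0])
    return sections

def audit(firewall, network):
    """Return findings: masquerade on the lan zone, and redirects that cannot forward into the LAN."""
    lan = network["lan"]
    lan_net = ipaddress.ip_network(f"{lan['ipaddr']}/{lan['netmask']}", strict=False)
    findings = []
    for sec, o in firewall.items():
        if o.get(".type") == "zone" and o.get("name") == "lan" and o.get("masq") == "1":
            findings.append(f"{sec}: masq='1' on the lan zone; remove it")
        if o.get(".type") == "redirect":
            if o.get("target") != "DNAT" or o.get("src") != "wan":
                findings.append(f"{sec}: a port forward must be target=DNAT with src=wan")
            if not o.get("dest_ip") or ipaddress.ip_address(o["dest_ip"]) not in lan_net:
                findings.append(f"{sec}: dest_ip {o.get('dest_ip')} is not inside {lan_net}")
    return findings
```

Paste the full `uci show firewall` and `uci show network` output into the two strings to run it against the live config; anything the upstream router does (its own forwards towards 10.1.101.2) still has to be checked there.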