I'm trying to set up a port forward on my local network because I have one locked-down laptop with very restrictive firewall.
When I use Microsoft RDP from the locked-down device to 141.92.156.2:80, I want it to connect to 192.168.0.117:3389 (the default RDP port of another machine on my network).
So far no joy; can anyone shed some insight? Here is the /etc/config/firewall entry:
config redirect
	option target 'DNAT'
	option proto 'tcp udp'
	option src_dip '141.92.156.2'
	option src_dport '80'
	option dest_ip '192.168.0.117'
	option dest_port '3389'
	option name 'annapurna156'
	option dest 'lan'
	option src 'lan'
I am not sure what you are trying to achieve there.
LAN to LAN traffic will most likely not hit the firewall at all, unless the two hosts are connected to different interfaces on the router, both belonging to the LAN firewall zone.
Explain a bit better the problem and you'll get more feedback.
OK, this was confusing, my mistake. There is a firewall on the locked-down device which I cannot touch. The port forwarding needs to be set up under the firewall rules of my OpenWrt router. Both the locked-down device and the target are connected to the 'lan' side of the OpenWrt router.
I'm not sure why you quoted your words as mine, but OK...
Please clearly explain what port you wish to open on this device (I'm guessing RDP 3398/udp).
Please explain this - how port 80 on a public IP to a bank gets involved, if your devices are all on LAN.
Yes, and you were told:
So please explain why you want to place rules in the OpenWrt - as if it will control any firewall between the 2 devices on the same broadcast domain?
Also, the 2 IPs you show are not in the same subnet, so it brings more confusion regarding your "devices are on LAN side" description. Lastly, you still haven't explained why you're trying to backdoor the IP of a bank to get to a desktop.
I open the locked-down device, I open Microsoft RDP, I type in 141.92.156.2:80, and it opens an RDP session to another machine, also on my network, with IP 192.168.0.117.
What port forwarding rule can I set up on my router to enable this?
None, not possible if these IPs are not on the same LAN.
The router is not involved if they are on the same LAN.
If they are on a different network, src and dst network cannot both be LAN.
These IPs have different subnet numbering, so they cannot both be on LAN
Now if you really are being honest about thinking you control the firewall at a bank for real...you'd make a port forward from WAN to LAN (not LAN to LAN). Otherwise your port forward rule was OK (except you can remove the public IP, and RDP is only TCP).
But none of this works until you can open the client's firewall, which you admit that you do not control.
Wow, are you trolling me? I'm finding it hard to describe this in simpler terms. But here goes again.
Imagine you are in your house, you have 2 machines A & B, which have ip addresses 1 & 2 respectively. You connect them together with a router, that is also in your house. Are you telling me it is impossible to set up the router so that when machine A opens a connection to ip address 3, it in fact gets routed to machine B?
Is this not the essence of port-forwarding? I know it is not impossible because, like I said, I have had it working before.
I only thought this worked from the IP in question (192.168.0.117); but otherwise, I also agree with your conclusion - given the scarce information the OP provided.
I honestly think the OP is using public address space (perhaps on one interface) and doesn't realize it...or wants to use a "hidden subnet" on the same LAN by forcing the firewall to redirect the packet....but then perhaps the OP's terminology in computer networking is not clear enough to convey that...
No, nobody is trolling you here. All answers you have received seem to me insightful and appropriate. You either do not know what you are doing, or are not capable of explaining yourself.
It's OK I've got it, was a couple of things, firstly the src had to be 'wan', I guess I was confused because both machines were on my network, I thought it would be 'lan' to 'lan'.
Secondly, I needed to set up a static route from 141.92.156.2 to 192.168.0.117. Can't share the config as I did this via the LuCI interface.
Maybe the second step is only needed because there's something wrong with the port forward config, but anyway, it's working!
config redirect
	option target 'DNAT'
	option proto 'tcp udp'
	option src_dip '141.92.156.2'
	option src_dport '80'
	option dest_ip '192.168.0.117'
	option dest_port '3389'
	option name 'annapurna156'
	option dest 'lan'
	option src 'wan'
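As an added example (not the poster's configuration and not OpenWrt project code), the script below turns the working redirect from the post above into a `uci batch` script and adds a small check for the two points the thread raised: a redirect with both src and dest set to 'lan', and a src_dip that is a public address the poster does not own. The section name `rdp_fwd` is an assumption; the addresses and ports are the thread's. The generated rule restricts proto to tcp, because RDP's base transport is TCP/3389 (add udp only if your clients rely on RDP's UDP transport). Nothing is applied by the script itself. One caveat the thread does not cover: when the client and the RDP host share a subnet, the host answers the client directly from its own address rather than from the address the client connected to, so a DNAT-only rule appears not to work unless the forwarded connection is also source-NATed; that is worth checking before adding static routes.

```shell
#!/bin/sh
# Added example, not the original poster's config or OpenWrt code.
#
# gen_rdp_redirect SECTION SRC_DIP SRC_DPORT DEST_IP DEST_PORT
# Prints a `uci batch` script for the working rule in the thread (DNAT from
# the 'wan' zone into 'lan'). Section name 'rdp_fwd' is an assumption.
# On the router you would apply it with:
#   gen_rdp_redirect rdp_fwd 141.92.156.2 80 192.168.0.117 3389 | uci batch
#   /etc/init.d/firewall reload
gen_rdp_redirect() {
    sec=$1
    src_dip=$2
    src_dport=$3
    dest_ip=$4
    dest_port=$5
    cat <<EOF
set firewall.$sec=redirect
set firewall.$sec.name='$sec'
set firewall.$sec.target='DNAT'
set firewall.$sec.src='wan'
set firewall.$sec.src_dip='$src_dip'
set firewall.$sec.src_dport='$src_dport'
set firewall.$sec.dest='lan'
set firewall.$sec.dest_ip='$dest_ip'
set firewall.$sec.dest_port='$dest_port'
set firewall.$sec.proto='tcp'
commit firewall
EOF
}

# is_private_v4 IP: succeeds only for an RFC 1918 address
# (10/8, 172.16/12, 192.168/16).
is_private_v4() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# lint_redirect: reads one redirect section in the plain /etc/config/firewall
# form posted in the thread from stdin, prints one "warn:" line per problem
# the thread raised, and returns 1 if anything was flagged (0 when clean).
lint_redirect() {
    cfg=$(cat)
    rc=0
    src=$(printf '%s\n' "$cfg" | sed -n "s/^[[:space:]]*option src '\([^']*\)'.*/\1/p")
    dest=$(printf '%s\n' "$cfg" | sed -n "s/^[[:space:]]*option dest '\([^']*\)'.*/\1/p")
    src_dip=$(printf '%s\n' "$cfg" | sed -n "s/^[[:space:]]*option src_dip '\([^']*\)'.*/\1/p")
    if [ "$src" = lan ] && [ "$dest" = lan ]; then
        echo "warn: src and dest are both 'lan'; the rule that worked in the thread used src 'wan'"
        rc=1
    fi
    if [ -n "$src_dip" ] && ! is_private_v4 "$src_dip"; then
        echo "warn: src_dip $src_dip is a public address not assigned to you; use an RFC 1918 address from your LAN"
        rc=1
    fi
    return $rc
}

# Demonstration on the first rule posted in the thread: both checks fire.
printf '%s\n' "option src 'lan'" "option dest 'lan'" "option src_dip '141.92.156.2'" \
    | lint_redirect || true
# And the uci batch for the rule that worked:
gen_rdp_redirect rdp_fwd 141.92.156.2 80 192.168.0.117 3389
```

The lint only inspects the three options the thread argued about; it is not a general validator for OpenWrt redirect sections.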
I explained above the issue; but you think I'm trolling you or something. Smh.
I thought you may have had the decency and honor to apologize, instead you act like I didn't provide this information.
Nonetheless, as others can now see, you are using a public IP belonging to a bank somewhere in your network. This is likely why rigging some weird route and port forward, instead of configuring it correctly, is even necessary to accomplish your goal.
If you configured this network range as normal, it likely wouldn't be necessary for you to route IPs from a bank to your RDP computer.