Port Forwarding: multiple ports one rule, port range

Firmware: OpenWrt 18.06.2 r7676-cddd7b4c77 / LuCI openwrt-18.06 branch (git-19.020.41695-6f6641d)

I am trying to forward multiple ports to some devices.

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '53 80 3074'
	option dest_ip '192.168.1.31'
	option dest_port '53 80 3074'
	option name 'Allow-Xbox-Live-TCP'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '53 88 500 3074 3544 4500'
	option dest_ip '192.168.1.31'
	option dest_port '53 88 500 3074 3544 4500'
	option name 'Allow-Xbox-Live-UDP'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '5060 7078:7109'
	option dest_ip '192.168.1.5'
	option dest_port '5060 7078:7109'
	option name 'Allow-VoIP-FB-7412'

service firewall restart gives me an error.

root@OPENWRT-ROUTER:~# service firewall restart
Warning: Option @redirect[0].src_dport has invalid value '53 80 3074'
Warning: Option @redirect[0].dest_port has invalid value '53 80 3074'
Warning: Section @redirect[0] (Allow-Xbox-Live-TCP) skipped due to invalid options
Warning: Option @redirect[1].src_dport has invalid value '53 88 500 3074 3544 4500'
Warning: Option @redirect[1].dest_port has invalid value '53 88 500 3074 3544 4500'
Warning: Section @redirect[1] (Allow-Xbox-Live-UDP) skipped due to invalid options
Warning: Option @redirect[2].src_dport has invalid value '5060 7078:7109'
Warning: Option @redirect[2].dest_port has invalid value '5060 7078:7109'
Warning: Section @redirect[2] (Allow-VoIP-FB-7412) skipped due to invalid options

I think you can specify a continuous port range (e.g. 500-510) but not multiple individual ports or ranges in one rule.


Oh yes, sure. I was reading the options list for firewall rules (which allows this).

But wouldn't it make sense to implement this kind of feature for port forwardings?
Or is this a technical limitation of iptables?

I think it's just not that required. Applications that use many ports will usually just use a continuous range. For the case of few individual ports, I imagine it's simple enough to have separate rules.


Unfortunately, it's a limitation of the current version of fw3.
Although I wouldn't recommend it, you can still use raw iptables commands in /etc/firewall.user.


I just created single rules for all ports now. Hopefully it will be possible to do this in one rule someday.

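The workaround the thread ends on, one redirect section per port or contiguous range, can be generated instead of typed by hand. The script below is an added example, not code from any poster or from OpenWrt: the function names are hypothetical, the option names and the wan/lan/DNAT values are copied from the config in the question, and ranges are written with a hyphen as in the 500-510 example in the reply.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# valid_port N: true when N is a decimal integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# expand_redirects NAME PROTO DEST_IP "PORT|LO:HI|LO-HI ..."
# Prints one redirect section per token. Prints nothing and returns 1 if any
# token is malformed, so a typo cannot produce a partial rule set.
expand_redirects() {
    er_name=$1 er_proto=$2 er_ip=$3 er_specs=
    for er_tok in $4; do
        er_spec=$(printf '%s' "$er_tok" | tr ':' '-')   # 7078:7109 -> 7078-7109
        er_lo=${er_spec%%-*}
        er_hi=${er_spec#*-}          # same as er_lo when there is no separator
        if ! valid_port "$er_lo" || ! valid_port "$er_hi" ||
           [ "$er_lo" -gt "$er_hi" ]; then
            echo "invalid port spec: $er_tok" >&2
            return 1
        fi
        er_specs="$er_specs $er_spec"
    done
    for er_spec in $er_specs; do
        printf 'config redirect\n'
        printf "\toption name '%s-%s'\n" "$er_name" "$er_spec"
        printf "\toption target 'DNAT'\n"
        printf "\toption src 'wan'\n"
        printf "\toption dest 'lan'\n"
        printf "\toption proto '%s'\n" "$er_proto"
        printf "\toption src_dport '%s'\n" "$er_spec"
        printf "\toption dest_ip '%s'\n" "$er_ip"
        printf "\toption dest_port '%s'\n\n" "$er_spec"
    done
}

# Usage with a port list from the question (output goes to stdout for review):
#   expand_redirects Allow-VoIP-FB-7412 udp 192.168.1.5 '5060 7078:7109'
```

Each generated section opens one WAN-facing port or range to the named LAN host, so the output doubles as a list of what is exposed.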