Port Forwarding not working 22.03.3

I recently installed 22.03.3 r20028-43d71ad93e on TL-WR1043ND-v2.
I am trying to access a device on my network that I was previously able to access through this router (when it was running TP-Link's OEM firmware). I have set up port forwarding, but I cannot reach the ports from the internet.

I have set up DDNS and confirmed it is running. I pinged it just fine.
I have the modem plugged into my router's WAN port. Below is the output of my current config.
Can someone help me understand what I'm missing to be able to access 192.168.0.139 remotely?

{
        "kernel": "5.10.161",
        "hostname": "OpenWrt",
        "system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
        "model": "TP-Link TL-WR1043ND v2",
        "board_name": "tplink,tl-wr1043nd-v2",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.3",
                "revision": "r20028-43d71ad93e",
                "target": "ath79/generic",
                "description": "OpenWrt 22.03.3 r20028-43d71ad93e"
        }
}
package network

# /etc/config/network as posted. Single LAN bridge (br-lan on eth1.1) with
# a static 192.168.0.1/24, WAN on the tagged eth0.2 sub-interface via DHCP.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdbf:84f4:6f05::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.1'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

# peerdns '0' ignores the resolvers offered by the ISP's DHCP server; the
# two Cloudflare addresses listed here are used instead.
config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1 (LAN): switch ports 1-4 plus CPU port 0 tagged.
# VLAN 2 (WAN): switch port 5 plus CPU port 6 tagged.
# Which CPU port maps to eth0 vs. eth1 is not shown in this dump.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'

# 802.1Q sub-interface carrying VLAN 2 on eth0; referenced by wan and wan6.
config device
        option name 'eth0.2'
        option type '8021q'
        option ifname 'eth0'
        option vid '2'

package dhcp

# /etc/config/dhcp as posted. dnsmasq serves the LAN only (localservice
# '1'); odhcpd handles DHCPv6/RA.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

# dhcp_option 6 hands LAN clients 1.1.1.1 / 1.0.0.1 as their DNS servers
# directly, so clients resolve against those servers rather than the
# router's dnsmasq.
config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option start '10'
        option limit '300'
        list dhcp_option '6,1.1.1.1,1.0.0.1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Static DHCP leases. MACs and names were anonymized by the poster before
# pasting (the X/x placeholders are not real values).
config host
        option mac 'XX:XX:XX:XX:xx:50'
        option ip '192.168.0.9'
        option name 'XXXXXX'
        option dns '1'

config host
        option mac '00:dd:dd:DD:dd:5D'
        option ip '192.168.0.12'

# 192.168.0.254 is the host the port forwards below point at.
config host
        option name 'Cat1'
        option dns '1'
        option mac '00:11:22:xx:yy:AA'
        option ip '192.168.0.254'

package firewall

# /etc/config/firewall as posted. Zone policy: lan is fully open, wan has
# input/forward REJECT with masquerading, so only the rules and redirects
# below admit traffic arriving from wan.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

# The rules from here to Allow-ISAKMP are the stock OpenWrt defaults.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# NOTE(review): a "Force DNS" redirect is usually LAN-side (src 'lan') to
# pin LAN clients to the router's resolver. This one has src 'wan' and no
# dest_ip, so it matches DNS arriving from the internet; without dest_ip a
# DNAT redirect appears to target the router itself — confirm what fw4
# generates for it. It is not needed for the port forward discussed in
# this thread and looks like a candidate for removal.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Force DNS'
        option src 'wan'
        option src_dport '53'
        option dest_port '53'

# 'Cats' and 'Cats2' both claim WAN port 80 for 192.168.0.254 with
# different internal ports; only one can take effect (raised in the
# replies below). 'icmp' in a port-based redirect has no meaning, since
# ICMP has no ports.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Cats'
        option src 'wan'
        option dest_ip '192.168.0.254'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'
        option src_dport '80'
        option dest_port '5036'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Cats2'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.0.254'
        option dest_port '6827'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'



head: /etc/firewall.user: No such file or directory
-ash: iptables-save: not found
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.0.1/24 brd 192.168.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 11.222.333.444/22 brd 44.333.222.111 scope global eth0.2
       valid_lft forever preferred_lft forever
default via 69.118.220.1 dev eth0.2  src 11.222.333.444
33.222.111.0/22 dev eth0.2 scope link  src 11.222.333.444
192.168.0.0/24 dev br-lan scope link  src 192.168.0.1
broadcast 33.222.111.0 dev eth0.2 table local scope link  src 11.222.333.444
local 11.222.333.444 dev eth0.2 table local scope host  src 11.222.333.444
broadcast 44.333.222.111 dev eth0.2 table local scope link  src 11.222.333.444
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.0.0 dev br-lan table local scope link  src 192.168.0.1
local 192.168.0.1 dev br-lan table local scope host  src 192.168.0.1
broadcast 192.168.0.255 dev br-lan table local scope link  src 192.168.0.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

You have two conflicting rules here... which one do you want to forward from port 80 on your WAN?


I wanted to open both ports on the internal IP, but if I have to choose one it would be port 5036. Thank you.

Correct. You can only use port 80 once in the port forwarding rules.
So remove this from your config:

Meanwhile, have you tested to make sure the service is running and listening for inbound connections on the host and port you've specified (192.168.0.254 port 5036)? You can test this while connected to your LAN. If it's not listening, port forwarding will not work because it has nothing to forward to.

Also, it is worth mentioning that you will be opening this service to the internet on port 80. Port 80 (traditionally used for HTTP/web) is likely to be a frequent target for crawlers, bots and potential attacks from malware/hackers on the internet. Be sure that the service is properly hardened for exposure to the internet. (If your need is entirely personal in nature, you could alternatively use a VPN, which is a much more secure method of gaining remote access to your network.)


Thank you. I have removed it and restarted, but no luck — port 80 doesn't open. I have tested the device and it is listening; I can access it locally via the internal IP on that port. I'll keep looking for a solution.

Are you testing from WAN?

Is .139 a typo? The posts above discuss the .254 host.


Yes I'm using portchecker.co and port 80 is closed.

Sorry, .139 and .254 are the same host. When I first posted the logs I was trying to anonymize the actual MACs and IPs.

I mean, did you actually test your service?

I would advise actually attempting to access the service you're configuring. You could use a cellular data connection, for example.

No need to obscure a private IP address.

ICMP doesn't have "ports", and if your server is UDP, it may not respond to such tests. If your server is TCP, I would advise omitting UDP and ICMP.

EDIT: BTW, you don't have to double post, you can respond to 2 people at once, tag them, etc.


Thanks. My service does work, and the only thing I changed was switching my TP-Link router from the OEM firmware to OpenWrt. I tried accessing it using cellular and via DDNS, but it doesn't connect. I feel confident it's just that port 80 is not open.
I had only added ICMP to see if that was what I was missing; I can turn that off. On the OEM firmware, when I had it working, I had it set up as TCP/UDP. I also had UPnP enabled on the OEM firmware.

  • Do you have any other conflicting port forward or traffic firewall rules - specifying port 80 on WAN?
  • To verify, you deleted the other conflicting rule, correct?

Correct. I just deleted the other rules and now I just have 1 rule for forwarding port 80. I rebooted the router and tested the service, and the portchecker tool. Port 80 is still closed.

I deleted the rule and created a new rule using a random port, and now I'm able to access my device as expected by appending that port to the URL (":XXXXX"). I wish I knew what I did wrong, but I think my issue is resolved now.
