Port forwarding not working - Packets not reaching LAN but Ports are open

Hi,
I have trouble setting up port forwarding with my new OpenWRT router. Here is my setup:
I have the router behind a modem set up in bridge mode, so I have a public IP on my OpenWRT router. On the LAN side I have two VLANs set up: 192.168.178.0/24 and 10.0.1.0/24. Routing between the networks works fine. I have been trying to set up port forwarding to a host in the 10.0.1.0/24 network. I want to forward ports 80 and 443 to my nginx proxy manager. The config looks like this:

config redirect
        option dest_port '80'
        option src 'wan'
        option name 'http_npm'
        option src_dport '80'
        option target 'DNAT'
        option dest_ip '10.0.1.14'
        option dest 'SmartHome'
        list proto 'tcp'

config redirect
        option dest_port '443'
        option src 'wan'
        option name 'https_npm'
        option src_dport '443'
        option target 'DNAT'
        option dest_ip '10.0.1.14'
        option dest 'SmartHome'
        list proto 'tcp'

config forwarding
        option dest 'wan'
        option src 'lan'

I have also created firewall rules to allow this traffic:

These are my firewall zone settings:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option masq '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'
        option input 'ACCEPT'

config zone
        option name 'SmartHome'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        list network 'SmartHome'

From a port scanner website I know that the ports seem to be open, and tcpdump also sees packets on wan. But they are not reaching the 10.0.1.0 interface, so it's probably the firewall. Being new to OpenWRT, I don't know what's missing. I have played around with the zone settings, but I haven't got it working.

Your firewall rules do not reflect in /etc/config/firewall

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thanks for the quick reply :slight_smile:

Yes, I only copied the parts I was referring to. But here is the output of the commands:

{
        "kernel": "4.4.60",
        "hostname": "GL-AXT1800",
        "system": "ARMv7 Processor rev 4 (v7l)",
        "model": "GL Technologies, Inc. AXT1800",
        "board_name": "glinet,axt1800",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02-SNAPSHOT",
                "revision": "r16399+159-c67509efd7",
                "target": "ipq807x/ipq60xx",
                "description": "OpenWrt 21.02-SNAPSHOT r16399+159-c67509efd7",
                "tip-revision": "OpenWrt 21.02-SNAPSHOT r16399+159-c67509efd7 / TIP-devel-d303bd39",
                "tip-version": "devel"
        }
}

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix ''

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth2'

config device
        option name 'eth1'
        option macaddr ''

config device
        option name 'eth2'
        option macaddr ''

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option isolate '0'
        option ipaddr '192.168.178.1'
        option device 'eth2'

config device
        option name 'eth0'
        option macaddr ''

config interface 'wan'
        option device 'eth0'
        option ipv6 '0'
        option proto 'pppoe'
        option username ''
        option password ''

config interface 'wan6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@wan'

config switch
        option name 'switch0'
        option reset '0'
        option enable_vlan '0'

config interface 'tethering6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@tethering'

config interface 'wwan6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@wwan'

config interface 'guest'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option multicast_querier '1'
        option igmp_snooping '0'
        option isolate '0'
        option bridge_empty '1'
        option disabled '1'

config interface 'wwan'
        option proto 'dhcp'

config interface 'modem_1_1_2_6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@modem_1_1_2'

config rule 'policy_bypass_vpn'
        option mark '0x60000/0x60000'
        option lookup '53'
        option priority '53'

config rule 'policy_via_vpn'
        option mark '0x80000/0x80000'
        option lookup '52'
        option priority '52'

config rule 'policy_dns'
        option mark '0x100000/0x100000'
        option lookup '51'
        option priority '51'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option description 'LAN'
        option ports '1 5t'

config switch_vlan
        option device 'switch0'
        option ports '2 5t'
        option vlan '3'
        option description 'Smart Home'

config interface 'SmartHome'
        option proto 'static'
        option ipaddr '10.0.1.1'
        option netmask '255.255.255.0'
        option device 'br_smarthome'

config device
        list ports 'eth1'
        option type 'bridge'
        option name 'br_smarthome'
        option bridge_empty '1'

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/c000000.wifi'
        option band '5g'
        option htmode 'HE80'
        option channels '36,40,44,48'
        option country 'US'
        option channel 'auto'
        option legacy_rates '0'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'GL-AXT1800-0b4-5G'
        option encryption 'psk2'
        option wds '1'
        option isolate '0'
        option ifname 'wlan1'
        option key ''
        option disabled '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/c000000.wifi+1'
        option band '2g'
        option country 'US'
        option disabled '0'
        option channel 'auto'
        option htmode 'HE40'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option encryption 'psk2'
        option wds '1'
        option ifname 'wlan0'
        option network 'SmartHome'
        option key ''
        option ssid ''

config wifi-iface 'guest5g'
        option device 'radio0'
        option network 'guest'
        option mode 'ap'
        option ifname 'wlan1-1'
        option encryption 'psk2'
        option ssid 'GL-AXT1800-0b4-5G-Guest'
        option guest '1'
        option disabled '1'
        option wds '1'
        option isolate '1'
        option key ''

config wifi-iface 'guest2g'
        option device 'radio1'
        option network 'guest'
        option mode 'ap'
        option ifname 'wlan0-1'
        option encryption 'psk2'
        option ssid 'GL-AXT1800-0b4-Guest'
        option guest '1'
        option disabled '1'
        option wds '1'
        option isolate '1'
        option key ''

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option local '/lan/'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option rebind_protection '0'
        option domain ''

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option leasetime '12h'
        option dhcpv4 'server'
        option force '1'
        option limit '254'
        option dhcpv6 'disabled'
        option ra 'disabled'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config domain
        option name 'console.gl-inet.com'
        option ip '192.168.8.1'

config domain
        option name 'console.gl-inet.com'
        option ip '::ffff:192.168.8.1'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'disabled'
        option ra 'disabled'

config dhcp 'SmartHome'
        option leasetime '12h'
        option interface 'SmartHome'
        option start '50'
        option limit '254'
        list ra_flags 'none'

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'
        option input 'ACCEPT'
        option masq '1'
        option forward 'REJECT'

config rule
        option dest_port '80'
        option name 'allow_in_http-npm'
        option dest 'SmartHome'
        list dest_ip '10.0.1.14'
        option target 'ACCEPT'
        list proto 'tcp'
        option src '*'

config rule
        option dest_port '443'
        option name 'allow_in_https_npm'
        option dest 'SmartHome'
        list dest_ip '10.0.1.14'
        option target 'ACCEPT'
        list proto 'tcp'
        option src '*'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config include 'nat6'
        option path '/etc/firewall.nat6'
        option reload '1'

config rule 'process_mark'
        option name 'process_mark'
        option dest '*'
        option proto 'all'
        option extra '-m owner --gid-owner 65533'
        option target 'MARK'
        option set_xmark '0x80000/0x80000'

config rule 'wan_in_conn_mark'
        option name 'wan_in_conn_mark'
        option src 'wan'
        option dest '*'
        option set_xmark '0x80000/0x80000'
        option target 'MARK'
        option extra '-m mark --mark 0x0/0x3f00 -j CONNMARK --set-xmark 0x80000/0x80000'
        option enabled '0'

config rule 'lan_in_conn_mark_restore'
        option name 'lan_in_conn_mark_restore'
        option src 'lan'
        option dest '*'
        option set_xmark '0x80000/0x80000'
        option target 'MARK'
        option extra '-m connmark --mark 0x80000/0x80000 -j CONNMARK --restore-mark'
        option enabled '0'

config rule 'out_conn_mark_restore'
        option name 'out_conn_mark_restore'
        option dest '*'
        option set_xmark '0x80000/0x80000'
        option target 'MARK'
        option extra '-m connmark --mark 0x80000/0x80000 -j CONNMARK --restore-mark'
        option enabled '0'

config include 'swap_wan_in_conn_mark'
        option type 'script'
        option reload '1'
        option enabled '0'
        option path '/etc/firewall.swap_wan_in_conn_mark.sh'

config rule 'block_dns'
        option name 'block_dns'
        option src '*'
        option device 'br-+'
        option dest_port '53'
        option target 'REJECT'
        option enabled '0'

config include 'gls2s'
        option type 'script'
        option path '/var/etc/gls2s.include'
        option reload '1'

config include 'glblock'
        option type 'script'
        option path '/usr/bin/gl_block.sh'
        option reload '1'

config include 'vpn_server_policy'
        option type 'script'
        option path '/etc/firewall.vpn_server_policy.sh'
        option reload '1'
        option enabled '1'

config zone
        option name 'SmartHome'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        list network 'SmartHome'

config rule
        option dest 'SmartHome'
        option src 'lan'
        option name 'allow_lan_to_any'
        option target 'ACCEPT'

config rule
        option src 'SmartHome'
        option name 'allow_homeassistant_any'
        list src_ip '10.0.1.11'
        option dest '*'
        option target 'ACCEPT'

config rule
        option dest_port '5353'
        option src '*'
        option dest '*'
        option target 'ACCEPT'
        list proto 'udp'
        option name 'Allow_mDNS'

config rule
        option dest '*'
        option src 'SmartHome'
        option name 'Allow_Smarhome_to_any'
        option target 'ACCEPT'

config redirect
        option dest_port '80'
        option src 'wan'
        option name 'http_npm'
        option src_dport '80'
        option target 'DNAT'
        option dest_ip '10.0.1.14'
        option dest 'SmartHome'
        list proto 'tcp'

config redirect
        option dest_port '443'
        option src 'wan'
        option name 'https_npm'
        option src_dport '443'
        option target 'DNAT'
        option dest_ip '10.0.1.14'
        option dest 'SmartHome'
        list proto 'tcp'

config forwarding
        option dest 'wan'
        option src 'lan'

config forwarding
        option dest 'wan'
        option src 'SmartHome'

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.

Okay, I understand. However, as I am new to OpenWRT-based routers, it would be very helpful if someone could confirm that my current setup should work in vanilla OpenWRT, because then it is probably a vendor-specific problem.

Ask in the gl.inet forum.
Saved firewall rules are incompletely visualized in their LuCI web version; there is no telling what else deviates.
As for the rule in the config file, it should forward as you expect on real OpenWRT.
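As an added example (not from the thread and not OpenWrt's own code): a small Python script that parses the UCI format of the configs posted above and checks each DNAT redirect against the zone it targets and the subnets of that zone's interfaces, which is the cross-reference the last reply is making by eye. The sample configs are constructed excerpts of the posted ones, and the names `parse_uci` and `check_redirects` are mine.

```python
import ipaddress
import shlex

# Constructed excerpts of /etc/config/network and /etc/config/firewall
NETWORK = """
config interface 'SmartHome'
        option ipaddr '10.0.1.1'
        option netmask '255.255.255.0'
"""
FIREWALL = """
config zone
        option name 'SmartHome'
        list network 'SmartHome'

config redirect
        option name 'http_npm'
        option src 'wan'
        option src_dport '80'
        option target 'DNAT'
        option dest_ip '10.0.1.14'
        option dest 'SmartHome'
        list proto 'tcp'
"""

def parse_uci(text):
    """Parse UCI text into (type, name, {key: [values]}) tuples; 'list' keys accumulate."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if parts[0] == "config":
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, {}))
        elif parts[0] in ("option", "list") and sections:
            sections[-1][2].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return sections

def check_redirects(network_text, firewall_text):
    """Return findings for DNAT redirects; an empty list means every redirect is consistent."""
    # Subnet of each static interface, keyed by interface name
    subnets = {n: ipaddress.ip_network(f"{o['ipaddr'][0]}/{o['netmask'][0]}", strict=False)
               for t, n, o in parse_uci(network_text)
               if t == "interface" and "ipaddr" in o and "netmask" in o}
    fw = parse_uci(firewall_text)
    # Zone name -> interfaces it covers
    zones = {o["name"][0]: o.get("network", []) for t, _, o in fw if t == "zone"}
    findings = []
    for t, _, o in fw:
        if t != "redirect" or o.get("target", ["DNAT"])[0] != "DNAT":
            continue
        name, zone = o.get("name", ["?"])[0], o.get("dest", [None])[0]
        ip = ipaddress.ip_address(o["dest_ip"][0])
        if zone not in zones:
            findings.append(f"{name}: dest zone {zone!r} is not defined")
        elif not any(ip in subnets[n] for n in zones[zone] if n in subnets):
            findings.append(f"{name}: dest_ip {ip} is outside every subnet of zone {zone!r}")
    return findings
```

Run against the posted config it returns no findings, which matches the reply that the redirect itself is sound; a wrong `dest` zone or a `dest_ip` outside the zone's subnet is reported by name.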