Port Forwarding not working with 2 WAN interfaces

Hi All,

I'm using a device with 2 internet interfaces (MPLS SIM cards). Both of these WAN interfaces can be reached from the remote end.

I have put port forwarding rules in place, but I'm observing that these ports are only accessible through one of the 2 interfaces (the one with the lower metric). I'm unable to access the forwarded ports through the interface with the higher metric.

Below are the iptables rules that are created for the port forwarding rules for port 9021, which is forwarded to port 21 on 192.168.1.1:

test@iotgateway:~# iptables-save | grep 9021
-A zone_lan_prerouting -s 192.168.1.0/24 -d 10.146.236.235/32 -p tcp -m tcp --dport 9021 -m comment --comment "!fw3: FTP (reflection)" -j DNAT --to-destination 192.168.1.1:21
-A zone_lan_prerouting -s 192.168.1.0/24 -d 10.146.236.235/32 -p udp -m udp --dport 9021 -m comment --comment "!fw3: FTP (reflection)" -j DNAT --to-destination 192.168.1.1:21
-A zone_lan_prerouting -s 192.168.1.0/24 -d 10.82.29.142/32 -p tcp -m tcp --dport 9021 -m comment --comment "!fw3: FTP (reflection)" -j DNAT --to-destination 192.168.1.1:21
-A zone_lan_prerouting -s 192.168.1.0/24 -d 10.82.29.142/32 -p udp -m udp --dport 9021 -m comment --comment "!fw3: FTP (reflection)" -j DNAT --to-destination 192.168.1.1:21
-A zone_wan_prerouting -p tcp -m tcp --dport 9021 -m comment --comment "!fw3: FTP" -j DNAT --to-destination 192.168.1.1:21
-A zone_wan_prerouting -p udp -m udp --dport 9021 -m comment --comment "!fw3: FTP" -j DNAT --to-destination 192.168.1.1:21

Below are my routes:

test@iotgateway:~# ip route
default via 10.64.64.65 dev 3g-wanSIM0 proto static metric 10 
default via 10.64.64.64 dev 3g-wanSIM1 proto static metric 20 
10.64.64.64 dev 3g-wanSIM1 proto kernel scope link src 10.82.29.142 
10.64.64.65 dev 3g-wanSIM0 proto kernel scope link src 10.146.236.235 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
239.255.255.250 dev br-lan scope link 

Please let me know if there is any solution to this.

For two WAN interfaces, I can recommend installing the mwan3 package! That will set up all the kernel routing tables (ip route) and rules (ip rule), and also the iptables rules to mark packets.

AFAIK mwan3 is used for egress traffic (traffic leaving the router). For ingress traffic, as in this case, mwan3 has no role.

Is there any other parameter I need to verify to see if the port forward rules are applied properly, so that I can access the ports through both interfaces?

The port forwardings are applied fine (although you don't need UDP for FTP). If 192.168.1.1 is the router itself, you don't need DNAT; rather, open port TCP/21 on the WAN interfaces.

Also check here that testing incoming and forwarded ingress connections works fine.
https://openwrt.org/docs/guide-user/network/wan/multiwan/mwan3#tplink_wdr3600_mwan3_-_14-24_two_wan_connections

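Added example (not code from the thread, fw3 or mwan3): a small Python script that parses the ip route output pasted above, shows why replies to connections arriving on 3g-wanSIM1 are sent out via 3g-wanSIM0 (the lowest-metric default route), and emits the per-WAN ip rule / ip route commands that source-based policy routing needs so each reply leaves through the WAN it arrived on. The routing table ids 11 and 12 are assumed.

```python
"""Diagnose the multi-WAN asymmetric-return problem and emit the fix."""
import re
from dataclasses import dataclass

# Constructed copy of the `ip route` output from the original post.
IP_ROUTE = """\
default via 10.64.64.65 dev 3g-wanSIM0 proto static metric 10
default via 10.64.64.64 dev 3g-wanSIM1 proto static metric 20
10.64.64.64 dev 3g-wanSIM1 proto kernel scope link src 10.82.29.142
10.64.64.65 dev 3g-wanSIM0 proto kernel scope link src 10.146.236.235
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
"""

@dataclass
class Wan:
    dev: str
    gateway: str
    src: str      # address the router uses on this WAN
    metric: int

def parse_wans(text):
    """Pair each default route with the link route that carries its source IP."""
    defaults, srcs = {}, {}
    for line in text.splitlines():
        m = re.match(r"default via (\S+) dev (\S+).*metric (\d+)", line)
        if m:
            defaults[m.group(2)] = (m.group(1), int(m.group(3)))
        m = re.match(r"\S+ dev (\S+) proto kernel scope link src (\S+)", line)
        if m:
            srcs[m.group(1)] = m.group(2)
    wans = [Wan(d, gw, srcs[d], met) for d, (gw, met) in defaults.items()]
    return sorted(wans, key=lambda w: w.metric)

def reply_dev_main_table(wans):
    """With only the main table, every reply follows the lowest-metric
    default route, no matter which WAN the request came in on."""
    return min(wans, key=lambda w: w.metric).dev

def policy_routing_cmds(wans, first_table=11):
    """Per-WAN table plus a 'from <WAN address>' rule: a de-NATed reply
    sourced from a WAN address is routed back out of that same WAN."""
    cmds = []
    for i, w in enumerate(wans):
        t = first_table + i  # assumed table ids 11, 12, ...
        cmds.append(f"ip route add default via {w.gateway} dev {w.dev} table {t}")
        cmds.append(f"ip rule add from {w.src} lookup {t}")
    return cmds

if __name__ == "__main__":
    wans = parse_wans(IP_ROUTE)
    print("replies currently leave via:", reply_dev_main_table(wans))
    print("\n".join(policy_routing_cmds(wans)))
```

Replies to a DNAT'ed connection are un-NATed before the routing decision, so the `from` rule sees the WAN address and picks the matching table.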

Otherwise: