Port forwarding not working (yes, I have read 200 posts and still no success)

It’s there in fw3, but disabled.

then it's OK, I guess.

but since we can't see the rules for port 80, and 22, I assume they're (intentionally ?) added on OS level.

I'm guessing that is why all posts I find about it uses cli to edit the iptables?

I added an ssh key and disabled passlogin to feel a BIT safer at least, I was very close to just pull the plug and go back to the old router, but I KNOW I will NEVER fix this then.

So what are your recomendations? Is there a way to add a few rules that could fix this for me?

I REALLY appreciate you guys taking time to help me, trust me, I have TRIED to learn this stuff myself like all other linux things, but this is WAY above my knowledge grade.

If that is true, ppl HAVE TO BE WARNED ABOUT THIS IMMEDIATELY! But I also want to make sure this is actually by design, and not something I actually broke before accusing anybody of anything.
What can I do?

I would consider this device compromised, unplug it, and never use again, until there's a better/trustworthy image available somewhere..

Reimage, see in the same happens again, then it's made on purpose.

Yeah, I'll do that and come back here so maybe someone can help me find out if its actually completely open by design or not.

Be back in a while and hope someone is willing to help out.
Until then, lets assume I fucked up somehow.

(What about the fact the traffic is actually UDP and not TCP?)

Am I (the one) missing something?

Cause this seems like tail chasing.

OpenWRT isn't. If your router is then either you've misconfigured it or you're using a custom image of OpenWRT which has been modified by whoever created it.

What is the output from running cat /etc/config/firewall; cat /etc/firewall.user on the router?

2 Likes

adbd seems to be Android related, is there some reason for it to run on your device ?

Also let us know where you’re downloading this image from. And post the output from

ubus call system board

So we’re all on the same page from where you’re starting from.

1 Like

Absolutely!

I just got back to my internet, it took a while to switch back to my old router and get everything to work as I want (since I had to factory reset it)

I will NOT leave this be without finding out what happened, because I'm just as upset as the next fool. If there are actually ppl releasing experimental images that they present as "working out of the box" then this is NOT ok. But again, I want to make sure that I did not fuc*k (funny how one word can stop a whole post) up before pointing fingers. I'm one of those guys who assumes the best rather than worst, call me naive if you want, but that's how I work.

I'm pretty tired now after all this so I might do the reflashing tomorrow and then come back, but believe me, I won't leave without figuring this out!!

it did work out of the box, it might have, however, shipped with some additional, undocumented features :wink:

1 Like

It is a bit harsh to scrap the whole device since there is no proof in the fw config or fw active setup readout of these open ports.

The thing with port scans is that it isn’t that easy to know what it actually has sniffed at if you actually read the whole manual for NMAP for example.

So even if you scan a IP the actual scan system will look around 360° in the uplink and if any device on the way answers on the pinging you will get a false reading for that IP. So the less devices between test computer and device under test the more meaningful answer you will get.

And we have a lot of forum treads with pretty much the same result of you make port scans without understanding port scans.
It would probably be more meaningful test to actually try ssh connecting to port 22 for example on a specific IP address to see what happens instead of port scan it. If the ssh connection is rejected than the whole port scan result is false measurement result.

Using a browser to go to the public IP address the OP posted earlier brought up the Luci login page. Think it's safe to say it was more than a misreporting by nmap.

Maybe it would make sense to learn the following:

Which banana pi? I see several supported devices in the official openwrt listings.

And if the specific model is indeed not supported by the official project, has the op contacted the vendor support channels for help/debugging.

Meanwhile, let’s see the actual firewall file:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/firewall

Ok @psherman @krazeh @frollic @dave14305
I thought my profile would show the board I have (I added it when creating the profile, mb).

But here goes.
Completely fresh install, NOTHING is changed (I lied earlier, I did change the ip of the router on the previous install) and it does not have access to the internet. I haven't even logged into the webgui, only accessed it with ssh.

I connect directly to it with my win machine and it deliveres new ip when "ipconfig /renew".

Wall of text incoming:

BusyBox v1.33.1 (2021-11-18 23:12:11 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 21.02-SNAPSHOT, r0-f920a121a
 Manufacturer: BananaPi
 Manufacturer URL: https://www.banana-pi.org/
 Bug URL: https://www.banana-pi.org/

ubus call system board

{
        "kernel": "5.10.66",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 0",
        "model": "BananaPi RK3568-BPI-R2PRO-PC HDMI (Linux)",
        "board_name": "rockchip,rk3568-bpi-r2pro-pc",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02-SNAPSHOT",
                "revision": "r0-f920a121a",
                "target": "bananapi/armv8",
                "description": "OpenWrt 21.02-SNAPSHOT r0-f920a121a"
        }
}

cat /etc/config/firewall

config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT
        option fullcone         1
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option src_ip           fc00::/6
        option dest_ip          fc00::/6
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT

# allow interoperability with traceroute classic
# note that traceroute uses a fixed port range, and depends on getting
# back ICMP Unreachables.  if we're operating in DROP mode, it won't
# work so we explicitly REJECT packets on these ports.
config rule
        option name             Support-UDP-Traceroute
        option src              wan
        option dest_port        33434:33689
        option proto            udp
        option family           ipv4
        option target           REJECT
        option enabled          false

# include a file with users custom iptables rules
config include
        option path /etc/firewall.user


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp

cat /etc/firewall.user

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

Are there worries to be had about this image?
Need more info? Shout and I will obey. The board is only sitting there, isolated in its own little network bubble, all alone silently sobbing... xD

Edit.
Looking at the output of /etc/config/firewall at the end. WTF IS 194.25.2.129 ?!?!
I can ping it from my computer, someone/something in Germany??!?

Where do you download it from? It's an odd image because it claims to be a 21.02-SNAPSHOT, but runs Linux 5.10.66, which only appeared in 22.03. Hard to predict what else was turned inside out for this board.

EDIT: Does it come from here:
https://wiki.banana-pi.org/Banana_Pi_BPI-R2_Pro#Release_image

What output do you get now with iptables-save -c

Those entries are commented out as examples for user customization.

2 Likes

Yeah, you are right, should read more carefully.

iptables-save -c

# Generated by iptables-save v1.8.7 on Fri Jan  1 18:54:18 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
COMMIT
# Completed on Fri Jan  1 18:54:18 2021
# Generated by iptables-save v1.8.7 on Fri Jan  1 18:54:18 2021
*mangle
:PREROUTING ACCEPT [7265:707350]
:INPUT ACCEPT [6105:444411]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6820:754080]
:POSTROUTING ACCEPT [6829:757074]
COMMIT
# Completed on Fri Jan  1 18:54:18 2021
# Generated by iptables-save v1.8.7 on Fri Jan  1 18:54:18 2021
*filter
:INPUT ACCEPT [6106:444451]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6821:754456]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
COMMIT

Info about the image, compile logs are available at https://forum.banana-pi.org/t/banana-pi-bpi-r2-pro-openwrt-ubuntu-debian-linux-image/13158

So this whole thread is about a private/OEM "21.02" build containing a kernel 5.10 version only used since 22.03 and using a chip rk3568 that is not supported by the regular OpenWrt...
Nice.

The image is likely a mix of 21.02 with backports from 22.03 mixed with vendor's device hardware support code. No idea what they have done to the firewall/NAT code.

You should try to get help from the actual author of the image.

4 Likes

I did some more checking into the actual zip files I had on my computer.
It turns out that the version I'm using is no longer the one linked to in the forum post.
It used to be so the one on the banana pi wiki page was older than the one in the one linked to in the thread I posted. But the logs linked in the wiki was to the link with the post containing the newer images.
That is no longer the case, the forum post must have been changed back to the "old" one. I'm guessing it was removed for exactly the reasons I was experiencing.

Since I cant find this image (OpenWRT-21.02-EMMCBoot-rockdev-MT7531SW-DSA-20220623.zip) but rather only (OpenWRT-EMMCBoot-rockdev-MT7531SW-20220228) there is no real reason to panic.

I'll just delete the image I have on my computer and try the old one out, carefully. xD