Port forwarding not working

I have a simple configuration: an ADSL modem in bridge mode , a fritzbox and a PC (with ubuntu) connected to each other. In the fritzbox several ports are forwarded to the PC. This works as expected.

Now I change the fritzbox by an nanopi wth openwrt. Port forwarding does not work. Why?

The modem has an internal (at the home side) IP and gives the IP to the WAN side of the Nanopi. The Nanopi LAN side has a static IP (given by me) and gives the PC an IP adress. I forward the WAN port 4444 to the LAN adress When I ssh from elsewhere with the correct IP adress (dyndns)(also visable in the Web interface of the modem) and the port 4444 I expect to ssh to my PC ( sshd is running. Why is this all working with the fritzbox and not working with openwrt (version 19.7)?

Please post the result of the following commands:

iptables-save -t nat -c | grep DNAT

See below:

[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 22 -m comment --comment "!fw3: ssh" -j DNAT --to-destination

I must say, I tried a lot and also the forwarding the WAN port 22 (in my post this was 4444). I am no expert on iptables but what looks strange to me is the "--dport 22" . Should this not be "--sport 22"?

No, it should be --dport

The firewall rule is correct, except that you must initiate the SSH request to port 22, not 4444.
Delete your redirect rule and execute the following:

uci add firewall redirect
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].proto='tcp'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].src_dport='4444'
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].dest_ip=''
uci set firewall.@redirect[-1].dest_port='22'
uci set firewall.@redirect[-1].family='ipv4'
uci set firewall.@redirect[-1].name='SSH_to_PC'
uci commit firewall
fw3 restart

If it still doesn't work, post the output of the previous command again.

It makes no difference. The output of the iptables-save command is as expected:

[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 4444 -m comment --comment "!fw3: SSH_to_PC" -j DNAT --to-destination

When looking at the status of the firewall (in the openwrt webpage) I am not able to see where the ssh packets (or ping packets) are stopped.

Can this be a result of some strange behaviour of the modem? As I said before, with a Fritzbox router with portforwarding it all works so, in my opinion, it must be the openwrt router who behaves strange so the most likely place where it goes wrong is the firewall. Is there an easy way to check that packets from outside really arrive at the wan side of the openwrt router?

Something else is strange. When I ping from outside to my fritzbox I get a reply and a normal time. When I do the same with my openwrt router the pings are dropped or rejected. As far as I know the pings from outside to the openwrt router are allowed (you can turn this off). I will recheck this.

If pings are not returned while they should be returned, the problem lies obviously not in the port forwarding rule.

There are no hits on the rule, which means that the requests do not reach the wan interface of the router.

Then there must be some other rule (before this zone_wan_prerouting rule) that blocks the pings and the ssh packets?

The PREROUTING chain is the first chain in the iptables processing flowchart and it is used only to change the destination address of the packets. The ping could be blocked by the filter INPUT chain, but as I said before, the packets do not reach the wan interface.

There must be something else, like

When I ping from outside my ip address I get a response, when I switch my fritzbox for the openwrt router I get nothing. OK my openwrt router gets an IP address from the modem but nothing else I can think of. How can my modem know I switched routers?

I could give my openwrt router a static address.

Have you checked to make sure you have the same IP address on the wan when you switch out the routers. Often, a different MAC means a different IP address is assigned to your router. If you are using a ddns service, make sure it is updated

Do not do this unless your isp specifically instructs you to use a static ip configuration.

These two sentences are contradictory... if the modem is in bridge mode, your router should get a public IP address.

You are right. This home router I got from my provider is a normal router with all the bells and whistles. When I wanted to do (several years ago) something that was not possible with this router (make two extra routing rules), I switched something in the router: turn on bridge or DMZ mode, I now can not remember which of the two. In hindsight it must have been DMZ mode. My modem (H369A) does not support bridge mode but has DMZ. I understood that after this the one Lan port acts like a public IP address and there is no firewall or routing active; it is just a modem that lets everything through. (this is on address The attached router should do the firewalling and routing. This question is about the changing of the fritzbox for a openwrt router (a Nanopi). The Fritzbox allowed extra routing table lines, but the Nanopi is capable to do a lot more.

Please tell me if I understand some thing wrong.

The Nanopi worked well as a normal router apart from the forwarding of ports (for ssh and openvpn).

I did something similar at an other place with a modem/router that supported bridge mode and everything worked there fine (port forwarding, firewall, dyndns, dhcp, wifi, openvpn, ssh) with a Nanopi.

It was strange behaviour of the modem after all. When you put this modem (ZTE H369A) in DMZ mode you have to enter an IP adress or a Mac address. I gave an IP address ( The modem has normally a DHCP server running at the Lan side and that gives address starting from That's the address my old Fritzbox got from the modem (mathing the address I gave at the DMZ page). When I switched the Fritzbox for the Nanopi (with openwrt) it got the address (why not 3?). Apparently this worked OK apart from pings from outside (the internet) and from incoming traffic (on the ports I wanted to forward (in my case 4444).

There is some logic in this in hindsight. The normal lease time is 24 hours. I found the solution by giving the nanopi a fixed address and the same mac address as the fritzbox. The mac address would have be sufficient. Also waiting a day or some resetting would have done the trick. After that I could ping from outside and the forwarding worked.

It is now no problem to get the Nanopi working with the normal DHCP server working at my modem and getting an address and DNS servers from my modem.

I would like to thank pavelgl and psherman for their replies!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

Sorry, but I don't' see how to mark this thread as solved.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.