Port forwarding not working

I have installed tcpdump and followed the ping signal.

  • 192.168.210.10 is getting no reply
  • 192.168.210.1 is
23:08:56.302554 IP 10.10.10.2 > 192.168.210.10: ICMP echo request, id 65015, seq 12, length 72
23:08:58.306645 IP 10.10.10.2 > 192.168.210.10: ICMP echo request, id 54784, seq 13, length 72
23:09:00.314563 IP 10.10.10.2 > 192.168.210.10: ICMP echo request, id 21399, seq 14, length 72
23:09:04.060950 IP 10.10.10.2 > 192.168.210.1: ICMP echo request, id 45989, seq 0, length 72
23:09:04.061059 IP 192.168.210.1 > 10.10.10.2: ICMP echo reply, id 45989, seq 0, length 72
23:09:05.080595 IP 10.10.10.2 > 192.168.210.1: ICMP echo request, id 39897, seq 1, length 72
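
To make the request/reply pairing in a capture like this mechanical rather than done by eye, here is a small added script (not from the thread) that parses tcpdump's default ICMP echo lines, matches each reply to its request by swapped addresses plus id/seq, and reports which targets never answered. The sample lines are the ones quoted above; the `echo_report` and `silent_targets` function names are my own.

```python
import re
from collections import defaultdict

# Regex for tcpdump's default ICMP echo line format, e.g.
# "23:08:56.302554 IP 10.10.10.2 > 192.168.210.10: ICMP echo request, id 65015, seq 12, length 72"
ICMP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def parse_icmp(lines):
    """Yield (ts, src, dst, kind, id, seq) for each ICMP echo line; skip anything else."""
    for line in lines:
        m = ICMP_LINE.match(line.strip())
        if m:
            yield (m["ts"], m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"]))

def echo_report(lines):
    """Return {target: {"sent": n, "answered": m}} by pairing each echo reply with
    the request it answers (same id/seq, source and destination swapped)."""
    pending = {}                      # (src, dst, id, seq) -> True while unanswered
    stats = defaultdict(lambda: {"sent": 0, "answered": 0})
    for _ts, src, dst, kind, ident, seq in parse_icmp(lines):
        if kind == "request":
            pending[(src, dst, ident, seq)] = True
            stats[dst]["sent"] += 1
        else:
            key = (dst, src, ident, seq)   # the reply travels the other way
            if pending.pop(key, None):
                stats[src]["answered"] += 1
    return dict(stats)

def silent_targets(lines):
    """Targets that were pinged but never answered a single echo request."""
    return sorted(t for t, s in echo_report(lines).items() if s["answered"] == 0)

# Capture lines taken from the post above (assumed to be a verbatim tcpdump excerpt).
SAMPLE = """\
23:08:56.302554 IP 10.10.10.2 > 192.168.210.10: ICMP echo request, id 65015, seq 12, length 72
23:08:58.306645 IP 10.10.10.2 > 192.168.210.10: ICMP echo request, id 54784, seq 13, length 72
23:09:00.314563 IP 10.10.10.2 > 192.168.210.10: ICMP echo request, id 21399, seq 14, length 72
23:09:04.060950 IP 10.10.10.2 > 192.168.210.1: ICMP echo request, id 45989, seq 0, length 72
23:09:04.061059 IP 192.168.210.1 > 10.10.10.2: ICMP echo reply, id 45989, seq 0, length 72
23:09:05.080595 IP 10.10.10.2 > 192.168.210.1: ICMP echo request, id 39897, seq 1, length 72
""".splitlines()

if __name__ == "__main__":
    for target, s in echo_report(SAMPLE).items():
        print(f"{target}: {s['answered']}/{s['sent']} echo requests answered")
    print("silent:", silent_targets(SAMPLE))
```

Feed it `tcpdump -ni wg0 icmp` output from the router to see at a glance which side of the tunnel is dropping replies.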

As you have shown, 192.168.210.1 does respond. But, I would expect it to because it is the router itself on that end, and the firewall zone that contains the WG interface has input = ACCEPT. It is a special case in that it isn't actually routing to a different subnet here -- it's really just like responding to an alias or nickname.

But that said, I remain entirely confident that the problem is not OpenWrt. The problem is on the 192.168.210.10 host OS, VM configuration, or guest OS (in the VM), or some combination of all of those.

What puts a big question mark on my forehead are the port forwardings. My main purpose is not only VPN access, but also routing 443/80 to Docker based services running on the Debian client (192.168.210.10).

I have set up the forwardings, but typing in the public IPv4 of the OpenWrt router (starting with 202) does not bring up the web server running on the Debian client. The web service itself is running on the Debian client, as it is reachable through Debian's public IPv4 (starting with 94).

The port forwarding works on the wan zone and is not relevant for the VPN. And, stuff coming in from the wan will have a publicly routable IP address as compared to the vpn which will be another RFC1918 subnet.

I cannot explain why your target host isn't responding, but I remain confident that the OpenWrt side of things is configured properly. The only way to prove or disprove this, however, is to have another real (not virtual) host on that network to use as a target.

If Debian's default route is via ISP and not OpenWrt, that would explain everything.

Disable the public IP address and set the router's IP as the default gateway.

You can run this on Debian to see if it fixes the vpn connection (won't help with port forwarding).

ip route add 192.168.200.0/24 via 192.168.210.1

I get your point, but the Debian system can already access the 192.168.200.0/24 fully. The routing VPS Debian - OpenWrt - WireGuard - Keenetic - Client in 192.168.20.0/24 works.

On the other hand, I can access the OpenWRT Luci from my local clients (192.168.200.0/24) by typing 192.168.210.1 in the browser… so, this is more than just an alias replying to a ping signal.

For testing purposes, run this on OpenWrt and try again.

nft insert rule inet fw4 srcnat_lan ip daddr 192.168.210.0/24 counter snat ip to 192.168.210.1

I have executed the command… well, after Perplexity explained its content to me.

I have three results:

  • I can access services running on the 192.168.210.10 Debian client from a 192.168.200.0/24 client.
  • I cannot access the LUCI GUI via 192.168.210.1 from a 192.168.200.0/24 client (which worked before).
  • After a reboot, the systems behaved as before (LUCI accessible, Debian services not).