Port forwarding not working

Hi, I'm running OpenWrt 18.06.1 on a GL.iNet GL-300M mini router and I have some trouble with port forwarding.
On the WAN side of this router (we will call it MainRouter from now on) I have a static IP address (140.80.0.10). My PC is directly connected to MainRouter's WAN side and it is the only device connected there.
The only device connected to MainRouter's LAN port (IP 192.168.10.253) is the LAN port of an identical device (we will call it SecondaryRouter from now on), with IP 192.168.10.254.
Now I'm trying to set up a port forward that would allow me to connect via SSH to SecondaryRouter from MainRouter's WAN, but it's not working.
I tried forwarding WAN port 1022 to LAN port 22 of IP 192.168.10.253 (MainRouter WAN to MainRouter LAN) and it worked: I was able to connect via SSH (with PuTTY) to MainRouter without opening port 22.
If I try to forward WAN port 1022 to LAN port 22 of IP 192.168.10.254 (SecondaryRouter's IP) it doesn't work.

Here I attach my firewall settings:


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option syn_flood '1'
	option forward 'REJECT'

config redirect
	option target 'DNAT'
	option family 'ipv4'
	option proto 'tcp udp'
	option src 'wan'
	option src_dport '1022'
	option dest 'lan'
	option dest_port '22'
	option dest_ip '192.168.10.254'
	option name 'fwd SSH'
	
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'tethering wan wan6 wwan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'
	option reload '1'

config include 'glfw'
	option type 'script'
	option path '/usr/bin/glfw.sh'
	option reload '1'

config include 'glqos'
	option type 'script'
	option path '/usr/sbin/glqos.sh'
	option reload '1'

config include 'mwan3'
	option type 'script'
	option path '/var/etc/mwan3.include'
	option reload '1'

config zone 'guestzone'
	option name 'guestzone'
	option network 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'

config rule 'guestzone_dhcp'
	option name 'guestzone_DHCP'
	option src 'guestzone'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule 'guestzone_dns'
	option name 'guestzone_DNS'
	option src 'guestzone'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

config rule 'glservice_rule'
	option name 'glservice'
	option proto 'tcp udp'
	option src 'wan'
	option target 'ACCEPT'
	option enabled '0'
	option dest_port '83'

config rule 'glssh_rule'
	option name 'glssh'
	option dest_port '22'
	option proto 'tcp udp'
	option src 'wan'
	option target 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'guestzone'

config forwarding
	option dest 'wan'
	option src 'lan'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '80'
	option name 'LuCi'

I believe I'm missing something, maybe something stupid, but I'm new at this...
Thanks in advance for any help you can give me!

Similar discussion: Port forwarding for ssh
Make sure dropbear on the slave router is listening on WAN as well and there is a rule allowing incoming traffic on the TCP port used.


I just tried what you suggested.
I connected PC -> WAN_MainRouter_LAN -> WAN_SecondaryRouter (with a static IP and a firewall rule for port 22).
Obviously I changed the MainRouter redirect to point at SecondaryRouter's WAN IP.
It didn't work, even though I can connect via SSH with PC -> WAN_SecondaryRouter.

My hoped-for scenario is PC -> WAN_MainRouter_LAN -> LAN_SecondaryRouter...

Thank you anyway for your answer, I will certainly read the post you mentioned more carefully.

Here I attach my tcpdump output

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
17:28:26.856495 IP (tos 0x0, ttl 128, id 13953, offset 0, flags [DF], proto TCP (6), length 52)
    140.80.0.2.57295 > 140.80.0.10.1022: Flags [S], cksum 0x8ca7 (correct), seq 2451527902, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:28:27.856182 IP (tos 0x0, ttl 128, id 13955, offset 0, flags [DF], proto TCP (6), length 52)
    140.80.0.2.57295 > 140.80.0.10.1022: Flags [S], cksum 0x8ca7 (correct), seq 2451527902, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:28:29.856371 IP (tos 0x0, ttl 128, id 13957, offset 0, flags [DF], proto TCP (6), length 52)
    140.80.0.2.57295 > 140.80.0.10.1022: Flags [S], cksum 0x8ca7 (correct), seq 2451527902, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:28:33.857934 IP (tos 0x0, ttl 128, id 13959, offset 0, flags [DF], proto TCP (6), length 52)
    140.80.0.2.57295 > 140.80.0.10.1022: Flags [S], cksum 0x8ca7 (correct), seq 2451527902, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:28:41.859662 IP (tos 0x0, ttl 128, id 13963, offset 0, flags [DF], proto TCP (6), length 52)
    140.80.0.2.57295 > 140.80.0.10.1022: Flags [S], cksum 0x8ca7 (correct), seq 2451527902, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
^C
5 packets captured
8 packets received by filter
0 packets dropped by kernel

... maybe it helps to understand what's happening...

Thanks again

Sorry, I forgot to say that the command was

tcpdump -i any -vn tcp port 1022

You will not see the other leg this way, try

tcpdump -i any -vn 'tcp port 1022 or 22'

I tested as you told me, but the result is almost the same...

~# tcpdump -i eth0 -vn 'tcp port 1022 or 22'
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:54:48.275939 IP (tos 0x0, ttl 128, id 22678, offset 0, flags [DF], proto TCP (6), length 52)
    140.80.0.2.55360 > 140.80.0.10.1022: Flags [S], cksum 0xfc25 (correct), seq 1455434830, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:54:49.276083 IP (tos 0x0, ttl 128, id 22679, offset 0, flags [DF], proto TCP (6), length 52)
    140.80.0.2.55360 > 140.80.0.10.1022: Flags [S], cksum 0xfc25 (correct), seq 1455434830, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:54:51.276910 IP (tos 0x0, ttl 128, id 22682, offset 0, flags [DF], proto TCP (6), length 52)
    140.80.0.2.55360 > 140.80.0.10.1022: Flags [S], cksum 0xfc25 (correct), seq 1455434830, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:54:55.277354 IP (tos 0x0, ttl 128, id 22683, offset 0, flags [DF], proto TCP (6), length 52)
    140.80.0.2.55360 > 140.80.0.10.1022: Flags [S], cksum 0xfc25 (correct), seq 1455434830, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:55:03.277824 IP (tos 0x0, ttl 128, id 22684, offset 0, flags [DF], proto TCP (6), length 52)
    140.80.0.2.55360 > 140.80.0.10.1022: Flags [S], cksum 0xfc25 (correct), seq 1455434830, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel

Then I can only suggest double-checking the firewall rule.
You should have something similar to

# fw3 print | grep 1022
iptables -t nat -A zone_wan_prerouting -p tcp -m tcp --dport 1022 -m comment --comment "!fw3: test_ssh" -j DNAT --to-destination 192.168.10.254:22

Here's what I get

# fw3 print | grep 1022
Warning: Section @zone[1] (wan) cannot resolve device of network 'wwan'
iptables -t nat -A zone_wan_prerouting -p tcp -m tcp --dport 1022 -m comment --comment "!fw3: tst SSH" -j DNAT --to-destination 192.168.10.254:22
iptables -t nat -D zone_lan_prerouting -p tcp -s 192.168.10.0/255.255.255.0 -d 140.80.0.10/255.255.255.255 -m tcp --dport 1022 -m comment --comment "!fw3: tst SSH (reflection)" -j DNAT --to-destination 192.168.10.254:22
iptables -t nat -A zone_lan_prerouting -p tcp -s 192.168.10.0/255.255.255.0 -d 140.80.0.10/255.255.255.255 -m tcp --dport 1022 -m comment --comment "!fw3: tst SSH (reflection)" -j DNAT --to-destination 192.168.10.254:22

I know this is an old topic, but I struggled with the same problem. Unfortunately there was no answer to it here. I tried a lot and searched a lot without success, until I found the real problem:

The second router did not have its default gateway set to the IP address of the first router. So it had nothing to do with the firewall rules, just standard routing.
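The last reply explains the symptom in one sentence; the capture earlier in the thread shows what it looks like on the wire (SYNs retransmitted, never a SYN-ACK). The script below is an added example, not code from the thread or from OpenWrt: it models both routers' forwarding tables with longest-prefix matching and traces the DNAT'd SSH SYN out and the SYN-ACK back. Addresses are the ones from the thread; the /24 masks, interface names, routing tables and the `lan_masq` alternative (masquerading on MainRouter's lan zone so SecondaryRouter never needs a default route) are assumptions that go beyond what the thread states.

```python
"""Added example (not from the thread): why a missing default gateway on
SecondaryRouter produces exactly the SYN-only capture posted above.

The DNAT on MainRouter rewrites only the destination, so SecondaryRouter sees
a SYN from 140.80.0.2 and must route its SYN-ACK back to that address. With
no default route the kernel returns ENETUNREACH and the reply is never sent.
Addresses are the thread's; the /24 masks, interface names and routing
tables are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[str]  # next-hop address; None means the prefix is on-link
    dev: str


def route(prefix, dev, via=None):
    return Route(ipaddress.ip_network(prefix), via, dev)


def lookup(table, dst):
    """Longest-prefix match, as the kernel FIB does it. None == no route."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


PC, MAIN_WAN = "140.80.0.2", "140.80.0.10"
MAIN_LAN, SECONDARY = "192.168.10.253", "192.168.10.254"

MAIN_TABLE = [route("140.80.0.0/24", "eth0"), route("192.168.10.0/24", "br-lan")]
# What the poster's SecondaryRouter looked like (connected routes only) ...
SECONDARY_NO_GW = [route("192.168.10.0/24", "br-lan")]
# ... and after the fix from the last reply: default via MainRouter's LAN IP.
SECONDARY_WITH_GW = SECONDARY_NO_GW + [route("0.0.0.0/0", "br-lan", via=MAIN_LAN)]


def trace_forwarded_ssh(secondary_table, client_port=57295, lan_masq=False):
    """Follow the SYN through MainRouter's DNAT and the SYN-ACK back.

    lan_masq=True models the alternative fix of masquerading on MainRouter's
    lan zone (option masq '1' on that zone, or a SNAT redirect): the forwarded
    SYN then carries MainRouter's LAN IP as source, so SecondaryRouter can
    answer without any default route, at the cost of losing the client IP.
    Returns the hop-by-hop trace plus the verdict 'reply_delivered'.
    """
    steps = []
    fwd_src = MAIN_LAN if lan_masq else PC

    # 1. MainRouter, PREROUTING: DNAT 140.80.0.10:1022 -> 192.168.10.254:22,
    #    then a FIB lookup on the rewritten destination.
    hop = lookup(MAIN_TABLE, SECONDARY)
    if hop is None:
        steps.append(f"main: no route to {SECONDARY}, SYN dropped")
        return {"steps": steps, "reply_delivered": False}
    steps.append(f"main: DNAT {PC}:{client_port}->{MAIN_WAN}:1022 => "
                 f"{fwd_src}:{client_port}->{SECONDARY}:22 out {hop.dev}")

    # 2. SecondaryRouter accepts the SYN and must route the SYN-ACK to fwd_src.
    back = lookup(secondary_table, fwd_src)
    if back is None:
        steps.append(f"secondary: SYN-ACK to {fwd_src}: no route (ENETUNREACH), dropped")
        return {"steps": steps, "reply_delivered": False}
    nexthop = back.via or fwd_src
    steps.append(f"secondary: SYN-ACK {SECONDARY}:22->{fwd_src}:{client_port} "
                 f"to next hop {nexthop} dev {back.dev}")
    if nexthop != MAIN_LAN:
        # A default route pointing at some other box also fails: the reply
        # reaches a host that holds no conntrack entry for this flow.
        steps.append(f"secondary: next hop {nexthop} is not MainRouter, flow breaks")
        return {"steps": steps, "reply_delivered": False}

    # 3. MainRouter matches its conntrack entry and reverses the NAT, so the
    #    PC sees the reply come from 140.80.0.10:1022, the address it dialled.
    hop = lookup(MAIN_TABLE, PC)
    if hop is None:
        steps.append(f"main: no route back to {PC}")
        return {"steps": steps, "reply_delivered": False}
    steps.append(f"main: un-NAT => {MAIN_WAN}:1022->{PC}:{client_port} out {hop.dev}")
    return {"steps": steps, "reply_delivered": True, "reply_src": (MAIN_WAN, 1022)}


if __name__ == "__main__":
    for label, table, masq in (("no default gw", SECONDARY_NO_GW, False),
                               ("default via MainRouter", SECONDARY_WITH_GW, False),
                               ("no gw, lan masq", SECONDARY_NO_GW, True)):
        result = trace_forwarded_ssh(table, lan_masq=masq)
        print(f"== {label}: reply_delivered={result['reply_delivered']}")
        for step in result["steps"]:
            print("  ", step)
```

Running it prints the three traces: without a default route the SYN-ACK dies on SecondaryRouter, which is why a capture on MainRouter shows only the client's retransmitted SYNs and nothing on port 22 in the other direction. On OpenWrt the fix from the last reply is `option gateway '192.168.10.253'` in the `lan` interface section of `/etc/config/network` on SecondaryRouter (checked with `ip route` showing `default via 192.168.10.253`). The `lan_masq` path shows the trade-off of the masquerade workaround: it works with no gateway at all, but SecondaryRouter's SSH logs then record every client as 192.168.10.253.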
