Port forwarding on AC1750

Hi all,
I have a good background in computer engineering but it looks like I've fallen behind. I cannot, for the love of god, do a simple port forward!

I am using LuCI openwrt-19.07 on AC1750 Archer v5. I just want to forward 8080 to my Raspberry Pi.

If I run sudo netstat -pant | grep 8080 on my Raspberry Pi I get:

Pi is listening on port 8080 and if I open 192.168.1.140:8080 I get the desired webpage shown.

This is the port forward in question. I've set it up as shown below.

This should be completely straightforward but it's not working at all. I did not change any other things in OpenWRT settings. Can someone please, please, please help me? I'm already sorry that I did not stay with the official firmware. Hopefully you guys will prove me wrong.

Here are the missing two screenshots, apparently I cannot add more than one picture.

opkg update
opkg install tcpdump
tcpdump -n -i any port 8080

https://openwrt.org/docs/guide-quick-start/sshadministration


If you want to forward a port from WAN you have to open the port also.

Network -> Firewall -> Traffic Rules, right after the Traffic Rules list there's "Open ports on router"

Permissive rules matching DNAT conntrack state are added automatically by default.

Sorry, didn't know that this is handled automatically. Thanks for pointing this out.

Okay, here is the partial output for tcpdump -n -i any port 8080

07:27:44.332061 IP 188.xxx.yyy.zz.8080 > 192.168.64.103.62316: Flags [R.], seq 0, ack 1, win 0, length 0
07:27:44.332198 IP 188.xxx.yyy.zz..8080 > 192.168.1.146.62316: Flags [R.], seq 0, ack 1, win 0, length 0
07:27:44.332217 IP 188.xxx.yyy.zz..8080 > 192.168.1.146.62316: Flags [R.], seq 0, ack 1, win 0, length 0

So it's trying to forward to all devices except the Raspberry Pi on 192.168.1.140.

It looks like you have cropped it too much.
Those seem to be only replies, no requests.

Oh sorry, here's another screenshot.

Is it normal to have my IP and 8080 port together written in this way? Like www.yyy.xxx.10.8080 and not www.yyy.xxx.10:8080

Thank you for helping me!

Well, this is confusing.
Post your configuration redacting the private parts:

uci show network; uci show firewall; \
ip address show; ip route show; ip rule show

Sure, here's the output:

root@OpenWrt:~# uci show network; uci show firewall; \
> ip address show; ip route show; ip rule show
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdfd:1a04:5619::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan_eth0_2_dev=device
network.wan_eth0_2_dev.name='eth0.2'
network.wan_eth0_2_dev.macaddr='xxxxxx'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 3 4 5 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 0t'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].name='some awesome game'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='8080'
firewall.@redirect[0].dest_ip='192.168.1.140'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp' 'udp'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether d8:07:b6:81:68:91 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::da07:b6ff:fe81:6891/64 scope link
       valid_lft forever preferred_lft forever
4: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether d8:07:b6:81:68:90 brd ff:ff:ff:ff:ff:ff
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether d8:07:b6:81:68:91 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fdfd:1a04:5619::1/60 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::da07:b6ff:fe81:6891/64 scope link
       valid_lft forever preferred_lft forever
7: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether d8:07:b6:81:68:91 brd ff:ff:ff:ff:ff:ff
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether d8:07:b6:81:68:92 brd ff:ff:ff:ff:ff:ff
    inet 192.168.64.103/24 brd 192.168.64.255 scope global eth0.2
       valid_lft forever preferred_lft forever
    inet6 fe80::da07:b6ff:fe81:6892/64 scope link
       valid_lft forever preferred_lft forever
9: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether d8:07:b6:81:68:91 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::da07:b6ff:fe81:6891/64 scope link
       valid_lft forever preferred_lft forever
default via 192.168.64.1 dev eth0.2  src 192.168.64.103
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
192.168.64.0/24 dev eth0.2 scope link  src 192.168.64.103
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

None of your interfaces has a public IP address, so it is not clear how you expect it to work.
Typically you are supposed to configure port forwarding on the router which has a public IP address.

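The check behind the reply above, as an added example that is not part of the original thread: it reads `ip address show` output, extracts the WAN device's IPv4 address and reports whether it is publicly routable or sits behind another NAT. The function names are hypothetical and `eth0.2` is assumed as the WAN device, as in the posted configuration.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed excerpt in the format of
# `ip address show`, using the LAN and WAN addresses posted above.
SAMPLE='6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.64.103/24 brd 192.168.64.255 scope global eth0.2'

# classify_ipv4 ADDR: print private, cgnat, loopback, link-local, public or invalid.
classify_ipv4() {
    case $1 in ''|*[!0-9.]*) echo invalid; return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs   # split into octets
    [ $# -eq 4 ] || { echo invalid; return 1; }
    for o in "$@"; do
        case $o in ''|????*) echo invalid; return 1 ;; esac
        [ "$o" -le 255 ] || { echo invalid; return 1; }
    done
    if   [ "$1" -eq 10 ]; then echo private                                   # 10.0.0.0/8
    elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then echo private  # 172.16.0.0/12
    elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then echo private              # 192.168.0.0/16
    elif [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then echo cgnat   # 100.64.0.0/10
    elif [ "$1" -eq 127 ]; then echo loopback
    elif [ "$1" -eq 169 ] && [ "$2" -eq 254 ]; then echo link-local
    else echo public
    fi
}

# wan_ipv4 DEV: read `ip address show` output on stdin, print DEV's first IPv4 address.
wan_ipv4() {
    awk -v dev="$1" '
        /^[0-9]+: / { cur = $2; sub(/[:@].*/, "", cur) }   # "eth0.2@eth0:" -> "eth0.2"
        $1 == "inet" && cur == dev { split($2, a, "/"); print a[1]; exit }
    '
}

# check_wan DEV: returns 0 only when DEV holds a public IPv4 address.
check_wan() {
    addr=$(wan_ipv4 "$1")
    [ -n "$addr" ] || { echo "no IPv4 address on $1"; return 2; }
    kind=$(classify_ipv4 "$addr")
    case $kind in
        public) echo "$addr is public: a DNAT rule on this router is reachable from the internet" ;;
        *) echo "$addr is $kind: an upstream device does NAT, so the port must be forwarded there as well"; return 1 ;;
    esac
}

printf '%s\n' "$SAMPLE" | check_wan eth0.2 || true
```

On the router itself the same check is `ip address show | check_wan eth0.2`.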

The router is connected to my ISP's shitty modem/router. I will put it in DMZ and send you some beer money. Thank you for figuring this out. I wonder how long it would take me to figure it out myself, probably quite some time.