Port forwarding problem

This week I met a very weird problem. I just configured a very typical router running 17.01.4 with a static WAN IP. I've done this kind of setup many times. Just like I did before, I configured it in our office where I was working. The SSH port 22 was forwarded to an internal server with a very typical setting:

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '22'
        option dest_ip '172.16.100.1'
        option dest_port '22'
        option name 'SSH'

And it worked as I expected. I then moved it to the other office where the router is to be placed. This office has different static IPs. I modified the WAN IP accordingly. But then it just stopped working. I watched the log messages with the following rule:

iptables -t nat -I PREROUTING -p tcp -i eth1 --dport 22 -j LOG

eth1 is the external interface. Packets going to port 22 did reach the router but just did not get forwarded to the destination server.

I've tried everything I can to solve the problem without a clue. Finally I am sort of bypassing this problem. Because we have more IPs available, the idea of an IP alias came to my mind. I just bound one more IP to the WAN interface. This time it works. But I would like to find the underlying reason. Is there anyone who can give me a hint? Thanks.

Is there any particular reason you are setting up your rules directly via iptables instead of letting fw3 do its magic? Unless you know what you are doing, the firewall should be configured via LuCI/UCI via the /etc/config/firewall file to avoid clashes between your manually inserted rules and the ones auto-created by fw3.

Edit: actually, disregard my comment. I was too focused on the iptables quote. But you quoted the firewall config for the earlier working setup. So I assume you used that for the new setup as well. Could you post the /etc/config/firewall file in full with the new rules for the new setup?

In order to dig out the real problem, I left the /etc/config/firewall unmodified except the port forwarding rules for SSH.

By any chance, are you running dropbear on all interfaces?

I shifted the port that dropbear is listening on to 222:

config dropbear
        option PasswordAuth 'on'
        option Port '222'

Oh, I noticed that I cannot ssh to port 222 on wan by the original IP. But the IP alias will accept outside connections (also on port 222).

Did that solve your other problem?

For clarity, is the SSH server you're connecting to the dropbear instance on the router, or another downstream device???