Port forwarding problem

Greetings all,

in the thread Restrict communication between two vlans to only single host in each VLAN, @psherman helped me to set up port forwarding.

Unfortunately, when I shut down and restarted the host to which the server was forwarded, the forwarding no longer worked. Although I can ping from the host all the hosts on the same sub-net, when I ping the sub-net's gateway, the reply is Destination port unreachable, so I am not sure whether this message refers to the gateway or the port to be forwarded from the server.

I had commented out the port forwarding section, restarted the router, re-introduced the port forwarding, but this did not work.

It is not a problem with the Windows gateway, as it was working before and no change was made, in fact, I re-checked by temporarily disabling the relevant Windows gateways.

Any help would be appreciated.

Kindest regards,

M

Can you give some specifics...

  • The windows host is on what network?
    • what is its IP address?
    • is it possible that the IP has changed (relative to what is configured in the port forward rule)?
  • From what IP are you initiating the pings, and what is the target IP of that ping?
  • Have you verified that the server is working properly based on attempting to connect from another system on the same subnet as the Windows machine?

Hi @psherman,

Lan_Legacy 192.168.0.X/24

192.168.0.10/24 as originally configured.

From the host at 192.168.0.10/24 to 192.168.0.5/24.

Yes.

I do not think that it makes any difference, but some, but not all, of the hostnames have Lan_WS appended by the DHCP reservation as defined in the DHCP and DNS - General Settings, because it worked before.

Kindest regards,

M

So here you are actually pinging the router itself from the windows host.

Based on your configuration here, pings would not be expected to work because the input rule on that zone is REJECT.

The port forward should still work even though the ping does not.
Alternatively, you can add a rule to allow the pings, if you want, but it would be pinging your router, not the host behind your router.

Hi @psherman,

you are correct, but the ping to the server results in the same response:

Reply from 192.168.0.5: Destination port unreachable.

In fact, Windows Network troubleshooter report:

The remote device or resource won't accept the connection.

and the forwarding, which worked is no longer working. So, the question is, how to test where the problem is?

Kindest regards,

M

So in an ssh connection to the router itself, you are saying you cannot ping 192.168.0.10?

The port forwarding was inbound (i.e. from 192.168.0.0/24 into your private networks), so that doesn't affect outbound connections.

Hi @psherman,

No, sorry for the confusion. When I am on the host (192.168.0.10/24), I cannot ping the server, with the response coming from the gateway 192.168.0.5.

The Windows troubleshooter is clearly lying because the same server is mountable from several other Windows hosts.

I am not sure about this statement, the port is forwarded from the server to the host, in other words, the server is mountable onto the host. But, this may be semantics.

Kindest regards,

M

Ah... well, you could add a port forward rule for pings... currently that isn't allowed.

Other windows hosts on the 192.168.0.0/24 network?

Because there are servers on both sides of the routers, maybe there is an issue of precision in the terms being used here. I think it would be better to discuss them in terms of their IP addresses.

Based on your current config in the other threads (unless anything has changed), your 192.168.2.0/24 network should be able to reach any and all hosts on the 192.168.0.0/24 network. The reverse is not true because of the masquerading and firewall on your router's Lan_Legacy interface (192.168.0.5) -- and this is where the port forwarding comes into play.

Hi @psherman,

No, not from that sub-net. But all the hosts on the (192.168.1.X/24) sub-net.

No, the (Windows) hosts on 192.168.1.X/24 can access the hosts on 192.168.0.X/24, but not vice versa. The hosts on 192.168.0.X/24 cannot access the hosts on the 192.168.2.X/24 except the single host 192.168.0.10/24 should be able to access a single host on the 192.168.2.X/24.

All that worked when you helped me to figure out the problem with the incorrect gateway 192.168.0.5/24 instead of 192.168.0.1/24.

I am completely lost, why just shutting down and starting the host no longer works.

Kindest regards,

M

I forgot the mention the 192.168.1.0/24 network...

This is expected.

Right.

But it's not happening now? Is the port forward rule enabled currently? Is the host/server on the 192.168.2.0/24 network up and running properly (can you connect to it from other hosts on the 192.168.2.0/24 network? What about the 192.168.1.0/24 network?)

Hi @psherman,

No, none of the hosts on the 192.168.0.0/24 network can mount the server on 192.168.2.10/24. Now, saying that, I do not know if all could do it, it was tested and worked only with the 192.168.0.10/24.

Well, the Enable check-mark is checked in LuCI. Here is the firewall:

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'Lan_WS'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'Lan_WS'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'Lan_WS'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'Lan_WS'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'Lan_Servers'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'Lan_Servers'
        option forward 'ACCEPT'

config forwarding
        option src 'Lan_WS'
        option dest 'wan'

config forwarding
        option src 'Lan_WS'
        option dest 'Lan_Servers'

config forwarding
        option src 'Lan_Servers'
        option dest 'Lan_WS'

config zone
        option name 'Lan_Legacy'
        option output 'ACCEPT'
        list network 'Lan_Legacy'
        option masq '1'
        option forward 'REJECT'
        option input 'REJECT'

config forwarding
        option src 'Lan_WS'
        option dest 'Lan_Legacy'

config redirect
        option name 'SMB'
        option dest 'Lan_Legacy'
        option target 'DNAT'
        option src 'Lan_Servers'
        option src_dport '445'
        option dest_port '445'
        option family 'ipv4'
        option dest_ip '192.168.2.10'
        list proto 'tcp'

Currently, there is only a single host on the 192.168.2.0/24 network, but all the hosts on the 192.168.1.0/24 network can mount the server on 192.168.2.10/24.

Kindest regards,

M

Can you try a different host on 192.168.0.0/24 to connect to the server at 192.168.2.10?

Hi @psherman,

Yes, I tried, and no it could not connect.

Kindest regards,

M

Check the windows firewall on 192.168.2.10 -- try disabling it and see if that helps.

Hi @psherman,

no difference.

Kindest regards,

M

I'm really not sure why it isn't working.

Let's try a different service. Does your server at 192.168.2.10 have an ssh server? Can we try that through the port forward instead (TCP port 22)? A web server or really any other service could be used. This will help us understand if the forwarding is working in general.

Hi @psherman,

I reconfigured the ports to 22 for ssh, but the connection times out.

I wonder whether, despite your valiant effort, it is not time to admit defeat. I actually even tried a different computer, because the circumstances under which it quit working are peculiar, but that did not help.

See, before I posted here, I did a lot of searching, and I gathered that several people had unsolved problems with port forwarding on OpenWRT. Perhaps there is a problem with the software working on my router.

So, instead of port forwarding, what about enabling access from the Lan_Legacy to the Lan_Servers, and then restrict the access by:

  • allowing only the single host through the OpenWRT firewall, by, e.g., IP address, MAC address, perhaps I can even generate a certificate, and other restrictions that you can think of;
  • allowing, at the target server firewall, access only from the single host; and
  • disallowing, at the other servers on the same sub-net, access from the entire 192.168.0.2/24 sub-net.

Yes, the last two restrictions are going against the centralized control philosophy, but, as the saying goes "Man's gotta do, what man's gotta do."

What do you think?

Kindest regards,

M

I think I found the problem...

The source and destination zones are reversed:

It should look like this:

config redirect
        option name 'SMB'
        option src 'Lan_Legacy'
        option target 'DNAT'
        option dest 'Lan_Servers'
        option src_dport '445'
        option dest_port '445'
        option family 'ipv4'
        option dest_ip '192.168.2.10'
        list proto 'tcp'
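As an added diagnostic, not code from the thread or from OpenWrt, here is a small Python checker that parses a UCI firewall snippet and flags any DNAT redirect whose dest_ip does not belong to the subnet of its dest zone, which is exactly the swapped src/dest shown above. The zone-to-subnet map is an assumption built from the addresses mentioned in the thread, and the embedded redirect is the one posted earlier.

```python
import ipaddress
# Zone -> subnet map constructed from the thread (Lan_WS as 192.168.1.0/24
# is an assumption; the other two follow from the addresses in the posts).
ZONE_SUBNETS = {
    "Lan_Legacy": ipaddress.ip_network("192.168.0.0/24"),
    "Lan_WS": ipaddress.ip_network("192.168.1.0/24"),
    "Lan_Servers": ipaddress.ip_network("192.168.2.0/24"),
}
# The redirect section as posted in the thread, with src and dest reversed.
BROKEN = """\
config redirect
        option name 'SMB'
        option dest 'Lan_Legacy'
        option target 'DNAT'
        option src 'Lan_Servers'
        option src_dport '445'
        option dest_port '445'
        option dest_ip '192.168.2.10'
        list proto 'tcp'
"""

def parse_uci(text):
    """Minimal UCI parser: (section_type, options) pairs; 'list' keys become lists."""
    sections = []
    for raw in text.splitlines():
        parts = raw.split(None, 2)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts[0] in ("option", "list") and sections and len(parts) == 3:
            key, value = parts[1], parts[2].strip().strip("'\"")
            if parts[0] == "option":
                sections[-1][1][key] = value
            else:
                sections[-1][1].setdefault(key, []).append(value)
    return sections

def check_redirects(text, zone_subnets=ZONE_SUBNETS):
    """Flag DNAT redirects whose dest_ip lies outside the dest zone's subnet."""
    problems = []
    for stype, opts in parse_uci(text):
        if stype != "redirect" or opts.get("target", "DNAT") != "DNAT":
            continue
        name, zone, ip = opts.get("name", "?"), opts.get("dest"), opts.get("dest_ip")
        subnet = zone_subnets.get(zone)
        if ip is None or subnet is None:
            problems.append((name, f"missing dest_ip or unknown dest zone {zone!r}"))
        elif ipaddress.ip_address(ip) not in subnet:
            problems.append((name, f"dest_ip {ip} is not in zone {zone} ({subnet}); src/dest swapped?"))
    return problems
```

Running check_redirects on the posted section reports the SMB rule; after swapping src and dest as suggested above it reports nothing.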

Hi @psherman,

thank you, I triple checked it, even rebooted the router, but the problem persists.

Kindest regards,

M

Let's see the complete configuration again (network and firewall files).