Port forwarding problem

hi guys,
I have spent hours on this issue and read a number of posts on the topic of port forwarding using OpenWrt. Still no luck. Thus I am turning to you hoping that you can help. Here is the issue:

Years ago I configured an OpenWrt router to do port forwarding as determined below.

                    OpenWrt router
ISP    -   (  WAN zone    -   LAN zone   )    -   server
          192.168.1.0/24   192.168.2.0/24     192.168.2.71:443

My ISP assigned a public IP address to me and it had been working as expected.

Recently I changed the router device and configured port forwarding on the new device again. This time it does not work according to https://canyouseeme.org/

When I put my old device back in place, port forwarding works as expected.

Given below are configuration files for my new router device. Can anyone tell me what is wrong in the configuration and why the anticipated port forwarding does not work when I hit my public IP address on the port 37564?

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd70:dadc:30ff::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr '50:d4:f7:fa:4a:23'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

root@OpenWrt:~# cat /etc/config/firewall 
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'https at lahti'
	option src 'wan'
	option src_dport '37564'
	option dest_ip '192.168.2.71'
	option dest_port '443'
	list proto 'tcp'

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.137",
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link Archer C7 v5",
	"board_name": "tplink,archer-c7-v5",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ath79/generic",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}

Your OpenWrt router does not have a public IP on its wan interface.
I guess you have an ISP provided device acting as an upstream router for you.
If the ISP device has a public IP assigned, then it should have either DMZ or port forwarding configured as well. I would start from checking these settings.
Since your OpenWrt is configured as DHCP client you will probably need to configure a static mapping for it on the upstream router, or just allocate the address statically.

2 Likes

You don’t have a public ip according to your own network map.

Definitions of private ip addresses

1 Like

You have a forward from ISP to your wan on port
37564 ?

EDIT: sorry, replied to wrong person :frowning:

Hi @jan3

here is my idea :slight_smile:

  1. no, you don't have public IP, and you set port forward FIRST on ISP router, or you setup DMZ on ISP router, whatever ...
  2. since your OWRT was only device attached on ISP router, there was "almost" static 192.168.1.x IP assigned for your old OWRT device
  3. so, your DMZ or FIRST port forward from ISP router worked as expected, because you set for ex: ISP 8080 -> 192.168.1.100 (OWRT) 8080 -> 192.168.2.100 (LAN) 8080
  4. you changed your device, and your "almost" static addres is changed, it is not 192.168.1.100 anymore, it is maybe 101 now
  5. your FIRST portfowrad from ISP router, or DMZ, point still to old 192.168.1.100 (old OWRT router)
  6. check your ISP router how it is set up
    maybe this will help ?

Thank you, @AndrewZ, @flygarn12 and NPeca75 (as a new user I can address only two users in a post), for pointing out that I do not have a public IP address assigned to my device and that a configuration on the upstream router need to be changed so it forwards the traffic (addressed to my public IP address) to my device which shall have a static IP address. I will follow up with the ISP (who has a control over the upstream device) later and inform the forum about the outcome then.

@kukulo, ISP forwards all traffic (regardless of either source or destination port) to my device; or rather to a dynamic IP address which my old device leased and my new device did not - thus the problem. I picked 37564 just for testing purposes.

exactly what i wrote in my post

The traffic on that random port is not coming that is my opinion. Can you nmap the port to see wherer is open? Moreover an accept forward rule on wan zone is a wrong configuration.

You can see the WAN IP address in the GUI on Status > Overview in the Network section:
afbeelding

Here you see mine and my WAN ip address is 192.168.0.9

This is not a public IP address so I can easily show it.

Please lookup your own WAN IP address and only show the part before the first dot this is because you do not want to show your whole WAN IP address if you really have a public IP address

1 Like

@egc, as I indicated in my original post in this thread, my WAN IP address is 192.168.1.0/24. It is 192.168.1.59 in particular. Thus the hypothesis which @NPeca75 and AndrewZ declared in their posts in this thread.

It's only now that I have raised a ticket at the ISP. As soon as I have their response I will inform the forum in this thread if the hypothesis was right.

1 Like

Guys, as written in this and this post, the problem was a configuration of the upstream device controlled by an ISP. The configuration has been changed to route a traffic (destined to "my public IP address") to my new device and port forwarding works as expected. Thus the problem was not a configuration of my device (as presented in the initial post in this thread) but a configuration of the upstream device. Thank you for your help and support.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.