Port forwarding problem

hi guys,
I have spent hours on this issue and read a number of posts on the topic of port forwarding using OpenWrt. Still no luck. Thus I am turning to you hoping that you can help. Here is the issue:

Years ago I configured an OpenWrt router to do port forwarding as determined below.

                    OpenWrt router
ISP    -   (  WAN zone    -   LAN zone   )    -   server
          192.168.1.0/24   192.168.2.0/24     192.168.2.71:443

My ISP assigned a public IP address to me and it had been working as expected.

Recently I changed the router device and configured port forwarding on the new device again. This time it does not work according to https://canyouseeme.org/

When I put my old device back in place, port forwarding works as expected.

Given below are configuration files for my new router device. Can anyone tell me what is wrong in the configuration and why the anticipated port forwarding does not work when I hit my public IP address on the port 37564?

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd70:dadc:30ff::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr '50:d4:f7:fa:4a:23'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

root@OpenWrt:~# cat /etc/config/firewall 
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'https at lahti'
	option src 'wan'
	option src_dport '37564'
	option dest_ip '192.168.2.71'
	option dest_port '443'
	list proto 'tcp'

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.137",
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link Archer C7 v5",
	"board_name": "tplink,archer-c7-v5",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ath79/generic",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}

Your OpenWrt router does not have a public IP on its wan interface.
I guess you have an ISP provided device acting as an upstream router for you.
If the ISP device has a public IP assigned, then it should have either DMZ or port forwarding configured as well. I would start from checking these settings.
Since your OpenWrt is configured as a DHCP client you will probably need to configure a static mapping for it on the upstream router, or just allocate the address statically.

2 Likes
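The check behind the answer above, as an added example that is not part of this thread: it parses the wan interface and redirect sections posted by the OP (embedded here as a constructed sample), then reports whether the WAN address falls in a range that can only exist behind another NAT device (RFC 1918 or carrier-grade NAT), whether the DHCP lease makes the upstream forward fragile, and which ports the upstream router would have to forward. The WAN address is supplied by hand (on the router it can be read from Status > Overview or `ubus call network.interface.wan status`).

```python
import ipaddress
import shlex

# Constructed sample: the wan interface and redirect sections posted in the thread.
NETWORK_CFG = """
config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
"""
FIREWALL_CFG = """
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'https at lahti'
	option src 'wan'
	option src_dport '37564'
	option dest_ip '192.168.2.71'
	option dest_port '443'
	list proto 'tcp'
"""
# Ranges a WAN interface holds only when another NAT device sits upstream (RFC 1918 + RFC 6598 CGNAT).
UPSTREAM_NAT_NETS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def parse_uci(text):
    """Parse UCI text into a list of (type, name, {key: [values]}) sections."""
    sections = []
    for line in text.splitlines():
        parts = shlex.split(line)
        if not parts:
            continue
        if parts[0] == "config":
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, {}))
        elif parts[0] in ("option", "list") and sections:
            sections[-1][2].setdefault(parts[1], []).append(parts[2])
    return sections

def diagnose(wan_ip, network_cfg=NETWORK_CFG, firewall_cfg=FIREWALL_CFG):
    """Explain why a wan->lan redirect may be unreachable from the Internet."""
    addr = ipaddress.ip_address(wan_ip)
    double_nat = any(addr in net for net in UPSTREAM_NAT_NETS)
    wan = next(s for s in parse_uci(network_cfg) if s[:2] == ("interface", "wan"))
    redirects = [s[2] for s in parse_uci(firewall_cfg)
                 if s[0] == "redirect" and s[2].get("src") == ["wan"]]
    return {
        "double_nat": double_nat,
        # A WAN DHCP lease can change when the device is swapped; the upstream forward needs a reserved/static target.
        "needs_static_wan": double_nat and wan[2]["proto"][0] == "dhcp",
        # Ports the upstream device must forward to this router's WAN address.
        "upstream_ports": [(r["proto"][0], int(r["src_dport"][0])) for r in redirects],
    }
```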

You don’t have a public IP according to your own network map.

Definitions of private IP addresses

1 Like

You have a forward from the ISP to your wan on port 37564?

EDIT: sorry, replied to wrong person :frowning:

Hi @jan3

here is my idea :slight_smile:

  1. no, you don't have a public IP, and you set the port forward FIRST on the ISP router, or you set up DMZ on the ISP router, whatever ...
  2. since your OWRT was the only device attached to the ISP router, there was an "almost" static 192.168.1.x IP assigned to your old OWRT device
  3. so, your DMZ or FIRST port forward from the ISP router worked as expected, because you set for ex: ISP 8080 -> 192.168.1.100 (OWRT) 8080 -> 192.168.2.100 (LAN) 8080
  4. you changed your device, and your "almost" static address changed, it is not 192.168.1.100 anymore, it is maybe 101 now
  5. your FIRST port forward from the ISP router, or DMZ, still points to the old 192.168.1.100 (old OWRT router)
  6. check your ISP router how it is set up

maybe this will help ?

Thank you, @AndrewZ, @flygarn12 and NPeca75 (as a new user I can address only two users in a post), for pointing out that I do not have a public IP address assigned to my device and that a configuration on the upstream router needs to be changed so it forwards the traffic (addressed to my public IP address) to my device, which shall have a static IP address. I will follow up with the ISP (who has control over the upstream device) later and inform the forum about the outcome then.

@kukulo, ISP forwards all traffic (regardless of either source or destination port) to my device; or rather to a dynamic IP address which my old device leased and my new device did not - thus the problem. I picked 37564 just for testing purposes.

Exactly what I wrote in my post.

The traffic on that random port is not coming, that is my opinion. Can you nmap the port to see whether it is open? Moreover, an accept forward rule on the wan zone is a wrong configuration.

You can see the WAN IP address in the GUI on Status > Overview in the Network section:

Here you see mine and my WAN ip address is 192.168.0.9

This is not a public IP address so I can easily show it.

Please look up your own WAN IP address and only show the part before the first dot; this is because you do not want to show your whole WAN IP address if you really have a public IP address.

1 Like

@egc, as I indicated in my original post in this thread, my WAN IP address is 192.168.1.0/24. It is 192.168.1.59 in particular. Thus the hypothesis which @NPeca75 and AndrewZ declared in their posts in this thread.

It's only now that I have raised a ticket at the ISP. As soon as I have their response I will inform the forum in this thread if the hypothesis was right.

1 Like

Guys, as written in this and this post, the problem was the configuration of the upstream device controlled by the ISP. The configuration has been changed to route traffic (destined to "my public IP address") to my new device and port forwarding works as expected. Thus the problem was not the configuration of my device (as presented in the initial post in this thread) but the configuration of the upstream device. Thank you for your help and support.