Port Forwarding Problems

Hi,
recently I switched from an old TL WR 841n v8 to a TL WR 841N v13. Since then the port forwarding does not work anymore. I tried a lot and read other articles and topics. No result.
My Setup:
Client: 10.0.0.152
Server: 10.0.0.202
Router: 10.0.0.1
IP assigned from my modem (behind WAN): 192.168.1.2

When I try to connect to http://10.0.0.202:8086/ I get a result. When I try http://192.168.1.2:8086/ I get a timeout. The server is not the problem. It's the router.

I am using: OpenWrt SNAPSHOT r9909-9af2735 / LuCI Master (f138fc93). Kernel Version: 4.14.113.
I also tried the latest stable release. No success.

I set up the firewall and the correct Port rules.

Here is my /etc/config/network


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd43:9094:0ab6::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.0.0.1'
	option dns '10.0.0.202'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr 'c0:25:e9:5e:3a:fe'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option type 'bridge'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr 'c0:25:e9:5e:3a:ff'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

My /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'REJECT'
	option input 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '89'
	option dest_ip '10.0.0.202'
	option dest_port '80'
	option name 'HTTP'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '90'
	option dest_ip '10.0.0.202'
	option dest_port '3000'
	option name 'Grafana'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_ip '10.0.0.202'
	option dest_port '53'
	option name 'DNS Server'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '2222'
	option dest_ip '10.0.0.202'
	option dest_port '22'
	option name 'SSH'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option src_dport '8086'
	option dest_ip '10.0.0.202'
	option dest_port '8086'
	option name 'InfluxDB'
	option proto 'tcp'

Thanks for help!

Moritz

PS: The other forwarding rules also do not work!

  • If you are connecting from the LAN, there's no need for redirect, you can connect the server directly.
  • If you are connecting from the WAN, you need to use a globally routed IP address.
1 Like

I tried connecting from LAN and WAN. I can ping 192.168.1.2.
What do you mean with a globally routed IP address?

Why is this a bridge?

2 Likes

Was so by default

Since the client is in the same LAN as the server (according to your first post) you can access the server by typing only the IP 10.0.0.202.
If the client was connecting from the WAN, then you would have to use the WAN IP plus the port that you are forwarding, that is 192.168.1.2:8086

You can safely remove the bridge from the WAN interface. Most likely it was added accidentally by you during configuration.

Hmm. When I am from WAN: of course I must select the port. But I still can't access the HTTP share. That's my problem.

I will remove it. But is this the "Problem"?

It shouldn't be the root cause of the issue, but you never know.

Verify the iptables rules are there:
iptables -t nat -L -vn | grep 8086
and that there are hits.
Also you can run tcpdump to verify that packets come and go
tcpdump -i eth0.2 tcp port 8086

root@BixNETv2:~# iptables -t nat -L -vn | grep 8086
    0     0 SNAT       tcp  --  *      *       10.0.0.0/24          10.0.0.202           tcp dpt:8086 /* !fw3: InfluxDB (reflection) */ to:10.0.0.1
    0     0 DNAT       tcp  --  *      *       10.0.0.0/24          192.168.1.2          tcp dpt:8086 /* !fw3: InfluxDB (reflection) */ to:10.0.0.202:8086
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8086 /* !fw3: InfluxDB */ to:10.0.0.202:8086
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.2, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
233 packets received by filter
126 packets dropped by kernel

While tcpdump was running I tried to connect via Firefox. No success.

Okay, first of all there are no hits on the firewall, so nothing reached these rules. Better post the whole firewall dump:
iptables -L -vn; iptables -t nat -L -vn; iptables -t mangle -L -vn

root@BixNETv2:~# iptables -L -vn; iptables -t nat -L -vn; iptables -t mangle -L -vn
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 102K 8964K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 131K   12M input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom input rule chain */
 109K   10M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
 2109  106K syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 /* !fw3 */
    0     0 zone_lan_input  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
16824 1194K zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 4791  773K zone_wan_input  all  --  br-wan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_input  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
3931K 3508M forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom forwarding rule chain */
3911K 3507M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 zone_lan_forward  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
18792 1259K zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  356 23322 zone_wan_forward  all  --  br-wan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_forward  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 102K 8965K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 136K   21M output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom output rule chain */
 103K   18M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 zone_lan_output  all  --  *      tun0    0.0.0.0/0            0.0.0.0/0            /* !fw3 */
19190 1349K zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
13503  919K zone_wan_output  all  --  *      br-wan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_output  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain reject (4 references)
 pkts bytes target     prot opt in     out     source               destination         
 1132 58796 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with tcp-reset
 3659  714K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2109  106K RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_dest_ACCEPT (4 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0            /* !fw3 */
19190 1349K ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_forward (2 references)
 pkts bytes target     prot opt in     out     source               destination         
18792 1259K forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan forwarding rule chain */
18792 1259K zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone lan to wan forwarding policy */
    8   480 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_input (2 references)
 pkts bytes target     prot opt in     out     source               destination         
16824 1194K input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan input rule chain */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
16824 1194K zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_output (2 references)
 pkts bytes target     prot opt in     out     source               destination         
19190 1349K output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan output rule chain */
19190 1349K zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,UNTRACKED /* !fw3 */
16824 1194K ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  312 55055 DROP       all  --  *      br-wan  0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3: Prevent NAT leakage */
31975 2122K ACCEPT     all  --  *      br-wan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 DROP       all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3: Prevent NAT leakage */
    0     0 ACCEPT     all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      br-wan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 reject     all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_forward (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  356 23322 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan forwarding rule chain */
    0     0 zone_lan_dest_ACCEPT  esp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IPSec-ESP */
    0     0 zone_lan_dest_ACCEPT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500 /* !fw3: Allow-ISAKMP */
  356 23322 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_input (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 4791  773K input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan input rule chain */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 /* !fw3: Allow-DHCP-Renew */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* !fw3: Allow-Ping */
    0     0 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IGMP */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194 /* !fw3: Allow-OpenVPN */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
 4791  773K zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_output (2 references)
 pkts bytes target     prot opt in     out     source               destination         
13503  919K output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan output rule chain */
13503  919K zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 4791  773K reject     all  --  br-wan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 reject     all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
Chain PREROUTING (policy ACCEPT 50120 packets, 9987K bytes)
 pkts bytes target     prot opt in     out     source               destination         
50245 9995K prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom prerouting rule chain */
    0     0 zone_lan_prerouting  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
23255 1625K zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
26990 8370K zone_wan_prerouting  all  --  br-wan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_prerouting  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain INPUT (policy ACCEPT 10208 packets, 707K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 24652 packets, 1702K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 3210 packets, 233K bytes)
 pkts bytes target     prot opt in     out     source               destination         
37815 2554K postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom postrouting rule chain */
    0     0 zone_lan_postrouting  all  --  *      tun0    0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 8518  597K zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
26245 1744K zone_wan_postrouting  all  --  *      br-wan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_postrouting  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_lan_postrouting (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 8518  597K postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan postrouting rule chain */
    0     0 SNAT       tcp  --  *      *       10.0.0.0/24          10.0.0.202           tcp dpt:80 /* !fw3: HTTP (reflection) */ to:10.0.0.1
    0     0 SNAT       tcp  --  *      *       10.0.0.0/24          10.0.0.202           tcp dpt:3000 /* !fw3: Grafana (reflection) */ to:10.0.0.1
 1258 75480 SNAT       tcp  --  *      *       10.0.0.0/24          10.0.0.202           tcp dpt:53 /* !fw3: DNS Server (reflection) */ to:10.0.0.1
 7098  502K SNAT       udp  --  *      *       10.0.0.0/24          10.0.0.202           udp dpt:53 /* !fw3: DNS Server (reflection) */ to:10.0.0.1
    0     0 SNAT       tcp  --  *      *       10.0.0.0/24          10.0.0.202           tcp dpt:22 /* !fw3: SSH (reflection) */ to:10.0.0.1
    0     0 SNAT       udp  --  *      *       10.0.0.0/24          10.0.0.202           udp dpt:22 /* !fw3: SSH (reflection) */ to:10.0.0.1
    4   240 SNAT       tcp  --  *      *       10.0.0.0/24          10.0.0.202           tcp dpt:8086 /* !fw3: InfluxDB (reflection) */ to:10.0.0.1

Chain zone_lan_prerouting (2 references)
 pkts bytes target     prot opt in     out     source               destination         
23255 1625K prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan prerouting rule chain */
    0     0 DNAT       tcp  --  *      *       10.0.0.0/24          192.168.1.2          tcp dpt:89 /* !fw3: HTTP (reflection) */ to:10.0.0.202:80
    0     0 DNAT       tcp  --  *      *       10.0.0.0/24          192.168.1.2          tcp dpt:90 /* !fw3: Grafana (reflection) */ to:10.0.0.202:3000
    0     0 DNAT       tcp  --  *      *       10.0.0.0/24          192.168.1.2          tcp dpt:53 /* !fw3: DNS Server (reflection) */ to:10.0.0.202:53
    0     0 DNAT       udp  --  *      *       10.0.0.0/24          192.168.1.2          udp dpt:53 /* !fw3: DNS Server (reflection) */ to:10.0.0.202:53
    0     0 DNAT       tcp  --  *      *       10.0.0.0/24          192.168.1.2          tcp dpt:2222 /* !fw3: SSH (reflection) */ to:10.0.0.202:22
    0     0 DNAT       udp  --  *      *       10.0.0.0/24          192.168.1.2          udp dpt:2222 /* !fw3: SSH (reflection) */ to:10.0.0.202:22
    4   240 DNAT       tcp  --  *      *       10.0.0.0/24          192.168.1.2          tcp dpt:8086 /* !fw3: InfluxDB (reflection) */ to:10.0.0.202:8086

Chain zone_wan_postrouting (2 references)
 pkts bytes target     prot opt in     out     source               destination         
26245 1744K postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan postrouting rule chain */
26245 1744K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_prerouting (2 references)
 pkts bytes target     prot opt in     out     source               destination         
26990 8370K prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan prerouting rule chain */
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:89 /* !fw3: HTTP */ to:10.0.0.202:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:90 /* !fw3: Grafana */ to:10.0.0.202:3000
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* !fw3: DNS Server */ to:10.0.0.202:53
  117  7712 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* !fw3: DNS Server */ to:10.0.0.202:53
    4   164 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 /* !fw3: SSH */ to:10.0.0.202:22
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:2222 /* !fw3: SSH */ to:10.0.0.202:22
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8086 /* !fw3: InfluxDB */ to:10.0.0.202:8086
Chain PREROUTING (policy ACCEPT 4187K packets, 3537M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 233K packets, 21M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 3931K packets, 3508M bytes)
 pkts bytes target     prot opt in     out     source               destination         
14378  843K TCPMSS     tcp  --  *      br-wan  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU
    0     0 TCPMSS     tcp  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 238K packets, 30M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 4168K packets, 3538M bytes)
 pkts bytes target     prot opt in     out     source               destination         

@Bixilon,

  • Have you confirmed that there's a globally routable IP address on WAN?
  • Where is the network 192.168.1.0/24, and how are you able to access that network to reach the host at 192.168.1.2?
  • Have you made a Port Forward from the Internet to 192.168.1.2?

Again, this sounds like you are connected to LAN. What happens when you are physically connected on WAN?

Your route reflection from inside the LAN works:

    4   240 SNAT       tcp  --  *      *       10.0.0.0/24          10.0.0.202           tcp dpt:8086 /* !fw3: InfluxDB (reflection) */ to:10.0.0.1
    4   240 DNAT       tcp  --  *      *       10.0.0.0/24          192.168.1.2          tcp dpt:8086 /* !fw3: InfluxDB (reflection) */ to:10.0.0.202:8086

However the port forwarding from the WAN doesn't have any hits:

    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8086 /* !fw3: InfluxDB */ to:10.0.0.202:8086

Most likely you are not pointing the external devices correctly, because other port forwardings you have implemented work fine:

  117  7712 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* !fw3: DNS Server */ to:10.0.0.202:53
    4   164 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 /* !fw3: SSH */ to:10.0.0.202:22

Once again, test by running tcpdump and try to access port 8086 on 192.168.1.2 from the WAN:
tcpdump -i br-wan -vvn tcp port 8086
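
To make that counter reading repeatable, here is an added script (not from the thread) that parses `iptables -t nat -L -vn` output and lists the WAN-side forwards that have never matched a packet, beside the hit count of their reflection twins; the sample dump is assembled from the two prerouting chains posted above, and the parser assumes the fw3 comment layout seen there.

```python
"""Read the counters of `iptables -t nat -L -vn` and flag port forwards
that have never matched a packet. Added example, not from the thread;
the sample dump is built from the lines the OP posted."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two prerouting chains from the OP's nat dump.
SAMPLE_NAT_DUMP = """\
Chain zone_lan_prerouting (2 references)
 pkts bytes target     prot opt in     out     source               destination
23255 1625K prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan prerouting rule chain */
    0     0 DNAT       tcp  --  *      *       10.0.0.0/24          192.168.1.2          tcp dpt:89 /* !fw3: HTTP (reflection) */ to:10.0.0.202:80
    4   240 DNAT       tcp  --  *      *       10.0.0.0/24          192.168.1.2          tcp dpt:8086 /* !fw3: InfluxDB (reflection) */ to:10.0.0.202:8086

Chain zone_wan_prerouting (2 references)
 pkts bytes target     prot opt in     out     source               destination
26990 8370K prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan prerouting rule chain */
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:89 /* !fw3: HTTP */ to:10.0.0.202:80
  117  7712 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* !fw3: DNS Server */ to:10.0.0.202:53
    4   164 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 /* !fw3: SSH */ to:10.0.0.202:22
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8086 /* !fw3: InfluxDB */ to:10.0.0.202:8086
"""

# One DNAT rule line as printed by iptables -vn: counters, target, proto,
# in/out interface, source, destination, "<proto> dpt:<port>", fw3 comment, "to:".
DNAT_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+\S+\s+DNAT\s+(?P<proto>\w+)\s+--\s+\S+\s+\S+\s+"
    r"\S+\s+\S+\s+\w+\s+dpt:(?P<dport>\d+)\s+"
    r"/\*\s*!fw3:\s*(?P<name>.*?)\s*\*/\s+to:(?P<target>\S+)\s*$"
)


@dataclass(frozen=True)
class DnatRule:
    chain: str
    name: str
    proto: str
    dport: int
    target: str
    pkts: int

    @property
    def is_reflection(self) -> bool:
        # fw3 adds a second copy of every redirect for NAT loopback from the LAN.
        return self.name.endswith("(reflection)")


def parse_dnat_rules(dump: str) -> List[DnatRule]:
    """Collect every DNAT rule in the dump, remembering the chain it sits in."""
    rules: List[DnatRule] = []
    chain = ""
    for line in dump.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = DNAT_RE.match(line)
        if m:
            rules.append(DnatRule(chain, m["name"], m["proto"],
                                  int(m["dport"]), m["target"], int(m["pkts"])))
    return rules


def forward_hits(rules: List[DnatRule]) -> Dict[Tuple[str, int], Tuple[int, Optional[int]]]:
    """Map (proto, external port) -> (WAN-side hits, reflection hits or None)."""
    wan = {(r.proto, r.dport): r.pkts for r in rules if not r.is_reflection}
    refl = {(r.proto, r.dport): r.pkts for r in rules if r.is_reflection}
    return {k: (v, refl.get(k)) for k, v in wan.items()}


def forwards_without_hits(rules: List[DnatRule]) -> List[str]:
    """WAN-side forwards whose counter is still zero. A zero counter means no
    packet ever reached the rule, so the gap is upstream of the router (wrong
    destination address, or the upstream NAT not passing the port), not in fw3."""
    return [f"{r.proto}/{r.dport} -> {r.target} ({r.name})"
            for r in rules if not r.is_reflection and r.pkts == 0]


if __name__ == "__main__":
    parsed = parse_dnat_rules(SAMPLE_NAT_DUMP)
    for key, (wan_hits, refl_hits) in forward_hits(parsed).items():
        print(f"{key[0]}/{key[1]}: wan={wan_hits} reflection={refl_hits}")
    print("never hit from WAN:", forwards_without_hits(parsed))
```

On a live router, feed it the real output with `iptables -t nat -L -vn` piped into the script instead of the embedded sample.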

Yes. I can access this IP.

The 10.0.0.0/24 network is the network from OpenWrt. The 192.168.1.0/24 is the one from the o2 HomeBox. I can plug a LAN cable directly into it.

I have forwarded all ports on the "modem" to the OpenWrt firewall.

When I am physically on LAN: same result. Timeout.

@trendy:
None of the rules work. No DNS, no HTTP and no InfluxDB (HTTP).

I will run again:

root@BixNETv2:~# tcpdump -i br-wan -vvn tcp port 8086
tcpdump: listening on br-wan, link-type EN10MB (Ethernet), capture size 262144 bytes
21:00:57.615834 IP (tos 0x0, ttl 64, id 40378, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.38025 > 192.168.1.2.8086: Flags [S], cksum 0xa98f (correct), seq 2275256522, win 65535, options [mss 1460,sackOK,TS val 18953584 ecr 0,nop,wscale 9], length 0
21:00:57.850012 IP (tos 0x0, ttl 64, id 13074, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.38026 > 192.168.1.2.8086: Flags [S], cksum 0xa558 (correct), seq 766641829, win 65535, options [mss 1460,sackOK,TS val 18953655 ecr 0,nop,wscale 9], length 0
21:00:58.633992 IP (tos 0x0, ttl 64, id 40379, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.38025 > 192.168.1.2.8086: Flags [S], cksum 0xa862 (correct), seq 2275256522, win 65535, options [mss 1460,sackOK,TS val 18953885 ecr 0,nop,wscale 9], length 0
21:00:58.851779 IP (tos 0x0, ttl 64, id 13075, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.38026 > 192.168.1.2.8086: Flags [S], cksum 0xa42b (correct), seq 766641829, win 65535, options [mss 1460,sackOK,TS val 18953956 ecr 0,nop,wscale 9], length 0
21:01:00.634560 IP (tos 0x0, ttl 64, id 40380, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.38025 > 192.168.1.2.8086: Flags [S], cksum 0xa609 (correct), seq 2275256522, win 65535, options [mss 1460,sackOK,TS val 18954486 ecr 0,nop,wscale 9], length 0
21:01:00.778578 IP (tos 0x0, ttl 64, id 13076, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.38026 > 192.168.1.2.8086: Flags [S], cksum 0xa1e9 (correct), seq 766641829, win 65535, options [mss 1460,sackOK,TS val 18954534 ecr 0,nop,wscale 9], length 0
^C
6 packets captured
26 packets received by filter
0 packets dropped by kernel

Now there are some entries. But Firefox still says: "Verbindung fehlgeschlagen" => Connection failed.

Why?

But thanks anyway:)

There are incoming packets to the OpenWrt from the other client, but no response back. You now need to broaden the packet capture to see where the packets are dropped.
Try to capture on all the interfaces. You should be able to see packets coming from 192.168.1.3 on the WAN port and going out to 10.0.0.202 on the LAN port.
tcpdump -i any -vvn tcp port 8086

Also run the same tcpdump on the server.

1 Like
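
Added example, not from the thread: a small parser for `tcpdump -vvn` output that pairs each client SYN with a SYN-ACK or RST from the other side and lists the flows that never got one. The sample capture reuses two of the SYNs posted above plus one constructed, answered handshake on the SSH forward (port 2222) so both outcomes are visible; the flow-line format is the one tcpdump prints for both `-i br-wan` and `-i any`.

```python
"""Find TCP connection attempts in `tcpdump -vvn` output that never got an
answer. Added example, not from the thread. The sample mixes the SYNs the OP
captured on br-wan with one constructed, healthy handshake on the SSH forward
so both outcomes show up."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample: first two packets are from the OP's capture, the last
# two (port 2222, ids 100 and 0) are made up to show a completed handshake.
SAMPLE_CAPTURE = """\
21:00:57.615834 IP (tos 0x0, ttl 64, id 40378, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.38025 > 192.168.1.2.8086: Flags [S], cksum 0xa98f (correct), seq 2275256522, win 65535, options [mss 1460,sackOK,TS val 18953584 ecr 0,nop,wscale 9], length 0
21:00:58.633992 IP (tos 0x0, ttl 64, id 40379, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.38025 > 192.168.1.2.8086: Flags [S], cksum 0xa862 (correct), seq 2275256522, win 65535, options [mss 1460,sackOK,TS val 18953885 ecr 0,nop,wscale 9], length 0
21:01:05.000000 IP (tos 0x0, ttl 64, id 100, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.40001 > 192.168.1.2.2222: Flags [S], cksum 0x1234 (correct), seq 1000, win 65535, options [mss 1460], length 0
21:01:05.000400 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.2.2222 > 192.168.1.3.40001: Flags [S.], cksum 0x5678 (correct), seq 2000, ack 1001, win 65160, options [mss 1460], length 0
"""

# The second line of each packet in -vv output: "src.port > dst.port: Flags [..]".
# The same line appears unchanged in `-i any` captures, so this works on both.
FLOW_RE = re.compile(
    r"^\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# (client ip, client port, server ip, server port)
Flow = Tuple[str, int, str, int]


def summarize_handshakes(capture: str) -> Dict[Flow, Dict[str, int]]:
    """Per flow, count client SYNs and server replies (SYN-ACK or RST)."""
    flows: Dict[Flow, Dict[str, int]] = defaultdict(lambda: {"syn": 0, "reply": 0})
    for line in capture.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        flags = m["flags"]
        if flags == "S":                      # bare SYN: client -> server
            flows[(src, sport, dst, dport)]["syn"] += 1
        elif flags in ("S.", "R", "R."):      # SYN-ACK or reset: server -> client
            flows[(dst, dport, src, sport)]["reply"] += 1
    return dict(flows)


def unanswered_connections(capture: str, server_port: Optional[int] = None) -> List[Flow]:
    """Flows with at least one SYN and no reply at all. Repeated SYNs carrying
    the same sequence number are client retransmissions, which is what a
    browser timeout looks like on the wire. Capturing on both the WAN and the
    LAN side of the router tells the two cases apart: no LAN copy of the SYN
    means it was dropped or not DNATed here; a LAN copy with no reply points
    at the server or its host firewall."""
    result = []
    for flow, counts in summarize_handshakes(capture).items():
        if server_port is not None and flow[3] != server_port:
            continue
        if counts["syn"] > 0 and counts["reply"] == 0:
            result.append(flow)
    return sorted(result)


if __name__ == "__main__":
    for flow in unanswered_connections(SAMPLE_CAPTURE):
        print("no answer:", flow)
```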
root@BixNETv2:~# tcpdump -i br-wan -vvn tcp port 8086
tcpdump: listening on br-wan, link-type EN10MB (Ethernet), capture size 262144 bytes
22:00:46.466038 IP (tos 0x0, ttl 64, id 25240, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.39412 > 192.168.1.2.8086: Flags [S], cksum 0xd0f6 (correct), seq 3562062222, win 65535, options [mss 1460,sackOK,TS val 20030230 ecr 0,nop,wscale 9], length 0
22:00:46.697099 IP (tos 0x0, ttl 64, id 1799, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.39415 > 192.168.1.2.8086: Flags [S], cksum 0xd0f2 (correct), seq 4046365797, win 65535, options [mss 1460,sackOK,TS val 20030306 ecr 0,nop,wscale 9], length 0
22:00:47.462728 IP (tos 0x0, ttl 64, id 25241, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.39412 > 192.168.1.2.8086: Flags [S], cksum 0xcfc9 (correct), seq 3562062222, win 65535, options [mss 1460,sackOK,TS val 20030531 ecr 0,nop,wscale 9], length 0
22:00:47.699406 IP (tos 0x0, ttl 64, id 1800, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.39415 > 192.168.1.2.8086: Flags [S], cksum 0xcfc5 (correct), seq 4046365797, win 65535, options [mss 1460,sackOK,TS val 20030607 ecr 0,nop,wscale 9], length 0
22:00:49.467834 IP (tos 0x0, ttl 64, id 25242, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.39412 > 192.168.1.2.8086: Flags [S], cksum 0xcd70 (correct), seq 3562062222, win 65535, options [mss 1460,sackOK,TS val 20031132 ecr 0,nop,wscale 9], length 0
22:00:49.580369 IP (tos 0x0, ttl 64, id 1801, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.39415 > 192.168.1.2.8086: Flags [S], cksum 0xcd91 (correct), seq 4046365797, win 65535, options [mss 1460,sackOK,TS val 20031171 ecr 0,nop,wscale 9], length 0
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
22:00:46.466038 ethertype IPv4, IP (tos 0x0, ttl 64, id 25240, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.39412 > 192.168.1.2.8086: Flags [S], cksum 0xd0f6 (correct), seq 3562062222, win 65535, options [mss 1460,sackOK,TS val 20030230 ecr 0,nop,wscale 9], length 0
22:00:46.466038 IP (tos 0x0, ttl 64, id 25240, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.39412 > 192.168.1.2.8086: Flags [S], cksum 0xd0f6 (correct), seq 3562062222, win 65535, options [mss 1460,sackOK,TS val 20030230 ecr 0,nop,wscale 9], length 0
22:00:46.466038 IP (tos 0x0, ttl 64, id 25240, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.39412 > 192.168.1.2.8086: Flags [S], cksum 0xd0f6 (correct), seq 3562062222, win 65535, options [mss 1460,sackOK,TS val 20030230 ecr 0,nop,wscale 9], length 0
22:00:46.697099 ethertype IPv4, IP (tos 0x0, ttl 64, id 1799, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.39415 > 192.168.1.2.8086: Flags [S], cksum 0xd0f2 (correct), seq 4046365797, win 65535, options [mss 1460,sackOK,TS val 20030306 ecr 0,nop,wscale 9], length 0
22:00:46.697099 IP (tos 0x0, ttl 64, id 1799, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.39415 > 192.168.1.2.8086: Flags [S], cksum 0xd0f2 (correct), seq 4046365797, win 65535, options [mss 1460,sackOK,TS val 20030306 ecr 0,nop,wscale 9], length 0
22:00:46.697099 IP (tos 0x0, ttl 64, id 1799, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.39415 > 192.168.1.2.8086: Flags [S], cksum 0xd0f2 (correct), seq 4046365797, win 65535, options [mss 1460,sackOK,TS val 20030306 ecr 0,nop,wscale 9], length 0
22:00:47.462728 ethertype IPv4, IP (tos 0x0, ttl 64, id 25241, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.39412 > 192.168.1.2.8086: Flags [S], cksum 0xcfc9 (correct), seq 3562062222, win 65535, options [mss 1460,sackOK,TS val 20030531 ecr 0,nop,wscale 9], length 0
22:00:47.462728 IP (tos 0x0, ttl 64, id 25241, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.39412 > 192.168.1.2.8086: Flags [S], cksum 0xcfc9 (correct), seq 3562062222, win 65535, options [mss 1460,sackOK,TS val 20030531 ecr 0,nop,wscale 9], length 0
22:00:47.462728 IP (tos 0x0, ttl 64, id 25241, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.39412 > 192.168.1.2.8086: Flags [S], cksum 0xcfc9 (correct), seq 3562062222, win 65535, options [mss 1460,sackOK,TS val 20030531 ecr 0,nop,wscale 9], length 0
22:00:47.699406 ethertype IPv4, IP (tos 0x0, ttl 64, id 1800, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.39415 > 192.168.1.2.8086: Flags [S], cksum 0xcfc5 (correct), seq 4046365797, win 65535, options [mss 1460,sackOK,TS val 20030607 ecr 0,nop,wscale 9], length 0
22:00:47.699406 IP (tos 0x0, ttl 64, id 1800, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.39415 > 192.168.1.2.8086: Flags [S], cksum 0xcfc5 (correct), seq 4046365797, win 65535, options [mss 1460,sackOK,TS val 20030607 ecr 0,nop,wscale 9], length 0
22:00:47.699406 IP (tos 0x0, ttl 64, id 1800, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.39415 > 192.168.1.2.8086: Flags [S], cksum 0xcfc5 (correct), seq 4046365797, win 65535, options [mss 1460,sackOK,TS val 20030607 ecr 0,nop,wscale 9], length 0
22:00:49.467834 ethertype IPv4, IP (tos 0x0, ttl 64, id 25242, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.39412 > 192.168.1.2.8086: Flags [S], cksum 0xcd70 (correct), seq 3562062222, win 65535, options [mss 1460,sackOK,TS val 20031132 ecr 0,nop,wscale 9], length 0
22:00:49.467834 IP (tos 0x0, ttl 64, id 25242, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.39412 > 192.168.1.2.8086: Flags [S], cksum 0xcd70 (correct), seq 3562062222, win 65535, options [mss 1460,sackOK,TS val 20031132 ecr 0,nop,wscale 9], length 0
22:00:49.467834 IP (tos 0x0, ttl 64, id 25242, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.39412 > 192.168.1.2.8086: Flags [S], cksum 0xcd70 (correct), seq 3562062222, win 65535, options [mss 1460,sackOK,TS val 20031132 ecr 0,nop,wscale 9], length 0
22:00:49.580369 ethertype IPv4, IP (tos 0x0, ttl 64, id 1801, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.39415 > 192.168.1.2.8086: Flags [S], cksum 0xcd91 (correct), seq 4046365797, win 65535, options [mss 1460,sackOK,TS val 20031171 ecr 0,nop,wscale 9], length 0
22:00:49.580369 IP (tos 0x0, ttl 64, id 1801, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.39415 > 192.168.1.2.8086: Flags [S], cksum 0xcd91 (correct), seq 4046365797, win 65535, options [mss 1460,sackOK,TS val 20031171 ecr 0,nop,wscale 9], length 0
22:00:49.580369 IP (tos 0x0, ttl 64, id 1801, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.39415 > 192.168.1.2.8086: Flags [S], cksum 0xcd91 (correct), seq 4046365797, win 65535, options [mss 1460,sackOK,TS val 20031171 ecr 0,nop,wscale 9], length 0
^C
18 packets captured
24 packets received by filter
0 packets dropped by kernel

Oh. These are both on the OpenWRT router. I will run the command on the server tomorrow (today?)

Yes, but as I don't see any return traffic, most likely your server is dropping the packet.
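
As an added example (not from the thread or from OpenWrt), a small Python helper that parses `tcpdump -v` output like the capture above and reports where an inbound connection to a forwarded port is lost: never reaching the WAN address, reaching it but never being rewritten towards the server (DNAT not matching), or being forwarded but getting no SYN-ACK back. The WAN packet is copied from the capture above; the br-lan capture it compares against is constructed, since the thread only shows the br-wan side; 192.168.1.2, 10.0.0.202 and 8086 are this setup's values.

```python
import re
from collections import defaultdict

# "src.port > dst.port: Flags [X]" continuation line of tcpdump -v output
FLOW_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]")

# One packet copied from the br-wan capture above (client SYN hitting the router's WAN IP).
WAN_CAPTURE = """\
22:00:46.466038 IP (tos 0x0, ttl 64, id 25240, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.39412 > 192.168.1.2.8086: Flags [S], cksum 0xd0f6 (correct), seq 3562062222, win 65535, options [mss 1460,sackOK,TS val 20030230 ecr 0,nop,wscale 9], length 0
"""

# Constructed, not from the thread: what br-lan would show if the DNAT rule had matched.
LAN_CAPTURE_CONSTRUCTED = """\
22:00:46.466100 IP (tos 0x0, ttl 63, id 25240, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.3.39412 > 10.0.0.202.8086: Flags [S], cksum 0x1234 (correct), seq 3562062222, win 65535, length 0
"""

def parse_flows(capture):
    """Map (src, sport, dst, dport) -> set of TCP flag strings seen for that 4-tuple."""
    flows = defaultdict(set)
    for line in capture.splitlines():
        m = FLOW_RE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            flows[(src, int(sport), dst, int(dport))].add(flags)
    return flows

def diagnose(wan_capture, lan_capture, router_wan_ip, server_ip, port):
    """Locate the hop at which an inbound connection to a forwarded port dies."""
    wan, lan = parse_flows(wan_capture), parse_flows(lan_capture)
    if not any(d == router_wan_ip and p == port and "S" in f
               for (_, _, d, p), f in wan.items()):
        return "no-syn-on-wan"          # nothing reaches the router's WAN address
    if any(s == router_wan_ip and p == port and "S." in f
           for (s, p, _, _), f in wan.items()):
        return "ok"                     # a SYN-ACK is leaving via WAN
    if not any(d == server_ip and p == port and "S" in f
               for (_, _, d, p), f in lan.items()):
        return "dnat-not-applied"       # SYN never rewritten towards the server
    return "server-no-reply"            # forwarded, but the server sent no SYN-ACK

if __name__ == "__main__":
    # With no br-lan capture at all this reports "dnat-not-applied"; capture both sides to tell the cases apart.
    print(diagnose(WAN_CAPTURE, "", "192.168.1.2", "10.0.0.202", 8086))
    print(diagnose(WAN_CAPTURE, LAN_CAPTURE_CONSTRUCTED, "192.168.1.2", "10.0.0.202", 8086))
```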

The server works well. This is not the problem. The server does NOT get any requests....

I don't see anything else wrong other than the unusual bridged wan.
Unless someone else has a better idea, take a backup, restore factory defaults, and start configuring the router from scratch. Most of the default configuration works for your case out of the box, so basically you only need to add the port forwarding rules.
