Let me try a reply:
I installed tcpdump
(curiously, it installs without a man page!).
The appropriate capture device is a bit unclear, as the interface is only labelled "wan", so I used that. I could not find any other definition in, e.g., the /etc/config/network or /etc/config/firewall files.
Connection method: To access a device on the LAN, I used an external network (mobile 4G) and, e.g., Owlfiles on an iPad to access the NAS. That usually worked. It also provides a diagnostics option, which shows no "local network permission" but "port connect - succeed":
I also used the Tor network to access an IP cam, and ran port scans against my external IP via port-scan websites. All ports showed as closed (even port 80, for example).
Note on port 123: the real port is not 123; I used that number to mask the actual port.
Only when I try to access a device via Nemo using the external IP does tcpdump
actually show anything. In all other cases, nothing is logged on that port. Output below (xxx.xxx.xxx.121 is the external IP; note that all six packets are retransmitted SYNs from OpenWrt.lan towards the external IP, with no reply captured):
tcpdump: listening on wan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
13:17:31.952116 IP (tos 0x0, ttl 63, id 33639, offset 0, flags [DF], proto TCP (6), length 60)
OpenWrt.lan.49376 > xxx.xxx.xxx.121: Flags [S], cksum 0xeea3 (correct), seq 3237523084, win 64240, options [mss 1460,sackOK,TS val 3369448943 ecr 0,nop,wscale 7], length 0
13:17:32.980163 IP (tos 0x0, ttl 63, id 33640, offset 0, flags [DF], proto TCP (6), length 60)
OpenWrt.lan.49376 > xxx.xxx.xxx.121: Flags [S], cksum 0xea9d (correct), seq 3237523084, win 64240, options [mss 1460,sackOK,TS val 3369449973 ecr 0,nop,wscale 7], length 0
13:17:34.997837 IP (tos 0x0, ttl 63, id 33641, offset 0, flags [DF], proto TCP (6), length 60)
OpenWrt.lan.49376 > xxx.xxx.xxx.121: Flags [S], cksum 0xe2bd (correct), seq 3237523084, win 64240, options [mss 1460,sackOK,TS val 3369451989 ecr 0,nop,wscale 7], length 0
13:17:39.091830 IP (tos 0x0, ttl 63, id 33642, offset 0, flags [DF], proto TCP (6), length 60)
OpenWrt.lan.49376 > xxx.xxx.xxx.121: Flags [S], cksum 0xd2bd (correct), seq 3237523084, win 64240, options [mss 1460,sackOK,TS val 3369456085 ecr 0,nop,wscale 7], length 0
13:17:47.283876 IP (tos 0x0, ttl 63, id 33643, offset 0, flags [DF], proto TCP (6), length 60)
OpenWrt.lan.49376 > xxx.xxx.xxx.121: Flags [S], cksum 0xb2bd (correct), seq 3237523084, win 64240, options [mss 1460,sackOK,TS val 3369464277 ecr 0,nop,wscale 7], length 0
13:18:03.415116 IP (tos 0x0, ttl 63, id 33644, offset 0, flags [DF], proto TCP (6), length 60)
OpenWrt.lan.49376 > xxx.xxx.xxx.121: Flags [S], cksum 0x73bd (correct), seq 3237523084, win 64240, options [mss 1460,sackOK,TS val 3369480405 ecr 0,nop,wscale 7], length 0
Finally, as requested, below is the content of /etc/config/network, /etc/config/wireless, /etc/config/dhcp and /etc/config/firewall, with device names and MACs masked.
NETWORK:
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fda9:853d:7b54::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.0.2'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'wan'
option macaddr '8C:B1:DA:5D:69:D9'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
WIRELESS:
config wifi-device 'radio0'
option type 'mac80211'
option path '18000000.axi/bcma0:7/pci0000:00/0000:00:00.0/0000:01:00.0/bcma1:1'
option channel '2'
option band '2g'
option cell_density '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'SSID'
option encryption 'psk-mixed'
option key 'KEY'
DHCP:
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '20'
option limit '222'
option leasetime '30d'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config host
option ip '192.168.0.122'
option mac 'MAC'
option name 'Device-2'
config host
option ip '192.168.0.123'
option mac 'MAC'
option name 'Device-1'
config host
option ip '192.168.0.121'
option mac 'MAC'
option name 'nas'
config host
option ip '192.168.0.55'
option mac 'MAC'
option name 'Device'
config host
option ip '192.168.0.56'
option mac 'MAC'
option name 'Device'
config host
option ip '192.168.0.57'
option mac 'MAC'
option name 'Device'
config host
option ip '192.168.0.58'
option mac 'MAC'
option name 'Device'
config host
option ip '192.168.0.59'
option mac 'MAC'
option name 'Device'
config host
option ip '192.168.0.60'
option mac 'MAC'
option name 'Device'
FIREWALL:
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'nas'
option src 'wan'
option src_dport '121'
option dest_port '121'
option dest_ip '192.168.0.121'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Device-1'
option src 'wan'
option src_dport '123'
option dest_port '123'
option dest_ip '192.168.0.123'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Device-2'
option src 'wan'
option src_dport '122'
option dest_port '122'
option dest_ip '192.168.0.122'
In /etc/config/firewall
I added option enabled '1' to the config redirect
sections in question
and did an /etc/init.d/firewall restart,
without any improvement.