Port forwarding - strange

Hello forum,

I need your support once again. Today I added a Fritzbox 4040 with OpenWRT behind my 7490. Works so far.

I have a QNAP NAS running in my LAN, so I did two port forwardings. From the 7490 to the WAN interface of my 4040. On the 4040, port forwarding to the NAS' IP (ports 80,443,8181 each). But the NAS cannot be reached via the Internet.

A traceroute tells me that the public IP is OK (public of the 7490). Next hop is the WAN IP of the 4040. But then, the next hop is the WAN IP of the 4040 and then back to the public IP of my 7490. A circle.
Where is my configuration failure to produce this circle?

Thanks in advance

Post here the following from 4040.

iptables-save -t nat -c | grep DNAT

Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.

here we go...

[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: NAS HTTP" -j DNAT --to-destination 172.17.1.17:80
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 80 -m comment --comment "!fw3: NAS HTTP" -j DNAT --to-destination 172.17.1.17:80
[1:44] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: NAS HTTPS" -j DNAT --to-destination 172.17.1.17:443
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8081 -m comment --comment "!fw3: NAS 8081" -j DNAT --to-destination 172.17.1.17:8081
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 8081 -m comment --comment "!fw3: NAS 8081" -j DNAT --to-destination 172.17.1.17:8081
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 873 -m comment --comment "!fw3: NAS Rsync" -j DNAT --to-destination 172.17.1.17:873
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 873 -m comment --comment "!fw3: NAS Rsync" -j DNAT --to-destination 172.17.1.17:873
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8899 -m comment --comment "!fw3: NAS RRTR" -j DNAT --to-destination 172.17.1.17:8899
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 8899 -m comment --comment "!fw3: NAS RRTR" -j DNAT --to-destination 172.17.1.17:8899
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 5001 -m comment --comment "!fw3: NAS WEBDAV" -j DNAT --to-destination 172.17.1.17:5001
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 51823 -m comment --comment "!fw3: wireguard WRT" -j DNAT --to-destination 172.17.1.81:51823
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 51820 -m comment --comment "!fw3: Wireguard Pi" -j DNAT --to-destination 172.17.1.95:51820
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 873 -m comment --comment "!fw3: Rsync" -j DNAT --to-destination 172.17.1.17:873
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8899 -m comment --comment "!fw3: RRTR" -j DNAT --to-destination 172.17.1.17:8899
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 5001 -m comment --comment "!fw3: WEBDAV" -j DNAT --to-destination 172.17.1.17:5001

You have multiple entries for the same port. I suppose you added the same port forward without flushing the chains first. But this is not a big problem.
Only the tcp/443 has one hit, all other entries had no hits.
Do a fw3 restart to reset the counters and try your ports again. See if the counters grow. This means the 7490 forwards properly to the 4040. Then if you cannot check on the QNAP what is going on with the packets, you can check with tcpdump the packets that travel on the cable.
tcpdump -i eth0 -vn '(host 172.17.1.17 and ( tcp port 80 or tcp port 443 or tcp port 8081))'
Replace eth0 with the physical LAN interface.
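
The counter check described in the reply above, as an added example that is not part of the original thread: a shell function that totals the `-c` packet counters per protocol/port and flags duplicate rules and rules with no hits. The names `dnat_report` and `sample_rules` are hypothetical, and the sample input is four of the rule lines posted earlier in the thread.

```shell
#!/bin/sh
# Summarise DNAT rules from `iptables-save -t nat -c` output read on stdin.
# One output line per proto/dport: packet total, rule count, targets, flags.
dnat_report() {
    awk '
    / -j DNAT / {
        # Leading "[packets:bytes]" counter is written by the -c option.
        pkts = $1
        sub(/^\[/, "", pkts); sub(/:.*$/, "", pkts)
        proto = ""; dport = ""; dest = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "-p")               proto = $(i + 1)
            if ($i == "--dport")          dport = $(i + 1)
            if ($i == "--to-destination") dest  = $(i + 1)
        }
        key = proto "/" dport
        if (!(key in rules)) order[++n] = key   # keep first-seen order
        rules[key]++
        hits[key] += pkts
        # Record each distinct target once, comma separated.
        if (index("," targets[key] ",", "," dest ",") == 0)
            targets[key] = (targets[key] == "" ? dest : targets[key] "," dest)
    }
    END {
        for (j = 1; j <= n; j++) {
            k = order[j]
            flags = ""
            if (rules[k] > 1) flags = flags " DUPLICATE"
            if (hits[k] == 0) flags = flags " NO-HITS"
            printf "%s pkts=%d rules=%d to=%s%s\n", k, hits[k], rules[k], targets[k], flags
        }
    }'
}

# Sample input: four rule lines taken from the output posted in this thread.
sample_rules() {
    cat <<'EOF'
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: NAS HTTP" -j DNAT --to-destination 172.17.1.17:80
[1:44] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: NAS HTTPS" -j DNAT --to-destination 172.17.1.17:443
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 873 -m comment --comment "!fw3: NAS Rsync" -j DNAT --to-destination 172.17.1.17:873
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 873 -m comment --comment "!fw3: Rsync" -j DNAT --to-destination 172.17.1.17:873
EOF
}

sample_rules | dnat_report
```

On the router itself, feed it the live rules with `iptables-save -t nat -c | dnat_report`, once right after `fw3 restart` and again after testing from outside, and compare the `pkts=` values.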

Thanks for your quick help.
The mistake was - again - in front of the surface :)
I forgot to forward port 8080. 8081 is another one for a virtual webserver on the QNAP. So now, it works!!
