Port forwarding to server in Guest network

I am running OpenWrt 19.07.7 on a Netgear R7800 and configured a Guest network on 192.168.2.1/24, following the "Guest Wi-Fi using LuCI" instructions. I enabled VLAN functionality and have my "secure" 192.168.1.1/24 LAN network associated with interface eth1.1, whereas my Guest network is associated with interface eth1.2.

I have an "insecure" server on 192.168.2.22 which is connected to an ethernet port associated with eth1.2 in the Guest network. I have an "accept forward" traffic rule from LAN to Guest so that I can access 192.168.2.22 from other machines in my LAN network but I cannot access machines in my LAN network from 192.168.2.22 (getting "connection refused"). This is how I want it to be.

Now I would like to set up port forwarding for SSH port 22 from WAN to 192.168.2.22. When I port forward to another server 192.168.1.22 (internal IP address) in my eth1.1 LAN network (Destination zone) then I can SSH in from outside with no issues. But when I try to port forward to server 192.168.2.22 (Internal IP address) in my Guest network (destination zone) and try to SSH in from outside, then I get a "connection refused" response.

I tried messing with traffic rules and the firewall input settings but couldn't get it to work. Any hint would be much appreciated!

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses from the output before posting it.

# Diagnostic dump for firewall/routing problems; paste and run as one block.
#   ubus call system board           - device model and OpenWrt release
#   uci export network / firewall    - interface and firewall configuration
#   head -n -0 /etc/firewall.user    - contents of the custom firewall script
#   iptables-save -c                 - live ruleset, with packet/byte counters
#   ip -4 addr / ro li tab all / ru  - IPv4 addresses, all routing tables, policy rules
# The network export includes the PPPoE username and password, and the
# iptables and ip output include the public WAN address: redact them before posting.
ubus call system board; \
uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
	"kernel": "4.14.221",
	"hostname": "**********",
	"system": "ARMv7 Processor rev 0 (v7l)",
	"model": "Netgear Nighthawk X4S R7800",
	"board_name": "netgear,r7800",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.7",
		"revision": "r11306-c4a6851c72",
		"target": "ipq806x/generic",
		"description": "OpenWrt 19.07.7 r11306-c4a6851c72"
	}
}
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '******************'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option proto 'pppoe'
	option password '**********'
	option ipv6 'auto'
	option username '***********'
	option ifname 'eth0.101'
	option mtu '1400'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option peerdns '0'

config interface 'wan6'
	option proto 'dhcpv6'
	option ifname 'eth0.101'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '6t 4 3'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '101'
	option ports '0t 5t'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option ifname 'eth1.2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '2'
	option ports '6t 2 1'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'lan'
	option forward 'REJECT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'REJECT'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

# Guest zone: traffic from guest hosts to the router itself (input) and
# through it (forward) is rejected unless a rule or forwarding in this
# export allows it. Here that is guest->wan forwarding plus the
# Allow-Guest-DNS and Allow-Guest-DHCP rules. No 'masq' option is set on
# this zone.
config zone
	option network 'guest'
	option forward 'REJECT'
	option name 'guest'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding
	option dest 'wan'
	option src 'guest'

config rule
	option dest_port '53'
	option src 'guest'
	option name 'Allow-Guest-DNS'
	option target 'ACCEPT'
	option proto 'tcp udp'

config rule
	option dest_port '67-68'
	option src 'guest'
	option name 'Allow-Guest-DHCP'
	option target 'ACCEPT'
	option proto 'udp'

# Lets LAN hosts open TCP/22 to 192.168.2.22 in the guest zone, and nothing
# else. This export has no guest->lan forwarding, so new connections from
# the guest side towards LAN fall through to the guest zone's forward REJECT.
config rule
	option dest_port '22'
	list proto 'tcp'
	option target 'ACCEPT'
	option src 'lan'
	option name '********* local ssh'
	option dest 'guest'
	list dest_ip '192.168.2.22'

# NOTE(review): no zone named 'openlan' is defined in this export (the zones
# are lan, wan and guest) and no openlan chains appear in the iptables-save
# output, so this forwarding looks like a leftover. Confirm and remove it.
config forwarding
	option dest 'wan'
	option src 'openlan'

# Port forward: TCP/22 arriving on the wan zone is DNATed to 192.168.2.22:22
# in the guest zone.
# NOTE(review): there is no 'option src_ip', so the forward matches any WAN
# source address. The target is described by its owner as "insecure", so
# consider limiting src_ip to known addresses and allowing only key-based
# SSH logins on the server.
config redirect
	option dest_port '22'
	option src 'wan'
	option name 'SSH Forward'
	option src_dport '22'
	option target 'DNAT'
	list proto 'tcp'
	option dest 'guest'
	option dest_ip '192.168.2.22'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.3 on Sat Jul 31 23:19:26 2021
*nat
:PREROUTING ACCEPT [6414:442419]
:INPUT ACCEPT [1478:102918]
:OUTPUT ACCEPT [1218:87941]
:POSTROUTING ACCEPT [827:60661]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[6428:443023] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[790:74035] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[977:50587] -A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i eth0.101 -m comment --comment "!fw3" -j zone_wan_prerouting
[4661:318401] -A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_guest_prerouting
[5548:324300] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[2:674] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[4721:263639] -A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth0.101 -m comment --comment "!fw3" -j zone_wan_postrouting
[21:2151] -A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_guest_postrouting
[21:2151] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
[0:0] -A zone_guest_postrouting -s 192.168.2.0/24 -d 192.168.2.22/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH Forward (reflection)" -j SNAT --to-source 192.168.2.1
[4661:318401] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
[0:0] -A zone_guest_prerouting -s 192.168.2.0/24 -d **************/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH Forward (reflection)" -j DNAT --to-destination 192.168.2.22:22
[2:674] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[790:74035] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[4721:263639] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[4721:263639] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[977:50587] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[14:604] -A zone_wan_prerouting -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH Forward" -j DNAT --to-destination 192.168.2.22:22
COMMIT
# Completed on Sat Jul 31 23:19:26 2021
# Generated by iptables-save v1.8.3 on Sat Jul 31 23:19:26 2021
*mangle
:PREROUTING ACCEPT [12270474:10946241057]
:INPUT ACCEPT [9737:2086906]
:FORWARD ACCEPT [12260319:10944073952]
:OUTPUT ACCEPT [9318:1202779]
:POSTROUTING ACCEPT [12269600:10945274393]
[3387:177276] -A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[3295:171984] -A FORWARD -i pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o eth0.101 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth0.101 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Jul 31 23:19:26 2021
# Generated by iptables-save v1.8.3 on Sat Jul 31 23:19:26 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_REJECT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[2406:434457] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[7331:1652449] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[4043:1447645] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1111:52648] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[569:36890] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[1462:70558] -A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i eth0.101 -m comment --comment "!fw3" -j zone_wan_input
[1257:97356] -A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guest_input
[12260319:10944073952] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[12256463:10943829543] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[216:25894] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[15:684] -A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth0.101 -m comment --comment "!fw3" -j zone_wan_forward
[3625:217831] -A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_guest_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[2406:434457] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[6912:768322] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[6457:733973] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[5:1685] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[443:30580] -A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o eth0.101 -m comment --comment "!fw3" -j zone_wan_output
[7:2084] -A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_guest_output
[1271:53590] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[203:21452] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[1111:52648] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[9:2204] -A zone_guest_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guest_dest_REJECT -o br-guest -m comment --comment "!fw3" -j reject
[3625:217831] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[3625:217831] -A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
[1257:97356] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
[18:952] -A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Allow-Guest-DNS" -j ACCEPT
[1100:79084] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Allow-Guest-DNS" -j ACCEPT
[9:4244] -A zone_guest_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: Allow-Guest-DHCP" -j ACCEPT
[0:0] -A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[130:13076] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
[7:2084] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
[7:2084] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[130:13076] -A zone_guest_src_REJECT -i br-guest -m comment --comment "!fw3" -j reject
[5:1685] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_REJECT -o br-lan -m comment --comment "!fw3" -j reject
[216:25894] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[2:120] -A zone_lan_forward -d 192.168.2.22/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: ************** local ssh" -j zone_guest_dest_ACCEPT
[214:25774] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_REJECT
[569:36890] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[569:36890] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[5:1685] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[5:1685] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[569:36890] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[37:2338] -A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[4245:271847] -A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.101 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.101 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o eth0.101 -m comment --comment "!fw3" -j reject
[15:684] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[15:684] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[1462:70558] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[118:8592] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1344:61966] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[443:30580] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[443:30580] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[1344:61966] -A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i eth0.101 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat Jul 31 23:19:26 2021
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-guest
       valid_lft forever preferred_lft forever
9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
14: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1392 qdisc fq_codel state UNKNOWN qlen 3
    inet *************** peer *************/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
default via ************** dev pppoe-wan 
************** dev pppoe-wan scope link  src ************ 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
192.168.2.0/24 dev br-guest scope link  src 192.168.2.1 
local ************* dev pppoe-wan table local scope host  src *************** 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.1 
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1 
broadcast 192.168.2.0 dev br-guest table local scope link  src 192.168.2.1 
local 192.168.2.1 dev br-guest table local scope host  src 192.168.2.1 
broadcast 192.168.2.255 dev br-guest table local scope link  src 192.168.2.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 

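The rule is there and there are hits, which means packets are forwarded to the server: the "SSH Forward" DNAT rule in zone_wan_prerouting shows `[14:604]`, and the "Accept port forwards" rule in zone_wan_forward shows `[15:684]`. You should troubleshoot on the server why there is this connection refused message.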


Thank you very much for the quick replies! I used tcptrack on the server to confirm that the packets indeed reach the server. The connection is then in a SYN_SENT state, so the problem is definitely with the server. I did not expect this because I could reach the server from my LAN network.

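Your server's gateway is not accepting external connections (that is, connections from outside your LAN / Guest networks). The guest zone is not masqueraded, so forwarded connections reach the server with their original public source address, whereas LAN clients arrive from 192.168.1.0/24. On the server, check that its default route points at 192.168.2.1 and that its host firewall and SSH access rules admit sources outside the two local subnets. If you do open it up, restrict the forward to known source addresses (`option src_ip` on the redirect) and allow key-based SSH logins only.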
