Port-forwarding to TP-Link EAP

Please help me understand why the setup below will not work.

My laptop --- public-internet -- OpenWRT (Public-IP xx.xx, Lan IP: 192.168.0.1) --- TP-Link EAP (192.168.0.2)

I put port-forwarding by editing /etc/config/firewall.

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '8098'
        option dest_ip '192.168.0.2'
        option dest_port '80'
        option enabled '1'
        option name 'Forward_AP'

From my laptop, why am I not able to see the EAP login page through public_IP:8098?

If I use the same forwarding rule for the OpenWRT device itself (192.168.0.1), I am able to see the LuCI login page.

Heck, I can even access the EAP via the n2n edge interface (a lightweight VPN on OpenWRT).

config redirect
        option target 'DNAT'
        option src 'edge'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '13202'
        option dest_ip '192.168.0.2'
        option dest_port '80'
        option name 'Forward_AP1'

config redirect 'ap1_snat'
        option name 'AP1-SNAT'
        option src 'edge'
        option dest 'lan'
        option dest_ip '192.168.0.2'
        option src_dip '192.168.0.1'
        option family 'ipv4'
        option proto 'tcpudp'
        option target 'SNAT'

So why would a simple port forward over WAN not work?

Does the EAP have gateway 192.168.0.1 configured?

Yes. Gateway, netmask, DNS, the usuals.

tcpdump on the WAN port shows only packets with Flags [S].
I have got port forwarding working for other devices, like biometric devices etc.
I assumed an AP would behave similarly.

With that configuration, the TP-Link EAP device is receiving traffic from a public IP address, and probably rejecting it. Either configure its firewall to accept any traffic, or enable SNAT on the router to masquerade the origin of the connection as internal.


Right, either the firewall or the web server on the EAP has some access list to allow only local addresses.


I suspected that as well, since after all I have SNAT set up on the VPN interface, and it works.

However, over WAN it doesn't seem to be working.

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '8098'
        option dest_ip '192.168.0.2'
        option dest_port '80'
        option enabled '1'
        option name 'Forward_AP'

config redirect 'ap9_snat'
        option name 'AP9-SNAT'
        option src 'wan'
        option dest 'lan'
        option dest_ip '192.168.0.2'
        option src_dip '192.168.0.1'
        option family 'ipv4'
        option proto 'tcpudp'
        option target 'SNAT'

The below works:

config redirect
        option target 'DNAT'
        option src 'edge'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '13202'
        option dest_ip '192.168.0.2'
        option dest_port '80'
        option name 'Forward_AP1'

config redirect 'ap1_snat'
        option name 'AP1-SNAT'
        option src 'edge'
        option dest 'lan'
        option dest_ip '192.168.0.2'
        option src_dip '192.168.0.1'
        option family 'ipv4'
        option proto 'tcpudp'
        option target 'SNAT'

I have the below rules on the vpn/edge interface.

config forwarding
        option dest 'edge'
        option src 'lan'
config forwarding
        option dest 'edge'
        option src 'wan'
config forwarding
        option dest 'lan'
        option src 'edge'
config forwarding
        option dest 'wan'
        option src 'edge'

Whereas I have the standard OpenWRT rules on WAN.
But I guess since I have put forward rules on the specific port, it should be fine?

To avoid ambiguity, here is the rest of /etc/config/firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wwan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option proto 'tcp'
	option dest_port '23'
	option target 'ACCEPT'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'edge'
        option forward 'ACCEPT'
        option network 'edge0'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option dest 'edge'
        option src 'lan'

config forwarding
        option dest 'edge'
        option src 'wan'

config forwarding
        option dest 'lan'
        option src 'edge'

config forwarding
        option dest 'wan'
        option src 'edge'

Run a tcpdump on the LAN interface and capture TCP 80 towards 192.168.0.2, then start a connection from WAN.

tcpdump -i eth2 dst 192.168.0.2

20:17:54.766923 IP OpenWRT.lan.11042 > ap1.lan.80: Flags [S], seq 804044086, win 65535, options [mss 1260,nop,wscale 6,nop,nop,TS val 3018348727 ecr 0,sackOK,eol], length 0
20:17:54.768664 IP OpenWRT.lan > ap1.lan: ICMP time exceeded in-transit, length 68
20:17:55.020143 IP OpenWRT.lan.50109 > ap1.lan.80: Flags [S], seq 1998194871, win 65535, options [mss 1260,nop,wscale 6,nop,nop,TS val 3519259939 ecr 0,sackOK,eol], length 0
20:17:55.021394 IP OpenWRT.lan > ap1.lan: ICMP time exceeded in-transit, length 68
20:17:55.767218 IP OpenWRT.lan.11042 > ap1.lan.80: Flags [S], seq 804044086, win 65535, options [mss 1260,nop,wscale 6,nop,nop,TS val 3018349727 ecr 0,sackOK,eol], length 0
20:17:55.769044 IP OpenWRT.lan > ap1.lan: ICMP time exceeded in-transit, length 68
20:17:56.022046 IP OpenWRT.lan.50109 > ap1.lan.80: Flags [S], seq 1998194871, win 65535, options [mss 1260,nop,wscale 6,nop,nop,TS val 3519260940 ecr 0,sackOK,eol], length 0
20:17:56.023672 IP OpenWRT.lan > ap1.lan: ICMP time exceeded in-transit, length 68
20:17:56.767040 IP OpenWRT.lan.11042 > ap1.lan.80: Flags [S], seq 804044086, win 65535, options [mss 1260,nop,wscale 6,nop,nop,TS val 3018350727 ecr 0,sackOK,eol], length 0
20:17:56.768899 IP OpenWRT.lan > ap1.lan: ICMP time exceeded in-transit, length 68
20:17:57.021401 IP OpenWRT.lan.50109 > ap1.lan.80: Flags [S], seq 1998194871, win 65535, options [mss 1260,nop,wscale 6,nop,nop,TS val 3519261940 ecr 0,sackOK,eol], length 0
20:17:57.023151 IP OpenWRT.lan > ap1.lan: ICMP time exceeded in-transit, length 68

OpenWrt sends the SYN, but doesn't get the SYN-ACK. Also, the ICMP message means that you have a routing loop somewhere. Maybe some VPN is active and routes packets asymmetrically. Pretty tough to achieve in a simple network. Anyway, the bottom line is that the port forwarding rule that you have is working.
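The diagnosis above (SYNs leaving the router with no SYN-ACK coming back, plus "ICMP time exceeded" pointing at a TTL loop) can be automated over a saved tcpdump text capture. This is an added example, not code from anyone in the thread; the sample lines are constructed in the same format as the capture posted above, and the flag values follow tcpdump's notation (`S` = SYN, `S.` = SYN-ACK).

```python
import re
from collections import defaultdict

# Constructed sample in the format of the capture posted in the thread:
# one flow that only retransmits SYNs behind ICMP time-exceeded, one healthy flow.
SAMPLE = """\
20:17:54.766923 IP OpenWRT.lan.11042 > ap1.lan.80: Flags [S], seq 804044086, win 65535, options [mss 1260], length 0
20:17:54.768664 IP OpenWRT.lan > ap1.lan: ICMP time exceeded in-transit, length 68
20:17:55.767218 IP OpenWRT.lan.11042 > ap1.lan.80: Flags [S], seq 804044086, win 65535, options [mss 1260], length 0
20:17:55.769044 IP OpenWRT.lan > ap1.lan: ICMP time exceeded in-transit, length 68
20:18:01.100000 IP OpenWRT.lan.40000 > ap1.lan.80: Flags [S], seq 1, win 65535, options [mss 1260], length 0
20:18:01.101000 IP ap1.lan.80 > OpenWRT.lan.40000: Flags [S.], seq 2, ack 2, win 65535, options [mss 1260], length 0
"""

TCP_RE = re.compile(r"^\S+ IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]")
ICMP_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): ICMP time exceeded")


def analyze(capture):
    """Count SYN / SYN-ACK per client flow and ICMP time-exceeded messages."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0})
    ttl_exceeded = 0
    for line in capture.splitlines():
        m = TCP_RE.match(line)
        if m:
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            if m["flags"] == "S":
                flows[key]["syn"] += 1
            elif m["flags"] == "S.":
                # SYN-ACK travels server -> client; attach it to the client's flow key
                rkey = (m["dst"], int(m["dport"]), m["src"], int(m["sport"]))
                flows[rkey]["synack"] += 1
            continue
        if ICMP_RE.match(line):
            ttl_exceeded += 1
    return dict(flows), ttl_exceeded


def diagnose(capture):
    """Return one human-readable finding per flow, plus a loop warning if TTL expired."""
    flows, ttl_exceeded = analyze(capture)
    findings = []
    for (src, sport, dst, dport), c in sorted(flows.items()):
        flow = f"{src}:{sport} -> {dst}:{dport}"
        if c["synack"]:
            findings.append(f"{flow}: handshake answered (SYN x{c['syn']}, SYN-ACK x{c['synack']})")
        else:
            findings.append(f"{flow}: {c['syn']} SYN, no SYN-ACK (target not answering or reply misrouted)")
    if ttl_exceeded:
        findings.append(f"{ttl_exceeded} ICMP time-exceeded messages: TTL hit zero, check for a routing loop")
    return findings
```

Feed it the text of `tcpdump -n -i <lan-if> dst 192.168.0.2` and a forwarded flow that is really being DNATed but never answered shows up as "no SYN-ACK".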

I tried a few combinations, SNAT, no-SNAT etc. No luck, though tcpdump output changes.

I didn't try turning off the n2n VPN on OpenWRT, as that's my go-to way to ssh into the device.

I am putting a pause on this method and trying something else.
I appreciate you @trendy and @eduperez for taking the time to post on this thread.
Thank you very much. :pray:
