Port forwarding troubles


#1

hi.

a bit of context before my question:

my current setup consists of a comcast-issued gateway (Xfinity Gateway) which i set into 'bridge mode' ... according to comcast it turns the device into just a modem.

i then have my Linksys WRT1200AC plugged into port 1 of the 'gateway' and then an ethernet cable to my PC (from one of the 4 ethernet ports on the WRT1200AC).

here are the internal addresses of each of my devices:
gateway: 10.0.0.1
Linksys WRT1200AC: 192.168.1.1
PC (ipconfig): 192.168.1.161
and my external IP: 69.x.x.x

basically, i'm trying to allow external connections to access ports i open on my 'external' ip. people are unable to access my gameserver on port 27015 and can't connect.

sites like https://canyouseeme.org/ report back as the port being closed, even if i try to forward it in my LUCI ui.

any thoughts on how i can get this to work through the LUCI ui? i'm running LEDE Reboot 17.01.4.


#2

@openwrt-router:

uci show network; uci show firewall

And make sure you configured your PC firewall properly.


#3

That gateway address seems wrong...


#4

@eduperez, I'm guessing that's the hairpin access address to the cable modem. Otherwise I agree that gateway IP seems wrong.


#5
root@lilac:~# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdb2:9e5d:a1b0::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan._orig_ifname='eth0 radio0.network1 wlan1'
network.lan._orig_bridge='true'
network.lan.ifname='eth0'
network.lan.macaddr='C2:45:25:C5:34:A2'
network.wan=interface
network.wan.ifname='eth1'
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan.dns='1.1.1.1 1.0.0.1'
network.wan.macaddr='C2:45:25:C5:34:A2'
network.wan6=interface
network.wan6.ifname='eth1'
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.wan6.peerdns='0'
network.wan6.dns='2606:4700:4700::1111 2606:4700:4700::1001'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 3 5'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='4 6'
root@lilac:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].forward='REJECT'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='DROP'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.miniupnpd=include
firewall.miniupnpd.type='script'
firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
firewall.miniupnpd.family='any'
firewall.miniupnpd.reload='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[0].src='lan'

also, the internal IPs should be 'correct'. they're the defaults i was given. (comcast gateway defaults to 10.0.0.1).

i don't have any firewall rules setup yet on port 27015 since i'm unsure of the correct settings for it through the LUCI UI, but when i was testing it external sites couldn't connect to the port.

my PC firewall isn't a concern at the moment from what i can tell, external sites can't access it through my PUBLIC IP (comcast IP). on top of that, i disable windows firewall (should've mentioned i was on windows)

thanks!


#6

It's probably 10.0.0.1 because their router uses the 10.0.0.x range for nat. Try using 192.168.1.1.


#7

192.168.1.1 for what?

192.168.1.1 is the 1200AC internal IP and how i access the LUCI ui, which i already know about.

no luck when using it as a host for port forwarding through the ui. external sites still don't pick up the port as being 'open'.


#8

No, sites are not supposed to be able to connect until you open that port, or did I misunderstand your comment?


#9

sorry, i worded that post badly.

i don't have a rule set up currently because it doesn't seem to work (tried different internal hosts, any host, etc).

i'm asking for advice on what else to try here since nothing through the port forward interface seems to work.

external sites (when i add the port forward rule) don't show it as open.

this is all i tried, alongside a combination of different hosts:

my goal is to open up the entire range (since there's multiple ports used in the range, not just one):


#10

Use the destination IP of the server hosting 27000-27100, you can't forward to ALL IPs.

#11

Do the PCs in the LAN acquire an IP and other settings automatically, or do you set a static IP?
Also, when you are using those sites, like canyouseeme.org, are you using the correct public IP?


#12

setting the internal ip address doesn’t seem to have an effect (canyouseeme is still reporting 27015 as being closed)

the server is hosted on my PC (internal ip posted above) but users must connect using my EXTERNAL ip address (also stated in my original post, but censored for obvious reasons).

my windows PC hosts the server (on 27015) and people connect using my external IP.

also, i get an external ip address automatically assigned by comcast, which changes when my device mac address does (mac address spoofing)... but this isn’t a concern, i just can’t get any ports open / forwarded so people can connect to my server. im unsure what else to configure / try...


#13

Start with your OpenWrt WAN -- what is the address there? is it in the 10.0.0.0/24 subnet, or are you getting a valid public IP address?


#14

i have internet connectivity just fine. 10.0.0.1 is just my 'modem' (or, well, the gateway in bridge mode)

i'm currently using ethernet for my PC (from the linksys router) and i also have WIFI set up on the router (which also works fine).


#15

Good. Since you have a proper external IP, you should be able to get forwarding to work in general.

@lleachii noted that your port forwarding does not have a proper destination address. You need to fix that.

Your forwarding rule should be limited to what you actually need... you stated 27015 earlier, so unless you need a range, just stick to that.

The rule should be TCP and/or UDP (depending on the actual use) from any host in wan via any router IP at port 27015 forwarding to <IP ADDRESS OF GAME SERVER> port 27015 in lan.

EDIT: apparently enclosing things in angle brackets < > hides it unless you make it preformatted text... fixed that (for IP address of game server).

Also, verify that the game server is running and that the port is open/listening when addressing via the local network (i.e. your LAN IP address of the server, used above). If it is not open, you won't get anything even when your firewall rules are correct.
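
The rule described in this post, written out as the `uci` commands that create it (an added example, not part of the original thread). It is narrowed to a single port and one LAN host; the function name `make_redirect` and the rule name are hypothetical, and the LAN subnet, router address and PC address are the ones posted earlier in the thread.

```shell
#!/bin/sh
# Added example: build the WAN -> LAN port forward (DNAT) for the game server.
# Values from the thread: router 192.168.1.1, PC 192.168.1.161, port 27015.

# Print the uci batch commands for one forward; return 1 if the input is unusable.
make_redirect() {
    dest_ip="$1"
    port="$2"
    proto="${3:-tcp udp}"   # assumption: forward both unless told otherwise

    case "$dest_ip" in
        192.168.1.1)  echo "dest_ip is the router itself, not the server" >&2; return 1 ;;
        192.168.1.*)  ;;    # coarse check: inside the posted LAN, 192.168.1.0/24
        *)            echo "dest_ip must be the server's LAN address" >&2; return 1 ;;
    esac

    case "$port" in
        ''|*[!0-9]*)  echo "port must be a single number" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range" >&2
        return 1
    fi

    cat <<EOF
add firewall redirect
set firewall.@redirect[-1].name='gameserver-$port'
set firewall.@redirect[-1].target='DNAT'
set firewall.@redirect[-1].src='wan'
set firewall.@redirect[-1].src_dport='$port'
set firewall.@redirect[-1].dest='lan'
set firewall.@redirect[-1].dest_ip='$dest_ip'
set firewall.@redirect[-1].dest_port='$port'
set firewall.@redirect[-1].proto='$proto'
commit firewall
EOF
}

# Show what would be applied for the setup in this thread.
make_redirect 192.168.1.161 27015
```

On the router, pipe the output into `uci batch` and then run `/etc/init.d/firewall reload`; the new section then appears as `firewall.@redirect[0]` in `uci show firewall`.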


#16

Also:

Verify that you properly opened the Windows firewall.

https://www.google.com/search?q=open+ports+on+windows+10


#17

seems like it works, but port checking sites don't pick it up as open. however, my server is querying to the master server and people are able to connect.

setting the internal ip to my PCs internal ip worked. i guess i can't trust those port checking sites for this.

thanks everyone!

