Port Forwarding Unsuccessful

Hello! I am attempting to set up port forwarding for a few services, namely Emby and Homer Dashboard. I have attempted to set it up, but I have no access to the services, although the port appears as “open” when using online checkers like https://www.yougetsignal.com/tools/open-ports/

I am using Cloudflare Dynamic DNS, but even when trying to “direct connect” using the public IP, the results are the same.

Below is the firewall config, wondering if I am missing anything obvious? Besides the attempts to PF, it is the default firewall config.

Thank you

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'emby'
        option src 'wan'
        option src_dport '8096'
        option dest_ip '10.0.0.2'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'homer1'
        option src 'wan'
        option src_dport '8080'
        option dest_ip '10.0.0.2'

You’re missing the destination port in your port forwarding rules.

Sorry, those were missing as a troubleshooting step; with them I continue to get "ERR_CONNECTION_TIMED_OUT" errors.

Have you verified that the server is listening for connections and responding properly? The best way to test this is to connect locally via your lan using the lan address of the server.

yup, 10.0.0.2:8096 as well as 10.0.0.2:8080 work as expected and load instantly

Ok. Do you have a public IP? What does the main status screen of the OpenWrt LuCI web interface show for IPv4 upstream? Post just the first two octets in bold:
aaa.bbb.ccc.ddd

Protocol: PPPoE
Address: 81.79.XXX.XXX/32
Gateway: 84.65.XXX.XXX
DNS 1: 90.255.255.XXX
DNS 2: 90.255.255.XXX
Connected: 2h 7m 22s

Yes I am fully connected to the internet, and the "Address" field above is what I am using to attempt to direct connect.

If it helps, 10.0.0.2 is an Ubuntu-based server.

Ok. All is good there. And how are you testing? Inside your network or via another network (such as on cellular with your phone)?

Testing within my network as well as on mobile data on my phone.

https://portchecker.co/checking appears to suggest the ports are "open" but just don't work?

Sorry -> They ARE working from the mobile data, I was simply experiencing some caching issues mobile side that were hiding that.

Is it possible to make it accessible locally too? Can OpenWrt route requests from a domain into an IP?

Have you verified that the dynamic DNS resolves to the correct IP address?

Oh. Good. So yes, you can either set up hairpin/reflection, or set a local DNS entry that will direct your local clients to the LAN IP of your server. I think the latter is easier.
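
One way to create the local DNS entry mentioned above over SSH, as an added example that is not part of the original replies. `emby.example.com` is a placeholder for the dynamic DNS name and the two function names are hypothetical; 10.0.0.2 is the server address from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: a LAN-only DNS override on OpenWrt.
# Assumed: emby.example.com stands in for the real dynamic DNS name.

# True only for RFC 1918 addresses, so a typo cannot point LAN clients
# at an arbitrary public host.
is_private_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    case "$1.$2" in
        10.*|192.168) return 0 ;;
    esac
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]
}

# Add a "config domain" section (name -> LAN IP) to /etc/config/dhcp.
# dnsmasq then answers LAN clients with the LAN address, so local
# traffic never has to hairpin through the WAN port forward.
add_local_dns() {
    name=$1 ip=$2
    if ! is_private_ipv4 "$ip"; then
        echo "refusing non-private address: $ip" >&2
        return 1
    fi
    case "$name" in
        ""|*[!A-Za-z0-9.-]*) echo "bad hostname: $name" >&2; return 1 ;;
    esac
    uci add dhcp domain >/dev/null &&
    uci set "dhcp.@domain[-1].name=$name" &&
    uci set "dhcp.@domain[-1].ip=$ip" &&
    uci commit dhcp
}

# Usage on the router: sh local-dns.sh emby.example.com 10.0.0.2
if [ "$#" -eq 2 ]; then
    add_local_dns "$1" "$2" && /etc/init.d/dnsmasq restart
fi
```

Clients that cached the public address need their DNS cache flushed before they pick up the LAN answer.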

How would I do the latter? Or the former, if it is more robust?

Try this:

Yup, this sorted it. I had naturally tried it before but it didn't work; doing it via SSH worked a treat though.

You don't have IPv6?
