Port Forwarding with VPN Policy Routing

Hi,

I recently had an internet outage (ISP issue) and silly me wiped my config (I had a backup) while trying to pinpoint the issue.

Since having my service restored I haven't been able to work out my port forwarding config (previously working) allowing access to some local services via a Let's Encrypt reverse proxy.

I have DDNS set up with Cloudflare and this seems to be working fine (IP updates in the dash when it changes).
The port forwarding rules seem to not be working (although this may not be the case).
These rules look like:

config redirect
        option dest_port '180'
        option src 'wan'
        option name 'HTTP'
        option src_dport '80'
        option target 'DNAT'
        option dest_ip '192.168.1.10'
        option dest 'lan'
        list proto 'tcp'

config redirect
        option dest_port '1443'
        option src 'wan'
        option name 'HTTPS'
        option src_dport '443'
        option target 'DNAT'
        option dest_ip '192.168.1.10'
        option dest 'lan'
        list proto 'tcp'

config redirect
        option dest_port '32400'
        option src 'wan'
        option name 'Plex'
        option src_dport '14431'
        option target 'DNAT'
        option dest_ip '192.168.1.10'
        option dest 'lan'
        list proto 'tcp'

I should note that the plex rule seems to be working fine.

Because I have the whole network set up to run through a WireGuard VPN, I also have VPN policy routing set up so that the response from the port forward goes through the same gateway it came in from (WAN, not the WireGuard interface).

These rules are as follows:

config policy
        option interface 'wan'
        option name 'Plex Local Server'
        option src_addr '192.168.1.10/32'
        option src_port '32400'

config policy
        option interface 'wan'
        option name 'Plex Remote Servers'
        option src_addr '192.168.1.0/24'
        option dest_addr 'plex.tv my.plexapp.com'

config policy
        option interface 'wan'
        option name 'HTTP'
        option src_addr '192.168.1.10/32'
        option src_port '180'

config policy
        option interface 'wan'
        option name 'HTTPS'
        option src_addr '192.168.1.10/32'
        option src_port '1443'

config policy
        option name 'Default'
        option src_addr '192.168.1.0/24'
        option interface 'WGINTERFACE'

I suspect this is where things are going wrong although I believe this is exactly as I had it setup before.

I should note that my local address range is 192.168.1.0/24, with the reverse proxy hosted at a static IP, 192.168.1.10, and listening on ports 1443 and 180 (forwarded to 443 and 80 via a Docker network).

Any help would be great.

Cheers

Can you verify that you get hits on the firewall for the DNAT?
iptables-save -c -t nat | grep DNAT

I do not; that command returns nothing (just inputting it into the terminal, SSH'd into the router as root).

I assume that would point to something wrong with my DDNS setup then?
Or maybe some issue with the firewall?

Run the following and post the output:
fw3 restart; iptables-save

Thanks

Warning: Option 'dns_fwd_allow'.src_mac has invalid value 'MAC_ADDR1'
Warning: Option 'dns_fwd_allow'.src_mac has invalid value 'MAC_ADDR2'
Warning: Section 'dns_fwd_allow' skipped due to invalid options
Warning: Option 'dns_fwd_reject'.dest_port has invalid value '53'
Warning: Option 'dns_fwd_reject'.dest_port has invalid value '853'
Warning: Section 'dns_fwd_reject' skipped due to invalid options
Warning: Option @rule[11].dest_port has invalid value '53'
Warning: Option @rule[11].dest_port has invalid value '853'
Warning: Section @rule[11] (DNS-Forward-Reject-WG) skipped due to invalid options
Warning: Option @redirect[0].dest_port has invalid value '180'
Warning: Option @redirect[0].src_dport has invalid value '80'
Warning: Section @redirect[0] (HTTP) skipped due to invalid options
Warning: Option @redirect[1].dest_port has invalid value '1443'
Warning: Option @redirect[1].src_dport has invalid value '443'
Warning: Section @redirect[1] (HTTPS) skipped due to invalid options
Warning: Option @redirect[2].dest_port has invalid value '32400'
Warning: Option @redirect[2].src_dport has invalid value '14431'
Warning: Section @redirect[2] (Plex) skipped due to invalid options
Warning: Option @redirect[3].dest_port has invalid value '27864'
Warning: Option @redirect[3].src_dport has invalid value '27864'
Warning: Section @redirect[3] (Transmission) skipped due to invalid options
Warning: Option @helper[0].port has invalid value '10080'
Warning: Section @helper[0] (amanda) has invalid options
Warning: Option @helper[1].port has invalid value '21'
Warning: Section @helper[1] (ftp) has invalid options
Warning: Option @helper[2].port has invalid value '1719'
Warning: Section @helper[2] (RAS) has invalid options
Warning: Option @helper[3].port has invalid value '1720'
Warning: Section @helper[3] (Q.931) has invalid options
Warning: Option @helper[4].port has invalid value '6667'
Warning: Section @helper[4] (irc) has invalid options
Warning: Option @helper[5].port has invalid value '137'
Warning: Section @helper[5] (netbios-ns) has invalid options
Warning: Option @helper[6].port has invalid value '1723'
Warning: Section @helper[6] (pptp) has invalid options
Warning: Option @helper[7].port has invalid value '6566'
Warning: Section @helper[7] (sane) has invalid options
Warning: Option @helper[8].port has invalid value '5060'
Warning: Section @helper[8] (sip) has invalid options
Warning: Option @helper[9].port has invalid value '161'
Warning: Section @helper[9] (snmp) has invalid options
Warning: Option @helper[10].port has invalid value '69'
Warning: Section @helper[10] (tftp) has invalid options
Warning: Option @helper[11].port has invalid value '554'
Warning: Section @helper[11] (rtsp) has invalid options
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv4 raw table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Forward 'lan' -> 'WGZONE'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'WGZONE'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'WGZONE'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'WGZONE'
 * Populating IPv4 raw table
   * Zone 'lan'
     - Using automatic conntrack helper attachment
   * Zone 'wan'
   * Zone 'WGZONE'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Forward 'lan' -> 'WGZONE'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'WGZONE'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'WGZONE'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
# Generated by iptables-save v1.8.3 on Tue Sep 29 21:10:58 2020
*nat
:PREROUTING ACCEPT [1:403]
:INPUT ACCEPT [1:403]
:OUTPUT ACCEPT [1:120]
:POSTROUTING ACCEPT [1:120]
:postrouting_WGZONE_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_WGZONE_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_WGZONE_postrouting - [0:0]
:zone_WGZONE_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i WGINTERFACE -m comment --comment "!fw3" -j zone_WGZONE_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o WGINTERFACE -m comment --comment "!fw3" -j zone_WGZONE_postrouting
-A zone_WGZONE_postrouting -m comment --comment "!fw3: Custom WGZONE postrouting rule chain" -j postrouting_WGZONE_rule
-A zone_WGZONE_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_WGZONE_prerouting -m comment --comment "!fw3: Custom WGZONE prerouting rule chain" -j prerouting_WGZONE_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Tue Sep 29 21:10:58 2020
# Generated by iptables-save v1.8.3 on Tue Sep 29 21:10:58 2020
*raw
:PREROUTING ACCEPT [227:276771]
:OUTPUT ACCEPT [193:69180]
:zone_lan_helper - [0:0]
-A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
COMMIT
# Completed on Tue Sep 29 21:10:58 2020
# Generated by iptables-save v1.8.3 on Tue Sep 29 21:10:58 2020
*mangle
:PREROUTING ACCEPT [252:305431]
:INPUT ACCEPT [252:305431]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [211:77104]
:POSTROUTING ACCEPT [211:77104]
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o WGINTERFACE -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone WGZONE MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i WGINTERFACE -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone WGZONE MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Sep 29 21:10:58 2020
# Generated by iptables-save v1.8.3 on Tue Sep 29 21:10:58 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_WGZONE_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_WGZONE_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_WGZONE_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_WGZONE_dest_ACCEPT - [0:0]
:zone_WGZONE_dest_REJECT - [0:0]
:zone_WGZONE_forward - [0:0]
:zone_WGZONE_input - [0:0]
:zone_WGZONE_output - [0:0]
:zone_WGZONE_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i WGINTERFACE -m comment --comment "!fw3" -j zone_WGZONE_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD --hw
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i WGINTERFACE -m comment --comment "!fw3" -j zone_WGZONE_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o WGINTERFACE -m comment --comment "!fw3" -j zone_WGZONE_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_WGZONE_dest_ACCEPT -o WGINTERFACE -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_WGZONE_dest_ACCEPT -o WGINTERFACE -m comment --comment "!fw3" -j ACCEPT
-A zone_WGZONE_dest_REJECT -o WGINTERFACE -m comment --comment "!fw3" -j reject
-A zone_WGZONE_forward -m comment --comment "!fw3: Custom WGZONE forwarding rule chain" -j forwarding_WGZONE_rule
-A zone_WGZONE_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_WGZONE_forward -m comment --comment "!fw3" -j zone_WGZONE_dest_REJECT
-A zone_WGZONE_input -m comment --comment "!fw3: Custom WGZONE input rule chain" -j input_WGZONE_rule
-A zone_WGZONE_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_WGZONE_input -m comment --comment "!fw3" -j zone_WGZONE_src_REJECT
-A zone_WGZONE_output -m comment --comment "!fw3: Custom WGZONE output rule chain" -j output_WGZONE_rule
-A zone_WGZONE_output -m comment --comment "!fw3" -j zone_WGZONE_dest_ACCEPT
-A zone_WGZONE_src_REJECT -i WGINTERFACE -m comment --comment "!fw3" -j reject
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to WGZONE forwarding policy" -j zone_WGZONE_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue Sep 29 21:10:58 2020

Looks like it may be related to https://github.com/openwrt/luci/issues/2871

It doesn't seem to be related to this ticket, as your configuration is using the correct options src and dest.
Can you also post the device details? ubus call system board
Did you copy-paste the configuration from some other system by any chance? Could you open the configuration file with vi to see if there are any invalid characters?

The device details:

{
        "kernel": "4.14.180",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "UBNT-ERX",
        "board_name": "ubnt-erx",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.3",
                "revision": "r11063-85e04e9f46",
                "target": "ramips/mt7621",
                "description": "OpenWrt 19.07.3 r11063-85e04e9f46"
        }
}

I didn't copy-paste from some other system.
I pulled those configs from vi; is there anything I should be looking for with special characters?
Just by looking myself I don't see any.

Thanks for all the help

OK, I have made progress.

I had a rule to forward all DNS queries to a Pi-hole on the network.
This was created by copying some firewall set commands into the terminal; it looks like something there was off.

Going through and adjusting these correctly has fixed the issue.

Thanks for all your help!

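The fw3 warnings in this thread reject values such as '180' and '80' that look perfectly valid on screen, and the advice was to open the file in vi and look for invalid characters. The script below is an added example (not from this thread or from OpenWrt) of doing that check mechanically on a UCI firewall file: it reports any character outside printable ASCII in an option value and validates the port options, labelling sections the way fw3's warnings do. The sample config is constructed, with a hidden zero-width space and a carriage return planted in the HTTP redirect, and the 1..65535 port rule is this check's own assumption.

```python
import re
import sys
import unicodedata

# Constructed sample in UCI syntax, modelled on the thread's redirects (not the
# poster's real file).  The HTTP section hides a zero-width space after '180'
# and a carriage return after '80'; both are invisible in most editors.
SAMPLE_CONFIG = (
    "config redirect\n"
    "        option name 'HTTP'\n"
    "        option dest_port '180\u200b'\n"
    "        option src_dport '80\r'\n"
    "        option dest_ip '192.168.1.10'\n"
    "\n"
    "config redirect\n"
    "        option name 'Plex'\n"
    "        option dest_port '32400'\n"
    "        option src_dport '14431'\n"
    "        option dest_ip '192.168.1.10'\n"
)

LINE_RE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+(.*))?$")
PORT_RE = re.compile(r"(\d{1,5})(?:-(\d{1,5}))?")
PORT_OPTIONS = {"src_port", "src_dport", "dest_port", "port"}

def unquote(raw):
    """Strip one layer of UCI quoting ('...' or "...") from a value."""
    raw = raw.strip(" \t")
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]
    return raw

def parse_uci(text):
    """Return [{'type', 'name', 'opts': [(key, value), ...]}, ...]."""
    sections = []
    for line in text.split("\n"):  # not splitlines(): a stray '\r' must stay inside the value
        m = LINE_RE.match(line)
        if m and m.group(1) == "config":
            sections.append({"type": m.group(2), "name": unquote(m.group(3) or "") or None, "opts": []})
        elif m and sections:
            sections[-1]["opts"].append((m.group(2), unquote(m.group(3) or "")))
    return sections

def hidden_chars(value):
    """(offset, name) of every character outside printable ASCII 0x20..0x7E."""
    return [(i, unicodedata.name(c, "U+%04X" % ord(c)))
            for i, c in enumerate(value) if not 0x20 <= ord(c) <= 0x7E]

def valid_port(value):
    """Accept a single port or a 'lo-hi' range within 1..65535 (this check's rule)."""
    m = PORT_RE.fullmatch(value)
    if not m:
        return False
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    return 0 < lo <= hi <= 65535

def audit_uci(text):
    """Return (section, option, problem) findings; sections are labelled @<type>[index] (name) like fw3 warnings."""
    findings, counters = [], {}
    for sec in parse_uci(text):
        i = counters.get(sec["type"], 0)
        counters[sec["type"]] = i + 1
        name = dict(sec["opts"]).get("name")
        label = "@%s[%d]%s" % (sec["type"], i, " (%s)" % name if name else "")
        for key, value in sec["opts"]:
            for pos, what in hidden_chars(value):
                findings.append((label, key, "hidden %s at offset %d" % (what, pos)))
            if key in PORT_OPTIONS and not valid_port(value):
                findings.append((label, key, "not a valid port or range: %r" % value))
    return findings

if __name__ == "__main__":  # usage: python audit_uci.py /etc/config/firewall
    path = sys.argv[1] if len(sys.argv) > 1 else None
    # newline="" keeps a bare '\r' inside a value from being normalised away on read
    text = open(path, encoding="utf-8", newline="").read() if path else SAMPLE_CONFIG
    for section, key, problem in audit_uci(text):
        print("%s: option %s: %s" % (section, key, problem))
```

Run without arguments it audits the constructed sample and flags only the HTTP section; point it at a real file to check the values fw3 is complaining about.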
