Port forwarding working in 19.x but not in 20.x

Hi, I have the following configuration in 19.x, which works like a charm:

root@OpenWrt:/etc/config# cat firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option forward 'ACCEPT'
	list network 'wlan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'ACCEPT'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option output 'ACCEPT'
	option name 'wan6'
	option masq '1'
	option mtu_fix '1'
	option family 'ipv6'
	option input 'REJECT'
	option forward 'ACCEPT'
	list network 'wan6'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option name 'lantowlan'
	list network 'wlan'

config forwarding
	option dest 'lan'
	option src 'lantowlan'

config forwarding
	option src 'lan'
	option dest 'lantowlan'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option src_dport '80'
	option dest_port '80'
	option name 'HTTP'
	option dest_ip '192.168.1.100'
	list proto 'tcp'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option name 'HTTPS'
	option src_dport '443'
	option dest_port '443'
	option dest_ip '192.168.1.100'
	list proto 'tcp'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option name 'jitsi10000'
	option dest_ip '192.168.1.100'
	option src_dport '10000'
	option dest_port '10000'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option name 'jitsi3478'
	option dest_ip '192.168.1.100'
	option src_dport '3478'
	option dest_port '3478'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option name 'jitsi5349'
	option dest_ip '192.168.1.100'
	option src_dport '5349'
	option dest_port '5349'

When I use the exact same config in 20.x, it does not work. The requests are handled by uhttpd instead of being forwarded to my server (192.168.1.100) on ports 80 and 443. If I disable uhttpd on 0.0.0.0 and bind it only to 192.168.1.1, I get no response at all (otherwise I get that rfc1819 error when accessing the public IP directly).

Anyone have an idea what could be wrong?
I also deleted the existing port forwardings in the LuCI UI and re-created them (because I thought maybe something was broken/changed between 19.x and 20.x and the UI would correctly recreate those rules), but that did not help either.

You have some odd stuff happening here.

First, do you have different LAN and WLAN networks? Is there a reason you don't just have them in the same zone? You don't seem to have a lan network assigned anywhere -- just the wlan.

As a result of the above, you can remove the lan2wlan zone definition since it does nothing useful, as well as the forwarding between the lan and lan2wlan zones.

Finally, disable masquerading on your lan zone.

Is the server (192.168.1.100) on your wired or wireless network?


192.168.7.x is the wlan (ath10k @ 2.4 GHz), and I am planning to separate lan and wlan (at the moment they can communicate with each other globally, but I want to fine-tune that a lot).
192.168.1.x is the lan.

Btw, just to mention that again: in 19.x this exact same config works like a charm, but not in 20.x.

You don't have any lan interface assigned to any zone.
Most likely 19.07 was less strict with what is allowed, as long as there is a DNAT defined.
You can verify that with iptables-save -c -t nat
In any case you need to fix the remarks mentioned earlier by @psherman. This configuration is not correct, regardless of the fact that it seemed to work fine for you.


If you want to keep your wired and wireless networks separated, that is fine. But you must define your wired LAN in a zone for things to work. I suspect that the lan zone on your firewall is supposed to be connected to your wired lan network, but currently it has the wlan as the only associated network. Fix that and remove masquerading and it should work.

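As an added check that is not part of the thread or of OpenWrt itself, the following Python script parses a constructed UCI firewall excerpt and flags the two problems the replies above point out: a DNAT redirect whose dest zone contains no network that covers dest_ip, and masquerading enabled on an internal zone. The network-to-subnet map is an assumption standing in for what /etc/config/network would provide.

```python
import ipaddress
import re

# Constructed excerpt mirroring the thread: the 'lan' zone carries only the
# 'wlan' network and has masq on, yet the DNAT redirect points into it.
FIREWALL = """
config zone
    option name 'lan'
    option masq '1'
    list network 'wlan'
config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option dest_ip '192.168.1.100'
"""
# Constructed network -> subnet map (assumed, from /etc/config/network).
NETWORKS = {"lan": "192.168.1.0/24", "wlan": "192.168.7.0/24"}
_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")

def parse_uci(text):
    """Parse UCI text into sections of {'type', 'opts', 'lists'}."""
    sections = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        kind, key, val = m.groups()
        if kind == "config":
            sections.append({"type": key, "opts": {}, "lists": {}})
        elif kind == "option":
            sections[-1]["opts"][key] = val
        else:
            sections[-1]["lists"].setdefault(key, []).append(val)
    return sections

def lint_dnat(text, networks):
    """Findings for each DNAT redirect whose dest zone cannot deliver to dest_ip."""
    secs = parse_uci(text)
    zones = {s["opts"].get("name"): s for s in secs if s["type"] == "zone"}
    findings = []
    for s in secs:
        if s["type"] != "redirect" or s["opts"].get("target") != "DNAT":
            continue
        dest, ip = s["opts"].get("dest"), s["opts"].get("dest_ip")
        zone = zones.get(dest, {"opts": {}, "lists": {}})  # undefined zone == empty zone
        nets = zone["lists"].get("network", [])
        subnets = [ipaddress.ip_network(networks[n]) for n in nets if n in networks]
        if ip and not any(ipaddress.ip_address(ip) in sn for sn in subnets):
            findings.append(f"{ip}: not in any network of zone '{dest}' (networks: {nets})")
        if zone["opts"].get("masq") == "1":
            findings.append(f"{ip}: zone '{dest}' has masq on; disable it on internal zones")
    return findings
```

Running lint_dnat on the full /etc/config/firewall text after the fix (list network 'lan' added, masq removed) returns an empty list.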

Thanks, I removed masq and added list network 'lan', and it works now. Thanks!
I will separate them later into different zones (lan and wlan).
