hi, i have the following configuration in 19.x which works like a charm:
root@OpenWrt:/etc/config# cat firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option synflood_protect '1'
option drop_invalid '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option masq '1'
option forward 'ACCEPT'
list network 'wlan'
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
option forward 'ACCEPT'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option output 'ACCEPT'
option name 'wan6'
option masq '1'
option mtu_fix '1'
option family 'ipv6'
option input 'REJECT'
option forward 'ACCEPT'
list network 'wan6'
config zone
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option name 'lantowlan'
list network 'wlan'
config forwarding
option dest 'lan'
option src 'lantowlan'
config forwarding
option src 'lan'
option dest 'lantowlan'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option src_dport '80'
option dest_port '80'
option name 'HTTP'
option dest_ip '192.168.1.100'
list proto 'tcp'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option name 'HTTPS'
option src_dport '443'
option dest_port '443'
option dest_ip '192.168.1.100'
list proto 'tcp'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'udp'
option name 'jitsi10000'
option dest_ip '192.168.1.100'
option src_dport '10000'
option dest_port '10000'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'udp'
option name 'jitsi3478'
option dest_ip '192.168.1.100'
option src_dport '3478'
option dest_port '3478'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option name 'jitsi5349'
option dest_ip '192.168.1.100'
option src_dport '5349'
option dest_port '5349'
when i use the exact same config in 20.x, it does not work. the requests are handled by uhttpd instead of forwarded to my server (192.168.1.100) on port 80 and 443. if i disable uhttpd on 0.0.0.0 and set it fixed to 192.168.1.1 i get no response at all (otherwise i get that rfc1819 error when accessing the public ip directly).
anyone an idea what could be wrong?
i also deleted the existing port forwardings in luci ui and re-created them (because i thought maybe from 19.x to 20.x something is broken/changed and the ui should correctly recreate those rules), but did not help either.