After days of failure, I rebooted back to dd-wrt and port forwarding works fine. So I can rule out the ISP and the hardware (WRT3200ACM). A port scan correctly shows all the forwarded ports when run from the LAN. When I SSH into a remote server and scan from there, no ports are reported, and ping gets no reply either. I assume I've missed something important, but what? TIA
Firewall:

```
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

#...

config redirect
	option target 'DNAT'
	option name 'https'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.2.3'
	option dest_port '443'
	option dest 'lan'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'ssh'
	list proto 'tcp'
	option src 'wan'
	option src_dport '2222'
	option dest_ip '192.168.2.3'
	option dest_port '2222'
	option family 'ipv4'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config rule
	option name 'guest DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'guest DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67 68'
	option target 'ACCEPT'
```
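As an added sanity check (example code, not from the poster or from OpenWrt), here is a small linter for the `/etc/config/firewall` syntax above: it parses `config`/`option`/`list` lines and verifies each `redirect` section has the fields a WAN-to-LAN DNAT needs. It assumes the LAN subnet is 192.168.2.0/24 as stated in the thread; the `broken` redirect in the sample is constructed to show what a bad entry looks like.

```python
import ipaddress
import shlex

LAN_SUBNET = ipaddress.ip_network("192.168.2.0/24")  # br-lan subnet from the thread

def parse_uci(text):
    """Parse /etc/config/* syntax into a list of (type, options) sections."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)  # handles quotes and '#' comments
        if not parts:
            continue
        if parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts[0] == "option" and sections:
            sections[-1][1][parts[1]] = parts[2]
        elif parts[0] == "list" and sections:  # 'list' keys may repeat
            sections[-1][1].setdefault(parts[1], []).append(parts[2])
    return sections

def lint_redirects(text):
    """Return {rule name: [problems]}; an empty list means the redirect looks sane."""
    report = {}
    for stype, opts in parse_uci(text):
        if stype != "redirect":
            continue
        problems = [f"{k} should be '{v}', got {opts.get(k)!r}"
                    for k, v in (("target", "DNAT"), ("src", "wan"), ("dest", "lan"))
                    if opts.get(k) != v]
        problems += [f"missing {k}" for k in ("proto", "src_dport", "dest_ip") if not opts.get(k)]
        dest_ip = opts.get("dest_ip")
        if dest_ip and ipaddress.ip_address(dest_ip) not in LAN_SUBNET:
            problems.append(f"dest_ip {dest_ip} is outside {LAN_SUBNET}")
        report[opts.get("name", "<unnamed>")] = problems
    return report

# Constructed sample: the 'ssh' redirect from the post plus a deliberately broken one.
SAMPLE = """config redirect
    option dest 'lan'
    option target 'DNAT'
    option name 'ssh'
    list proto 'tcp'
    option src 'wan'
    option src_dport '2222'
    option dest_ip '192.168.2.3'
config redirect
    option target 'DNAT'
    option name 'broken'
    option src 'wan'
    list proto 'tcp'
    option dest_ip '192.168.4.10'
"""
```

Run `lint_redirects(open("/etc/config/firewall").read())` on the router to check the live file; the posted `https` and `ssh` redirects both come back clean.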
- From another host on your LAN (the 192.168.2.0/24 network), you can connect to the host 192.168.2.3 on port 2222 for ssh and 443 for https.
- The IP address on your OpenWrt wan matches the IP address you get if you google "what's my ip" (you can check the wan address with `ifstatus wan | grep address`).
- The address seen above matches the address you are using to attempt a remote connection -- specifically, if you're using a dynamic DNS service, make sure the IP that is resolved is the same (`nslookup <your.dynamicdns.domain.name>`).
- The host at 192.168.2.3 doesn't have a local firewall that is blocking the connections. This can happen, especially on Windows, if the system believes you are on a new network and assumes it is untrusted -- you may need to make adjustments to the host-level firewall. Disabling the host-level firewall temporarily can be a good way to test this.
Thank you for taking the time to reply. Since I am able to reboot my router (WRT3200ACM) to the alternate partition (dd-wrt) and my port forwards all work successfully there, that leads me to believe that my domain name and IP are being correctly resolved. On OpenWRT, using SSH to the router and running "ip a" shows the correct public IP on wan@eth0. br-lan uses 192.168.2.1, br-guest uses 192.168.4.1.
One experiment I did yesterday was a factory reset and rebuilding a very simple configuration, no guest, no extras -- only added 2 port forwards (ssh & https). No joy. Forwarding still worked on LAN and not from WAN. Wireshark showed no packets arriving from WAN.
In debugging I've tried to simplify the setup. I have multiple computers and devices on my LAN and multiple ports forwarded. All work successfully with dd-wrt. I'm new to OpenWRT and still assume I've done something wrong in my configuration.