Port forwarding works only from wwan, not from lan

I have just set up an extremely simple port forwarding rule so that when I want to connect to my server the router redirects https traffic to the server (in lan area). However, the rule applies only to traffic incoming from wwan area, not to local traffic.
Example: I can connect to the server normally from outside my network (e.g. from my smartphone), but not from my laptop that is connected to the same network.
I'm quite new to this, but shouldn't this be handled by the option "Enable NAT Loopback" (that I have ticked in the rule configuration)?

What am I doing wrong?

I am running OpenWrt 18.06.2 r7676-cddd7b4c77 / LuCI openwrt-18.06 branch (git-19.020.41695-6f6641d)
Below is a screenshot of the rule I added in the "Port forwards" section of the UI.

This is the configuration of /etc/config/firewall:

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '443'
	option dest_ip ''
	option dest_port '443'
	option name 'https'

Actually, this should be enabled by default.
Perhaps you should change the "Loopback source IP" to "Use external IP address".
In addition, the reflection works only when the source and the destination are in the same zone.

What is the output of iptables-save -c -t nat ?

@vgaetera It is enabled by default indeed. Could you elaborate on that, please?

@trendy, here is the output for that specific rule. Do you need the whole output?
[1970:103120] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: https" -j DNAT --to-destination

I need the whole output.

root@OpenWrt:~# iptables-save -c -t nat
# Generated by iptables-save v1.6.2 on Thu Sep 10 11:43:13 2020
:PREROUTING ACCEPT [224757:27310746]
:INPUT ACCEPT [13676:933917]
:OUTPUT ACCEPT [41802:2919403]
:POSTROUTING ACCEPT [13420:929698]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[226736:27414322] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[52258:4960131] -A PREROUTING -i br-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[138748:8507036] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[125328:7577338] -A POSTROUTING -o br-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
[0:0] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[125328:7577338] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[125328:7577338] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[52258:4960131] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[1970:103120] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: https" -j DNAT --to-destination
# Completed on Thu Sep 10 11:43:13 2020

Reflection is not enabled.
Anyway, I don't advise the use of reflection, since it utilizes router resources for intra-LAN traffic. You can utilize an internal name for the server, like www.lan, or if you must use the public name, create a hostname entry with the FQDN pointing to the internal address.

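As an added example (not code from the thread or from OpenWrt), the script below reads `iptables-save -c -t nat` output like the one posted above and reports, for each port forward, whether the same DNAT appears in the prerouting chain of more than one zone, which is how fw3 expresses NAT reflection in the nat table. The first sample is trimmed from the output posted above; the second is constructed to show what the table looks like once reflection rules exist. The addresses 203.0.113.5 (WAN), 192.168.1.0/24 (LAN), 192.168.1.10 (server) and the "(reflection)" comment suffix in that second sample are assumptions about fw3's output, not facts taken from the thread.

```python
"""Report NAT-reflection status of fw3 port forwards from `iptables-save -c -t nat` output."""
import re
from collections import defaultdict

# Trimmed from the iptables-save output posted in the thread (no reflection rules present).
POSTER_DUMP = """\
[52258:4960131] -A PREROUTING -i br-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[125328:7577338] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[1970:103120] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: https" -j DNAT --to-destination
"""

# Constructed sample: the same forward after fw3 has generated reflection rules.
# Addresses and the "(reflection)" comment suffix are assumptions for illustration.
REFLECTED_DUMP = """\
[52258:4960131] -A PREROUTING -i br-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[30:1800] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[1970:103120] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: https" -j DNAT --to-destination 192.168.1.10:443
[12:720] -A zone_lan_prerouting -s 192.168.1.0/24 -d 203.0.113.5/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: https (reflection)" -j DNAT --to-destination 192.168.1.10:443
[12:720] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.10/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: https (reflection)" -j SNAT --to-source 192.168.1.1
"""

RULE_RE = re.compile(r'^\[(\d+):(\d+)\] -A (\S+) (.*)$')   # [pkts:bytes] -A chain body
COMMENT_RE = re.compile(r'--comment "([^"]*)"')
DPORT_RE = re.compile(r'--dport (\d+)')
PROTO_RE = re.compile(r'(?:^| )-p (\S+)')
ZONE_CHAIN_RE = re.compile(r'^zone_(\w+)_prerouting$')       # fw3 per-zone DNAT chains


def parse_rules(dump):
    """Return (packet_count, chain, rule_body) for every -A line of an `iptables-save -c` dump."""
    rules = []
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            pkts, _bytes, chain, body = m.groups()
            rules.append((int(pkts), chain, body))
    return rules


def redirect_name(comment):
    """Map an fw3 rule comment to the redirect name: '!fw3: https (reflection)' -> 'https'."""
    name = comment[len('!fw3:'):].strip() if comment.startswith('!fw3:') else comment
    suffix = ' (reflection)'
    return name[:-len(suffix)] if name.endswith(suffix) else name


def check_reflection(dump):
    """Group DNAT rules by (proto, dport) across the zone_*_prerouting chains.

    A forward counts as reflected when the same DNAT is present in more than one
    zone's chain: the original in the source zone (wan) plus the lan-side copy that
    fw3 emits when the redirect's reflection option is active.  Packet counters are
    kept per zone so you can also see which side is actually hitting the rule.
    """
    groups = defaultdict(lambda: {'name': None, 'zones': set(), 'hits': {}})
    for pkts, chain, body in parse_rules(dump):
        zm = ZONE_CHAIN_RE.match(chain)
        if not zm or '-j DNAT' not in body:
            continue
        zone = zm.group(1)
        proto = PROTO_RE.search(body)
        dport = DPORT_RE.search(body)
        comment = COMMENT_RE.search(body)
        key = (proto.group(1) if proto else 'any', dport.group(1) if dport else 'any')
        g = groups[key]
        g['zones'].add(zone)
        g['hits'][zone] = g['hits'].get(zone, 0) + pkts
        if comment and g['name'] is None:
            g['name'] = redirect_name(comment.group(1))

    report = {}
    for (proto, dport), g in groups.items():
        name = g['name'] or f'{proto}/{dport}'
        report[name] = {
            'proto': proto,
            'dport': dport,
            'zones': sorted(g['zones']),
            'reflected': len(g['zones']) > 1,
            'hits': g['hits'],
        }
    return report


def summarize(report):
    """Render the report as one line per forward, suitable for a quick eyeball check."""
    lines = []
    for name, info in sorted(report.items()):
        status = 'reflected' if info['reflected'] else 'NOT reflected (lan clients cannot use the public address)'
        hits = ', '.join(f"{z}={n}" for z, n in sorted(info['hits'].items()))
        lines.append(f"{name}: {info['proto']}/{info['dport']} DNAT in zones "
                     f"{', '.join(info['zones'])} -> {status}; packets: {hits}")
    return lines


if __name__ == '__main__':
    for label, dump in (('posted output', POSTER_DUMP), ('constructed reflected output', REFLECTED_DUMP)):
        print(f'== {label} ==')
        print('\n'.join(summarize(check_reflection(dump))))
```

Run it against a live dump with `iptables-save -c -t nat > nat.txt` on the router and `check_reflection(open('nat.txt').read())` on your workstation. On the posted output it reports `https` as present only in the `wan` zone with 1970 packets, which matches the symptom in the thread: the forward works from wwan and nothing in the nat table rewrites LAN-originated connections. When a forward shows up as not reflected, the things to check in `/etc/config/firewall` are that the redirect has `option reflection '1'` (the LuCI "Enable NAT Loopback" box) and a non-empty `dest_ip`, and that the `wan` zone has `option masq '1'`; in my reading of fw3 the lan-side rules are generated from exactly those settings.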
Thank you for the recommendation.
I suppose that I can do that by adding the following line to /etc/hosts: my.domain.name

Better add it in dnsmasq
