Port forwarding

Hi,
I have configured the port forwarding.
These are the only settings I changed.

Changed FORWARD traffic to accept but this didn't help.

cat /etc/config/firewall 
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option flow_offloading '1'
	option flow_offloading_hw '1'
	option forward 'ACCEPT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option dest_port '8080'
	option src 'wan'
	option name 'System1_GUI'
	option src_dport '28xxx'
	option target 'DNAT'
	option dest 'lan'
	option dest_ip '192.168.1.xxx'
	list proto 'tcp'

config redirect
	option dest_port '22'
	option src 'wan'
	option name 'System1_SSH'
	option src_dport '22xxx'
	option target 'DNAT'
	option dest_ip '192.168.1.251'
	option dest 'lan'
	list proto 'tcp'

config redirect
	option dest_port '8080'
	option src 'wan'
	option name 'System2_GUI'
	option src_dport '28xxx'
	option target 'DNAT'
	option dest_ip '192.168.1.xxx'
	option dest 'lan'
	list proto 'tcp'

config redirect
	option dest_port '22'
	option src 'wan'
	option name 'System2_SSH'
	option src_dport '22xxx'
	option target 'DNAT'
	option dest_ip '192.168.1.200'
	option dest 'lan'
	list proto 'tcp'

I see that some packets are being forwarded but still I cannot connect with SSH.
8 416 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22xxx /* !fw3: System_SSH */ to:192.168.1.xx:22

I have connected locally just fine.
Is there anything missing in the configuration?
Best regards

Your port forwarding rule seems to be correct and there are hits, so make sure that the device firewall accepts ssh connections outside the lan.


I changed all to accept and still no luck:

The issue is probably with the device that is running the SSH server. Check the firewall on that device to ensure it's not blocking the connection.


I have the old router and when I swap it with the OpenWrt one I can connect from the outside just fine.

Can you ssh from OpenWrt?


Perhaps your old router was masquerading the source IP on top of the forwarding?


Good idea.
I tried, and yes, I can log in from OpenWrt to that host. I can SSH from the host to OpenWrt as well.

I think you are right; as soon as I ticked Masquerading for LAN -> WAN and saved, I could connect.
Thanks

Can someone tell me if my rules are safe enough?
I mean General Settings (accept, accept, accept) vs. Zones (accept, accept, accept): is any of that overkill?
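To make the two remaining points of the thread concrete (why enabling masquerading on the LAN zone changed the host's behaviour, and what the redirect sections actually expose to the WAN), here is an added audit script; it is not from the thread or from OpenWrt. It parses the UCI config/option/list syntax shown above, lists every DNAT redirect with the internal endpoint it publishes, and reports whether the zone the traffic lands in masquerades, which decides whether the internal host sees the router's LAN address or the real Internet source as the SSH client. The embedded config is a constructed sample in the thread's format with a placeholder external port.

```python
import shlex
# Constructed sample in the thread's UCI syntax; the external port 22222 is a placeholder.
SAMPLE_CONFIG = """
config zone
	option name 'lan'
	option forward 'ACCEPT'
	option masq '1'
config redirect
	option name 'System1_SSH'
	option src 'wan'
	option src_dport '22222'
	option target 'DNAT'
	option dest 'lan'
	option dest_ip '192.168.1.251'
	option dest_port '22'
	list proto 'tcp'
"""

def parse_uci(text):
    """Parse UCI config/option/list lines into [(section_type, {key: str or [str]})]."""
    sections = []
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)  # handles the quoted values and '#' comments
        if len(parts) >= 2 and parts[0] == "config":
            sections.append((parts[1], {}))
        elif len(parts) >= 3 and sections and parts[0] == "option":
            sections[-1][1][parts[1]] = parts[2]
        elif len(parts) >= 3 and sections and parts[0] == "list":
            sections[-1][1].setdefault(parts[1], []).append(parts[2])
    return sections

def audit_forwards(text):
    """List each DNAT redirect: what it exposes and whether the landing zone masquerades."""
    sections = parse_uci(text)
    zones = {s["name"]: s for kind, s in sections if kind == "zone" and "name" in s}
    findings = []
    for kind, s in sections:
        if kind != "redirect" or s.get("target", "DNAT") != "DNAT":  # DNAT is the default target
            continue
        proto = s.get("proto", "tcp udp")  # OpenWrt defaults a redirect to tcp+udp
        findings.append({
            "name": s.get("name", "?"),
            "from_zone": s.get("src"),
            "external_port": s.get("src_dport"),
            "internal": f"{s.get('dest_ip')}:{s.get('dest_port', s.get('src_dport'))}",
            "proto": proto if isinstance(proto, list) else proto.split(),
            # masq '1' on the destination zone: the host sees the router as the client
            # (the thread's fix); otherwise it sees the real source and may reject it.
            "dest_zone_masq": zones.get(s.get("dest", ""), {}).get("masq") == "1",
        })
    return findings
```

Run it against the real file with `audit_forwards(open("/etc/config/firewall").read())`; every entry with `from_zone == "wan"` is a service reachable from the Internet, which is the list to review rather than the three ACCEPT policies.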
