Port Forwarding

I am trying to port forward and am having mixed results, likely due to my noob status in OpenWRT. I have many ports "open". When I check sites like https://myopenports.com/ some show as open and some as closed. Any help is greatly appreciated. Below is my system and the "firewall rules" from the "status" page.

System
|Hostname|LuxulOpenWrt|
|Model|Luxul ABR-4500 V1|
|Architecture|ARMv7 Processor rev 0 (v7l)|
|Target Platform|bcm53xx/generic|
|Firmware Version|OpenWrt 22.03.3 r20028-43d71ad93e / LuCI openwrt-22.03 branch git-23.039.29681-007c243|
|Kernel Version|5.10.161|
|Local Time|2023-03-01 12:08:30|
|Uptime|8d 13h 22m 15s|
|Load Average|0.00, 0.00, 0.00|

|Rule comment|Traffic matched by rule|Rule match|Rule action|
|Unraid|1 packet, 40 bytes|IPv4, TCP destination port 443|Rewrite destination to 192.168.XXX.XXX, port 443|
|Unraid|0 packets, 0 bytes|IPv4, UDP destination port 443|Rewrite destination to 192.168.XXX.XXX, port 443|
|WireguardVPN|0 packets, 0 bytes|IPv4, UDP destination port 51820|Rewrite destination to 192.168.XXX.XXX, port 51820|
|PS5|3 packets, 180 bytes|IPv4, TCP destination ports 3478-3480|Rewrite destination to 192.168.XXX.XXX, ports 3478-3480|
|PS5|1 packet, 60 bytes|IPv4, TCP destination port 1935|Rewrite destination to 192.168.XXX.XXX, port 1935|
|PS5|0 packets, 0 bytes|IPv4, UDP destination port 3074|Rewrite destination to 192.168.XXX.XXX, port 3074|
|PS5|0 packets, 0 bytes|IPv4, UDP destination ports 3478-3479|Rewrite destination to 192.168.XXX.XXX, ports 3478-3479|
|Plex|1 packet, 60 bytes|IPv4, TCP destination port 32400|Rewrite destination to 192.168.XXX.XXX, port 32400|
|Ombi|1 packet, 60 bytes|IPv4, TCP destination port 3579|Rewrite destination to 192.168.XXX.XXX, port 3579|
|Ombi|0 packets, 0 bytes|IPv4, UDP destination port 3579|Rewrite destination to 192.168.XXX.XXX, port 3579|
|Torrent|2 packets, 120 bytes|IPv4, TCP destination port 51413|Rewrite destination to 192.168.XXX.XXX, port 51413|
|Torrent|3 packets, 270 bytes|IPv4, UDP destination port 51413|Rewrite destination to 192.168.XXX.XXX, port 51413|
|PhotoPrism|0 packets, 0 bytes|IPv4, TCP destination port 2342|Rewrite destination to 192.168.XXX.XXX, port 2342|
|delugeVPN|0 packets, 0 bytes|IPv4, TCP destination port 8112|Rewrite destination to 192.168.XXX.XXX, port 8112|
|delugeVPN|0 packets, 0 bytes|IPv4, UDP destination port 8112|Rewrite destination to 192.168.XXX.XXX, port 8112|

That's very unreadable.

Post /etc/config/firewall

1 Like

First of all - do you have a public IP address on your router WAN interface?

2 Likes

Why do people hide 192.168. addresses?

Anyway, are all xxx.xxx the same?

You say mixed results? In what way? Some work, some don't? Which ones do? Which ones don't?

because they don't realize they're private ?

Here is the Firewall File

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Unraid'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.0.105'
	option dest_port '443'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'WireguardVPN'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '192.168.0.105'
	option dest_port '51820'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'PS5'
	option src 'wan'
	option dest_ip '192.168.0.100'
	option src_dport '3478-3480'
	option dest_port '3478-3480'
	list proto 'tcp'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'PS5'
	list proto 'tcp'
	option src 'wan'
	option src_dport '1935'
	option dest_ip '192.168.0.100'
	option dest_port '1935'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'PS5'
	list proto 'udp'
	option src 'wan'
	option src_dport '3074'
	option dest_ip '192.168.0.100'
	option dest_port '3074'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'PS5'
	list proto 'udp'
	option src 'wan'
	option src_dport '3478-3479'
	option dest_ip '192.168.0.100'
	option dest_port '3478-3479'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Plex'
	list proto 'tcp'
	option src 'wan'
	option src_dport '32400'
	option dest_ip '192.168.0.105'
	option dest_port '32400'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Ombi'
	option src 'wan'
	option src_dport '3579'
	option dest_ip '192.168.0.105'
	option dest_port '3579'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Torrent'
	option src 'wan'
	option src_dport '51413'
	option dest_port '51413'
	option dest_ip '192.168.0.90'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'PhotoPrism'
	list proto 'tcp'
	option src 'wan'
	option src_dport '2342'
	option dest_ip '192.168.0.105'
	option dest_port '2342'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'delugeVPN'
	option src 'wan'
	option src_dport '8112'
	option dest_ip '192.168.0.105'
	option dest_port '8112'

I was embarrassed about the disorganization of IP addresses.... :crazy_face:
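The posted firewall file, read by an added audit script (not code from the thread or from OpenWrt): it parses the UCI text, lists every `config redirect` with the protocol set fw4 actually applies (a redirect with no `proto` forwards both TCP and UDP, which is why the status page shows a TCP and a UDP rule each for Unraid, Ombi, Torrent and delugeVPN), names the UDP-only forwards that a TCP port scan can never report as open, and finds forwards whose WAN port range overlaps an earlier one on the same protocol. The embedded samples are a constructed excerpt of the posted config, trimmed to the fields the audit reads, plus a constructed conflicting pair; the option names are standard UCI firewall options.

```python
"""Audit the port forwards (config redirect) in an OpenWrt /etc/config/firewall.
Reports the protocol set fw4 really applies (no `proto` means tcp AND udp),
the UDP-only forwards a TCP port scan can never show as open, and forwards
whose WAN port range overlaps an earlier one on the same protocol (fw4 installs
them in file order and DNAT is terminal, so the later one never matches)."""
import re

# Constructed excerpt of the thread's config, trimmed to the fields read here.
SAMPLE_FIREWALL = """
config redirect
	option name 'Unraid'
	option src_dport '443'
	option dest_ip '192.168.0.105'
config redirect
	option name 'WireguardVPN'
	list proto 'udp'
	option src_dport '51820'
	option dest_ip '192.168.0.105'
config redirect
	option name 'PS5'
	list proto 'tcp'
	option src_dport '3478-3480'
	option dest_ip '192.168.0.100'
config redirect
	option name 'PS5'
	list proto 'udp'
	option src_dport '3478-3479'
	option dest_ip '192.168.0.100'
"""

# Constructed mistake the audit catches: a wide forward shadows a narrower one.
CONFLICT_SAMPLE = """
config redirect
	option name 'Games'
	list proto 'tcp'
	option src_dport '3000-4000'
	option dest_ip '192.168.0.100'
config redirect
	option name 'Ombi'
	list proto 'tcp'
	option src_dport '3579'
	option dest_ip '192.168.0.105'
"""

TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")   # quoted values stay one token

def parse_uci(text):
    """Return [(section_type, options, lists), ...] in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = [t.strip("'\"") for t in TOKEN.findall(line)]
        value = parts[2] if len(parts) > 2 else ''
        if parts[0] == 'config':
            sections.append((parts[1], {}, {}))
        elif parts[0] == 'option' and sections:
            sections[-1][1][parts[1]] = value
        elif parts[0] == 'list' and sections:
            sections[-1][2].setdefault(parts[1], []).append(value)
    return sections

def redirects(sections):
    """One dict per DNAT redirect, with fw4's defaults applied."""
    rules = []
    for stype, opts, lists in sections:
        if stype != 'redirect' or opts.get('target', 'DNAT') != 'DNAT':
            continue
        protos = lists.get('proto') or opts.get('proto', 'tcp udp').split()
        rules.append({
            'name': opts.get('name', '(unnamed)'),
            'protos': sorted(protos),
            'proto_defaulted': 'proto' not in lists and 'proto' not in opts,
            'wan_ports': opts.get('src_dport', ''),
            'lan_target': opts.get('dest_ip', '?') + ':' + (opts.get('dest_port') or opts.get('src_dport', '')),
        })
    return rules

def port_range(spec):
    lo, _, hi = spec.partition('-')
    return int(lo), int(hi or lo)

def udp_only(rules):
    """Forwards a TCP port scanner will always report as closed."""
    return [r['name'] for r in rules if 'tcp' not in r['protos']]

def overlapping(rules):
    """(earlier, later, shared protos) pairs; the later forward is shadowed."""
    hits = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            shared = sorted(set(a['protos']) & set(b['protos']))
            if not shared or not a['wan_ports'] or not b['wan_ports']:
                continue
            lo1, hi1 = port_range(a['wan_ports'])
            lo2, hi2 = port_range(b['wan_ports'])
            if lo1 <= hi2 and lo2 <= hi1:
                hits.append((a['name'], b['name'], shared))
    return hits

if __name__ == '__main__':
    print(redirects(parse_uci(SAMPLE_FIREWALL)))
    print('UDP-only:', udp_only(redirects(parse_uci(SAMPLE_FIREWALL))))
    print('Shadowed:', overlapping(redirects(parse_uci(CONFLICT_SAMPLE))))
```

To run it against the real file, pass the contents of /etc/config/firewall to `parse_uci` instead of the sample. The router-side counterpart of the status page is `fw4 print` (the nftables rules fw4 generates from this config) and `nft list chain inet fw4 dstnat_wan`, whose per-rule counters show whether a forwarded packet ever reached the router at all; a counter that stays at zero while a scanner reports "closed" means the probe never arrived (ISP filtering, CGNAT, or a UDP scan that got no reply), not that the redirect is wrong.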

You have quite a few port forwards defined... and they all look correct from a syntax perspective.

So what exactly is the problem? Are there ports reported as open that you would have expected to be closed? Or closed that you would have expected to be open? Which ports in particular are at issue?

Unless I'm an idiot and I'm not understanding what you are saying, then yes I do.
[screenshot: PublicWAN]

There are ports that I expect to be open that are closed.

Which ports, specifically?

Open Ports:
443
32400
3579
Closed Ports:
51820
3478-3480
1935
3074
3478-3479

This is wireguard. It is a UDP protocol that is not 'chatty' and will not respond to port scans or any other probes. It will only respond when a remote peer connects with valid cryptographic keys.

These are all related to your PS5. They will only appear open if 3 conditions are met:

  • The PS5 is powered on/awake
  • The specific game that uses these ports is running
  • The game is accepting incoming connections (i.e. running as a server)

And further, it is possible that the UDP ports will not respond (similar to the Wireguard situation) even if the service is running (it may only respond if there is 'valid data' sent to that port)... I don't know if that is the situation for the PS5 system or not, but it is a plausible scenario.

1 Like
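The behaviour described in the reply above, that a UDP service which only answers valid peers is indistinguishable from a filtered port, demonstrated locally by an added Python script (not code from the thread, from OpenWrt or from WireGuard). It starts a TCP listener and a UDP listener that replies only to a constructed "valid handshake" payload, then probes both on 127.0.0.1 the way a scanner would, plus a UDP port with nothing behind it. `MAGIC` stands in for a real WireGuard handshake initiation; nothing here speaks the actual protocol, and the port numbers are whatever the OS hands out.

```python
"""Why a UDP forward (WireGuard, the PS5's UDP ports) shows 'closed' on a port
scanner. A TCP service answers a SYN, so a scanner sees the open port. A UDP
service that only answers well-formed, authenticated datagrams stays silent,
and silence looks exactly like a firewall drop. Constructed local demo: two
listeners on 127.0.0.1, probed the way a scanner would probe them. MAGIC stands
in for a real WireGuard handshake; nothing here speaks the actual protocol."""
import socket
import threading

MAGIC = b'valid-handshake-initiation'   # constructed stand-in for a valid peer

def start_tcp_listener():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(('127.0.0.1', 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def start_silent_udp_listener():
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(('127.0.0.1', 0))
    def serve():
        while True:
            data, peer = srv.recvfrom(2048)
            if data == MAGIC:            # anything else is dropped without a reply
                srv.sendto(b'handshake-response', peer)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def unused_udp_port():
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(('127.0.0.1', 0))
    port = s.getsockname()[1]
    s.close()                            # nothing listens here any more
    return port

def probe_tcp(port, timeout=1.0):
    """What a TCP scanner learns: the SYN/ACK (or RST) is unambiguous."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(('127.0.0.1', port))
        return 'open'
    except (ConnectionRefusedError, socket.timeout):
        return 'closed'
    finally:
        s.close()

def probe_udp(port, payload=b'scanner-probe', timeout=0.5):
    """What a UDP scanner learns. The socket is connect()ed so the kernel
    reports an ICMP port-unreachable as ConnectionRefusedError; an unconnected
    UDP socket on Linux swallows that ICMP unless IP_RECVERR is set."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect(('127.0.0.1', port))
        s.send(payload)
        s.recv(2048)
        return 'open'                    # an application-layer reply came back
    except ConnectionRefusedError:
        return 'closed'                  # ICMP port unreachable: nothing listening
    except socket.timeout:
        return 'open|filtered'           # silence: silent service OR firewall drop
    finally:
        s.close()

def demo():
    tcp = start_tcp_listener()
    udp = start_silent_udp_listener()
    dead = unused_udp_port()
    return {
        'tcp_service': probe_tcp(tcp),
        'udp_service_random_probe': probe_udp(udp),
        'udp_service_valid_peer': probe_udp(udp, MAGIC),
        'udp_nothing_listening': probe_udp(dead),
    }

if __name__ == '__main__':
    for name, verdict in demo().items():
        print(f'{name:26} {verdict}')
```

The random probe against the silent UDP listener and a probe against a port the firewall drops produce the same result, which is all a scan site has to go on; only the valid-peer probe proves the service is there. The practical check for a forwarded UDP port is therefore to make a real client connect (a WireGuard peer from outside, the PS5 in a game) and watch the rule's packet counter on the router, not a scanner's verdict.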

Thank you @psherman

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.