uzsibox
November 21, 2024, 4:27pm
1
Hey!
I'm using https://www.yougetsignal.com/tools/open-ports/ to check if my ports are open.
I'm from Hungary, using the digi.hu provider. The provided router is in bridge mode and I should not be behind NAT, after talking a couple of hours with customer support.
That said, the site (and any other site I checked) lists the port as closed.
OpenWrt Info and hardware:
Hostname OpenWrt
Model TP-Link Archer C6 v3
Architecture MediaTek MT7621 ver:1 eco:3
Target Platform ramips/mt7621
Firmware Version OpenWrt 23.05.4 r24012-d8dd03c46f / LuCI openwrt-23.05 branch git-24.086.45142-09d5a38
Kernel Version 5.15.162
I'm trying to host dedicated servers. V Rising I managed to get to work using localhost connect and then copying the server address for others to join. Enshrouded, no such luck.
brada4
November 21, 2024, 4:58pm
2
The "port forward" should direct a connection that arrives at the WAN IP to the IP of the game device.
Probably use luci-app-attendedsysupgrade and get to 23.05.5 right away.
Can you post output of
ubus call system board
cat /etc/config/firewall
mk24
November 21, 2024, 5:02pm
3
First double check that there is no ISP NAT. The WAN IPv4 (shown on the main status page as IPv4 Upstream) must exactly match the IP that is reported when you use a LAN computer to access a "what's my IP" test site.
Your forward is not configured properly. An Internal IP and Internal Port must be specified for port forwarding to work. The GUI apparently does not enforce this. Internal IP is the address of your server computer on the LAN. It is useful to make a DHCP Reservation for that machine so that you know it will always have the same IP. Internal port is the port that is open on the LAN machine. For this sort of gaming scenario it is usually OK to set it the same as External Port. If you had multiple servers with the same port open to the LAN you'd need to re-map them to different external ports.
1 Like
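The ISP-NAT check described in the post above, as an added example (it is not code from the thread or from OpenWrt). It takes the address that `ifstatus wan` reports, compares it with the address an external "what's my IP" page showed, and also catches the case where the WAN address itself is in private or carrier-grade NAT space, which settles the question without any external site. The embedded `ifstatus` output is a constructed sample; `1.2.3.4` stands in for a real public address and the PPPoE peer address is made up. Running `main()` on the router assumes a `python3` package is installed there.

```python
"""Decide whether the WAN side of the router really is the public Internet."""
from __future__ import annotations

import ipaddress
import json
import subprocess
import sys

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 carrier-grade NAT space

# Constructed sample of 'ifstatus wan' output on a PPPoE link. 1.2.3.4 stands in
# for a real public address and 10.0.0.1 for the ISP's side of the PPPoE link.
SAMPLE_IFSTATUS = json.dumps({
    "up": True,
    "proto": "pppoe",
    "ipv4-address": [{"address": "1.2.3.4", "mask": 32, "ptpaddress": "10.0.0.1"}],
})


def wan_ipv4_from_ifstatus(ifstatus_json: str) -> str | None:
    """The router's own IPv4 address on the WAN interface, or None if it has none."""
    addrs = json.loads(ifstatus_json).get("ipv4-address") or []
    # 'ptpaddress' is the far end of the PPPoE link. A 10.x there is the ISP's link
    # address, not evidence of NAT, so only 'address' is looked at.
    return addrs[0]["address"] if addrs else None


def classify_wan(wan_ip: str, external_ip: str) -> str:
    """Classify the WAN address against what the outside world reports.

    'isp-nat'      -> WAN address is RFC1918 or CGNAT: inbound forwards cannot work
    'public-match' -> WAN address is what the outside sees: forwards can work
    'mismatch'     -> public, but not what the outside sees: something else in the path
    """
    wan = ipaddress.ip_address(wan_ip)
    if wan.version == 4 and (wan in CGNAT or wan.is_private):
        return "isp-nat"
    if wan == ipaddress.ip_address(external_ip):
        return "public-match"
    return "mismatch"


def main() -> None:
    # On the router: python3 wan_check.py <IP shown by a what's-my-IP site>
    if len(sys.argv) != 2:
        print("usage: wan_check.py EXTERNAL_IP", file=sys.stderr)
        sys.exit(2)
    out = subprocess.run(["ifstatus", "wan"], capture_output=True, text=True, check=True).stdout
    wan_ip = wan_ipv4_from_ifstatus(out)
    if wan_ip is None:
        print("wan has no IPv4 address")
        sys.exit(1)
    print(f"wan={wan_ip} external={sys.argv[1]} -> {classify_wan(wan_ip, sys.argv[1])}")


if __name__ == "__main__":
    main()
```

Only `public-match` means a port forward on this router can be reached from outside; `isp-nat` means the ISP still has to forward (or hand out a real public address) regardless of how the OpenWrt rules look.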
brada4
November 21, 2024, 5:07pm
4
Adapt the port numbers in the following example; not so many creepers in a brand-new game, but beware.
Disable incoming ping and change the WAN zone forward and input from reject to drop.
Example custom rule to limit the connection rate towards your rule.
Add it into a new file with a .nft extension in /etc/nftables.d/
(The filter line is optimal bytecode-wise; the limiter is copied from the fw4 default and may need changing. It keeps your server up, while it may drop legit clients under attack.)
chain mangle_prerouting {
type filter hook prerouting priority mangle; policy accept;
iif $wan_devices ct state n…
For a GUI-editable version add the following to /etc/config/firewall
config redirect
option dest 'lan'
option target 'DNAT'
option name 'https'
option src 'wan'
option src_dport '443'
option dest_ip '192.168.1.43'
option dest_port '8443'
option limit '10/second'
option limit_burst '10'
option enabled '0'
and edit accordingly.
2 Likes
mk24
November 21, 2024, 5:22pm
5
A limit of 10 packets per second is probably too strict for a game to work properly. If you were DoS attacked, the problem is that the incoming ISP line will remain saturated with packets even though your router later drops them.
brada4
November 21, 2024, 5:23pm
6
It limits new state creation (430 bytes RAM, 2 points towards conntrack_max), not pps.
That was a server under attack; probably one can slip through with a 10x bigger new-connection rate as a safety pillow.
uzsibox
November 21, 2024, 6:00pm
7
root@OpenWrt:~# ubus call system board
{
"kernel": "5.15.162",
"hostname": "OpenWrt",
"system": "MediaTek MT7621 ver:1 eco:3",
"model": "TP-Link Archer C6 v3",
"board_name": "tplink,archer-c6-v3",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.4",
"revision": "r24012-d8dd03c46f",
"target": "ramips/mt7621",
"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
}
}
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Enshrouded'
option src 'wan'
option src_dport '15636'
option dest_port '15636'
option dest_ip '192.168.1.183'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Ensh2'
option src 'lan'
option src_dport '15636'
option dest_port '15636'
option dest_ip '192.168.1.183'
config redirect
option dest 'lan'
option target 'DNAT'
option src 'wan'
option src_dport '15637'
option dest_port '15637'
option dest_ip '192.168.1.183'
config redirect
option dest 'wan'
option target 'DNAT'
option src 'wan'
option src_dport '15637'
option dest_port '15637'
option dest_ip '192.168.1.183'
config redirect
option dest 'lan'
option target 'DNAT'
option src 'wan'
option src_dport '15636-15637'
option dest_port '15636-15637'
option dest_ip '192.168.1.183'
This rule does nothing and can be deleted (it has the same source and destination zones):
The last 2 rules are redundant and should be deleted (and the first of these two doesn't do anything, anyway):
1 Like
brada4
November 21, 2024, 6:31pm
9
dest_port is also redundant; the same port is implied if no port is specified.
1 Like
mk24
November 21, 2024, 6:33pm
10
LuCI shows the default as "any" which is wrong and confusing. It should say "same as external" when unset.
2 Likes
brada4
November 21, 2024, 6:35pm
11
The destination interface is a filter, not the target; as such it never happens against NAT.
uzsibox
November 21, 2024, 6:37pm
12
I deleted the rules you mentioned; it still shows closed on the external site.
mk24
November 21, 2024, 6:38pm
13
You would think that, but my experience has been that if a dest zone is not specified it becomes an input rule and port forwarding (reverse NAT) does not occur at all.
Let's do a little more digging...
What are the first two octets (aaa.bbb in aaa.bbb.ccc.ddd) of the address that you see after issuing this command:
ifstatus wan | grep address
Let's review the latest config files:
cat /etc/config/network
cat /etc/config/firewall
And finally, have you tested connectivity while on your lan when pointing at address 192.168.1.183 (ports 15636 and 15637)?
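A linter for the redirect sections this thread has been picking apart, written as an added example (it is not code from the thread, from OpenWrt or from fw4). It parses UCI text and flags the mistakes raised in the replies above: a forward with no internal address, a forward whose source and destination zones are the same, a destination zone other than the one holding the server (which also catches a missing dest), a dest_port that merely repeats src_dport, and an external port range already claimed by an earlier rule, which fw4 emits first so the later rule never matches. The sample config is constructed from the five redirects posted earlier in the thread; the name of the server's zone (`lan`) is an assumption held in one constant.

```python
"""Lint the 'config redirect' sections of an OpenWrt /etc/config/firewall."""
from __future__ import annotations

from collections.abc import Iterable

LAN_ZONE = "lan"  # assumption: the game host lives in the zone named 'lan'

# Constructed sample: the five redirects posted in this thread, nothing else.
SAMPLE_FIREWALL = """
config redirect
    option dest 'lan'
    option target 'DNAT'
    option name 'Enshrouded'
    option src 'wan'
    option src_dport '15636'
    option dest_port '15636'
    option dest_ip '192.168.1.183'

config redirect
    option dest 'lan'
    option target 'DNAT'
    option name 'Ensh2'
    option src 'lan'
    option src_dport '15636'
    option dest_port '15636'
    option dest_ip '192.168.1.183'

config redirect
    option dest 'lan'
    option target 'DNAT'
    option src 'wan'
    option src_dport '15637'
    option dest_port '15637'
    option dest_ip '192.168.1.183'

config redirect
    option dest 'wan'
    option target 'DNAT'
    option src 'wan'
    option src_dport '15637'
    option dest_port '15637'
    option dest_ip '192.168.1.183'

config redirect
    option dest 'lan'
    option target 'DNAT'
    option src 'wan'
    option src_dport '15636-15637'
    option dest_port '15636-15637'
    option dest_ip '192.168.1.183'
"""


def parse_uci(text: str) -> list[dict]:
    """Parse UCI text into section dicts; '.type' holds the section type, lists become lists."""
    sections: list[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "config" and len(parts) >= 2:
            name = parts[2].strip("'\"") if len(parts) == 3 else None
            sections.append({".type": parts[1], ".name": name})
        elif parts[0] in ("option", "list") and len(parts) == 3 and sections:
            key, val = parts[1], parts[2].strip().strip("'\"")
            if parts[0] == "list":
                sections[-1].setdefault(key, []).append(val)
            else:
                sections[-1][key] = val
    return sections


def port_range(spec: str) -> tuple[int, int]:
    """'15636' -> (15636, 15636); '15636-15637' -> (15636, 15637)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def protos(spec: str | None) -> set[str]:
    """fw4 applies a redirect to both tcp and udp when 'proto' is unset."""
    return set((spec or "tcp udp").split())


def lint_redirects(sections: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (rule label, problem) pairs for every DNAT redirect that will not do what was meant."""
    findings: list[tuple[str, str]] = []
    earlier: list[tuple[str | None, set[str], int, int, str]] = []  # rules seen so far, in order
    for idx, sec in enumerate(s for s in sections if s[".type"] == "redirect"):
        if sec.get("target", "DNAT") != "DNAT":
            continue  # SNAT redirects are a different topic
        label = sec.get("name") or f"redirect#{idx}"
        src, dest = sec.get("src"), sec.get("dest")
        if not sec.get("dest_ip"):
            findings.append((label, "no dest_ip: there is no internal host to DNAT to"))
        if src == dest:
            findings.append((label, f"src and dest zone are both '{src}': the rule does nothing useful"))
        elif dest != LAN_ZONE:
            findings.append((label, f"dest zone is '{dest}', not '{LAN_ZONE}': traffic is not forwarded into the server's zone"))
        if "dest_port" in sec and sec["dest_port"] == sec.get("src_dport"):
            findings.append((label, "dest_port equals src_dport: redundant, the same port is implied when it is omitted"))
        if "src_dport" in sec:
            lo, hi = port_range(sec["src_dport"])
            for o_src, o_protos, o_lo, o_hi, o_label in earlier:
                if o_src == src and protos(sec.get("proto")) & o_protos and lo <= o_hi and o_lo <= hi:
                    findings.append((label, f"external ports {lo}-{hi} already covered by '{o_label}' ({o_lo}-{o_hi}): the earlier rule matches first"))
            earlier.append((src, protos(sec.get("proto")), lo, hi, label))
    return findings


if __name__ == "__main__":
    for rule, problem in lint_redirects(parse_uci(SAMPLE_FIREWALL)):
        print(f"{rule}: {problem}")
```

Run it against `cat /etc/config/firewall` output instead of the sample to get the same list for your own rules; after the clean-up suggested in the thread (one rule per external port or one range, src wan, dest lan, dest_ip set, no dest_port) it should print nothing.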
uzsibox
November 21, 2024, 6:50pm
15
ifstatus wan | grep address
"ipv4-address": [
"address": "78.131.
"ptpaddress": "10.0
cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd77:5e8e:85d3::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'wan'
option proto 'pppoe'
option username '<redacted>'
option password '<redacted>'
option ipv6 'auto'
config interface 'wan6'
option device 'wan'
option proto 'dhcp'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Enshrouded'
option src 'wan'
option src_dport '15636'
option dest_port '15636'
option dest_ip '192.168.1.183'
config redirect
option dest 'lan'
option target 'DNAT'
option src 'wan'
option src_dport '15637'
option dest_port '15637'
option dest_ip '192.168.1.183'
option name 'Ensh lan'
It doesn't look like you made the changes to the firewall that I recommended.
uzsibox
November 21, 2024, 6:52pm
17
Yes, I updated; I forgot to save and apply in the browser.
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Enshrouded'
option src 'wan'
option src_dport '15636'
option dest_port '15636'
option dest_ip '192.168.1.183'
config redirect
option dest 'lan'
option target 'DNAT'
option src 'wan'
option src_dport '15637'
option dest_port '15637'
option dest_ip '192.168.1.183'
option name 'Ensh lan'
That suggests that the server is not running on the host in question. This means that the port will not appear to be open even if the port forwarding is all configured properly.
The server must be running and listening for inbound connections for a port scan or a remote connection to the service/game to show an open port/functioning server.
1 Like
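What an "open port" check actually observes, depending on whether a service is listening, as an added example that is not from the thread. It runs entirely on loopback: a TCP listener is started and stopped around a connect() probe, which is the kind of test a web-based port checker performs (that such checkers use a TCP connect is general knowledge, not something the thread states), and a UDP socket that is bound but never answers shows why a UDP-only game port cannot be confirmed this way at all, since no reply looks the same as a dropped packet. The host and ports are parameters; the game's own ports and protocol are not assumed here.

```python
"""Show what a port probe sees with and without a listener behind the port."""
from __future__ import annotations

import contextlib
import socket
from collections.abc import Iterator


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True when a TCP handshake completes, i.e. something is listening on the far side."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # ECONNREFUSED (nothing listening) or a timeout (dropped/filtered)
        return False


def udp_probe(host: str, port: int, timeout: float = 0.5) -> str:
    """'closed' only if an ICMP port-unreachable comes back; a silent service and a
    dropped packet both end in a timeout and are reported as 'open|filtered'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected UDP socket: ICMP errors surface as ECONNREFUSED
        s.send(b"\x00")
        try:
            s.recv(1)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except TimeoutError:
            return "open|filtered"


@contextlib.contextmanager
def tcp_listener(host: str = "127.0.0.1", port: int = 0) -> Iterator[int]:
    """A listening TCP socket that never accepts; the kernel still completes handshakes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    try:
        yield srv.getsockname()[1]  # port 0 above lets the kernel pick a free port
    finally:
        srv.close()


@contextlib.contextmanager
def silent_udp_socket(host: str = "127.0.0.1", port: int = 0) -> Iterator[int]:
    """A bound UDP socket that reads nothing and answers nothing, like an idle game server."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, port))
    try:
        yield s.getsockname()[1]
    finally:
        s.close()


def demo() -> dict[str, object]:
    """Probe the same TCP port while a listener exists and after it is gone, then a silent UDP port."""
    results: dict[str, object] = {}
    with tcp_listener() as port:
        results["tcp_port"] = port
        results["tcp_while_listening"] = tcp_port_open("127.0.0.1", port)
    results["tcp_after_stop"] = tcp_port_open("127.0.0.1", port)
    with silent_udp_socket() as uport:
        results["udp_bound_but_silent"] = udp_probe("127.0.0.1", uport)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

From a LAN machine, `tcp_port_open("192.168.1.183", 15636)` answers the "is anything listening" question directly for a TCP service; for a UDP service, `udp_probe` can at best rule the port out, and the reliable check is on the server host itself (whether the process is running and bound to the port).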