Port Forwarding issue

Hello all, here is my setup

Homehub 5 with 19.07 luci web interface
I am connected via VDSL (Vodafone fibre broadband)

Now the issue I am having is regarding NAT type: all my home devices seem to have a strict NAT type (type 3 for PlayStation)

I have tried port forwarding with failure via network/firewall/port forwarding

I have set static addresses for the devices which I want the ports forwarded for

I have also installed UPnP via the LuCI web interface and still no luck

I have used a port checker app to see if the ports are open and it comes back as closed.

Main port I want open is 3074

I am really baffled by this especially as I am still learning all this software

Currently

Wan = dsl0.101 with PPPoE login and 1480 MTU (ISP setup config)

LAN = static with dhcp as setup by default + my static ip setups
I have tweaked the assignment IPs to be assigned lower value first, i.e. 192.168.1.2/3/4 etc

I am away from home until weekend but I will be actively checking this thread as I am really confused by this

Thanks

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; iptables-save -c

How do I do this exactly? I need simple steps as I don't fully know this system and I am restricted to the LuCI web interface

Use ssh to connect to the device.
Then copy paste the whole block of commands to the command line.

2 Likes

Will have to do this Friday/Saturday when I am back home.

Thank you

If you have your router's web GUI open to the Internet, that isn't advised for security reasons.

You're telling me that opening the web UI to the internet is dangerous?

I am going to look at that SSH stuff when I get back. I was reading that CMD works as well, is that right?

Thanks

I think there is a misunderstanding here. Currently you don't have access to your router over the internet, as the firewall by default blocks http and ssh from the internet. That's why you need to go home to send us the logs, right?

4 Likes

I didn't realise you could do remote access with this?

The issues I am experiencing at home are with consoles mainly, NAT type being strict. When I open the relevant ports via 'firewall/port forwarding', this makes no changes to NAT type. I even managed to download the UPnP package from the web interface packages, which I followed from a different OpenWrt forum section.

When I used a 3rd party application to actually see if my ports had indeed been opened, they came back as closed despite forwarding the ports.

To break this down

I can get you the logs when I am back home Friday night/Saturday morning UK time as I am away from home

at the same time, I am very keen to configure the remote access if that is possible to do for when I am not home.

Yes, Windows 10 now contains OpenSSH Client (which you can run from CMD or PowerShell). This should give access to the SSH server (the router in this case), where you run the commands. If you get an error that the command doesn't exist, make sure that OpenSSH Client in Windows Optional Features is installed.

If, in other cases, you need to run other Linux commands on your PC, then you need to install WSL2. Info about that in the link that @trendy provided.

3 Likes

Don't blindly trust these applications. There is a way to verify port forward works and that is
iptables-save -c -t nat | grep DNAT
in the router console.

4 Likes
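The check from the post above, expanded into a small helper (an added example, not part of the original thread). It summarises every DNAT rule in `iptables-save -c -t nat` output with its counter and says so explicitly when there are none; the sample dump, the rule name `Xbox-3074` and the function names are constructed for illustration.

```shell
#!/bin/sh
# Summarise DNAT rules from `iptables-save -c -t nat` output read on stdin.
# One line per rule: protocol, WAN port, LAN target and the packet counter.
# The nat table only sees the first packet of each connection, so the
# counter is the number of new inbound connections that matched the rule.
# Prints NO_DNAT_RULES when no port forward is installed at all.
dnat_report() {
    awk '
    / -j DNAT / {
        pkts = $1; sub(/^\[/, "", pkts); sub(/:.*/, "", pkts)
        proto = "any"; dport = "any"; dest = "?"
        for (i = 2; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
            if ($i == "--to-destination") dest = $(i + 1)
        }
        printf "%s %s -> %s pkts=%s\n", proto, dport, dest, pkts
        found = 1
    }
    END { if (!found) print "NO_DNAT_RULES" }'
}

# Constructed sample: what the nat table looks like once a forward for
# port 3074 to 192.168.1.10 exists (values are illustrative, not from a router).
sample_nat_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
[585:28836] -A zone_wan_prerouting -j MINIUPNPD
[12:624] -A zone_wan_prerouting -p udp -m udp --dport 3074 -m comment --comment "!fw3: Xbox-3074" -j DNAT --to-destination 192.168.1.10:3074
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 3074 -m comment --comment "!fw3: Xbox-3074" -j DNAT --to-destination 192.168.1.10:3074
COMMIT
EOF
}

# On the router: iptables-save -c -t nat | dnat_report
sample_nat_dump | dnat_report
```

A rule whose counter stays at 0 while an external test runs means the probe never reached that rule (wrong protocol or port, or nothing arriving on the WAN side); a rising counter with a "closed" result points at the LAN host rather than the router.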

package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdbb:473b:26a6::/48'

config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option ds_snr_offset '0'
        option tone 'a'
        option annex 'b'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option mtu '1480'
        option delegate '0'
        option force_link '0'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr '84:a4:23:06:4f:fa'

config interface 'wan'
        option ifname 'dsl0.101'
        option proto 'pppoe'
        option username (private)
        option password (private)
        option ipv6 '0'
        option delegate '0'
        option mtu '1480'

config device 'wan_dsl0_dev'
        option name 'dsl0'
        option macaddr '84:a4:23:06:4f:fb'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        option sequential_ip '1'

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option start '2'
        option limit '40'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option mac '98:5F:D3:10:45:B1'
        option name 'Xbox'
        option dns '1'
        option ip '192.168.1.10'

config host
        option mac '28:0D:FC:4C:C4:BF'
        option name 'PS3Slim'
        option dns '1'
        option ip '192.168.1.14'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'
        option family 'ipv4'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option input 'REJECT'
        option network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.3 on Fri Dec 11 19:37:23 2020
*nat
:PREROUTING ACCEPT [486128:208883300]
:INPUT ACCEPT [4138:305208]
:OUTPUT ACCEPT [12491:909220]
:POSTROUTING ACCEPT [28:5004]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[486128:208883300] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[485543:208854464] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[585:28836] -A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[36644:2964707] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[16:4152] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[36616:2959703] -A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[16:4152] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[485543:208854464] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[36616:2959703] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[36616:2959703] -A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
[36616:2959703] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[585:28836] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[585:28836] -A zone_wan_prerouting -j MINIUPNPD
COMMIT
# Completed on Fri Dec 11 19:37:23 2020
# Generated by iptables-save v1.8.3 on Fri Dec 11 19:37:23 2020
*mangle
:PREROUTING ACCEPT [669009:231152267]
:INPUT ACCEPT [37504:3865858]
:FORWARD ACCEPT [168404:20600792]
:OUTPUT ACCEPT [39328:4163056]
:POSTROUTING ACCEPT [207290:24733902]
[18684:1060280] -A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[17710:994184] -A FORWARD -i pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Dec 11 19:37:23 2020
# Generated by iptables-save v1.8.3 on Fri Dec 11 19:37:23 2020
*filter
:INPUT ACCEPT [2:104]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[240:22766] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[37266:3843196] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[31915:3476190] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[137:8720] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[4255:317551] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[1096:49455] -A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
[168404:20600792] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[141630:18133228] -A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD --hw
[141630:18133228] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[26774:2467564] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[240:22766] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[39089:4141030] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[26532:3223290] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[33:9182] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[12524:908558] -A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
[1096:49455] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[137:8720] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[33:9182] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[26774:2467564] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[26774:2467564] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[4255:317551] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[4255:317551] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[33:9182] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[33:9182] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[4253:317447] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[442:29946] -A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[38856:3346176] -A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -j MINIUPNPD
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[1096:49455] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1096:49455] -A zone_wan_input -j MINIUPNPD
[1096:49455] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[12524:908558] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[12524:908558] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[1096:49455] -A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Dec 11 19:37:23 2020

I tried that and it did nothing

(iptables-save -c -t nat | grep DNAT)

You are supposed to create port forwarding rules aka redirects.
Currently you have none.

1 Like

I removed everything I had done, then I created this post.

Everything I have been doing is on the web interface. However, trendy assisted me with SSH.

So what do you mean by redirects?


config redirect
        option dest_port '1935'
        option src 'wan'
        option name 'Test'
        option src_dport '1935'
        option target 'DNAT'
        option dest 'lan'
        list proto 'tcp'

config redirect
        option dest_port '3478'
        option src 'wan'
        option name 'Test2'
        option src_dport '3478'
        option target 'DNAT'
        option dest 'lan'
        list proto 'tcp'

config redirect
        option dest_port '3479'
        option src 'wan'
        option name 'Test 3'
        option src_dport '3479'
        option target 'DNAT'
        option dest 'lan'
        list proto 'tcp'

config redirect
        option dest_port '10070'
        option src 'wan'
        option name 'Test 4'
        option src_dport '10070'
        option target 'DNAT'
        option dest 'lan'

1 Like

So I have opened ports, but the router is still blocking them when I test them via the port checker

I am curious to know, is there a different protocol for opening ports for the WAN side or not?

In theory the LAN side ports are open, but if the WAN side was rejecting them, so to speak, via firewall settings then this could be my issue. Other than that, it must be a software bug potentially?

The redirects are incomplete, there is no lan IP defined.

3 Likes
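A way to catch the omission pointed out above before reloading the firewall (an added example, not part of the original thread): the helper reads `uci export firewall` text and lists every `config redirect` section that has no `dest_ip`. The function names and the sample are constructed; the complete `Xbox-3074` section uses the Xbox static lease and port 3074 from this thread, and its tcp plus udp protocol list is an assumption.

```shell
#!/bin/sh
# List `config redirect` sections without a dest_ip, reading the text of
# `uci export firewall` on stdin. Prints "<name> (src_dport <port>)" per hit.
redirects_missing_dest_ip() {
    awk -v q="'" '
    function report() {
        if (in_redirect && !has_ip) print name " (src_dport " dport ")"
    }
    $1 == "config" || $1 == "package" {
        report()                       # close the previous section
        in_redirect = ($1 == "config" && $2 == "redirect")
        has_ip = 0; name = "(unnamed)"; dport = "?"
        next
    }
    in_redirect && $1 == "option" {
        val = $0                       # keep values that contain spaces
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val)
        gsub(q, "", val)
        if ($2 == "dest_ip") has_ip = 1
        if ($2 == "name") name = val
        if ($2 == "src_dport") dport = val
    }
    END { report() }'
}

# Constructed sample: one redirect as posted in the thread (no dest_ip) and
# one complete redirect (protocol list is an assumption).
sample_firewall_export() {
    cat <<'EOF'
package firewall

config redirect
        option dest_port '3479'
        option src 'wan'
        option name 'Test 3'
        option src_dport '3479'
        option target 'DNAT'
        option dest 'lan'
        list proto 'tcp'

config redirect
        option name 'Xbox-3074'
        option src 'wan'
        option src_dport '3074'
        option dest 'lan'
        option dest_ip '192.168.1.10'
        option dest_port '3074'
        option target 'DNAT'
        list proto 'tcp'
        list proto 'udp'
EOF
}

# On the router: uci export firewall | redirects_missing_dest_ip
sample_firewall_export | redirects_missing_dest_ip
```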

Even with the LAN IP address assigned, it's the same issue!

Check port opening from the internet and post the output: