Port Forwarding issue

Do i just input this into ssh ?

Yes, like that.


When I do this through ssh, nothing happens

uci export firewall


config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'
        option family 'ipv4'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option mtu_fix '1'
        option network 'wan'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config redirect
        option dest_port '1935'
        option src 'wan'
        option name 'Test'
        option src_dport '1935'
        option target 'DNAT'
        option dest 'lan'
        list proto 'tcp'

config redirect
        option dest_port '3478'
        option src 'wan'
        option name 'Test2'
        option src_dport '3478'
        option target 'DNAT'
        option dest 'lan'
        list proto 'tcp'

config redirect
        option dest_port '3479'
        option src 'wan'
        option name 'Test 3'
        option src_dport '3479'
        option target 'DNAT'
        option dest 'lan'
        list proto 'tcp'

config redirect
        option dest_port '10070'
        option src 'wan'
        option name 'Test 4'
        option src_dport '10070'
        option target 'DNAT'
        option dest 'lan'
        list proto 'tcp'

config redirect
        option dest_port '10080'
        option src 'wan'
        option name 'Test 5'
        option src_dport '10080'
        option target 'DNAT'
        option dest 'lan'
        list proto 'tcp'

config redirect
        option dest_port '3074'
        option src 'wan'
        option name 'Test 6'
        option src_dport '3074'
        option target 'DNAT'
        option dest 'lan'
        list proto 'udp'

config redirect
        option dest_port '3478'
        option src 'wan'
        option name 'Test 7'
        option src_dport '3478'
        option target 'DNAT'
        option dest 'lan'
        list proto 'udp'

config redirect
        option dest_port '3479'
        option src 'wan'
        option name 'Test 8'
        option src_dport '3479'
        option target 'DNAT'
        option dest 'lan'
        list proto 'udp'

config redirect
        option dest_port '3658'
        option src 'wan'
        option src_dport '3658'
        option target 'DNAT'
        option dest 'lan'
        list proto 'udp'
        option name 'Test 9'

config redirect
        option dest_port '9305'
        option src 'wan'
        option name 'Test 10'
        option src_dport '9305'
        option target 'DNAT'
        option dest 'lan'
        list proto 'udp'

config redirect
        option dest_port '9308'
        option src 'wan'
        option name 'Test 11'
        option src_dport '9308'
        option target 'DNAT'
        option dest 'lan'
        list proto 'udp'

config nat
        option src_port '3078'
        option src 'lan'
        option name 'Test'
        option target 'SNAT'
        option snat_ip '100.66.88.180'
        option dest_port '3078'
        list proto 'tcp'
        list proto 'udp'

Yes, I know about the IP for forwarding

If you know why don't you fix it?


Because, like I said, even with IPs assigned, the issue doesn't change.

Something is blocking the ports from opening. When I test them with a port checker, and of course with the consoles' own tests as well, they come back as closed/strict.

Could the software potentially have a bug ? Would it be worth updating to the newest version 19.07.5 ?

Not a bug, just a pebkac.
You can add the IPs and post the iptables command we mentioned above, or you can keep wondering why it doesn't work.


Don’t know what pebkac is


root@OpenWrt:~# iptables-save -c -t nat | grep DNAT
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p tcp -m tcp --dport 1935 -m comment --comment "!fw3: Test (reflection)" -j DNAT --to-destination 192.168.1.10:1935
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p tcp -m tcp --dport 3478 -m comment --comment "!fw3: Test2 (reflection)" -j DNAT --to-destination 192.168.1.10:3478
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p tcp -m tcp --dport 3479 -m comment --comment "!fw3: Test 3 (reflection)" -j DNAT --to-destination 192.168.1.10:3479
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p tcp -m tcp --dport 10070 -m comment --comment "!fw3: Test 4 (reflection)" -j DNAT --to-destination 192.168.1.10:10070
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p tcp -m tcp --dport 10080 -m comment --comment "!fw3: Test 5 (reflection)" -j DNAT --to-destination 192.168.1.10:10080
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p udp -m udp --dport 3074 -m comment --comment "!fw3: Test 6 (reflection)" -j DNAT --to-destination 192.168.1.10:3074
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p udp -m udp --dport 3478 -m comment --comment "!fw3: Test 7 (reflection)" -j DNAT --to-destination 192.168.1.10:3478
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p udp -m udp --dport 3479 -m comment --comment "!fw3: Test 8 (reflection)" -j DNAT --to-destination 192.168.1.10:3479
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p udp -m udp --dport 3658 -m comment --comment "!fw3: Test 9 (reflection)" -j DNAT --to-destination 192.168.1.10:3658
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p udp -m udp --dport 9305 -m comment --comment "!fw3: Test 10 (reflection)" -j DNAT --to-destination 192.168.1.10:9305
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p udp -m udp --dport 9308 -m comment --comment "!fw3: Test 11 (reflection)" -j DNAT --to-destination 192.168.1.10:9308
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 1935 -m comment --comment "!fw3: Test" -j DNAT --to-destination 192.168.1.10:1935
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 3478 -m comment --comment "!fw3: Test2" -j DNAT --to-destination 192.168.1.10:3478
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 3479 -m comment --comment "!fw3: Test 3" -j DNAT --to-destination 192.168.1.10:3479
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 10070 -m comment --comment "!fw3: Test 4" -j DNAT --to-destination 192.168.1.10:10070
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 10080 -m comment --comment "!fw3: Test 5" -j DNAT --to-destination 192.168.1.10:10080
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 3074 -m comment --comment "!fw3: Test 6" -j DNAT --to-destination 192.168.1.10:3074
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 3478 -m comment --comment "!fw3: Test 7" -j DNAT --to-destination 192.168.1.10:3478
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 3479 -m comment --comment "!fw3: Test 8" -j DNAT --to-destination 192.168.1.10:3479
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 3658 -m comment --comment "!fw3: Test 9" -j DNAT --to-destination 192.168.1.10:3658
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 9305 -m comment --comment "!fw3: Test 10" -j DNAT --to-destination 192.168.1.10:9305
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 9308 -m comment --comment "!fw3: Test 11" -j DNAT --to-destination 192.168.1.10:9308

Zero hits everywhere: the [packets:bytes] counter in front of every rule is [0:0], so nothing reached the OpenWrt.
Either you didn't try to reach an internal server or something else is blocking you.


Nice explanation there, I told you I am not used to this system.

What do you mean by this ?

I prefer voice chat to typing to be fair...

Yet you considered it a bug, although we told you twice that a destination IP is needed.

I mean what I wrote. If there is no packet reaching OpenWrt on wan interface destined for the ports you defined to be forwarded, the hit counters will be zero, as they are now.

I know you mean well, but I told you the issue I was having is the same with or without an IP. Also, in the web interface, when no IP is set the option shows ANY, which I assumed means all.

I will type what the Xbox is saying now

WiFi Name
IPv4
NAT Type: Strict
UPnP not successful
Xbox.com/Xbox one/UPnP

This is after multiple NAT tests

Going on games, same issue, NAT Type Strict

PS4

NAT Type 3 which means Strict

Are there any hits now with the iptables command?


root@OpenWrt:~# iptables-save -c -t nat | grep DNAT
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p tcp -m tcp --dport 1935 -m comment --comment "!fw3: Test (reflection)" -j DNAT --to-destination 192.168.1.10:1935
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p tcp -m tcp --dport 3478 -m comment --comment "!fw3: Test2 (reflection)" -j DNAT --to-destination 192.168.1.10:3478
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p tcp -m tcp --dport 3479 -m comment --comment "!fw3: Test 3 (reflection)" -j DNAT --to-destination 192.168.1.10:3479
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p tcp -m tcp --dport 10070 -m comment --comment "!fw3: Test 4 (reflection)" -j DNAT --to-destination 192.168.1.10:10070
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p tcp -m tcp --dport 10080 -m comment --comment "!fw3: Test 5 (reflection)" -j DNAT --to-destination 192.168.1.10:10080
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p udp -m udp --dport 3074 -m comment --comment "!fw3: Test 6 (reflection)" -j DNAT --to-destination 192.168.1.10:3074
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p udp -m udp --dport 3478 -m comment --comment "!fw3: Test 7 (reflection)" -j DNAT --to-destination 192.168.1.10:3478
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p udp -m udp --dport 3479 -m comment --comment "!fw3: Test 8 (reflection)" -j DNAT --to-destination 192.168.1.10:3479
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p udp -m udp --dport 3658 -m comment --comment "!fw3: Test 9 (reflection)" -j DNAT --to-destination 192.168.1.10:3658
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p udp -m udp --dport 9305 -m comment --comment "!fw3: Test 10 (reflection)" -j DNAT --to-destination 192.168.1.10:9305
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p udp -m udp --dport 9308 -m comment --comment "!fw3: Test 11 (reflection)" -j DNAT --to-destination 192.168.1.10:9308
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 1935 -m comment --comment "!fw3: Test" -j DNAT --to-destination 192.168.1.10:1935
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 3478 -m comment --comment "!fw3: Test2" -j DNAT --to-destination 192.168.1.10:3478
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 3479 -m comment --comment "!fw3: Test 3" -j DNAT --to-destination 192.168.1.10:3479
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 10070 -m comment --comment "!fw3: Test 4" -j DNAT --to-destination 192.168.1.10:10070
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 10080 -m comment --comment "!fw3: Test 5" -j DNAT --to-destination 192.168.1.10:10080
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 3074 -m comment --comment "!fw3: Test 6" -j DNAT --to-destination 192.168.1.10:3074
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 3478 -m comment --comment "!fw3: Test 7" -j DNAT --to-destination 192.168.1.10:3478
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 3479 -m comment --comment "!fw3: Test 8" -j DNAT --to-destination 192.168.1.10:3479
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 3658 -m comment --comment "!fw3: Test 9" -j DNAT --to-destination 192.168.1.10:3658
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 9305 -m comment --comment "!fw3: Test 10" -j DNAT --to-destination 192.168.1.10:9305
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 9308 -m comment --comment "!fw3: Test 11" -j DNAT --to-destination 192.168.1.10:9308
root@OpenWrt:~# iptables-save -c -t nat | grep DNAT
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p tcp -m tcp --dport 1935 -m comment --comment "!fw3: Test (reflection)" -j DNAT --to-destination 192.168.1.10:1935
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p tcp -m tcp --dport 3478 -m comment --comment "!fw3: Test2 (reflection)" -j DNAT --to-destination 192.168.1.10:3478
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p tcp -m tcp --dport 3479 -m comment --comment "!fw3: Test 3 (reflection)" -j DNAT --to-destination 192.168.1.10:3479
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p tcp -m tcp --dport 10070 -m comment --comment "!fw3: Test 4 (reflection)" -j DNAT --to-destination 192.168.1.10:10070
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p tcp -m tcp --dport 10080 -m comment --comment "!fw3: Test 5 (reflection)" -j DNAT --to-destination 192.168.1.10:10080
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p udp -m udp --dport 3074 -m comment --comment "!fw3: Test 6 (reflection)" -j DNAT --to-destination 192.168.1.10:3074
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p udp -m udp --dport 3478 -m comment --comment "!fw3: Test 7 (reflection)" -j DNAT --to-destination 192.168.1.10:3478
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p udp -m udp --dport 3479 -m comment --comment "!fw3: Test 8 (reflection)" -j DNAT --to-destination 192.168.1.10:3479
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p udp -m udp --dport 3658 -m comment --comment "!fw3: Test 9 (reflection)" -j DNAT --to-destination 192.168.1.10:3658
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p udp -m udp --dport 9305 -m comment --comment "!fw3: Test 10 (reflection)" -j DNAT --to-destination 192.168.1.10:9305
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 100.66.88.180/32 -p udp -m udp --dport 9308 -m comment --comment "!fw3: Test 11 (reflection)" -j DNAT --to-destination 192.168.1.10:9308
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 1935 -m comment --comment "!fw3: Test" -j DNAT --to-destination 192.168.1.10:1935
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 3478 -m comment --comment "!fw3: Test2" -j DNAT --to-destination 192.168.1.10:3478
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 3479 -m comment --comment "!fw3: Test 3" -j DNAT --to-destination 192.168.1.10:3479
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 10070 -m comment --comment "!fw3: Test 4" -j DNAT --to-destination 192.168.1.10:10070
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 10080 -m comment --comment "!fw3: Test 5" -j DNAT --to-destination 192.168.1.10:10080
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 3074 -m comment --comment "!fw3: Test 6" -j DNAT --to-destination 192.168.1.10:3074
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 3478 -m comment --comment "!fw3: Test 7" -j DNAT --to-destination 192.168.1.10:3478
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 3479 -m comment --comment "!fw3: Test 8" -j DNAT --to-destination 192.168.1.10:3479
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 3658 -m comment --comment "!fw3: Test 9" -j DNAT --to-destination 192.168.1.10:3658
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 9305 -m comment --comment "!fw3: Test 10" -j DNAT --to-destination 192.168.1.10:9305
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 9308 -m comment --comment "!fw3: Test 11" -j DNAT --to-destination 192.168.1.10:9308

Do you have a public IP on the wan?
ifstatus wan

Here you go. PS: I should have a static IP from the ISP as well; IPv4 only, as we don't have IPv6.


OpenWrt:~# ifstatus wan
{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 41727,
        "l3_device": "pppoe-wan",
        "proto": "pppoe",
        "device": "dsl0.101",
        "updated": [
                "addresses",
                "routes"
        ],
        "metric": 0,
        "dns_metric": 0,
        "delegation": false,
        "ipv4-address": [
                {
                        "address": "100.66.88.xxx,
                        "mask": 32,
                        "ptpaddress": "10.0.xxx.xxx”
                }
        ],
        "ipv6-address": [

        ],
        "ipv6-prefix": [

        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "0.0.0.0",
                        "mask": 0,
                        "nexthop": "10.0.254.86",
                        "source": "0.0.0.0/0"
                }
        ],
        "dns-server": [
                "8.8.8.8",
                "8.8.4.4"
        ],
        "dns-search": [

        ],
        "neighbors": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ],
                "neighbors": [

                ]
        },
        "data": {


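Tough luck, you are behind carrier grade NAT: the wan address 100.66.88.xxx is in 100.64.0.0/10, the shared address space reserved for CGNAT (RFC 6598), so it is not a public IP and inbound connections from the internet are translated at the provider and never reach your router.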
Sorry we didn't ask earlier, it would have saved us some time.
You can only ask your provider to give you a public IP.


So, Static IP = CGNAT

CGNAT = my port restrictions

Am I right by this ?