Port forwarding

I forwarded ports some days ago, everything worked great, but today they stopped working. I enabled port forwarding (for 51476); on canyouseeme.org I get "Reason: Connection refused".

Not a lot to go on here...

Is the service that your port forward points to still running? (for example, a game or other type of server)? And is it accepting connections on your local network?

Is your external IP address still the same as it was previously?

And let's see your config.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

I think I removed all IP addresses and MAC addresses. I still have a public IP (not sure if it's the same, but canyouseeme can't check it anyway).

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.162",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7628AN ver:1 eco:2",
	"model": "Xiaomi Mi Router 4C",
	"board_name": "xiaomi,mi-router-4c",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.4",
		"revision": "r24012-d8dd03c46f",
		"target": "ramips/mt76x8",
		"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdba:1285:2c0f::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr '8c:de:f9:db:ad:a1'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '4 2 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Transimssion'
	option src 'wan'
	option src_dport '51476'
	option dest_ip '192.168.1.163'

(sorry for dumb questions by the way)

When you set up the port forwards, did you specifically provide an IP address or did you leave it on the default of any?

If you tried to tell the router which ports to forward and specifically gave the router a specific IP for a specific device, chances are that device's IP has changed and thus the port forwarding won't work anymore, since the IP isn't the specific IP listed in the port forward. This can be addressed by simply providing the device you want to have those ports forwarded with a static lease and rebooting the router and device afterwards so the new static IP can be issued and ports reopened, or simply not telling the router to only port forward to a specific IP address in your local network.

Anyway, hopefully that helps; otherwise we will be waiting to see your config stuff sherman asked for.

Is the transmission server still running and accepting incoming connections on the host at 192.168.1.163?

What are the first two octets of your IP address (in bold: aaa.bbb.ccc.ddd):

ifstatus wan | grep address

Are you testing with that address when you do the external port scan?


@Oliumen I set this to any.
Results of ifstatus:
10.33.xxx.xxx (idk why my ISP took my IP, I wrote to its support)
Thanks for the help.

Yup, that's not a public IP.

Hopefully your ISP can ensure you can maintain a public IP on your wan.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!

Wait, my ISP said that I have a public IP, and sites like myip show it.

If the IP address on your wan begins with 10. it is an RFC1918 address. That is not a public IP. However, whenever you access the internet, you will have an "apparent IP address" insofar as the request must route to and from the publicly routable internet -- these are the public IP addresses of the ISP that are shared when they perform NAT/CG-NAT for their customers. That IP address will not be uniquely yours if your ISP isn't providing it directly to your equipment.

That said, do you have another router in front of your OpenWrt device? For example, an ISP-issued router?
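The distinction drawn in the reply above, as an added example that is not part of the original thread: classify the WAN address the router actually holds and compare it with the "apparent" address an external site reports. The function names and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): decide from the WAN address alone
# whether an upstream NAT sits between the router and the internet.

# classify_ipv4 A.B.C.D -> rfc1918 | cgnat | loopback | link-local | reserved | public
classify_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.) return 1 ;; esac   # digits and inner dots only
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0?*|????*) return 1 ;; esac     # no empty, leading-zero or 4+ digit octets
        [ "$o" -le 255 ] || return 1
    done
    if   [ "$1" -eq 10 ]; then echo rfc1918                                         # 10.0.0.0/8
    elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then echo rfc1918  # 172.16.0.0/12
    elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then echo rfc1918                    # 192.168.0.0/16
    elif [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then echo cgnat   # 100.64.0.0/10 (RFC 6598)
    elif [ "$1" -eq 127 ]; then echo loopback
    elif [ "$1" -eq 169 ] && [ "$2" -eq 254 ]; then echo link-local
    elif [ "$1" -eq 0 ] || [ "$1" -ge 224 ]; then echo reserved
    else echo public
    fi
}

# nat_verdict WAN_ADDR APPARENT_ADDR
#   WAN_ADDR:      address shown by `ifstatus wan | grep address`
#   APPARENT_ADDR: address an external "what is my IP" site reports
nat_verdict() {
    wan_class=$(classify_ipv4 "$1") || { echo invalid; return 1; }
    classify_ipv4 "$2" >/dev/null   || { echo invalid; return 1; }
    if [ "$wan_class" != public ]; then
        echo upstream-nat       # forwards work only if the ISP maps traffic to this address
    elif [ "$1" = "$2" ]; then
        echo direct             # the router holds the public address itself
    else
        echo address-mismatch   # public on WAN, but traffic leaves via another address
    fi
}

# Constructed sample values: private WAN address, documentation-range apparent address.
nat_verdict 10.0.0.2 203.0.113.7
```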

I have only one router. I know this thing about public and local addresses. On myip I get 194.37.xxx.xxx, but in the router 10.33.xxx.xxx. Some days ago everything worked fine. I remember turning UPnP on (and off).

The wan address on your router proves that you do not have a public IP.

What is upstream of your OpenWrt router (i.e. what is the wan port of your OpenWrt router connected to)?

My router is connected directly to ethernet (I think), some days ago everything worked fine.
my ISP's answer (translated): In the router you have our local network address, because we work on the Nat system, respectively, the service External IP address is provided on the Static Nat(1:1) system.

That's pretty conclusive. You do not have a public IP on your wan, so port forwarding will not work. This is because the public IP address (i.e. the ISP's NAT-to-public IP endpoint) is not configured to forward that traffic to your router (where you could then forward it to the host in question).

Traditionally, this means that you're out of luck unless:

  • your ISP can issue you a public IP (this sometimes comes with an extra charge, if it is possible at all).
  • you have dual stack and can use IPv6
  • or, you may try techniques such as "STUN" which can help open ports accordingly. This may or may not work, though. Search the forums for STUN and give that a shot.

Sounds like you are behind a double NAT. One layer from your local network and one from the ISP's.

I have a public IP, my ports worked like 2 days ago. My ISP has an option to give a public IP and I used it. Maybe that's some ISP issue and I have to wait.

See PC Router x64 - Can't port forward? - #26 by AndrewZ
Use your own interface names when testing.
If you see nothing on eth0.2 (your wan), then their statement about 1:1 NAT is probably false.

I see some logs: 19:01:47.462376 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) 10.33.xxx.xxx.51476 > ec2-52-202-215-126.compute-1.amazonaws.com.46748: Flags [R.], cksum 0x8884 (correct), seq 0, ack 3442276324, win 0, length 0

These aren't the packets you're looking for.
You're supposed to check incoming packets, addressed to 10.33.xxx.xxx
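The check described above, as an added example that is not part of the original thread: a tcpdump filter limited to packets addressed to the WAN address on the forwarded port, plus a count that separates those from the router's own outgoing packets in a saved text capture. The interface `eth0.2` and port 51476 come from the thread; the function names and all addresses in the sample capture are constructed.

```shell
#!/bin/sh
# Added example: separate inbound probes from the router's own replies in a
# tcpdump text capture. Addresses below are constructed documentation values.

# inbound_filter WAN_ADDR PORT -> pcap filter matching only traffic arriving for the forward
inbound_filter() {
    printf 'dst host %s and tcp dst port %s' "$1" "$2"
}
# On the router: tcpdump -ni eth0.2 "$(inbound_filter <wan address> 51476)"

# capture_summary WAN_ADDR PORT < `tcpdump -n` text -> "inbound=N outbound=M"
capture_summary() {
    awk -v ep="$1.$2" '
        $2 == "IP" && $4 == ">" {
            dst = $5; sub(/:$/, "", dst)          # strip the colon after the destination
            if (dst == ep) inbound++              # addressed to WAN_ADDR:PORT
            else if ($3 == ep) outbound++         # sent from WAN_ADDR:PORT
        }
        END { printf "inbound=%d outbound=%d\n", inbound, outbound }'
}

# Constructed lines in `tcpdump -n` format: one arriving SYN, one reply, one unrelated packet.
sample_capture() {
    cat <<'EOF'
19:01:47.400000 IP 198.51.100.9.46748 > 10.0.0.2.51476: Flags [S], seq 3442276323, win 64240, length 0
19:01:47.462376 IP 10.0.0.2.51476 > 198.51.100.9.46748: Flags [R.], seq 0, ack 3442276324, win 0, length 0
19:01:48.000000 IP 10.0.0.2.40000 > 192.0.2.53.9999: UDP, length 32
EOF
}

sample_capture | capture_summary 10.0.0.2 51476
```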

I don't see incoming packages. I think I should wait some time; ISPs in Russia (don't know about other countries) can make this type of things. If it won't help, should I open a new theme or write in this?