Portforward not working to access LAN machine from WAN

Installing and Using OpenWrt Network and Wireless Configuration
1

I have my OpenWRT router setup behind my ISP router. I have setup my port forwarding as below but not able to access my LAN[OpenWrt router network] website from WAN[ISP router network].

** what wrong setup I have **

website hosted in LAN at 10.20.30.177:7000

[OK] from LAN --> curl http://10.20.30.177:7000 Works OK
[OK] from LAN Gateway [10.20.30.1]--> curl http://10.20.30.177:7000 Works OK # WAN IP for this [172.17.2.90], LAN IP for this [10.20.30.1]
[ERROR] from WAN[172.17.2.80]: curl http://172.17.2.90:7000 Operation Timeout and not

image
image1020×1053 148 KB

2

Does 10.20.30.177 have a default gateway configured? If yes and it can browse the internet, then do the following.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c -t nat; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
1 Like
3

@vermapraveen
Port forwarding isn't enough - I think.
You have to create a Traffic rule as well which ACCEPT protocol tcp, (dest) port 7000 in relation wan-->lan.

4

No, see:

iptables-save -c -t filter | grep -e DNAT
5

Is the firewall on the web server configured to accept external connections?

1 Like
6

Add section to /etc/config/firewall

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '7000'
	option dest_ip '10.20.30.177'
	option dest_port '7000'
	option name 'website-TEST'
7

Pls. check this link, at the end of section "LAN-side public server", config rule.

8

I updated the article.
Did you check the command posted above?

9

I have had chance only now to check it.
Ok, understood, we have general input rules for both zones. (Thanks for the correction.)

10 
{
	"kernel": "4.14.215",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "Raspberry Pi 2 Model B Rev 1.1",
	"board_name": "raspberrypi,2-model-b",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.6",
		"revision": "r11278-8055e38794",
		"target": "brcm2708/bcm2709",
		"description": "OpenWrt 19.07.6 r11278-8055e38794"
	}
}
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'

config interface 'lan'
	option proto 'static'
	option ifname 'eth1'
	option ipaddr '10.20.30.1'
	option netmask '255.255.255.0'
	option gateway '172.17.2.1'
	option type 'bridge'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'eth1'
	option start '100'
	option limit '150'
	option interface 'eth1'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option mtu_fix '1'
	option network 'wan'
	option masq '1'
	option input 'REJECT'
	option forward 'REJECT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '7000'
	option dest_ip '10.20.30.177'
	option dest_port '7000'
	option name 'website-TEST'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.3 on Thu Feb 11 12:30:41 2021
*nat
:PREROUTING ACCEPT [678:49744]
:INPUT ACCEPT [43:3915]
:OUTPUT ACCEPT [28:2536]
:POSTROUTING ACCEPT [1:69]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[678:49744] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[65:5378] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[613:44366] -A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_wan_prerouting
[49:3812] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[48:3743] -A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 10.20.30.0/24 -d 10.20.30.177/32 -p tcp -m tcp --dport 7000 -m comment --comment "!fw3: website-TEST (reflection)" -j SNAT --to-source 10.20.30.1
[0:0] -A zone_lan_postrouting -s 10.20.30.0/24 -d 10.20.30.177/32 -p udp -m udp --dport 7000 -m comment --comment "!fw3: website-TEST (reflection)" -j SNAT --to-source 10.20.30.1
[65:5378] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 10.20.30.0/24 -d 172.17.2.90/32 -p tcp -m tcp --dport 7000 -m comment --comment "!fw3: website-TEST (reflection)" -j DNAT --to-destination 10.20.30.177:7000
[0:0] -A zone_lan_prerouting -s 10.20.30.0/24 -d 172.17.2.90/32 -p udp -m udp --dport 7000 -m comment --comment "!fw3: website-TEST (reflection)" -j DNAT --to-destination 10.20.30.177:7000
[48:3743] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[48:3743] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[613:44366] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 7000 -m comment --comment "!fw3: website-TEST" -j DNAT --to-destination 10.20.30.177:7000
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 7000 -m comment --comment "!fw3: website-TEST" -j DNAT --to-destination 10.20.30.177:7000
COMMIT
# Completed on Thu Feb 11 12:30:41 2021
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    inet 172.17.2.90/24 brd 172.17.2.255 scope global eth0
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.20.30.1/24 brd 10.20.30.255 scope global br-lan
       valid_lft forever preferred_lft forever
default via 172.17.2.1 dev eth0  src 172.17.2.90 
10.20.30.0/24 dev br-lan scope link  src 10.20.30.1 
172.17.2.0/24 dev eth0 scope link  src 172.17.2.90 
broadcast 10.20.30.0 dev br-lan table local scope link  src 10.20.30.1 
local 10.20.30.1 dev br-lan table local scope host  src 10.20.30.1 
broadcast 10.20.30.255 dev br-lan table local scope link  src 10.20.30.1 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 172.17.2.0 dev eth0 table local scope link  src 172.17.2.90 
local 172.17.2.90 dev eth0 table local scope host  src 172.17.2.90 
broadcast 172.17.2.255 dev eth0 table local scope link  src 172.17.2.90 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default
11

current setting looks like this

root@OpenWrt:~# iptables-save -c -t filter | grep -e DNAT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
12

webserver is ubuntu se I was able to get below config

ufw status
Status: active

To                         Action      From
--                         ------      ----                
Nginx HTTP                 ALLOW       Anywhere                  
**7000**                       ALLOW       Anywhere                  
80                         ALLOW       Anywhere         
Nginx HTTP (v6)            ALLOW       Anywhere (v6)             
**7000** (v6)                  ALLOW       Anywhere (v6)             
80 (v6)                    ALLOW       Anywhere (v6)

also as I mentioned in OP,

[OK] from LAN Gateway [10.20.30.1]--> curl http://10.20.30.177:7000 Works OK

13

tried with no luck. see current settings here: Portforward not working to access LAN machine from WAN - #10 by vermapraveen

14

No hits on the firewall, nothing reached OpenWrt.

Run a tcpdump to verify if the packets indeed arrive:
opkg update; opkg install tcpdump; tcpdump -i eth0 -evn port 7000

2 Likes
15

I am trying to call OpenWrt server on port 7000 in WAN as below and expecting port forwarding will take place. Isn't this how it should be? correct me if wrong.

curl http://172.17.2.90:7000`

from

172.17.2.80 :  is 1 of machine or my phone in WAN.

from WAN[172.17.2.80]: curl http://172.17.2.90:7000 Operation Timeout and not

16

That is correct.

Remove the gateway from the lan interface and if it doesn't fix run the tcpdump mentioned before and try it again.

2 Likes
17 
root@OpenWrt:~# tcpdump -i eth0 -evn port 7000
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:01:08.358990 wan-client-mac > rpi-openwrt-mac, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61751 > 172.17.2.90.7000: Flags [S], cksum 0x81f0 (correct), seq 2441550657, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 488407490 ecr 0,sackOK,eol], length 0
13:01:09.351284 wan-client-mac > rpi-openwrt-mac, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61751 > 172.17.2.90.7000: Flags [S], cksum 0x7e08 (correct), seq 2441550657, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 488408490 ecr 0,sackOK,eol], length 0
13:01:10.359402 wan-client-mac > rpi-openwrt-mac, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61751 > 172.17.2.90.7000: Flags [S], cksum 0x7a20 (correct), seq 2441550657, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 488409490 ecr 0,sackOK,eol], length 0
13:01:11.353792 wan-client-mac > rpi-openwrt-mac, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61751 > 172.17.2.90.7000: Flags [S], cksum 0x7638 (correct), seq 2441550657, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 488410490 ecr 0,sackOK,eol], length 0
13:01:12.355931 wan-client-mac > rpi-openwrt-mac, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61751 > 172.17.2.90.7000: Flags [S], cksum 0x7250 (correct), seq 2441550657, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 488411490 ecr 0,sackOK,eol], length 0
13:01:13.353627 wan-client-mac > rpi-openwrt-mac, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61751 > 172.17.2.90.7000: Flags [S], cksum 0x6e67 (correct), seq 2441550657, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 488412491 ecr 0,sackOK,eol], length 0
13:01:15.356338 wan-client-mac > rpi-openwrt-mac, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61751 > 172.17.2.90.7000: Flags [S], cksum 0x6696 (correct), seq 2441550657, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 488414492 ecr 0,sackOK,eol], length 0
13:01:19.357538 wan-client-mac > rpi-openwrt-mac, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61751 > 172.17.2.90.7000: Flags [S], cksum 0x56f6 (correct), seq 2441550657, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 488418492 ecr 0,sackOK,eol], length 0
13:01:27.368257 wan-client-mac > rpi-openwrt-mac, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61751 > 172.17.2.90.7000: Flags [S], cksum 0x37b6 (correct), seq 2441550657, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 488426492 ecr 0,sackOK,eol], length 0
13:01:43.390152 wan-client-mac > rpi-openwrt-mac, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61751 > 172.17.2.90.7000: Flags [S], cksum 0xf935 (correct), seq 2441550657, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 488442492 ecr 0,sackOK,eol], length 0
18

I went ahead and ran same tcpdump on eth1 also. I will admit, I don't understand tcpdump result, but I will read.

root@OpenWrt:~# tcpdump -i eth1 -evn port 7000
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
13:05:00.669733 not-sure-whatIsThis-mac-1 > not-sure-whatIsThis-mac-2, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61755 > 10.20.30.177.7000: Flags [S], cksum 0x371c (correct), seq 2103014646, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 488639662 ecr 0,sackOK,eol], length 0
13:05:01.673336 not-sure-whatIsThis-mac-1 > not-sure-whatIsThis-mac-2, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61755 > 10.20.30.177.7000: Flags [S], cksum 0x3334 (correct), seq 2103014646, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 488640662 ecr 0,sackOK,eol], length 0
13:05:02.685141 not-sure-whatIsThis-mac-1 > not-sure-whatIsThis-mac-2, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61755 > 10.20.30.177.7000: Flags [S], cksum 0x2f4c (correct), seq 2103014646, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 488641662 ecr 0,sackOK,eol], length 0
13:05:03.683717 not-sure-whatIsThis-mac-1 > not-sure-whatIsThis-mac-2, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61755 > 10.20.30.177.7000: Flags [S], cksum 0x2b64 (correct), seq 2103014646, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 488642662 ecr 0,sackOK,eol], length 0
13:05:04.683662 not-sure-whatIsThis-mac-1 > not-sure-whatIsThis-mac-2, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61755 > 10.20.30.177.7000: Flags [S], cksum 0x277c (correct), seq 2103014646, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 488643662 ecr 0,sackOK,eol], length 0
13:05:05.684689 not-sure-whatIsThis-mac-1 > not-sure-whatIsThis-mac-2, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61755 > 10.20.30.177.7000: Flags [S], cksum 0x2394 (correct), seq 2103014646, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 488644662 ecr 0,sackOK,eol], length 0
13:05:07.683709 not-sure-whatIsThis-mac-1 > not-sure-whatIsThis-mac-2, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61755 > 10.20.30.177.7000: Flags [S], cksum 0x1bc4 (correct), seq 2103014646, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 488646662 ecr 0,sackOK,eol], length 0
13:05:11.691608 not-sure-whatIsThis-mac-1 > not-sure-whatIsThis-mac-2, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61755 > 10.20.30.177.7000: Flags [S], cksum 0x0c23 (correct), seq 2103014646, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 488650663 ecr 0,sackOK,eol], length 0
19

Thanks, it is visible that now DNAT is working, and you should see hits on the firewall.
The webserver is not replying back though, so I'll ask again.

2 Likes
20

i captured 2 things on 10.20.30.177, it's ubuntu machine, and i see benefit of tcpdump

1. gateway configured
--------------------------------
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.20.30.1      0.0.0.0         UG    20100  0        0 enp0s25
10.20.30.0      0.0.0.0         255.255.255.0   U     100    0        0 enp0s25
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0

2. tcpdump on webserver
----------------------------------

sudo tcpdump -i enp0s25 -evn port 7000

tcpdump: listening on enp0s25, link-type EN10MB (Ethernet), capture size 262144 bytes
07:19:19.616091 notsure-what-mac > webserver-mac, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61766 > 10.20.30.177.7000: Flags [S], cksum 0xf8ef (correct), seq 1867818880, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 489498173 ecr 0,sackOK,eol], length 0
07:19:20.618167 notsure-what-mac > webserver-mac, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61766 > 10.20.30.177.7000: Flags [S], cksum 0xf507 (correct), seq 1867818880, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 489499173 ecr 0,sackOK,eol], length 0
07:19:21.645612 notsure-what-mac > webserver-mac, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61766 > 10.20.30.177.7000: Flags [S], cksum 0xf11e (correct), seq 1867818880, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 489500174 ecr 0,sackOK,eol], length 0
07:19:22.613906 notsure-what-mac > webserver-mac, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61766 > 10.20.30.177.7000: Flags [S], cksum 0xed35 (correct), seq 1867818880, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 489501175 ecr 0,sackOK,eol], length 0
07:19:23.620456 notsure-what-mac > webserver-mac, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61766 > 10.20.30.177.7000: Flags [S], cksum 0xe94c (correct), seq 1867818880, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 489502176 ecr 0,sackOK,eol], length 0
07:19:24.619337 notsure-what-mac > webserver-mac, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61766 > 10.20.30.177.7000: Flags [S], cksum 0xe564 (correct), seq 1867818880, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 489503176 ecr 0,sackOK,eol], length 0
07:19:26.617659 notsure-what-mac > webserver-mac, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    172.17.2.88.61766 > 10.20.30.177.7000: Flags [S], cksum 0xdd93 (correct), seq 1867818880, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 489505177 ecr 0,sackOK,eol], length 0
^C
7 packets captured
7 packets received by filter
0 packets dropped by kernel