Portforward WAN -> OpenWrt -> S2S Fritzbox

dancekid · April 12, 2023, 10:57am

Hello Community,
i am still trying to forward TCP / UDP Ports.

I upgraded my mothers Fritzbox 4040 to OpenWRT and established a Site2Site Connection to my Fritzbox 7530 using Wireguard.

Both Boxes uses DynDNS (examples) and different internal ip:
Moms OpenWRT:
external: mom.dyn.de internal: 192.168.178.0

my own Fritzbox 7530 (Fritz OS)
external: son.dyn.de internal: 192.168.179.0

Accessing my mothers network works.

how to portforward from mom.dyn.de via s2s to 192.168.179.200:25100/tcp and /upd ?

Alternative in Mom Network ?

use one Fritzbox 4040 with Fritz OS to S2S to son-fritzbox
connect openwrt-box as client.
in Fritzbox 4040: forward 25100 tcp + upd to OpenWRT Client
in OpenWRT Client forward 25100 tcp + udp to son.dyn.de:25100

how to forward the ports ?

greetings michael

dankatapich · April 12, 2023, 11:08am

Just use firewall zone rules?

trendy · April 12, 2023, 12:18pm

There is no point in forwarding ports if you have established a site to site tunnel. You can reach the internal addresses with native routing.

dancekid · April 14, 2023, 11:56am

uhm perhaps i did not explain my usecase exactly.

I want to use storj.
each storj-node needs one TCP and one UDP port to be forwarded in my router.
two storj-nodes reachable within the same IP-address are treated as one node.

i have 2 internal subnets connected to eachother: SON and MOM
Mom: 192.168.178.0
Son: 192.168.179.0

Both storj-nodes are running on 192.168.179.2 but should talk to internet via different gateways

Node1 -> 192.168.179.2:25001 -> Gateway 192.168.179.1 (Son-Fritzbox) -> son.dyn.de
Node2 -> 192.168.179.2:25002 -> Gateway 192.168.178.1 (Mom OpenWRT) -> mom.dyn.de

i tried to just create a new network on docker with mom-gateway.
i tried to portforward 25002 tcp + udp to 192.168.179.2:25002
nothing worked.

All Requests from external to 192.168.178.1:25002 needs routing to Node2
All Answers needs to be routed to Gateway mom.dyn.de

Perhaps use OpenWRT as Proxy ?

trendy · April 14, 2023, 7:11pm

You need policy routing to route the packets from 179.2:25002 via Mom's. The port forwarding from Mom to 179.2:25002 is nothing special.

dancekid · April 14, 2023, 10:36pm

I will try to google it.

Policy based routing need docker + macvlan ? Or works with bridged standard ?

dancekid · April 14, 2023, 11:18pm

My second usecase: dad - son

Dad: Fritzbox 7490 FritzOS 7.50
Son: Fritzbox 7590 FritzOS 7.50

Both Networks connected via Wireguard.
Dad 192.168.177.0
Son 192.168.179.0

I cannot replace his 7490 because of Telephone + DSL Modem usage.

Placed one OpenWRT Fritzbox 4040 at his 192.168.177.2 and forwarded Wireguard Port + storj port 25003.
Tried Docker Wireguard Client and was able to connect via dad.dyn.de.

Policy based routing possible using docker ?

mom-macvlan 192.168.179.10
dad-macvlan 192.168.179.11

I need to route to dad fritzbox or openwrt ?

trendy · April 15, 2023, 5:56pm

Policy routing has nothing to do with docker or macvlan.
Use firewall to mark the packets then a rule to send them to a different routing table

dancekid · April 17, 2023, 4:24pm

Good Evening Trendy,

in OpenWRT i created 3 Rules in etc/config/firewall:

config rule
        option src 'wan'
        option target 'ACCEPT'
        option family 'ipv4'
        option dest_port '25002'
        option name 'storj incoming'
        option dest '*'

config rule
        option name 'storj outgoing'
        option src 'lan'
        option src_port '25002'
        option dest 'wan'
        option target 'ACCEPT'
        option family 'ipv4'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option src 'wan'
        option name 'storj'
        option src_dport '25002'
        option dest_port '25002'
        option dest_ip '192.168.179.2'

dancekid · April 17, 2023, 4:42pm

now i tried to config my linux nuc:

iptables -A OUTPUT -t mangle -p tcp --sport 25002 -j MARK --set-mark 1
sudo ip rule add to all fwmark 1 lookup mama
sudo ip route add default via 192.168.178.1 dev enp0s25 table mama onlink

dancekid · April 17, 2023, 4:43pm

I am still getting an error:

cannot ping from mom openwrt through wireguard to my pc.

perhaps still some rules wrong or a route missing ? how to check this ?

trendy · April 17, 2023, 6:52pm

The first 2 rules are not needed. You only need the redirect.

marking is supposed to take place in OpenWrt firewall. There is a special target in the firewall rules to mark. Then use this mark to create an ip rule and forward the matched traffic to custom routing table. Finally create a default route in the custom routing table.

dancekid · April 17, 2023, 8:15pm

i dont have an OpenWRT Router inside my network. just can use iptables at my intel nuc outgoing.

In: dad-inet (DynDNS) -> 7490 (Portforward 25002) -> OpenWRT (Portforward 25002) -> Intel Nuc Port 25002 both tcp+udp
Out: Storj -> Docker -> Intel NUC (PBR) -> Route to 7490 -> Internet

I can ping dad openwrt <-> intel nuc both ways.

dancekid · April 18, 2023, 8:18am

uhm now i missconfigured my moms router....
she cannot access internet anymore.
will factory reset her 4040 this evening and start from scratch

trendy · April 18, 2023, 8:24am

Better draw a complete diagram because in one post there is mom-son in another dad-son.
Policy routing should take place on the router which is running the S2S tunnel. Firewall marks are not passed from one device to another.

dancekid · April 19, 2023, 8:53am

Good Morning Trendy,

I tried to draw my Connections. Will try to change my 7590 with 4040 OpenWRT, too.

Got Problems forwarding my Phone after getting a new IP every 24h....

played with PBR on Debian Linux PC like: forward all outgoing on port xx to 192.168.178.1 or 192.168.177.2

trendy · April 19, 2023, 12:22pm

And the site to site tunnel with wireguard is from your 7590 to 4040 at your mother?
Then on your Fritzbox you need to route the packets with source port 25002 via the wireguard tunnel to your network. I don't know if there is policy routing in Fritzbox.
You have already forwarded 25002. So you are almost finished.

dancekid · April 21, 2023, 6:28am

Hello Trendy,

connected via WG: 7590 + 7490 (dad) + OpenWRT 4040 (mom).
fritzbox does not support PBR. tried to PBR on my linux machine.
found another thread with "macvlan" option to identify different traffic.

i just see 2 other options:

change 7590 to 4040 running OpenWRT
try storj without docker on linux machine (use services instead)

option 1: problem ip-phone. every 24h auto reconnect from ISP to change IP.
old Fritz FW did not reconnect phone after ip change....
will try again.
option 2: dont know if PBR on linux machine will work.

trendy · April 21, 2023, 7:23am

PBR works fine on any Linux and docker is not the problem here.
The problem is that the tunnel runs on the router. If, for example, you migrate the tunnel from the 7590 to the Debian, then it will be easy to direct traffic from 25002 towards the tunnel.

dancekid · April 21, 2023, 10:19pm

played the whole day with openwrt as mainrouter and fb7530 as phone client... on my network.
incoming calls did not work. tried any hint i was able to catch... SIP from LAN to wan, sipproxd,
portforwarding, traffic rules. used wireshark to analyse... i am still a newbie. will open a new thread "VoIP 1&1 with OpenWRT and IP-Client Fritzbox" and collect all Infos.
In Future i can change my 7590 to 4040 OpenWRT hopefully... would be easier that way.

install WG on Debian or inside Docker ?
full expansion: 5 nodes on linux.
3 nodes routing to dad, 2 nodes routing to mom

I think changing dad 7490 to 7530 OpenWRT needs still some development to establish DSL Modem.
lets focus on son <-> mom routing.