The story below details a Hamradio APRS situation whereby the Openwrt router, the RPI and another device will be setup on a remote tower.
There is internet access at the tower and no ports are blocked. I had a similar setup with Chalmers Chaos working for years. Now I can't get it to work.
Here is the current situation:
I have the latest OpenWrt 19.07 up and running. The WAN is connected to my home network and I have one Raspberry Pi connected to one of the LAN ports. They run on different IP addresses.
WAN gets IP 192.168.178.136 from my home's DHCP.
OpenWrt LAN is handing out 192.168.1.142 to the RPI.
From the terminal on my iMac desktop I can ssh into 192.168.178.136. I also see LuCI's webpage on 192.168.178.136 in my browser.
When I have ssh'ed into 192.168.178.136, I can then ssh into the RPI with ssh pi@192.168.1.142.
So far so good.
Now I would like to SSH from my desktop straight into the RPI.
I setup port forwarding from WAN - port 4003 to LAN - 192.168.1.142 - port 22.
So on my desktop I enter ssh pi@192.168.178.136 -p 4003.
However it is not working.
Port forwarding to the router itself is working OK. If I add a port forwarding rule such as WAN - port 4001 -> LAN 192.168.178.136 (the router) - port 22, it works if I enter from my desktop ssh root@192.168.178.136 -p 4001.
Here is the output of network and firewall. Any help is much appreciated.
Erik
root@PI1TWE-APRS:/etc# uci show network
root@PI1TWE-APRS:/etc# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd10:cb67:6e1a::/48'
network.wan=interface
network.wan.ifname='eth0.1'
network.wan.proto='dhcp'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.2'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 5t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 2 3 4 5t'
root@PI1TWE-APRS:/etc# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].synflood_protect='1'
firewall.@defaults[0].forward='ACCEPT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[1].src='wan'
firewall.@rule[9]=rule
firewall.@rule[9].src_port='4003'
firewall.@rule[9].src='wan'
firewall.@rule[9].name='Web'
firewall.@rule[9].dest='lan'
firewall.@rule[9].dest_ip='192.168.1.142'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].dest_port='22'
firewall.@redirect[0]=redirect
firewall.@redirect[0].dest_port='22'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='4003'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].dest_ip='192.168.1.142'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='SSH'
root@PI1TWE-APRS:/etc#