Ports under 1024

Hello community,

I am using OpenWrt on my router. I am trying to forward ports under 1024, but only the port 22 is forwarded. Ports >= 1024 can also be forwarded.

I tried netcat with this command:
nc -vzn -w 3 MY_IP 1-1050

It succeds for the port 22 (which is forwarded) and all other ports >= 1024 that are forwarded. The ports >= 1024 that are not forwarded give "refused connection". But all ports under 1024 without 22 give " timeout" if forwarded or not.

Can this be a problem of my router? It has to be connected with the fact that ports under 1024 are privileged in Linux.

It might also be a problem with my provider. But I would like to make sure that it is not a problem with my router or OpenWrt before contacting the provider. Any suggestion on how to debug?

If I should conact the provider, what should I say? What do you think how they could have blocked these ports to time out? It might be also a mistake since I live in a students dorm and a part of the network infrastructure is maintained by some students (honorary).

Thank you!

It is usually blocked by some providers. Call and ask them to open the ports.


If port 22 is open, you can use it to tunnel all the other.

@trendy Thanks, I will ask the provider then.

@frollic How can I tunnel all other ports? LetsEncrypt for example wants to have the port 80 or 443 to generate a certificate.

Google ssh + tunnel.

That can't be done, it'd be for your own personal use.

But, you could get a free for life cloud server at Oracle, and expose whatever ports you'd like to internet, via that host, using a tunnel.

Since the firewall and most processes in OpenWrt run as root, there is no distinction in configuring ports under 1024 versus above 1024.

Yes it's very common for ISPs to block ports 80 and 443. To test this, install tcpdump on the router and run
tcpdump -i wan port 80
Replace wan with the name of the interface holding your public IP (use ip addr show to find this) if it is not wan.
Then use a port scan site to scan your public IP from outside. If you don't see any activity, the ISP has blocked the port before it reaches you. If the ISP does pass a connection but your router firewall blocks it (as is the default behavior) you should see one TCP packet coming in and one going out with the R (Reject) flag set.


Thank you for the instructions! I will try them out on the router on Monday :slight_smile:

The SSH tunnel cannot fully replace port forwarding, as the ssh client must first authenticate to the ssh server and then access other servers on the router or in the lan.

1 Like

I did try listening on different ports with tcpdump while sending pings with nc (netcat). It turns out, the ports are blocked by the provider.

I used a VPS to redirect traffic on ports 80 and 443 to other ports that are open on my network. The port forwarding of firewalld on the VPS is more than enough. Traefik takes care of the rest. Now everything is fine :slight_smile:

Thanks to all for the help! Great community and great OpenWrt :slight_smile:

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.