Problem with port redirection to another IP network range

Hello

I was on the old Chaos Calmer release and have updated.

All port forwards work on the LAN network range (192.168.2.0/24).

But when I forward to another network range (my VPN network range), it doesn't work.

My configuration:

OpenWrt router IP: 192.168.2.2
On this OpenWrt router I run an OpenVPN server; a client is given the IP 192.168.49.6, for example.

When I do the redirection LAN to LAN, source port 12399 to port 80 on IP 192.168.49.6, it works: the website at 192.168.2.2:12399 is shown.
When I do the redirection WAN to LAN, source port 12399 to port 80 on IP 192.168.49.6, it does not work: the website at public_ip:12399 is not shown... (but the connection is not rejected immediately... as if the return route doesn't work?)

Over SSH on the OpenWrt router I can ping 192.168.49.6, and from every computer on my network I can reach 192.168.49.6.

Only the WAN-to-LAN redirection doesn't work.

Any idea?

Please post /etc/config/firewall



config rule
	option target 'ACCEPT'
	option src 'wan'
	option dest_port '48194'
	option name 'OpenVPN'
	option proto 'tcp'


config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option target 'DNAT'
	option proto 'tcp'
	option src_dport '12399'
	option name 'Jeedom CM http'
	option dest_port '80'
	option src 'wan'
	option dest 'vpnmrc'
	option dest_ip '192.168.180.2'

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option syn_flood '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option network 'lan'
	list masq_src '192.168.2.0/24'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 wan4g'

config include
	option path '/etc/firewall.user'

config zone
	option name 'languest'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'LAN_GUEST'

config forwarding
	option dest 'wan'
	option src 'languest'

config zone
	option name 'vpnmrc'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'OPENVPN'
	option masq '1'
	option forward 'ACCEPT'
	list masq_src '192.168.180.0/24'
	list masq_src '192.168.49.0/24'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'vpnmrc'

config forwarding
	option dest 'wan'
	option src 'vpnmrc'

config forwarding
	option dest 'vpnmrc'
	option src 'lan'


The only [port] redirect rule you have is:

config redirect
	option  target      'DNAT'
	option  proto       'tcp'
	option  src_dport   '12399'
	option  name        'Jeedom CM http'
	option  dest_port   '80'
	option  src         'wan'
	option  dest        'vpnmrc'
	option  dest_ip     '192.168.180.2'
  • If your web server is on 192.168.49.6, change `dest_ip` from 192.168.180.2 to 192.168.49.6.

It's still the same problem.

192.168.49.6 is an OpenWrt OpenVPN client connected to 192.168.2.2.

If I do a redirection to this IP, it doesn't work from the WAN (with public_ip:12399),

but if I change the rule to "lan" to "lan" (source zone lan, destination zone lan) and use 192.168.2.2:12399, it works correctly.

My problem seems to be that the return traffic is blocked when the rule is WAN to an IP that is not in 192.168.2.0/24. (In the config above, the vpnmrc zone only masquerades sources 192.168.180.0/24 and 192.168.49.0/24, so WAN-sourced packets forwarded into the VPN presumably keep their public source address, and the client's reply may not come back through the tunnel.)

(A rule from WAN to the 192.168.2.0/24 network works correctly)...