Problem with port forward having migrated to OpenWrt 18

I had an ASUS router that was playing up, so I've replaced it with a netgear router and loaded OpenWrt 18.06.

I previously had a bunch of port redirects set up to different servers on my LAN. When I recreated them I realized that, although I thought I had set up the port forwards, they have not been working since the switch. I trimmed down the rules to those in my config below.

I see some other posts with similar issues but no concrete answer as to how to solve it. In this case I am trying to make ssh, http and https accessible from anywhere on the internet, and send it to the server on 10.192.168.197

I did see some other posts about zones - so I may have changed those from the default - although I think I set them back. I've tried stopping and starting the firewall service - that doesn't seem to complain about the config at all.

Thanks,
Bryan.


# /etc/config/firewall (OpenWrt 18.06), trimmed to the sections relevant to
# the port-forward question. Sections are processed top to bottom by fw3.

# Global policy: traffic to/from the router itself is accepted, traffic
# routed *through* the router is rejected unless a zone, forwarding or
# redirect section below opens it.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# LAN zone: fully open in every direction.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# WAN zone (IPv4 + IPv6 uplinks): outbound allowed and masqueraded, MSS
# clamping on, inbound to the router and forwarded inbound rejected unless a
# rule/redirect below explicitly accepts it.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'

# LAN -> WAN forwarding. There is deliberately no wan -> lan forwarding;
# the redirects at the bottom open individual ports instead.
config forwarding
        option src 'lan'
        option dest 'wan'

# Let the ISP's DHCP server answer the router's own lease renewals (IPv4).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Router answers IPv4 echo-request from the internet.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# IGMP from the WAN side (IPv4 multicast membership).
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# DHCPv6 client replies to the router, restricted to unique-local source and
# destination addresses.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# MLD (IPv6 multicast listener) messages from link-local sources only.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 types the router itself must receive for IPv6 to function
# (neighbour/router discovery, PMTU, errors), rate-limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Same idea for ICMPv6 that is forwarded to any zone (dest '*'), again
# rate-limited; the discovery types are intentionally not in this list.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# IPsec ESP forwarded from WAN into LAN. Note there is no dest_ip, so this
# matches any LAN host; keep it only if a LAN IPsec endpoint is intended.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

# IKE (udp/500) forwarded from WAN into LAN, same scope caveat as above.
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Hand-written iptables rules; fw3 runs this script after the generated
# rules ("Running script '/etc/firewall.user'" in the start log). Anything
# in it can override the sections above, so check it when debugging.
config include
        option path '/etc/firewall.user'

# DNAT wan:80/tcp -> 10.192.168.197:80. Because dest is 'lan', fw3 also
# emits the matching ACCEPT in the filter table (the start log lists each
# redirect under both the filter and nat tables).
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip '10.192.168.197'
        option dest_port '80'
        option name 'http'

# DNAT wan:443/tcp -> 10.192.168.197:443.
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '443'
        option dest_ip '10.192.168.197'
        option dest_port '443'
        option name 'https'

# DNAT wan:22/tcp -> 10.192.168.197:22. This exposes SSH on the server to
# the whole internet; if the set of clients is known, narrow it with an
# 'option src_ip' on this redirect, and make sure the server only accepts
# key-based logins.
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '22'
        option dest_ip '10.192.168.197'
        option dest_port '22'
        option name 'ssh'
root@OpenWrt:/etc/config# /etc/init.d/firewall start
Warning: Unable to locate ipset utility, disabling ipset support
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Redirect 'http'
   * Redirect 'https'
   * Redirect 'ssh'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 nat table
   * Redirect 'http'
   * Redirect 'https'
   * Redirect 'ssh'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Flushing conntrack table ...
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'

Easiest way to do it:

backup your config then reset to defaults

then, with LuCI, configure the rules and confirm they work

backup the config

open the config files from the two versions and compare /etc/config/firewall before and after.

Your configuration is correct.
Run tcpdump and verify that you can see the packets:
tcpdump -i any -vn tcp port 80


Thanks. I did try that from a remote machine - there was a lot of unrelated traffic on port 80, but I have included the results below. I also added a redirect for port 53 to the firewall and then tried that:

$ nc -vz 10.192.168.197 53
Connection to 10.192.168.197 53 port [tcp/domain] succeeded!

Then from a remote machine:

$ nc -vzw 1 71.190.235.23 53
nc: connect to 71.190.235.23 port 53 (tcp) timed out: Operation now in progress

And on the router with openwrt:

root@OpenWrt:/etc/config# tcpdump -i any  -vn tcp port 53
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
20:57:34.942898 ethertype IPv4, IP (tos 0x0, ttl 51, id 41265, offset 0, flags [DF], proto TCP (6), length 60)
    82.15.240.187.51706 > 71.190.235.23.53: Flags [S], cksum 0xcbfb (correct), seq 2878154236, win 29200, options [mss 1460,sackOK,TS val 1536072971 ecr 0,nop,wscale 7], length 0
20:57:34.942898 IP (tos 0x0, ttl 51, id 41265, offset 0, flags [DF], proto TCP (6), length 60)
    82.15.240.187.51706 > 71.190.235.23.53: Flags [S], cksum 0xcbfb (correct), seq 2878154236, win 29200, options [mss 1460,sackOK,TS val 1536072971 ecr 0,nop,wscale 7], length 0
20:57:34.943075 IP (tos 0x0, ttl 50, id 41265, offset 0, flags [DF], proto TCP (6), length 60)
    82.15.240.187.51706 > 10.192.168.197.53: Flags [S], cksum 0x4b4c (correct), seq 2878154236, win 29200, options [mss 1460,sackOK,TS val 1536072971 ecr 0,nop,wscale 7], length 0
20:57:34.943094 IP (tos 0x0, ttl 50, id 41265, offset 0, flags [DF], proto TCP (6), length 60)
    82.15.240.187.51706 > 10.192.168.197.53: Flags [S], cksum 0x4b4c (correct), seq 2878154236, win 29200, options [mss 1460,sackOK,TS val 1536072971 ecr 0,nop,wscale 7], length 0
20:57:34.943103 ethertype IPv4, IP (tos 0x0, ttl 50, id 41265, offset 0, flags [DF], proto TCP (6), length 60)
    82.15.240.187.51706 > 10.192.168.197.53: Flags [S], cksum 0x4b4c (correct), seq 2878154236, win 29200, options [mss 1460,sackOK,TS val 1536072971 ecr 0,nop,wscale 7], length 0
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel

On a remote machine I did: nc -vzw 1 71.190.235.23 80

nc: connect to 71.190.235.23 port 80 (tcp) timed out: Operation now in progress

On the openwrt router:

root@OpenWrt:/etc/config# tcpdump -i any  -vn tcp port 80
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
20:36:49.364749 ethertype IPv4, IP (tos 0x0, ttl 51, id 26600, offset 0, flags [DF], proto TCP (6), length 60)
    82.15.240.187.57954 > 71.190.235.23.80: Flags [S], cksum 0x0b8e (correct), seq 2168584663, win 29200, options [mss 1460,sackOK,TS val 1534827385 ecr 0,nop,wscale 7], length 0
20:36:49.364749 IP (tos 0x0, ttl 51, id 26600, offset 0, flags [DF], proto TCP (6), length 60)
    82.15.240.187.57954 > 71.190.235.23.80: Flags [S], cksum 0x0b8e (correct), seq 2168584663, win 29200, options [mss 1460,sackOK,TS val 1534827385 ecr 0,nop,wscale 7], length 0
20:36:49.364971 IP (tos 0x0, ttl 50, id 26600, offset 0, flags [DF], proto TCP (6), length 60)
    82.15.240.187.57954 > 10.192.168.197.80: Flags [S], cksum 0x8ade (correct), seq 2168584663, win 29200, options [mss 1460,sackOK,TS val 1534827385 ecr 0,nop,wscale 7], length 0
20:36:49.364996 IP (tos 0x0, ttl 50, id 26600, offset 0, flags [DF], proto TCP (6), length 60)
    82.15.240.187.57954 > 10.192.168.197.80: Flags [S], cksum 0x8ade (correct), seq 2168584663, win 29200, options [mss 1460,sackOK,TS val 1534827385 ecr 0,nop,wscale 7], length 0
20:36:49.365011 ethertype IPv4, IP (tos 0x0, ttl 50, id 26600, offset 0, flags [DF], proto TCP (6), length 60)
    82.15.240.187.57954 > 10.192.168.197.80: Flags [S], cksum 0x8ade (correct), seq 2168584663, win 29200, options [mss 1460,sackOK,TS val 1534827385 ecr 0,nop,wscale 7], length 0
20:36:54.616778 IP (tos 0x0, ttl 64, id 49408, offset 0, flags [DF], proto TCP (6), length 52)
    10.192.168.26.53888 > 172.217.11.35.80: Flags [.], cksum 0x452d (correct), ack 3850455636, win 229, options [nop,nop,TS val 4294957712 ecr 87705191], length 0
20:36:54.616778 IP (tos 0x0, ttl 64, id 49408, offset 0, flags [DF], proto TCP (6), length 52)
    10.192.168.26.53888 > 172.217.11.35.80: Flags [.], cksum 0x452d (correct), ack 1, win 229, options [nop,nop,TS val 4294957712 ecr 87705191], length 0
20:36:54.616906 IP (tos 0x0, ttl 63, id 49408, offset 0, flags [DF], proto TCP (6), length 52)
    71.190.235.23.53888 > 172.217.11.35.80: Flags [.], cksum 0xc531 (correct), ack 3850455636, win 229, options [nop,nop,TS val 4294957712 ecr 87705191], length 0
20:36:54.616926 ethertype IPv4, IP (tos 0x0, ttl 63, id 49408, offset 0, flags [DF], proto TCP (6), length 52)
    71.190.235.23.53888 > 172.217.11.35.80: Flags [.], cksum 0xc531 (correct), ack 1, win 229, options [nop,nop,TS val 4294957712 ecr 87705191], length 0
20:36:54.622263 ethertype IPv4, IP (tos 0x80, ttl 124, id 5999, offset 0, flags [none], proto TCP (6), length 52)
    172.217.11.35.80 > 71.190.235.23.53888: Flags [.], cksum 0x5b68 (correct), ack 1, win 240, options [nop,nop,TS val 87750310 ecr 4294939662], length 0
20:36:54.622263 IP (tos 0x80, ttl 124, id 5999, offset 0, flags [none], proto TCP (6), length 52)
    172.217.11.35.80 > 71.190.235.23.53888: Flags [.], cksum 0x5b68 (correct), ack 1, win 240, options [nop,nop,TS val 87750310 ecr 4294939662], length 0
20:36:54.622413 IP (tos 0x80, ttl 123, id 5999, offset 0, flags [none], proto TCP (6), length 52)
    172.217.11.35.80 > 10.192.168.26.53888: Flags [.], cksum 0xdb63 (correct), ack 1, win 240, options [nop,nop,TS val 87750310 ecr 4294939662], length 0
20:36:54.622438 IP (tos 0x80, ttl 123, id 5999, offset 0, flags [none], proto TCP (6), length 52)
    172.217.11.35.80 > 10.192.168.26.53888: Flags [.], cksum 0xdb63 (correct), ack 1, win 240, options [nop,nop,TS val 87750310 ecr 4294939662], length 0
20:37:01.332211 ethertype IPv4, IP (tos 0x0, ttl 59, id 53261, offset 0, flags [none], proto TCP (6), length 44)
    164.163.31.1.80 > 71.190.235.23.59565: Flags [S.], cksum 0xd552 (correct), seq 257866785, ack 1820420938, win 16384, options [mss 1460], length 0
20:37:01.332211 IP (tos 0x0, ttl 59, id 53261, offset 0, flags [none], proto TCP (6), length 44)
    164.163.31.1.80 > 71.190.235.23.59565: Flags [S.], cksum 0xd552 (correct), seq 257866785, ack 1820420938, win 16384, options [mss 1460], length 0
20:37:39.735524 IP (tos 0x0, ttl 64, id 49409, offset 0, flags [DF], proto TCP (6), length 52)
    10.192.168.26.53888 > 172.217.11.35.80: Flags [.], cksum 0x834d (correct), ack 1, win 229, options [nop,nop,TS val 4294962224 ecr 87750310], length 0
20:37:39.735524 IP (tos 0x0, ttl 64, id 49409, offset 0, flags [DF], proto TCP (6), length 52)
    10.192.168.26.53888 > 172.217.11.35.80: Flags [.], cksum 0x834d (correct), ack 1, win 229, options [nop,nop,TS val 4294962224 ecr 87750310], length 0
20:37:39.735618 IP (tos 0x0, ttl 63, id 49409, offset 0, flags [DF], proto TCP (6), length 52)
    71.190.235.23.53888 > 172.217.11.35.80: Flags [.], cksum 0x0352 (correct), ack 1, win 229, options [nop,nop,TS val 4294962224 ecr 87750310], length 0
20:37:39.735633 ethertype IPv4, IP (tos 0x0, ttl 63, id 49409, offset 0, flags [DF], proto TCP (6), length 52)
    71.190.235.23.53888 > 172.217.11.35.80: Flags [.], cksum 0x0352 (correct), ack 1, win 229, options [nop,nop,TS val 4294962224 ecr 87750310], length 0
20:37:39.739363 ethertype IPv4, IP (tos 0x80, ttl 124, id 31020, offset 0, flags [none], proto TCP (6), length 52)
    172.217.11.35.80 > 71.190.235.23.53888: Flags [.], cksum 0xab2a (correct), ack 1, win 240, options [nop,nop,TS val 87795427 ecr 4294939662], length 0
20:37:39.739363 IP (tos 0x80, ttl 124, id 31020, offset 0, flags [none], proto TCP (6), length 52)
    172.217.11.35.80 > 71.190.235.23.53888: Flags [.], cksum 0xab2a (correct), ack 1, win 240, options [nop,nop,TS val 87795427 ecr 4294939662], length 0
20:37:39.739497 IP (tos 0x80, ttl 123, id 31020, offset 0, flags [none], proto TCP (6), length 52)
    172.217.11.35.80 > 10.192.168.26.53888: Flags [.], cksum 0x2b26 (correct), ack 1, win 240, options [nop,nop,TS val 87795427 ecr 4294939662], length 0
20:37:39.739519 IP (tos 0x80, ttl 123, id 31020, offset 0, flags [none], proto TCP (6), length 52)
    172.217.11.35.80 > 10.192.168.26.53888: Flags [.], cksum 0x2b26 (correct), ack 1, win 240, options [nop,nop,TS val 87795427 ecr 4294939662], length 0
20:37:40.146153 ethertype IPv4, IP (tos 0x0, ttl 64, id 43697, offset 0, flags [DF], proto TCP (6), length 52)
    10.192.168.218.36496 > 52.33.198.30.80: Flags [F.], cksum 0x9f21 (correct), seq 1798300970, ack 2975049875, win 980, options [nop,nop,TS val 11865638 ecr 3403944715], length 0
20:37:40.146153 IP (tos 0x0, ttl 64, id 43697, offset 0, flags [DF], proto TCP (6), length 52)
    10.192.168.218.36496 > 52.33.198.30.80: Flags [F.], cksum 0x9f21 (correct), seq 0, ack 1, win 980, options [nop,nop,TS val 11865638 ecr 3403944715], length 0
20:37:40.146153 IP (tos 0x0, ttl 64, id 43697, offset 0, flags [DF], proto TCP (6), length 52)
    10.192.168.218.36496 > 52.33.198.30.80: Flags [F.], cksum 0x9f21 (correct), seq 0, ack 1, win 980, options [nop,nop,TS val 11865638 ecr 3403944715], length 0
20:37:40.153683 ethertype IPv4, IP (tos 0x0, ttl 64, id 51855, offset 0, flags [DF], proto TCP (6), length 60)
    10.192.168.218.36506 > 52.33.198.30.80: Flags [S], cksum 0x900a (correct), seq 1856488616, win 14600, options [mss 1460,sackOK,TS val 11865639 ecr 0,nop,wscale 4], length 0
20:37:40.153683 IP (tos 0x0, ttl 64, id 51855, offset 0, flags [DF], proto TCP (6), length 60)
    10.192.168.218.36506 > 52.33.198.30.80: Flags [S], cksum 0x900a (correct), seq 1856488616, win 14600, options [mss 1460,sackOK,TS val 11865639 ecr 0,nop,wscale 4], length 0
20:37:40.153683 IP (tos 0x0, ttl 64, id 51855, offset 0, flags [DF], proto TCP (6), length 60)
    10.192.168.218.36506 > 52.33.198.30.80: Flags [S], cksum 0x900a (correct), seq 1856488616, win 14600, options [mss 1460,sackOK,TS val 11865639 ecr 0,nop,wscale 4], length 0
20:37:40.153862 IP (tos 0x0, ttl 63, id 51855, offset 0, flags [DF], proto TCP (6), length 60)
    71.190.235.23.36506 > 52.33.198.30.80: Flags [S], cksum 0x10cf (correct), seq 1856488616, win 14600, options [mss 1460,sackOK,TS val 11865639 ecr 0,nop,wscale 4], length 0
20:37:40.153878 ethertype IPv4, IP (tos 0x0, ttl 63, id 51855, offset 0, flags [DF], proto TCP (6), length 60)
    71.190.235.23.36506 > 52.33.198.30.80: Flags [S], cksum 0x10cf (correct), seq 1856488616, win 14600, options [mss 1460,sackOK,TS val 11865639 ecr 0,nop,wscale 4], length 0
20:37:40.225483 ethertype IPv4, IP (tos 0x0, ttl 230, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    52.33.198.30.80 > 71.190.235.23.36506: Flags [S.], cksum 0x801f (correct), seq 651475182, ack 1856488617, win 26847, options [mss 1460,sackOK,TS val 3404379669 ecr 11865639,nop,wscale 8], length 0
20:37:40.225483 IP (tos 0x0, ttl 230, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    52.33.198.30.80 > 71.190.235.23.36506: Flags [S.], cksum 0x801f (correct), seq 651475182, ack 1856488617, win 26847, options [mss 1460,sackOK,TS val 3404379669 ecr 11865639,nop,wscale 8], length 0
20:37:40.225604 IP (tos 0x0, ttl 229, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    52.33.198.30.80 > 10.192.168.218.36506: Flags [S.], cksum 0xff5a (correct), seq 651475182, ack 1856488617, win 26847, options [mss 1460,sackOK,TS val 3404379669 ecr 11865639,nop,wscale 8], length 0
20:37:40.225623 IP (tos 0x0, ttl 229, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    52.33.198.30.80 > 10.192.168.218.36506: Flags [S.], cksum 0xff5a (correct), seq 651475182, ack 1856488617, win 26847, options [mss 1460,sackOK,TS val 3404379669 ecr 11865639,nop,wscale 8], length 0
20:37:40.225632 ethertype IPv4, IP (tos 0x0, ttl 229, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    52.33.198.30.80 > 10.192.168.218.36506: Flags [S.], cksum 0xff5a (correct), seq 651475182, ack 1856488617, win 26847, options [mss 1460,sackOK,TS val 3404379669 ecr 11865639,nop,wscale 8], length 0
20:37:40.226052 ethertype IPv4, IP (tos 0x0, ttl 64, id 51856, offset 0, flags [DF], proto TCP (6), length 52)
    10.192.168.218.36506 > 52.33.198.30.80: Flags [.], cksum 0x936f (correct), ack 1, win 913, options [nop,nop,TS val 11865646 ecr 3404379669], length 0
20:37:40.226052 IP (tos 0x0, ttl 64, id 51856, offset 0, flags [DF], proto TCP (6), length 52)
    10.192.168.218.36506 > 52.33.198.30.80: Flags [.], cksum 0x936f (correct), ack 1, win 913, options [nop,nop,TS val 11865646 ecr 3404379669], length 0
20:37:40.226052 IP (tos 0x0, ttl 64, id 51856, offset 0, flags [DF], proto TCP (6), length 52)
    10.192.168.218.36506 > 52.33.198.30.80: Flags [.], cksum 0x936f (correct), ack 1, win 913, options [nop,nop,TS val 11865646 ecr 3404379669], length 0
20:37:40.226191 IP (tos 0x0, ttl 63, id 51856, offset 0, flags [DF], proto TCP (6), length 52)
    71.190.235.23.36506 > 52.33.198.30.80: Flags [.], cksum 0x1434 (correct), ack 1, win 913, options [nop,nop,TS val 11865646 ecr 3404379669], length 0
20:37:40.226552 ethertype IPv4, IP (tos 0x0, ttl 64, id 51857, offset 0, flags [DF], proto TCP (6), length 256)
    10.192.168.218.36506 > 52.33.198.30.80: Flags [P.], cksum 0x4e4a (correct), seq 1:205, ack 1, win 913, options [nop,nop,TS val 11865646 ecr 3404379669], length 204: HTTP, length: 204
        POST /Command/SMS2DataCollector.aspx HTTP/1.1
        Host: collector.sunpowermonitor.com
        Content-Type: text/plain
        Content-Length: 72

        100     SPMS    10      ZT162985000441C0597     20191215013739
        102     xpl8saqPRZ82yH8md9lL

As you can see the translation is working fine: in both captures the incoming SYN from 82.15.240.187 is rewritten from 71.190.235.23 to 10.192.168.197 and sent into the LAN, but no SYN-ACK ever comes back from 10.192.168.197, so the router is not what is dropping the connection.
Check on the server that its IP, mask and default gateway are correct, or whether a host firewall on it is dropping the packets. (Side note: the capture also includes the plaintext HTTP body of another LAN host's POST, including what looks like a device token — worth redacting before posting captures publicly.)


I confirmed the service was running from another host in the lan with netcat.

However, I decided to update to the newer version and reset the settings, as was also suggested. In short, I tested conservatively and it worked as expected. I then put back the original dhcp and firewall rules and it seems to be working normally. I compared the files in /etc/config and didn't find any obvious differences.
For now, I'll just be keeping an eye on things. A mystery ....