Problem
I'm pretty confused about what I'm missing on my port forwarding issue.
My goal is to have incoming requests from my wifi network to 192.168.1.62:8080 forward to the LAN address 172.27.153.1:80.
- Router LAN IP: 172.27.153.10
- Router WAN (wifi) IP: 192.168.1.62
Config Script
I have a couple of scripts which I've been using to prototype this, starting from a factory reset.
Configure the device IP & wait until it's ready
#!/bin/bash
# ASSUME ROUTER IS FACTORY RESET @ 192.168.1.1
ROUTER_IP=172.27.153.10
echo " > Waiting on ROUTER @ 192.168.1.1"
until ping -c1 192.168.1.1 >/dev/null 2>&1; do sleep 1; done
echo " > Router up"
# Retry a trivial ssh command until sshd answers
EXIT_CODE=255
while [[ $EXIT_CODE -ne 0 ]]; do
sleep 5
ssh -o StrictHostKeyChecking=no root@192.168.1.1 ls
EXIT_CODE=$?
echo " > Waiting for SSHD to start"
done
echo " > SSH Is up and running..."
# Change the LAN address; the session dies when the network restarts, hence the timeout
timeout 5s ssh -o StrictHostKeyChecking=no root@192.168.1.1 "
echo uci set network.lan.ipaddr='$ROUTER_IP'
uci set network.lan.ipaddr='$ROUTER_IP'
uci commit network
/etc/init.d/network restart
"
echo " > Waiting on ROUTER @ $ROUTER_IP"
until ping -c1 "$ROUTER_IP" >/dev/null 2>&1; do sleep 1; done
echo " > Router up"
Modify device Name
#!/bin/bash
ROUTER_IP=172.27.153.10
ssh -o StrictHostKeyChecking=no root@$ROUTER_IP "
echo setting name
uci set system.@system[0].hostname='SolarMonitor'
uci set system.@system[0].description='PV6 SunPower Monitor'
uci set system.@system[0].timezone='America/Denver'
uci commit system
echo restarting
/etc/init.d/system reload
"
Set up the WiFi connection
#!/bin/bash
ROUTER_IP=172.27.153.10
WIFI='<WIFI_SSID>'
WIFI_PASS='<WIFI_PASS>'
echo Updating /etc/config/firewall
ssh -o StrictHostKeyChecking=no root@$ROUTER_IP "
# cfg02dc81 / cfg03dc81 are the lan and wan zone sections of the factory firewall config
uci del firewall.cfg02dc81.network
uci add_list firewall.cfg02dc81.network='lan'
uci del firewall.cfg03dc81.network
uci add_list firewall.cfg03dc81.network='wan'
uci add_list firewall.cfg03dc81.network='wan6'
uci add_list firewall.cfg03dc81.network='wwan'
uci commit firewall
echo Updating /etc/config/network
uci set network.wwan=interface
uci set network.wwan.proto='dhcp'
uci commit network
echo Updating /etc/config/wireless
uci del wireless.radio0.disabled
uci set wireless.wifinet2=wifi-iface
uci set wireless.wifinet2.device='radio0'
uci set wireless.wifinet2.mode='sta'
uci set wireless.wifinet2.network='wwan'
uci set wireless.wifinet2.ssid='$WIFI'
uci set wireless.wifinet2.encryption='psk2'
uci set wireless.wifinet2.key='$WIFI_PASS'
uci set wireless.default_radio0.disabled='1'
uci set wireless.radio0.cell_density='0'
uci commit wireless
echo Reloading Network
/etc/init.d/network reload
"
Configure the Firewall
(this is probably where the error is)
#!/bin/bash
ROUTER_IP=172.27.153.10
PVS_IP=172.27.153.1
ssh -o StrictHostKeyChecking=no root@$ROUTER_IP "
echo Opening Port 80
uci add firewall redirect
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].name='GUI Access'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].src_dport='80'
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].dest_ip='$ROUTER_IP'
uci set firewall.@redirect[-1].dest_port='80'
uci add_list firewall.@redirect[-1].proto='tcp'
echo Opening Port 22
uci add firewall redirect
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].name='SSH Access'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].src_dport='22'
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].dest_ip='$ROUTER_IP'
uci set firewall.@redirect[-1].dest_port='22'
uci add_list firewall.@redirect[-1].proto='tcp'
echo Opening 8080
uci add firewall redirect
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].name='SunPower API'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].src_dport='8080'
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].dest_ip='$PVS_IP'
uci set firewall.@redirect[-1].dest_port='80'
uci add_list firewall.@redirect[-1].proto='tcp'
echo Adding default route
uci add firewall nat
uci set firewall.@nat[-1].dest_port='8080'
uci set firewall.@nat[-1].src='lan'
uci set firewall.@nat[-1].name='test'
uci set firewall.@nat[-1].target='SNAT'
uci set firewall.@nat[-1].dest_ip='$PVS_IP'
uci set firewall.@nat[-1].snat_ip='$ROUTER_IP'
uci add_list firewall.@nat[-1].proto='tcp'
echo 'Save & Restart'
uci commit firewall
fw3 reload
"
Disable DHCP server on Ethernet Port
#!/bin/bash
ROUTER_IP=172.27.153.10
echo "Disabling DHCP Server"
ssh -o StrictHostKeyChecking=no root@$ROUTER_IP /etc/init.d/dnsmasq disable
ssh -o StrictHostKeyChecking=no root@$ROUTER_IP /etc/init.d/dnsmasq stop
In my initial testing I configured a computer with the IP 172.27.153.1 and ran a docker container to mock the API I was trying to connect to. I was able to hit curl http://192.168.1.62:8080/poll and it would pass through correctly. Once I got out of testing I found things weren't working as expected.
What does work
- SSH port forwarding: ssh -L 8080:172.27.153.1:80 root@192.168.1.62
- curl from the router: ssh root@192.168.1.62 curl 172.27.153.1
- SSH access to router: ssh root@192.168.1.62
- LuCI access from web: curl http://192.168.1.62
What does not work
- My port forward: curl http://192.168.1.62:8080
What I've done so far
I installed tcpdump on the system and am struggling to understand what's going on:
curl http://192.168.1.62:8080
NOTE: sunpowerconsole.net maps to 172.27.153.1
root@SolarMonitor:~# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
20:07:02.659891 ARP, Request who-has sunpowerconsole.net tell 172.27.153.10, length 28
20:07:02.661317 ARP, Reply sunpowerconsole.net is-at e2:e9:b4:2a:f2:13 (oui Unknown), length 46
20:07:03.162402 IP 192.168.1.76.49654 > sunpowerconsole.net.80: Flags [S], seq 2874673515, win 65535, options [mss 1360,nop,wscale 6,nop,nop,TS val 3970748062 ecr 0,sackOK,eol], length 0
20:07:04.177553 IP 192.168.1.76.49654 > sunpowerconsole.net.80: Flags [S], seq 2874673515, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3970749062 ecr 0,sackOK,eol], length 0
20:07:05.191531 IP 192.168.1.76.49654 > sunpowerconsole.net.80: Flags [S], seq 2874673515, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3970750062 ecr 0,sackOK,eol], length 0
20:07:06.206191 IP 192.168.1.76.49654 > sunpowerconsole.net.80: Flags [S], seq 2874673515, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3970751063 ecr 0,sackOK,eol], length 0
20:07:07.217159 IP 192.168.1.76.49654 > sunpowerconsole.net.80: Flags [S], seq 2874673515, win 65535, options [mss 1360,nop,wscale 6,nop,nop,TS val 3970752063 ecr 0,sackOK,eol], length 0
20:07:08.227595 IP 192.168.1.76.49654 > sunpowerconsole.net.80: Flags [S], seq 2874673515, win 65535, options [mss 1360,nop,wscale 6,nop,nop,TS val 3970753063 ecr 0,sackOK,eol], length 0
20:07:10.262349 IP 192.168.1.76.49654 > sunpowerconsole.net.80: Flags [S], seq 2874673515, win 65535, options [mss 1360,nop,wscale 6,nop,nop,TS val 3970755063 ecr 0,sackOK,eol], length 0
20:07:14.318508 IP 192.168.1.76.49654 > sunpowerconsole.net.80: Flags [S], seq 2874673515, win 65535, options [mss 1360,nop,wscale 6,nop,nop,TS val 3970759063 ecr 0,sackOK,eol], length 0
20:07:22.376989 IP 192.168.1.76.49654 > sunpowerconsole.net.80: Flags [S], seq 2874673515, win 65535, options [mss 1360,nop,wscale 6,nop,nop,TS val 3970767063 ecr 0,sackOK,eol], length 0
20:07:38.520396 IP 192.168.1.76.49654 > sunpowerconsole.net.80: Flags [S], seq 2874673515, win 65535, options [mss 1360,nop,wscale 6,nop,nop,TS val 3970783063 ecr 0,sackOK,eol], length 0
20:07:43.619855 ARP, Request who-has sunpowerconsole.net tell 172.27.153.10, length 28
20:07:43.621323 ARP, Reply sunpowerconsole.net is-at e2:e9:b4:2a:f2:13 (oui Unknown), length 46
I see that the incoming requests are coming from 192.168.1.76, whereas when I hit it from the router itself (where it works):
20:08:23.233958 IP 172.27.153.10.60268 > sunpowerconsole.net.80: Flags [S], seq 386560607, win 64240, options [mss 1460,sackOK,TS val 722566016 ecr 0,nop,wscale 3], length 0
20:08:23.234738 IP 172.27.153.10.45090 > sunpowerconsole.net.53: 48178+ PTR? 10.153.27.172.in-addr.arpa. (44)
20:08:23.236024 IP sunpowerconsole.net.80 > 172.27.153.10.60268: Flags [S.], seq 2536045490, ack 386560608, win 28960, options [mss 1460,sackOK,TS val 4359233 ecr 722566016,nop,wscale 7], length 0
20:08:23.236248 IP 172.27.153.10.60268 > sunpowerconsole.net.80: Flags [.], ack 1, win 8030, options [nop,nop,TS val 722566019 ecr 4359233], length 0
20:08:23.237286 IP sunpowerconsole.net.53 > 172.27.153.10.45090: 48178 NXDomain* 0/0/0 (44)
20:08:23.238728 IP 172.27.153.10.42176 > sunpowerconsole.net.53: 43182+ PTR? 1.153.27.172.in-addr.arpa. (43)
20:08:23.241044 IP sunpowerconsole.net.53 > 172.27.153.10.42176: 43182* 1/0/0 PTR sunpowerconsole.net. (76)
20:08:23.246200 IP 172.27.153.10.60268 > sunpowerconsole.net.80: Flags [P.], seq 1:77, ack 1, win 8030, options [nop,nop,TS val 722566029 ecr 4359233], length 76: HTTP: GET / HTTP/1.1
20:08:23.247707 IP sunpowerconsole.net.80 > 172.27.153.10.60268: Flags [.], ack 77, win 227, options [nop,nop,TS val 4359235 ecr 722566029], length 0
20:08:23.248921 IP sunpowerconsole.net.80 > 172.27.153.10.60268: Flags [.], seq 1:1449, ack 77, win 227, options [nop,nop,TS val 4359235 ecr 722566029], length 1448: HTTP: HTTP/1.1 200 OK
20:08:23.249050 IP 172.27.153.10.60268 > sunpowerconsole.net.80: Flags [.], ack 1449, win 8011, options [nop,nop,TS val 722566032 ecr 4359235], length 0
20:08:23.250209 IP sunpowerconsole.net.80 > 172.27.153.10.60268: Flags [P.], seq 1449:4212, ack 77, win 227, options [nop,nop,TS val 4359235 ecr 722566029], length 2763: HTTP
20:08:23.250344 IP 172.27.153.10.60268 > sunpowerconsole.net.80: Flags [.], ack 4212, win 7826, options [nop,nop,TS val 722566033 ecr 4359235], length 0
20:08:23.252763 IP 172.27.153.10.60268 > sunpowerconsole.net.80: Flags [F.], seq 77, ack 4212, win 8011, options [nop,nop,TS val 722566035 ecr 4359235], length 0
20:08:23.254487 IP sunpowerconsole.net.80 > 172.27.153.10.60268: Flags [F.], seq 4212, ack 78, win 227, options [nop,nop,TS val 4359235 ecr 722566035], length 0
20:08:23.254684 IP 172.27.153.10.60268 > sunpowerconsole.net.80: Flags [.], ack 4213, win 8011, options [nop,nop,TS val 722566037 ecr 4359235], length 0
So in this case I see the request is coming from 172.27.153.10, which I'm assuming is perhaps the problem. I "thought" I had a NAT rule to help fix this but it's very clear I'm not really sure what I'm doing. I'm hoping there is a clear and easy fix for this.
Thanks!!
CONFIG FILES
I've been messing around in the GUI so these may not fully match the install scripts.
/etc/config/firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option name 'SunPower API'
	option src 'wan'
	option src_dport '8080'
	option dest 'lan'
	option dest_ip '172.27.153.1'
	option dest_port '80'
	list proto 'tcp'

config redirect
	option target 'DNAT'
	option name 'GUI Access'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_ip '172.27.153.10'
	option dest_port '80'
	list proto 'tcp'

config redirect
	option target 'DNAT'
	option name 'SSH Access'
	option src 'wan'
	option src_dport '22'
	option dest 'lan'
	option dest_ip '172.27.153.10'
	option dest_port '22'
	list proto 'tcp'

config nat
	option dest_port '8080'
	option name 'test'
	option target 'SNAT'
	option snat_ip '172.27.153.10'
	list proto 'tcp'
	option src_port '8080'
	option src '*'
	option snat_port '80'
/etc/config/wireless
config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/10300000.wmac'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'sta'
	option network 'wwan'
	option ssid 'xxxxxxxx'
	option encryption 'psk2'
	option key 'xxxxxxxx'
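An added consistency check, not part of the original post: it parses the 'SunPower API' redirect and the 'test' nat section from the firewall config above (embedded as a constructed sample) and flags an SNAT rule whose match fields cannot correspond to the post-DNAT destination, then renders the uci batch for an SNAT rule that does pair with the redirect. It relies on a netfilter fact rather than anything the post states: OpenWrt `config nat` rules are applied in POSTROUTING, after the redirect's PREROUTING DNAT, so to catch the forwarded flow the rule has to match lan-side 172.27.153.1:80, not port 8080; the names parse_uci, check_snat and snat_batch_for are this example's own.

```python
import re
# Constructed sample: the 'SunPower API' redirect and the 'test' nat rule as posted.
SAMPLE_FIREWALL = """
config redirect
    option target 'DNAT'
    option name 'SunPower API'
    option src 'wan'
    option src_dport '8080'
    option dest 'lan'
    option dest_ip '172.27.153.1'
    option dest_port '80'
    list proto 'tcp'
config nat
    option dest_port '8080'
    option name 'test'
    option target 'SNAT'
    option snat_ip '172.27.153.10'
    list proto 'tcp'
    option src '*'
"""
SECTION_RE = re.compile(r"^\s*config\s+([\w-]+)")
OPTION_RE = re.compile(r"^\s*(?:option|list)\s+(\w+)\s+'([^']*)'")

def parse_uci(text):
    """Minimal UCI parser: ordered list of (section_type, {key: value})."""
    sections = []
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            sections.append((m.group(1), {}))
        elif (m := OPTION_RE.match(line)) and sections:
            sections[-1][1][m.group(1)] = m.group(2)
    return sections

def check_snat(text):
    """Flag SNAT rules whose (src zone, dest_ip, dest_port) is not the post-DNAT destination of a redirect."""
    secs = parse_uci(text)
    targets = {(r["dest"], r["dest_ip"], r["dest_port"])
               for t, r in secs if t == "redirect" and r.get("target") == "DNAT"}
    return [f"nat '{o.get('name')}': src={o.get('src')} dest_ip={o.get('dest_ip')} "
            f"dest_port={o.get('dest_port')} never matches; expected {sorted(targets)}"
            for t, o in secs if t == "nat" and o.get("target") == "SNAT"
            and (o.get("src"), o.get("dest_ip"), o.get("dest_port")) not in targets]

def snat_batch_for(redirect, snat_ip):
    """uci batch for the SNAT rule pairing a redirect: match the translated destination, rewrite the source."""
    fields = {"target": "SNAT", "name": f"SNAT {redirect['name']}", "src": redirect["dest"],
              "dest_ip": redirect["dest_ip"], "dest_port": redirect["dest_port"],
              "snat_ip": snat_ip}
    return (["add firewall nat"] + [f"set firewall.@nat[-1].{k}='{v}'" for k, v in fields.items()]
            + [f"add_list firewall.@nat[-1].proto='{redirect.get('proto', 'tcp')}'"])
```

The rendered lines can be fed to `uci batch` on the router and followed by `uci commit firewall`; with the source rewritten to the router's LAN address, the device at 172.27.153.1 has a same-subnet return path even though it has no route to 192.168.1.0/24.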