Hello, I want to expose my NAS service (192.168.1.8:8080) to the WAN (port 8080), so I've configured the following redirect rule in the firewall:
config redirect
option name 'nas-service'
option target 'DNAT'
option dest 'lan'
list proto 'tcp'
option dest_port '8080'
option src_dport '8080'
option src 'wan'
option dest_ip '192.168.1.8' <------- my nas ip
After restarting the firewall, I tried to test whether it worked from outside the OpenWrt network (say, from my phone over cell data):
wget mypublicip:8080
It seems the TCP connection is established but hangs, and finally fails. (I've confirmed I can access the NAS service from within the LAN at 192.168.1.8:8080.)
But if I change my redirect rule to forward a port of OpenWrt itself (router IP 192.168.1.1), every port works:
config redirect
option name 'nas-service'
option target 'DNAT'
option dest 'lan'
list proto 'tcp'
option dest_port '8080'
option src_dport '80' <-----------expose openwrt web/ or 22 for ssh, all worked
option src 'wan'
option dest_ip '192.168.1.1' <------- my router (openwrt) ip
Could anyone help me?
BTW, I have multi-WAN and multi-LAN subnets configured; does that cause a problem here?
Are you certain that the return traffic is sent out of the same wan?
The redirect you have there is correct. Make sure also that the NAS uses the OpenWrt as gateway and doesn't block connections from other subnets.
Could you please explain that in more detail? Should I look at iptables to confirm whether certain rules exist?
And I can confirm my NAS (192.168.1.8) uses OpenWrt (192.168.1.1) as its gateway, since running tracert from within my NAS terminal shows that all traffic goes through OpenWrt.
I can use wget to access 192.168.1.8:8080 from the OpenWrt terminal; doesn't the redirected connection to the NAS look exactly like traffic coming from the OpenWrt terminal? I mean, if wget from OpenWrt works, the redirect rule should also work, but what makes the difference?
If you have multi-wan as you said in the first post, there is a chance that the policy for the nas is to send packets via wanA, while you are trying to access it from wanB.
How did you configure the multi-WAN policies?
I have
wan(pppoe1) + lan(br-lan) running as subnet 192.168.1.0/24
wan2(pppoe2) + lan2(br-lan2) running as subnet 192.168.20.0/24
and my NAS is connected as 192.168.1.8. I tried to access the redirected port via the wan (pppoe1) public IP.
BTW, I don't understand why both a 'wan interface' and a 'wan zone' exist; I configured wan and wan2 in one 'wan zone'.
Copy this into a script, fix the PPPoE interface names, make it executable and run it:
#!/bin/sh
interfaces="pppoe-wan pppoe-wan2"
# When this script exits, stop all background tcpdump processes:
trap 'kill $(jobs -p) > /dev/null 2>&1; sleep 0.2; echo' EXIT
# Start one tcpdump per interface and prefix each output line with the interface name.
# Any extra arguments (e.g. "tcp port 8080") are passed to tcpdump as its capture filter:
for interface in $interfaces; do
    tcpdump -l -i "$interface" "$@" 2>/dev/null | sed 's/^/[Interface:'"$interface"'] /' &
done
# Wait until CTRL+C:
wait
Run it with ./filename.sh tcp port 80 (or tcp port 8080), try to access port 80 from the internet, gather the output and paste it here.
Running this script gave the following output (I'm using 10443 instead of 8080; I've already confirmed I can access 192.168.1.8:10443 from within the LAN or from OpenWrt. pppoe-wan is my default WAN, and only it has a public IP; I'm accessing this IP during the test from outside OpenWrt via a browser. pppoe-wan_chmob is my second WAN; it doesn't have a public IP.)
There are only SYN packets, but nothing in return.
Run a tcpdump -i br-lan tcp port 8080 to verify that the OpenWrt is forwarding the packets to the nas and gets the replies.
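The "only SYNs, nothing in return" diagnosis above can be automated. The following is an added example (not code from the thread) that parses lines in the format produced by the per-interface tcpdump script, groups them into flows, and lists flows where a client SYN was never answered with a SYN-ACK. The sample capture lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches one line of the per-interface tcpdump script output; the
# "[Interface:...]" prefix is what its sed command adds to each line.
LINE_RE = re.compile(
    r"^\[Interface:(?P<iface>\S+)\] \S+ IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def parse_flows(lines):
    """Group TCP packets into client->server flows, recording the flags seen
    in each direction. Key: (iface, client ip, client port, server ip, server port)."""
    flows = defaultdict(lambda: {"to_server": set(), "to_client": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP line in the expected format (e.g. ARP noise)
        fwd = (m["iface"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        rev = (m["iface"], m["dst"], int(m["dport"]), m["src"], int(m["sport"]))
        if m["flags"] == "S" or fwd in flows:
            flows[fwd]["to_server"].add(m["flags"])   # client -> server direction
        elif rev in flows:
            flows[rev]["to_client"].add(m["flags"])   # reply from the server side
    return flows

def unanswered_syns(lines):
    """Flows in which the client sent a SYN but no SYN-ACK ("S." in tcpdump
    notation) was ever seen on that interface: the forwarded host did not
    answer, dropped the packet, or replied via a different WAN."""
    return sorted(
        key for key, seen in parse_flows(lines).items()
        if "S" in seen["to_server"] and "S." not in seen["to_client"]
    )

# Constructed sample: a retried SYN to the forwarded NAS port that gets no
# reply, and a healthy handshake to the router's own SSH port for contrast.
SAMPLE = """\
[Interface:pppoe-wan] 10:00:01.000001 IP 203.0.113.5.51234 > 198.51.100.2.10443: Flags [S], seq 1, win 64240, length 0
[Interface:pppoe-wan] 10:00:02.000001 IP 203.0.113.5.51234 > 198.51.100.2.10443: Flags [S], seq 1, win 64240, length 0
[Interface:pppoe-wan] 10:00:05.000001 IP 203.0.113.5.51235 > 198.51.100.2.22: Flags [S], seq 7, win 64240, length 0
[Interface:pppoe-wan] 10:00:05.000500 IP 198.51.100.2.22 > 203.0.113.5.51235: Flags [S.], seq 9, ack 8, win 65160, length 0
[Interface:pppoe-wan] 10:00:05.001000 IP 203.0.113.5.51235 > 198.51.100.2.22: Flags [.], ack 10, win 502, length 0
""".splitlines()

if __name__ == "__main__":
    for iface, cip, cport, sip, sport in unanswered_syns(SAMPLE):
        print(f"{iface}: {cip}:{cport} -> {sip}:{sport} SYN never answered")
```

Feed it the saved output of the script (one interface or several) to see which forwarded ports never get a SYN-ACK back; the same check on a br-lan capture shows whether the NAS itself is the one not answering.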
I've run ssh from my NAS to OpenWrt with -L 0.0.0.0:10443:192.168.1.8:10443 to expose the NAS port 10443, and allowed 10443 input traffic in OpenWrt; this way I can access my NAS port from the internet. Does that mean my NAS doesn't block traffic?
You're correct, my NAS does have firewall rules which block non-LAN traffic; changing them fixed the problem. And this is the first time I've learned that the source IP of SSH-forwarded traffic is the SSH peer's. Thanks for the detailed help!