Redirection just working from wan to lan, not lan to lan

Hi, I am using openwrt 21.02 x86
I had a connection to the router using a private range ip and a DMZ redirection in the ISP router.
I also had some ports exposed to internet, https for example.

I was able to connect to the https server from the wan and also from the lan

Today I moved to a pppoe connection, with the public ip on my openwrt router. I assigned this new interface to the wan zone.
Everything seems to work except the port redirection from the lan.
I can still access the https server if I connect via 4G (mobile), but I get a timeout trying to connect from another pc in the lan. If I add a local dns entry everything works, so I suspect it is something related to the openwrt firewall.

Here is the relevant config:

Previous rule: it worked from lan and wan, and now just from wan.

config redirect
        option dest_port '443'
        option src 'wan'
        option name 'HTTPS'
        option src_dport '443'
        option target 'DNAT'
        option dest_ip '192.168.1.11'
        option dest 'lan'
        option reflection_zone 'lan'

I tried to create a new lan-to-lan redirection at the top of the list, but got the same result.

config redirect
        option target 'DNAT'
        list proto 'tcp'
        option src_dport '443'
        option dest_ip '192.168.1.11'
        option src 'lan'
        option dest_port '443'
        option dest 'lan'
        option name 'LAN-HTTPS'
        option enabled '1'
        option src_dip 'MY_PUBLIC_IP'

I also played with the reflection_zone option, with no luck.

Any ideas?

Thanks!

If it works with a local DNS entry, it's probably DNS related?

There's no fw on the LAN side, LAN traffic doesn't pass any firewall.

What if you use the IP on the LAN side?

I mean a local dns entry pointing to the 192.168 address instead of the public ip.
So when I try to reach whatever.domain.lt, it resolves to the public ip on the router, so the request is not directly lan to lan. I try to reach the wan interface, which should be redirected to an internal server. That's the reason I tried creating a new redirection from lan to lan.
And using the ip is not an option, since I have several services running on the same ip; I need the names.

The question is why this is not working with the public ip directly on the router instead of an ISP router with a DMZ to the openwrt router.
Thanks

It kind of is: it doesn't bounce back anywhere and come back, it stays within the router.

Same if you port scan your WAN IP from the LAN, it'd report ports open, even if they're not, looking from the WAN side.

I didn't say you should use the IP, but to try to see if it's accessible using the IP.

It stays inside the router, but I just need the redirection when the request goes to the public IP, not the lan one.
The port is open in the internal ip serving other services, I just need the redirection on the public IP.

But again my question is why this was working with a private ip (non pppoe) and not now. I just added the new interface and removed the old one.

And using the ip is not an option; I serve some docker services with traefik and certificates, so it is not possible to use the ip.

This is because your router uses upstream DNSes, while your clients (probably) use your router's DNS?

I'm still not sure what the expected outcome should be.....?
DNS name should always resolve to public ip?

All my network uses a pihole docker container running on openwrt as dns server, even the openwrt OS.
Pihole uses external dns resolvers when the answer is not cached, of course.

But you are not answering the question: why is this redirection not working anymore with this change? This was working yesterday, before the pppoe interface.

Because you moved the public IP from someplace else to the router device?

Still not understanding your network layout :confused:

Ok, so your answer is I cannot do this redirection with pppoe? Or I cannot have a public ip on the router?
I don't understand your answer. I know it doesn't work because of the new scenario. I am asking for a solution (if it is possible), not for this response (which is already in the post: it doesn't work after the change....)

What is the output of uci export firewall; iptables-save -c -t nat ?

It is a very long response:

root@x86_fw:~# uci export firewall; iptables-save -c -t nat
package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn'
	option masq '1'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'REJECT'
	list network 'KPN'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone 'docker'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'docker'
	list network 'docker'

config redirect
	option target 'DNAT'
	list proto 'tcp'
	option src_dport '443'
	option dest_ip '192.168.1.11'
	option src 'lan'
	option dest_port '443'
	option dest 'lan'
	option name 'LAN-HTTPS'
	option src_dip 'PUBLIC_IP'
	option enabled '0'

config redirect
	option dest_port '443'
	option src 'wan'
	option name 'HTTPS'
	option src_dport '443'
	option target 'DNAT'
	option dest_ip '192.168.1.11'
	option dest 'lan'

config redirect
	option src 'wan'
	option name 'HTTP'
	option src_dport '80'
	option target 'DNAT'
	option dest_ip '192.168.1.11'
	option dest 'lan'
	list proto 'tcp'
	option dest_port '80'

config redirect
	option dest_port '51413'
	option src 'wan'
	option name 'TORRENT'
	option src_dport '51413'
	option target 'DNAT'
	option dest 'lan'
	option dest_ip '192.168.1.11'

config redirect
	option dest_port '32400'
	option src 'wan'
	option name 'PLEX'
	option src_dport '32400'
	option target 'DNAT'
	option dest 'lan'
	option dest_ip '192.168.1.11'

config redirect
	option dest_port '993'
	option src 'wan'
	option name 'IMAP'
	option src_dport '993'
	option target 'DNAT'
	option dest_ip '192.168.1.11'
	option dest 'lan'

config redirect
	option dest_port '587'
	option src 'wan'
	option name 'SMTP'
	option src_dport '587'
	option target 'DNAT'
	option dest_ip '192.168.1.11'
	option dest 'lan'

config redirect
	option dest_port '25'
	option src 'wan'
	option name 'SMTP'
	option src_dport '25'
	option target 'DNAT'
	option dest_ip '192.168.1.11'
	option dest 'lan'

config redirect
	option dest_port '995'
	option src 'wan'
	option name '995'
	option src_dport '995'
	option target 'DNAT'
	option dest_ip '192.168.1.11'
	option dest 'lan'

config redirect
	option dest_port '22'
	option src 'wan'
	option name 'SSH'
	option src_dport '22'
	option target 'DNAT'
	option dest_ip '192.168.1.11'
	option dest 'lan'
	list proto 'tcp'
	option enabled '0'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option target 'DNAT'
	option name 'SSH VM'
	list proto 'tcp'
	option src 'wan'
	option src_dport '23'
	option dest 'lan'
	option dest_ip '192.168.1.49'
	option dest_port '22'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'SSH WAN'
	list proto 'tcp'
	list dest_ip '192.168.178.10'
	option dest_port '22'
	option target 'ACCEPT'
	option src 'wan'
	option enabled '0'


# Generated by iptables-save v1.8.7 on Tue Apr 19 17:34:24 2022
*nat
:PREROUTING ACCEPT [1306:426246]
:INPUT ACCEPT [1359:226122]
:OUTPUT ACCEPT [1064:69657]
:POSTROUTING ACCEPT [554:31961]
:DOCKER - [0:0]
:postrouting_docker_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_docker_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_docker_postrouting - [0:0]
:zone_docker_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[0:0] -A PREROUTING -s 192.168.1.1/32 -i br-lan -p udp -m udp --dport 853 -j ACCEPT
[0:0] -A PREROUTING -s 192.168.1.1/32 -i br-lan -p tcp -m tcp --dport 853 -j ACCEPT
[0:0] -A PREROUTING -s 192.168.1.1/32 -i br-lan -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A PREROUTING -s 192.168.1.1/32 -i br-lan -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A PREROUTING -s 192.168.1.0/24 -i br-lan -p udp -m udp --dport 853 -j DNAT --to-destination 192.168.1.1:53
[3:192] -A PREROUTING -s 192.168.1.0/24 -i br-lan -p tcp -m tcp --dport 853 -j DNAT --to-destination 192.168.1.1:53
[5929:393708] -A PREROUTING -s 192.168.1.0/24 -i br-lan -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1:53
[3:156] -A PREROUTING -s 192.168.1.0/24 -i br-lan -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.1:53
[5795:1918424] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[1577:441424] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[1355:428336] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i vpn -m comment --comment "!fw3" -j zone_lan_prerouting
[102:5888] -A PREROUTING -i pppoe-KPN -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i docker0 -m comment --comment "!fw3" -j zone_docker_prerouting
[1930:116138] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A POSTROUTING -s 172.28.0.0/24 ! -o docker0 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.19.0.0/16 ! -o br-a46ef56205c1 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.20.0.0/16 ! -o br-37ac5b3d8bcc -j MASQUERADE
[9:564] -A POSTROUTING -s 172.18.0.0/16 ! -o br-1f71bab244f0 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 8082 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 443 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.20.0.2/32 -d 172.20.0.2/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.18.0.3/32 -d 172.18.0.3/32 -p tcp -m tcp --dport 9617 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.20.0.3/32 -d 172.20.0.3/32 -p tcp -m tcp --dport 9001 -j MASQUERADE
[1904:327002] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[305:52177] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o vpn -m comment --comment "!fw3" -j zone_lan_postrouting
[1045:242864] -A POSTROUTING -o pppoe-KPN -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o docker0 -m comment --comment "!fw3" -j zone_docker_postrouting
[0:0] -A DOCKER -i docker0 -j RETURN
[0:0] -A DOCKER -i br-a46ef56205c1 -j RETURN
[0:0] -A DOCKER -i br-37ac5b3d8bcc -j RETURN
[759:45540] -A DOCKER -i br-1f71bab244f0 -j RETURN
[3:410] -A DOCKER -d 192.168.1.1/32 ! -i br-1f71bab244f0 -p tcp -m tcp --dport 8082 -j DNAT --to-destination 172.18.0.2:8082
[39:2332] -A DOCKER -d 192.168.1.1/32 ! -i br-1f71bab244f0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.18.0.2:443
[0:0] -A DOCKER -d 192.168.1.1/32 ! -i br-1f71bab244f0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.18.0.2:80
[3:180] -A DOCKER -d 192.168.1.1/32 ! -i br-37ac5b3d8bcc -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.20.0.2:8080
[3:410] -A DOCKER -d 192.168.1.1/32 ! -i br-1f71bab244f0 -p tcp -m tcp --dport 9617 -j DNAT --to-destination 172.18.0.3:9617
[23:1380] -A DOCKER -d 192.168.1.1/32 ! -i br-37ac5b3d8bcc -p tcp -m tcp --dport 9001 -j DNAT --to-destination 172.20.0.3:9001
[0:0] -A zone_docker_postrouting -m comment --comment "!fw3: Custom docker postrouting rule chain" -j postrouting_docker_rule
[0:0] -A zone_docker_prerouting -m comment --comment "!fw3: Custom docker prerouting rule chain" -j prerouting_docker_rule
[305:52177] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[6:414] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.11/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.11/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.1.11/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.1.11/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j SNAT --to-source 192.168.9.1
[4:240] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.11/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.1.11/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.11/32 -p tcp -m tcp --dport 51413 -m comment --comment "!fw3: TORRENT (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.11/32 -p udp -m udp --dport 51413 -m comment --comment "!fw3: TORRENT (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.1.11/32 -p tcp -m tcp --dport 51413 -m comment --comment "!fw3: TORRENT (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.1.11/32 -p udp -m udp --dport 51413 -m comment --comment "!fw3: TORRENT (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.11/32 -p tcp -m tcp --dport 32400 -m comment --comment "!fw3: PLEX (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.11/32 -p udp -m udp --dport 32400 -m comment --comment "!fw3: PLEX (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.1.11/32 -p tcp -m tcp --dport 32400 -m comment --comment "!fw3: PLEX (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.1.11/32 -p udp -m udp --dport 32400 -m comment --comment "!fw3: PLEX (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.11/32 -p tcp -m tcp --dport 993 -m comment --comment "!fw3: IMAP (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.11/32 -p udp -m udp --dport 993 -m comment --comment "!fw3: IMAP (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.1.11/32 -p tcp -m tcp --dport 993 -m comment --comment "!fw3: IMAP (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.1.11/32 -p udp -m udp --dport 993 -m comment --comment "!fw3: IMAP (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.11/32 -p tcp -m tcp --dport 587 -m comment --comment "!fw3: SMTP (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.11/32 -p udp -m udp --dport 587 -m comment --comment "!fw3: SMTP (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.1.11/32 -p tcp -m tcp --dport 587 -m comment --comment "!fw3: SMTP (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.1.11/32 -p udp -m udp --dport 587 -m comment --comment "!fw3: SMTP (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.11/32 -p tcp -m tcp --dport 25 -m comment --comment "!fw3: SMTP (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.11/32 -p udp -m udp --dport 25 -m comment --comment "!fw3: SMTP (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.1.11/32 -p tcp -m tcp --dport 25 -m comment --comment "!fw3: SMTP (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.1.11/32 -p udp -m udp --dport 25 -m comment --comment "!fw3: SMTP (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.11/32 -p tcp -m tcp --dport 995 -m comment --comment "!fw3: 995 (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.11/32 -p udp -m udp --dport 995 -m comment --comment "!fw3: 995 (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.1.11/32 -p tcp -m tcp --dport 995 -m comment --comment "!fw3: 995 (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.1.11/32 -p udp -m udp --dport 995 -m comment --comment "!fw3: 995 (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.49/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH VM (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.1.49/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH VM (reflection)" -j SNAT --to-source 192.168.9.1
[295:51523] -A zone_lan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[1355:428336] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[210:11902] -A zone_lan_prerouting -s 192.168.1.0/24 -d PUBLIC_IP/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j DNAT --to-destination 192.168.1.11:443
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d PUBLIC_IP/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j DNAT --to-destination 192.168.1.11:443
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d PUBLIC_IP/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j DNAT --to-destination 192.168.1.11:443
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d PUBLIC_IP/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j DNAT --to-destination 192.168.1.11:443
[4:240] -A zone_lan_prerouting -s 192.168.1.0/24 -d PUBLIC_IP/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP (reflection)" -j DNAT --to-destination 192.168.1.11:80
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d PUBLIC_IP/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP (reflection)" -j DNAT --to-destination 192.168.1.11:80
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d PUBLIC_IP/32 -p tcp -m tcp --dport 51413 -m comment --comment "!fw3: TORRENT (reflection)" -j DNAT --to-destination 192.168.1.11:51413
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d PUBLIC_IP/32 -p udp -m udp --dport 51413 -m comment --comment "!fw3: TORRENT (reflection)" -j DNAT --to-destination 192.168.1.11:51413
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d PUBLIC_IP/32 -p tcp -m tcp --dport 51413 -m comment --comment "!fw3: TORRENT (reflection)" -j DNAT --to-destination 192.168.1.11:51413
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d PUBLIC_IP/32 -p udp -m udp --dport 51413 -m comment --comment "!fw3: TORRENT (reflection)" -j DNAT --to-destination 192.168.1.11:51413
[2:120] -A zone_lan_prerouting -s 192.168.1.0/24 -d PUBLIC_IP/32 -p tcp -m tcp --dport 32400 -m comment --comment "!fw3: PLEX (reflection)" -j DNAT --to-destination 192.168.1.11:32400
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d PUBLIC_IP/32 -p udp -m udp --dport 32400 -m comment --comment "!fw3: PLEX (reflection)" -j DNAT --to-destination 192.168.1.11:32400
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d PUBLIC_IP/32 -p tcp -m tcp --dport 32400 -m comment --comment "!fw3: PLEX (reflection)" -j DNAT --to-destination 192.168.1.11:32400
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d PUBLIC_IP/32 -p udp -m udp --dport 32400 -m comment --comment "!fw3: PLEX (reflection)" -j DNAT --to-destination 192.168.1.11:32400
[5:300] -A zone_lan_prerouting -s 192.168.1.0/24 -d PUBLIC_IP/32 -p tcp -m tcp --dport 993 -m comment --comment "!fw3: IMAP (reflection)" -j DNAT --to-destination 192.168.1.11:993
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d PUBLIC_IP/32 -p udp -m udp --dport 993 -m comment --comment "!fw3: IMAP (reflection)" -j DNAT --to-destination 192.168.1.11:993
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d PUBLIC_IP/32 -p tcp -m tcp --dport 993 -m comment --comment "!fw3: IMAP (reflection)" -j DNAT --to-destination 192.168.1.11:993
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d PUBLIC_IP/32 -p udp -m udp --dport 993 -m comment --comment "!fw3: IMAP (reflection)" -j DNAT --to-destination 192.168.1.11:993
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d PUBLIC_IP/32 -p tcp -m tcp --dport 587 -m comment --comment "!fw3: SMTP (reflection)" -j DNAT --to-destination 192.168.1.11:587
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d PUBLIC_IP/32 -p udp -m udp --dport 587 -m comment --comment "!fw3: SMTP (reflection)" -j DNAT --to-destination 192.168.1.11:587
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d PUBLIC_IP/32 -p tcp -m tcp --dport 587 -m comment --comment "!fw3: SMTP (reflection)" -j DNAT --to-destination 192.168.1.11:587
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d PUBLIC_IP/32 -p udp -m udp --dport 587 -m comment --comment "!fw3: SMTP (reflection)" -j DNAT --to-destination 192.168.1.11:587
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d PUBLIC_IP/32 -p tcp -m tcp --dport 25 -m comment --comment "!fw3: SMTP (reflection)" -j DNAT --to-destination 192.168.1.11:25
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d PUBLIC_IP/32 -p udp -m udp --dport 25 -m comment --comment "!fw3: SMTP (reflection)" -j DNAT --to-destination 192.168.1.11:25
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d PUBLIC_IP/32 -p tcp -m tcp --dport 25 -m comment --comment "!fw3: SMTP (reflection)" -j DNAT --to-destination 192.168.1.11:25
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d PUBLIC_IP/32 -p udp -m udp --dport 25 -m comment --comment "!fw3: SMTP (reflection)" -j DNAT --to-destination 192.168.1.11:25
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d PUBLIC_IP/32 -p tcp -m tcp --dport 995 -m comment --comment "!fw3: 995 (reflection)" -j DNAT --to-destination 192.168.1.11:995
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d PUBLIC_IP/32 -p udp -m udp --dport 995 -m comment --comment "!fw3: 995 (reflection)" -j DNAT --to-destination 192.168.1.11:995
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d PUBLIC_IP/32 -p tcp -m tcp --dport 995 -m comment --comment "!fw3: 995 (reflection)" -j DNAT --to-destination 192.168.1.11:995
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d PUBLIC_IP/32 -p udp -m udp --dport 995 -m comment --comment "!fw3: 995 (reflection)" -j DNAT --to-destination 192.168.1.11:995
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d PUBLIC_IP/32 -p tcp -m tcp --dport 23 -m comment --comment "!fw3: SSH Carlos (reflection)" -j DNAT --to-destination 192.168.1.49:22
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d PUBLIC_IP/32 -p tcp -m tcp --dport 23 -m comment --comment "!fw3: SSH Carlos (reflection)" -j DNAT --to-destination 192.168.1.49:22
[1045:242864] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[1045:242864] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[102:5888] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[39:2056] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS" -j DNAT --to-destination 192.168.1.11:443
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 443 -m comment --comment "!fw3: HTTPS" -j DNAT --to-destination 192.168.1.11:443
[5:260] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP" -j DNAT --to-destination 192.168.1.11:80
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 51413 -m comment --comment "!fw3: TORRENT" -j DNAT --to-destination 192.168.1.11:51413
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 51413 -m comment --comment "!fw3: TORRENT" -j DNAT --to-destination 192.168.1.11:51413
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 32400 -m comment --comment "!fw3: PLEX" -j DNAT --to-destination 192.168.1.11:32400
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 32400 -m comment --comment "!fw3: PLEX" -j DNAT --to-destination 192.168.1.11:32400
[3:180] -A zone_wan_prerouting -p tcp -m tcp --dport 993 -m comment --comment "!fw3: IMAP" -j DNAT --to-destination 192.168.1.11:993
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 993 -m comment --comment "!fw3: IMAP" -j DNAT --to-destination 192.168.1.11:993
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 587 -m comment --comment "!fw3: SMTP" -j DNAT --to-destination 192.168.1.11:587
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 587 -m comment --comment "!fw3: SMTP" -j DNAT --to-destination 192.168.1.11:587
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 25 -m comment --comment "!fw3: SMTP" -j DNAT --to-destination 192.168.1.11:25
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 25 -m comment --comment "!fw3: SMTP" -j DNAT --to-destination 192.168.1.11:25
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 995 -m comment --comment "!fw3: 995" -j DNAT --to-destination 192.168.1.11:995
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 995 -m comment --comment "!fw3: 995" -j DNAT --to-destination 192.168.1.11:995
[3:120] -A zone_wan_prerouting -p tcp -m tcp --dport 23 -m comment --comment "!fw3: SSH Carlos" -j DNAT --to-destination 192.168.1.49:22
COMMIT
# Completed on Tue Apr 19 17:34:24 2022

Thanks!
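The uci export above is a long list of redirects, and two things in it are easy to miss by eye: redirects that carry no `proto` option (fw3 forwards both TCP and UDP for them, which is why a UDP 443 DNAT rule sits next to the TCP one in the iptables output), and sections with `enabled '0'` that produce no rules at all. The script below is an added example, not code from OpenWrt or from the poster: it parses the text format that `uci export firewall` prints and reports those points. Its input is a constructed sample trimmed from the redirects shown above; the finding strings and the `expected_wan_dnat_rules` cross-check are this example's own.

```python
# Added example for this thread (not OpenWrt's code or the poster's): parse the
# text that `uci export firewall` prints and audit the redirect sections. The
# sample is constructed from the redirects shown in the thread, trimmed to three.
import shlex

SAMPLE_UCI = """\
package firewall

config redirect
    option dest_port '443'
    option src 'wan'
    option name 'HTTPS'
    option src_dport '443'
    option target 'DNAT'
    option dest_ip '192.168.1.11'
    option dest 'lan'

config redirect
    option src 'wan'
    option name 'HTTP'
    option src_dport '80'
    option target 'DNAT'
    option dest_ip '192.168.1.11'
    option dest 'lan'
    list proto 'tcp'
    option dest_port '80'

config redirect
    option target 'DNAT'
    list proto 'tcp'
    option src_dport '443'
    option dest_ip '192.168.1.11'
    option src 'lan'
    option dest_port '443'
    option dest 'lan'
    option name 'LAN-HTTPS'
    option src_dip 'PUBLIC_IP'
    option enabled '0'
"""


def parse_uci(text):
    """Return UCI sections as dicts: type, name (None if anonymous), options, lists."""
    sections = []
    current = None
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())  # handles quoted values such as 'SSH VM'
        if not parts or parts[0] in ("package", "#"):
            continue
        if parts[0] == "config":
            current = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                       "options": {}, "lists": {}}
            sections.append(current)
        elif parts[0] == "option" and current is not None:
            current["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and current is not None:
            current["lists"].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return sections


def redirect_protos(section):
    """Protocols a redirect applies to; fw3 treats a missing proto as tcp+udp."""
    protos = section["lists"].get("proto") or section["options"].get("proto", "").split()
    if protos == ["tcpudp"]:  # fw3 also accepts this spelling for both
        return ["tcp", "udp"]
    return protos or ["tcp", "udp"]


def audit_redirects(sections):
    """Return (redirect name, finding) tuples worth a second look."""
    findings = []
    for sec in sections:
        if sec["type"] != "redirect":
            continue
        opts = sec["options"]
        name = opts.get("name", "<unnamed>")
        if opts.get("enabled", "1") == "0":
            findings.append((name, "disabled, generates no rules"))
            continue
        if "proto" not in sec["lists"] and "proto" not in opts:
            findings.append((name, "no proto: both tcp and udp will be forwarded"))
        if opts.get("src") == "wan" and not opts.get("dest_ip"):
            findings.append((name, "wan redirect without dest_ip"))
    return findings


def expected_wan_dnat_rules(sections):
    """Number of DNAT rules fw3 emits into zone_wan_prerouting for enabled wan redirects."""
    return sum(len(redirect_protos(s)) for s in sections
               if s["type"] == "redirect" and s["options"].get("src") == "wan"
               and s["options"].get("enabled", "1") != "0"
               and s["options"].get("target", "DNAT") == "DNAT")


if __name__ == "__main__":
    parsed = parse_uci(SAMPLE_UCI)
    for name, finding in audit_redirects(parsed):
        print(f"{name}: {finding}")
    print("zone_wan_prerouting DNAT rules expected:", expected_wan_dnat_rules(parsed))
```

Run it against the real export (`uci export firewall > fw.txt` and read that file instead of the sample) and compare `expected_wan_dnat_rules` with the number of DNAT lines in `zone_wan_prerouting`; for the full config above that count is 16, matching the output. Redirects that open UDP for a TCP-only service are the usual candidates for adding `list proto 'tcp'`.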

You can remove masquerade from the lan zone, it is not needed there. There is no point redirecting 853 to 53 on the router, DNS and DoT are different protocols.
Regarding the reflection, the rules are there and they have hits.

[210:11902] -A zone_lan_prerouting -s 192.168.1.0/24 -d PUBLIC_IP/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j DNAT --to-destination 192.168.1.11:443
[4:240] -A zone_lan_prerouting -s 192.168.1.0/24 -d PUBLIC_IP/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP (reflection)" -j DNAT --to-destination 192.168.1.11:80
[6:414] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.11/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j SNAT --to-source 192.168.1.1
[4:240] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.11/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP (reflection)" -j SNAT --to-source 192.168.1.1

You should check on the server if it is dropping the packets or investigate what is going on.
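The reply above reads the reflection rules and their counters by hand, which gets error-prone with this many rules. The script below is an added example, not OpenWrt's code or the poster's: it parses `iptables-save -c -t nat` output, pairs each `(reflection)` DNAT rule in zone_lan_prerouting with the SNAT rule fw3 emits for it in zone_lan_postrouting, and flags pairs whose packet counters disagree. The sample input is constructed from the shape of the output above, with PUBLIC_IP kept as the placeholder the poster used.

```python
# Added example for this thread (not OpenWrt's code or the poster's): pair the
# "(reflection)" DNAT and SNAT rules fw3 generates in the nat table and compare
# their packet counters. The sample is constructed from the shape of the
# iptables-save -c -t nat output in the thread; PUBLIC_IP is a placeholder.
import re
import shlex

SAMPLE_NAT = """\
# Generated by iptables-save v1.8.7 (constructed sample)
*nat
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_prerouting - [0:0]
[6:414] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.11/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j SNAT --to-source 192.168.1.1
[4:240] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.11/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.49/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH VM (reflection)" -j SNAT --to-source 192.168.1.1
[210:11902] -A zone_lan_prerouting -s 192.168.1.0/24 -d PUBLIC_IP/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j DNAT --to-destination 192.168.1.11:443
[4:240] -A zone_lan_prerouting -s 192.168.1.0/24 -d PUBLIC_IP/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP (reflection)" -j DNAT --to-destination 192.168.1.11:80
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d PUBLIC_IP/32 -p tcp -m tcp --dport 23 -m comment --comment "!fw3: SSH VM (reflection)" -j DNAT --to-destination 192.168.1.49:22
[39:2056] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS" -j DNAT --to-destination 192.168.1.11:443
COMMIT
"""

RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+(-A .*)$")
# iptables flags whose following token we keep; everything else (-m tcp, -i ...) is skipped
FLAGS = {"-A": "chain", "-s": "src", "-d": "dst", "-p": "proto", "--dport": "dport",
         "--comment": "comment", "-j": "target", "--to-destination": "to_dest"}


def parse_rules(text):
    """Return one dict per `[pkts:bytes] -A ...` line; shlex keeps the quoted comment intact."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # chain declarations, comments, *nat, COMMIT
        rule = {"pkts": int(m.group(1)), "bytes": int(m.group(2)), "comment": ""}
        tokens = shlex.split(m.group(3))
        for i, tok in enumerate(tokens[:-1]):
            if tok in FLAGS:
                rule[FLAGS[tok]] = tokens[i + 1]
        rules.append(rule)
    return rules


def reflection_pairs(rules):
    """Pair each '(reflection)' DNAT rule with its SNAT partner.

    The key is (redirect name, source net, proto, server ip, server port), so two
    redirects with the same name (the thread has two called SMTP) and redirects that
    translate the port (23 -> 22 for 'SSH VM') still pair correctly.
    """
    pairs = {}
    for r in rules:
        if "(reflection)" not in r["comment"]:
            continue
        name = r["comment"].replace("!fw3:", "").replace("(reflection)", "").strip()
        if r.get("target") == "DNAT":
            server_ip, server_port = r["to_dest"].rsplit(":", 1)
            side = "dnat"
        elif r.get("target") == "SNAT":
            server_ip, server_port = r["dst"].split("/")[0], r["dport"]
            side = "snat"
        else:
            continue
        key = (name, r.get("src"), r.get("proto"), server_ip, server_port)
        pairs.setdefault(key, {"dnat": None, "snat": None})[side] = r["pkts"]
    return pairs


def mismatched_pairs(pairs):
    """Keys whose DNAT and SNAT counters differ or where one side is missing.

    Only the first packet of a new connection traverses the nat table, in PREROUTING
    and again in POSTROUTING, so a DNAT count above its SNAT partner means connections
    were rewritten on the way in but never left the router towards the server.
    """
    return sorted(k for k, v in pairs.items()
                  if v["dnat"] is None or v["snat"] is None or v["dnat"] != v["snat"])


if __name__ == "__main__":
    found = reflection_pairs(parse_rules(SAMPLE_NAT))
    odd = set(mismatched_pairs(found))
    for key, counters in sorted(found.items()):
        flag = "  <-- investigate" if key in odd else ""
        print(f"{key[0]:8} {key[1]:16} {key[2]:4} -> {key[3]}:{key[4]}  "
              f"DNAT={counters['dnat']} SNAT={counters['snat']}{flag}")
```

Feed it the real output (`iptables-save -c -t nat > nat.txt`) in place of the sample. Matching counters, as for HTTP (4 and 4) above, say the reflected connection was rewritten on entry and left towards the server; a DNAT count that runs ahead of its SNAT partner, as 210 against 6 for HTTPS above, says most of those connections were rewritten but never made it out through zone_lan_postrouting, so the place to look is between the two (filter FORWARD, routing, conntrack) rather than only on the server. Counters are also reset by every firewall reload, so compare readings taken in the same session.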