Replace the firewall.user

I am at a loss. Switching to fw4 forces me to replace firewall.user.
Here's how it worked perfectly:
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 4431 -d $WAN -j DNAT --to 192.168.166.11
If I disable that rule and instead enable the following in /etc/config/firewall, it doesn't work:
config redirect
option target 'DNAT'
option proto 'tcp'
option src 'wan'
option src_dport '4431'
option dest 'dmz'
option dest_ip '192.168.166.11'
option dest_port '4431'

What am I doing wrong? Who can help?

In the iptables rule you are matching on the IP address of the WAN interface and inserting the rule directly into PREROUTING.
The UCI redirect instead applies to every interface that belongs to the wan firewall zone.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

# Diagnostic bundle requested above: board/release info, the network and
# firewall UCI trees, and the active nftables ruleset. The output reveals the
# internal addressing and the zone layout, which is why the request asks for
# passwords, MAC addresses and public IPs to be redacted before posting.
ubus call system board; \
uci export network; uci export firewall; \
nft list ruleset

I previously had a snapshot on it, so it still works with iptables.
I would like to set this up on another router, but with the fw4 implementation I have the same problem.

{
        "kernel": "5.10.146",
        "hostname": "router-home1",
        "system": "ARMv8 Processor rev 4",
        "model": "Linksys E8450 (UBI)",
        "board_name": "linksys,e8450-ubi",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.2",
                "revision": "r19803-9a599fee93",
                "target": "mediatek/mt7622",
                "description": "OpenWrt 22.03.2 r19803-9a599fee93"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd79:105b:269a::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        option bridge_empty '1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1'
        list ports 'lan2'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.115.1'
        option netmask '255.255.255.0'
        option delegate '0'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan4:u*'

config interface 'dmz'
        option device 'br-lan.3'
        option proto 'static'
        option ipaddr '192.168.166.1'
        option netmask '255.255.255.0'
        option delegate '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '4'
        list ports 'lan1:t'
        list ports 'lan2:t'

config interface 'gast'
        option device 'br-lan.4'
        option proto 'static'
        option ipaddr '192.168.177.1'
        option netmask '255.255.255.0'
        option delegate '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '5'
        list ports 'lan1:t'
        list ports 'lan2:t'

config interface 'iot'
        option device 'br-lan.5'
        option proto 'static'
        option ipaddr '192.168.188.1'
        option netmask '255.255.255.0'
        option delegate '0'
...

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '0'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'dmz'

config forwarding
        option src 'lan'
        option dest 'gast'

config forwarding
        option src 'lan'
        option dest 'iot'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config zone
        option name 'dmz'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option log '1'
        option masq '1'
        list network 'dmz'

config forwarding
        option src 'dmz'
        option dest 'wan'

config forwarding
        option src 'dmz'
        option dest 'lan'

config forwarding
        option src 'dmz'
        option dest 'iot'

config zone
        option name 'gast'
        option output 'ACCEPT'
        option forward 'REJECT'
        option log '1'
        option masq '1'
        option input 'ACCEPT'
        list network 'gast'

config forwarding
        option src 'gast'
        option dest 'wan'

config zone
        option name 'iot'
        option output 'ACCEPT'
        option forward 'REJECT'
        option log '1'
        option masq '1'
        option input 'ACCEPT'
        list network 'iot'

config forwarding
        option src 'iot'
        option dest 'wan'

config forwarding
        option src 'iot'
        option dest 'lan'

config forwarding
        option src 'iot'
        option dest 'dmz'
...

config redirect
        option name 'nc 4431'
        option target 'DNAT'
        option proto 'tcp'
        option src 'wan'
        option src_dport '4431'
        option dest 'dmz'
        option dest_ip '192.168.166.11'
        option dest_port '4431'

config rule
        option name 'allow nc 4431'
        option target 'ACCEPT'
        option proto 'tcp'
        option src '*'
        option src_port '4431'
        option dest 'dmz'
        option dest_ip '192.168.166.11'
        option dest_port '4431'
...
/etc/init.d/firewall restart
Warning: Section @defaults[0] requires unavailable target extension FLOWOFFLOAD, disabling
Warning: Section @defaults[0] requires unavailable target extension FLOWOFFLOAD, disabling
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv4 raw table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'allow nc 4431'
...
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.

I have the same problem with forwarding to the mail and xmpp server

You should not need masquerading on this zone, and I believe that is why the port forwarding is failing. Try turning this option off.

After turning it off in firewall.user and restarting the firewall, I have the same problem.

Are there any other things in firewall.user?

As I look through your firewall file, I see masquerading enabled on the other zones, too. It should only be enabled on the wan zone. The others should not have it.

Also, you appear to have redirect (port forwarding) as well as a traffic rule for the same port. Remove the rule.

sorry, didn't help

 * Populating IPv4 raw table
   * Zone 'lan'
     - Using automatic conntrack helper attachment
   * Zone 'wan'
   * Zone 'dmz'
     - Using automatic conntrack helper attachment
   * Zone 'gast'
     - Using automatic conntrack helper attachment

In firewall.user I still handle the forwarding for the mail and XMPP servers, as well as the OpenVPN tun+ rules.

let's see the latest firewall and firewall.user files.

firewall.user

# firewall.user
# Legacy hook script. The restart log earlier in this thread shows fw3 running
# it ("Running script '/etc/firewall.user'"); whether fw4 executes this file at
# all is not shown on this page — confirm before relying on it.
# Lines consisting of "..." are omissions in the paste, not shell syntax.
LAN=$(uci get network.lan.ipaddr)
# $LAN is not referenced by any rule visible here (the elided parts may use it).
# The WAN address is scraped from ifconfig text. The wan interface is DHCP
# (see the network config above), so this value is only as current as the last
# firewall restart; if the parse yields an empty string, "-d $WAN" below
# expands to a bare "-d" and iptables rejects the rule.
WAN=$(ifconfig wan | grep inet | awk '{print $2}' | awk -F 'addr:' '{print $2}')

# SMTP Server
# DNAT bound to the current WAN IP rather than to the wan zone; this is the
# behavioural difference from a UCI "config redirect" with src 'wan'.
iptables -t nat -A PREROUTING -p tcp --dport 25  -d $WAN -j DNAT --to 192.168.166.30
...
# HTTPS, NC
# Same pattern as above; the UCI redirect named 'nextcloud 4431' later in the
# thread is the declarative replacement for this line.
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 4431 -d $WAN -j DNAT --to 192.168.166.11
...
# openvpn
# The nat table in the iptables-save listing below contains zone_wan_prerouting
# and prerouting_wan_rule but no chain named prerouting_wan, and input_wan is
# not a chain fw3 creates either (filter table not shown here). These two lines
# are therefore the likely source of the two
# "iptables: No chain/target/match by that name." errors in the restart log.
/usr/sbin/iptables -A input_wan -p tcp --dport 995 -j ACCEPT
/usr/sbin/iptables -t nat -A prerouting_wan -p tcp --dport 995 -j ACCEPT
# "-I" inserts at the head of the built-in chains, so traffic on any interface
# matching tun* is accepted in INPUT, OUTPUT and FORWARD in both directions
# before any zone policy is evaluated. This is broader than a zone-scoped rule;
# putting the tunnel interface into its own zone with explicit forwardings
# keeps the default REJECT policy in control of what the VPN may reach.
/usr/sbin/iptables -I OUTPUT -o tun+ -j ACCEPT
/usr/sbin/iptables -I FORWARD -o tun+ -j ACCEPT
/usr/sbin/iptables -I INPUT -i tun+ -j ACCEPT
/usr/sbin/iptables -I FORWARD -i tun+ -j ACCEPT
...

For many years, up to version 21, everything ran perfectly; now with the switch to fw4 / version 22 it doesn't work. Sorry, I'm still a layman here.

It seems to me that all of these can be expressed with the higher-level firewall configuration (redirect and rule sections) instead of firewall.user.

Let's get one thing working at a time... let's focus on the service on 192.168.166.11 @ port 4431.

Can you post the latest /etc/config/firewall file for review?

You forgot to paste this.

nft list ruleset is empty, so this is obviously still fw3.

...
config redirect
	option name 'nextcloud 4431'
	option target 'DNAT'
	option proto 'tcp'
	option src 'wan'
	option src_dport '4431'
	option dest 'dmz'
	option dest_ip '192.168.166.11'
	option dest_port '4431'
...
config rule
	option name 'allow DHCP'
	option target 'ACCEPT'
	option proto 'udp'
	option family 'ipv4'
	option src '*'
	option src_port '67-68'
	option dest_port '67-68'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
...

In principle, nothing has changed compared to what I posted above.
What should the solution look like if I omit firewall.user entirely?
Obviously the redirect isn't working.

22.03 uses fw4.
Then what is the output of iptables-save -c?

iptables-save -c
# Generated by iptables-save v1.8.7 on Fri Jan 13 10:05:15 2023
*nat
:PREROUTING ACCEPT [199163:23596897]
:INPUT ACCEPT [67794:4429531]
:OUTPUT ACCEPT [11295:838462]
:POSTROUTING ACCEPT [91874:5567547]
:postrouting_dmz_rule - [0:0]
:postrouting_gast_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_dmz_rule - [0:0]
:prerouting_gast_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_dmz_postrouting - [0:0]
:zone_dmz_prerouting - [0:0]
:zone_gast_postrouting - [0:0]
:zone_gast_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[0:0] -A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 465 -j DNAT --to-destination 192.168.166.xxx
[645:38628] -A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 587 -j DNAT --to-destination 192.168.166.xxx
[1138:68132] -A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 993 -j DNAT --to-destination 192.168.166.xxx
[90:5339] -A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 5223 -j DNAT --to-destination 192.168.166.xxx
[1669:100104] -A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 5222 -j DNAT --to-destination 192.168.166.xxx
[494:29640] -A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 5269 -j DNAT --to-destination 192.168.166.xxx
[11:512] -A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 5000 -j DNAT --to-destination 192.168.166.xxx
[0:0] -A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 5281 -j DNAT --to-destination 192.168.166.xxx
[0:0] -A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 3478 -j DNAT --to-destination 192.168.166.xxx
[0:0] -A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 5349 -j DNAT --to-destination 192.168.166.xxx
[891:50972] -A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 4431 -j DNAT --to-destination 192.168.166.xxx
[[213159:24755954] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[18:7306] -A PREROUTING -i br-lan.1 -m comment --comment "!fw3" -j zone_lan_prerouting
[8499:361635] -A PREROUTING -i wan -m comment --comment "!fw3" -j zone_wan_prerouting
[105298:7944534] -A PREROUTING -i br-lan.3 -m comment --comment "!fw3" -j zone_dmz_prerouting
[13964:2142648] -A PREROUTING -i br-lan.4 -m comment --comment "!fw3" -j zone_gast_prerouting
[0:0] -A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 465 -j DNAT --to-destination 192.168.166.xxx
[0:0] -A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 587 -j DNAT --to-destination 192.168.166.xxx
[0:0] -A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 993 -j DNAT --to-destination 192.168.166.xxx
[0:0] -A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 5223 -j DNAT --to-destination 192.168.166.xxx
[0:0] -A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 5222 -j DNAT --to-destination 192.168.166.xxx
[0:0] -A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 5269 -j DNAT --to-destination 192.168.166.xxx
[0:0] -A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 5000 -j DNAT --to-destination 192.168.166.xxx
[0:0] -A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 5281 -j DNAT --to-destination 192.168.166.xxx
[0:0] -A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 3478 -j DNAT --to-destination 192.168.166.xxx
[0:0] -A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 5349 -j DNAT --to-destination 192.168.166.xxx
[0:0] -A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 4431 -j DNAT --to-destination 192.168.166.xxx
[114088:7373540] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[2796:168806] -A POSTROUTING -o br-lan.1 -m comment --comment "!fw3" -j zone_lan_postrouting
[21968:1791233] -A POSTROUTING -o wan -m comment --comment "!fw3" -j zone_wan_postrouting
[9774:603651] -A POSTROUTING -o br-lan.3 -m comment --comment "!fw3" -j zone_dmz_postrouting
[0:0] -A POSTROUTING -o br-lan.4 -m comment --comment "!fw3" -j zone_gast_postrouting
[9774:603651] -A zone_dmz_postrouting -m comment --comment "!fw3: Custom dmz postrouting rule chain" -j postrouting_dmz_rule
[244:14640] -A zone_dmz_postrouting -s 192.168.166.0/24 -d 192.168.166.xxx/32 -p tcp -m tcp --dport 4431 -m comment --comment "!fw3: nextcloud 4431 (reflection)" -j SNAT --to-source 192.168.166.1
[105298:7944534] -A zone_dmz_prerouting -m comment --comment "!fw3: Custom dmz prerouting rule chain" -j prerouting_dmz_rule
[0:0] -A zone_dmz_prerouting -s 192.168.16.0/24 -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 4431 -m comment --comment "!fw3: nextcloud 4431 (reflection)" -j DNAT --to-destination 192.168.166.xxx:4431
...
[8499:361635] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 4431 -m comment --comment "!fw3: nextcloud 4431" -j DNAT --to-destination 192.168.166.xxx:4431
COMMIT
# Completed on Fri Jan 13 10:05:15 2023
# Generated by iptables-save v1.8.7 on Fri Jan 13 10:05:15 2023
*raw
:PREROUTING ACCEPT [3364259:2714632802]
:OUTPUT ACCEPT [235270:31233029]
:zone_dmz_helper - [0:0]
:zone_gast_helper - [0:0]
[28986:9288902] -A PREROUTING -i br-lan.1 -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[1161495:175567296] -A PREROUTING -i br-lan.3 -m comment --comment "!fw3: dmz CT helper assignment" -j zone_dmz_helper
[14935:2453926] -A PREROUTING -i br-lan.4 -m comment --comment "!fw3: gast CT helper assignment" -j zone_gast_helper
COMMIT
# Completed on Fri Jan 13 10:05:15 2023
# Generated by iptables-save v1.8.7 on Fri Jan 13 10:05:15 2023
*mangle
:PREROUTING ACCEPT [3364179:2714625879]
:INPUT ACCEPT [295934:44091883]
:FORWARD ACCEPT [3026526:2657051609]
:OUTPUT ACCEPT [235244:31231621]
:POSTROUTING ACCEPT [3264453:2690147595]
...

The rule is there and has some hits.

Is this from 22.03 or 21.02?

actual from 22.03

Did you modify the image to include iptables?
If not, where did you download the image from?

my upgrade