Server behind OpenWrt router visible on LAN but not WAN despite port forwarding

WAN is to be replaced with your WAN interface (you can check it on the interface page); assume eth0, but that depends on which interface is set as WAN and which is on br-lan.

The wan is eth1 in this config.

Thanks, I forgot that he posted it.

    tcpdump -n -i eth1 tcp port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
    22:31:44.415709 IP [External client IP] > [Public IP].80: Flags [S], seq 2732818022, win 65535, options [mss 1340,sackOK,TS val 4171930374 ecr 0,nop,wscale 9], length 0
    22:31:44.416869 IP [Public IP].80 > [External client IP]: Flags [S.], seq 1180579313, ack 2732818023, win 16384, options [mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,TS val 277993821 ecr 4171930374], length 0

Thanks for inspecting it. I'm a bit surprised that I haven't done something obviously wrong. Multiple representatives from my ISP have said that port 80 is not blocked and that it is alright to run a personal server (not a commercial server) on my plan. One of them pinged my external IP and said that it is the correct IP (given that I have dynamic DNS set up) and it is unique to me (not part of a supernet or something) and that the problem that I am having is strange.

The next step is to write it to a file and check with Wireshark what is in it.

    tcpdump -n -i eth1 tcp port 80 -w capture.cap

You then transfer that file via SCP to your PC and run it through Wireshark.

Thank you. I do not yet have Wireshark installed and have never used it before, so this will be a nice introduction to it. It will likely take me a bit . . .

It isn't necessary to install Wireshark. This is a synack packet sent from server to client. Now the client must respond with an ack to finish the TCP handshake, but it doesn't. So either the packet is dropped or lost, or the client is not doing its job properly. Most likely the first one.


Here is a sample of the Wireshark analysis.

    1   0.000000 [Public IP] → [External client IP] TCP 78 80 → 47402 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 SACK_PERM=1 WS=64 TSval=2372824251 TSecr=4172310340
    2   0.151072 [External client IP] → [Public IP] TCP 74 [TCP Port numbers reused] 47402 → 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1340 SACK_PERM=1 TSval=4172312474 TSecr=0 WS=512
    3   0.153836 [Public IP] → [External client IP] TCP 78 [TCP Retransmission] 80 → 47402 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 SACK_PERM=1 WS=64 TSval=2372824251 TSecr=4172312474
    4   0.159847 [Public IP] → [External client IP] TCP 78 80 → 47404 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 SACK_PERM=1 WS=64 TSval=1232133419 TSecr=4172310499
    5   0.360638 [External client IP] → [Public IP] TCP 74 [TCP Port numbers reused] 47404 → 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1340 SACK_PERM=1 TSval=4172312686 TSecr=0 WS=512
    6   0.361348 [Public IP] → [External client IP] TCP 78 [TCP Retransmission] 80 → 47404 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 SACK_PERM=1 WS=64 TSval=1232133419 TSecr=4172312686
    7   4.201140 [External client IP] → [Public IP] TCP 74 [TCP Retransmission] [TCP Port numbers reused] 47402 → 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1340 SACK_PERM=1 TSval=4172316528 TSecr=0 WS=512
    8   4.203801 [Public IP] → [External client IP] TCP 78 [TCP Retransmission] 80 → 47402 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 SACK_PERM=1 WS=64 TSval=2372824259 TSecr=4172316528
    9   4.411275 [External client IP] → [Public IP] TCP 74 [TCP Retransmission] [TCP Port numbers reused] 47404 → 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1340 SACK_PERM=1 TSval=4172316740 TSecr=0 WS=512
   10   4.412028 [Public IP] → [External client IP] TCP 78 [TCP Retransmission] 80 → 47404 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 SACK_PERM=1 WS=64 TSval=1232133428 TSecr=4172316740
   11   5.998970 [Public IP] → [External client IP] TCP 78 [TCP Retransmission] 80 → 47402 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 SACK_PERM=1 WS=64 TSval=2372824263 TSecr=4172316528
   12   6.158982 [Public IP] → [External client IP] TCP 78 [TCP Retransmission] 80 → 47404 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 SACK_PERM=1 WS=64 TSval=1232133431 TSecr=4172316740
   13  12.311668 [External client IP] → [Public IP] TCP 74 [TCP Retransmission] [TCP Port numbers reused] 47402 → 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1340 SACK_PERM=1 TSval=4172324633 TSecr=0 WS=512
   14  12.314546 [Public IP] → [External client IP] TCP 78 [TCP Retransmission] 80 → 47402 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 SACK_PERM=1 WS=64 TSval=2372824275 TSecr=4172324633
   15  12.522127 [External client IP] → [Public IP] TCP 74 [TCP Retransmission] [TCP Port numbers reused] 47404 → 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1340 SACK_PERM=1 TSval=4172324848 TSecr=0 WS=512
   16  12.524592 [Public IP] → [External client IP] TCP 78 [TCP Retransmission] 80 → 47404 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 SACK_PERM=1 WS=64 TSval=1232133444 TSecr=4172324848
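The pattern the capture above and the earlier reply describe (client SYN, server SYN-ACK, never a final ACK, both sides retransmitting) can be checked mechanically. This is an added example, not code from the thread: a small Python parser over constructed tcpdump-style lines in the same shape as the router capture, tracking each flow's handshake and reporting the flows the server answered but the client never completed. The addresses and ports are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (placeholder addresses, not the poster's).
# Flow 47402 shows the thread's symptom: SYN, SYN-ACK, retransmissions, no ACK.
# Flow 51000 is a healthy handshake for comparison.
SAMPLE = """\
22:31:44.415709 IP 203.0.113.10.47402 > 198.51.100.5.80: Flags [S], seq 2732818022, win 65535, length 0
22:31:44.416869 IP 198.51.100.5.80 > 203.0.113.10.47402: Flags [S.], seq 1180579313, ack 2732818023, win 16384, length 0
22:31:45.420113 IP 203.0.113.10.47402 > 198.51.100.5.80: Flags [S], seq 2732818022, win 65535, length 0
22:31:45.421007 IP 198.51.100.5.80 > 203.0.113.10.47402: Flags [S.], seq 1180579313, ack 2732818023, win 16384, length 0
22:31:50.100000 IP 203.0.113.20.51000 > 198.51.100.5.80: Flags [S], seq 100, win 65535, length 0
22:31:50.101000 IP 198.51.100.5.80 > 203.0.113.20.51000: Flags [S.], seq 200, ack 101, win 16384, length 0
22:31:50.150000 IP 203.0.113.20.51000 > 198.51.100.5.80: Flags [.], ack 201, win 128, length 0
"""

# Matches the start of a tcpdump TCP line: timestamp, endpoints, TCP flags.
LINE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]")


def analyse(text):
    """Track the three-way handshake per flow, keyed by (initiator, responder)."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": False})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst, flags = m["src"], m["dst"], m["flags"]
        if flags == "S":                      # client SYN (retransmissions counted too)
            flows[(src, dst)]["syn"] += 1
        elif flags == "S.":                   # server SYN-ACK: flow key is reversed
            flows[(dst, src)]["synack"] += 1
        elif "." in flags and "S" not in flags and "R" not in flags:
            if (src, dst) in flows:           # ACK from the initiator completes it
                flows[(src, dst)]["ack"] = True
    return flows


def half_open(flows):
    """Flows the server answered with a SYN-ACK that the client never ACKed."""
    return sorted(k for k, v in flows.items() if v["synack"] and not v["ack"])


if __name__ == "__main__":
    flows = analyse(SAMPLE)
    for client, server in half_open(flows):
        f = flows[(client, server)]
        print(f"{client} -> {server}: {f['syn']} SYN, {f['synack']} SYN-ACK, no ACK "
              "(SYN-ACK probably not reaching the client)")
```

Run the same parser over a capture taken on the client side: if the SYN-ACKs never appear there, they are being dropped on the return path rather than ignored by the client.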

On your server, can you run

    pfctl -sr # Show the current ruleset

Perhaps pf is blocking the connections?

    pfctl -sr

    block return all
    pass all flags S/SA
    block return in on ! lo0 proto tcp from any to any port 6000:6010
    block return out log proto tcp all user = 55
    block return out log proto udp all user = 55

Can you try

    service pf stop

and then see if it works, please?

It is the same: the client never sends an ACK to the SYN-ACK sent by the server.


I disabled pf with pfctl -d and the result is the same.

Try from a different client and internet connection, just to be sure.

Thanks, trendy. While pf was down I tried from a workstation and from two different phones (with two different browsers) on an LTE connection.

And what was the outcome?

The outcome of all attempts was that the requested connection timed out. In browsers I got messages like: "Unable to load page. Error while opening [redacted URL]. ERR_TIMED_OUT", "The request timed out. NSURLErrorDomain" and "Your connection was interrupted. A network change was detected. ERR_NETWORK_CHANGED".

And do you see the same behaviour in tcpdump? One SYN from client to server and then one SYN-ACK from server to client?

Yes. Regardless of the type of client or the network it is on, whether the client is behind a VPN or not, or whether pf is disabled on the server, the pattern is a SYN from client to server and then a SYN-ACK from server to client, alternating repeatedly.

  1. Check with tcpdump on the client to see what you get.
  2. As you are opening your web server on a public IP, there is nothing to lose by posting your public IP; security (e.g. with banIP or a reverse proxy) you have to ensure anyway. So maybe let us know your IP and we can test from our devices.