[Solved] Can't get port forwarding to work properly on OpenWRT running on Dell Wyse

Hey all, I'm having great difficulty setting up port forwarding on my Dell Wyse running OpenWRT. I am completely stumped and have been very frustrated trying to get this to work for the past few days.

To provide context, in the house there is a main network with the ISP's router where most devices live, the IP range is 192.168.1.0/24. Connected to this network is my Dell Wyse which I use as my router and firewall for a private subnet where my home server and some other mostly Linux devices live. The subnet for this stuff has the IP range 172.16.0.0/24.

My goal is to port forward a Linux web server accepting HTTP and HTTPS to the main network (192.168.1.0/24) but not the internet, and port forward a Wireguard server running on the Wyse box to the main network and to the internet.

Previously I was running just Debian GNU/Linux on the Wyse box and configured the firewall from scratch using nftables, and I was able to achieve exactly what I wanted. My setup was as follows:

  • Primary network is 192.168.1.0/24
  • My private sub network is 172.16.0.0/24
  • My web server has the static ip 172.16.0.222
  • My router redirects HTTP/HTTPS traffic that originates from WAN and is addressed to 192.168.1.189 (the static IP of my Wyse box on the main network run by the ISP router) to 172.16.0.222 on the LAN
  • Wireguard is running directly on my router, so I allow traffic to 192.168.1.189 on port 51820.
  • I port forward from the ip 192.168.1.189 on port 51820 on my ISP router so I can connect to Wireguard from the internet.

Even though this worked fine I wanted to transition my firewall to OpenWRT for easier management and to have a nice place to see metrics, logs, DHCP licenses, what devices are connected to the network, etc. I use OpenWRT on my Archer C7, which I use as a wireless access point, and I like it a lot, so I would like to use it as my firewall too. However, I cannot recreate my previous setup on OpenWRT, and I am totally stumped.

Any of the port forwarding rules I add simply do not work. The packets seem to be correctly forwarded and are not rejected by the kernel (I verified with tcpdump on my web server), but I still cannot connect to my server on 80/443 when I try to access it from the 192.168.1.0/24 network. I can 100% confirm nginx is running on 80 and 443 and I can connect from my private network just fine. I tested other ports too and have the same problem. I resorted to completely wiping my installation and starting fresh but still had the exact same problem after adding a port forwarding rule. Any guidance or help would be greatly appreciated. Thanks.

My redirect config:

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'http'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_ip '172.16.0.222'
        option dest_port '80'

tcpdump from my webserver (192.168.1.138 is the ip address of my phone connected to the main network):

scott@kamino:~% sudo tcpdump -i br0 -vn tcp port 80
tcpdump: listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:41:35.497908 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.138.63293 > 172.16.0.222.80: Flags [S], cksum 0x87d0 (correct), seq 3203677465, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2111688338 ecr 0,sackOK,eol], length 0

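An added example, not part of the original post. The capture above was taken with the filter "tcp port 80", which matches both directions, so a completed handshake would show a "Flags [S.]" reply from 172.16.0.222.80 right after the SYN; the single line shown is the inbound SYN only. A DNAT redirect from wan rewrites the destination and nothing else, so the server sees the client's real address (192.168.1.138 here) and has to route its SYN-ACK back through the OpenWrt box itself. The script below is my own: it reads tcpdump -n output (the constructed sample reuses the line from the post plus a completed handshake from a LAN client at 172.16.0.50) and lists flows where a SYN was seen but no SYN-ACK followed, which separates "the packet never arrived" from "the host did not answer".

```shell
#!/bin/sh
# Added example (not from the thread): find inbound TCP flows that received a
# SYN but never got a SYN-ACK back, from "tcpdump -n" output. A DNAT'd
# connection that reaches the server but never completes looks exactly like
# this: the SYN arrives on the host, the reply never leaves it.

half_open_flows() {
  awk '
    # Turn tcpdump "a.b.c.d.port" into "a.b.c.d:port".
    function endpoint(s,   n, p, port) {
      n = split(s, p, "."); port = p[n]
      return substr(s, 1, length(s) - length(port) - 1) ":" port
    }
    {
      # Works with both "-v" output (endpoints on their own line) and the
      # default one-line format, by locating the "src > dst: Flags [..]" fields.
      for (i = 2; i <= NF - 3; i++) {
        if ($i == ">" && $(i + 2) == "Flags") {
          src = endpoint($(i - 1))
          dst = $(i + 1); sub(/:$/, "", dst); dst = endpoint(dst)
          flags = $(i + 3); gsub(/[][,]/, "", flags)
          if (flags == "S")       syn[src " -> " dst] = 1
          else if (flags == "S.") synack[dst " -> " src] = 1   # keyed by the original direction
          break
        }
      }
    }
    END { for (k in syn) if (!(k in synack)) print k }
  ' | sort
}

# Constructed sample: the SYN from the post, then a LAN client whose
# handshake completes normally (SYN, SYN-ACK, ACK).
sample_capture() {
  cat <<'EOF'
21:41:35.497908 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.138.63293 > 172.16.0.222.80: Flags [S], cksum 0x87d0 (correct), seq 3203677465, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2111688338 ecr 0,sackOK,eol], length 0
21:41:40.102311 IP (tos 0x0, ttl 64, id 51200, offset 0, flags [DF], proto TCP (6), length 60)
    172.16.0.50.41722 > 172.16.0.222.80: Flags [S], cksum 0x1a2b (correct), seq 100, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
21:41:40.102455 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    172.16.0.222.80 > 172.16.0.50.41722: Flags [S.], cksum 0x3c4d (correct), seq 200, ack 101, win 65160, options [mss 1460,sackOK,TS val 2 ecr 1,nop,wscale 7], length 0
21:41:40.102600 IP (tos 0x0, ttl 64, id 51201, offset 0, flags [DF], proto TCP (6), length 52)
    172.16.0.50.41722 > 172.16.0.222.80: Flags [.], cksum 0x5e6f (correct), ack 201, win 502, options [nop,nop,TS val 3 ecr 2], length 0
EOF
}

# With no argument, analyse the constructed sample; otherwise a capture file.
main() {
  if [ "$#" -eq 0 ]; then sample_capture | half_open_flows; else half_open_flows < "$1"; fi
}
main "$@"
```

Run it on a saved capture (sh half_open.sh capture.txt) or on a bounded live one: sudo tcpdump -i br0 -n -c 200 'tcp port 80' > capture.txt. If the client's flow is listed, the packet did reach the host and the next place to look is the host's own reply path: ip route get 192.168.1.138 shows which interface and gateway the SYN-ACK would take, the rp_filter sysctl for that interface shows whether a strict reverse-path check could drop the SYN on ingress, and the host's nftables/iptables rule set shows whether the reply is filtered. A host with a second path to 192.168.1.0/24, or a strict reverse-path filter, produces exactly this pattern: tcpdump sees the SYN, nothing answers.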
Let's see the complete config, please.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Hey Peter, thanks for the fast reply.

ubus call system board:

{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "Intel(R) Pentium(R) Silver J5005 CPU @ 1.50GHz",
        "model": "Dell Inc. Wyse 5070 Extended Thin Client",
        "board_name": "dell-inc-wyse-5070-extended-thin-client",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "x86/64",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

/etc/config/network


config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda6:7c15:843f::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '172.16.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth4'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth4'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '0'
        option limit '100'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

/etc/config/firewall
This is missing the redirect for HTTPS and Wireguard because this is after I wiped and started over.

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'http'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_ip '172.16.0.222'
        option dest_port '80'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '2222'
        option dest_ip '172.16.0.222'
        option dest_port '2333'

I do not have any wireless configuration set up.

Thanks again.

Probably unrelated, but the start value is invalid. It is an offset from the network address - that would make the first address in the DHCP pool the .0 address which is invalid for a /24. You must also ensure that the router's address is not within the DHCP pool. This means that the minimum value for start should be 2.

This rule looks fine.

So, the things to test are:

  • verify that the host at 172.16.0.222 is up and listening on port 80.
  • verify that you can reach it via a web browser from another device on the same subnet (172.16.0.0/24)

If those are successful, please show us what you're seeing (in a web browser) when you try to connect from the upstream (specifically, what address are you entering)?


Probably unrelated, but the start value is invalid. It is an offset from the network address - that would make the first address in the DHCP pool the .0 address which is invalid for a /24. You must also ensure that the router's address is not within the DHCP pool. This means that the minimum value for start should be 2.

Yep you're right, thanks for calling that out.

verify that the host at 172.16.0.222 is up and listening on port 80.

I am 100% sure the host is up and listening on port 80

verify that you can reach it via a web browser from another device on the same subnet (172.16.0.0/24)

172.16.0.0/24 -> 172.16.0.222 This is from connecting from the private subnet to 172.16.0.222. The 404 page is expected and correct behavior.

192.168.1.0/24 -> 192.168.1.236 This is from connecting to 192.168.1.236 from the main network, which I expect to redirect me to the same 404 page. 192.168.1.236 is the IP address assigned to OpenWRT by the ISP router; I have not set up a static IP on my fresh install. I have disabled the firewall on the server to see if that was the issue, but same result.

172.16.0.0/24 -> 192.168.1.236 This is connecting to 192.168.1.236 from my private subnet 172.16.0.0/24, which redirects me to the 404 page being served from my webserver. This is also confusing behavior to me; I am not sure why it is redirecting LAN-to-LAN connections when I have set up port forwarding to redirect connections from WAN to LAN. Connecting to 192.168.1.236 from the private network should take you to the router login page, and redirects should only happen on connections from WAN / 192.168.1.0/24.

When I completely disable the firewall on the OpenWRT router I am able to get to the router login page from the main 192.168.1.0/24 network by connecting to 192.168.1.236, but that is not what I want.

Thanks for your help again, if there is anything else I can provide to help with troubleshooting let me know.
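An added example, not part of the thread. The third case above, 172.16.0.0/24 -> 192.168.1.236 landing on the web server, is OpenWrt's NAT reflection: a redirect section has option reflection enabled by default, so the router also hairpins LAN clients that connect to its wan address, and it source-NATs those reflected connections to its own LAN address (reflection_src defaults to internal). That hairpin path therefore never depends on the server finding a route back to 192.168.1.0/24, whereas the plain wan-to-lan DNAT does. The script below is my own (the section names http_main, https_main and wg_in are arbitrary); it renders a uci batch for the goals stated in the opening post and differs from the posted config in three places: the HTTP/HTTPS redirects are limited to clients in the main network with src_ip, reflection is turned off so that 192.168.1.236 from the LAN side reaches the router's own web UI, and an input rule for WireGuard on UDP 51820 replaces any redirect, since that service runs on the router itself.

```shell
#!/bin/sh
# Added example, not from the thread: fw4/uci configuration for the goals in
# the opening post. Section names http_main, https_main and wg_in are my own.
# Usage: sh fw.sh <server_ip> <main_net_cidr> [apply]
# Without "apply" it only prints the uci batch; with it, it commits and reloads.

render_uci_batch() {
  server_ip="$1"               # host behind OpenWrt, e.g. 172.16.0.222
  main_net="$2"                # upstream LAN allowed to reach it, e.g. 192.168.1.0/24
  wg_port="${WG_PORT:-51820}"  # WireGuard listen port on the router

  # One DNAT redirect per web port, matched on the client's source network.
  # reflection=0: LAN clients connecting to the router's wan address are not
  # hairpinned to the server; they reach the router (input) as the OP expects.
  for pair in http_main:80 https_main:443; do
    sec="${pair%%:*}"
    port="${pair##*:}"
    cat <<EOF
set firewall.$sec=redirect
set firewall.$sec.name='$sec'
set firewall.$sec.target='DNAT'
set firewall.$sec.src='wan'
set firewall.$sec.src_ip='$main_net'
set firewall.$sec.src_dport='$port'
set firewall.$sec.dest='lan'
set firewall.$sec.dest_ip='$server_ip'
set firewall.$sec.dest_port='$port'
set firewall.$sec.reflection='0'
add_list firewall.$sec.proto='tcp'
EOF
  done

  # WireGuard terminates on the router itself: an input rule, not a redirect.
  cat <<EOF
set firewall.wg_in=rule
set firewall.wg_in.name='Allow-WireGuard'
set firewall.wg_in.src='wan'
set firewall.wg_in.proto='udp'
set firewall.wg_in.dest_port='$wg_port'
set firewall.wg_in.target='ACCEPT'
commit firewall
EOF
}

# Number of generated lines matching a pattern; used to self-check the output.
count_matching() { render_uci_batch "$1" "$2" | grep -c -- "$3"; }

# Commit through uci, validate the generated nftables ruleset, then reload.
apply_firewall() {
  render_uci_batch "$1" "$2" | uci batch && fw4 check && /etc/init.d/firewall restart
}

if [ "$#" -ge 2 ]; then
  if [ "$3" = "apply" ]; then apply_firewall "$1" "$2"; else render_uci_batch "$1" "$2"; fi
fi
```

Two caveats. The src_ip match only does what the opening post wants if the ISP router forwards internet traffic with its original source address; if it rewrites the source to its own LAN address instead, OpenWrt cannot tell the two apart, and 80/443 must then simply not be forwarded on the ISP router. And turning reflection off removes the one path that worked in the tests above (172.16.0.0/24 -> 192.168.1.236), so LAN clients must use 172.16.0.222 directly.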

What operating system is on the host that has the web server?

The web server is running in a Docker container with a Debian Linux base image. The Docker host is also Debian Linux.

What happens if you run a service on the main/host OS instead of the container? It seems likely that the container is the problem.

SSH is running directly on the main OS, so I tried creating a port forwarding rule to redirect WAN traffic on port 2222 to my server listening on port 22. Same issue. 172.16.0.0/24 -> 172.16.0.222 works, 192.168.1.0/24 -> 192.168.1.236 does not work, and 172.16.0.0/24 -> 192.168.1.236 somehow also works.

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '2222'
        option dest_ip '172.16.0.222'
        option dest_port '22'

What about if you use port 22 as the src_dport (and of course also use that as the port when making the ssh connection)?

Same issue using port 22 to 22. Connection timed out on 192.168.1.0/24 -> 172.16.0.222. But still running tcpdump on my server at 172.16.0.222 I can see the packets are reaching my server and not dropped, but still can't make any connection. Very strange.

Ok... so try another host in the 172.16.0.0/24 network. Setup a server (could be web, ssh, etc.) on that new host and then create a port forward accordingly.

It works. I just plugged my Raspberry Pi into the network and installed nginx on it, then changed the redirect rule to the Raspberry Pi, and I can see the nginx page hosted by the Raspberry Pi by connecting to 192.168.1.236 from the main network.

I don't know why it never occurred to me to try a different host and see if I was getting the same issue. I guess I was too fixated on getting it working on my main server since that's where all my services live.

But the issue still stands on my main server. Any ideas on what could be causing this weirdness?

I don't know, but the experiment provides 100% confidence in the OpenWrt configuration. The problem is the server host, not OpenWrt. I'd recommend that you investigate all the config settings on the host -- from the host's local firewall and other security services (including antivirus software) to the configuration of the services themselves and their configurations (do they allow or prohibit connections from different subnets). It could be something with docker (as a layer) and/or with the container itself.

But, with that in mind, the one thing we can conclude is that port forwarding is working as expected on the OpenWrt side.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!

Alright, looks like I will have to investigate further and see what's up with my server. It is still very strange to me though, because I never had this issue when I was running Debian on my router and used nftables to port forward. I only ran into this issue after switching to OpenWRT, which is why I thought OpenWRT must be the problem. I didn't make any changes to any configurations or the services running on the server before I switched the OS on my router. But yeah, so far port forwarding seems to work to my Raspberry Pi.

Thank you so much for your help on this, it is much appreciated!
