[SOLVED] Firewall help: open ports to internal address

I have a femtocell device (T-Mobile cellspot) which requires UDP ports 123, 500, and 4500 to be open to the device. I've set the device to have a static lease at 192.168.1.22, but it's not clear to me how to open those ports specifically for the device. Here's what I've done with /etc/config/firewall:

config redirect
	option src		wan
	option src_dport 	123
	option dest		lan
	option dest_ip		192.168.1.22
	option dest_port	123
	option proto		udp

config redirect
	option src		wan
	option src_dport 	500
	option dest		lan
	option dest_ip		192.168.1.22
	option dest_port	500
	option proto		udp

config redirect
	option src		wan
	option src_dport 	4500
	option dest		lan
	option dest_ip		192.168.1.22
	option dest_port	4500
	option proto		udp

This does not seem to work as the device still fails to connect to T-Mobile's servers for initial setup. Am I going about opening these ports correctly?

Use putty. Read the wiki.

I have SSH access to the router already, but it's not clear why you think putty is specifically necessary.

The wiki hasn't helped me — I don't understand what the config is asking from me conceptually. As best I can tell the above is correctly configured:

  • I have the source zone name set as 'wan' and destination zone set as 'lan'
  • I have the destination port (DNAT) set for each port and proto type (UDP on 123, 500, 4500)
  • The source port matches the same as the incoming port as desired
  • The destination IP is the one statically-leased by the device (pings and checks out with nmap scan)

Perhaps you can help me from there.

Assuming you're starting with a more-or-less-default firewall configuration (i.e. 'wan' zone is unmodified, no other rules that might take precedence), try the following:

  1. add single quotes (' ') around the values
  2. add a name (not sure if this matters)
  3. add a target type

So the entries will look like this (rinse and repeat for the others):

config redirect
	option src		'wan'
	option src_dport 	'123'
	option dest		'lan'
	option dest_ip		'192.168.1.22'
	option dest_port	'123'
	option proto		'udp'
	option name		'femto_cell_123'
	option target		'DNAT'

Thanks, psherman. It turns out that my original config snippet above does work, but the femtocell needed to be reset to engage a second attempt at contacting T-Mobile's servers.

In any case, those are good suggestions to explicitly tag the config sections with a name and target.
Marking the ticket as solved if I can figure out how...
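A small audit script for threads like this one, added here as an example (not code from the thread or from OpenWrt): it parses the UCI `redirect` sections from a firewall config, accepts both the unquoted form in the first post and the quoted form with `name`/`target` suggested in the answer, reports which of the expected UDP forwards to 192.168.1.22 are missing, and flags forwards that carry no `src_ip` restriction. The `SAMPLE` config is constructed for the example and deliberately omits port 500.

```python
"""Audit OpenWrt /etc/config/firewall 'redirect' sections. Added example, not OpenWrt code; SAMPLE is constructed."""
import shlex

SAMPLE = """\
config redirect
    option src       wan
    option src_dport 123
    option dest      lan
    option dest_ip   192.168.1.22
    option proto     udp

config redirect
    option src       'wan'
    option src_dport '4500'
    option dest      'lan'
    option dest_ip   '192.168.1.22'
    option dest_port '4500'
    option proto     'udp'
    option name      'femto_cell_4500'
    option target    'DNAT'
"""

def parse_uci(text):
    """Return a list of sections; each is a dict with '.type' plus its option values."""
    sections = []
    for line in text.splitlines():
        parts = shlex.split(line)          # strips the optional ' ' or " " quoting around values
        if not parts or parts[0].startswith('#'):
            continue
        if parts[0] == 'config':
            sections.append({'.type': parts[1]})
        elif parts[0] == 'option' and sections and len(parts) >= 3:
            sections[-1][parts[1]] = parts[2]
    return sections

def audit_redirects(sections, wanted, dest_ip):
    """wanted: set of (proto, port) that must be DNATed from wan to dest_ip. Returns (missing, notes)."""
    found, notes = set(), []
    for s in (s for s in sections if s['.type'] == 'redirect'):
        label = s.get('name', f"redirect {s.get('proto')}/{s.get('src_dport')}")
        ok = (s.get('src') == 'wan' and s.get('dest') == 'lan' and s.get('dest_ip') == dest_ip
              and s.get('target', 'DNAT') == 'DNAT'                               # fw3 defaults target to DNAT
              and s.get('dest_port', s.get('src_dport')) == s.get('src_dport'))   # and dest_port to src_dport
        if ok:
            found.add((s.get('proto'), s.get('src_dport')))
        else:
            notes.append(f"{label}: does not forward wan->{dest_ip} as expected")
        if 'src_ip' not in s:
            notes.append(f"{label}: no src_ip, so any Internet host can reach the forwarded port")
    return sorted(wanted - found), notes
```

Run it against the real file with `parse_uci(open('/etc/config/firewall').read())` on the router; the `src_ip` note is informational, since the carrier's server addresses are not given in this thread.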