[SOLVED]Help Port forwarding configuration

I have a wrt1900acs V2 running OpenWrt 18.06.1 r7258-5eb055306f / LuCI openwrt-18.06 branch (git-18.228.31946-f64b152)
I am trying to make a device on the internal network available externally via SSH to a single external IP. When I try to connect, the connection times out.

network config;

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd33:e992:01f6::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option delegate '0'

config interface 'wan'
	option proto 'pppoe'
	option username '***********@plusdsl.net'
	option password '************'
	option ifname 'eth1.2'
	option delegate '0'
	option ipv6 '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'
	option vid '2'

firewall;

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option dest_ip '192.168.1.50'
	option dest_port '22'
	option name 'SSH-to-HA'
	option src_ip '*.*.*.*'
	option proto 'tcp udp'
	option src_dport '22'

Please, what have I missed? This is driving me nuts.

Remove that line.

That is the IP that is allowed to connect. I have removed the actual IP for obvious reasons. That bit seems to work, because if I try to connect from another IP I get 'connection refused'.

It's temporary for testing:
https://www.google.com/search?q=nmap+online

OK, removed the source IP, used an online scanner and get status 'filtered'.
Tried to connect again, but it times out. Reapplying the source restriction as I do not want the world battering the port.

Add port opening rule for some active service (SSH/HTTP/HTTPS) and test it.
If that won't work, then something is blocking your traffic, most likely NAT.

Interesting... HTTP worked OK. SSH forwarding used to work fine with the previous router (Billion 7800); nothing else has changed, so I strongly suspect there is a config error somewhere. Also tried SSH forwarding to other devices on the internal network just to rule out a single device. Any suggestions for debugging the connection through the router?
Also tried forwarding port 22 to 2222 on WAN, but that timed out as well.

Is dropbear listening on port 22?

Is the host you're forwarding to using the OpenWrt router as default route?
I am asking because a timeout hints at a possible problem with the return route.

I think the problem is the SSH daemon (dropbear) on the router. Normally it is listening on port 22. I would change the source destination port to 2222 or something else.

Doh! ...I think you are probably right. I am at work now (and cannot remote in!) Will check later and report.

NAT-rules override local services:
https://en.wikipedia.org/wiki/Iptables#/media/File:Netfilter-packet-flow.svg

I didn't think that Plusnet allowed ports below 1024 to propagate on the network, did it?

On nftables I use:

	tcp dport 12345 dnat to 192.168.2.111:ssh

To have to ssh to port 12345, but then that gets forwarded internally to my NAS, on the ssh port. I've tested this and it works ...

There's already enough chaos and uncertainty in the topic.
If we add nftables it will become complete mess.

@vgaetera No I didn't say use nftables. What I said is that externally on the wan which is plusnet, I believe they don't allow ports below 1024 to propagate. This would cause the problem seen, so is a possible cause.

Both the original poster and I are using dnat to do the connection.

I don't believe the implementation, be it iptables or nftables is important here.
Plusnet broadband firewall

People thank you soooo much for all your suggestions.
I cannot believe I missed it, but the problem was caused by the wrong gateway on the internal clients. I was so convinced the problem was with the OpenWrt config. Changed router but disengaged brain!
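As an added example (not from this thread or from OpenWrt itself), here is a small Python checker that parses UCI text like the snippets posted above and reports the router-side things reviewers raised: a DNAT `dest_ip` outside every LAN subnet, a redirect with no `src_ip` restriction, and a `src_dport` that collides with a router-local service such as dropbear on 22 (which the DNAT rule wins over, as the netfilter flow diagram linked earlier shows). The sample configs are constructed from the thread's values, with a documentation address standing in for the masked `src_ip`; the fault actually found here (a wrong default gateway on the client) lives off the router and is outside what any config-only check can see.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's config (src_ip is a documentation
# address standing in for the masked one).
NETWORK = """config interface 'lan'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
"""
FIREWALL = """config redirect
	option target 'DNAT'
	option src 'wan'
	option dest_ip '192.168.1.50'
	option dest_port '22'
	option name 'SSH-to-HA'
	option src_ip '203.0.113.7'
	option src_dport '22'
"""

def parse_uci(text):
    """Parse UCI text into (section_type, options); 'list' keys collect into lists."""
    sections = []
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"config\s+(\w+)", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = re.match(r"(option|list)\s+(\w+)\s+'(.*)'$", line)
        if m and sections:
            kind, key, val = m.groups()
            if kind == "list":
                sections[-1][1].setdefault(key, []).append(val)
            else:
                sections[-1][1][key] = val
    return sections

def check_redirects(network_text, firewall_text, local_ports=(22,)):
    """Flag DNAT redirects whose target is off-LAN, unrestricted, or shadows a local port."""
    lan_nets = [ipaddress.ip_network(f"{o['ipaddr']}/{o['netmask']}", strict=False)
                for t, o in parse_uci(network_text) if t == "interface" and "netmask" in o]
    findings = []
    for t, o in parse_uci(firewall_text):
        if t != "redirect" or o.get("target", "DNAT") != "DNAT":
            continue
        name = o.get("name", "<unnamed>")
        dest = ipaddress.ip_address(o["dest_ip"])
        if not any(dest in n for n in lan_nets):
            findings.append(f"{name}: dest_ip {dest} is not inside any LAN subnet")
        if "src_ip" not in o:
            findings.append(f"{name}: no src_ip restriction, reachable from any source")
        if int(o.get("src_dport", 0)) in local_ports:
            findings.append(f"{name}: src_dport shadows a router-local service (DNAT wins)")
    return findings
```

Run `check_redirects(NETWORK, FIREWALL)` against the real `/etc/config/network` and `/etc/config/firewall` contents to get the same findings for a live router.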

If your problem is solved, please consider marking this topic as [Solved]. (Click the pencil behind the topic...)
