Trying to do something pretty simple - OpenConnect is running on my router on port 4443. I want any WAN IPv4 inbound 443 traffic to be redirected to it.
I'm 99.9% certain this worked before the switch to nftables, but whatever the case, it's definitely not working now.
Here's the defined rule (my router's internal IP is 172.16.0.1):
config redirect
option dest 'lan'
option target 'DNAT'
option name 'OpenConnect'
option src 'wan'
option src_dport '443'
list proto 'tcp'
list proto 'udp'
option dest_ip '172.16.0.1'
option dest_port '4443'
With this rule in place, the port appears blocked to the outside world. The service is definitely listening on the proper port:
I've done this on one of my systems, but I found that I had to actually redirect to the wan zone and wan address. Try it and let me know if that helps.
After pointing the destination back to the WAN zone, whether I specify the external IP (which is dynamic, and would be a problem in and of itself) or 'any', I get the same result - a port scanner sees it as 'open' (yay!), but nothing can actually connect to it at a socket level (boo!).
I didn't check to see if also opening 4443 to the world would resolve that, because that shouldn't be necessary and would represent serious brokenness in FW4.
I truly believe this is a FW4 bug/implementation deficit of some form, but I'm not yet proficient enough with nftables to properly debug.
I made some tests (using rc4) with a similar configuration and both variants seem to work.
DNAT rule to forward requests to port 443 on the wan interface to port 22 on the LAN interface.
config redirect
option target 'DNAT'
list proto 'tcp'
option src 'wan'
option dest_port '22'
option src_dport '443'
option name 'Test1'
option dest 'lan'
option dest_ip '192.168.92.1'
option reflection '0'
A redirect rule to forward requests to port 80 on the wan interface to port 22 of the same interface.
BTW, you don't need to specify the IP address of the wan interface in the rule. The request will be forwarded to the current IP address of the incoming (wan) interface.
config redirect
option target 'DNAT'
list proto 'tcp'
option src 'wan'
option src_dport '80'
option dest_port '22'
option name 'Test2'
option reflection '0'
Both rules are created in the dstnat_wan chain, so you could check the hits.
root@OpenWrt:~# nft list chain inet fw4 dstnat_wan
table inet fw4 {
chain dstnat_wan {
meta nfproto ipv4 tcp dport 443 counter packets 2 bytes 120 dnat ip to 192.168.92.1:22 comment "!fw4: Test1"
meta nfproto ipv4 tcp dport 80 counter packets 3 bytes 180 redirect to :22 comment "!fw4: Test2"
}
}
Keep in mind that both rules require additional rules in the forward_wan and input_wan chains to work properly, but they should be available by default.
root@OpenWrt:~# nft list chain inet fw4 forward_wan | grep dnat
ct status dnat accept comment "!fw4: Accept port forwards"
root@OpenWrt:~# nft list chain inet fw4 input_wan | grep dnat
ct status dnat accept comment "!fw4: Accept port redirections"