[Solved] Port forwarding doesn't work

I just switched from an old Asus router running Tomato, to Nanopi R4S running OpenWRT. Everything runs fine, devices have access to internet, except for port forwarding. I can't reach any LAN device from the internet.

In my case I have a router from ISP, which assigns a private IP address to my OpenWRT (192.168.64.XXX; it did the same to my Asus), and my OpenWRT assigns my LAN IPs (192.168.0.XXX; again, same as Asus did).

With Asus, if I needed to forward a port, I would just create a new rule, provide protocol (TCP), external port (5001 in my case), internal IP (192.168.0.143 in my case), give it a name, and done. Port forwarding works, regardless of whether I had two routers (ISP's + mine) in the chain.
But not in OpenWRT. I can't make this thing send any such packets from internet to my server :frowning:

I left firewall rules on OpenWRT on default, just created a new port forwarding rule as per numerous guides I found on the internet: in LuCI I specified source zone (WAN), destination zone (LAN), external port, internal port, internal IP address and gave it a name. No go. My port still shows as closed by all online port-checkers, and I can't connect to my server using a device on the internet.

How does one make OpenWRT forward a port so that it actually works??

P.S.: My ISP lets me set up port forwarding rules on their device via webUI, and the port forwarding settings on the ISP device have remained the same when switching from the Asus router with Tomato (where port forwarding worked without issues) to openWRT.
Oh, and the service on port 5001 works fine if I access from LAN using internal IP and port number (192.168.0.143:5001).

Let's make sure that everything is configured properly on OpenWrt:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ifstatus wan | grep address

ubus call system board

{
        "kernel": "5.15.167",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "FriendlyElec NanoPi R4S",
        "board_name": "friendlyarm,nanopi-r4s",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "rockchip/armv8",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc8:3bf3:b9ac::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        option ipv6 '0'
        option promisc '1'

config device
        option name 'eth1'
        option macaddr <redacted>

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0'
        option macaddr <redacted>

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option family 'ipv4'
        option masq '1'
        list network 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'DSM'
        list proto 'tcp'
        option src 'wan'
        option src_dport '5001'
        option dest_ip '192.168.0.143'
        option dest_port '5001'

config rule
        option name 'DSM'
        option src 'wan'
        option target 'ACCEPT'
        option dest_port '5001'

ifstatus wan | grep address

                "addresses",
        "ipv4-address": [
                        "address": "192.168.64.102",
        "ipv6-address": [
                "ipv4-address": [
                "ipv6-address": [

First things first:

Make sure that the ISP router is port forwarding to the address above. This is absolutely critical.

Next, remove the promiscuous option from below:

Next, make sure that the host that is actually hosting the service is indeed at 192.168.0.143 and also verify that it is listening for inbound connections on TCP port 5001. One good method to verify is to ensure that you can access it from another device on the 192.168.0.0/24 network by directly entering 192.168.0.143 as the address.

Delete the rule below:

Don't forget to reboot after making the changes and then test after the reboot.

Well... this is awkward. I'll start with me not being a complete idiot, and then do a full turnaround.

I deleted traffic rule.
Host service is running on 192.168.0.143:5001 and can be accessed from LAN.
I removed promiscuous option.

...and then I went back to check forwarding rules on the ISP's device. They're IP based. When I unplugged my old Asus and plugged in OpenWRT, for some reason I expected OpenWRT would be assigned the same IP. It didn't, the IP changed from .101 to .102.

I went back and re-wrote all forwarding rules on the ISP side, and created very simple rules on the OpenWRT side (I specified only ext port and target IP, nothing else). Port forwarding now works as expected.
Thank you for all the help and for making me go back to double-check settings on ISP's device!
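The checklist in the answer above (the ISP router must forward to the address `ifstatus wan` reports, and the extra traffic rule is not needed for a DNAT redirect) and the root cause in the follow-up (the WAN lease moved from .101 to .102) as an added, runnable script. This is my example, not something posted in the thread; the firewall snippet embedded in it is a constructed copy of the thread's redirect and rule so it runs offline, and on a real router you would feed it `/etc/config/firewall` and the `ifstatus wan` address instead.

```shell
#!/bin/sh
# Constructed sample: the thread's DNAT redirect plus the redundant 'DSM' traffic rule.
make_sample_fw() {
  cat <<'EOF'
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'DSM'
        list proto 'tcp'
        option src 'wan'
        option src_dport '5001'
        option dest_ip '192.168.0.143'
        option dest_port '5001'

config rule
        option name 'DSM'
        option src 'wan'
        option target 'ACCEPT'
        option dest_port '5001'
EOF
}

# Flatten UCI syntax from stdin into one line per section: "type key=value key=value ..."
flatten_uci() {
  awk '/^config / { if (sec != "") print sec; sec = $2 }
       $1 == "option" || $1 == "list" { gsub(/\047/, "", $3); sec = sec " " $2 "=" $3 }
       END { if (sec != "") print sec }'
}

# Print every DNAT redirect as "proto ext_port -> dest_ip:dest_port" (what LuCI configured).
list_redirects() {
  flatten_uci | awk '$1 == "redirect" && / target=DNAT/ {
    p = sp = ip = dp = ""
    for (i = 2; i <= NF; i++) { split($i, kv, "=")
      if (kv[1] == "proto") p = kv[2]; if (kv[1] == "src_dport") sp = kv[2]
      if (kv[1] == "dest_ip") ip = kv[2]; if (kv[1] == "dest_port") dp = kv[2] }
    print p, sp, "->", ip ":" dp }'
}

# A "rule" with src=wan, target=ACCEPT and no dest zone lands in the router's own INPUT
# chain; for a port already handled by a redirect it only widens exposure (delete it).
redundant_input_rules() {
  flatten_uci | awk '
    $1 == "redirect" && / target=DNAT/ { for (i = 2; i <= NF; i++) if ($i ~ /^src_dport=/) fwd[substr($i, 11)] = 1 }
    $1 == "rule" && / src=wan/ && / target=ACCEPT/ && !/ dest=/ {
      for (i = 2; i <= NF; i++) if ($i ~ /^dest_port=/) inp[substr($i, 11)] = 1 }
    END { for (p in inp) if (p in fwd) print "redundant input rule for port " p }'
}

# Step one of the checklist: the ISP-side forward target must equal the current WAN lease.
check_isp_target() {  # $1 = address the ISP router forwards to, $2 = address from ifstatus wan
  [ "$1" = "$2" ] && echo "ok: ISP forwards to $2" || echo "MISMATCH: ISP forwards to $1 but wan is $2"
}

make_sample_fw | list_redirects
make_sample_fw | redundant_input_rules
check_isp_target 192.168.64.101 192.168.64.102   # the stale lease from the thread
```

On the router itself: `list_redirects < /etc/config/firewall` and `check_isp_target <ISP target> "$(ifstatus wan | jsonfilter -e '@["ipv4-address"][0].address')"`.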

You're welcome.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.