[SOLVED] Port forwarding not working on wan

I bought a new router - TP-Link Archer AX23 and installed OpenWrt on it. I configured wireless and added a few ports (80, 81, 443) to port forwarding. I have a RPi server on 192.168.1.214. That's it, I haven't changed anything else.

I have a little weird network:
Internet <—> ISP modem/router 192.168.64.1 <—> OpenWRT 192.168.64.2 and 192.168.1.1 <—> Devices 192.168.1.0/24
It's called double NAT I think. My ISP's modem-router has very little config options, the only useful config is port forwarding and wireless and that's it. That's the reason I bought a new router and installed OpenWrt on it.

LAN is 192.168.1.0/24 and WAN is 192.168.64.0/24 (including everything else) in my case, right?

So the problem is that I can't access forwarded ports from WAN but I can from LAN through WAN's IP. For example, I'm on a laptop with 192.168.1.111 and I can connect to any forwarded port on 192.168.64.2. Nmap scan:

PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
81/tcp  open  hosts2-ns
443/tcp open  https

But if I port forward from my ISP's router to the internet I can't connect. Similarly if I connect to ISP's router's wireless (then my IP is 192.168.64.111) I still can't connect. Normal nmap scan shows the host is down but if I enable -Pn option:

PORT    STATE    SERVICE
80/tcp  filtered http
81/tcp  filtered hosts2-ns
443/tcp filtered https

As you can see all forwarded ports are shown as filtered. WHY?

And another VERY WEIRD THING. I also opened 18080 and 18089 port for my Monero node on 192.168.1.192 and they are working like they should, no problem at all!

My firewall config:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option target 'DNAT'
	option name 'Monero P2P'
	list proto 'tcp'
	option src 'wan'
	option src_dport '18080'
	option dest_ip '192.168.1.192'
	option dest_port '18080'
	option dest 'lan'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Monero RPC'
	list proto 'tcp'
	option src 'wan'
	option src_dport '18089'
	option dest_ip '192.168.1.192'
	option dest_port '18089'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HTTP'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.1.214'
	option dest_port '80'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HTTPS'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.1.214'
	option dest_port '443'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Nginx'
	list proto 'tcp'
	option src 'wan'
	option src_dport '81'
	option dest_ip '192.168.1.214'
	option dest_port '81'

A lot of ISPs will block the standard ports, try something different, like 8443 instead of 443.

What is your ISP modem/router WAN IP address? Hide the second half of it for privacy but keep the most left part.

I can't even access 443 from inside of the network of the first router. And my ISP blocks 8443 port. I tried 8444 but it doesn't work.

Public IP is 89.212.xxx.xxx, private is 192.168.64.1.

Then, as said by @frollic not all the ports are equal.
If your ISP router has DMZ setting - configure 192.168.64.2 there.
Use tcpdump on OpenWrt to see the incoming traffic.
Use any external service like https://canyouseeme.org/ to test various TCP ports.

It's not my ISP's problem, it's OpenWrt. Port 18089 was working so in OpenWrt I changed the internal port for that rule to my RPi on port 81 and it just does not work. The port shows as filtered in nmap and every connection times out.

Forget about the rules for a while and see if you can receive traffic on the given TCP port.
Once confirmed you can proceed with the rules.
root@OpenWrt:~# tcpdump -i wan -Q in tcp port 18089

canyouseeme.org

Yes, the website says success and I can see traffic in the terminal.

Then it's not an OpenWrt problem :slight_smile:

If it says "success" then tcp connection has been established. This usually happens when the forwarding works because someone on the local network has accepted the connection.
In my example there is no forwarding configured, hence the error message on the screenshot.

It 100% is. From my phone 192.168.64.131 I tried to connect to OpenWrt 192.168.64.2 on port 81 while running tcpdump on it. This is the output:

root@OpenWrt:~# tcpdump -i wan -Q in tcp port 81
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
20:19:25.338560 IP 192.168.64.131.35176 > 192.168.64.2.81: Flags [S], seq 1032003334, win 65535, options [mss 1460,sackOK,TS val 832304368 ecr 0,nop,wscale 8], length 0
20:19:25.536483 IP 192.168.64.131.35190 > 192.168.64.2.81: Flags [S], seq 348331709, win 65535, options [mss 1460,sackOK,TS val 832304624 ecr 0,nop,wscale 8], length 0
20:19:27.408182 IP 192.168.64.131.35176 > 192.168.64.2.81: Flags [S], seq 1032003334, win 65535, options [mss 1460,sackOK,TS val 832306384 ecr 0,nop,wscale 8], length 0
20:19:31.657015 IP 192.168.64.131.35176 > 192.168.64.2.81: Flags [S], seq 1032003334, win 65535, options [mss 1460,sackOK,TS val 832310608 ecr 0,nop,wscale 8], length 0
20:19:31.791257 IP 192.168.64.131.35190 > 192.168.64.2.81: Flags [S], seq 348331709, win 65535, options [mss 1460,sackOK,TS val 832310864 ecr 0,nop,wscale 8], length 0

So the connection is made but OpenWrt just would not respond.

And this is the output if I check on canyouseeme.org:

root@OpenWrt:~# tcpdump -i wan -Q in tcp port 81
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
20:25:03.795818 IP ec2-52-202-215-126.compute-1.amazonaws.com.52396 > 192.168.64.2.81: Flags [S], seq 2085106795, win 26883, options [mss 1460,sackOK,TS val 1099389641 ecr 0,nop,wscale 7], length 0
20:25:04.794597 IP ec2-52-202-215-126.compute-1.amazonaws.com.52396 > 192.168.64.2.81: Flags [S], seq 2085106795, win 26883, options [mss 1460,sackOK,TS val 1099389891 ecr 0,nop,wscale 7], length 0
20:25:06.798649 IP ec2-52-202-215-126.compute-1.amazonaws.com.52396 > 192.168.64.2.81: Flags [S], seq 2085106795, win 26883, options [mss 1460,sackOK,TS val 1099390392 ecr 0,nop,wscale 7], length 0

If you remove -Q in you could see traffic in both directions.

root@OpenWrt:~# tcpdump -i wan tcp port 81
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
20:34:03.450308 IP ec2-52-202-215-126.compute-1.amazonaws.com.57256 > 192.168.64.2.81: Flags [S], seq 1774838497, win 26883, options [mss 1460,sackOK,TS val 1099524556 ecr 0,nop,wscale 7], length 0
20:34:04.447382 IP ec2-52-202-215-126.compute-1.amazonaws.com.57256 > 192.168.64.2.81: Flags [S], seq 1774838497, win 26883, options [mss 1460,sackOK,TS val 1099524806 ecr 0,nop,wscale 7], length 0
20:34:06.451376 IP ec2-52-202-215-126.compute-1.amazonaws.com.57256 > 192.168.64.2.81: Flags [S], seq 1774838497, win 26883, options [mss 1460,sackOK,TS val 1099525307 ecr 0,nop,wscale 7], length 0
20:34:10.455384 IP ec2-52-202-215-126.compute-1.amazonaws.com.57256 > 192.168.64.2.81: Flags [S], seq 1774838497, win 26883, options [mss 1460,sackOK,TS val 1099526308 ecr 0,nop,wscale 7], length 0

Don't give me false hope...

OpenWrt is not going to respond, it only forwards the packet to the server on its LAN, which will then respond. Run tcpdump on the LAN to confirm that packets were forwarded, and that the server responds.

By LAN you mean RPi server right? It doesn't have tcpdump installed so I ssh into it and try to install it but there is no internet connection... I think I found the problem, will see if it's fixed.

As said by @mk24 repeat the same on LAN side of the router:
tcpdump -i br-lan tcp port X

Where X is the destination port number from the forwarding rule.

On OpenWrt, use tcpdump -i br-lan ... to sniff packets on the LAN side of the routing. You should see them going out to the Pi's address with the port number rewritten if you have the forward configured that way.

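The two-capture check described in the thread (tcpdump on wan, then on br-lan), as an added example that is not from the thread or from OpenWrt: a small Python script that parses tcpdump lines from both captures and reports at which stage an inbound DNAT forward breaks. The addresses and ports are the ones from the thread; the capture lines embedded below are constructed, not the poster's real output.

```python
import re

# Address part of a tcpdump TCP line: "IP src.sport > dst.dport: Flags [S], ..."
TCP_LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")


def parse_tcpdump(lines):
    """Return (src, sport, dst, dport, flags) per TCP line; non-matching lines are skipped."""
    out = []
    for line in lines:
        m = TCP_LINE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            out.append((src, int(sport), dst, int(dport), flags))
    return out


def diagnose_forward(wan_lines, lan_lines, wan_ip, wan_port, server_ip, server_port):
    """Locate where an inbound DNAT forward breaks, from a wan and a br-lan capture.

    Returns one of: "no-inbound-syn", "not-forwarded", "server-silent",
    "server-refused", "ok".
    """
    wan = parse_tcpdump(wan_lines)
    lan = parse_tcpdump(lan_lines)
    # Stage 1: did a SYN for the forwarded port reach the WAN interface at all?
    if not any(d == wan_ip and dp == wan_port and f == "S" for _, _, d, dp, f in wan):
        return "no-inbound-syn"        # upstream router / ISP is not delivering it
    # Stage 2: was the SYN rewritten by the redirect and sent out on br-lan?
    if not any(d == server_ip and dp == server_port and f == "S" for _, _, d, dp, f in lan):
        return "not-forwarded"         # OpenWrt redirect / zone forwarding problem
    # Stage 3: does the server answer? "S." is a SYN-ACK, "R"/"R." is a reset.
    replies = [f for s, sp, _, _, f in lan if s == server_ip and sp == server_port]
    if any(f.startswith("S.") for f in replies):
        return "ok"
    if any(f.startswith("R") for f in replies):
        return "server-refused"        # nothing listening on that port
    return "server-silent"             # forwarded, but the host never replies


# Constructed captures modelled on the thread (not real output from the posts).
WAN_CAPTURE = [
    "20:19:25.338560 IP 192.168.64.131.35176 > 192.168.64.2.81: Flags [S], seq 1032003334, win 65535, length 0",
    "20:19:27.408182 IP 192.168.64.131.35176 > 192.168.64.2.81: Flags [S], seq 1032003334, win 65535, length 0",
]
LAN_CAPTURE = [
    "20:19:25.338700 IP 192.168.64.131.35176 > 192.168.1.214.81: Flags [S], seq 1032003334, win 65535, length 0",
    "20:19:27.408300 IP 192.168.64.131.35176 > 192.168.1.214.81: Flags [S], seq 1032003334, win 65535, length 0",
]


def run_example():
    # The thread's situation: SYNs forwarded to the Pi on br-lan, but no reply from it.
    return diagnose_forward(WAN_CAPTURE, LAN_CAPTURE, "192.168.64.2", 81, "192.168.1.214", 81)


if __name__ == "__main__":
    print(run_example())
```

Feed it the real captures with `tcpdump -n -i wan -Q in tcp port 81` and `tcpdump -n -i br-lan tcp port 81` saved to files; "server-silent" is the case in this thread, where the forward was correct and the Pi itself was the problem.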

Yes, they are forwarded correctly.

The problem was my RPi still had 2 IPs, one old static IP that was before I installed OpenWrt and new dynamic and it blocked internet connection for some reason. Now it's fixed and everything works like it should. I feel stupid :slight_smile: . Thanks for all help!