[SOLVED] Port forwarding not working

I'm trying to set up a port forward, but I am really stuck.

I want WAN port 553 -> 192.168.1.2 553

To make sure that the server is running and accepting connections, I did the following.

> nc -v -v 192.168.1.2 553
Connection to 192.168.1.2 553 port [tcp/*] succeeded!

Try to connect through WAN

> nc -v -v {wan_ip} 553
nc: connect to {wan_ip} port 553 (tcp) failed: Connection timed out

Also tried an open port checker tool --> http://canyouseeme.org/

I've tried about 900 different firewall configurations, but here is the current state of /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option drop_invalid '1'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'lan'
        option forward 'REJECT'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option forward 'ACCEPT'
        option log '1'
        option network 'wan wan6'
        option mtu_fix '1'
        option input 'REJECT'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option src_dport '553'
        option dest_ip '192.168.1.2'
        option dest_port '553'
        option proto 'tcp udp'
        option name 'Allow Web Server'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'guest'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'Guest'
        option forward 'REJECT'

config forwarding
        option dest 'wan'
        option src 'guest'

config forwarding
        option dest 'wan'
        option src 'lan'

config forwarding
        option dest 'lan'
        option src 'wan'

Also, is there any way to monitor the firewall rules to see which rule is stopping a specific packet? I don't see anything when I run logread -f that shows 192.168.1.2 or port 553

Thanks in advance for the help, I really appreciate it.


Your ISP may block incoming traffic on privileged ports. To verify whether packets are actually arriving at your router, you can install the tcpdump package and run the following on the command line:

tcpdump -pnvvi eth0 port 553

Visit that "can you see me" web site and see if there's anything on that port. (Substitute eth0 with the right interface if that's not the WAN port for your hardware).

@phuque99 I don't think the ISP is blocking it. I had it working yesterday on a different router, but I'll run that tcpdump command when I get a chance, thanks for the tip.

Well, tcpdump will also help chase that same packet internally out of the LAN interface to give you some clue.


Please post the output of: /etc/init.d/firewall restart


/etc/firewall.user
#

   ##::[[---  OpenWrt Firewall Script  ---]]::##

####################################################
              ##----- IPtables -----##
####################################################


# Establish Custom Zones #
#---------------------------------------------------
# A firewall restart flushes the tables before re-running this script, but
# guard the chain creation anyway so the file can also be run by hand
# without "Chain already exists" errors.

# Apply:
  iptables      -N  Trace       2>/dev/null  ||  iptables  -F  Trace

# Log:
  iptables      -N  LOG_Trace   2>/dev/null  ||  iptables  -F  LOG_Trace


# Establish Trace #
#---------------------------------------------------
# A packet the redirect has already DNATed to 192.168.1.2 traverses FORWARD,
# not INPUT, so hook both chains: INPUT logs packets the redirect did not
# rewrite (still addressed to the router itself), FORWARD logs the ones it did.

  # Trace Port:
    iptables    -I  INPUT       -p  tcp   --dport   553   -m  conntrack   --ctstate NEW   -j  Trace
    iptables    -I  INPUT       -p  udp   --dport   553   -m  conntrack   --ctstate NEW   -j  Trace
    iptables    -I  FORWARD     -p  tcp   --dport   553   -m  conntrack   --ctstate NEW   -j  Trace
    iptables    -I  FORWARD     -p  udp   --dport   553   -m  conntrack   --ctstate NEW   -j  Trace


# Apply Trace #
#---------------------------------------------------

  # Trace Port:
    iptables    -A  Trace       -p  tcp   --dport   553                                   -j  LOG_Trace
    iptables    -A  Trace       -p  udp   --dport   553                                   -j  LOG_Trace


# Log Trace #
#---------------------------------------------------
# --log-level 4 (warning) lands in the kernel log that `logread -f` shows; the
# prefix is the string to grep for. The LOG target returns to the calling chain
# afterwards, so these rules only observe and never accept or drop anything.

  # Trace Port:
    iptables    -A  LOG_Trace   -p  tcp   --dport   553   -j  LOG   --log-prefix  "<[[--- Trace 553 ---]]> : "  --log-level 4
    iptables    -A  LOG_Trace   -p  udp   --dport   553   -j  LOG   --log-prefix  "<[[--- Trace 553 ---]]> : "  --log-level 4

@JW0914
Here is the output of /etc/init.d/firewall restart

 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'ubus:igmpproxy[instance1] rule 0'
   * Rule 'ubus:igmpproxy[instance1] rule 1'
   * Rule 'ubus:igmpproxy[instance1] rule 2'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'Guest DNS'
   * Rule 'Guest DHCP'
   * Redirect 'Allow 553'
   * Forward 'wan' -> 'lan'
   * Forward 'lan' -> 'wan'
   * Forward 'guest' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Populating IPv4 nat table
   * Redirect 'Allow 553'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Populating IPv6 filter table
   * Rule 'ubus:igmpproxy[instance1] rule 0'
   * Rule 'ubus:igmpproxy[instance1] rule 2'
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'Guest DNS'
   * Rule 'Guest DHCP'
   * Forward 'wan' -> 'lan'
   * Forward 'lan' -> 'wan'
   * Forward 'guest' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guest'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
 * Running script '/usr/share/miniupnpd/firewall.include'

I was hoping there might be an error in the output, so try the rules above. Copy and paste into /etc/firewall.user, then issue the following and try to access port 553:

  • /etc/init.d/firewall restart && logread -f
    • If you see no lines containing <[[--- Trace 553 ---]]> : (after trying to access port 553), then the issue is likely on the router, not the client.

  • Did you rename your 553 redirect rule?
    • Firewall config above has it titled "Allow Web Server", whereas that rule is not in the restart output... please post /etc/config/firewall again

  • On a side note, UPnP should not be utilized, as it is not secure in the slightest.
    • Running script '/usr/share/miniupnpd/firewall.include'

When I run tcpdump, I can see the packet coming in, but I still can't seem to figure out where the problem is.

14:57:08.322672 IP (tos 0x0, ttl 50, id 58981, offset 0, flags [DF], proto TCP (6), length 52)
    5.79.68.210.59532 > {wan_ip}.553: Flags [S], cksum 0x5ab8 (correct), seq 2373147884, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
14:57:09.334703 IP (tos 0x0, ttl 50, id 36416, offset 0, flags [DF], proto TCP (6), length 52)
    5.79.68.210.59536 > {wan_ip}.553: Flags [S], cksum 0x0ef3 (correct), seq 6174147, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

@JW0914 Yea, I did rename the rule, that is my mistake. I noticed in the /etc/init.d/firewall restart output that it didn't give any indication of what port was being redirected, so I renamed the rule.

Here is the current /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option drop_invalid '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'lan'
        option forward 'REJECT'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option forward 'ACCEPT'
        option log '1'
        option mtu_fix '1'
        option input 'REJECT'
        option network 'wan wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config forwarding
        option dest 'lan'
        option src 'wan'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config forwarding
        option dest 'wan'
        option src 'lan'

config zone
        option name 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'Guest'
        option input 'REJECT'

config forwarding
        option dest 'wan'
        option src 'guest'

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'
        option name 'Guest DNS'
        option src 'guest'

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '67-68'
        option name 'Guest DHCP'
        option src 'guest'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '553'
        option dest_ip '192.168.1.2'
        option dest_port '553'
        option name 'Allow 553'

Try adding option family 'ipv4' to your redirect, as I've occasionally had issues when it's not specified.

Same behavior.

I'm going to re-install and erase all settings, and try the port forward before any other settings and see if it works properly.

Looks like I didn't edit my post fast enough...

  • Redirects should be specified at the top of the config
    config defaults
       option  input           'ACCEPT'
       option  output          'ACCEPT'
       option  forward         'REJECT'
       option  syn_flood       1
       option  drop_invalid    1
    
    config redirect
       option  target          'DNAT'
       option  family          'ipv4'
       option  proto           'tcp udp'
       option  src             'wan'
       option  src_dport       553
       option  dest            'lan'
       option  dest_port       553
       option  dest_ip         192.168.1.2
       option  name            'Allow 553'
    
    • iptables is a hierarchical firewall, so where rules are matters significantly.
      • To see exactly how fw3 processes rules, issue: fw3 print

I tried switching the order of the rules, no luck.

I also reset to factory settings and only added a DHCP reservation and forwarding rule, still no luck.

I also plugged in my old router again to see if the port forward was still working on that device, worked right away.

Is there a better method I could use to test this port forward?

Did you add the rules for logging to /etc/firewall.user?

  • If you see no lines containing <[[--- Trace 553 ---]]> : (after trying to access port 553), then the issue is likely on the router, and I would try restoring to defaults or reflashing, then only adding the redirect rule, as what you're experiencing is abnormal behavior.

  • If you do see lines with the aforementioned heading (after adding the aforementioned rules), the issue is likely on the client.
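The trace rules JW0914 describes write netfilter LOG lines into the kernel log, and reading them by hand is error-prone. The helper below is an added example, not code from the thread: it reduces each matching `logread` line to its in/out interface, protocol and addresses. The log lines embedded in it are constructed to mirror the kernel LOG format (the WAN address 203.0.113.10, the timestamps and the MAC fields are placeholders; the probing source 5.79.68.210 is the one from the tcpdump capture above), and the function names trace_summary and sample_log are my own.

```sh
#!/bin/sh
# Added example (not from the thread): decode netfilter LOG lines emitted by the
# "Trace 553" rules into one line per packet:
#   in=<iface> out=<iface|-> <proto> <src>:<sport> -> <dst>:<dport>
# out=- means the packet was logged in INPUT (still addressed to the router, so
# the redirect did not rewrite it). If the same Trace chain is also hooked into
# FORWARD, a line with out=br-lan and a LAN DST shows the DNAT already happened.
# Needs only sh and awk (busybox on OpenWrt).

# trace_summary PREFIX   (log text on stdin; non-matching lines are ignored)
trace_summary() {
    awk -v tag="$1" '
        index($0, tag) == 0 { next }          # keep only our trace lines
        {
            split("", f)                      # portable "clear array"
            for (i = 1; i <= NF; i++)         # collect every KEY=VALUE token
                if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
            out = (f["OUT"] == "") ? "-" : f["OUT"]
            printf "in=%s out=%s %s %s:%s -> %s:%s\n",
                   f["IN"], out, f["PROTO"], f["SRC"], f["SPT"], f["DST"], f["DPT"]
            n++
        }
        END { printf "total %d\n", n + 0 }'
}

# Constructed sample of what `logread` shows for those rules. Line 1 is the
# INPUT case (not rewritten), line 3 the FORWARD case after DNAT to 192.168.1.2;
# line 2 is unrelated noise that must be skipped.
sample_log() {
    cat <<'EOF'
Thu Mar  1 14:57:08 2018 kern.warn kernel: [ 8812.101] <[[--- Trace 553 ---]]> : IN=eth0 OUT= MAC=ff:ee:dd:cc:bb:aa:00:11:22:33:44:55:08:00 SRC=5.79.68.210 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=58981 DF PROTO=TCP SPT=59532 DPT=553 WINDOW=29200 RES=0x00 SYN URGP=0
Thu Mar  1 14:57:08 2018 daemon.info dnsmasq-dhcp[1201]: DHCPACK(br-lan) 192.168.1.2 aa:bb:cc:dd:ee:ff
Thu Mar  1 14:57:09 2018 kern.warn kernel: [ 8813.113] <[[--- Trace 553 ---]]> : IN=eth0 OUT=br-lan MAC=ff:ee:dd:cc:bb:aa:00:11:22:33:44:55:08:00 SRC=5.79.68.210 DST=192.168.1.2 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=36416 DF PROTO=TCP SPT=59536 DPT=553 WINDOW=29200 RES=0x00 SYN URGP=0
EOF
}

# On the router:  logread | trace_summary "Trace 553"
# Here, run against the constructed sample:
sample_log | trace_summary "Trace 553"
```

A line with out=- and DST equal to the WAN address means the packet reached the router but the DNAT rule did not match it (wrong zone, family or port in the redirect); a line with out=br-lan and DST=192.168.1.2 means the redirect worked and what is left to check is the wan-to-lan forwarding and the server itself. No lines at all, while tcpdump on the WAN port still shows the SYNs, points at something in front of the filter chains.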

Thanks for the help everybody, especially @JW0914, this ended up being just a boneheaded move on my part.

My ISP allows you to use their modem / router as just a modem, but when you set that up you designate a specific device that is plugged in to be your router (it then passes through the WAN IP to that device). Since that was set up to work with my previous router, the new one with LEDE installed was getting a LAN address. It was basically set up as double NAT as opposed to single NAT with the new router.

Sorry for running down that rabbit hole and taking everyone with me.
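The root cause was double NAT: the LEDE box held a private address on its WAN side, so no redirect on it could be reached from the Internet no matter how the firewall was written. That is the first thing worth ruling out, and it is easy to script. The check below is an added example, not code from the thread. It assumes a POSIX sh with 64-bit arithmetic (busybox ash on OpenWrt/LEDE qualifies) and an `ip` command (iproute2 or busybox); the interface name is whatever your WAN port is (eth0, as in phuque99's tcpdump example), and on OpenWrt `ifstatus wan` is an equivalent source for the address. The function names are my own.

```sh
#!/bin/sh
# Added example (not from the thread): classify the IPv4 address the WAN
# interface actually holds. A port forward from the Internet can only work when
# that address is publicly routable; a private (RFC 1918) or carrier-grade NAT
# (100.64.0.0/10) address means another NAT sits in front of this router and
# the forward has to be configured there (or the upstream put into
# bridge/pass-through mode). Assumes 64-bit shell arithmetic.

# ip4_to_int A.B.C.D -> the address as one integer, so prefixes can be compared.
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_cidr ADDR NET/PREFIX -> exit 0 when ADDR lies inside the prefix.
in_cidr() {
    host_int=$(ip4_to_int "$1")
    net_int=$(ip4_to_int "${2%/*}")
    drop=$(( 32 - ${2#*/} ))                 # host bits to discard
    [ $(( host_int >> drop )) -eq $(( net_int >> drop )) ]
}

# ip4_class ADDR -> prints private | cgnat | loopback | link-local | public
ip4_class() {
    if in_cidr "$1" 10.0.0.0/8 || in_cidr "$1" 172.16.0.0/12 || in_cidr "$1" 192.168.0.0/16; then
        echo private
    elif in_cidr "$1" 100.64.0.0/10; then
        echo cgnat
    elif in_cidr "$1" 127.0.0.0/8; then
        echo loopback
    elif in_cidr "$1" 169.254.0.0/16; then
        echo link-local
    else
        echo public
    fi
}

# wan_addr IFACE -> first IPv4 address configured on IFACE (empty if none).
wan_addr() {
    ip -4 addr show dev "$1" 2>/dev/null |
        awk '$1 == "inet" { sub("/.*", "", $2); print $2; exit }'
}

# check_wan IFACE -> 0 when the address is public, 1 (with a diagnosis) otherwise.
check_wan() {
    wan_ip=$(wan_addr "$1")
    [ -n "$wan_ip" ] || { echo "no IPv4 address on $1"; return 1; }
    class=$(ip4_class "$wan_ip")
    echo "$1 has $wan_ip ($class)"
    case $class in
        public)
            return 0 ;;
        private|cgnat)
            echo "double NAT: the upstream device owns the public address;"
            echo "forward port 553 there, or put it into bridge/pass-through mode"
            return 1 ;;
        *)
            echo "no usable WAN address"
            return 1 ;;
    esac
}

# Live check only when an interface is named, e.g.  sh wancheck.sh eth0
if [ $# -ge 1 ]; then
    check_wan "$1"
fi
```

Compare the address this prints with what canyouseeme.org reports as your public address: if they differ, the forward must exist on whichever device owns the public one, and the tcpdump check from earlier in the thread only tells you the upstream box handed the packet on, not that the Internet can reach you.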
