I recently switched from TD-LTE to ADSL.
The TD-LTE had a modem that gave out an Ethernet connection that I would connect to my OpenWrt-enabled router/AP.
The TD-LTE modem had a DMZ option which I would enable and then use port forwarding on my OpenWrt.
Now my ADSL (which is what I used before TD-LTE) has a modem that also has a DMZ option.
I have tried using PPPoE on the ADSL modem and also bridge mode with PPPoE on my OpenWrt router, but whatever I do I don't see my port from the internet (ports are not open).
Is there something that I am missing?
Could this be my ISP's firewall stopping incoming connections that are not originating from my side? I have asked them and they say no, but I could only ask the level 1 help service, who are not really knowledgeable and were trying to convince me that my problem was that I didn't have a static IP and I needed to buy that, and would just say "we don't block ports".
When I ping my public IP from my mobile phone I get the message "destination port unreachable".
I played around with the firewall in LuCI and saw that if I change the wan rule for input from reject to accept I can ping my public IP, but my SSH port forwarding still doesn't work.
I think this is not the advised way to configure the wan side, but I was just testing to see if anything changes.
Also, am I correct to assume that if I put the modem in bridge mode I don't have to enable DMZ on it? As in, all the connections and firewalling are managed by my OpenWrt device?
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.
ubus call system board; \
uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
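The post above asks for the diagnostics to be redacted (credentials, MAC addresses, public IPs) before pasting. The shell script below is an added example, not from this thread or from the OpenWrt project, that does the redaction mechanically: pipe the output of the command block above into redact_diag. It assumes the PPPoE credentials appear as "option username" / "option password" lines in the uci export, and it handles IPv4 only; the sample input at the bottom is constructed to resemble "uci export network" and "ip -4 addr" output.

```shell
#!/bin/sh
# Added example (not from the thread): redact diagnostics before pasting them.
# Usage: ( ubus call system board; uci export network; ... ) | redact_diag
# Assumptions: credentials are "option username/password" lines; IPv4 only.

redact_diag() {
    # 1. blank PPPoE credentials in the uci export (assumed key names)
    sed -E "s/^([[:space:]]*option (username|password)) .*/\\1 'REDACTED'/" |
    # 2. replace MAC addresses (aa:bb:cc:dd:ee:ff) wherever they appear
    sed -E 's/([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}/xx:xx:xx:xx:xx:xx/g' |
    # 3. replace public IPv4 addresses; keep RFC1918, loopback, wildcard, broadcast
    awk '
        function is_local(ip,   o) {
            split(ip, o, ".")
            if (o[1]+0 == 10 || o[1]+0 == 127 || o[1]+0 == 0) return 1
            if (o[1]+0 == 172 && o[2]+0 >= 16 && o[2]+0 <= 31) return 1
            if (o[1]+0 == 192 && o[2]+0 == 168) return 1
            if (o[1]+0 == 255) return 1
            return 0
        }
        {
            line = $0; out = ""
            # walk every dotted quad on the line and decide per address
            while (match(line, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
                ip = substr(line, RSTART, RLENGTH)
                out = out substr(line, 1, RSTART - 1) (is_local(ip) ? ip : "PUBLIC_IP")
                line = substr(line, RSTART + RLENGTH)
            }
            print out line
        }'
}

# Constructed sample input (not real output from the poster's router).
sample_diag() {
cat <<'EOF'
config interface 'wan'
	option proto 'pppoe'
	option username 'adsl-user'
	option password 'hunter2'
3: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492
    inet 203.0.113.45 peer 203.0.113.1/32 scope global pppoe-wan
2: br-lan: link/ether 00:11:22:33:44:55
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
EOF
}

sample_diag | redact_diag
```

The private ranges are kept on purpose: the helper needs to see the 192.168.x.x and 10.x.x.x addresses to follow the routing and NAT rules, and only the public address identifies the poster.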
Yes, then OpenWrt runs PPPoE and gets the public wan IP.
First, you have disabled the rule to allow ping from wan. If you need it, you'd better enable it rather than changing wan input to accept.
The rule 'from 10.10.34.0/24' is not needed.
Redirect wan-ssh should be a rule, not a redirect.
Other than that, you have hits on some DNAT rules:
1. The hits may be because I incorrectly tested first from my mobile by using the public IP but with my mobile phone still connected to home WiFi?
I mean I also pinged my OpenWrt wan IP from my mobile phone and saw 2 ms pings, which on third-world internet, and especially on my ADSL, shocked me and showed my error: I was still connected to my home WiFi with my phone.
Can I restart my OpenWrt and then test again to be sure, with the same commands you put here?
2. Also, the 10.10.34... thing is the internal IP the censors use on the Iranian network for redirecting HTTP (which can be redirected, unlike HTTPS) to a custom page that says the website is blocked.
I now use my own DNS config so maybe that is not needed anymore.
3. The rule for disallowing ping from wan is where?
This OpenWrt config is the result of some updates where I didn't use a clean install (from after LEDE, I think),
and I am not a network pro but use Linux daily (I just like it more than Windows' trash), so if you say where the file is I can edit it myself.
4. Is there a way to see iptables hit logs in real time?
I suppose there is, but I don't know where to set it to test for my rules.
What you told me to use is not real-time, right?
This way I can debug more of my problems myself.
5. I don't understand this part:
"Redirect wan-ssh should be a rule, not a redirect."
6. The iptables-save -c command just saves rules, right?
It doesn't show the hits, correct?
So I don't know where you see the hits from.
Those shown are rules, not hits.
UPDATE:
Those numbers in the brackets are hits?
So my SSH redirect doesn't work but the torrent part does?
Because when I use the ruTorrent interface to check for an open port at 1800 or use this website https://www.yougetsignal.com/tools/open-ports/ both show closed.
Can the packet path get messed with internally after that rule, resulting in not reaching my torrent client?
Does this have anything to do with connecting to the modem via LAN, so that my OpenWrt gets two IPs, one for 192.168.1.1 and one from that LAN for 192.168.2.2 (via the modem's DHCP)?
Even when I connect via bridge to the internet I can still add an interface to OpenWrt that goes through the same LAN and connects via DHCP.
Though I enabled and disabled this and the result didn't change.
In your opinion, is my best way to manage my internet connection to bridge from my OpenWrt to the modem and then manage ports, because you said that the firewall and DMZ of the modem don't interfere then, right? Because I read somewhere that many home modem/routers don't really respect that.
I don't understand.
As I said, I usually just copy-paste commands in Linux when it comes to ip and iptables commands.
When you say the default one, do you mean I removed it, right?
UPDATE: I enabled it and it works for ping. Ty.
The second part I don't understand.
When I port forward from 1822 on OpenWrt to a LAN client on port 22, what does that have to do with port 22 on the router OS (by which you mean OpenWrt, right?)
I am not trying to connect to port 22 on the router; I am trying to connect to port 22 on a LAN IP (which can be 192.168.1.1 for OpenWrt/router or a LAN client like 192.168.1.20), so I forward from 1822 wan to 22 on LAN. I have changed the dest IP from .1 to .20 and still I can ssh to it from wan on my mobile.
Though now that I changed it from 1 to 20 my error message is not "destination port unreachable" but "connection timed out".
Also, all my redirects (port forwards) are to a LAN client other than OpenWrt itself now.
BTW, if it is not clear, all of these rules worked with my last modem (TD-LTE) without any change.
That's why I want to be sure that it is not my ISP or my modem.
That's why I asked to see if I can see iptables events in real time.
I see this getting bigger and bigger.
[649:79322] -A zone_wan_prerouting -p udp -m udp --dport 1800:1802 -m comment --comment "!fw3: odroid-torrent" -j DNAT --to-destination 192.168.1.20:1800-1802
Yes, could be. But still, it demonstrates that port forwarding on OpenWrt works fine.
You can of course.
You'd have to add a lot of LOG lines in iptables before the actions you want to log.
I still don't think the problem is on the OpenWrt.
A redirect is to forward a port to a host in the lan. A rule is to allow a port on the router. You want to open ssh on the OpenWrt from the wan, then you need a rule.
No, it will show them.
You answered yourself.
Yes, bridge the modem and manage everything on the OpenWrt.
Could you be clear if it is working or not?
I don't see any evidence that OpenWrt is not working, other than the unreliable online open port tools.
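The replies above turn on two things the poster was unsure about: that the bracketed [packets:bytes] prefix in "iptables-save -c" output is the hit counter, and that a redirect (a DNAT in zone_wan_prerouting, forwarding to a LAN host) is a different object from a rule (an ACCEPT in zone_wan_input, opening a port on the router itself). The script below is an added example, not from this thread or from OpenWrt, that extracts those counters for just the wan-zone chains. The first sample line is the odroid-torrent line quoted above; the other sample lines are constructed to mirror it, and the script assumes fw3 rule names contain no spaces.

```shell
#!/bin/sh
# Added example (not from the thread): read the per-rule packet counters that
# "iptables-save -c" prints as a leading [packets:bytes] field, restricted to
# the chains where traffic arriving from the wan is counted:
#   zone_wan_prerouting  -> redirects (port forwards), target DNAT
#   zone_wan_input       -> rules that open a port on the router, target ACCEPT
# Usage on the router: iptables-save -c | wan_hits
# Assumption: fw3 rule names contain no spaces.

# Constructed sample; line 1 is the odroid-torrent line quoted in the thread,
# the rest are made up to mirror it.
SAMPLE_RULES='[649:79322] -A zone_wan_prerouting -p udp -m udp --dport 1800:1802 -m comment --comment "!fw3: odroid-torrent" -j DNAT --to-destination 192.168.1.20:1800-1802
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 1822 -m comment --comment "!fw3: wan-ssh" -j DNAT --to-destination 192.168.1.20:22
[3:252] -A zone_wan_input -p icmp -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p tcp -m tcp --dport 22 -m comment --comment "!fw3: Allow-SSH" -j ACCEPT
[88:5280] -A zone_lan_prerouting -p tcp -m tcp --dport 1822 -m comment --comment "!fw3: wan-ssh (reflection)" -j DNAT --to-destination 192.168.1.20:22'

# Print "packets chain dport target name" for every wan-zone rule on stdin.
wan_hits() {
    awk '
        $2 == "-A" && $3 ~ /^zone_wan_(prerouting|input)$/ {
            pk = $1; sub(/^\[/, "", pk); split(pk, c, ":")   # c[1] = packets
            dport = "-"; target = "-"; name = "-"
            for (i = 4; i <= NF; i++) {
                if ($i == "--dport")   dport = $(i + 1)
                if ($i == "-j")        target = $(i + 1)
                # comment is two fields: "!fw3: and name"
                if ($i == "--comment") { name = $(i + 2); gsub(/"/, "", name) }
            }
            printf "%s %s %s %s %s\n", c[1], $3, dport, target, name
        }'
}

# Packet count for one named wan-zone rule (prints 0 when the rule is absent).
hits_for() {
    wan_hits | awk -v n="$1" '$5 == n { print $1; found = 1 } END { if (!found) print 0 }'
}

printf '%s\n' "$SAMPLE_RULES" | wan_hits
printf '%s\n' "$SAMPLE_RULES" | hits_for odroid-torrent
```

Reading the sample the way the helper describes it: odroid-torrent has 649 packets from the wan, so that forward is reached; wan-ssh and Allow-SSH have zero, so nothing on 1822 or 22 arrived from the wan at all. The zone_lan_prerouting line is deliberately ignored, since hits there come from the LAN side (the phone on home WiFi) and say nothing about the ISP path.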
Why?
It is not on the standard SSH port 22,
it is on port 1822.
Can this be from my side, as in the torrent client that is configured to listen on that port tries to check and use it and OpenWrt logs that?
These two contradict each other?
Sorry, I meant to type can't and dropped the t.
So the redirect from 1822 wan to 22 on the LAN client also opens a port on 1822 too, right?
I don't have to add that too? Because these rules worked for my last modem-to-OpenWrt layout.
Also, could this possibly be an OpenWrt config bug
like this?
Maybe I should wait for 21.02 and use a clean one,
because I got other weird issues too.
For example, when I tried to bridge the modem when it didn't get a PPPoE connection (my modem/ISP issue maybe, not important) and I would restart that interface, then my WiFi connection to the router would be fine but my network would be gone, as in I couldn't even ping 192.168.1.1, and the only way to fix it was to restart the router (because my router is in a high place and I don't have easy Ethernet access to it from my laptop, but I can push its power button).
What difference does it make? It should be open regardless of standard or non-standard.
No, the hits on wan prerouting lines show what is incoming from the wan.
Not necessarily. You tested with your mobile phone connected to the WiFi of the ISP modem and you mentioned that it worked and there were hits on the firewall. That is evidence that OpenWrt is working as configured.
If you try from the internet and there are no hits on the firewall, then I would assume that your ISP is blocking them.
No, it is not a bug, you are overcomplicating a simple function. You want to allow a port on the firewall, yet you are redirecting to another IP on the same device.
I meant that as an answer to your answer where you said my ISP blocked it.
If you meant my ISP blocked port 22:
as I said, I used port 1822 on the wan side so my ISP doesn't see port 22.
If you mean my ISP closed port 1822, then my answer was: why would my ISP close that?
I don't think my ISP closed that port. Maybe their firewall closes all the incoming ports, but not just one, and one that I use that is random.
The hits were for my torrent client, not SSH.
And again, are you sure my ISP closes the 1822 port? If I change that to 18202 and still get no hits, does that mean my ISP closes that port too?
It is possible my ISP closes all incoming ports (I have not heard of something like this before) but not one randomly.
This was for the next part, not the
And I don't want to just open a port.
I want to redirect a port from wan to a LAN client.
Maybe the language got confusing.
The port opening on the internet is not the same as OpenWrt rules.
They usually use it for torrents, so it usually is done with a redirect too.
But my question was that if I want to redirect to a LAN client (not the SSH on the OpenWrt router but SSH on a device connected to it by LAN cable) then a redirect rule is enough and I don't have to add an open rule too. Is that correct?
Again, I don't want to open port 22 on OpenWrt, nor do I want to open port 1822 for OpenWrt only. I want to be able to SSH from my phone connected to my cellular network to my home, and I used to be able to do that on port 1822 with the rules I created.
This is not getting us anywhere.
Do something simple: opkg update; opkg install tcpdump
Then run: tcpdump -i eth0 port 22 or port 1822 or port ... (add as many more ports as you want to test).
If you see some output on the screen it means a packet arrived on the OpenWrt, therefore it is not blocked by the ISP (if it came from the internet) and there will be a hit on the firewall.
If I want to test that, how do I open port 22 on OpenWrt?
The rule part in LuCI is a bit complicated.
Can you put a text for editing the firewall that I could put in and be sure it means my port 22 is open on my router? This way I can test simple SSH on the router and forgo the LAN redirect and torrent, and be sure that my ISP or my modem does/doesn't block this.
Update:
I added this:
config rule
	option name 'Allow-SSH'
	option target 'ACCEPT'
	option src 'wan'
	option dest_port '22'
	option proto 'tcp'
	option family 'ipv4'
and tested from my mobile. It doesn't work.
Does dropbear need any setting for it to listen on wan?
I also changed to OpenSSH to be sure and still nothing.
tcpdump captures the packets before they hit the firewall, so for testing whether the ISP is blocking or not it doesn't matter.
The rule you added is correct. You need to make sure that dropbear (or openssh) is listening to the wan interface too. netstat -lnp | grep 22
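The reply above says the Allow-SSH rule is fine but the daemon must actually be listening on the wan side, and suggests "netstat -lnp | grep 22" to check. The script below is an added example, not from this thread or from OpenWrt, that reads that netstat output and reports the bind scope of a given port: a firewall ACCEPT is useless if dropbear is bound only to the LAN address (on OpenWrt, "option Interface 'lan'" in /etc/config/dropbear does exactly that). It assumes the BusyBox netstat column layout (Local Address in the fourth column); the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report which address a TCP listener on
# PORT is bound to, from "netstat -lnp" output.
# Usage on the router: netstat -lnp | listen_scope 22
# Assumption: BusyBox netstat layout, Local Address in column 4, State in column 6.

# Constructed sample: dropbear bound to the lan address only, dnsmasq on all.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.1:22          0.0.0.0:*               LISTEN      1234/dropbear
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1100/dnsmasq
tcp        0      0 :::53                   :::*                    LISTEN      1100/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1100/dnsmasq'

# listen_scope PORT: prints "all" if some TCP listener on PORT is bound to a
# wildcard address (0.0.0.0 or ::), otherwise the specific addresses it is
# bound to, or "none" if nothing listens on PORT.
listen_scope() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")                 # last piece after ":" is the port
            if (a[n] != port) next
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (addr == "0.0.0.0" || addr == "::") wild = 1
            else addrs = addrs (addrs ? " " : "") addr
        }
        END {
            if (wild) print "all"
            else if (addrs != "") print addrs
            else print "none"
        }'
}

printf '%s\n' "$SAMPLE_NETSTAT" | listen_scope 22     # lan address only
printf '%s\n' "$SAMPLE_NETSTAT" | listen_scope 53     # all
printf '%s\n' "$SAMPLE_NETSTAT" | listen_scope 1822   # none
```

In the sample, port 22 answers "192.168.1.1", which is the case the helper warns about: an SSH attempt from the wan would be accepted by the firewall and then refused by the kernel because no socket is bound on the wan address. A result of "all" for the port, combined with zero hits on the Allow-SSH line, points away from the router and toward the path in front of it.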
I understand the first part, which you mean that tcpdump sees all the traffic (even internal ones?) and it doesn't matter if OpenWrt drops port 22 or not; if it arrives on the interface, tcpdump sees it. Right?
The second part, what you mean is that ISP blocking checking is before my OpenWrt (on the modem maybe), so this doesn't help with that, right?
I called my ISP again and the help line (which is staffed with .... well, the polite way would be to say just copy-paste readers) didn't help at all and would say to check the port I need to buy a static IP for them to even check me, and "we gave you internet, do you have speed issues? Port is not internet".
I still have my TD-LTE connection and by just swapping ADSL with TD-LTE I got all my things back, even my SSH remote.
So I know that wasn't an OpenWrt bug/config or my noobness messing it up.
BTW, I checked two outputs of this:
iptables-save -c |grep 1800
But on my ADSL one I would not get a hit on that.
Also on the ADSL one the upper ones would get hits, but on the working TD-LTE one that one, as you see, doesn't get hits (well, all the LAN ones really).
Maybe I need to cancel my ADSL and just accept the TD-LTE one's speed.
Also, thank you for all the answers.
English is not my first language and in writing it (typing it) I make mistakes.
I need to proofread my answers more.
I used to have a Firefox extension that would allow opening a text field area in Firefox inside a text editor, but that is long gone with Firefox's new architecture.
What do you mean internal? It is capturing traffic on interfaces, it can be wan interface or lan interface.
Correct.
Well, that was more or less evident from the beginning of the troubleshooting.
You should be looking at the zone_wan_prerouting lines for traffic incoming from the wan. The other lines are not connected to your issue.
That's up to you to decide.
You're welcome, and if your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.