[SOLVED] Simple http/https forwarding not working from wan

Hi there,

I could not manage to implement the simplest configuration in the world and I don't know why.

I have a fresh OpenWrt install on an Archer C7. I have a public IP and forwarding from wan to lan on tcp and udp on ports 80 and 443.

My firewall:

root@ROCKER_HQ:~# /etc/init.d/firewall restart
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Redirect 'HTTP_80_redirect'
   * Redirect 'HTTPS_443_redirect'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 nat table
   * Redirect 'HTTP_80_redirect'
   * Redirect 'HTTPS_443_redirect'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'

My iptables DNAT:

root@ROCKER_HQ:~# iptables-save -t nat -c | grep DNAT
[8:480] -A zone_lan_prerouting -s 192.168.199.0/24 -d 84.236.28.204/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP_80_redirect (reflection)" -j DNAT --to-destination 192.168.199.90:80
[0:0] -A zone_lan_prerouting -s 192.168.199.0/24 -d 84.236.28.204/32 -p udp -m udp --dport 80 -m comment --comment "!fw3: HTTP_80_redirect (reflection)" -j DNAT --to-destination 192.168.199.90:80
[27:1620] -A zone_lan_prerouting -s 192.168.199.0/24 -d 84.236.28.204/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_443_redirect (reflection)" -j DNAT --to-destination 192.168.199.90:443
[0:0] -A zone_lan_prerouting -s 192.168.199.0/24 -d 84.236.28.204/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: HTTPS_443_redirect (reflection)" -j DNAT --to-destination 192.168.199.90:443
[16:940] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP_80_redirect" -j DNAT --to-destination 192.168.199.90:80
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 80 -m comment --comment "!fw3: HTTP_80_redirect" -j DNAT --to-destination 192.168.199.90:80
[15:824] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_443_redirect" -j DNAT --to-destination 192.168.199.90:443
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 443 -m comment --comment "!fw3: HTTPS_443_redirect" -j DNAT --to-destination 192.168.199.90:443

...and a tcpdump of the packets (phone(WAN-100.120.110.43)->webpage(LAN-192.168.199.90:80)):

16:22:14.645093 IP 100.120.110.43.37447 > 84.236.28.204.80: Flags [S], seq 577414775, win 64240, options [mss 1370,sackOK,TS val 16826639 ecr 0,nop,wscale 9], length 0
16:22:14.645243 IP 100.120.110.43.37447 > 192.168.199.90.80: Flags [S], seq 577414775, win 64240, options [mss 1370,sackOK,TS val 16826639 ecr 0,nop,wscale 9], length 0
16:22:14.645265 IP 100.120.110.43.37447 > 192.168.199.90.80: Flags [S], seq 577414775, win 64240, options [mss 1370,sackOK,TS val 16826639 ecr 0,nop,wscale 9], length 0
16:22:14.648955 IP 100.120.110.43.37448 > 84.236.28.204.80: Flags [S], seq 1085402765, win 64240, options [mss 1370,sackOK,TS val 16826641 ecr 0,nop,wscale 9], length 0
16:22:14.649090 IP 100.120.110.43.37448 > 192.168.199.90.80: Flags [S], seq 1085402765, win 64240, options [mss 1370,sackOK,TS val 16826641 ecr 0,nop,wscale 9], length 0
16:22:14.649111 IP 100.120.110.43.37448 > 192.168.199.90.80: Flags [S], seq 1085402765, win 64240, options [mss 1370,sackOK,TS val 16826641 ecr 0,nop,wscale 9], length 0
16:22:14.720352 IP 100.120.110.43.37449 > 84.236.28.204.80: Flags [S], seq 291617668, win 64240, options [mss 1370,sackOK,TS val 16826669 ecr 0,nop,wscale 9], length 0
16:22:14.720501 IP 100.120.110.43.37449 > 192.168.199.90.80: Flags [S], seq 291617668, win 64240, options [mss 1370,sackOK,TS val 16826669 ecr 0,nop,wscale 9], length 0
16:22:14.720521 IP 100.120.110.43.37449 > 192.168.199.90.80: Flags [S], seq 291617668, win 64240, options [mss 1370,sackOK,TS val 16826669 ecr 0,nop,wscale 9], length 0
16:22:15.780933 IP 100.120.110.43.37447 > 84.236.28.204.80: Flags [S], seq 577414775, win 64240, options [mss 1370,sackOK,TS val 16826940 ecr 0,nop,wscale 9], length 0
16:22:15.781030 IP 100.120.110.43.37447 > 192.168.199.90.80: Flags [S], seq 577414775, win 64240, options [mss 1370,sackOK,TS val 16826940 ecr 0,nop,wscale 9], length 0
16:22:15.781048 IP 100.120.110.43.37447 > 192.168.199.90.80: Flags [S], seq 577414775, win 64240, options [mss 1370,sackOK,TS val 16826940 ecr 0,nop,wscale 9], length 0
16:22:15.802936 IP 100.120.110.43.37448 > 84.236.28.204.80: Flags [S], seq 1085402765, win 64240, options [mss 1370,sackOK,TS val 16826942 ecr 0,nop,wscale 9], length 0
16:22:15.803050 IP 100.120.110.43.37448 > 192.168.199.90.80: Flags [S], seq 1085402765, win 64240, options [mss 1370,sackOK,TS val 16826942 ecr 0,nop,wscale 9], length 0
16:22:15.803068 IP 100.120.110.43.37448 > 192.168.199.90.80: Flags [S], seq 1085402765, win 64240, options [mss 1370,sackOK,TS val 16826942 ecr 0,nop,wscale 9], length 0
16:22:15.805335 IP 100.120.110.43.37449 > 84.236.28.204.80: Flags [S], seq 291617668, win 64240, options [mss 1370,sackOK,TS val 16826970 ecr 0,nop,wscale 9], length 0
16:22:15.805441 IP 100.120.110.43.37449 > 192.168.199.90.80: Flags [S], seq 291617668, win 64240, options [mss 1370,sackOK,TS val 16826970 ecr 0,nop,wscale 9], length 0
16:22:15.805460 IP 100.120.110.43.37449 > 192.168.199.90.80: Flags [S], seq 291617668, win 64240, options [mss 1370,sackOK,TS val 16826970 ecr 0,nop,wscale 9], length 0
16:22:17.730914 IP 100.120.110.43.37447 > 84.236.28.204.80: Flags [S], seq 577414775, win 64240, options [mss 1370,sackOK,TS val 16827542 ecr 0,nop,wscale 9], length 0
16:22:17.731027 IP 100.120.110.43.37447 > 192.168.199.90.80: Flags [S], seq 577414775, win 64240, options [mss 1370,sackOK,TS val 16827542 ecr 0,nop,wscale 9], length 0
16:22:17.731047 IP 100.120.110.43.37447 > 192.168.199.90.80: Flags [S], seq 577414775, win 64240, options [mss 1370,sackOK,TS val 16827542 ecr 0,nop,wscale 9], length 0
16:22:17.731506 IP 100.120.110.43.37448 > 84.236.28.204.80: Flags [S], seq 1085402765, win 64240, options [mss 1370,sackOK,TS val 16827544 ecr 0,nop,wscale 9], length 0

The problem is, that I can't open the webpages of my server from outside. Inside LAN it works.
Can someone tell me what I am missing? Thank you in advance!

You don't need to forward UDP for your web server.
If you run tcpdump on your web server and see packets coming from outside, then forwarding is probably OK and you should check your web server configuration.

4 Likes

Thank you - I was looking in the wrong place for errors. The webserver is only listening on IPv6 - I will have to correct it.

I know this is getting out of scope, but it does not work - on the webserver I can see the incoming packets but there is no answer.
The Apache logs are empty - however the port looks open to me:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN off (0.00/0/0)
From LAN it is working as expected.

tcpdump: listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
09:38:24.438627 IP (tos 0x0, ttl 57, id 36871, offset 0, flags [DF], proto TCP (6), length 60)
    100.120.210.66.43909 > 192.168.199.90.80: Flags [S], cksum 0x4a4a (correct), seq 1536997413, win 64240, options [mss 1370,sackOK,TS val 19104676 ecr 0,nop,wscale 9], length 0
09:38:24.438648 IP (tos 0x0, ttl 57, id 36233, offset 0, flags [DF], proto TCP (6), length 60)
    100.120.210.66.43910 > 192.168.199.90.80: Flags [S], cksum 0xa41b (correct), seq 694390922, win 64240, options [mss 1370,sackOK,TS val 19104678 ecr 0,nop,wscale 9], length 0
09:38:25.469610 IP (tos 0x0, ttl 57, id 36872, offset 0, flags [DF], proto TCP (6), length 60)
    100.120.210.66.43909 > 192.168.199.90.80: Flags [S], cksum 0x491d (correct), seq 1536997413, win 64240, options [mss 1370,sackOK,TS val 19104977 ecr 0,nop,wscale 9], length 0
09:38:25.477465 IP (tos 0x0, ttl 57, id 36234, offset 0, flags [DF], proto TCP (6), length 60)
    100.120.210.66.43910 > 192.168.199.90.80: Flags [S], cksum 0xa2ee (correct), seq 694390922, win 64240, options [mss 1370,sackOK,TS val 19104979 ecr 0,nop,wscale 9], length 0
09:38:27.468532 IP (tos 0x0, ttl 57, id 36873, offset 0, flags [DF], proto TCP (6), length 60)
    100.120.210.66.43909 > 192.168.199.90.80: Flags [S], cksum 0x46c4 (correct), seq 1536997413, win 64240, options [mss 1370,sackOK,TS val 19105578 ecr 0,nop,wscale 9], length 0
09:38:27.468549 IP (tos 0x0, ttl 57, id 36235, offset 0, flags [DF], proto TCP (6), length 60)
    100.120.210.66.43910 > 192.168.199.90.80: Flags [S], cksum 0xa095 (correct), seq 694390922, win 64240, options [mss 1370,sackOK,TS val 19105580 ecr 0,nop,wscale 9], length 0
09:38:31.480529 IP (tos 0x0, ttl 57, id 36874, offset 0, flags [DF], proto TCP (6), length 60)
    100.120.210.66.43909 > 192.168.199.90.80: Flags [S], cksum 0x4212 (correct), seq 1536997413, win 64240, options [mss 1370,sackOK,TS val 19106780 ecr 0,nop,wscale 9], length 0
09:38:31.480546 IP (tos 0x0, ttl 57, id 36236, offset 0, flags [DF], proto TCP (6), length 60)
    100.120.210.66.43910 > 192.168.199.90.80: Flags [S], cksum 0x9be1 (correct), seq 694390922, win 64240, options [mss 1370,sackOK,TS val 19106784 ecr 0,nop,wscale 9], length 0
09:38:39.488716 IP (tos 0x0, ttl 57, id 36237, offset 0, flags [DF], proto TCP (6), length 60)
    100.120.210.66.43910 > 192.168.199.90.80: Flags [S], cksum 0x9279 (correct), seq 694390922, win 64240, options [mss 1370,sackOK,TS val 19109192 ecr 0,nop,wscale 9], length 0
09:38:39.488756 IP (tos 0x0, ttl 57, id 36875, offset 0, flags [DF], proto TCP (6), length 60)
    100.120.210.66.43909 > 192.168.199.90.80: Flags [S], cksum 0x38ae (correct), seq 1536997413, win 64240, options [mss 1370,sackOK,TS val 19109184 ecr 0,nop,wscale 9], length 0

Can someone suggest a next step?
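The check described in the replies above (SYNs from outside reach the server, but the server never answers, so the router's DNAT is fine and the problem is on the host) can be automated over a capture instead of read by eye. The following script is an added example, not code from the thread or from OpenWrt. It parses both tcpdump output formats quoted in the thread (the one-line format and the two-line `-v` format), groups packets by 4-tuple, and reports flows in which the client retransmits `[S]` but no `[S.]` ever comes back. The sample capture is constructed for the example: three lines copied from the server-side capture above, plus an invented LAN handshake from 192.168.199.20 so that an answered flow is shown alongside the unanswered one.

```python
"""Report TCP flows in a tcpdump capture that show client SYNs but no SYN-ACK.

A flow that only ever contains [S] from the client means the packet reached
the capturing host and nothing replied: the service is not bound to that
address family or interface, a host firewall drops it, or the reply leaves
by another path. Added example, not the thread's own code.
"""
import re
from collections import defaultdict

# Matches "100.120.210.66.43909 > 192.168.199.90.80: Flags [S]" in both the
# plain one-line tcpdump format and the indented second line of "tcpdump -v".
PKT_RE = re.compile(
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample: first three packets are from the thread's server-side
# capture; the 192.168.199.20 handshake is invented to show an answered flow.
SAMPLE_CAPTURE = """\
09:38:24.438627 IP (tos 0x0, ttl 57, id 36871, offset 0, flags [DF], proto TCP (6), length 60)
    100.120.210.66.43909 > 192.168.199.90.80: Flags [S], cksum 0x4a4a (correct), seq 1536997413, win 64240, options [mss 1370,sackOK,TS val 19104676 ecr 0,nop,wscale 9], length 0
09:38:25.469610 IP (tos 0x0, ttl 57, id 36872, offset 0, flags [DF], proto TCP (6), length 60)
    100.120.210.66.43909 > 192.168.199.90.80: Flags [S], cksum 0x491d (correct), seq 1536997413, win 64240, options [mss 1370,sackOK,TS val 19104977 ecr 0,nop,wscale 9], length 0
09:38:27.468532 IP (tos 0x0, ttl 57, id 36873, offset 0, flags [DF], proto TCP (6), length 60)
    100.120.210.66.43909 > 192.168.199.90.80: Flags [S], cksum 0x46c4 (correct), seq 1536997413, win 64240, options [mss 1370,sackOK,TS val 19105578 ecr 0,nop,wscale 9], length 0
09:40:01.000000 IP 192.168.199.20.51000 > 192.168.199.90.80: Flags [S], seq 1, win 64240, length 0
09:40:01.000200 IP 192.168.199.90.80 > 192.168.199.20.51000: Flags [S.], seq 2, ack 2, win 65160, length 0
09:40:01.000400 IP 192.168.199.20.51000 > 192.168.199.90.80: Flags [.], ack 1, win 502, length 0
"""


def parse_packets(text):
    """Yield (src_ip, src_port, dst_ip, dst_port, flags) for every packet line."""
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            yield (m["sip"], int(m["sport"]), m["dip"], int(m["dport"]), m["flags"])


def unanswered_syns(text):
    """Return {(client_ip, client_port, server_ip, server_port): syn_count}
    for flows where the client sent SYNs and no SYN-ACK was ever seen."""
    syns = defaultdict(int)
    answered = set()
    for sip, sport, dip, dport, flags in parse_packets(text):
        if flags.startswith("S") and "." not in flags:
            # Pure SYN (possibly with ECN bits): count it under the client's tuple.
            syns[(sip, sport, dip, dport)] += 1
        elif "S" in flags and "." in flags:
            # SYN-ACK travels server -> client, so the reverse tuple is the client flow.
            answered.add((dip, dport, sip, sport))
    return {flow: n for flow, n in syns.items() if flow not in answered}


def report(text):
    """Human-readable lines, one per unanswered flow, sorted for stable output."""
    lines = []
    for (cip, cport, sip, sport), n in sorted(unanswered_syns(text).items()):
        lines.append(f"{cip}:{cport} -> {sip}:{sport}: {n} SYN(s), no SYN-ACK seen")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CAPTURE):
        print(line)
```

Run it against a real capture with `tcpdump -nn -i ens3 tcp port 80` saved to a file and passed through `report()`. When the only flows listed are the external ones, as in the thread, the router has already done its job; the next things to look at are what the daemon is actually bound to (`netstat -tln` or `ss -tln` on both address families) and the host's own filtering (`iptables-save`, `nft list ruleset`), which is exactly the sequence the thread followed.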

sudo iptables-save
sudo nft list ruleset
sudo iptables-save
# Generated by iptables-save v1.6.1 on Tue Dec  1 10:10:23 2020
*filter
:INPUT ACCEPT [30151:15568343]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [39186:10760934]
COMMIT
# Completed on Tue Dec  1 10:10:23 2020

sudo iptables-save
sudo: nft: command not found

Using old iptables (18.04LTS), with no filtering.

1 Like

I completely disabled ipv6 on router to bring it out of scope.

What makes me wonder is: after factory reset, only setting a port forward - it does not work. On previous router from same type (C7), but trunk SFE firmware - everything worked like a charm. Now the simplest forwarding causes problems... I can start from scratch if it helps.

# OpenWrt
curl -I http://192.168.199.90/
nc 192.168.199.90 80 << EOF
GET /
EOF
john@kb-orig4:~$ curl -I http://192.168.199.90/
HTTP/1.1 200 OK
Date: Tue, 01 Dec 2020 10:17:12 GMT
Server: Apache/2.4.29 (Ubuntu)
X-Frame-Options: SAMEORIGIN
Set-Cookie: pll_language=hu; expires=Wed, 01-Dec-2021 10:17:14 GMT; Max-Age=31536000; path=/
Link: <https://www.aqex.hu/wp-json/>; rel="https://api.w.org/"
X-XSS-Protection: 1; mode=block
Content-Type: text/html; charset=UTF-8
john@kb-orig4:~$ nc 192.168.199.90 80 << EOF
> GET /
> EOF
HTTP/1.1 400 Bad Request
Date: Tue, 01 Dec 2020 10:18:14 GMT
Server: Apache/2.4.29 (Ubuntu)
X-Frame-Options: SAMEORIGIN
Content-Length: 303
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at www.aqex.hu Port 80</address>
</body></html>

And thank you for your time...

1 Like

This is a misconfiguration issue on the web server, and completely unrelated to OpenWrt.

4 Likes

You are right, sorry for taking your time.

My webserver was untouched and fully functional before router-exchange - but somehow the config broke (perhaps update - I will figure it out).

1 Like
