Hi there,
I could not manage to implement the simplest configuration of the world and I don't know why.
I have a fresh OpenWrt install on an Archer C7. I have a public IP and forwarding from wan to lan on tcp and udp on ports 80 and 443.
My firewall:
root@ROCKER_HQ:~# /etc/init.d/firewall restart
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv6 filter table
* Flushing IPv6 mangle table
* Flushing conntrack table ...
* Populating IPv4 filter table
* Rule 'Allow-DHCP-Renew'
* Rule 'Allow-Ping'
* Rule 'Allow-IGMP'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Redirect 'HTTP_80_redirect'
* Redirect 'HTTPS_443_redirect'
* Forward 'lan' -> 'wan'
* Zone 'lan'
* Zone 'wan'
* Populating IPv4 nat table
* Redirect 'HTTP_80_redirect'
* Redirect 'HTTPS_443_redirect'
* Zone 'lan'
* Zone 'wan'
* Populating IPv4 mangle table
* Zone 'lan'
* Zone 'wan'
* Populating IPv6 filter table
* Rule 'Allow-DHCPv6'
* Rule 'Allow-MLD'
* Rule 'Allow-ICMPv6-Input'
* Rule 'Allow-ICMPv6-Forward'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Forward 'lan' -> 'wan'
* Zone 'lan'
* Zone 'wan'
* Populating IPv6 mangle table
* Zone 'lan'
* Zone 'wan'
* Set tcp_ecn to off
* Set tcp_syncookies to on
* Set tcp_window_scaling to on
* Running script '/etc/firewall.user'
My iptables DNAT:
root@ROCKER_HQ:~# iptables-save -t nat -c | grep DNAT
[8:480] -A zone_lan_prerouting -s 192.168.199.0/24 -d 84.236.28.204/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP_80_redirect (reflection)" -j DNAT --to-destination 192.168.199.90:80
[0:0] -A zone_lan_prerouting -s 192.168.199.0/24 -d 84.236.28.204/32 -p udp -m udp --dport 80 -m comment --comment "!fw3: HTTP_80_redirect (reflection)" -j DNAT --to-destination 192.168.199.90:80
[27:1620] -A zone_lan_prerouting -s 192.168.199.0/24 -d 84.236.28.204/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_443_redirect (reflection)" -j DNAT --to-destination 192.168.199.90:443
[0:0] -A zone_lan_prerouting -s 192.168.199.0/24 -d 84.236.28.204/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: HTTPS_443_redirect (reflection)" -j DNAT --to-destination 192.168.199.90:443
[16:940] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP_80_redirect" -j DNAT --to-destination 192.168.199.90:80
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 80 -m comment --comment "!fw3: HTTP_80_redirect" -j DNAT --to-destination 192.168.199.90:80
[15:824] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS_443_redirect" -j DNAT --to-destination 192.168.199.90:443
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 443 -m comment --comment "!fw3: HTTPS_443_redirect" -j DNAT --to-destination 192.168.199.90:443
...and a tcpdump of the packets (phone(WAN-100.120.110.43)->webpage(LAN-192.168.199.90:80)):
16:22:14.645093 IP 100.120.110.43.37447 > 84.236.28.204.80: Flags [S], seq 577414775, win 64240, options [mss 1370,sackOK,TS val 16826639 ecr 0,nop,wscale 9], length 0
16:22:14.645243 IP 100.120.110.43.37447 > 192.168.199.90.80: Flags [S], seq 577414775, win 64240, options [mss 1370,sackOK,TS val 16826639 ecr 0,nop,wscale 9], length 0
16:22:14.645265 IP 100.120.110.43.37447 > 192.168.199.90.80: Flags [S], seq 577414775, win 64240, options [mss 1370,sackOK,TS val 16826639 ecr 0,nop,wscale 9], length 0
16:22:14.648955 IP 100.120.110.43.37448 > 84.236.28.204.80: Flags [S], seq 1085402765, win 64240, options [mss 1370,sackOK,TS val 16826641 ecr 0,nop,wscale 9], length 0
16:22:14.649090 IP 100.120.110.43.37448 > 192.168.199.90.80: Flags [S], seq 1085402765, win 64240, options [mss 1370,sackOK,TS val 16826641 ecr 0,nop,wscale 9], length 0
16:22:14.649111 IP 100.120.110.43.37448 > 192.168.199.90.80: Flags [S], seq 1085402765, win 64240, options [mss 1370,sackOK,TS val 16826641 ecr 0,nop,wscale 9], length 0
16:22:14.720352 IP 100.120.110.43.37449 > 84.236.28.204.80: Flags [S], seq 291617668, win 64240, options [mss 1370,sackOK,TS val 16826669 ecr 0,nop,wscale 9], length 0
16:22:14.720501 IP 100.120.110.43.37449 > 192.168.199.90.80: Flags [S], seq 291617668, win 64240, options [mss 1370,sackOK,TS val 16826669 ecr 0,nop,wscale 9], length 0
16:22:14.720521 IP 100.120.110.43.37449 > 192.168.199.90.80: Flags [S], seq 291617668, win 64240, options [mss 1370,sackOK,TS val 16826669 ecr 0,nop,wscale 9], length 0
16:22:15.780933 IP 100.120.110.43.37447 > 84.236.28.204.80: Flags [S], seq 577414775, win 64240, options [mss 1370,sackOK,TS val 16826940 ecr 0,nop,wscale 9], length 0
16:22:15.781030 IP 100.120.110.43.37447 > 192.168.199.90.80: Flags [S], seq 577414775, win 64240, options [mss 1370,sackOK,TS val 16826940 ecr 0,nop,wscale 9], length 0
16:22:15.781048 IP 100.120.110.43.37447 > 192.168.199.90.80: Flags [S], seq 577414775, win 64240, options [mss 1370,sackOK,TS val 16826940 ecr 0,nop,wscale 9], length 0
16:22:15.802936 IP 100.120.110.43.37448 > 84.236.28.204.80: Flags [S], seq 1085402765, win 64240, options [mss 1370,sackOK,TS val 16826942 ecr 0,nop,wscale 9], length 0
16:22:15.803050 IP 100.120.110.43.37448 > 192.168.199.90.80: Flags [S], seq 1085402765, win 64240, options [mss 1370,sackOK,TS val 16826942 ecr 0,nop,wscale 9], length 0
16:22:15.803068 IP 100.120.110.43.37448 > 192.168.199.90.80: Flags [S], seq 1085402765, win 64240, options [mss 1370,sackOK,TS val 16826942 ecr 0,nop,wscale 9], length 0
16:22:15.805335 IP 100.120.110.43.37449 > 84.236.28.204.80: Flags [S], seq 291617668, win 64240, options [mss 1370,sackOK,TS val 16826970 ecr 0,nop,wscale 9], length 0
16:22:15.805441 IP 100.120.110.43.37449 > 192.168.199.90.80: Flags [S], seq 291617668, win 64240, options [mss 1370,sackOK,TS val 16826970 ecr 0,nop,wscale 9], length 0
16:22:15.805460 IP 100.120.110.43.37449 > 192.168.199.90.80: Flags [S], seq 291617668, win 64240, options [mss 1370,sackOK,TS val 16826970 ecr 0,nop,wscale 9], length 0
16:22:17.730914 IP 100.120.110.43.37447 > 84.236.28.204.80: Flags [S], seq 577414775, win 64240, options [mss 1370,sackOK,TS val 16827542 ecr 0,nop,wscale 9], length 0
16:22:17.731027 IP 100.120.110.43.37447 > 192.168.199.90.80: Flags [S], seq 577414775, win 64240, options [mss 1370,sackOK,TS val 16827542 ecr 0,nop,wscale 9], length 0
16:22:17.731047 IP 100.120.110.43.37447 > 192.168.199.90.80: Flags [S], seq 577414775, win 64240, options [mss 1370,sackOK,TS val 16827542 ecr 0,nop,wscale 9], length 0
16:22:17.731506 IP 100.120.110.43.37448 > 84.236.28.204.80: Flags [S], seq 1085402765, win 64240, options [mss 1370,sackOK,TS val 16827544 ecr 0,nop,wscale 9], length 0
The problem is that I can't open the webpages of my server from outside. Inside the LAN it works.
Can someone tell me what I am missing? Thank you in advance!
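As an added example (not part of the original post), the following Python script parses tcpdump lines like the ones above and reports, per client flow, whether the SYN was rewritten by DNAT and whether any SYN-ACK came back; the sample capture is constructed from the post's lines, and the addresses 84.236.28.204 and 192.168.199.90 are the ones shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample adapted from the post's tcpdump: one SYN hitting the public
# address, the same SYN after DNAT (seen twice, as the capture spans more than
# one interface), a retransmit, and a second flow that does get a SYN-ACK back.
SAMPLE = """\
16:22:14.645093 IP 100.120.110.43.37447 > 84.236.28.204.80: Flags [S], seq 577414775, length 0
16:22:14.645243 IP 100.120.110.43.37447 > 192.168.199.90.80: Flags [S], seq 577414775, length 0
16:22:14.645265 IP 100.120.110.43.37447 > 192.168.199.90.80: Flags [S], seq 577414775, length 0
16:22:15.780933 IP 100.120.110.43.37447 > 84.236.28.204.80: Flags [S], seq 577414775, length 0
16:22:14.648955 IP 100.120.110.43.37448 > 84.236.28.204.443: Flags [S], seq 1085402765, length 0
16:22:14.649090 IP 100.120.110.43.37448 > 192.168.199.90.443: Flags [S], seq 1085402765, length 0
16:22:14.649300 IP 192.168.199.90.443 > 100.120.110.43.37448: Flags [S.], seq 1, ack 1085402766, length 0
"""

LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def verdict(c):
    """Turn per-flow counters into a one-line diagnosis."""
    if c["synack"]:
        return "handshake progressing"
    if c["syn_translated"]:
        return "DNAT ok, no reply: check the server's default gateway / host firewall"
    if c["syn_public"]:
        return "no DNAT: SYN reached the public address but was never rewritten"
    return "unclassified"

def analyse(capture, public_ip, server_ip):
    """Group tcpdump lines by client (src, sport); count SYNs seen before and after
    DNAT and SYN-ACKs coming back from the server (either address, either side)."""
    flows = defaultdict(lambda: {"syn_public": 0, "syn_translated": 0, "synack": 0})
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        f = m.groupdict()
        if f["flags"] == "S" and f["dst"] == public_ip:
            flows[(f["src"], f["sport"])]["syn_public"] += 1
        elif f["flags"] == "S" and f["dst"] == server_ip:
            flows[(f["src"], f["sport"])]["syn_translated"] += 1
        elif f["flags"] == "S." and f["src"] in (server_ip, public_ip):
            flows[(f["dst"], f["dport"])]["synack"] += 1
    return {k: dict(c, verdict=verdict(c)) for k, c in flows.items()}
```

Run over the post's own capture, every flow gets the second verdict: the SYNs are rewritten to 192.168.199.90 but no SYN-ACK appears, which points at the return path from the server (its default route or host firewall) rather than at the DNAT rules themselves.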