[Solved] Some traffic not being forwarded even though ports are open


#1

I am hoping someone can help me figure out why some traffic is being forwarded and some is not.

My setup:

  • I have a computer on the LAN running an SSH server on port 22 and web server on port 80
  • For testing purposes the server has no firewall or anything (I just threw together a test VM)
  • I can access SSH on port 22 and the web-server on port 80 from other devices on the LAN
  • I have forwarded ports on my router to this computer:
    • :12345 to lan_device:22
    • :80 to lan_device:80
  • I can use :12345 from outside my LAN to SSH to port 22 on the device
  • I cannot use :80 from outside my LAN to access the web server on port 80
  • I can use some random port like :12345 from outside my LAN to access the web server on any port. For example, I forwarded wan:12345 to :80 of my device and I was able to access it from public_ip:12345.

I checked network traffic on the router using tcpdump and can see it getting both the :12345 and :80 traffic. I don't really know how to read tcpdump logs but here it is.

(I uniformly changed my LAN and WAN IPs for security reasons. I hope it doesn't create issues reading the logs.)

When I try to SSH to :12345 from a device that is not on my network it gets to the password prompt meaning it does forward. This is what tcpdump -ni eth0.2 port 12345 or port 80 shows:

22:48:32.563009 IP 107.107.60.95.48763 > 69.126.101.201.12345: Flags [S], seq 3643764460, win 65535, options [mss 1370,nop,wscale 6,nop,nop,TS val 480491007 ecr 0,sackOK,eol], length 0
22:48:32.564947 IP 69.126.101.201.12345 > 107.107.60.95.48763: Flags [S.], seq 2236148311, ack 3643764461, win 28960, options [mss 1460,sackOK,TS val 34898 ecr 480491007,nop,wscale 7], length 0
22:48:32.597238 IP 107.107.60.95.48763 > 69.126.101.201.12345: Flags [.], ack 1, win 2058, options [nop,nop,TS val 480491178 ecr 34898], length 0
22:48:32.603260 IP 107.107.60.95.48763 > 69.126.101.201.12345: Flags [P.], seq 1:22, ack 1, win 2058, options [nop,nop,TS val 480491178 ecr 34898], length 21
22:48:32.604627 IP 69.126.101.201.12345 > 107.107.60.95.48763: Flags [.], ack 22, win 227, options [nop,nop,TS val 34908 ecr 480491178], length 0
22:48:32.626291 IP 69.126.101.201.12345 > 107.107.60.95.48763: Flags [P.], seq 1:40, ack 22, win 227, options [nop,nop,TS val 34913 ecr 480491178], length 39
22:48:32.679345 IP 107.107.60.95.48763 > 69.126.101.201.12345: Flags [.], ack 40, win 2057, options [nop,nop,TS val 480491257 ecr 34913], length 0
22:48:32.680501 IP 69.126.101.201.12345 > 107.107.60.95.48763: Flags [P.], seq 40:1120, ack 22, win 227, options [nop,nop,TS val 34927 ecr 480491257], length 1080
22:48:32.686852 IP 107.107.60.95.48763 > 69.126.101.201.12345: Flags [P.], seq 22:1198, ack 40, win 2057, options [nop,nop,TS val 480491257 ecr 34913], length 1176
22:48:32.720632 IP 107.107.60.95.48763 > 69.126.101.201.12345: Flags [.], ack 1120, win 2040, options [nop,nop,TS val 480491292 ecr 34927], length 0
22:48:32.720776 IP 107.107.60.95.48763 > 69.126.101.201.12345: Flags [P.], seq 1198:1278, ack 1120, win 2048, options [nop,nop,TS val 480491293 ecr 34927], length 80
22:48:32.721844 IP 69.126.101.201.12345 > 107.107.60.95.48763: Flags [.], ack 1198, win 249, options [nop,nop,TS val 34937 ecr 480491257], length 0
22:48:32.723347 IP 69.126.101.201.12345 > 107.107.60.95.48763: Flags [P.], seq 1120:1432, ack 1278, win 249, options [nop,nop,TS val 34938 ecr 480491293], length 312
22:48:32.759261 IP 107.107.60.95.48763 > 69.126.101.201.12345: Flags [.], ack 1432, win 2043, options [nop,nop,TS val 480491336 ecr 34938], length 0
22:48:32.759387 IP 107.107.60.95.48763 > 69.126.101.201.12345: Flags [P.], seq 1278:1294, ack 1432, win 2048, options [nop,nop,TS val 480491339 ecr 34938], length 16
22:48:32.759451 IP 107.107.60.95.48763 > 69.126.101.201.12345: Flags [P.], seq 1294:1338, ack 1432, win 2048, options [nop,nop,TS val 480491339 ecr 34938], length 44
22:48:32.760620 IP 69.126.101.201.12345 > 107.107.60.95.48763: Flags [.], ack 1338, win 249, options [nop,nop,TS val 34947 ecr 480491339], length 0
22:48:32.760951 IP 69.126.101.201.12345 > 107.107.60.95.48763: Flags [P.], seq 1432:1476, ack 1338, win 249, options [nop,nop,TS val 34947 ecr 480491339], length 44
22:48:32.798984 IP 107.107.60.95.48763 > 69.126.101.201.12345: Flags [.], ack 1476, win 2047, options [nop,nop,TS val 480491375 ecr 34947], length 0
22:48:32.799119 IP 107.107.60.95.48763 > 69.126.101.201.12345: Flags [.], ack 1476, win 2047, options [nop,nop,TS val 480491375 ecr 34947], length 0
22:48:34.999344 IP 107.107.60.95.48763 > 69.126.101.201.12345: Flags [P.], seq 1338:1406, ack 1476, win 2048, options [nop,nop,TS val 480493489 ecr 34947], length 68
22:48:35.007434 IP 69.126.101.201.12345 > 107.107.60.95.48763: Flags [P.], seq 1476:1528, ack 1406, win 249, options [nop,nop,TS val 35509 ecr 480493489], length 52
22:48:35.080204 IP 107.107.60.95.48763 > 69.126.101.201.12345: Flags [.], ack 1528, win 2047, options [nop,nop,TS val 480493653 ecr 35509], length 0
22:48:36.838971 IP 107.107.60.95.48763 > 69.126.101.201.12345: Flags [F.], seq 1406, ack 1528, win 2048, options [nop,nop,TS val 480495319 ecr 35509], length 0
22:48:36.847071 IP 69.126.101.201.12345 > 107.107.60.95.48763: Flags [F.], seq 1528, ack 1407, win 249, options [nop,nop,TS val 35968 ecr 480495319], length 0
22:48:36.878913 IP 107.107.60.95.48763 > 69.126.101.201.12345: Flags [.], ack 1529, win 2048, options [nop,nop,TS val 480495451 ecr 35968], length 0

When I try to open an HTTP connection to :80 from a device that is not on my network, I see this in the tcpdump -ni eth0.2 port 12345 or port 80 log but nothing in my LAN device's log.

22:48:43.751160 IP 107.77.76.31.38114 > 69.126.101.201.80: Flags [S], seq 4099429798, win 29200, options [mss 1460,sackOK,TS val 442471976 ecr 0,nop,wscale 9], length 0
22:48:43.752339 IP 69.126.101.201.80 > 107.77.76.31.38114: Flags [S.], seq 2928009671, ack 4099429799, win 28960, options [mss 1460,sackOK,TS val 37695 ecr 442471976,nop,wscale 7], length 0
22:48:44.749701 IP 107.77.76.31.38114 > 69.126.101.201.80: Flags [S], seq 4099429798, win 29200, options [mss 1460,sackOK,TS val 442472226 ecr 0,nop,wscale 9], length 0
22:48:44.751718 IP 69.126.101.201.80 > 107.77.76.31.38114: Flags [S.], seq 2928009671, ack 4099429799, win 28960, options [mss 1460,sackOK,TS val 37945 ecr 442471976,nop,wscale 7], length 0
22:48:45.771207 IP 69.126.101.201.80 > 107.77.76.31.38114: Flags [S.], seq 2928009671, ack 4099429799, win 28960, options [mss 1460,sackOK,TS val 38200 ecr 442471976,nop,wscale 7], length 0
22:48:46.753996 IP 107.77.76.31.38114 > 69.126.101.201.80: Flags [S], seq 4099429798, win 29200, options [mss 1460,sackOK,TS val 442472727 ecr 0,nop,wscale 9], length 0
22:48:46.755603 IP 69.126.101.201.80 > 107.77.76.31.38114: Flags [S.], seq 2928009671, ack 4099429799, win 28960, options [mss 1460,sackOK,TS val 38446 ecr 442471976,nop,wscale 7], length 0
22:48:48.778974 IP 69.126.101.201.80 > 107.77.76.31.38114: Flags [S.], seq 2928009671, ack 4099429799, win 28960, options [mss 1460,sackOK,TS val 38952 ecr 442471976,nop,wscale 7], length 0
22:48:50.822446 IP 107.77.76.31.43140 > 69.126.101.201.80: Flags [S], seq 1533153456, win 29200, options [mss 1460,sackOK,TS val 442473743 ecr 0,nop,wscale 9], length 0
22:48:50.824266 IP 69.126.101.201.80 > 107.77.76.31.43140: Flags [S.], seq 3118189980, ack 1533153457, win 28960, options [mss 1460,sackOK,TS val 39463 ecr 442473743,nop,wscale 7], length 0
22:48:51.819027 IP 107.77.76.31.43140 > 69.126.101.201.80: Flags [S], seq 1533153456, win 29200, options [mss 1460,sackOK,TS val 442473993 ecr 0,nop,wscale 9], length 0
22:48:51.821021 IP 69.126.101.201.80 > 107.77.76.31.43140: Flags [S.], seq 3118189980, ack 1533153457, win 28960, options [mss 1460,sackOK,TS val 39712 ecr 442473743,nop,wscale 7], length 0
22:48:52.843059 IP 69.126.101.201.80 > 107.77.76.31.43140: Flags [S.], seq 3118189980, ack 1533153457, win 28960, options [mss 1460,sackOK,TS val 39968 ecr 442473743,nop,wscale 7], length 0
22:48:52.970573 IP 69.126.101.201.80 > 107.77.76.31.38114: Flags [S.], seq 2928009671, ack 4099429799, win 28960, options [mss 1460,sackOK,TS val 40000 ecr 442471976,nop,wscale 7], length 0
22:48:53.822866 IP 107.77.76.31.43140 > 69.126.101.201.80: Flags [S], seq 1533153456, win 29200, options [mss 1460,sackOK,TS val 442474494 ecr 0,nop,wscale 9], length 0
22:48:53.825488 IP 69.126.101.201.80 > 107.77.76.31.43140: Flags [S.], seq 3118189980, ack 1533153457, win 28960, options [mss 1460,sackOK,TS val 40213 ecr 442473743,nop,wscale 7], length 0
22:48:55.850426 IP 69.126.101.201.80 > 107.77.76.31.43140: Flags [S.], seq 3118189980, ack 1533153457, win 28960, options [mss 1460,sackOK,TS val 40720 ecr 442473743,nop,wscale 7], length 0
22:48:57.953670 IP 107.77.76.31.47825 > 69.126.101.201.80: Flags [S], seq 1233086113, win 29200, options [mss 1460,sackOK,TS val 442475526 ecr 0,nop,wscale 9], length 0
22:48:57.955681 IP 69.126.101.201.80 > 107.77.76.31.47825: Flags [S.], seq 1036346368, ack 1233086114, win 28960, options [mss 1460,sackOK,TS val 41246 ecr 442475526,nop,wscale 7], length 0
22:48:58.950466 IP 107.77.76.31.47825 > 69.126.101.201.80: Flags [S], seq 1233086113, win 29200, options [mss 1460,sackOK,TS val 442475776 ecr 0,nop,wscale 9], length 0
22:48:58.952251 IP 69.126.101.201.80 > 107.77.76.31.47825: Flags [S.], seq 1036346368, ack 1233086114, win 28960, options [mss 1460,sackOK,TS val 41495 ecr 442475526,nop,wscale 7], length 0
22:48:59.882549 IP 69.126.101.201.80 > 107.77.76.31.43140: Flags [S.], seq 3118189980, ack 1533153457, win 28960, options [mss 1460,sackOK,TS val 41728 ecr 442473743,nop,wscale 7], length 0
22:48:59.978650 IP 69.126.101.201.80 > 107.77.76.31.47825: Flags [S.], seq 1036346368, ack 1233086114, win 28960, options [mss 1460,sackOK,TS val 41752 ecr 442475526,nop,wscale 7], length 0
22:49:00.954477 IP 107.77.76.31.47825 > 69.126.101.201.80: Flags [S], seq 1233086113, win 29200, options [mss 1460,sackOK,TS val 442476277 ecr 0,nop,wscale 9], length 0
22:49:00.955945 IP 69.126.101.201.80 > 107.77.76.31.47825: Flags [S.], seq 1036346368, ack 1233086114, win 28960, options [mss 1460,sackOK,TS val 41996 ecr 442475526,nop,wscale 7], length 0
22:49:01.162432 IP 69.126.101.201.80 > 107.77.76.31.38114: Flags [S.], seq 2928009671, ack 4099429799, win 28960, options [mss 1460,sackOK,TS val 42048 ecr 442471976,nop,wscale 7], length 0
22:49:02.986387 IP 69.126.101.201.80 > 107.77.76.31.47825: Flags [S.], seq 1036346368, ack 1233086114, win 28960, options [mss 1460,sackOK,TS val 42504 ecr 442475526,nop,wscale 7], length 0
22:49:07.050208 IP 69.126.101.201.80 > 107.77.76.31.47825: Flags [S.], seq 1036346368, ack 1233086114, win 28960, options [mss 1460,sackOK,TS val 43520 ecr 442475526,nop,wscale 7], length 0
22:49:08.074120 IP 69.126.101.201.80 > 107.77.76.31.43140: Flags [S.], seq 3118189980, ack 1533153457, win 28960, options [mss 1460,sackOK,TS val 43776 ecr 442473743,nop,wscale 7], length 0
22:49:15.242017 IP 69.126.101.201.80 > 107.77.76.31.47825: Flags [S.], seq 1036346368, ack 1233086114, win 28960, options [mss 1460,sackOK,TS val 45568 ecr 442475526,nop,wscale 7], length 0
22:49:17.289956 IP 69.126.101.201.80 > 107.77.76.31.38114: Flags [S.], seq 2928009671, ack 4099429799, win 28960, options [mss 1460,sackOK,TS val 46080 ecr 442471976,nop,wscale 7], length 0

If it helps, here is the output of ip a; ip r; ip ru:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether 18:d6:c7:24:08:31 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::1ad6:c7ff:fe24:831/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether 18:d6:c7:24:08:30 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::1ad6:c7ff:fe24:830/64 scope link
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 18:d6:c7:24:08:30 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd07:22d6:bb00::1/60 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::1ad6:c7ff:fe24:830/64 scope link
       valid_lft forever preferred_lft forever
7: eth1.1@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 18:d6:c7:24:08:30 brd ff:ff:ff:ff:ff:ff
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 18:d6:c7:24:08:31 brd ff:ff:ff:ff:ff:ff
    inet 69.126.101.201/23 brd 69.126.107.255 scope global eth0.2
       valid_lft forever preferred_lft forever
    inet6 fe80::1ad6:c7ff:fe24:831/64 scope link
       valid_lft forever preferred_lft forever
9: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 18:d6:c7:24:08:2f brd ff:ff:ff:ff:ff:ff
    inet6 fe80::1ad6:c7ff:fe24:82f/64 scope link
       valid_lft forever preferred_lft forever
10: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 18:d6:c7:24:08:2e brd ff:ff:ff:ff:ff:ff
    inet6 fe80::1ad6:c7ff:fe24:82e/64 scope link
       valid_lft forever preferred_lft forever
default via 69.126.106.1 dev eth0.2  src 69.126.101.201
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
69.126.106.0/23 dev eth0.2 scope link  src 69.126.101.201
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Here is the output of uci show network:

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd07:22d6:bb00::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth1.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.1.1'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.wan6.auto='0'
network.wan6.reqaddress='none'
network.wan6.reqprefix='auto'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 3 4 5 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 6t'

Here is the output of uci show firewall:

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp udp'
firewall.@redirect[0].src_dport='12345'
firewall.@redirect[0].dest_ip='192.168.1.96'
firewall.@redirect[0].dest_port='22'
firewall.@redirect[0].name='ssh @ vm'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].proto='tcp'
firewall.@redirect[1].src_dport='80'
firewall.@redirect[1].dest_ip='192.168.1.96'
firewall.@redirect[1].dest_port='80'
firewall.@redirect[1].name='http @ vm'

Here is the output of iptables-save:

# Generated by iptables-save v1.6.2 on Fri Mar 15 07:01:33 2019
*nat
:PREROUTING ACCEPT [43:6301]
:INPUT ACCEPT [9:693]
:OUTPUT ACCEPT [8:595]
:POSTROUTING ACCEPT [2:160]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.96/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: ssh @ vm (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.96/32 -p udp -m udp --dport 22 -m comment --comment "!fw3: ssh @ vm (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.96/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: http @ vm (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -s 192.168.1.0/24 -d 69.126.101.201/32 -p tcp -m tcp --dport 12345 -m comment --comment "!fw3: ssh @ vm (reflection)" -j DNAT --to-destination 192.168.1.96:22
-A zone_lan_prerouting -s 192.168.1.0/24 -d 69.126.101.201/32 -p udp -m udp --dport 12345 -m comment --comment "!fw3: ssh @ vm (reflection)" -j DNAT --to-destination 192.168.1.96:22
-A zone_lan_prerouting -s 192.168.1.0/24 -d 69.126.101.201/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: http @ vm (reflection)" -j DNAT --to-destination 192.168.1.96:80
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 12345 -m comment --comment "!fw3: ssh @ vm" -j DNAT --to-destination 192.168.1.96:22
-A zone_wan_prerouting -p udp -m udp --dport 12345 -m comment --comment "!fw3: ssh @ vm" -j DNAT --to-destination 192.168.1.96:22
-A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: http @ vm" -j DNAT --to-destination 192.168.1.96:80
COMMIT
# Completed on Fri Mar 15 07:01:33 2019
# Generated by iptables-save v1.6.2 on Fri Mar 15 07:01:33 2019
*mangle
:PREROUTING ACCEPT [627:204182]
:INPUT ACCEPT [219:19852]
:FORWARD ACCEPT [384:181858]
:OUTPUT ACCEPT [206:47615]
:POSTROUTING ACCEPT [590:229473]
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Mar 15 07:01:33 2019
# Generated by iptables-save v1.6.2 on Fri Mar 15 07:01:33 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Mar 15 07:01:33 2019

Does anyone know what is wrong? I am at a loss...
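An added example, not code from the original post: it reads `tcpdump -n` lines like the two captures above and reports, per flow, whether the three-way handshake completed. The constructed SAMPLE reuses the post's anonymised addresses; on the port-80 flow it shows the SYN-ACK leaving the router repeatedly while the client keeps retransmitting the same SYN and never sends its ACK.

```python
import re

# Constructed sample modelled on the tcpdump -ni eth0.2 output posted above
# (same anonymised addresses); the SSH session is cut down to its handshake
# and one data segment. It is not the original poster's capture.
SAMPLE = """\
22:48:32.563009 IP 107.107.60.95.48763 > 69.126.101.201.12345: Flags [S], seq 3643764460, win 65535, options [mss 1370], length 0
22:48:32.564947 IP 69.126.101.201.12345 > 107.107.60.95.48763: Flags [S.], seq 2236148311, ack 3643764461, win 28960, options [mss 1460], length 0
22:48:32.597238 IP 107.107.60.95.48763 > 69.126.101.201.12345: Flags [.], ack 1, win 2058, options [nop], length 0
22:48:32.603260 IP 107.107.60.95.48763 > 69.126.101.201.12345: Flags [P.], seq 1:22, ack 1, win 2058, options [nop], length 21
22:48:43.751160 IP 107.77.76.31.38114 > 69.126.101.201.80: Flags [S], seq 4099429798, win 29200, options [mss 1460], length 0
22:48:43.752339 IP 69.126.101.201.80 > 107.77.76.31.38114: Flags [S.], seq 2928009671, ack 4099429799, win 28960, options [mss 1460], length 0
22:48:44.749701 IP 107.77.76.31.38114 > 69.126.101.201.80: Flags [S], seq 4099429798, win 29200, options [mss 1460], length 0
22:48:44.751718 IP 69.126.101.201.80 > 107.77.76.31.38114: Flags [S.], seq 2928009671, ack 4099429799, win 28960, options [mss 1460], length 0
22:48:45.771207 IP 69.126.101.201.80 > 107.77.76.31.38114: Flags [S.], seq 2928009671, ack 4099429799, win 28960, options [mss 1460], length 0
"""

# One tcpdump TCP line; the "ethertype IPv4, " prefix appears in -i any captures.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?:ethertype IPv4, )?IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+))?.*?length (?P<length>\d+)"
)


def parse_line(line):
    """Parse one tcpdump TCP line into a dict; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["seq"] = int(pkt["seq"]) if pkt["seq"] is not None else None
    pkt["length"] = int(pkt["length"])
    return pkt


def analyze_flows(text):
    """Group lines into flows keyed by the unordered endpoint pair and record
    what each side did during and after the handshake."""
    flows = {}
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        src = (pkt["src"], int(pkt["sport"]))
        dst = (pkt["dst"], int(pkt["dport"]))
        flow = flows.setdefault(tuple(sorted((src, dst))), {
            "client": None, "server": None, "syn_seqs": set(), "syn_count": 0,
            "synack_seqs": set(), "synack_count": 0, "client_acked": False,
            "payload_bytes": 0})
        flags = pkt["flags"]
        if flags == "S":                    # client SYN (possibly a retransmit)
            flow["client"], flow["server"] = src, dst
            flow["syn_seqs"].add(pkt["seq"])
            flow["syn_count"] += 1
        elif flags == "S.":                 # server SYN-ACK
            flow["client"], flow["server"] = dst, src
            flow["synack_seqs"].add(pkt["seq"])
            flow["synack_count"] += 1
        elif src == flow["client"] and flow["synack_count"] and "R" not in flags:
            flow["client_acked"] = True     # third handshake segment (or later data)
        flow["payload_bytes"] += pkt["length"]
    return flows


def classify(flow):
    """Name the handshake outcome of one flow."""
    if flow["client_acked"]:
        return "established"
    if flow["synack_count"]:
        return "stalled: SYN-ACK sent but never ACKed by the client"
    if flow["syn_count"]:
        return "stalled: SYN never answered"
    return "no handshake observed"


def report(text):
    """Return one summary dict per flow, in first-seen order. A repeated SYN or
    SYN-ACK with the same seq means the sender never saw the reply it expected."""
    rows = []
    for flow in analyze_flows(text).values():
        rows.append({
            "client": "%s:%d" % flow["client"] if flow["client"] else None,
            "server": "%s:%d" % flow["server"] if flow["server"] else None,
            "status": classify(flow),
            "syn_retransmits": flow["syn_count"] - len(flow["syn_seqs"]),
            "synack_retransmits": flow["synack_count"] - len(flow["synack_seqs"]),
            "payload_bytes": flow["payload_bytes"],
        })
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

In a `tcpdump -i any` capture each packet is listed once per interface it crosses (the LAN capture further down shows the same segment two or three times), so read retransmit counts from a single-interface capture such as the eth0.2 one.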


#2

Why are your firewall redirects set to enabled='0'?


#3

Oops. For right now I have the port forwarding disabled. I turned it back on and updated the command outputs. I of course did the testing with the port forwarding enabled. But for now I keep it off until I can figure out what's wrong.


#4
iptables-save

#5

I updated the question with the output of that command. Thanks!


#6

Use this way:

tcpdump -ni any port 80

And test 80/TCP.

I'm pretty sure the redirect should work.
And the root of the issue is most likely the destination host's firewall.
You need to check both the hypervisor and VM firewalls.
Also verify that the HTTP service listener is not limited to localhost or the local subnet.


#7

Have you verified that your ISP permits inbound port 80/tcp to customer devices?


#8

Looks like it does, see the 2nd tcpdump log.


#9

Here is the output of tcpdump -ni any port 80 when connecting to :80 from another device on the LAN, where the connection does work:

21:16:21.446892 IP 192.168.1.201.62415 > 192.168.1.69.80: Flags [S], seq 2372878417, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:16:21.446923 IP 192.168.1.201.62415 > 192.168.1.69.80: Flags [S], seq 2372878417, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:16:21.447281 ethertype IPv4, IP 192.168.1.69.80 > 192.168.1.201.62415: Flags [S.], seq 3918520370, ack 2372878418, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
21:16:21.447281 IP 192.168.1.69.80 > 192.168.1.201.62415: Flags [S.], seq 3918520370, ack 2372878418, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
21:16:21.447325 IP 192.168.1.69.80 > 192.168.1.201.62415: Flags [S.], seq 3918520370, ack 2372878418, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
21:16:21.448530 IP 192.168.1.201.62415 > 192.168.1.69.80: Flags [.], ack 1, win 513, length 0
21:16:21.448571 IP 192.168.1.201.62415 > 192.168.1.69.80: Flags [.], ack 1, win 513, length 0
21:16:21.448618 IP 192.168.1.201.62415 > 192.168.1.69.80: Flags [P.], seq 1:415, ack 1, win 513, length 414: HTTP: GET / HTTP/1.1
21:16:21.448637 IP 192.168.1.201.62415 > 192.168.1.69.80: Flags [P.], seq 1:415, ack 1, win 513, length 414: HTTP: GET / HTTP/1.1
21:16:21.448888 ethertype IPv4, IP 192.168.1.69.80 > 192.168.1.201.62415: Flags [.], ack 415, win 237, length 0
21:16:21.448888 IP 192.168.1.69.80 > 192.168.1.201.62415: Flags [.], ack 415, win 237, length 0
21:16:21.448925 IP 192.168.1.69.80 > 192.168.1.201.62415: Flags [.], ack 415, win 237, length 0
21:16:21.450396 ethertype IPv4, IP 192.168.1.69.80 > 192.168.1.201.62415: Flags [P.], seq 1:18, ack 415, win 237, length 17: HTTP: HTTP/1.0 200 OK
21:16:21.450396 IP 192.168.1.69.80 > 192.168.1.201.62415: Flags [P.], seq 1:18, ack 415, win 237, length 17: HTTP: HTTP/1.0 200 OK
21:16:21.450451 IP 192.168.1.69.80 > 192.168.1.201.62415: Flags [P.], seq 1:18, ack 415, win 237, length 17: HTTP: HTTP/1.0 200 OK
21:16:21.450673 ethertype IPv4, IP 192.168.1.69.80 > 192.168.1.201.62415: Flags [FP.], seq 18:356, ack 415, win 237, length 338: HTTP
21:16:21.450673 IP 192.168.1.69.80 > 192.168.1.201.62415: Flags [FP.], seq 18:356, ack 415, win 237, length 338: HTTP
21:16:21.450720 IP 192.168.1.69.80 > 192.168.1.201.62415: Flags [FP.], seq 18:356, ack 415, win 237, length 338: HTTP
21:16:21.452383 IP 192.168.1.201.62415 > 192.168.1.69.80: Flags [.], ack 357, win 511, length 0
21:16:21.452420 IP 192.168.1.201.62415 > 192.168.1.69.80: Flags [.], ack 357, win 511, length 0
21:16:21.454358 IP 192.168.1.201.62415 > 192.168.1.69.80: Flags [F.], seq 415, ack 357, win 511, length 0
21:16:21.454391 IP 192.168.1.201.62415 > 192.168.1.69.80: Flags [F.], seq 415, ack 357, win 511, length 0
21:16:21.454667 ethertype IPv4, IP 192.168.1.69.80 > 192.168.1.201.62415: Flags [.], ack 416, win 237, length 0
21:16:21.454667 IP 192.168.1.69.80 > 192.168.1.201.62415: Flags [.], ack 416, win 237, length 0
21:16:21.454709 IP 192.168.1.69.80 > 192.168.1.201.62415: Flags [.], ack 416, win 237, length 0

Here is the output of tcpdump -ni any port 80 when connecting to :80 from a device NOT on the LAN, where the connection does NOT work. The browser tries loading for a few seconds before timing out:

21:16:26.788646 ethertype IPv4, IP 166.137.252.84.47677 > 69.126.101.201.80: Flags [S], seq 781762488, win 29200, options [mss 1460,sackOK,TS val 1453617499 ecr 0,nop,wscale 9], length 0
21:16:26.788646 IP 166.137.252.84.47677 > 69.126.101.201.80: Flags [S], seq 781762488, win 29200, options [mss 1460,sackOK,TS val 1453617499 ecr 0,nop,wscale 9], length 0
21:16:26.788790 IP 166.137.252.84.47677 > 192.168.1.69.80: Flags [S], seq 781762488, win 29200, options [mss 1460,sackOK,TS val 1453617499 ecr 0,nop,wscale 9], length 0
21:16:26.788813 IP 166.137.252.84.47677 > 192.168.1.69.80: Flags [S], seq 781762488, win 29200, options [mss 1460,sackOK,TS val 1453617499 ecr 0,nop,wscale 9], length 0
21:16:26.789908 ethertype IPv4, IP 192.168.1.69.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 65236 ecr 1453617499,nop,wscale 7], length 0
21:16:26.789908 IP 192.168.1.69.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 65236 ecr 1453617499,nop,wscale 7], length 0
21:16:26.789908 IP 192.168.1.69.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 65236 ecr 1453617499,nop,wscale 7], length 0
21:16:26.790034 IP 69.126.101.201.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 65236 ecr 1453617499,nop,wscale 7], length 0
21:16:27.789162 ethertype IPv4, IP 166.137.252.84.47677 > 69.126.101.201.80: Flags [S], seq 781762488, win 29200, options [mss 1460,sackOK,TS val 1453617749 ecr 0,nop,wscale 9], length 0
21:16:27.789162 IP 166.137.252.84.47677 > 69.126.101.201.80: Flags [S], seq 781762488, win 29200, options [mss 1460,sackOK,TS val 1453617749 ecr 0,nop,wscale 9], length 0
21:16:27.789270 IP 166.137.252.84.47677 > 192.168.1.69.80: Flags [S], seq 781762488, win 29200, options [mss 1460,sackOK,TS val 1453617749 ecr 0,nop,wscale 9], length 0
21:16:27.789291 IP 166.137.252.84.47677 > 192.168.1.69.80: Flags [S], seq 781762488, win 29200, options [mss 1460,sackOK,TS val 1453617749 ecr 0,nop,wscale 9], length 0
21:16:27.789760 ethertype IPv4, IP 192.168.1.69.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 65486 ecr 1453617499,nop,wscale 7], length 0
21:16:27.789760 IP 192.168.1.69.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 65486 ecr 1453617499,nop,wscale 7], length 0
21:16:27.789760 IP 192.168.1.69.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 65486 ecr 1453617499,nop,wscale 7], length 0
21:16:27.789861 IP 69.126.101.201.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 65486 ecr 1453617499,nop,wscale 7], length 0
21:16:28.817867 ethertype IPv4, IP 192.168.1.69.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 65744 ecr 1453617499,nop,wscale 7], length 0
21:16:28.817867 IP 192.168.1.69.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 65744 ecr 1453617499,nop,wscale 7], length 0
21:16:28.817867 IP 192.168.1.69.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 65744 ecr 1453617499,nop,wscale 7], length 0
21:16:28.817988 IP 69.126.101.201.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 65744 ecr 1453617499,nop,wscale 7], length 0
21:16:29.792206 ethertype IPv4, IP 166.137.252.84.47677 > 69.126.101.201.80: Flags [S], seq 781762488, win 29200, options [mss 1460,sackOK,TS val 1453618250 ecr 0,nop,wscale 9], length 0
21:16:29.792206 IP 166.137.252.84.47677 > 69.126.101.201.80: Flags [S], seq 781762488, win 29200, options [mss 1460,sackOK,TS val 1453618250 ecr 0,nop,wscale 9], length 0
21:16:29.792299 IP 166.137.252.84.47677 > 192.168.1.69.80: Flags [S], seq 781762488, win 29200, options [mss 1460,sackOK,TS val 1453618250 ecr 0,nop,wscale 9], length 0
21:16:29.792319 IP 166.137.252.84.47677 > 192.168.1.69.80: Flags [S], seq 781762488, win 29200, options [mss 1460,sackOK,TS val 1453618250 ecr 0,nop,wscale 9], length 0
21:16:29.792856 ethertype IPv4, IP 192.168.1.69.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 65987 ecr 1453617499,nop,wscale 7], length 0
21:16:29.792856 IP 192.168.1.69.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 65987 ecr 1453617499,nop,wscale 7], length 0
21:16:29.792856 IP 192.168.1.69.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 65987 ecr 1453617499,nop,wscale 7], length 0
21:16:29.792964 IP 69.126.101.201.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 65987 ecr 1453617499,nop,wscale 7], length 0
21:16:31.793917 ethertype IPv4, IP 192.168.1.69.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 66488 ecr 1453617499,nop,wscale 7], length 0
21:16:31.793917 IP 192.168.1.69.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 66488 ecr 1453617499,nop,wscale 7], length 0
21:16:31.793917 IP 192.168.1.69.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 66488 ecr 1453617499,nop,wscale 7], length 0
21:16:31.794040 IP 69.126.101.201.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 66488 ecr 1453617499,nop,wscale 7], length 0
21:16:33.978716 ethertype IPv4, IP 166.137.252.84.29067 > 69.126.101.201.80: Flags [S], seq 3884870141, win 29200, options [mss 1460,sackOK,TS val 1453619296 ecr 0,nop,wscale 9], length 0
21:16:33.978716 IP 166.137.252.84.29067 > 69.126.101.201.80: Flags [S], seq 3884870141, win 29200, options [mss 1460,sackOK,TS val 1453619296 ecr 0,nop,wscale 9], length 0
21:16:33.978865 IP 166.137.252.84.29067 > 192.168.1.69.80: Flags [S], seq 3884870141, win 29200, options [mss 1460,sackOK,TS val 1453619296 ecr 0,nop,wscale 9], length 0
21:16:33.978887 IP 166.137.252.84.29067 > 192.168.1.69.80: Flags [S], seq 3884870141, win 29200, options [mss 1460,sackOK,TS val 1453619296 ecr 0,nop,wscale 9], length 0
21:16:33.979469 ethertype IPv4, IP 192.168.1.69.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 67034 ecr 1453619296,nop,wscale 7], length 0
21:16:33.979469 IP 192.168.1.69.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 67034 ecr 1453619296,nop,wscale 7], length 0
21:16:33.979469 IP 192.168.1.69.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 67034 ecr 1453619296,nop,wscale 7], length 0
21:16:33.979589 IP 69.126.101.201.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 67034 ecr 1453619296,nop,wscale 7], length 0
21:16:34.979376 ethertype IPv4, IP 166.137.252.84.29067 > 69.126.101.201.80: Flags [S], seq 3884870141, win 29200, options [mss 1460,sackOK,TS val 1453619546 ecr 0,nop,wscale 9], length 0
21:16:34.979376 IP 166.137.252.84.29067 > 69.126.101.201.80: Flags [S], seq 3884870141, win 29200, options [mss 1460,sackOK,TS val 1453619546 ecr 0,nop,wscale 9], length 0
21:16:34.979486 IP 166.137.252.84.29067 > 192.168.1.69.80: Flags [S], seq 3884870141, win 29200, options [mss 1460,sackOK,TS val 1453619546 ecr 0,nop,wscale 9], length 0
21:16:34.979506 IP 166.137.252.84.29067 > 192.168.1.69.80: Flags [S], seq 3884870141, win 29200, options [mss 1460,sackOK,TS val 1453619546 ecr 0,nop,wscale 9], length 0
21:16:34.980044 ethertype IPv4, IP 192.168.1.69.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 67284 ecr 1453619296,nop,wscale 7], length 0
21:16:34.980044 IP 192.168.1.69.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 67284 ecr 1453619296,nop,wscale 7], length 0
21:16:34.980044 IP 192.168.1.69.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 67284 ecr 1453619296,nop,wscale 7], length 0
21:16:34.980152 IP 69.126.101.201.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 67284 ecr 1453619296,nop,wscale 7], length 0
21:16:35.921994 ethertype IPv4, IP 192.168.1.69.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 67520 ecr 1453617499,nop,wscale 7], length 0
21:16:35.921994 IP 192.168.1.69.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 67520 ecr 1453617499,nop,wscale 7], length 0
21:16:35.921994 IP 192.168.1.69.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 67520 ecr 1453617499,nop,wscale 7], length 0
21:16:35.922111 IP 69.126.101.201.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 67520 ecr 1453617499,nop,wscale 7], length 0
21:16:35.985986 ethertype IPv4, IP 192.168.1.69.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 67536 ecr 1453619296,nop,wscale 7], length 0
21:16:35.985986 IP 192.168.1.69.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 67536 ecr 1453619296,nop,wscale 7], length 0
21:16:35.985986 IP 192.168.1.69.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 67536 ecr 1453619296,nop,wscale 7], length 0
21:16:35.986102 IP 69.126.101.201.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 67536 ecr 1453619296,nop,wscale 7], length 0
21:16:36.982984 ethertype IPv4, IP 166.137.252.84.29067 > 69.126.101.201.80: Flags [S], seq 3884870141, win 29200, options [mss 1460,sackOK,TS val 1453620047 ecr 0,nop,wscale 9], length 0
21:16:36.982984 IP 166.137.252.84.29067 > 69.126.101.201.80: Flags [S], seq 3884870141, win 29200, options [mss 1460,sackOK,TS val 1453620047 ecr 0,nop,wscale 9], length 0
21:16:36.983078 IP 166.137.252.84.29067 > 192.168.1.69.80: Flags [S], seq 3884870141, win 29200, options [mss 1460,sackOK,TS val 1453620047 ecr 0,nop,wscale 9], length 0
21:16:36.983097 IP 166.137.252.84.29067 > 192.168.1.69.80: Flags [S], seq 3884870141, win 29200, options [mss 1460,sackOK,TS val 1453620047 ecr 0,nop,wscale 9], length 0
21:16:36.983506 ethertype IPv4, IP 192.168.1.69.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 67785 ecr 1453619296,nop,wscale 7], length 0
21:16:36.983506 IP 192.168.1.69.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 67785 ecr 1453619296,nop,wscale 7], length 0
21:16:36.983506 IP 192.168.1.69.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 67785 ecr 1453619296,nop,wscale 7], length 0
21:16:36.983607 IP 69.126.101.201.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 67785 ecr 1453619296,nop,wscale 7], length 0
21:16:38.994043 ethertype IPv4, IP 192.168.1.69.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 68288 ecr 1453619296,nop,wscale 7], length 0
21:16:38.994043 IP 192.168.1.69.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 68288 ecr 1453619296,nop,wscale 7], length 0
21:16:38.994043 IP 192.168.1.69.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 68288 ecr 1453619296,nop,wscale 7], length 0
21:16:38.994136 IP 69.126.101.201.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 68288 ecr 1453619296,nop,wscale 7], length 0
21:16:41.079200 ethertype IPv4, IP 166.137.252.84.38117 > 69.126.101.201.80: Flags [S], seq 1212099599, win 29200, options [mss 1460,sackOK,TS val 1453621071 ecr 0,nop,wscale 9], length 0
21:16:41.079200 IP 166.137.252.84.38117 > 69.126.101.201.80: Flags [S], seq 1212099599, win 29200, options [mss 1460,sackOK,TS val 1453621071 ecr 0,nop,wscale 9], length 0
21:16:41.079345 IP 166.137.252.84.38117 > 192.168.1.69.80: Flags [S], seq 1212099599, win 29200, options [mss 1460,sackOK,TS val 1453621071 ecr 0,nop,wscale 9], length 0
21:16:41.079368 IP 166.137.252.84.38117 > 192.168.1.69.80: Flags [S], seq 1212099599, win 29200, options [mss 1460,sackOK,TS val 1453621071 ecr 0,nop,wscale 9], length 0
21:16:41.079953 ethertype IPv4, IP 192.168.1.69.80 > 166.137.252.84.38117: Flags [S.], seq 2187288046, ack 1212099600, win 28960, options [mss 1460,sackOK,TS val 68809 ecr 1453621071,nop,wscale 7], length 0
21:16:41.079953 IP 192.168.1.69.80 > 166.137.252.84.38117: Flags [S.], seq 2187288046, ack 1212099600, win 28960, options [mss 1460,sackOK,TS val 68809 ecr 1453621071,nop,wscale 7], length 0
21:16:41.079953 IP 192.168.1.69.80 > 166.137.252.84.38117: Flags [S.], seq 2187288046, ack 1212099600, win 28960, options [mss 1460,sackOK,TS val 68809 ecr 1453621071,nop,wscale 7], length 0
21:16:41.080072 IP 69.126.101.201.80 > 166.137.252.84.38117: Flags [S.], seq 2187288046, ack 1212099600, win 28960, options [mss 1460,sackOK,TS val 68809 ecr 1453621071,nop,wscale 7], length 0
21:16:42.073933 ethertype IPv4, IP 166.137.252.84.38117 > 69.126.101.201.80: Flags [S], seq 1212099599, win 29200, options [mss 1460,sackOK,TS val 1453621321 ecr 0,nop,wscale 9], length 0
21:16:42.073933 IP 166.137.252.84.38117 > 69.126.101.201.80: Flags [S], seq 1212099599, win 29200, options [mss 1460,sackOK,TS val 1453621321 ecr 0,nop,wscale 9], length 0
21:16:42.074030 IP 166.137.252.84.38117 > 192.168.1.69.80: Flags [S], seq 1212099599, win 29200, options [mss 1460,sackOK,TS val 1453621321 ecr 0,nop,wscale 9], length 0
21:16:42.074050 IP 166.137.252.84.38117 > 192.168.1.69.80: Flags [S], seq 1212099599, win 29200, options [mss 1460,sackOK,TS val 1453621321 ecr 0,nop,wscale 9], length 0
21:16:42.075174 ethertype IPv4, IP 192.168.1.69.80 > 166.137.252.84.38117: Flags [S.], seq 2187288046, ack 1212099600, win 28960, options [mss 1460,sackOK,TS val 69058 ecr 1453621071,nop,wscale 7], length 0
21:16:42.075174 IP 192.168.1.69.80 > 166.137.252.84.38117: Flags [S.], seq 2187288046, ack 1212099600, win 28960, options [mss 1460,sackOK,TS val 69058 ecr 1453621071,nop,wscale 7], length 0
21:16:42.075174 IP 192.168.1.69.80 > 166.137.252.84.38117: Flags [S.], seq 2187288046, ack 1212099600, win 28960, options [mss 1460,sackOK,TS val 69058 ecr 1453621071,nop,wscale 7], length 0
21:16:42.075295 IP 69.126.101.201.80 > 166.137.252.84.38117: Flags [S.], seq 2187288046, ack 1212099600, win 28960, options [mss 1460,sackOK,TS val 69058 ecr 1453621071,nop,wscale 7], length 0
21:16:43.090137 ethertype IPv4, IP 192.168.1.69.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 69312 ecr 1453619296,nop,wscale 7], length 0
21:16:43.090137 IP 192.168.1.69.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 69312 ecr 1453619296,nop,wscale 7], length 0
21:16:43.090137 IP 192.168.1.69.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 69312 ecr 1453619296,nop,wscale 7], length 0
21:16:43.090257 IP 69.126.101.201.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 69312 ecr 1453619296,nop,wscale 7], length 0
21:16:43.090290 ethertype IPv4, IP 192.168.1.69.80 > 166.137.252.84.38117: Flags [S.], seq 2187288046, ack 1212099600, win 28960, options [mss 1460,sackOK,TS val 69312 ecr 1453621071,nop,wscale 7], length 0
21:16:43.090290 IP 192.168.1.69.80 > 166.137.252.84.38117: Flags [S.], seq 2187288046, ack 1212099600, win 28960, options [mss 1460,sackOK,TS val 69312 ecr 1453621071,nop,wscale 7], length 0
21:16:43.090290 IP 192.168.1.69.80 > 166.137.252.84.38117: Flags [S.], seq 2187288046, ack 1212099600, win 28960, options [mss 1460,sackOK,TS val 69312 ecr 1453621071,nop,wscale 7], length 0
21:16:44.080468 ethertype IPv4, IP 166.137.252.84.38117 > 69.126.101.201.80: Flags [S], seq 1212099599, win 29200, options [mss 1460,sackOK,TS val 1453621822 ecr 0,nop,wscale 9], length 0
21:16:44.080468 IP 166.137.252.84.38117 > 69.126.101.201.80: Flags [S], seq 1212099599, win 29200, options [mss 1460,sackOK,TS val 1453621822 ecr 0,nop,wscale 9], length 0
21:16:44.080559 IP 166.137.252.84.38117 > 192.168.1.69.80: Flags [S], seq 1212099599, win 29200, options [mss 1460,sackOK,TS val 1453621822 ecr 0,nop,wscale 9], length 0
21:16:44.080578 IP 166.137.252.84.38117 > 192.168.1.69.80: Flags [S], seq 1212099599, win 29200, options [mss 1460,sackOK,TS val 1453621822 ecr 0,nop,wscale 9], length 0
21:16:44.081114 ethertype IPv4, IP 192.168.1.69.80 > 166.137.252.84.38117: Flags [S.], seq 2187288046, ack 1212099600, win 28960, options [mss 1460,sackOK,TS val 69559 ecr 1453621071,nop,wscale 7], length 0
21:16:44.081114 IP 192.168.1.69.80 > 166.137.252.84.38117: Flags [S.], seq 2187288046, ack 1212099600, win 28960, options [mss 1460,sackOK,TS val 69559 ecr 1453621071,nop,wscale 7], length 0
21:16:44.081114 IP 192.168.1.69.80 > 166.137.252.84.38117: Flags [S.], seq 2187288046, ack 1212099600, win 28960, options [mss 1460,sackOK,TS val 69559 ecr 1453621071,nop,wscale 7], length 0
21:16:44.081223 IP 69.126.101.201.80 > 166.137.252.84.38117: Flags [S.], seq 2187288046, ack 1212099600, win 28960, options [mss 1460,sackOK,TS val 69559 ecr 1453621071,nop,wscale 7], length 0
21:16:44.114153 ethertype IPv4, IP 192.168.1.69.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 69568 ecr 1453617499,nop,wscale 7], length 0
21:16:44.114153 IP 192.168.1.69.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 69568 ecr 1453617499,nop,wscale 7], length 0
21:16:44.114153 IP 192.168.1.69.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 69568 ecr 1453617499,nop,wscale 7], length 0
21:16:44.114269 IP 69.126.101.201.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, options [mss 1460,sackOK,TS val 69568 ecr 1453617499,nop,wscale 7], length 0
21:16:46.098187 ethertype IPv4, IP 192.168.1.69.80 > 166.137.252.84.38117: Flags [S.], seq 2187288046, ack 1212099600, win 28960, options [mss 1460,sackOK,TS val 70064 ecr 1453621071,nop,wscale 7], length 0
21:16:46.098187 IP 192.168.1.69.80 > 166.137.252.84.38117: Flags [S.], seq 2187288046, ack 1212099600, win 28960, options [mss 1460,sackOK,TS val 70064 ecr 1453621071,nop,wscale 7], length 0
21:16:46.098187 IP 192.168.1.69.80 > 166.137.252.84.38117: Flags [S.], seq 2187288046, ack 1212099600, win 28960, options [mss 1460,sackOK,TS val 70064 ecr 1453621071,nop,wscale 7], length 0
21:16:46.098306 IP 69.126.101.201.80 > 166.137.252.84.38117: Flags [S.], seq 2187288046, ack 1212099600, win 28960, options [mss 1460,sackOK,TS val 70064 ecr 1453621071,nop,wscale 7], length 0
21:16:50.258271 ethertype IPv4, IP 192.168.1.69.80 > 166.137.252.84.38117: Flags [S.], seq 2187288046, ack 1212099600, win 28960, options [mss 1460,sackOK,TS val 71104 ecr 1453621071,nop,wscale 7], length 0
21:16:50.258271 IP 192.168.1.69.80 > 166.137.252.84.38117: Flags [S.], seq 2187288046, ack 1212099600, win 28960, options [mss 1460,sackOK,TS val 71104 ecr 1453621071,nop,wscale 7], length 0
21:16:50.258271 IP 192.168.1.69.80 > 166.137.252.84.38117: Flags [S.], seq 2187288046, ack 1212099600, win 28960, options [mss 1460,sackOK,TS val 71104 ecr 1453621071,nop,wscale 7], length 0
21:16:50.258396 IP 69.126.101.201.80 > 166.137.252.84.38117: Flags [S.], seq 2187288046, ack 1212099600, win 28960, options [mss 1460,sackOK,TS val 71104 ecr 1453621071,nop,wscale 7], length 0
21:16:51.282289 ethertype IPv4, IP 192.168.1.69.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 71360 ecr 1453619296,nop,wscale 7], length 0
21:16:51.282289 IP 192.168.1.69.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 71360 ecr 1453619296,nop,wscale 7], length 0
21:16:51.282289 IP 192.168.1.69.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 71360 ecr 1453619296,nop,wscale 7], length 0
21:16:51.282401 IP 69.126.101.201.80 > 166.137.252.84.29067: Flags [S.], seq 2920045006, ack 3884870142, win 28960, options [mss 1460,sackOK,TS val 71360 ecr 1453619296,nop,wscale 7], length 0

#10

I have tried this on my bare-metal server too. It is a clean install of Linux with nothing on it, no firewall or anything.

Also, if I forward port :12345 from the WAN to the web server on the LAN device, regardless of the port it is on, then it does work. It's only if I try :80 from the WAN.

So I know the HTTP service is not limited to localhost or the local subnet.


#11

The only thing I am wondering is, I had followed a guide online to configure my DNS to use TLS. I don't know if maybe that would cause an issue?

This is the guide I followed: https://candrews.integralblue.com/2018/08/dns-over-tls-on-openwrt-18-06/.


#12

See, port forwarding works as expected:

It means the OpenWrt firewall does its work properly.
There's also a reply and masquerading:

You can add verbosity or run Wireshark to see what is inside of it.

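The stages #12 points at in the capture (SYN on the WAN address, the same SYN after DNAT to the LAN host, the server's SYN-ACK, the masqueraded copy leaving on the WAN address, and finally the client's ACK, which never appears in the port-80 trace) can be checked mechanically. The script below is an added example for this thread, not code from the OpenWrt project or from anyone in the discussion. It parses `tcpdump -ni any` lines, groups them per client flow, and reports at which stage a forward breaks; its sample capture is constructed: the port-80 lines are cut down from the failing trace above (TCP options trimmed), and the port-12345 lines are a made-up successful forward to SSH on port 22 in the same shape, included for contrast. The addresses are the ones the thread uses, which the poster had already anonymised.

```python
"""Walk a DNAT port forward stage by stage from `tcpdump -ni any` output."""
import re

# Addresses exactly as they appear in the thread's (already anonymised) capture.
PUBLIC_IP = "69.126.101.201"   # router WAN address
LAN_SERVER = "192.168.1.69"    # port-forward target on the LAN

# Matches both line variants `-i any` prints ("ethertype IPv4, IP ..." and "IP ...").
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?:ethertype IPv4, )?IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample: port-80 lines follow the thread's failing capture (options
# trimmed); port-12345 lines are a made-up successful forward to SSH on port 22.
SAMPLE_CAPTURE = """\
21:16:26.788646 ethertype IPv4, IP 166.137.252.84.47677 > 69.126.101.201.80: Flags [S], seq 781762488, win 29200, length 0
21:16:26.788646 IP 166.137.252.84.47677 > 69.126.101.201.80: Flags [S], seq 781762488, win 29200, length 0
21:16:26.788790 IP 166.137.252.84.47677 > 192.168.1.69.80: Flags [S], seq 781762488, win 29200, length 0
21:16:26.789908 IP 192.168.1.69.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, length 0
21:16:26.790034 IP 69.126.101.201.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, length 0
21:16:27.789760 IP 192.168.1.69.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, length 0
21:16:27.789861 IP 69.126.101.201.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, length 0
21:16:28.817867 IP 192.168.1.69.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, length 0
21:16:28.817988 IP 69.126.101.201.80 > 166.137.252.84.47677: Flags [S.], seq 2624113833, ack 781762489, win 28960, length 0
22:48:32.563009 IP 107.107.60.95.48763 > 69.126.101.201.12345: Flags [S], seq 3643764460, win 65535, length 0
22:48:32.563100 IP 107.107.60.95.48763 > 192.168.1.69.22: Flags [S], seq 3643764460, win 65535, length 0
22:48:32.564800 IP 192.168.1.69.22 > 107.107.60.95.48763: Flags [S.], seq 2236148311, ack 3643764461, win 28960, length 0
22:48:32.564947 IP 69.126.101.201.12345 > 107.107.60.95.48763: Flags [S.], seq 2236148311, ack 3643764461, win 28960, length 0
22:48:32.597238 IP 107.107.60.95.48763 > 69.126.101.201.12345: Flags [.], ack 1, win 2058, length 0
22:48:32.597300 IP 107.107.60.95.48763 > 192.168.1.69.22: Flags [.], ack 1, win 2058, length 0
"""


def parse(lines):
    """Yield one dict per tcpdump line that looks like a TCP packet."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            yield p


def diagnose(f):
    """Turn the stage flags of one flow into a one-line verdict."""
    if not f["wan_syn"]:
        return "no SYN seen on the WAN address"
    if not f["dnat_ok"]:
        return "SYN was not rewritten to the LAN server: check the redirect rule"
    if not f["server_synack"]:
        return "LAN server never answered: check the service or host firewall"
    if not f["snat_ok"]:
        return "SYN-ACK was not masqueraded back to the WAN address"
    if f["client_ack"]:
        return "handshake completed"
    return (f"router sent the SYN-ACK {f['synack_retries']} time(s) but no ACK "
            "ever came back: the reply is lost upstream of the router")


def analyse(lines, public_ip=PUBLIC_IP, lan_server=LAN_SERVER):
    """Return {(client_ip, client_port): stages} for every flow in the capture."""
    router_side = {public_ip, lan_server}
    flows = {}

    def flow(ip, port):
        return flows.setdefault((ip, port), {
            "wan_syn": False, "dnat_ok": False, "server_synack": False,
            "snat_ok": False, "client_ack": False, "_synack_ts": set()})

    for p in parse(lines):
        src, dst, flags = p["src"], p["dst"], p["flags"]
        if src not in router_side and dst in router_side:       # client -> router
            f = flow(src, p["sport"])
            if flags == "S":
                if dst == public_ip:
                    f["wan_syn"] = True        # SYN as it arrived on the WAN
                else:
                    f["dnat_ok"] = True        # same SYN after DNAT to the LAN server
            elif "S" not in flags and "R" not in flags:
                f["client_ack"] = True         # any later non-SYN segment means the ACK arrived
        elif src in router_side and dst not in router_side:     # router -> client
            f = flow(dst, p["dport"])
            if flags == "S.":
                if src == lan_server:
                    f["server_synack"] = True  # server's reply before NAT
                    f["_synack_ts"].add(p["ts"])  # timestamps dedupe `-i any` duplicates
                else:
                    f["snat_ok"] = True        # same reply, masqueraded to the WAN address

    for f in flows.values():
        f["synack_retries"] = len(f.pop("_synack_ts"))
        f["verdict"] = diagnose(f)
    return flows


if __name__ == "__main__":
    for (ip, port), f in analyse(SAMPLE_CAPTURE.splitlines()).items():
        print(f"{ip}:{port}  dnat={f['dnat_ok']} snat={f['snat_ok']} "
              f"ack={f['client_ack']}  -> {f['verdict']}")
```

Run against a real capture with `tcpdump -ni any port 80 | python3 this_script.py`-style piping after swapping `SAMPLE_CAPTURE` for `sys.stdin`, and set `PUBLIC_IP` and `LAN_SERVER` to your own addresses. The port-80 flow comes out with every router-side stage passed and the SYN-ACK retransmitted three times with no ACK, which is exactly the pattern that points outside the router, as the thread's resolution confirms; the port-12345 flow reports a completed handshake.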

#13

I am so sorry guys. This was a user error. It turns out my ISP was blocking the traffic. I called them and they unblocked it.

It still confuses me since the router was getting the traffic but I guess they were doing something on their end to block it from going back out.