[Solved] Strange behavior when port forwarding

Hey Guys,

I'm trying to figure out why my port forward isn't working.

First of all some information about the situation.

Due to the quarantine I want to host a Cities Skyline multiplayer server for me and my friends.

I have set up the port forwarding as explained in many tutorials.
I have tried numerous configurations and, because of that, I have also collected a lot of data about it.

Now some info about the actual configs and findings:

I have bought some options from my ISP:

  1. All ports are open
  2. Static IP: (84.20.xx.xx/28) / Gateway: 84.20.xx.xx

Below is a screenshot of the ordered and ACTIVE options of my ISP:

Now I will attach a screenshot of my port forwarding, configured and active in OpenWrt through LuCI, because I'm not that familiar with configuring firewalls through the CLI:

Also, here's a screenshot of my overall firewall settings:

Also, I opened the ports in the Windows Firewall:

Now the curious things:

With the following tcpdump command:

tcpdump -pnvvi wwan1 port 49150

I sniff on the WAN port with tcpdump running on the OpenWrt device, and I get this when doing a port check with Port Checker:

tcpdump: listening on wwan1, link-type RAW (Raw IP), capture size 262144 bytes
06:58:25.801812 IP (tos 0x0, ttl 49, id 63213, offset 0, flags [DF], proto TCP (6), length 60)
    198.199.98.246.38094 > 84.20.187.167.49150: Flags [S], cksum 0x6f23 (correct), seq 1773835175, win 14600, options [mss 1400,sackOK,TS val 2937873738 ecr 0,nop,wscale 8], length 0
06:58:25.802020 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    84.20.187.167.49150 > 198.199.98.246.38094: Flags [R.], cksum 0x2427 (correct), seq 0, ack 1773835176, win 0, length 0
06:58:25.986937 IP (tos 0x0, ttl 49, id 23, offset 0, flags [DF], proto TCP (6), length 60)
    198.199.98.246.38096 > 84.20.187.167.49150: Flags [S], cksum 0x8993 (correct), seq 2102551918, win 14600, options [mss 1400,sackOK,TS val 2937873785 ecr 0,nop,wscale 8], length 0
06:58:25.987227 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    84.20.187.167.49150 > 198.199.98.246.38096: Flags [R.], cksum 0x3ec6 (correct), seq 0, ack 2102551919, win 0, length 0
06:58:26.174914 IP (tos 0x0, ttl 49, id 64572, offset 0, flags [DF], proto TCP (6), length 60)
    198.199.98.246.38097 > 84.20.187.167.49150: Flags [S], cksum 0x7697 (correct), seq 1542625691, win 14600, options [mss 1400,sackOK,TS val 2937873831 ecr 0,nop,wscale 8], length 0
06:58:26.175190 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    84.20.187.167.49150 > 198.199.98.246.38097: Flags [R.], cksum 0x2bf8 (correct), seq 0, ack 1542625692, win 0, length 0

And that's the actual conclusion why I think my ISP isn't blocking it: the packets are arriving.

And that's the next problem, because I don't know if tcpdump actually sniffs/catches only the outgoing requests or also the incoming ones?

But when sniffing on the bridged LAN or only on eth1 I don't get any packets at all.

What did I do wrong?

I kindly ask you to answer as detailed as possible so that other inexperienced users, and also I, will understand the answers and may take advantage of this thread.

Thanks in advance for your help!!

Answer from @psherman:

Your source and destination zones in the port forwarding configuration are backwards.

Thanks for the input!
I changed this setting, but when sniffing with tcpdump on eth1 or br-lan I still can't capture anything.

root@OpenWrt:~#  tcpdump -pnvvi eth1 port 49150
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
root@OpenWrt:~#  tcpdump -pnvvi br-lan port 49150
tcpdump: listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
4 packets received by filter
0 packets dropped by kernel

Answer #2 of @psherman:

You also may need to add the port number 49150 to the internal port field.

Make sure the service is active and can be reached from within your network. Once that is proven to work, test from outside your network

I also changed this, but tcpdump still can't sniff any packets on eth1 or br-lan when doing a port check with the above-mentioned port checker.

Your source and destination zones in the port forwarding configuration are backwards.

5 Likes

Replied in initial post for clearance!

You also may need to add the port number 49150 to the internal port field.

Make sure the service is active and can be reached from within your network. Once that is proven to work, test from outside your network.

You also may need to add the port number 49150 to the internal port field.
Make sure the service is active and can be reached from within your network. Once that is proven to work, test from outside your network.

I have changed the setting, but tcpdump still can't sniff any packets.

What did you mean by "make sure the service is active"?
Which service did you mean? The Cities Skyline server service?
If yes: when the port forwarding works as expected, shouldn't tcpdump be able to sniff packets when I do a port check while listening on port 49150?

Heres my firewall config file:
/etc/config/firewall


config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wantolan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'A1net wan wan6'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 A1net'
        option input 'REJECT'
        option forward 'DROP'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config redirect
        option target 'DNAT'
        option name 'cities skyline'
        option src_dport '49150'
        option src 'wan'
        option dest 'lan'
        option dest_port '49150'

Your "redirect" section does not mention any internal IP address where packets should be sent.

It's because it's set to "any".

Also, you mention a "wwan1" interface, there is also an "A1net" mentioned somewhere else, plus a "wantolan" zone that was not mentioned before...

For clarification:

A1net is the name of it and wwan1 is the interface itself. They are the same.

This wantolan zone was an old attempt of mine to get it to work, but it looks like LuCI didn't delete it completely.

I have deleted this zone now, but tcpdump still doesn't sniff anything.

Is it just me, or is the WAN firewall zone not connected to any of the interfaces above?

According to your config file, you have created another zone, wantolan, but this zone is not being forwarded to LAN. You mentioned you deleted it, but please make sure any leftovers are completely gone from the config.

In my router, I have forwarded a port for torrent downloading and it works flawlessly. So I am not sure but there could be a problem with your current config if it is not working for you.

1 Like

Add the IP of the Windows server in the "destination IP" field of the redirect.
Restart the firewall, and if there is still a problem post the output of the following here:
uci export network; uci export firewall; iptables-save -c;

You do understand that you're trying to forward to your server, correct?

Therefore, Port forwarding those server connections to Any_LAN_IP would obviously be invalid.

As noted by others, that needs to be fixed.

OK, I typed in the destination IP.
Still no luck.

Here's the requested data, @trendy:

package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fddc:139c:3fbd::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1 eth2'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

config interface 'A1net'
        option proto 'modemmanager'
        option device '/sys/devices/pci0000:00/0000:00:13.0/usb1/1-1/1-1.3'
        option apn 'fixip.a1.net'
        option auth 'both'
        option username 'ppp@a1plus.at'
        option password 'ppp'
        option iptype 'ipv4v6'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 A1net'
        option input 'REJECT'
        option forward 'DROP'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config redirect
        option target 'DNAT'
        option name 'cities skyline'
        option src_dport '49150'
        option src 'wan'
        option dest 'lan'
        option dest_port '49150'
        option dest_ip '192.168.1.238'

# Generated by iptables-save v1.8.4 on Tue Mar 31 10:32:04 2020
*nat
:PREROUTING ACCEPT [68:13802]
:INPUT ACCEPT [13:3228]
:OUTPUT ACCEPT [17:1551]
:POSTROUTING ACCEPT [13:1136]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[75:14202] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[59:12336] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_wan_prerouting
[16:1866] -A PREROUTING -i wwan1 -m comment --comment "!fw3" -j zone_wan_prerouting
[77:11339] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[13:1136] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_wan_postrouting
[64:10203] -A POSTROUTING -o wwan1 -m comment --comment "!fw3" -j zone_wan_postrouting
[13:1136] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.238/32 -p tcp -m tcp --dport 49150 -m comment --comment "!fw3: cities skyline (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.238/32 -p udp -m udp --dport 49150 -m comment --comment "!fw3: cities skyline (reflection)" -j SNAT --to-source 192.168.1.1
[59:12336] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 84.20.187.167/32 -p tcp -m tcp --dport 49150 -m comment --comment "!fw3: cities skyline (reflection)" -j DNAT --to-destination 192.168.1.238:49150
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 84.20.187.167/32 -p udp -m udp --dport 49150 -m comment --comment "!fw3: cities skyline (reflection)" -j DNAT --to-destination 192.168.1.238:49150
[64:10203] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[64:10203] -A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
[64:10203] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[16:1866] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[6:360] -A zone_wan_prerouting -p tcp -m tcp --dport 49150 -m comment --comment "!fw3: cities skyline" -j DNAT --to-destination 192.168.1.238:49150
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 49150 -m comment --comment "!fw3: cities skyline" -j DNAT --to-destination 192.168.1.238:49150
[10:1506] -A zone_wan_prerouting -j MINIUPNPD
COMMIT
# Completed on Tue Mar 31 10:32:04 2020
# Generated by iptables-save v1.8.4 on Tue Mar 31 10:32:04 2020
*raw
:PREROUTING ACCEPT [1640:727667]
:OUTPUT ACCEPT [337:52311]
:zone_lan_helper - [0:0]
[866:93903] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
COMMIT
# Completed on Tue Mar 31 10:32:04 2020
# Generated by iptables-save v1.8.4 on Tue Mar 31 10:32:04 2020
*mangle
:PREROUTING ACCEPT [1642:727747]
:INPUT ACCEPT [297:20467]
:FORWARD ACCEPT [1345:707280]
:OUTPUT ACCEPT [342:53311]
:POSTROUTING ACCEPT [1669:759787]
[0:0] -A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[18:1056] -A FORWARD -o wwan1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Mar 31 10:32:04 2020
# Generated by iptables-save v1.8.4 on Tue Mar 31 10:32:04 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[300:20587] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[239:11569] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2:88] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[40:6964] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
[21:2054] -A INPUT -i wwan1 -m comment --comment "!fw3" -j zone_wan_input
[1345:707280] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[1274:694713] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[59:11847] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
[12:720] -A FORWARD -i wwan1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[347:54359] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[320:52168] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[8:1056] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
[19:1135] -A OUTPUT -o wwan1 -m comment --comment "!fw3" -j zone_wan_output
[20:2013] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[1:41] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[2:88] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[8:1056] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[59:11847] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[59:11847] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[40:6964] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[40:6964] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[8:1056] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[8:1056] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[40:6964] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
[18:804] -A zone_wan_dest_ACCEPT -o wwan1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[60:12178] -A zone_wan_dest_ACCEPT -o wwan1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_DROP -o eth0 -m comment --comment "!fw3" -j DROP
[0:0] -A zone_wan_dest_DROP -o wwan1 -m comment --comment "!fw3" -j DROP
[12:720] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[12:720] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -j MINIUPNPD
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_DROP
[21:2054] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[21:2054] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[19:1135] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[19:1135] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0 -m comment --comment "!fw3" -j reject
[21:2054] -A zone_wan_src_REJECT -i wwan1 -m comment --comment "!fw3" -j reject
COMMIT

My Desktop is connected to eth1 BTW.

What has changed now is that tcpdump can sniff packets on br-lan when I do a port check, but the port check still fails:

tcpdump -pnvvi br-lan port 49150
tcpdump: listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
10:39:25.814516 IP (tos 0x0, ttl 48, id 20949, offset 0, flags [DF], proto TCP (6), length 60)
    198.199.98.246.56542 > 192.168.1.238.49150: Flags [S], cksum 0xf167 (correct), seq 1064348439, win 14600, options [mss 1400,sackOK,TS val 2941188802 ecr 0,nop,wscale 8], length 0
10:39:26.813512 IP (tos 0x0, ttl 48, id 20950, offset 0, flags [DF], proto TCP (6), length 60)
    198.199.98.246.56542 > 192.168.1.238.49150: Flags [S], cksum 0xf06d (correct), seq 1064348439, win 14600, options [mss 1400,sackOK,TS val 2941189052 ecr 0,nop,wscale 8], length 0
10:39:26.817611 IP (tos 0x0, ttl 48, id 18413, offset 0, flags [DF], proto TCP (6), length 60)
    198.199.98.246.56546 > 192.168.1.238.49150: Flags [S], cksum 0x2b09 (correct), seq 4086742097, win 14600, options [mss 1400,sackOK,TS val 2941189052 ecr 0,nop,wscale 8], length 0
10:39:27.840706 IP (tos 0x0, ttl 48, id 18414, offset 0, flags [DF], proto TCP (6), length 60)
    198.199.98.246.56546 > 192.168.1.238.49150: Flags [S], cksum 0x2a0f (correct), seq 4086742097, win 14600, options [mss 1400,sackOK,TS val 2941189302 ecr 0,nop,wscale 8], length 0
10:39:27.841597 IP (tos 0x0, ttl 48, id 7014, offset 0, flags [DF], proto TCP (6), length 60)
    198.199.98.246.56548 > 192.168.1.238.49150: Flags [S], cksum 0x0990 (correct), seq 3902072784, win 14600, options [mss 1400,sackOK,TS val 2941189302 ecr 0,nop,wscale 8], length 0
10:39:28.880087 IP (tos 0x0, ttl 48, id 7015, offset 0, flags [DF], proto TCP (6), length 60)
    198.199.98.246.56548 > 192.168.1.238.49150: Flags [S], cksum 0x0896 (correct), seq 3902072784, win 14600, options [mss 1400,sackOK,TS val 2941189552 ecr 0,nop,wscale 8], length 0

@ahmar16 How can I search for things LuCI didn't reset, for the future?
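The advice above is to read the hit counters of `iptables-save -c` rather than trust a port checker. The following is an added example (not code from the thread or from OpenWrt) that does exactly that: it parses an `iptables-save -c` dump, finds the DNAT rule(s) for a given port in the nat table and the fw3 "Accept port forwards" rule in the filter table, and turns their packet counters into a verdict. The embedded sample is constructed from a few lines of the dump posted above; the script name `fw_counters.py` and the verdict wording are my own.

```python
"""Report the packet counters a DNAT port forward depends on.

Added example, not part of the original thread. Reads `iptables-save -c`
output (from stdin, or the constructed sample below when stdin is a tty):

    iptables-save -c | python3 fw_counters.py 49150   # file name is an assumption
"""
import re
import sys

# Constructed sample: lines copied from the iptables-save -c output in the thread.
SAMPLE_DUMP = """\
*nat
[16:1866] -A PREROUTING -i wwan1 -m comment --comment "!fw3" -j zone_wan_prerouting
[6:360] -A zone_wan_prerouting -p tcp -m tcp --dport 49150 -m comment --comment "!fw3: cities skyline" -j DNAT --to-destination 192.168.1.238:49150
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 49150 -m comment --comment "!fw3: cities skyline" -j DNAT --to-destination 192.168.1.238:49150
COMMIT
*filter
[12:720] -A FORWARD -i wwan1 -m comment --comment "!fw3" -j zone_wan_forward
[12:720] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_DROP
COMMIT
"""

# "[packets:bytes] -A <chain> <rest of rule>"
RULE_RE = re.compile(r'^\[(\d+):(\d+)\] -A (\S+) (.*)$')


def parse_counters(dump):
    """Yield (table, chain, packets, bytes, rule_text) for every counted rule."""
    table = None
    for line in dump.splitlines():
        if line.startswith('*'):          # "*nat", "*filter", ...: table header
            table = line[1:].strip()
            continue
        m = RULE_RE.match(line)
        if m:
            pkts, byts, chain, rest = m.groups()
            yield table, chain, int(pkts), int(byts), rest


def forward_status(dump, port):
    """Summarise whether the DNAT forward for `port` is seeing traffic.

    Returns {'dnat': {proto: packets}, 'accepted': packets, 'verdict': str}.
    A non-zero DNAT counter means WAN packets reached the redirect and were
    rewritten; a non-zero "Accept port forwards" counter means the rewritten
    packets were let through FORWARD, so the router's part is done.
    """
    dnat, accepted = {}, 0
    for table, _chain, pkts, _byts, rest in parse_counters(dump):
        if table == 'nat' and '-j DNAT' in rest and '--dport %d' % port in rest:
            proto = re.search(r'-p (\w+)', rest).group(1)
            dnat[proto] = pkts
        if table == 'filter' and 'Accept port forwards' in rest and '-j ACCEPT' in rest:
            accepted += pkts
    if sum(dnat.values()) == 0:
        verdict = ('no packets hit the DNAT rule: traffic is not reaching the WAN zone '
                   'or the redirect does not match')
    elif accepted == 0:
        verdict = 'DNAT hit but nothing accepted in FORWARD: check the zone forwarding'
    else:
        verdict = 'forward works on the router; if the service is unreachable, look at the server host'
    return {'dnat': dnat, 'accepted': accepted, 'verdict': verdict}


if __name__ == '__main__':
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 49150
    dump = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    print(forward_status(dump, port))
```

Run it twice a few seconds apart while a friend (or the port checker) connects: the TCP DNAT counter and the "Accept port forwards" counter must both grow. If they do, as in the sample (6 DNAT hits, 12 accepted packets), the remaining problem is on the host the packets are forwarded to.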

I think you forgot that your graphic shows the OpenWrt-declared WAN interface isn't in the WAN zone for some reason... that would need to be fixed too.

It's there by default...not sure how you managed to remove it.

You mean br-lan (which hopefully contains eth0), correct?

@lleachii

eth0 is the WAN port? Should it be a member of br-lan?

br-lan is the bridge, as I understood it, and eth1 is the interface/port on my APU2c4, where eth1 is a member of the br-lan bridge.

Don't use port checks, they are often misleading.
Try to play the game.
Packets are forwarded to your server and if everything is configured properly there it will work.

@trendy
Do the configs look good so far?

And is there another possibility or way to check whether the port forwarding works, e.g. netstat or something like that?
Because right now my friends are not at their PCs and therefore I can't tell them to test the connection.
But I think there must be another way to prove that the port forwarding works?

Port forwarding works. There are hits on the firewall and packets captured on the br-lan.
If something doesn't work, then it is the windows server.

2 Likes

As long as you set up your tcpdump and firewall zone correctly, you can listen on the Windows machine (with e.g. Wireshark). That would be best to see the forwarding thru-and-thru.

Testing the game is always best (as that would eliminate the Windows Firewall as well).

OK, as I understood it: start Wireshark on the Ethernet port of my Windows machine and put in a filter like the one below:

tcp.port == 49150 || udp.port == 49150

That's the output of it after doing a port check:

Is it possible that the port scan fails because my computer doesn't send any SYN-ACK?
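The two captures in this thread show the two failure modes a port-forward debugging session runs into: on the WAN side, every SYN to 84.20.187.167:49150 was immediately answered with a RST from that same address (ttl 64, IP id 0), which is the router's own `REJECT --reject-with tcp-reset` from the `reject` chain in the iptables dump, not a relayed answer; on the LAN side, after the redirect was fixed, the SYNs reach 192.168.1.238 but are retransmitted with the same sequence number and never get a SYN-ACK, so the Windows host is not answering. The following added example (my code, not from the thread or from OpenWrt) parses the two-line records that `tcpdump -pnvv` prints and classifies each client SYN accordingly. The "reset by router" rule is a heuristic assumption: a RST with ttl 64 and id 0 coming from the public address is what a Linux router generates itself, whereas a reply relayed from a Windows host behind it would arrive with a different ttl. The sample captures are copied from the thread.

```python
"""Classify the TCP handshakes in a `tcpdump -v` text capture.

Added example, not part of the original thread. Each packet is two lines:
"<time> IP (tos ..., ttl N, id M, ...)" followed by an indented
"src.port > dst.port: Flags [..], ..., seq S, ..." line.
Usage: tcpdump -pnvvi wwan1 port 49150 > cap.txt; python3 classify.py cap.txt
(the file names are assumptions).
"""
import re
import sys

# Constructed samples copied from the thread: WAN-side capture (before the fix)
# and br-lan capture (after the redirect got a destination IP).
WAN_CAPTURE = """\
06:58:25.801812 IP (tos 0x0, ttl 49, id 63213, offset 0, flags [DF], proto TCP (6), length 60)
    198.199.98.246.38094 > 84.20.187.167.49150: Flags [S], cksum 0x6f23 (correct), seq 1773835175, win 14600, options [mss 1400,sackOK,TS val 2937873738 ecr 0,nop,wscale 8], length 0
06:58:25.802020 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    84.20.187.167.49150 > 198.199.98.246.38094: Flags [R.], cksum 0x2427 (correct), seq 0, ack 1773835176, win 0, length 0
06:58:25.986937 IP (tos 0x0, ttl 49, id 23, offset 0, flags [DF], proto TCP (6), length 60)
    198.199.98.246.38096 > 84.20.187.167.49150: Flags [S], cksum 0x8993 (correct), seq 2102551918, win 14600, options [mss 1400,sackOK,TS val 2937873785 ecr 0,nop,wscale 8], length 0
06:58:25.987227 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    84.20.187.167.49150 > 198.199.98.246.38096: Flags [R.], cksum 0x3ec6 (correct), seq 0, ack 2102551919, win 0, length 0
"""
LAN_CAPTURE = """\
10:39:25.814516 IP (tos 0x0, ttl 48, id 20949, offset 0, flags [DF], proto TCP (6), length 60)
    198.199.98.246.56542 > 192.168.1.238.49150: Flags [S], cksum 0xf167 (correct), seq 1064348439, win 14600, options [mss 1400,sackOK,TS val 2941188802 ecr 0,nop,wscale 8], length 0
10:39:26.813512 IP (tos 0x0, ttl 48, id 20950, offset 0, flags [DF], proto TCP (6), length 60)
    198.199.98.246.56542 > 192.168.1.238.49150: Flags [S], cksum 0xf06d (correct), seq 1064348439, win 14600, options [mss 1400,sackOK,TS val 2941189052 ecr 0,nop,wscale 8], length 0
10:39:26.817611 IP (tos 0x0, ttl 48, id 18413, offset 0, flags [DF], proto TCP (6), length 60)
    198.199.98.246.56546 > 192.168.1.238.49150: Flags [S], cksum 0x2b09 (correct), seq 4086742097, win 14600, options [mss 1400,sackOK,TS val 2941189052 ecr 0,nop,wscale 8], length 0
10:39:27.840706 IP (tos 0x0, ttl 48, id 18414, offset 0, flags [DF], proto TCP (6), length 60)
    198.199.98.246.56546 > 192.168.1.238.49150: Flags [S], cksum 0x2a0f (correct), seq 4086742097, win 14600, options [mss 1400,sackOK,TS val 2941189302 ecr 0,nop,wscale 8], length 0
"""

HDR_RE = re.compile(r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*?ttl (?P<ttl>\d+), id (?P<id>\d+)')
PKT_RE = re.compile(
    r'^\s+(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): '
    r'Flags \[(?P<flags>[^\]]*)\](?:.*?seq (?P<seq>\d+))?')


def parse_tcpdump(text):
    """Turn tcpdump -v output into a list of packet dicts (ttl/id from the header line)."""
    packets, hdr = [], None
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:
            hdr = m.groupdict()
            continue
        m = PKT_RE.match(line)
        if m and hdr:
            p = m.groupdict()
            packets.append({'ts': hdr['ts'], 'ttl': int(hdr['ttl']), 'id': int(hdr['id']),
                            'src': p['src'], 'sport': int(p['sport']),
                            'dst': p['dst'], 'dport': int(p['dport']),
                            'flags': p['flags'], 'seq': int(p['seq']) if p['seq'] else None})
            hdr = None
    return packets


def classify(packets):
    """Return [(flow, verdict)]; flow = (client ip, client port, target ip, target port)."""
    flows = {}
    for p in packets:
        if p['flags'] == 'S':                       # bare SYN: a client opening a connection
            key = (p['src'], p['sport'], p['dst'], p['dport'])
            f = flows.setdefault(key, {'syn': 0, 'seqs': set(), 'reply': None})
            f['syn'] += 1
            f['seqs'].add(p['seq'])
        else:                                       # anything else: first reply to a known SYN
            key = (p['dst'], p['dport'], p['src'], p['sport'])
            if key in flows and flows[key]['reply'] is None:
                flows[key]['reply'] = p
    results = []
    for key, f in flows.items():
        r = f['reply']
        if r is None:
            verdict = 'unanswered'
            if f['syn'] > 1 and len(f['seqs']) == 1:
                verdict += ' (SYN retransmitted)'   # same seq resent: target never replied
        elif r['flags'].startswith('S'):
            verdict = 'handshake'                   # SYN-ACK: something is listening
        elif 'R' in r['flags'] and r['ttl'] == 64 and r['id'] == 0:
            verdict = 'reset by router'             # heuristic (assumption), see docstring
        elif 'R' in r['flags']:
            verdict = 'reset by host'               # target reachable, port closed
        else:
            verdict = 'other reply [%s]' % r['flags']
        results.append((key, verdict))
    return results


if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WAN_CAPTURE + LAN_CAPTURE
    for flow, verdict in classify(parse_tcpdump(text)):
        print('%s:%d -> %s:%d  %s' % (flow + (verdict,)))
```

On the WAN capture every flow comes out as "reset by router", which matches the thread's first diagnosis (nothing was being forwarded). On the br-lan capture every flow is "unanswered (SYN retransmitted)": the forward is doing its job and the host at 192.168.1.238 is simply not replying, so the next place to look is the Windows firewall and whether the game server is actually listening on 0.0.0.0:49150 (`netstat -an` on the Windows box will show that).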