Strange behavior in port forwarding

I'm attempting to forward some ports for my NAS, but when I try to forward port 80, it breaks my web access to luci. My router IP is 192.168.0.4, and my NAS is 192.168.0.10, and I discovered that the other ports I forwarded, such as 5001, are redirected from the router IP (that is, when I go to 192.168.0.4:5001, it displays the NAS' web UI), so that would explain why forwarding port 80 breaks luci, but why is this happening in the first place?

Here is an excerpt from /etc/config/firewall

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '5001'
        option dest_ip '192.168.0.10'
        option dest_port '5001'
        option name 'Synology Moments'

I assumed that this would make it so that when I navigate to :5001 that the traffic would forward to the NAS (but I get a connection refused error when I do this). I can post other configs or screenshots of my setup, but I'm not sure what else would be relevant. Maybe my interfaces?

Can you elaborate on the port forward of port 80 breaking LuCI? How are you trying to access LuCI? From the LAN or the WAN?

Is this router your main router, or is it connected behind some other router?


I'm also confused about this:

This should not happen if the defined source is on the WAN and you are testing this from the LAN.

Please copy the output of the following commands and post it here using the "Preformatted text </>" button.
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

The only way that a port forwarding can break LuCI is to have NAT loopback enabled and try to access the router from the WAN, or from the LAN on the WAN IP.


It seemed like it was in some sort of redirect loop, that's all I know.

From the LAN

Not sure what you mean about the source being on the WAN. I'm currently only testing from the LAN and connecting to LAN devices. I don't know why I'd get the NAS web UI at my router's address.

Here is my /etc/config/network.

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd4b:f0c4:82f5::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option dns '1.1.1.1 1.0.0.1'
        option ipaddr '192.168.0.4'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'static'
        option ipaddr '192.168.0.4'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'
        option broadcast '255.255.255.255'
        option dns '1.1.1.1 1.0.0.1'

config interface 'wan6'
        option proto 'dhcpv6'
        option ifname 'eth1.2'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'
        option vid '2'

config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option dns '1.1.1.1 1.0.0.1'
        option type 'bridge'
        option ifname 'eth0'
        option ip6assign '64'

The modem is at 192.168.0.1. I'm also in the middle of setting up the guest network, so that part may be incomplete.

Here's my /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '27016'
        option dest_port '27016'
        option name 'space engineers'
        option dest_ip '192.168.0.21'

config zone
        option name 'guest'
        option forward 'REJECT'
        option input 'REJECT'
        option network 'guest'
        option output 'ACCEPT'

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'
        option name 'guest dns'
        option src 'guest'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '67-68'
        option name 'guest dhcp'
        option src 'guest'

config forwarding
        option dest 'wan'
        option src 'guest'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '443'
        option dest_ip '192.168.0.10'
        option dest_port '443'
        option name 'Synology HTTPS'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '5001'
        option dest_ip '192.168.0.10'
        option dest_port '5001'
        option name 'Synology Moments'

Your LAN and WAN are on the same subnet. This will not work -- you must always have a different network on the LAN and on the WAN.

Your router cannot port forward in this context -- it is not able to route because of the subnets on both networks.

Can you draw a diagram of your network? A snapshot of a hand-drawn diagram is perfectly sufficient... please include any upstream routers and switches between the internet and your NAS.

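The overlap the reply above points at (LAN and WAN both configured as 192.168.0.4/255.255.255.0) is easy to miss by eye in a long UCI file. The following is an added example, not code from the thread or from OpenWrt: a small Python check that parses the `config interface` sections of an `/etc/config/network` file and reports every pair of static interfaces whose subnets overlap. The sample text is constructed from the interfaces posted above.

```python
import ipaddress
import re

# Constructed sample: the static interfaces from the posted /etc/config/network.
# 'lan' and 'wan' share 192.168.0.0/24, which is the fault the thread identifies.
SAMPLE_NETWORK = """
config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.0.4'

config interface 'wan'
        option proto 'static'
        option ipaddr '192.168.0.4'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'

config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
"""


def parse_uci_interfaces(text):
    """Minimal parser for 'config interface' sections of a UCI network file.
    Returns {section_name: {option: value}}; 'list' lines are ignored."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"config\s+interface\s+'([^']+)'", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        m = re.match(r"option\s+(\S+)\s+'([^']*)'", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return sections


def static_subnet(iface):
    """Subnet of a static interface (ipaddr + netmask), or None if not static."""
    if iface.get("proto") != "static" or "ipaddr" not in iface:
        return None
    mask = iface.get("netmask", "255.255.255.0")  # UCI default for IPv4
    return ipaddress.ip_interface(f"{iface['ipaddr']}/{mask}").network


def overlapping_pairs(sections):
    """All (name_a, name_b, net_a, net_b) whose static subnets overlap."""
    nets = {n: static_subnet(i) for n, i in sections.items()}
    names = sorted(n for n, s in nets.items() if s is not None)
    return [(a, b, str(nets[a]), str(nets[b]))
            for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]
```

Running `overlapping_pairs(parse_uci_interfaces(SAMPLE_NETWORK))` flags only the `lan`/`wan` pair; after moving one side to a different /24, as the original poster did, it returns an empty list.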

How's this?

                                                        +---------------+
                                                        |               |
                                                +-------+  Moca Adapter |
                                                |       |               |
                                                |       +---------------+
                                                |
+----------+      +----------+       +----------+       +---------+
|          |      |          |       |          |       |         |
| Internet +------+  Modem   +-------+  Router  +-------+   NAS   |
|          |      |          |       |          |       |         |
+----------+      +----------+       +----------+       +---------+
                                                |
                                                |
                                                |       +--------+
                                                |       |        |
                                                +-------+   PC   |
                                                        |        |
                                                        +--------+

Is the router in that picture the OpenWrt router that you are trying to resolve in this situation? If so, it would seem that your modem is also a modem+router combo unit -- is that correct? If so, do you have the option to change that modem+router into a modem only (bridge mode) device?

The router is the OpenWrt device, and it is a separate device from the modem. I don't remember the details because I set it up over a year ago, but I cannot switch it to bridge mode; I need that VLAN stuff.

Is the modem connected to the OpenWrt device's WAN or LAN port?

The cable from the modem goes to the port labeled "internet" on the router.

Ok... so if that is the case, you need to change your LAN address on the OpenWrt router to something other than 192.168.0.0/24. You could make it 192.168.1.1 if you want.

Sure, I can make that happen, but it doesn't seem like it explains why, after setting up port forwarding, when I go to 192.168.0.4:5001 from my PC (192.168.0.21) it returns the same web page as 192.168.0.10:5001.
Also, forgot to mention, the modem has the router configured as a DMZ, but that's probably not relevant to the above issue.

You cannot look for reasonable explanations in a situation that is accidentally, even remotely, working a tad bit.
wan and lan IPs must not overlap.


DMZ is important, but only relevant when the OpenWrt router is actually configured properly. Change your OpenWrt LAN and port forwarding should work as expected.

Thank you, the WAN subnet is now in the 192.168.1.0 range, and things are less weird. The remaining problems may be a separate issue, so I started a new topic at Dns resolution windows (hairpin?).
I assumed DMZ meant it would forward all traffic to the router, but this appears to be different functionality than port forwarding, so I disabled that.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

