Stuck on port forwarding

Hi,

as the title says I'm very much stuck on getting port forwarding to work.

I've got a fiber connection (FTTH), so the setup looks like this:

CPE < WAN > OpenWrt < LAN > clients

Connecting to the CPE requires DHCP, so WAN is configured as a DHCP client.
This works fine: the WAN interface gets the external IP address and all the clients on LAN get internet access, great.

Now, I can even open ports on the OpenWrt router itself (WireGuard, for example, works just fine), but exposing any LAN client to the Internet does not work at all.

This part works:

config rule
	option name		Allow-WireGuard
	option src		wan
	option dest_port	51820
	option proto		udp
	option target		ACCEPT

This part does not:

config redirect
	option target		DNAT
	option src		wan
	option dest		lan
	option proto		tcp
	option src_dport	19900
	option dest_ip		192.168.1.2
	option dest_port	22
	option name		Test

The config is pretty much vanilla, but here it is nonetheless.

/etc/config/network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr 'xx:xx:xx:xx:xx:xy'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config interface 'vpn'
	option proto 'wireguard'
	option private_key '<somekey>'
	option listen_port '51820'
	list addresses '10.0.0.1/24'

config wireguard_vpn
	option public_key '<somekey>'
	list allowed_ips '10.0.0.0/24'
	list allowed_ips '192.168.2.0/24'
	option route_allowed_ips '1'
	option endpoint_host '<somehost>'
	option endpoint_port '51820'
	option persistent_keepalive '25'

/etc/config/firewall:

config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
	option flow_offloading	1


config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config zone
	option name		vpn
	list network		'vpn'
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

config forwarding
	option src		lan
	option dest		vpn

config forwarding
	option src		vpn
	option dest		lan

config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option src_ip		fc00::/6
	option dest_ip		fc00::/6
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

config rule
	option name		Allow-WireGuard
	option src		wan
	option dest_port	51820
	option proto		udp
	option target		ACCEPT

config include
	option path /etc/firewall.user

config redirect
	option target		DNAT
	option src		wan
	option dest		lan
	option proto		tcp
	option src_dport	19900
	option dest_ip		192.168.1.2
	option dest_port	22
	option name		Test

Any pointers would be appreciated.

Are you sure you opened the firewall on the SSH server itself?

The port forward rule for SSH is OK.


Yes, I did.

I've also tried HTTP on port 80 and port 8081, same thing unfortunately.
Also tried other clients, but to no avail.

Make sure that 192.168.1.2 is using 192.168.1.1 as default gateway.

It does, WireGuard would not work otherwise.

Run iptables -t nat -nxvL | grep 19900 to see whether the DNAT rule was hit at all.

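One way to act on the `iptables -t nat -nxvL | grep 19900` check suggested above, as an added example that is not part of the thread: the script parses a nat table listing (a constructed sample in the style of fw3's output, not output captured from the poster's router) and reads the packet counter of the DNAT rule for a port. A missing rule, a rule with zero hits, and a rule with hits each point at a different part of the setup. The function names `dnat_hits`, `interpret_hits` and `diagnose` are chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): decide, from `iptables -t nat -nxvL` output,
# whether a fw3 DNAT rule for a given port exists and whether it has matched traffic.
# The sample listing below is constructed to resemble fw3's nat table; it is not
# output from the poster's router.

# dnat_hits PORT   (stdin: iptables -t nat -nxvL output)
# Prints the packet counter of the first DNAT rule matching "dpt:PORT",
# or "none" when no such rule is present in the table.
dnat_hits() {
    awk -v port="$1" '
        # counter rows look like:
        # "<pkts> <bytes> DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:19900 ... to:192.168.1.2:22"
        $3 == "DNAT" && $0 ~ ("dpt:" port "([^0-9]|$)") { print $1; found = 1; exit }
        END { if (!found) print "none" }
    '
}

# interpret_hits PORT COUNTER
# Maps the counter to a short token the caller can branch on.
interpret_hits() {
    case "$2" in
        none) echo "no-rule" ;;       # firewall config never applied, or rule missing from the table
        0)    echo "rule-not-hit" ;;  # packets never arrive on WAN: look upstream (CPE / ISP side)
        *)    echo "rule-hit" ;;      # DNAT happened: look at the LAN host and its return path
    esac
}

# diagnose PORT   (stdin: nat table output) - prints one human-readable summary line
diagnose() {
    hits=$(dnat_hits "$1")
    case "$(interpret_hits "$1" "$hits")" in
        no-rule)      echo "port $1: no DNAT rule in the nat table; check /etc/config/firewall and run /etc/init.d/firewall restart" ;;
        rule-not-hit) echo "port $1: DNAT rule present but 0 packets matched; traffic never reaches WAN (CPE/ISP side)" ;;
        rule-hit)     echo "port $1: DNAT rule matched $hits packets; check the LAN host's own firewall and default gateway" ;;
    esac
}

# Constructed sample: one forward that was never hit (19900) and one that was (8081).
SAMPLE_NAT_OUTPUT='Chain PREROUTING (policy ACCEPT 1234 packets, 98765 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1234    98765 prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom prerouting rule chain */
     812    61234 zone_wan_prerouting  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_prerouting (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:19900 /* !fw3: Test */ to:192.168.1.2:22
      57     3420 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8081 /* !fw3: Web */ to:192.168.1.2:80'

# Stand-alone run over the constructed sample.
for p in 19900 8081 443; do
    printf '%s\n' "$SAMPLE_NAT_OUTPUT" | diagnose "$p"
done
```

On the router itself the same functions work on live data: `iptables -t nat -nxvL | diagnose 19900`. Run it, attempt a connection from outside, then run it again; if the counter stays at 0 the packets are not reaching the WAN interface at all, which is a CPE or ISP question rather than a firewall one.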

Incorrect, Wireguard is on your router. Ensure that you have the proper gateway configured on the server.

Thanks, I will try that tomorrow.
For now I've swapped the OpenWrt box with a proprietary one to get forwarding to work.

Yes, WireGuard would work router to router, but I would not be able to access anything on the other side of the tunnel with my client unless the gateway was correctly configured, or am I mistaken?
But I've checked again, and the default gateway is most definitely 192.168.1.1.

Well, this is a new and "interesting" development I could certainly live without:
I've swapped back to the OpenWrt Box just to find that DHCP on WAN stopped working.
There is no IP address assigned, so I don't even get an internet connection any more :unamused:

Power cycling both the CPE and the OpenWrt Box did not change anything.
I tried resetting and reflashing OpenWrt, which, again, did nothing.
At this point I thought that there was something wrong with my box, so I swapped again to another OpenWrt box I have.
Unfortunately the result is the same, no IP on WAN.

Strangely enough, plugging any other client, like my laptop, straight into the CPE works instantly: I get the external IP on the interface and internet access works just fine.

Any ideas as to what might be going on here?

Your ISP is doing a MAC lockdown for X period of time?

Maybe, but why would the Laptop plugged straight into the CPE work?
It's a different MAC after all.

What MAC did you configure into the WAN Interface?

The default, I tried to change as little as possible.
As said above, the config is pretty much vanilla.

I guess I'm going to copy the WAN MAC of the proprietary router to the OpenWrt one next.
If that works, it confirms the lockdown; if not, it's something else.