Hi,
as the title says I'm very much stuck on getting port forwarding to work.
I've got a fiber connection (FTTH), so the setup looks like this:
CPE < WAN > OpenWrt < LAN > clients
Connecting to the CPE requires DHCP, so WAN is configured as a DHCP client.
This works fine, the WAN interface gets the external ip address and all the clients on LAN get internet access, great.
Now, I can even open ports on the OpenWrt router itself, Wireguard for example works just fine, but exposing any LAN client to the Internet does not work at all.
This part works:
config rule
option name Allow-WireGuard
option src wan
option dest_port 51820
option proto udp
option target ACCEPT
This part does not:
config redirect
option target DNAT
option src wan
option dest lan
option proto tcp
option src_dport 19900
option dest_ip 192.168.1.2
option dest_port 22
option name Test
The config is pretty much vanilla, but here it is none the less.
/etc/config/network:
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
config device 'lan_dev'
option name 'eth0.1'
option macaddr 'xx:xx:xx:xx:xx:xx'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config device 'wan_dev'
option name 'eth0.2'
option macaddr 'xx:xx:xx:xx:xx:xy'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0 6t'
config interface 'vpn'
option proto 'wireguard'
option private_key '<somekey>'
option listen_port '51820'
list addresses '10.0.0.1/24'
config wireguard_vpn
option public_key '<somekey>'
list allowed_ips '10.0.0.0/24'
list allowed_ips '192.168.2.0/24'
option route_allowed_ips '1'
option endpoint_host '<somehost>'
option endpoint_port '51820'
option persistent_keepalive '25'
/etc/config/firewall:
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
option flow_offloading 1
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wan
list network 'wan'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config zone
option name vpn
list network 'vpn'
option input ACCEPT
option output ACCEPT
option forward REJECT
option mtu_fix 1
config forwarding
option src lan
option dest wan
config forwarding
option src lan
option dest vpn
config forwarding
option src vpn
option dest lan
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option src_ip fc00::/6
option dest_ip fc00::/6
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
config rule
option name Allow-WireGuard
option src wan
option dest_port 51820
option proto udp
option target ACCEPT
config include
option path /etc/firewall.user
config redirect
option target DNAT
option src wan
option dest lan
option proto tcp
option src_dport 19900
option dest_ip 192.168.1.2
option dest_port 22
option name Test
Any pointers would be appreciated.