TCP port forwarding Modem - OpenWrt - local server not working

Hi there,

I am using an OpenWRT router behind a modem (FritzBox). Now, I would like to open a port of one of my local machines (behind openwrt). I added a rule using LuCi for this purpose. The rule has been successfully applied:

firewall.@redirect[0].name='My Port Forwarding'

When I check if the port has been opened using the LAN address of the opwnWRT router, it is shown as being closed:

nmap -p 8895

8895/tcp closed unknown

What am I doing wrong?

Thanks for any hint.

you're doing this from what side of the openwrt router ? wan or lan ?

From another machine in the same local network, so lan.

that's not reliable.

use your phones mobile network to scan the public IP from outside.

Hm, I don't understand your point. Of course I tried to use the external (WAN) ip address with the port opened, so


but this returns an error:

connect to X.X.X.X port 8895 failed: Connection refused

not so very of course, since you wrote you used nmap -p 8895, and that's hardly an external IP.

1 Like

I tried accessing the port using the WAN address first and then to find the reason I used the nmap command using the local ip address.

and the public IP sits on your openwrt routers wan port ?

1 Like

Let's start with some basic checks:

  • From your local network, if you try to access on port 8895, what happens?
  • Do you have a public IP address?
    • Look at the IPv4 upstream status on the main LuCI status page and find the IP address listed there.
    • compare that against the google result for "what's my IP"
    • do they match? If in doubt, post the first 2 octets of the IPv4 upstream address (in bold: aaa.bbb.ccc.ddd )

You would test a WAN port forward from WAN (i.e. the Internet) using the WAN IP.

nmap -p 8895 <public_IP>

Wow, first of all: thanks a lot for the various suggestions and questions. I am happy to get such a support here! :slight_smile:

  • the access to the port from within the local network works fine
  • using nmap with the public IP returns
8895/tcp filtered unknown

and using the same url in the browser leads to "This site can’t be reached"

  • the IPv4 upstream ip is not the same as my public ip address, I have added a static route from the modem to the openwrt router

Let’s get more info here.
What is in front of your openwrt router? Is it a modem only or a modem+router?

A static route may not be required or useful here. If your openwrt router wan has nat masquerading enabled, the static route does nothing.

If the modem is a modem+router, it is likely performing nat masquerading and would therefore need to have port forwarding to the openwrt router (or the actual host if masquerading is not being used on the openwrt device)

Finally, have you verified that the device in front of the openwrt router does actually have a public ip?

In front of my openwrt router there is a modem with a public IP. I did not want to expose the openwrt to the internet therefore I did a "double natting" and to reduce the performance losses I added the static routes.

Good! This is key.

The openwrt router is likely more secure than the routing firmware that is in the modem. But whatever makes you most comfortable is fine

If you’re double natting, static routes do literally nothing. There is no performance improvement by having it enabled. And in most cases, nat does not have any significant performance penalty from a bandwidth perspective.

If you turn off nat masquerading on your openwrt router, then the route becomes necessary.

Meanwhile, because you have double nat, you must perform port forwarding twice. Once in the upstream router > forward to the openwrt router, and then from the openwrt router > host with services running.

Let’s see your upstream forwarding rule.

... or convert the openwrt device to a dumb AP., unless you have other reasons for the double NAT.

1 Like

I’d agree with this, but actually I’d sooner recommend setting the modem in bridge mode and using the openwrt router as the only router.

But yes, double nat is not ideal and it does not actually increase the security of the network compared to a properly configured single nat + firewall config.

I agree too, assuming the modem can be set in bridge mode.
OP did also say he trusted the modem (why?) more than the openwrt device ...

1 Like

Thanks for all your suggestions. I managed to enable the port forwarding by following those steps (it's a FritzBox modem):

  • Open "Internet" section
  • Choose "Permit Access"
  • Create new sharing for openwrt router (select from the list)
  • create permit access (name is not relevant) entering the port which should be forwarded (8895 in my case) and enter the port that should be visible to the internet (I have chosen 8895, again)

Thanks a lot!

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.