I am using an OpenWRT router behind a modem (FritzBox). Now, I would like to open a port of one of my local machines (behind openwrt). I added a rule using LuCI for this purpose. The rule has been successfully applied:
Let’s get more info here.
What is in front of your openwrt router? Is it a modem only or a modem+router?
A static route may not be required or useful here. If your openwrt router wan has nat masquerading enabled, the static route does nothing.
If the modem is a modem+router, it is likely performing nat masquerading and would therefore need to have port forwarding to the openwrt router (or the actual host if masquerading is not being used on the openwrt device).
Finally, have you verified that the device in front of the openwrt router does actually have a public ip?
In front of my openwrt router there is a modem with a public IP. I did not want to expose the openwrt to the internet, therefore I did a "double natting", and to reduce the performance losses I added the static routes.
The openwrt router is likely more secure than the routing firmware that is in the modem. But whatever makes you most comfortable is fine.
If you’re double natting, static routes do literally nothing. There is no performance improvement by having it enabled. And in most cases, nat does not have any significant performance penalty from a bandwidth perspective.
If you turn off nat masquerading on your openwrt router, then the route becomes necessary.
Meanwhile, because you have double nat, you must perform port forwarding twice. Once in the upstream router > forward to the openwrt router, and then from the openwrt router > host with services running.
I’d agree with this, but actually I’d sooner recommend setting the modem in bridge mode and using the openwrt router as the only router.
But yes, double nat is not ideal and it does not actually increase the security of the network compared to a properly configured single nat + firewall config.
Thanks for all your suggestions. I managed to enable the port forwarding by following those steps (it's a FritzBox modem):
Open "Internet" section
Choose "Permit Access"
Create new sharing for openwrt router (select from the list)
Create permit access (name is not relevant), entering the port which should be forwarded (8895 in my case), and enter the port that should be visible to the internet (I have chosen 8895, again).
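
The OpenWrt half of the double port forward discussed in this thread, written as an `/etc/config/firewall` redirect section; this is an added example, not part of any post. The LAN host address `192.168.1.50` and the TCP-only protocol are assumptions, since the thread gives only the port, 8895.

```uci
# /etc/config/firewall on the OpenWrt router (second hop of the double NAT).
# First hop: the FritzBox "Permit Access" entry forwards external port 8895
# to the OpenWrt router's WAN address, as described in the steps above.

config redirect
	option name 'forward-8895-to-lan-host'
	option target 'DNAT'
	# Traffic arrives from the FritzBox side, which is the 'wan' zone
	# in a default OpenWrt setup.
	option src 'wan'
	# Assumption: the service speaks TCP only. Forwarding just the
	# protocol in use keeps the exposed surface as small as possible.
	option proto 'tcp'
	# Port as it arrives on the OpenWrt WAN interface.
	option src_dport '8895'
	# The host running the service sits in the 'lan' zone.
	option dest 'lan'
	# Placeholder address: replace with the host's real LAN address and
	# give that host a static DHCP lease so the forward keeps pointing
	# at the same machine.
	option dest_ip '192.168.1.50'
	# Port the service listens on at the LAN host.
	option dest_port '8895'
```

With masquerading left enabled on the OpenWrt WAN zone, no static route is needed on the FritzBox; the two port forwards are the only path by which inbound traffic reaches the host.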