TCP port forwarding Modem - OpenWrt - local server not working

Hi there,

I am using an OpenWrt router behind a modem (FritzBox). Now I would like to open a port of one of my local machines (behind OpenWrt). I added a rule using LuCI for this purpose. The rule has been successfully applied:

firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='My Port Forwarding'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='8895'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].dest_ip='192.168.200.57'
firewall.@redirect[0].dest_port='8895'

When I check if the port has been opened using the LAN address of the OpenWrt router, it is shown as being closed:

nmap -p 8895 192.168.200.1

PORT     STATE  SERVICE
8895/tcp closed unknown

What am I doing wrong?

Thanks for any hint.

You're doing this from what side of the OpenWrt router? WAN or LAN?

From another machine in the same local network, so lan.

That's not reliable.

Use your phone's mobile network to scan the public IP from outside.

Hm, I don't understand your point. Of course I tried to use the external (WAN) ip address with the port opened, so

X.X.X.X:8895/

but this returns an error:

connect to X.X.X.X port 8895 failed: Connection refused

Not so very "of course", since you wrote you used nmap -p 8895 192.168.200.1, and that's hardly an external IP.


I tried accessing the port using the WAN address first and then to find the reason I used the nmap command using the local ip address.

And the public IP sits on your OpenWrt router's WAN port?


Let's start with some basic checks:

  • From your local network, if you try to access 192.168.200.57 on port 8895, what happens?
  • Do you have a public IP address?
    • Look at the IPv4 upstream status on the main LuCI status page and find the IP address listed there.
    • Compare that against the Google result for "what's my IP".
    • Do they match? If in doubt, post the first 2 octets of the IPv4 upstream address (the aaa.bbb part of aaa.bbb.ccc.ddd).

You would test a WAN port forward from WAN (i.e. the Internet) using the WAN IP.

nmap -p 8895 <public_IP>
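The "do you have a public IP?" check above is the one that decides whether a single OpenWrt redirect can work at all. As an added example (not from the thread or from OpenWrt), the POSIX sh script below classifies the IPv4 upstream address LuCI shows against the private (RFC 1918), CGNAT (RFC 6598), loopback and link-local ranges and compares it with the address seen from the Internet; the sample addresses are constructed (192.168.178.0/24 is the FritzBox default LAN, 203.0.113.0/24 is documentation space).

```shell
#!/bin/sh
# ip_to_int: dotted quad -> 32-bit integer, using only POSIX sh arithmetic.
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS: true when ADDR falls inside the prefix.
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# classify_ip ADDR: print which reserved range the address belongs to,
# or "public" if it is in none of them.
classify_ip() {
    for entry in 10.0.0.0/8:rfc1918 172.16.0.0/12:rfc1918 192.168.0.0/16:rfc1918 \
                 100.64.0.0/10:cgnat 127.0.0.0/8:loopback 169.254.0.0/16:link-local; do
        if in_cidr "$1" "${entry%:*}"; then
            echo "${entry#*:}"; return 0
        fi
    done
    echo public
}

# needs_upstream_forward WAN_IP PUBLIC_IP: true (exit 0) when the OpenWrt WAN
# address is not the address the Internet sees, i.e. there is another NAT hop
# (the modem) that must carry its own port forward to WAN_IP.
needs_upstream_forward() {
    [ "$(classify_ip "$1")" != public ] || [ "$1" != "$2" ]
}

# Constructed sample: upstream address handed out by the FritzBox and the
# address reported by an external "what's my IP" lookup.
WAN_IP=192.168.178.20
PUBLIC_IP=203.0.113.5
if needs_upstream_forward "$WAN_IP" "$PUBLIC_IP"; then
    echo "$WAN_IP is $(classify_ip "$WAN_IP"): double NAT, forward tcp/8895 on the modem to $WAN_IP too"
else
    echo "$WAN_IP is the public address: the OpenWrt redirect alone is enough"
fi
```

Run it on the router or any machine with sh after substituting the two addresses; a non-public classification means the nmap from outside will show "filtered" until the modem forwards the port as well.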

Wow, first of all: thanks a lot for the various suggestions and questions. I am happy to get such support here! :)

  • The access to the port from within the local network works fine.
  • Using nmap with the public IP returns

PORT     STATE    SERVICE
8895/tcp filtered unknown

    and using the same URL in the browser leads to "This site can’t be reached".
  • The IPv4 upstream IP is not the same as my public IP address; I have added a static route from the modem to the OpenWrt router.

Let’s get more info here.
What is in front of your OpenWrt router? Is it a modem only or a modem+router?

A static route may not be required or useful here. If your OpenWrt router's WAN has NAT masquerading enabled, the static route does nothing.

If the modem is a modem+router, it is likely performing NAT masquerading and would therefore need to have port forwarding to the OpenWrt router (or to the actual host, if masquerading is not being used on the OpenWrt device).

Finally, have you verified that the device in front of the OpenWrt router does actually have a public IP?

In front of my OpenWrt router there is a modem with a public IP. I did not want to expose the OpenWrt to the internet, so I did a "double natting", and to reduce the performance losses I added the static routes.

Good! This is key.

The OpenWrt router is likely more secure than the routing firmware that is in the modem. But whatever makes you most comfortable is fine.

If you’re double natting, static routes do literally nothing. There is no performance improvement by having them enabled. And in most cases, NAT does not have any significant performance penalty from a bandwidth perspective.

If you turn off NAT masquerading on your OpenWrt router, then the route becomes necessary.

Meanwhile, because you have double NAT, you must perform port forwarding twice: once in the upstream router (forward to the OpenWrt router), and then from the OpenWrt router to the host with the services running.

Let’s see your upstream forwarding rule.

... or convert the OpenWrt device to a dumb AP, unless you have other reasons for the double NAT.


I’d agree with this, but actually I’d sooner recommend setting the modem in bridge mode and using the OpenWrt router as the only router.

But yes, double NAT is not ideal, and it does not actually increase the security of the network compared to a properly configured single NAT + firewall config.

I agree too, assuming the modem can be set in bridge mode.
OP did also say he trusted the modem (why?) more than the OpenWrt device ...


Thanks for all your suggestions. I managed to enable the port forwarding by following these steps (it's a FritzBox modem):

  • Open the "Internet" section
  • Choose "Permit Access"
  • Create a new sharing for the OpenWrt router (select it from the list)
  • Create the permit access (the name is not relevant), entering the port which should be forwarded (8895 in my case) and the port that should be visible to the internet (I have chosen 8895 again)

Thanks a lot!
