Traffic rules not working and IPv4 not reachable

Hey, I just can't get my traffic rules to work. For example, when I try to reach port 5555 over the WAN, it doesn't work. Because of my ISP, I have to use ds-lite. Is there any chance that this is the problem? The rule I created for testing is called "test". PBR should not be the problem, as it did not work before I installed the PBR package, and it is currently disabled.

Another problem I have is that my IPv4 is not reachable. You can find my network and firewall config below. I am grateful for any kind of help.

# /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3a:33fb:f175::/48'
	option packet_steering '1'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'j'
	option tone 'b'
	option ds_snr_offset '0'
	option firmware '/lib/firmware/xcpe_8.B.2.6.0.7_8.B.0.B.0.2.bin'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option ip6assign '64'

config device
	option name 'dsl0'
	option macaddr '48:5D:35:9A:AA:2D'

config interface 'wan'
	option proto 'pppoe'
	option username '<username>'
	option password '<password>'
	option ipv6 '1'
	option device 'dsl0.7'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'wan6'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option device 'pppoe-wan'
	option peerdns '0'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'

config interface 'wan4'
	option proto 'dslite'
	option peeraddr '::'
	option encaplimit 'ignore'
	option mtu '0'
	option tunlink 'wan6'

config interface 'wwan'
	option proto 'dhcp'

config device
	option type 'bridge'
	option name 'guest'

config interface 'guest'
	option proto 'static'
	option device 'guest'
	list ipaddr '192.168.2.1/24'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'

# /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect 'dns_int'
	option name 'Intercept-DNS'
	option src 'lan'
	option src_dport '53'
	option proto 'tcp udp'
	option family 'any'
	option target 'DNAT'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config rule
	option name 'test'
	option src 'wan'
	list dest_ip '192.168.1.1'
	option dest_port '5555'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'

Your rule is missing the src_dport option.
And the "rule" should be a "redirect", if I understand you right that you want a port forward.

If you want an allow rule from wan to port 5555, the incoming packet won't have 192.168.1.1 as the destination address, as that 192.168.1.1 is only inside LAN.

Otherwise, I got lost with wan, wan6, wan4, wwan...
What do you think your interfaces' roles are?

(And leave pbr out until you have basic things straightened.)

Thank you for the quick reply.

Unfortunately, when I create a redirect rule, it doesn't work either. Is it correct in your opinion?

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'test'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'
	option src 'wan'
	option src_dport '5555'
	option dest_port '5555'

Even if I add option dest_ip '<any host IP>' I can't get it working.

I don't know exactly what you mean by interface roles, but what I can tell you is that 'wan6_4' and 'wan4' are my ds-lite tunnel interfaces and 'wan6' and 'wan' are my "normal" WAN interfaces.

No.
Now it is missing the LAN IP address, into which you are redirecting the incoming traffic.

Redirect would mean "forward traffic incoming from src zone to port src_dport into dest zone address dest_ip port dest_port".

You are missing the dest_ip parameter, as you mention yourself.

What are you actually trying to do? Allow traffic to a service program running in the router itself? Forward traffic to another device in LAN?

1 Like

Firstly, I'm just trying to get the port open and reachable. Later on, I want to run a WireGuard VPN on the OpenWrt router. But let's say I add option dest_ip '<IP of my PC>' or dest_ip '<IP of the router>'. Then it doesn't work either. So, if I understand it correctly, I would actually need a traffic rule for the WireGuard VPN and not a redirect, as I don't want to open the port for my gaming PC, for example, but for the router.

If you are not looking for port forward ("redirect"), but just to allow one open port in the router itself, then your original rule might be otherwise ok, but the LAN related 192.168.1.1 is wrong and unnecessary. Like I said in my first message, the packets incoming from wan do not know about lan-specific 192.168.1.1. You might remove that line.

But I am unsure about the wan / wan6 / wan4 and dslite. Wan looks like a rather normal pppoe-wan, but is only used for IPv6 that then serves ipv4 via dslite? You might try wan4 in the rule.
(I am not sure if the dslite also causes a need for some IPv6 specific rule, so that you might also need wan6 allow rule.)

Have you searched the forum for dslite-specific advice? It is so rarely used that help may be slow to come here.

PS. How do you know that the rule does not work? Do you have an active service running on port 5555?

1 Like
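The two rule shapes described in the reply above, written out as an added example (not configuration from the thread or from OpenWrt's defaults). It assumes the service is WireGuard on the router listening on UDP 5555, and uses 192.168.1.50 as a constructed placeholder for a LAN host.

```uci
# Added example, not from the thread. Placeholder LAN host: 192.168.1.50.

# 1) Allow traffic to a service on the router itself.
#    No 'dest' option, so the rule applies to the router's INPUT chain.
#    No dest_ip: from the WAN side the packet is addressed to the WAN
#    address, never to the LAN-only 192.168.1.1.
#    No src_dport: the sender's source port is a random high port.
config rule
	option name 'Allow-WireGuard-Input'
	option src 'wan'
	option proto 'udp'
	option dest_port '5555'
	option family 'any'
	option target 'ACCEPT'

# 2) Port forward to a LAN host instead ('redirect' with DNAT).
#    src_dport is the port hit on the WAN side; dest_ip and dest_port
#    say where the traffic is rewritten to inside the 'lan' zone.
config redirect
	option name 'Forward-5555-to-PC'
	option src 'wan'
	option src_dport '5555'
	option dest 'lan'
	option dest_ip '192.168.1.50'
	option dest_port '5555'
	option proto 'tcp udp'
	option target 'DNAT'

# 3) With DS-Lite the IPv4 traffic arrives on the 'wan4' tunnel interface.
#    If that interface is not a member of the wan zone, neither rule above
#    ever sees the packet, so list it alongside the other WAN interfaces.
config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wan4'
	list network 'wwan'
```

After editing, `/etc/init.d/firewall restart` applies the change, and `fw4 print` shows the generated nftables rules so you can confirm the 5555 rule is attached to the input chain (or the DNAT chain for the redirect).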

Then the rule should look like this, shouldn't it? I have also tried to add the two ds-lite interfaces 'wan4' and 'wan6_4' to the rule and to the WAN zone in the firewall. (not in the image) Unfortunately without success.

I don't know exactly how it works, either. But I set up my connection to my ISP via IPv6 using the 'wan' interface. Unfortunately, I don't understand everything that comes after that. What doesn't make sense to me, for example, is that I have an additional 'wan6' interface.

Yes, I searched for it, but unfortunately I didn't find anything that really helped me. I also noticed that ds-lite is really not used much. That's why it was super difficult for me to get it up and running at the beginning. Everything apart from the port forwards / traffic rules has worked great so far. I've been using this setup for a few months now.

I assume that it does not work because I used online port checkers with my DDNS hostname and also PowerShell with my private IP, Test-NetConnection -ComputerName 192.168.1.1 -Port 5555, and it fails. And a few days ago I had already tried to set up the WireGuard VPN and the handshake never went through because the host was not reachable.

If you are trying to port forward, there's another possibility: your ISP doesn't allow it and actively blocks all ports. Generally they do this for residential internet, but business internet is less restricted.

Not quite.
The outgoing "source port" at the original sender is likely not 5555, but some random high number.
You should likely leave that empty.

You might also add wan4 to the wan zone?

When I try it with FRITZ!OS from AVM (the original OS) on my router, it works, so it shouldn't actually be the ISP.