Trouble forwarding port 80

Hi,

I apologize for the newbie question. I am running OpenWrt 18.06.4 on my Linksys WRT3200ACM. I'd like to set up a web server to run from behind the OpenWrt firewall. I have set up the web server to respond to requests on ports 80 and 8080, and the web server responds to requests from other machines on the LAN. I used LuCI to set up port forwarding, resulting in the following two rules at the top of my /etc/config/firewall file:

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option name 'HTTP 80'
        option src_dport '80'
        option dest_ip '192.168.1.100'
        option dest_port '80'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '8080'
        option name 'HTTP 8080'
        option dest_ip '192.168.1.100'
        option dest_port '8080'
...

From the outside world, I'm now trying to connect to the web server. What I am finding is that requests sent to port 8080 on the external IP address are being honored. But requests sent to port 80 are not getting through somehow.

Following some of the help articles, I enabled logging on rejected packets on the WAN. I'm seeing some activity there, but nothing corresponding to port 80. The only dropped packet that I see that came from the external machine (at abc.def.ghi.jkl):

Mon Dec 30 20:57:48 2019 kern.warn kernel: [182637.676888] REJECT wan in: IN=eth1 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=abc.def.ghi.jkl DST=mn.opq.rs.tuv LEN=152 TOS=0x10 PREC=0x00 TTL=56 ID=45889 DF PROTO=TCP SPT=22 DPT=49879 WINDOW=1026 RES=0x00 ACK PSH URGP=0

And I'm not seeing the packet on the internal network either. I'm seeing the 8080 packets on a tcpdump:

20:28:28.772739 IP externalipaddress.domain.com.49316 > webservermachine.lan.8080: Flags [S], seq 1542747305, win 29200, options [mss 1460,sackOK,TS val 545492952 ecr 0,nop,wscale 7], length 0

But I'm not seeing anything to webservermachine.lan.80 that's coming from the external ip address.

Some things that I don't think are related, but I wanted to mention in case it matters:

  1. I modified /etc/config/uhttpd to have LuCI listen on port 8080. I wanted to rule out that this was somehow interfering with the routing.
  2. I am running standard Adblock, HDD Idle, p910nd, watchcat, and samba services.

Thanks!

Greg

1 Like

the conf looks good...

I would try a tcpdump on the OpenWrt if no packets arrive on the LAN

80/TCP could be blocked by ISP, worth checking with tcpdump on WAN
Bad idea to use unsecured http.

1 Like
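
As an added example (not part of any post in this thread), the WAN-versus-LAN capture comparison suggested above can be scripted to show where the port 80 SYNs disappear. It assumes `br-lan` as the LAN bridge name (`eth1` is the WAN interface per the log in the question); the capture lines are constructed samples using documentation addresses.

```shell
#!/bin/sh
# Added example: classify where inbound SYNs for a forwarded port disappear.
# Captures would come from the router, e.g. (eth1 = WAN per the log above,
# br-lan = assumed LAN bridge name):
#   tcpdump -ni eth1   'tcp[tcpflags] == tcp-syn and (dst port 80 or dst port 8080)'
#   tcpdump -ni br-lan 'tcp[tcpflags] == tcp-syn and dst host 192.168.1.100'

# Count initial SYNs (Flags [S]) to destination port $1 in tcpdump -n text on stdin.
count_syn() {
    awk -v port="$1" '
        / IP / && /Flags \[S\],/ {
            for (i = 1; i <= NF; i++) if ($i == ">") {
                dst = $(i + 1); sub(/:$/, "", dst)   # e.g. 203.0.113.20.8080
                n = split(dst, p, ".")               # last dotted part is the port
                if (p[n] == port) c++
            }
        }
        END { print c + 0 }'
}

# diagnose PORT WAN_CAPTURE LAN_CAPTURE
diagnose() {
    wan=$(printf '%s\n' "$2" | count_syn "$1")
    lan=$(printf '%s\n' "$3" | count_syn "$1")
    if [ "$wan" -eq 0 ]; then echo "upstream"     # never reached the WAN interface
    elif [ "$lan" -eq 0 ]; then echo "router"     # arrived, but was not DNATed to the LAN
    else echo "forwarded"; fi                     # redirect works; look at the server
}

# Constructed sample captures (documentation addresses, not from the thread).
WAN_CAP='20:28:28.772739 IP 198.51.100.7.49316 > 203.0.113.20.8080: Flags [S], seq 1542747305, win 29200, length 0
20:28:29.101010 IP 198.51.100.7.49316 > 203.0.113.20.8080: Flags [.], ack 1, win 229, length 0'
LAN_CAP='20:28:28.772901 IP 198.51.100.7.49316 > 192.168.1.100.8080: Flags [S], seq 1542747305, win 29200, length 0'

for port in 80 8080; do
    echo "port $port: $(diagnose "$port" "$WAN_CAP" "$LAN_CAP")"
done
```

A result of `upstream` for port 80 alongside `forwarded` for 8080 means the redirect rules are not the problem: the SYN never reached the router's WAN interface.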

Nothing to do with your configuration,
but I must point out my ISP blocks port 80 by default and a few others for mail & networking.
When you just sign up they put you on CGNAT, which won't work.
If you ask they will give you a "Sticky IP", a real IP to yourself, but it may change,
but it still won't work cos then you have to get them to unblock it.
I ordered a static IP & still have to get them to unblock everything,
so don't discount your ISP; after all, they will happily sell you web services at an extra cost :)

I have enabled both 80 and 443, then put in place a redirect, still it's OK and I would say needed to have 80 open

really? I would change ISP for sure... what's this crap?

They unblocked it for me with just a phone call, but I did know how it all works.
My cynical side is sure it's just a way of trying to upsell services to the newbies.

1 Like

LOL, OK then :)

Thanks guys!

The ISP is blocking it. Worse yet, they won't stop unless I upgrade to a business-grade account for a lot more money. I'd surely switch to a different ISP, but there's nobody else here that provides internet access other than the old phone company with their slow DSL offering.

This happens a lot on copper-based ISPs... my local cable provider/ISP is the same
