Unable to Open/Forward Ports

In the WAN zone change input and forward to DROP or REJECT.

Then add more redirect rules if you want to open ports on the firewall to internal hosts, or add forwarding rules if you want to allow IPv6 traffic from wan to lan.
Last but not least, I think you are missing the wan in the wan zone option: option network 'wan6'

Are you trying to forward WOL packets?
Is that even supposed to work?

# Clear the network lists of both zones, then rebuild them so that
# zone 0 (lan) covers 'lan' and zone 1 (wan) covers 'wan' and 'wan6'.
uci delete firewall.@zone[0].network
uci delete firewall.@zone[1].network
uci add_list firewall.@zone[0].network="lan"
uci add_list firewall.@zone[1].network="wan"
uci add_list firewall.@zone[1].network="wan6"
# Write the change to /etc/config/firewall and reload the ruleset.
uci commit firewall
service firewall restart

Thanks for the replies
@trendy - I've made those changes to WAN Zone.

@eduperez - Yes it's for WOL - I used to have a working setup with another router. I'm also trying to open up some ports so I can VPN (1723) but I can't get that open either

@vgaetera I made those changes you suggested. Although instead of connection refused, it's now timing out. In case it's because of the WOL / I've also forwarded port 1723 (for a VPN to my machine), but both ports still time out.

uci show network; uci show firewall
root@OpenWrt:~# uci show network; uci show firewall
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fda7:c027:1729::/48'
network.atm=atm-bridge
network.atm.vpi='1'
network.atm.vci='32'
network.atm.encaps='llc'
network.atm.payload='bridged'
network.atm.nameprefix='dsl'
network.dsl=dsl
network.dsl.annex='b'
network.dsl.tone='a'
network.dsl.xfer_mode='ptm'
network.dsl.line_mode='vdsl'
network.dsl.ds_snr_offset='0'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan_dev=device
network.lan_dev.name='eth0.1'
network.lan_dev.macaddr=*removed*
network.wan=interface
network.wan.proto='dhcp'
network.wan.clientid=*removed*
network.wan.macaddr=*removed*
network.wan.ifname='dsl0.101'
network.wan_dev=device
network.wan_dev.name='dsl0'
network.wan_dev.macaddr=*removed*
network.wan6=interface
network.wan6.ifname='@wan'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 4 5 6t'
network.@switch_vlan[0].vid='1'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='6t'
network.@switch_vlan[1].vid='2'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='ACCEPT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].network='wan wan6'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp udp'
firewall.@redirect[0].src_dport='1113'
firewall.@redirect[0].dest_ip='192.168.1.85'
firewall.@redirect[0].dest_port='7'
firewall.@redirect[0].name='WOL'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].proto='tcp udp'
firewall.@redirect[1].src_dport='1723'
firewall.@redirect[1].dest_ip='192.168.1.85'
firewall.@redirect[1].dest_port='1723'
firewall.@redirect[1].name='VPN'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='lan'
firewall.@forwarding[0].src='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[1].src='lan'
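The replies above make three points about this dump that are easy to miss by eye: every zone needs a network list or its rules match nothing, the wan zone policies must be REJECT or DROP, and a plain forwarding section from wan to lan admits all traffic, not just the redirected ports (for IPv4 the missing NAT mapping still stops most of it; once IPv6 is routed it exposes every LAN host). The following script is an added example, not part of the thread or of OpenWrt: it parses the `uci show firewall` format and reports those conditions, plus a least-privilege note for any redirect that forwards both tcp and udp (fw3 defaults `proto` to both when it is unset, which the code assumes). The embedded dump is abridged from the output posted above; the finding codes and the choice of `masq='1'` as the marker for the untrusted zone are this example's own conventions.

```python
"""Audit an OpenWrt fw3 firewall config as printed by `uci show firewall`."""
from typing import Dict, List, Tuple

# Abridged from the `uci show firewall` output posted above.
UCI_DUMP = """\
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='ACCEPT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].masq='1'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].network='wan wan6'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp udp'
firewall.@redirect[0].src_dport='1113'
firewall.@redirect[0].dest_ip='192.168.1.85'
firewall.@redirect[0].dest_port='7'
firewall.@redirect[0].name='WOL'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='lan'
firewall.@forwarding[0].src='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[1].src='lan'
"""

Section = Dict[str, str]
Finding = Tuple[str, str]


def parse_uci(text: str) -> Dict[str, Section]:
    """Turn `uci show` lines into {section_path: {option: value}}.
    The section type is stored under '.type'; list options stay space-separated."""
    sections: Dict[str, Section] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip("'")
        parts = key.split(".")
        if len(parts) == 2:                      # config.@type[n]=type
            sections.setdefault(key, {})[".type"] = value
        elif len(parts) == 3:                    # config.@type[n].option=value
            sections.setdefault(f"{parts[0]}.{parts[1]}", {})[parts[2]] = value
    return sections


def audit_firewall(sections: Dict[str, Section]) -> List[Finding]:
    """Return (code, message) findings for the exposure problems discussed above."""
    findings: List[Finding] = []

    def of_type(kind: str) -> List[Section]:
        return [s for s in sections.values() if s.get(".type") == kind]

    zones = {z.get("name", ""): z for z in of_type("zone")}
    # Convention of this example: the zone that masquerades is the upstream/untrusted side.
    untrusted = {n for n, z in zones.items() if z.get("masq") == "1"}

    for d in of_type("defaults"):
        if d.get("forward", "REJECT") not in ("REJECT", "DROP"):
            findings.append(("DEFAULT_FORWARD_OPEN",
                             "defaults forward is ACCEPT: interfaces outside any zone are forwarded"))
    for name, z in zones.items():
        if not z.get("network"):
            findings.append(("ZONE_NO_NETWORK", f"zone '{name}' covers no network, so its rules never match"))
        if name in untrusted:
            for chain in ("input", "forward"):       # fw3 zone policies default to DROP when unset
                if z.get(chain, "DROP") not in ("REJECT", "DROP"):
                    findings.append(("UNTRUSTED_ZONE_OPEN", f"zone '{name}' {chain} is {z.get(chain)}"))
    for r in of_type("redirect"):
        label = r.get("name", "?")
        for side in ("src", "dest"):
            if r.get(side) and r[side] not in zones:
                findings.append(("REDIRECT_UNKNOWN_ZONE",
                                 f"redirect '{label}' references undefined zone '{r[side]}'"))
        protos = set(r.get("proto", "tcp udp").split())  # fw3 forwards both when proto is unset
        if {"tcp", "udp"} <= protos:
            findings.append(("REDIRECT_BOTH_PROTOS",
                             f"redirect '{label}' forwards tcp and udp to {r.get('dest_ip')}:"
                             f"{r.get('dest_port')}; narrow it to the protocol the service speaks"))
    for f in of_type("forwarding"):
        if f.get("src") in untrusted:
            findings.append(("UNTRUSTED_FORWARDING",
                             f"forwarding {f['src']}->{f.get('dest')} admits all traffic; with routed "
                             f"IPv6 every host in '{f.get('dest')}' becomes reachable"))
    return findings


if __name__ == "__main__":
    for code, msg in audit_firewall(parse_uci(UCI_DUMP)):
        print(f"{code}: {msg}")
```

Run against a live router with `uci show firewall | python3 audit.py` after replacing `UCI_DUMP` with `sys.stdin.read()`. On the dump above it reports the ACCEPT default forward policy, the wan-to-lan forwarding section, and the WOL redirect forwarding TCP as well as UDP; it stays silent on the zone policies and network lists, which the earlier replies had already fixed.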

Sorry, I have no experience with those technologies.
Maybe network-level information can clarify the issue:

ip a; ip r; ip ru
root@OpenWrt:~# ip a; ip r; ip ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether ea:69:12:9a:e7:0e brd ff:ff:ff:ff:ff:ff
    inet6 fe80::e869:12ff:fe9a:e70e/64 scope link
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether c8:91:f9:16:70:1a brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fda7:c027:1729::1/60 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::ca91:f9ff:fe16:701a/64 scope link
       valid_lft forever preferred_lft forever
6: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether c8:91:f9:16:70:1a brd ff:ff:ff:ff:ff:ff
7: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether c8:91:f9:16:70:1c brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ca91:f9ff:fe16:701c/64 scope link
       valid_lft forever preferred_lft forever
8: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether c8:91:f9:16:70:1d brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ca91:f9ff:fe16:701d/64 scope link
       valid_lft forever preferred_lft forever
9: dsl0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether c8:91:f9:16:70:1b brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ca91:f9ff:fe16:701b/64 scope link
       valid_lft forever preferred_lft forever
10: dsl0.101@dsl0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 70:50:af:c4:3e:98 brd ff:ff:ff:ff:ff:ff
    inet 176.26.147.103/22 brd 176.26.147.255 scope global dsl0.101
       valid_lft forever preferred_lft forever
    inet6 fe80::7250:afff:fec4:3e98/64 scope link
       valid_lft forever preferred_lft forever
default via 176.26.144.1 dev dsl0.101  src 176.26.147.103
176.26.144.0/22 dev dsl0.101 scope link  src 176.26.147.103
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Looks like you need to add network dsl to firewall zone wan.

Thanks for all your help with this. That isn't an option in the dropdown menu in the web interface, so I edited the firewall file. Unfortunately I've tried various combinations of dsl, dsl0, dsl0.101 and I keep getting the same issue - Section @zone[1] (wan) cannot resolve device of network 'xxx'

I see, it should work via network wan:

Can you access the internet through it?
Specifically, does the masquerading work properly?

I suggest to start tcpdump on the router, run tests from the internet and see if you can catch the queries on the ports you want to open/forward.

Yeah the internet works on it.
Unsure about masquerading, is there a way I can test this remotely without losing internet connection?

I've run tcpdump across all interfaces and filtered the port, then sent the WOL packet and tested for the open port. Results below

root@OpenWrt:~# tcpdump -i any 'port 1113'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
12:19:55.165068 ethertype IPv4, IP depicus.plus.com.33407 > b01a9367.bb.sky.com.1113: UDP, length 102
12:19:55.165068 IP depicus.plus.com.33407 > b01a9367.bb.sky.com.1113: UDP, length 102
12:20:11.135391 ethertype IPv4, IP 198.199.98.246.34153 > b01a9367.bb.sky.com.1113: Flags [S], seq 451996426, win 14600, options [mss 1460,sackOK,TS val 3259700636 ecr 0,nop,wscale 8], length 0
12:20:11.135391 IP 198.199.98.246.34153 > b01a9367.bb.sky.com.1113: Flags [S], seq 451996426, win 14600, options [mss 1460,sackOK,TS val 3259700636 ecr 0,nop,wscale 8], length 0
12:20:12.134849 ethertype IPv4, IP 198.199.98.246.34153 > b01a9367.bb.sky.com.1113: Flags [S], seq 451996426, win 14600, options [mss 1460,sackOK,TS val 3259700886 ecr 0,nop,wscale 8], length 0
12:20:12.134849 IP 198.199.98.246.34153 > b01a9367.bb.sky.com.1113: Flags [S], seq 451996426, win 14600, options [mss 1460,sackOK,TS val 3259700886 ecr 0,nop,wscale 8], length 0
12:20:12.140570 ethertype IPv4, IP 198.199.98.246.34158 > b01a9367.bb.sky.com.1113: Flags [S], seq 3868181705, win 14600, options [mss 1460,sackOK,TS val 3259700886 ecr 0,nop,wscale 8], length 0
12:20:12.140570 IP 198.199.98.246.34158 > b01a9367.bb.sky.com.1113: Flags [S], seq 3868181705, win 14600, options [mss 1460,sackOK,TS val 3259700886 ecr 0,nop,wscale 8], length 0
12:20:13.137929 ethertype IPv4, IP 198.199.98.246.34163 > b01a9367.bb.sky.com.1113: Flags [S], seq 3514426930, win 14600, options [mss 1460,sackOK,TS val 3259701136 ecr 0,nop,wscale 8], length 0
12:20:13.137929 IP 198.199.98.246.34163 > b01a9367.bb.sky.com.1113: Flags [S], seq 3514426930, win 14600, options [mss 1460,sackOK,TS val 3259701136 ecr 0,nop,wscale 8], length 0
12:20:13.139137 ethertype IPv4, IP 198.199.98.246.34158 > b01a9367.bb.sky.com.1113: Flags [S], seq 3868181705, win 14600, options [mss 1460,sackOK,TS val 3259701136 ecr 0,nop,wscale 8], length 0
12:20:13.139137 IP 198.199.98.246.34158 > b01a9367.bb.sky.com.1113: Flags [S], seq 3868181705, win 14600, options [mss 1460,sackOK,TS val 3259701136 ecr 0,nop,wscale 8], length 0
12:20:14.134852 ethertype IPv4, IP 198.199.98.246.34163 > b01a9367.bb.sky.com.1113: Flags [S], seq 3514426930, win 14600, options [mss 1460,sackOK,TS val 3259701386 ecr 0,nop,wscale 8], length 0
12:20:14.134852 IP 198.199.98.246.34163 > b01a9367.bb.sky.com.1113: Flags [S], seq 3514426930, win 14600, options [mss 1460,sackOK,TS val 3259701386 ecr 0,nop,wscale 8], length 0
^C
14 packets captured
14 packets received by filter
0 packets dropped by kernel
root@OpenWrt:~#
iptables-save | grep 1113

Thanks for all your help on this btw...

root@OpenWrt:~# iptables-save | grep 1113
-A zone_lan_prerouting -s 192.168.1.0/24 -d 176.26.147.103/32 -p tcp -m tcp --dport 1113 -m comment --comment "!fw3: WOL (reflection)" -j DNAT --to-destination 192.168.1.85:7
-A zone_lan_prerouting -s 192.168.1.0/24 -d 176.26.147.103/32 -p udp -m udp --dport 1113 -m comment --comment "!fw3: WOL (reflection)" -j DNAT --to-destination 192.168.1.85:7
-A zone_wan_prerouting -p tcp -m tcp --dport 1113 -m comment --comment "!fw3: WOL" -j DNAT --to-destination 192.168.1.85:7
-A zone_wan_prerouting -p udp -m udp --dport 1113 -m comment --comment "!fw3: WOL" -j DNAT --to-destination 192.168.1.85:7
root@OpenWrt:~#
tcpdump -ni any port 1113 or port 7
root@OpenWrt:~# tcpdump -ni any port 1113 or port 7
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
13:15:25.289305 ethertype IPv4, IP 212.159.110.168.47570 > 176.26.147.103.1113: UDP, length 102
13:15:25.289305 IP 212.159.110.168.47570 > 176.26.147.103.1113: UDP, length 102
13:15:25.289611 IP 212.159.110.168.47570 > 192.168.1.85.7: UDP, length 102
13:15:25.289669 IP 212.159.110.168.47570 > 192.168.1.85.7: UDP, length 102
13:15:40.797274 ethertype IPv4, IP 198.199.98.246.50961 > 176.26.147.103.1113: Flags [S], seq 1087738189, win 14600, options [mss 1460,sackOK,TS val 3260533066 ecr 0,nop,wscale 8], length 0
13:15:40.797274 IP 198.199.98.246.50961 > 176.26.147.103.1113: Flags [S], seq 1087738189, win 14600, options [mss 1460,sackOK,TS val 3260533066 ecr 0,nop,wscale 8], length 0
13:15:40.797572 IP 198.199.98.246.50961 > 192.168.1.85.7: Flags [S], seq 1087738189, win 14600, options [mss 1460,sackOK,TS val 3260533066 ecr 0,nop,wscale 8], length 0
13:15:40.797636 IP 198.199.98.246.50961 > 192.168.1.85.7: Flags [S], seq 1087738189, win 14600, options [mss 1460,sackOK,TS val 3260533066 ecr 0,nop,wscale 8], length 0
13:15:41.796941 ethertype IPv4, IP 198.199.98.246.50961 > 176.26.147.103.1113: Flags [S], seq 1087738189, win 14600, options [mss 1460,sackOK,TS val 3260533316 ecr 0,nop,wscale 8], length 0
13:15:41.796941 IP 198.199.98.246.50961 > 176.26.147.103.1113: Flags [S], seq 1087738189, win 14600, options [mss 1460,sackOK,TS val 3260533316 ecr 0,nop,wscale 8], length 0
13:15:41.797174 IP 198.199.98.246.50961 > 192.168.1.85.7: Flags [S], seq 1087738189, win 14600, options [mss 1460,sackOK,TS val 3260533316 ecr 0,nop,wscale 8], length 0
13:15:41.797223 IP 198.199.98.246.50961 > 192.168.1.85.7: Flags [S], seq 1087738189, win 14600, options [mss 1460,sackOK,TS val 3260533316 ecr 0,nop,wscale 8], length 0
13:15:41.798304 ethertype IPv4, IP 198.199.98.246.50964 > 176.26.147.103.1113: Flags [S], seq 3504779838, win 14600, options [mss 1460,sackOK,TS val 3260533316 ecr 0,nop,wscale 8], length 0
13:15:41.798304 IP 198.199.98.246.50964 > 176.26.147.103.1113: Flags [S], seq 3504779838, win 14600, options [mss 1460,sackOK,TS val 3260533316 ecr 0,nop,wscale 8], length 0
13:15:41.798616 IP 198.199.98.246.50964 > 192.168.1.85.7: Flags [S], seq 3504779838, win 14600, options [mss 1460,sackOK,TS val 3260533316 ecr 0,nop,wscale 8], length 0
13:15:41.798668 IP 198.199.98.246.50964 > 192.168.1.85.7: Flags [S], seq 3504779838, win 14600, options [mss 1460,sackOK,TS val 3260533316 ecr 0,nop,wscale 8], length 0
13:15:42.796394 ethertype IPv4, IP 198.199.98.246.50964 > 176.26.147.103.1113: Flags [S], seq 3504779838, win 14600, options [mss 1460,sackOK,TS val 3260533566 ecr 0,nop,wscale 8], length 0
13:15:42.796394 IP 198.199.98.246.50964 > 176.26.147.103.1113: Flags [S], seq 3504779838, win 14600, options [mss 1460,sackOK,TS val 3260533566 ecr 0,nop,wscale 8], length 0
13:15:42.796660 IP 198.199.98.246.50964 > 192.168.1.85.7: Flags [S], seq 3504779838, win 14600, options [mss 1460,sackOK,TS val 3260533566 ecr 0,nop,wscale 8], length 0
13:15:42.796716 IP 198.199.98.246.50964 > 192.168.1.85.7: Flags [S], seq 3504779838, win 14600, options [mss 1460,sackOK,TS val 3260533566 ecr 0,nop,wscale 8], length 0
13:15:42.801180 ethertype IPv4, IP 198.199.98.246.50971 > 176.26.147.103.1113: Flags [S], seq 2705694570, win 14600, options [mss 1460,sackOK,TS val 3260533566 ecr 0,nop,wscale 8], length 0
13:15:42.801180 IP 198.199.98.246.50971 > 176.26.147.103.1113: Flags [S], seq 2705694570, win 14600, options [mss 1460,sackOK,TS val 3260533566 ecr 0,nop,wscale 8], length 0
13:15:42.801450 IP 198.199.98.246.50971 > 192.168.1.85.7: Flags [S], seq 2705694570, win 14600, options [mss 1460,sackOK,TS val 3260533566 ecr 0,nop,wscale 8], length 0
13:15:42.801489 IP 198.199.98.246.50971 > 192.168.1.85.7: Flags [S], seq 2705694570, win 14600, options [mss 1460,sackOK,TS val 3260533566 ecr 0,nop,wscale 8], length 0
13:15:43.798554 ethertype IPv4, IP 198.199.98.246.50971 > 176.26.147.103.1113: Flags [S], seq 2705694570, win 14600, options [mss 1460,sackOK,TS val 3260533816 ecr 0,nop,wscale 8], length 0
13:15:43.798554 IP 198.199.98.246.50971 > 176.26.147.103.1113: Flags [S], seq 2705694570, win 14600, options [mss 1460,sackOK,TS val 3260533816 ecr 0,nop,wscale 8], length 0
13:15:43.798768 IP 198.199.98.246.50971 > 192.168.1.85.7: Flags [S], seq 2705694570, win 14600, options [mss 1460,sackOK,TS val 3260533816 ecr 0,nop,wscale 8], length 0
13:15:43.798805 IP 198.199.98.246.50971 > 192.168.1.85.7: Flags [S], seq 2705694570, win 14600, options [mss 1460,sackOK,TS val 3260533816 ecr 0,nop,wscale 8], length 0
^C
28 packets captured
28 packets received by filter
0 packets dropped by kernel
root@OpenWrt:~#

Redirect works:

Check and fix destination host firewall.
Verify WoL is not limited to local subnet.
Use SNAT on OpenWrt if required.

Can't believe I didn't check that first - Looks like you're right. Disabled the firewall and I can see the WOL packet I generate online is received on my machine.
Although when I use a port checker, it still says that the port is closed? Guess it doesn't matter as long as it's received

Thanks for all your help (and patience) with this


Some services don't detect UDP properly:

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.