Unable to open ports

Hi guys,
I've been trying to open (and forward) port 80 in my OpenWRT router for about a week with no success. I saw a post here from someone with a similar issue but when they forwarded a random port to their server it worked; I tried forwarding port 432 to my server but it also didn't work.

  • Server is located at 192.168.1.124 and running a simple apache server with a single test page.
  • I'm able to access the server from LAN, via browser or cURL but not from outside it.
  • Server is running Ubuntu 20.04.3 LTS x86_64 with firewall disabled.
  • OpenWRT router is connected to bridged ISP modem.
  • uhttpd is not listening on WAN, only LAN.
  • There's a Pi-Hole running on 192.168.1.123 so there's a couple of custom firewall rules
My Allow-http rule
config rule
        option name 'Allow-http'
        option src 'wan'
        option dest_port '80'
        option proto 'tcp udp'
        option target 'ACCEPT'
My redirect config
config redirect
        option target 'DNAT'
        option src 'wan'
        option src_dport '80'
        option family 'ipv4'
        option dest 'lan'
        option dest_ip '192.168.1.124'
        option dest_port '80'
        option name 'http'
        option proto 'tcp udp'
        option enabled '1'
uhttpd config
config uhttpd main

        # HTTP listen addresses, multiple allowed
        list listen_http        192.168.1.1:80

        # HTTPS listen addresses, multiple allowed
        list listen_https       192.168.1.1:443
Pi-Hole custom rules
iptables -t nat -A PREROUTING -i br-lan ! -s 192.168.1.123 -p udp --dport 53 -j REDIRECT
iptables -t nat -A PREROUTING -i br-lan ! -s 192.168.1.123 -p tcp --dport 53 -j REDIRECT
iptables -t nat -A PREROUTING -i eth0.2 -p udp --dport 53 -j REDIRECT
iptables -t nat -A PREROUTING -i eth0.2 -p tcp --dport 53 -j REDIRECT

I'm aware that my ISP might be blocking opening some ports, but I don't think they would block every single port. Their customer service is horrible and so far I have not been able to ask them about port blocking, but I'll keep on calling them and update my post if I ever get an answer.

Any help would be appreciated and please excuse me if my issue is way too basic.

EDIT:
This was an issue with my ISP, so if anyone else from Chile has a similar problem and is a VTR client, you just need to contact them and ask for bridge mode.

Opening a port and forwarding a port are two different things. Do one or the other not both. If the web server is the router itself you would open the port, since here it is an internal machine you need to forward the port. If you forward port 80 to a LAN machine, that is not the same as an open port; services on the router like uhttpd will still not see requests from the wan.

Make sure the wan interface holds the public IP you are trying to connect to. You must test the connection from a separate Internet connection not from inside the LAN.

Install tcpdump on the router and confirm that your external web requests (as well as a bunch of others you will see from scripts probing the Internet) are reaching the wan port. Many ISPs have rules to the effect that "you cannot host a public web server on the line" and they attempt to enforce it by blocking ports 80 and 443.

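The open-versus-forward distinction above is easy to check mechanically: a `rule` section with `src 'wan'`, `target 'ACCEPT'` and no `dest` admits traffic to the router itself, while a `redirect` with `target 'DNAT'` sends it to a LAN host, so an ACCEPT rule for a port that is already forwarded does nothing for the forward. The following is an added example (not code from the thread or from OpenWrt) that parses the poster's UCI firewall sections, quoted verbatim from the thread as sample input, and reports the redundant open-port rule; the parser handles only the `config`/`option`/`list` lines shown here and is not a full UCI implementation.

```python
"""Added example: parse a UCI firewall config and flag 'open port' rules that
duplicate a port forward. UCI_SAMPLE is the poster's config from the thread."""
import re

UCI_SAMPLE = """
config rule
        option name 'Allow-http'
        option src 'wan'
        option dest_port '80'
        option proto 'tcp udp'
        option target 'ACCEPT'

config redirect
        option target 'DNAT'
        option src 'wan'
        option src_dport '80'
        option family 'ipv4'
        option dest 'lan'
        option dest_ip '192.168.1.124'
        option dest_port '80'
        option name 'http'
        option proto 'tcp udp'
        option enabled '1'
"""

# "config <type> [name]" starts a section; "option"/"list" lines belong to it.
SECTION_RE = re.compile(r"^\s*config\s+(\w+)(?:\s+'?([\w-]+)'?)?\s*$")
OPTION_RE = re.compile(r"^\s*(option|list)\s+(\w+)\s+'?([^']*?)'?\s*$")


def parse_uci(text):
    """Return a list of {'type', 'name', 'options'} dicts, one per section."""
    sections = []
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = {"type": m.group(1), "name": m.group(2), "options": {}}
            sections.append(current)
            continue
        m = OPTION_RE.match(line)
        if m and current is not None:
            kind, key, value = m.groups()
            if kind == "list":
                current["options"].setdefault(key, []).append(value)
            else:
                current["options"][key] = value
    return sections


def port_forwards(sections):
    """Enabled DNAT redirects from wan, keyed by src_dport -> (dest_ip, dest_port)."""
    fwds = {}
    for s in sections:
        o = s["options"]
        if s["type"] != "redirect" or o.get("src") != "wan":
            continue
        if o.get("target", "DNAT") != "DNAT" or o.get("enabled", "1") == "0":
            continue
        fwds[o["src_dport"]] = (o.get("dest_ip"), o.get("dest_port", o["src_dport"]))
    return fwds


def redundant_open_rules(sections):
    """Names of 'rule' sections that ACCEPT a wan port already covered by a redirect.

    A rule without 'dest' is an INPUT rule: it lets the wan reach the router's own
    services, not the forwarded LAN host, so it adds nothing to the forward and
    widens what the router itself exposes. Such rules are safe to delete.
    """
    fwds = port_forwards(sections)
    hits = []
    for s in sections:
        o = s["options"]
        if s["type"] != "rule" or o.get("src") != "wan" or o.get("target") != "ACCEPT":
            continue
        if o.get("dest"):  # a dest zone makes it a FORWARD rule, not an input rule
            continue
        if o.get("dest_port") in fwds:
            hits.append(o.get("name") or s["name"] or "<unnamed>")
    return hits


if __name__ == "__main__":
    parsed = parse_uci(UCI_SAMPLE)
    print("forwards:", port_forwards(parsed))
    print("redundant open rules:", redundant_open_rules(parsed))
```

Run against the thread's config this reports `Allow-http` as redundant, which matches the advice later in the thread to keep only the forward.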

If the web server is the router itself you would open the port, since here it is an internal machine you need to forward the port.

I understand, but since default firewall rules for WAN reject incoming data, should I allow incoming traffic in order to forward it to the internal machine? Or is forwarding the port enough?

Make sure the wan interface holds the public IP you are trying to connect to.

I'm using the IP that wolframalpha says is mine. I've also tried with the IPv4 address shown under the WAN interface in my router's web interface.

You must test the connection from a separate Internet connection not from inside the LAN.

I'm using my phone to test the connection and also a hosted server via cURL, none of them work 🙁

Install tcpdump on the router and confirm that your external web requests

tcpdump outputs a lot of lines when watching port 80, but none of them seem to be the ones I'm looking for. I forwarded another random port and used tcpdump to monitor it but there are no web requests reaching the WAN port apparently. logread shows no rejection of packets.

Those two IPs must be the same or it will not work. When they are different it means your wan IP is not really public because the ISP is doing NAT (CGNAT) between you and the Internet. Many customers are sharing one real IP address, so incoming connections are not possible.


Thanks, that must be the culprit. Does this mean the modem is not really in bridge mode or is it more of an ISP thing that I can't control?

If your wan IP is in the same range as the modem's administration page (e.g. 192.168.100.X) this usually means local NAT in the modem; it is not really in bridge mode. If it is CGNAT you would usually have a 100.X.X.X or 10.X.X.X wan IP which was assigned by the carrier's NAT system.

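The diagnosis in the two replies above (compare the router's WAN address with the address the Internet sees, then look at which range the WAN address falls in) can be written as a small check. The following is an added example, not code from the thread; the addresses in it are constructed. It uses the RFC 6598 shared address block 100.64.0.0/10 for carrier-grade NAT rather than all of 100.X, since the rest of 100.0.0.0/8 is ordinary public space, and treats 10/8 as "some upstream NAT" because, as the reply says, it can be either the modem or the carrier.

```python
"""Added example: classify a router's WAN address against the public address
observed from outside, to tell 'public', modem NAT and carrier NAT apart."""
import ipaddress

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
# 192.168/16 and 172.16/12 on the WAN side almost always mean NAT in the modem;
# 10/8 is used both by modems and by carriers, so it only says "upstream NAT".
MODEM_NAT = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("172.16.0.0/12")]
AMBIGUOUS_NAT = ipaddress.ip_network("10.0.0.0/8")


def classify_wan(wan_ip, observed_public_ip):
    """Return one of 'public', 'mismatch', 'cgnat', 'modem-nat', 'upstream-nat'.

    wan_ip is the address on the router's WAN interface; observed_public_ip is
    what an outside service (the thread used wolframalpha) reports for you.
    """
    wan = ipaddress.ip_address(wan_ip)
    pub = ipaddress.ip_address(observed_public_ip)
    if wan in CGNAT:
        return "cgnat"
    if any(wan in net for net in MODEM_NAT):
        return "modem-nat"
    if wan in AMBIGUOUS_NAT:
        return "upstream-nat"
    if wan != pub:
        # Routable address but not the one the Internet sees: something in between
        # is still translating, so inbound forwards will not reach this router.
        return "mismatch"
    return "public"


def inbound_forwards_can_work(verdict):
    """Port forwards on the router can only receive traffic when the WAN holds the
    real public address; in every other case the fix is upstream (modem bridge
    mode or asking the ISP for a non-NAT address), not in the firewall config."""
    return verdict == "public"


def diagnose(wan_ip, observed_public_ip):
    verdict = classify_wan(wan_ip, observed_public_ip)
    hints = {
        "public": "WAN holds the public address; check firewall and ISP port blocking.",
        "mismatch": "WAN address differs from the observed one; another NAT is upstream.",
        "cgnat": "WAN is in 100.64.0.0/10: carrier-grade NAT, ask the ISP for a real address.",
        "modem-nat": "WAN is in a LAN-style range: the modem is still doing NAT (not bridged).",
        "upstream-nat": "WAN is in 10/8: NAT in the modem or at the carrier; check both.",
    }
    return verdict, inbound_forwards_can_work(verdict), hints[verdict]


if __name__ == "__main__":
    # Constructed sample pairs (wan_ip, observed_public_ip), not from the thread.
    for pair in [("100.72.3.9", "203.0.113.7"), ("192.168.100.2", "203.0.113.7"),
                 ("203.0.113.7", "203.0.113.7"), ("198.51.100.4", "203.0.113.7")]:
        print(pair, "->", diagnose(*pair))
```

Only the `public` case leaves a firewall problem to solve on the router; the thread's 100.X WAN address lands in `cgnat`, which is why no amount of forwarding or tcpdump on the WAN side could show the requests.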

Thank you very much, I do have a 100.X WAN IP and my ISP has finally answered my calls and said they can take me out of NAT mode, so this seems to be a user side problem, sorry about that.

One last thing, you mentioned I should not open the port but rather forward it, does that mean that I should delete the Allow-http rule?

Yes delete the Allow-http rule. You really only need to change one thing in the router from defaults, and that is to add a forward-http rule.


Thank you so much, everything is working as intended now. You're a genius
