Unable to port forward from WAN -> LAN (HTTP, SSH)

Hi all,
I have deployed OpenWRT 15.05.1 r48532 (Chaos Calmer) as a virtual machine (VM), as part of a test/lab environment. The setup is as follows:
Client VM (192.168.60.147/24) ----> OpenWRT WAN (192.168.60.146/24) ==== OpenWRT LAN (172.16.1.8/24)-----> Server VM (172.16.1.3/24)

The firewall configuration is as follows:

config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name			lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name			wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq			1
	option mtu_fix		1

config forwarding
	option src			lan
	option dest			wan


config rule
	option name			Allow-SSH
	option src			wan
	option proto		tcp
	option dest_port	22
	option target		ACCEPT
	option family		ipv4

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name			Allow-DHCP-Renew
	option src			wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name			Allow-Ping
	option src			wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name			Allow-IGMP
	option src			wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
	option name			Allow-DHCPv6
	option src			wan
	option proto		udp
	option src_ip		fe80::/10
	option src_port		547
	option dest_ip		fe80::/10
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name			Allow-MLD
	option src			wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name			Allow-ICMPv6-Input
	option src			wan
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name			Allow-ICMPv6-Forward
	option src			wan
	option dest			*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# include a file with users custom iptables rules
config include
	option path /etc/firewall.user

# port redirect port coming in on wan to lan
config redirect
	option src			wan
	option src_dport	80
	option dest			lan
	option dest_ip		172.16.1.3
	option dest_port	80
	option proto		tcp
	option target		DNAT

# port redirect of remapped ssh port (22001) on wan
config redirect
	option src			wan
	option src_dport	22001
	option dest			lan
	option dest_ip		172.16.1.3
	option dest_port	22
	option proto		tcp
	option target 		DNAT

# allow IPsec/ESP and ISAKMP passthrough
config rule
	option src			wan
	option dest			lan
	option proto		esp
	option target		ACCEPT

config rule
	option src			wan
	option dest			lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

Route and network configuration:

root@OpenWrt:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.16.1.1      0.0.0.0         UG    0      0        0 br-lan
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 br-lan
172.16.1.1      0.0.0.0         255.255.255.255 UH    0      0        0 br-lan
192.168.60.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.60.11   0.0.0.0         255.255.255.255 UH    0      0        0 eth1
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option ifname 'eth0'
        option type 'bridge'
#       option ipaddr '192.168.1.1'
#       option netmask '255.255.255.0'
#       option ip6assign '60'
        option proto 'dhcp'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config globals 'globals'
        option ula_prefix 'fdd9:1062:ac9f::/48'

I am able to connect to ports 80 and 22 of the server from the router's LAN interface. The issue is when I try to do it from the client side (WAN). I can't seem to find an issue with the configuration. Could anyone help in pointing out what could be the problem?
Thanks.
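As an added example (not part of the original post), the script below parses the posted UCI firewall sections and route table, renders the plain iptables equivalent of each DNAT redirect, and runs the one check a practitioner would want here: whether the LAN server's replies will actually come back through this router. DNAT rewrites only the destination, so the server still sees the WAN client's real address and answers via its own default gateway; if the router's own default route leaves via br-lan towards 172.16.1.1, that other host is presumably the LAN's gateway and the SYN-ACK never returns through the router. The sample config and routes are trimmed, constructed copies of what the thread shows; the interface names (eth1 for WAN, br-lan for LAN) are taken from the posted network config, and the generic PREROUTING/FORWARD chain names are an assumption, not fw3's exact chain layout.

```python
"""Sanity-check WAN->LAN DNAT redirects in an OpenWrt UCI firewall config.

Added example, not from the original post. The config and route samples are
constructed copies of the relevant parts of what was posted in the thread.
"""
import ipaddress

WAN_IFACE = "eth1"    # assumed from the posted /etc/config/network
LAN_IFACE = "br-lan"  # assumed from the posted /etc/config/network

# Constructed sample: the zone and redirect sections from the posted config.
FIREWALL_CFG = """\
config zone
	option name		lan
	list   network	'lan'

config zone
	option name		wan
	list   network	'wan'
	option masq		1

config redirect
	option src		wan
	option src_dport	80
	option dest		lan
	option dest_ip	172.16.1.3
	option dest_port	80
	option proto	tcp
	option target	DNAT

config redirect
	option src		wan
	option src_dport	22001
	option dest		lan
	option dest_ip	172.16.1.3
	option dest_port	22
	option proto	tcp
	option target	DNAT
"""

# Constructed sample: the IPv4 routes from the posted `route -n` output.
ROUTE_TABLE = """\
0.0.0.0         172.16.1.1      0.0.0.0         UG    0      0        0 br-lan
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.60.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
"""


def parse_uci(text):
    """Parse UCI text into (section_type, options); `list` keys become lists."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "config" and len(parts) >= 2:
            sections.append((parts[1], {}))
        elif parts[0] in ("option", "list") and sections and len(parts) == 3:
            key, val = parts[1], parts[2].strip().strip("'\"")
            opts = sections[-1][1]
            if parts[0] == "list":
                opts.setdefault(key, []).append(val)
            else:
                opts[key] = val
    return sections


def parse_routes(text):
    """Parse `route -n` style lines into dicts (dest, gw, mask, iface)."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 8:
            routes.append({"dest": cols[0], "gw": cols[1], "mask": cols[2], "iface": cols[-1]})
    return routes


def redirects(sections):
    """Yield only the DNAT redirect sections (target defaults to DNAT)."""
    for typ, opts in sections:
        if typ == "redirect" and opts.get("target", "DNAT") == "DNAT":
            yield opts


def render_iptables(sections):
    """Generic iptables equivalent of each redirect: the DNAT in PREROUTING plus
    the FORWARD accept fw3 adds implicitly. Chain names are generic, not fw3's."""
    rules = []
    for opts in redirects(sections):
        proto, dport_in = opts.get("proto", "tcp"), opts["src_dport"]
        dport_out = opts.get("dest_port", dport_in)
        rules.append(f"iptables -t nat -A PREROUTING -i {WAN_IFACE} -p {proto} "
                     f"--dport {dport_in} -j DNAT --to-destination {opts['dest_ip']}:{dport_out}")
        rules.append(f"iptables -A FORWARD -i {WAN_IFACE} -o {LAN_IFACE} -p {proto} "
                     f"-d {opts['dest_ip']} --dport {dport_out} -j ACCEPT")
    return rules


def check_return_path(sections, routes):
    """Flag redirects whose replies will probably bypass this router: the target
    sits on the LAN bridge, yet the router's own default route also leaves via
    that bridge, so another host there is the LAN's gateway (asymmetric return)."""
    default = next((r for r in routes if r["dest"] == "0.0.0.0"), None)
    lan_nets = [ipaddress.ip_network(f"{r['dest']}/{r['mask']}", strict=False)
                for r in routes if r["iface"] == LAN_IFACE and r["gw"] == "0.0.0.0"]
    findings = []
    for opts in redirects(sections):
        target = ipaddress.ip_address(opts["dest_ip"])
        if any(target in net for net in lan_nets) and default and default["iface"] == LAN_IFACE:
            findings.append(f"redirect :{opts['src_dport']} -> {target}: this router's default "
                            f"gateway {default['gw']} is on {LAN_IFACE}, so {target} most likely "
                            f"sends its replies to {default['gw']}, not back through this router")
    return findings


if __name__ == "__main__":
    cfg = parse_uci(FIREWALL_CFG)
    for rule in render_iptables(cfg):
        print(rule)
    for finding in check_return_path(cfg, parse_routes(ROUTE_TABLE)):
        print("WARNING:", finding)
```

If the check fires, the fix is on the routing side rather than in the redirect rules: either give the server (or the LAN gateway 172.16.1.1) a route for 192.168.60.0/24 via the router's LAN address 172.16.1.8, or set `option masq 1` on the lan zone so forwarded traffic is source-NATed to the router's LAN address and replies are forced back through it (the server then sees 172.16.1.8 as the client, which loses the real source in its logs). Either way, `iptables -t nat -L -n -v` on the router shows whether the DNAT counters increment, and `tcpdump -ni br-lan host 172.16.1.3` shows whether the SYN-ACK ever comes back through the bridge.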

  • Per your config, SSH should be working to access the router.
  • Are you attempting to reach port 80 on your VM server, or the router?

I am trying to reach ports 80 and 22 on my server VM, via ports 80 and 22001 of the router respectively (see the two redirect rules for HTTP and SSH).

The "Allow-SSH" rule was added so that I could SSH into the router for management purposes.

Are the redirect rules correct?

I must have missed them... they appear correct.