Unblock ports 19000-19002 locally to a single machine

I am looking for some guidance to help unblock internal routing to ports 19000-19002 on my local machine. It does not need any connection from outside the local network. Only other devices on the same network would need to connect.

I am trying to run a local Expo server on my MacBook. It runs various services on ports 19000-19002 and my local machine is 192.168.1.168

I am then trying to connect to this local server from my iPhone on the same internal 5 GHz wireless network.

The issue is my phone has no connection to 192.168.1.168.

I have turned off all firewall and security on my mac, and I am sure the issue is related to the router. I can host a hotspot connection on my phone or an adhoc local network from the MacBook and have no issue connecting.

I have tried adding several Firewall > Traffic rules to no avail.

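In the vast majority of cases, the router/firewall has zero impact on your issue. Hosts on the same network are not filtered/firewalled by the router since all of the traffic is switched (L2) not routed (L3). The main exception is wireless client isolation on the access point, which blocks client-to-client traffic at L2.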

Start by looking at your local server and your MacBook to ensure it is properly configured and that it doesn't have a local firewall (on the Mac itself) that is blocking those connections.


As I mentioned in my original post, I have disabled all security and firewall on my machine and can connect if I join my phone's hotspot or the machine's ad hoc wifi network.

Can you create a diagram of your network?

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc6:3e83:6591::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option country 'US'
	option legacy_rates '0'
	option noscan '1'
	option htmode 'VHT160'
	option channel '120'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option macaddr ''
	option key ''
	option ssid 'CenturyLink3908_5G'
	option encryption 'psk2'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option country 'US'
	option channel 'auto'
	option legacy_rates '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option macaddr ''
	option encryption 'psk-mixed'
	option ssid 'CenturyLink3908'
	option key ''

etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'TSanford-MBP'
	option dns '1'
	option mac ''
	option ip '192.168.1.168'

etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'
	option family 'IPv4'
	option reload '1'

config rule
	option name 'Allow Expo App'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	option src '*'
	option dest '*'
	list dest_ip ''
	list dest_ip '192.168.1.168'
	option dest_port '19000-19002'

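There is nothing in your configuration that could cause any connectivity issues between devices on your network. The 'Allow Expo App' traffic rule does not help here either, because traffic between two hosts on the same LAN is not forwarded between firewall zones; as it is written with src '*' and dest '*', it would also match forwarded traffic arriving from the wan zone, so it is better removed once the real cause is found.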

Are there any other wifi APs or routers in the system, or is it just this one?

Also, let's see the output of this:

ubus call system board

All network devices are connected to this router. The router is hardwired to a DSL modem. No other wifi APs.

ubus call system board

{
	"kernel": "4.19.108",
	"hostname": "DevilDog",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT32X",
	"board_name": "linksys,venom",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r12570-f68c48f7dd",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt SNAPSHOT r12570-f68c48f7dd"
	}
}

I just put both my phone and my computer on the ssid 'CenturyLink3908'(WLAN1) and had no issues connecting. It seems to be only an issue on ssid 'CenturyLink3908_5G' (WLAN0)...

Any leads on this discovery?

Well, you could try adjusting your 5G radio configuration.

For example, noscan should probably be 0.

> Do not scan for overlapping BSSs in HT40+/- mode.
> Warning: Turning this on will violate regulatory requirements!

You also might change it to VHT40 or VHT80 and ensure that you are not using a DFS channel.

Thanks! Got it working!
