Upgraded from OpenWrt to LEDE, now port forwards don't work

Hello All,

I upgraded from OpenWrt (Barrier Breaker - 14.07) to LEDE Reboot 17.01.4 r3560-79f57e422d / LuCI lede-17.01 branch (git-17.290.79498-d3f0685)

Before upgrading, all my port forwards worked. Now they do not, and I am unsure why.

Here is the rule as it appears in the config file. (Note that I only used LuCI to configure the rules and have never made any changes via SSH.)

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan2'
        option proto 'tcp udp'
        option src_dport '35002'
        option dest_port '80'
        option name ' PacRim-HTTP'
        option dest_ip '192.168.15.19'

My WAN side IP is 192.168.0.16

When I use a computer on the LAN side of my router and try http://192.168.0.16:35002 the expected connection is made.

When I use a computer on the WAN side of my router I am unable to make the connection.

I have no idea why at this point, so if someone could help me out here I would be very happy.

Here is my complete configuration:

root@Home:~# cat /etc/config/firewall 

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'lan1'
        option network 'lan_1'
        option family 'ipv4'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'
        option log '1'

config forwarding
        option dest 'wan'
        option src 'lan1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'lan2'
        option network 'lan_2'
        option forward 'REJECT'

config forwarding
        option dest 'wan'
        option src 'lan2'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan2'
        option src_dport '35001'
        option dest_port '35001'
        option name ' PacRim-UDP '
        option proto 'udp'
        option dest_ip '192.168.15.19'

config redirect
        option target 'DNAT'
        option proto 'tcp'
        option src_dport '35000'
        option dest_port '35000'
        option name ' PacRim-TCP '
        option src 'wan'
        option dest 'lan2'
        option dest_ip '192.168.15.19'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan2'
        option proto 'tcp udp'
        option src_dport '35002'
        option dest_port '80'
        option name ' PacRim-HTTP'
        option dest_ip '192.168.15.19'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan2'
        option proto 'tcp udp'
        option src_dport '35003'
        option dest_port '443'
        option name ' PacRim-HTTPS'
        option dest_ip '192.168.15.19'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan2'
        option proto 'tcp'
        option src_dport '35004'
        option dest_port '554'
        option name ' PacRim-RTSP '
        option dest_ip '192.168.15.19'

Interesting addition, and hopefully useful for anyone out there able to help...

I reset my router to LEDE defaults then added a port forward:

IPv4-tcp, udp From any host in wan Via any router IP at port 35002 forwarded to IP 192.168.15.18, port 22 in lan

This allowed me to ssh to my laptop on the LAN side from my Phone via my providers network.

I then changed the port forward rule as below:

IPv4-tcp, udp From any host in wan Via any router IP at port 35002 forwarded to IP 192.168.15.19, port 80 in lan

Which did not allow me to connect to my security cameras as it should have.

I am able to connect to my security cameras without issue from the LAN side of the router sooo...

Is there a reason SSH will work and not HTTP?

If your WAN IP is 192.168.0.16 then it means you have two levels of NAT. I'm not sure if it's possible to forward ports through that at all, but if it is, then you would need to forward the ports at the first level as well. If the router gets its IP from your phone, then that would explain why your phone can connect to the forwarded port on your router.

Appreciate your answer Per but it looks like I should give you a better picture of the network and keep in mind that this all worked prior to upgrading the router from OpenWrt to LEDE.

router A -> router B -> Security camera DVR

  1. router A:
  • WAN side is INTERNET IP 123.123.123.123
  • LAN side IP 192.168.0.1
  • has firewall rule to forward any incoming WAN connections on port 35002 to 192.168.0.16 port 35002 on its LAN side.
  2. router B:
  • WAN side IP 192.168.0.16
  • LAN side IP 192.168.15.17
  • has firewall rule to forward any incoming WAN connections on port 35002 to 192.168.15.19 port 80 on its LAN side.
  3. Security camera DVR:
  • IP 192.168.15.19
  • Has web interface access set up on port 80.

As long as your rules are set up properly you can forward through a dozen routers with no problem.
The problem here is that since I upgraded Router B to LEDE I can only get SSH to forward. HTTP and RTSP have stopped working for some reason I am unable to work out.

Thanks

I neglected to mention the phone: the phone is not in any way connected to any of the devices above. I use my cell phone provider's network when I SSH into any of the systems, so it is an incoming connection to Router A from the internet...

Also, here is my complete configuration since I reset the router to LEDE defaults in my second addendum.
There are 2 LANs and the ports are split between them.

I can still establish an SSH connection to my laptop 192.168.15.18.
I cannot establish an HTTP connection to my DVR 192.168.15.19.

root@LEDE:~# cat /etc/config/network

config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fda2:7639:3e28::/48'

config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ip6assign '60'
option ipaddr '192.168.15.17'
option netmask '255.255.255.240'

config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'

config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'

config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'

root@LEDE:~# cat /etc/config/
dhcp dropbear firewall luci network rpcd system ubootenv ucitrack uhttpd wireless
root@LEDE:~# cat /etc/config/firewall

config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'

config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option src_dport '35002'
option name 'ssh'
option proto 'tcp udp'
option dest_port '80'
option dest_ip '192.168.15.19'

root@LEDE:~# cat /etc/config/dhcp

config dnsmasq
option domainneeded '1'
option boguspriv '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
option nonwildcard '0'

config dhcp 'lan'
option interface 'lan'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option start '20'
option limit '10'
option ra_management '1'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'

config host
option mac '3c:97:0e:6f:8d:d4'
option ip '192.168.15.18'

config host
option mac '00:40:7f:8a:ab:ce'
option ip '192.168.15.19'

Fixed.

Apparently LEDE wanted my DVR set to DHCP. Once that happened, everything was 'cool'.
I am unsure why manually setting the IP, Netmask, and Broadcast Address was not good enough, but it wasn't (most likely the static setup had no default gateway pointing at 192.168.15.17, so replies to off-subnet WAN clients never reached the router, while LAN-side clients on the same subnet needed no gateway).

:face_with_raised_eyebrow:

Thanks to all those who took the time to ponder.