Hello,
I've recently created a VLAN to act as a DMZ on one port of my WRT1900ACv2. I have created a firewall rule for the new VLAN and set up default forwarding from LAN to DMZ. I have also used the port forwarding tab to forward WAN ports 80 and 443 to the DMZ; however, it has not worked and I can't connect from the WAN side. What do I need to change so that the port forwarding accepts connections from the WAN?
The network and firewall configs are shown below.
/etc/config/network
# /etc/config/network as posted. The '#' lines are review notes; the original has no comments.
# Switch layout: one VLAN per role, CPU uplinks tagged ('t'), one untagged member port each.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
# VLAN 2 (vid 2): switch ports 1-3 untagged plus tagged CPU port 6.
# The 'lan' interface below binds eth1.2, i.e. VLAN tag 2 on eth1.
config switch_vlan
option device 'switch0'
option vlan '2'
option vid '2'
option ports '1 2 3 6t'
# VLAN 1 (vid 100): switch port 4 untagged plus tagged CPU port 5.
# 'wan'/'wan6' below bind eth0.100, i.e. VLAN tag 100 on eth0.
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '100'
option ports '4 5t'
# VLAN 3 (vid 3): switch port 0 untagged plus tagged CPU port 6.
# 'DMZ' below binds eth1.3, i.e. VLAN tag 3 on eth1 — a single physical port carries the DMZ.
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '3'
option ports '0 6t'
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdf3:6b18:a423::/48'
# lan: 192.168.1.1/24 bridged over eth1.2. The 'xbox' redirects in /etc/config/firewall
# target 192.168.1.177, which lies inside this subnet.
config interface 'lan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option ifname 'eth1.2'
config interface 'wan'
option ifname 'eth0.100'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth0.100'
option proto 'dhcpv6'
# DMZ: 192.168.2.1 on eth1.3, no bridge (single ifname).
# REVIEW: '255.255.255.253' is not a valid subnet mask — 253 is 0b11111101, not a contiguous
# run of ones. 255.255.255.0 (or 255.255.255.252 for a two-host /30) was probably intended;
# confirm. The DMZ-HTTP/DMZ-HTTPS redirects in /etc/config/firewall target 192.168.2.2, which
# must be routable on this interface, so fix the mask before chasing the DNAT rules.
config interface 'DMZ'
option proto 'static'
option ipaddr '192.168.2.1'
option ifname 'eth1.3'
option ip6assign '60'
option netmask '255.255.255.253'
/etc/config/firewall
# /etc/config/firewall as posted. The '#' lines are review notes; the original has no comments.
# WAN tcp/80 -> 192.168.2.2:80 in zone 'DMZone' (the name matches the zone defined further down).
# REVIEW: the last 'xbox' redirect below also claims WAN tcp/80 (to 192.168.1.177). fw3 emits
# redirects in file order, so only the first match is ever hit and the other is dead —
# decide which host owns port 80.
config redirect
option target 'DNAT'
option src 'wan'
option dest 'DMZone'
option proto 'tcp'
option src_dport '80'
option dest_ip '192.168.2.2'
option dest_port '80'
option name 'DMZ-HTTP'
# WAN tcp/443 -> 192.168.2.2:443 in 'DMZone'. No other redirect claims 443.
config redirect
option target 'DNAT'
option src 'wan'
option dest 'DMZone'
option proto 'tcp'
option src_dport '443'
option dest_ip '192.168.2.2'
option dest_port '443'
option name 'DMZ-HTTPS'
# WAN tcp+udp/3074 -> 192.168.1.177 (lan).
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '3074'
option dest_ip '192.168.1.177'
option dest_port '3074'
option name 'xbox'
# WAN tcp+udp/53 -> 192.168.1.177 (lan).
# REVIEW: this publishes whatever answers on port 53 of that host to the internet; confirm
# the console actually needs inbound DNS from WAN rather than this being a leftover.
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '53'
option dest_ip '192.168.1.177'
option dest_port '53'
option name 'xbox'
# WAN udp/88 -> 192.168.1.177 (lan).
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'udp'
option src_dport '88'
option dest_ip '192.168.1.177'
option dest_port '88'
option name 'xbox'
# WAN tcp/80 -> 192.168.1.177 (lan).
# REVIEW: same src zone, proto and src_dport as DMZ-HTTP above — one of the two is shadowed.
# See the note on DMZ-HTTP.
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '80'
option dest_ip '192.168.1.177'
option dest_port '80'
option name 'xbox'
# The 'Allow-*' rules below appear to be the stock OpenWrt defaults for the wan zone
# (DHCP renew, ping, DHCPv6, IGMP, MLD, ICMPv6 input/forward). Nothing unusual.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# dest '*' makes this a forward rule (ICMPv6 from wan into any zone), rate-limited.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Stock IPsec pass-through: these have dest 'lan', so they are forward rules (ESP and UDP/500
# from wan into LAN hosts), not input rules to the router.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Global policy: router output open, input and forward rejected, invalid-state packets dropped,
# SYN-flood protection on. With forward 'REJECT', traffic between zones only flows through the
# explicit 'config forwarding' sections.
config defaults
option syn_flood '1'
option output 'ACCEPT'
option drop_invalid '1'
option input 'REJECT'
option forward 'REJECT'
# lan: open in all three directions. LAN hosts may initiate to any zone they have a forwarding
# into — 'wan' and 'DMZone' (see the two 'config forwarding' sections with src 'lan').
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
# wan: NAT (masq) plus MSS clamping; unsolicited input and forward rejected. The redirects above
# are the only inbound holes.
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
option input 'REJECT'
option forward 'REJECT'
config forwarding
option src 'lan'
option dest 'wan'
# /etc/firewall.user is applied on top of everything here and is not shown in the post; any
# custom iptables rules in it can change the outcome.
config include
option path '/etc/firewall.user'
# DMZone: hosts on the 'DMZ' interface. log '1' logs rejected packets, which helps while debugging.
# REVIEW: input 'ACCEPT' lets any DMZ host reach every service the router itself listens on
# (management UI, ssh, DNS, ...). The explicit dmz-dns / dmz-dhcp rules below only make sense
# with input 'REJECT' and are no-ops while input is ACCEPT — REJECT was probably the intent.
# forward 'REJECT' is correct for a DMZ: there is no 'config forwarding' from DMZone to lan, so
# DMZ hosts cannot initiate into the LAN; only DMZone -> wan and lan -> DMZone exist below.
config zone
option output 'ACCEPT'
option log '1'
option name 'DMZone'
option network 'DMZ'
option input 'ACCEPT'
option forward 'REJECT'
# DMZ hosts may reach the internet.
config forwarding
option dest 'wan'
option src 'DMZone'
# Allow DMZ hosts to query udp/53 on the router's own DMZ address. Only has an effect once
# the zone's input policy is REJECT.
config rule
option target 'ACCEPT'
option dest_port '53'
option name 'dmz-dns'
option proto 'udp'
option dest_ip '192.168.2.1'
option src 'DMZone'
# Allow DMZ hosts to reach the router's DHCP server on port 67. DHCP is UDP only; the 'tcp'
# here is harmless but unnecessary. Only has an effect once the zone's input policy is REJECT.
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '67'
option name 'dmz-dhcp'
option src 'DMZone'
# Disabled (enabled '0'). As written (src '*', dest 'DMZone', icmp_type echo-reply) it would
# admit ICMP echo replies from any zone into the DMZ rather than let DMZ hosts ping out, which
# is presumably not what was meant if it is ever re-enabled.
config rule
option target 'ACCEPT'
option name 'dmz-ping'
option proto 'icmp'
option icmp_type 'echo-reply'
option src '*'
option dest 'DMZone'
option enabled '0'
# LAN hosts may initiate to DMZ hosts; the reverse direction is deliberately absent.
config forwarding
option dest 'DMZone'
option src 'lan'