VPN, Apache web server, no redirection

Hello, good day.
Sorry for my English.
I have a problem with port redirection and a VPN.
I have a WRT1900ACS router with a VPN client, and I also have a QNAP server with Apache and TeamSpeak3. The problem is that port redirection does not work when the VPN is up; if I stop it, it works and people can enter the server.
I have the server not going through the VPN, using the plugin (Policy-Based Routing).
If you could help me.
Thank you.

Are you forwarding the ports on the VPN server? Or are you trying to connect directly? How is the router supposed to handle answers to those incoming connections?

The ports are forwarded to the private IP where the server is.
The server is not supposed to go through the VPN.

I don't have a VPN server, I have a client.

First, you are forwarding some ports from your public IP address to the private IP address where there is a server, right?

Then you are connecting to a VPN server (no, you do not have a VPN server, you have a VPN client, that connects to a VPN server somewhere), and telling the device to route all traffic through the VPN connection, right?

Now, when someone tries to connect to your web server, do they use your public IP address, or do they use the public IP address on the VPN server?

If they try to connect using your public IP address, then your router is going to do as instructed, and send the answers through the VPN, and that is not going to work.

If they try to connect using the public IP address on the VPN server, then the VPN server should be forwarding those ports, too.

Do you see the issue now?

Hi, thank you very much eduperez.
I'm sorry for my English, my mother tongue is Spanish.
I have already realized the problem. I have installed and reconfigured the router, and the problem I see is that when the VPN client is installed, only the TCP port redirects work, and the UDP redirects do not.
I'm leaving my firewall file, in case you can help me.


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun0'

config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '80'
	option dest_ip '172.17.0.20'
	option dest_port '80'
	option name 'HTTP'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '443'
	option dest_ip '172.17.0.20'
	option dest_port '443'
	option name 'HTTPS'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option dest_ip '172.17.0.20'
	option name 'qnap-http'
	option src_dport '8081'
	option dest_port '8081'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option dest_ip '172.17.0.20'
	option name 'qnap-https'
	option src_dport '8086'
	option dest_port '8086'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option src_dport '6969'
	option dest_ip '172.17.0.20'
	option dest_port '6969'
	option name 'Teamspeak3'
	option proto 'udp'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '10011'
	option dest_ip '172.17.0.20'
	option dest_port '10011'
	option name 'Teamspeak3'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '30033'
	option dest_ip '172.17.0.20'
	option dest_port '30033'
	option name 'Teamspeak3'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '25'
	option dest_port '25'
	option name 'Email'
	option dest_ip '172.17.0.20'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '110'
	option dest_port '110'
	option name 'Email-pop3'
	option dest_ip '172.17.0.20'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '143'
	option dest_port '143'
	option name 'Email-Imap'
	option dest_ip '172.17.0.20'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '465'
	option dest_ip '172.17.0.20'
	option dest_port '465'
	option name 'Forward465'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '993'
	option dest_port '993'
	option name 'Email-Imaps'
	option dest_ip '172.17.0.20'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '995'
	option dest_port '995'
	option name 'Email-pop3S'
	option dest_ip '172.17.0.20'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '8082'
	option dest_ip '172.17.0.20'
	option dest_port '8082'
	option name 'Forward8082'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '2288'
	option dest_ip '172.17.0.20'
	option dest_port '2288'
	option name 'Forward2288'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '448'
	option dest_ip '172.17.0.20'
	option dest_port '448'
	option name 'Forward448'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '587'
	option dest_ip '172.17.0.20'
	option dest_port '587'
	option name 'Forward587'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '6080'
	option dest_ip '172.17.0.20'
	option dest_port '6080'
	option name 'Forward6080'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '9981'
	option dest_ip '172.17.0.20'
	option dest_port '9981'
	option name 'TVHeadend'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '25'
	option dest_port '25'
	option name 'isp-mail'
	option dest_ip '172.17.0.50'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '110'
	option dest_port '110'
	option name 'isp-pop3'
	option dest_ip '172.17.0.50'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '143'
	option dest_port '143'
	option name 'isp-imap'
	option dest_ip '172.17.0.50'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '993'
	option dest_port '993'
	option name 'isp-imaps'
	option dest_ip '172.17.0.50'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '995'
	option dest_port '995'
	option name 'isp-pop3s'
	option dest_ip '172.17.0.50'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option dest_ip '172.17.0.50'
	option name 'ISP-config-3'
	option src_dport '8080'
	option dest_port '8080'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '6078'
	option dest_ip '172.17.0.100'
	option dest_port '6078'
	option name 'Emule-TCP'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '59813'
	option dest_ip '172.17.0.100'
	option dest_port '59813'
	option name 'Emule-UDP'


You have 20+ redirects configured... can you be a bit more specific about what works and what does not? Also, VoIP is hell to make work when NAT is involved, I cannot even imagine VoIP over a VPN.

Hi, thanks again.
I only have four open ports: one TCP for HTTPS and another three for TeamSpeak3, and the one that doesn't work for me is 6969 UDP.
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '80'
	option dest_ip '172.17.0.20'
	option dest_port '80'
	option name 'HTTP'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '443'
	option dest_ip '172.17.0.20'
	option dest_port '443'
	option name 'HTTPS'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option dest_ip '172.17.0.20'
	option name 'qnap-http'
	option src_dport '8081'
	option dest_port '8081'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option dest_ip '172.17.0.20'
	option name 'qnap-https'
	option src_dport '8086'
	option dest_port '8086'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option dest_ip '172.17.0.20'
	option name 'Teamspeak3'
	option src_dport '6969'
	option dest_port '6969'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '10011'
	option dest_ip '172.17.0.20'
	option dest_port '10011'
	option name 'Teamspeak3'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '30033'
	option dest_ip '172.17.0.20'
	option dest_port '30033'
	option name 'Teamspeak3'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '9981'
	option dest_ip '172.17.0.20'
	option dest_port '9981'
	option name 'TVHeadend'
	option enabled '0'

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone 'wan'
	option name 'wan'
	option output 'ACCEPT'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	list device 'tun0'
	option network 'wan wan6 wan2'

config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'guest'
	option input 'REJECT'
	option network 'wifilan guest'

config forwarding
	option dest 'wan'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option dest 'lan'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'guest DNS'
	option src 'guest'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67 68'
	option name 'guest DHCP'
	option src 'guest'


The IP 172.17.0.20 is where I have Apache (it is a QNAP; I have several applications installed in addition to TeamSpeak3), and that is why port 6969 UDP does not open. Only with redirection can I open TCP ports. I think it is something in the firewall, but I am new to OpenWrt; I come from DD-WRT and I had no problem there with the VPN client and server UDP or TCP. Now I like OpenWrt more.
If someone could help me.

Then you have to use policy-based routing so that the server uses the WAN.

I already use it, I have two policies, but the UDP ports don't open either.

Those tests are unreliable for UDP.
You need to run tcpdump on your router or destination host to verify the port forwarding works:

tcpdump -n -i any udp port 6969

20:21:00.778379 IP 172.17.0.1.49916 > 172.17.0.20.6969: UDP, length 66
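Eduperez's explanation above (with the VPN owning the default route, the router sends the replies to connections that arrived on the WAN into the tunnel), the "use policy-based routing" suggestion and the tcpdump check fit together in the following added example. It is not code from the thread, from OpenWrt or from the pbr package. It asks the kernel which interface a reply from the forwarded server would leave through, classifies the answer, and prints the plain iproute2 equivalent of a "server goes out via WAN" policy. Only the server address 172.17.0.20 comes from the thread; the remote client 203.0.113.5, the WAN device `eth0`, the gateway 198.51.100.1, the bridge `br-lan` and routing table 100 are made-up values to be replaced with the router's own.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenWrt pbr package.
# Purpose: show on the router which interface a REPLY from the forwarded server
# would leave through (the asymmetric-routing problem eduperez describes), and
# print the plain iproute2 equivalent of a "server -> WAN" policy.
#
# Assumptions (made up for illustration, except the server IP from the thread):
#   SERVER_IP  172.17.0.20   the QNAP behind the DNAT rules
#   WAN_DEV    eth0          physical WAN interface
#   WAN_GW     198.51.100.1  ISP gateway; read the real one from `ip route show table main`
#   LAN_DEV    br-lan        LAN bridge the server sits on
#   PBR_TABLE  100           routing table reserved for the policy
SERVER_IP="172.17.0.20"
WAN_DEV="eth0"
WAN_GW="198.51.100.1"
LAN_DEV="br-lan"
PBR_TABLE="100"

# parse_egress_dev: read `ip route get ...` output on stdin and print the egress
# device name. Pure text parsing, so it can also be exercised offline.
parse_egress_dev() {
    sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
}

# verdict: classify the egress device. A reply leaving through a tunnel device
# while the request arrived on the WAN is exactly the broken case.
verdict() {
    case "$1" in
        tun*|tap*|wg*) echo "ASYMMETRIC" ;;
        "$WAN_DEV")    echo "OK" ;;
        *)             echo "UNKNOWN" ;;
    esac
}

# pbr_commands: source-based policy routing in plain iproute2 terms. This is what
# a "local address 172.17.0.20 -> WAN" policy boils down to; the pbr package
# maintains its own rules and tables, so review before running these by hand.
pbr_commands() {
    cat <<EOF
ip route add default via $WAN_GW dev $WAN_DEV table $PBR_TABLE
ip rule add from $SERVER_IP lookup $PBR_TABLE priority 1000
ip route flush cache
EOF
}

# live_check: run on the router. Asks the kernel how it would route a reply from
# the server to the remote client, then names the tcpdump captures that confirm it.
live_check() {
    client="$1"
    out=$(ip route get "$client" from "$SERVER_IP" iif "$LAN_DEV" 2>/dev/null || true)
    dev=$(printf '%s\n' "$out" | parse_egress_dev)
    echo "reply $SERVER_IP -> $client leaves via: ${dev:-<no route>}  [$(verdict "$dev")]"
    echo "confirm with:  tcpdump -ni $WAN_DEV udp port 6969   # request AND reply expected here"
    echo "               tcpdump -ni tun0 udp port 6969       # replies here = wrong path"
}

if [ "${1:-}" = "live" ]; then
    live_check "${2:-203.0.113.5}"
    echo
    echo "Policy-routing equivalent (review before applying):"
    pbr_commands
fi
```

Run it on the router as `sh check_reply_path.sh live <client-ip>` after adjusting the variables. A verdict of ASYMMETRIC means the DNAT itself is fine (tcpdump on the LAN side shows the forwarded packet, as in the capture above) but the reply goes back out through tun0 with the VPN's address, so the client never sees it; a rule that selects a WAN-only table for traffic from the server, which is what the pbr package's policy does for you, is the fix. Capturing on the physical WAN and on tun0 separately is more telling than `-i any`, because it shows which side the reply took.

One caveat on the second firewall file posted above, unrelated to the UDP problem: it contains a `config rule` with `src 'wan'`, `dest 'lan'` and `target 'ACCEPT'` and no protocol, port or address restriction. In OpenWrt `proto` defaults to tcp udp for rules, so that rule allows any TCP or UDP traffic the router can route from the wan zone (which here includes tun0, and wan6) into the LAN; with IPv6 on wan6 that can expose every LAN host's services directly. It should be removed or narrowed to the ports that are actually meant to be reachable.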

I have already installed it and executed the command you told me, but I don't know what else to do or where the error is.
If you could be more explicit; I am new and have little knowledge.

Thank you very much to all.
I think I have solved it with the policies; I'm leaving you an image.
First I put it in local ports, but it didn't open; in remote ports it did.
