WRT3200ACM Port Forwards Malfunction

My port mappings don't work properly, and I can't understand what I'm doing wrong with OpenWrt.
All services work correctly when the server is accessed without going through the router, that is, by connecting to a network interface (10.10.10.1) of the server.

I have Apache listening on ports 80, 443 and 444, and I have an FTP server listening on ports 21, 22 and 990.
I think something is not right, but I have no idea what it can be. I believe that the firewall does not handle the opening of ports, but I am not an expert in networks.

The symptoms are as follows:
Access to the web server via http: 80: sometimes the page loads completely, in other cases not. I disable the cache in the browser, so it loads everything every time.
I do these tests from another IP of the same ISP, but I have also made http and https access from the onion network with similar results.

The certificate is 14 days from expiring and is from Let's Encrypt.

Access to the web server via http: 443 generates errors: in Chrome I get the error ERR_SSL_BAD_RECORD_MAC_ALERT, in Firefox I get the error SSL_ERROR_BAD_MAC_ALERT, and in Brave I get the error ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
Access to the WebDAV with WinSCP also fails. It is possible to log in, but while waiting for the list of files and directories the connection is interrupted.

I have Wireshark on the server, checking the layout, you can see the following in the image:

There were moments that seemed to work, via webdav. I managed to transfer about 500 MiB.

I believed that the problem was caused because, after creating the rules, I did not run service firewall reload and service firewall restart. However, this morning the connectivity problem reappeared and the connections are interrupted.

My Port Forwards configuration active in OpenWrt, generated with LuCI:

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '20-22'
	option dest_ip '192.168.1.100'
	option dest_port '20-22'
	option name 'Forward-20:22'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '80'
	option dest_ip '192.168.1.100'
	option dest_port '80'
	option reflection '0'
	option name 'Forward-80'

config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option dest_ip '192.168.1.100'
	option name 'Forward-443'
	option dest 'lan'
	option src_dport '443'
	option dest_port '443'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '444'
	option dest_ip '192.168.1.100'
	option dest_port '444'
	option name 'Forward-444'

config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option dest_ip '192.168.1.100'
	option dest_port '990'
	option name 'Forward-990'
	option src_dport '990'
	option dest 'lan'

Greetings.
Sorry, English is not my native language.

Please post here the output of the following command, copy and paste the whole block:

uci show network; uci show firewall; uci show dhcp; \
ip link; ip -4 addr ; ip -4 ro ; ip -4 ru; \
iptables-save -c

Please use "Preformatted text </>" for logs, scripts, configs and general console output.

Hi, public ip appears as XXX.XXX.XXX.XXX

uci show network; uci show firewall; uci show dhcp; \
> ip link; ip -4 addr ; ip -4 ro ; ip -4 ru; \
> iptables-save -c
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd20:65f0:e87b::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.ifname='eth1.2'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.ifname='eth1.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 3 5t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='4 6t'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].src_dport='20-22'
firewall.@redirect[0].dest_ip='192.168.1.100'
firewall.@redirect[0].dest_port='20-22'
firewall.@redirect[0].name='Forward-20:22'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].proto='tcp'
firewall.@redirect[1].src_dport='80'
firewall.@redirect[1].dest_ip='192.168.1.100'
firewall.@redirect[1].dest_port='80'
firewall.@redirect[1].reflection='0'
firewall.@redirect[1].name='Forward-80'
firewall.@redirect[2]=redirect
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].proto='tcp'
firewall.@redirect[2].dest_ip='192.168.1.100'
firewall.@redirect[2].name='Forward-443'
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].src_dport='443'
firewall.@redirect[2].dest_port='443'
firewall.@redirect[3]=redirect
firewall.@redirect[3].target='DNAT'
firewall.@redirect[3].src='wan'
firewall.@redirect[3].dest='lan'
firewall.@redirect[3].proto='tcp'
firewall.@redirect[3].src_dport='444'
firewall.@redirect[3].dest_ip='192.168.1.100'
firewall.@redirect[3].dest_port='444'
firewall.@redirect[3].name='Forward-444'
firewall.@redirect[4]=redirect
firewall.@redirect[4].target='DNAT'
firewall.@redirect[4].src='wan'
firewall.@redirect[4].proto='tcp'
firewall.@redirect[4].dest_ip='192.168.1.100'
firewall.@redirect[4].dest_port='990'
firewall.@redirect[4].name='Forward-990'
firewall.@redirect[4].src_dport='990'
firewall.@redirect[4].dest='lan'
firewall.@redirect[5]=redirect
firewall.@redirect[5].target='DNAT'
firewall.@redirect[5].src='wan'
firewall.@redirect[5].dest='lan'
firewall.@redirect[5].src_dport='33777'
firewall.@redirect[5].dest_ip='192.168.1.103'
firewall.@redirect[5].dest_port='33777'
firewall.@redirect[5].name='Forward'
firewall.@redirect[5].proto='tcp udp'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].forward='REJECT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[3].enabled='0'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[5].enabled='0'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[6].enabled='0'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[7].enabled='0'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].domain='cisco'
dhcp.@dnsmasq[0].server='1.1.1.1' '8.8.8.8'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.leasetime='5m'
dhcp.lan.ra_management='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.@host[0]=host
dhcp.@host[0].name='winserv'
dhcp.@host[0].dns='1'
dhcp.@host[0].mac='78:44:76:B0:CC:31'
dhcp.@host[0].ip='192.168.1.100'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 532
    link/ether 24:f5:a2:c4:71:10 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 532
    link/ether 26:f5:a2:c4:71:10 brd ff:ff:ff:ff:ff:ff
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 26:f5:a2:c4:71:10 brd ff:ff:ff:ff:ff:ff
9: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 26:f5:a2:c4:71:10 brd ff:ff:ff:ff:ff:ff
10: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 24:f5:a2:c4:71:10 brd ff:ff:ff:ff:ff:ff
11: wlan2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether 24:f5:a2:c4:71:13 brd ff:ff:ff:ff:ff:ff
12: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether 24:f5:a2:c4:71:12 brd ff:ff:ff:ff:ff:ff
13: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether 24:f5:a2:c4:71:11 brd ff:ff:ff:ff:ff:ff
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
10: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet XXX.XXX.XXX.XXX/20 brd 179.62.255.255 scope global eth1.2
       valid_lft forever preferred_lft forever
default via 179.62.240.1 dev eth1.2  src XXX.XXX.XXX.XXX
179.62.240.0/20 dev eth1.2 scope link  src XXX.XXX.XXX.XXX
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
# Generated by iptables-save v1.6.2 on Wed Nov 27 15:35:06 2019
*nat
:PREROUTING ACCEPT [56578:6481498]
:INPUT ACCEPT [3843:626854]
:OUTPUT ACCEPT [6867:472795]
:POSTROUTING ACCEPT [580:44045]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[56970:6501582] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[51464:6178602] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[5506:322980] -A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[37512:4369033] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[411:24127] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[36931:4324936] -A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[411:24127] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.100/32 -p tcp -m tcp --dport 20:22 -m comment --comment "!fw3: Forward-20:22 (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.100/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Forward-443 (reflection)" -j SNAT --to-source 192.168.1.1
[1:52] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.100/32 -p tcp -m tcp --dport 444 -m comment --comment "!fw3: Forward-444 (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.100/32 -p tcp -m tcp --dport 990 -m comment --comment "!fw3: Forward-990 (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.103/32 -p tcp -m tcp --dport 33777 -m comment --comment "!fw3: Forward (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.103/32 -p udp -m udp --dport 33777 -m comment --comment "!fw3: Forward (reflection)" -j SNAT --to-source 192.168.1.1
[51464:6178602] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 20:22 -m comment --comment "!fw3: Forward-20:22 (reflection)" -j DNAT --to-destination 192.168.1.100:20-22
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Forward-443 (reflection)" -j DNAT --to-destination 192.168.1.100:443
[1:52] -A zone_lan_prerouting -s 192.168.1.0/24 -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 444 -m comment --comment "!fw3: Forward-444 (reflection)" -j DNAT --to-destination 192.168.1.100:444
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 990 -m comment --comment "!fw3: Forward-990 (reflection)" -j DNAT --to-destination 192.168.1.100:990
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 33777 -m comment --comment "!fw3: Forward (reflection)" -j DNAT --to-destination 192.168.1.103:33777
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d XXX.XXX.XXX.XXX/32 -p udp -m udp --dport 33777 -m comment --comment "!fw3: Forward (reflection)" -j DNAT --to-destination 192.168.1.103:33777
[36931:4324936] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[36931:4324936] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[5506:322980] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[55:2544] -A zone_wan_prerouting -p tcp -m tcp --dport 20:22 -m comment --comment "!fw3: Forward-20:22" -j DNAT --to-destination 192.168.1.100:20-22
[206:10240] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Forward-80" -j DNAT --to-destination 192.168.1.100:80
[126:7052] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Forward-443" -j DNAT --to-destination 192.168.1.100:443
[3:156] -A zone_wan_prerouting -p tcp -m tcp --dport 444 -m comment --comment "!fw3: Forward-444" -j DNAT --to-destination 192.168.1.100:444
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 990 -m comment --comment "!fw3: Forward-990" -j DNAT --to-destination 192.168.1.100:990
[1:40] -A zone_wan_prerouting -p tcp -m tcp --dport 33777 -m comment --comment "!fw3: Forward" -j DNAT --to-destination 192.168.1.103:33777
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 33777 -m comment --comment "!fw3: Forward" -j DNAT --to-destination 192.168.1.103:33777
COMMIT
# Completed on Wed Nov 27 15:35:06 2019
# Generated by iptables-save v1.6.2 on Wed Nov 27 15:35:06 2019
*mangle
:PREROUTING ACCEPT [5085160:4085080086]
:INPUT ACCEPT [63896:10250657]
:FORWARD ACCEPT [4999364:4072942838]
:OUTPUT ACCEPT [49823:5473015]
:POSTROUTING ACCEPT [5046850:4078314892]
[7445:409408] -A FORWARD -o eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Nov 27 15:35:06 2019
# Generated by iptables-save v1.6.2 on Wed Nov 27 15:35:06 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[4082:419648] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[59814:9831009] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[32070:3410426] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[3892:160944] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[3223:582920] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[24521:5837663] -A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
[4999364:4072942838] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[4967773:4068304753] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[31154:4615341] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[437:22744] -A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[4082:419648] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[45738:5053139] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[38818:4583225] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[43:12102] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[6877:457812] -A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
[6758:279448] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[515:82893] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[3892:160944] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[43:12102] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[31154:4615341] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[31154:4615341] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[1:52] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[3223:582920] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[3223:582920] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[43:12102] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[43:12102] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[3223:582920] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[2334:100733] -A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[35696:4972368] -A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
[437:22744] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[437:22744] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[24521:5837663] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[16553:5431694] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[695:43628] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[7273:362341] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[6877:457812] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[6877:457812] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[7273:362341] -A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Nov 27 15:35:06 2019

I don't see anything wrong here.
Could you explain what is the IP 10.10.10.1 you mentioned in the first post?
The ports are forwarded to 192.168.1.100. Is there a secondary network card or interface?

Yes, sorry.

10.10.10.1 is another server ip. I use that interface to test ftp web services. This way the packets do not have to go through the router.

I mention this point, to give guarantees that the services work correctly. Problems appear when packets pass through the router.

Do you shut down the secondary IP of the server to make sure there are no routing problems?
You can also access the server directly with 192.168.1.100 from some host in the LAN. It will not go through the router. How does this work?

Just tried, everything works perfectly via 192.168.1.100.

I have spent 3 years with the E900 and its factory firmware (updated). I never had a problem with this configuration and its RJ45 cable directly to the server on 10.10.10.1.

The server indicates that at night there was a power outage, therefore, the router has restarted as well.

Right now I have access via https, ftp and dav, but attention !!!

The same happened the first day I installed the WRT3200ACM, everything worked, but then stopped working as it happened yesterday for the umpteenth time.

That's why I showed a capture of Wireshark at the time that a connection interrupt occurs, TCP [RST, ACK].

That's why I decided to make this entry for help.

You could avoid adding another IP in the server, as this might cause asymmetric routing (if not configured properly), which could be a reason for dropping a connection as invalid.
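
One way to check the asymmetric-routing suggestion above against the `iptables-save -c` counters posted earlier in the thread (an added example, not part of the original posts): the functions below total the packets dropped by the `--ctstate INVALID` rule and list hits per WAN port forward, so a snapshot taken before a failed transfer can be compared with one taken after. The sample lines are copied from the dump above; the function names and the two snapshot file arguments are assumptions.

```shell
#!/bin/sh
# Added example: read the [packets:bytes] counters from `iptables-save -c` output.
# Uses only sh and awk, both present in a stock OpenWrt image.

# Sum the packet counters of every rule that drops conntrack-INVALID packets.
invalid_drops() {
    awk '/--ctstate INVALID/ && /-j DROP/ {
             split(substr($1, 2), c, ":")   # "[2334:100733]" -> c[1] = 2334
             sum += c[1]
         }
         END { print sum + 0 }'
}

# Print "<packets> <rule name>" for each WAN-side DNAT rule.
# Reflection rules live in zone_lan_prerouting and are skipped.
dnat_hits() {
    awk '/-A zone_wan_prerouting/ && /-j DNAT/ {
             split(substr($1, 2), c, ":")
             match($0, /"!fw3: [^"]*"/)     # the fw3 comment carries the rule name
             print c[1], substr($0, RSTART + 7, RLENGTH - 8)
         }'
}

# Growth of INVALID drops between two saved snapshots (hypothetical file paths):
#   iptables-save -c > /tmp/before; <reproduce the failure>; iptables-save -c > /tmp/after
invalid_delta() {
    before=$(invalid_drops < "$1")
    after=$(invalid_drops < "$2")
    echo $((after - before))
}

# Sample input: lines copied from the dump posted in this thread.
sample_snapshot() {
    cat <<'EOF'
[55:2544] -A zone_wan_prerouting -p tcp -m tcp --dport 20:22 -m comment --comment "!fw3: Forward-20:22" -j DNAT --to-destination 192.168.1.100:20-22
[206:10240] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Forward-80" -j DNAT --to-destination 192.168.1.100:80
[126:7052] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Forward-443" -j DNAT --to-destination 192.168.1.100:443
[3:156] -A zone_wan_prerouting -p tcp -m tcp --dport 444 -m comment --comment "!fw3: Forward-444" -j DNAT --to-destination 192.168.1.100:444
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 990 -m comment --comment "!fw3: Forward-990" -j DNAT --to-destination 192.168.1.100:990
[2334:100733] -A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[437:22744] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
EOF
}

# Demo on the embedded sample.
echo "INVALID drops: $(sample_snapshot | invalid_drops)"
sample_snapshot | dnat_hits
```

A drop counter that climbs while a forwarded connection is being reset is consistent with replies leaving by a path conntrack did not see; a counter that stays flat points elsewhere.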

Ok I understand, I will disable the other interface, let's see how things go.

Thank you very much, trendy.

If your problem is solved, feel free to mark the relevant post as the solution; and edit the title to add "[SOLVED]" to the beginning (click the pencil behind the topic).

Okay, I'll wait a few days to not create a false positive.

Thanks again, trendy.

It is difficult to indicate a solution to this issue, when in my opinion it seems that only the problem has been solved.

I have all the settings as the first day I changed the router for the WRT3200ACM.

However, everything seems to work; for several days there has been no interruption.

It is not a pleasant solution, but waiting a few days seems to work. I don't know, maybe some cache was updated and everything is fine.

Thanks for helping.
