Issue with Firewall Rules (Port Forwarding)

Hi. I keep getting the error "Rejected request from RFC1918 IP to public server address" while accessing all my internally hosted websites from the internet. The issue appeared immediately after I upgraded to the new snapshot "r18717-0e32c6baf3". Can someone help? I think it has something to do with the firewall.

I can see on GitHub that there are a lot of iptables-related commits; I am not sure whether something is broken in those commits. See the screenshot below for the issue.

I can access my internally hosted websites through my cellular internet. Disabling "Ignore private IPs on public interface" connects me to LuCI via the public IP instead of my internally hosted web server. I am also not able to access my network drives on the LAN. How can I resolve all this?

Firewall config output is as follows:

# Firewall configuration as posted (OpenWrt UCI syntax, /etc/config/firewall).
# Reviewer notes are the '#' lines; the option values are unchanged.
#
# NOTE(review): the error quoted in the post ("Rejected request from RFC1918 IP
# to public server address") is not emitted by any rule below. Together with the
# observation that turning off "Ignore private IPs on public interface" lands
# on LuCI rather than on 192.168.31.150, it looks like LAN clients that use the
# public address reach the router's own web server instead of being reflected
# to the forwarded host — i.e. NAT reflection (the reflection_src settings
# below) is not being applied on the new firewall. Confirm against the
# firewall4 logs before changing rules.

# Global policies: the router itself accepts inbound and outbound traffic,
# refuses forwarding between zones unless a forwarding/redirect entry allows
# it, and enables SYN-flood protection.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# LAN zone: fully open in all three directions.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# WAN zone: unsolicited inbound to the router is rejected, outbound allowed,
# source NAT (masq) and MSS clamping (mtu_fix) for the 'wan' network.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

# Only lan -> wan forwarding is allowed; wan -> lan is reached solely through
# the explicit rules and redirects further down.
config forwarding
        option src 'lan'
        option dest 'wan'

# The rules from here down to 'Support-UDP-Traceroute' appear to be the stock
# OpenWrt defaults (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec,
# traceroute) — presumably untouched; verify against a fresh default config.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Disabled (enabled '0'); kept for reference only.
config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

# Legacy iptables include script. NOTE(review): firewall4 (nftables) does not
# execute /etc/firewall.user; if any custom rules lived there they are silently
# lost after the upgrade — confirm the file is empty or has been migrated.
config include
        option path '/etc/firewall.user'

# Port forwards. Every redirect below sends wan traffic to the single host
# 192.168.31.150; that host is the exposed attack surface, so each service on
# it is reachable from the internet.
#
# reflection_src 'external': reflected (hairpin) connections from the LAN keep
# the router's public address as their source. This is the setting the LAN
# access symptoms in the post depend on.
#
# tcp/80 -> 192.168.31.150:80 (plain HTTP), with reflection.
config redirect
        option target 'DNAT'
        option name 'http'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest 'lan'
        option dest_ip '192.168.31.150'
        option dest_port '80'
        option reflection_src 'external'

# tcp/443 and udp/443 -> 192.168.31.150:443, with reflection.
# udp/443 is only needed if the server speaks QUIC/HTTP3; otherwise dropping
# `list proto 'udp'` narrows the exposed surface.
config redirect
        option target 'DNAT'
        option name 'https'
        option src 'wan'
        option src_dport '443'
        option dest 'lan'
        option dest_ip '192.168.31.150'
        option dest_port '443'
        list proto 'tcp'
        list proto 'udp'
        option reflection_src 'external'

# tcp/21 -> 192.168.31.150:21, with reflection. Plain FTP control channel is
# exposed to the internet: credentials and directory listings travel
# unencrypted unless the server enforces explicit TLS (AUTH TLS).
config redirect
        option target 'DNAT'
        option name 'ftp'
        list proto 'tcp'
        option src 'wan'
        option src_dport '21'
        option dest 'lan'
        option dest_ip '192.168.31.150'
        option dest_port '21'
        option reflection_src 'external'

# 61761 -> 192.168.31.150:61761, no reflection option.
# NOTE(review): no 'proto' given — the firewall then applies the redirect to
# both tcp and udp by default; confirm that is intended rather than tcp only.
config redirect
        option target 'DNAT'
        option src 'wan'
        option src_dport '61761'
        option dest 'lan'
        option dest_ip '192.168.31.150'
        option dest_port '61761'
        option name 'qbittorrent'

# udp/51820 -> 192.168.31.150:51820 (WireGuard on the LAN host, not on the
# router), no reflection option.
config redirect
        option target 'DNAT'
        option name 'wireguard'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest 'lan'
        option dest_ip '192.168.31.150'
        option dest_port '51820'

# tcp/40000-45000 -> same range on 192.168.31.150, with reflection.
# Presumably the FTP passive-mode data port range; 5001 ports are opened, so
# keep it matched to the range actually configured on the FTP server.
config redirect
        option target 'DNAT'
        option name 'ftps'
        list proto 'tcp'
        option src 'wan'
        option src_dport '40000-45000'
        option dest 'lan'
        option dest_ip '192.168.31.150'
        option dest_port '40000-45000'
        option reflection_src 'external'

# tcp/32400 -> 192.168.31.150:32400, no reflection option.
config redirect
        option target 'DNAT'
        option name 'plex'
        list proto 'tcp'
        option src 'wan'
        option src_dport '32400'
        option dest 'lan'
        option dest_ip '192.168.31.150'
        option dest_port '32400'

# Per-MAC block of lan -> wan for one client; currently disabled (enabled '0').
config rule
        option name 'Filter-Parental-Controls'
        list proto 'all'
        option src 'lan'
        list src_mac '92:EE:B9:50:14:3A'
        option dest 'wan'
        option target 'REJECT'
        option enabled '0'

# UPnP include: LAN hosts can open further inbound forwards on their own, in
# addition to the static redirects above; reload '1' re-runs the script on
# every firewall reload.
config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

# Captive-portal (openNDS) restart hook.
config include 'opennds'
        option type 'script'
        option path '/usr/lib/opennds/restart.sh'

Remove or comment out that option.

This didn't work. Firewall4 was the issue; I reverted back to the previous firewall.
