Yet another request for Port Forwarding help

Hello everyone.

This is my first experience with OpenWrt, but I have intermediate *nix skills and Google fu.
I just cannot figure out why I cannot get this damn router to port forward.

Here are the details:
Linksys EA8300 router running OpenWrt 19.07.4 r11208-ce6496d796

I'm trying to forward port 8080.
My first set of checks:
1.) Is the web server running and can I access it from inside the LAN? Yes.
The server is running Ubuntu 20.04, nginx, and firewall is disabled.

2.) Is the router even getting packets from the internet? tcpdump on the router says yes.
3.) Is the server getting these packets from the router? tcpdump on the server says no.

tcpdump from the router:
What is interesting: the packet dump shows the forwarded packets with the destination IP of the server (192.168.2.57), but they never get there! :astonished:

$ tcpdump -n -i any port 8080
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
17:15:23.169591 IP 9999.xxxx.yyyy.zzzz.48665 > 9999.ffff.gggg.hhhh.8080: Flags [S], seq 601415774, win 65535, length 0
17:15:23.169740 IP 9999.xxxx.yyyy.zzzz.48665 > 192.168.2.57.8080: Flags [S], seq 601415774, win 65535, options [mss 536], length 0
17:15:23.169761 IP 9999.xxxx.yyyy.zzzz.48665 > 192.168.2.57.8080: Flags [S], seq 601415774, win 65535, options [mss 536], length 0
17:15:23.169776 ethertype IPv4, IP 9999.xxxx.yyyy.zzzz.48665 > 192.168.2.57.8080: Flags [S], seq 601415774, win 65535, options [mss 536], length 0
17:15:32.061870 IP 1111.aaaa.bbbb.cccc.25323 > 9999.ffff.gggg.hhhh.8080: Flags [SEW], seq 212185903, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 3028787069 ecr 0], length 0
17:15:32.062044 IP 1111.aaaa.bbbb.cccc.25323 > 192.168.2.57.8080: Flags [SEW], seq 212185903, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 3028787069 ecr 0], length 0
17:15:32.062064 IP 1111.aaaa.bbbb.cccc.25323 > 192.168.2.57.8080: Flags [SEW], seq 212185903, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 3028787069 ecr 0], length 0
17:15:32.062076 ethertype IPv4, IP 1111.aaaa.bbbb.cccc.25323 > 192.168.2.57.8080: Flags [SEW], seq 212185903, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 3028787069 ecr 0], length 0
17:15:33.063902 IP 1111.aaaa.bbbb.cccc.25323 > 999.ffff.gggg.hhhh.8080: Flags [SEW], seq 212185903, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 3028788069 ecr 0], length 0
17:15:33.064030 IP 1111.aaaa.bbbb.cccc.25323 > 192.168.2.57.8080: Flags [SEW], seq 212185903, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 3028788069 ecr 0], length 0
17:15:33.064049 IP 1111.aaaa.bbbb.cccc.25323 > 192.168.2.57.8080: Flags [SEW], seq 212185903, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 3028788069 ecr 0], length 0
17:15:33.064060 ethertype IPv4, IP 1111.aaaa.bbbb.cccc.25323 > 192.168.2.57.8080: Flags [SEW], seq 212185903, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 3028788069 ecr 0], length 0
17:15:35.133753 IP 1111.aaaa.bbbb.cccc.25700 > 9999.ffff.gggg.hhhh.8080: Flags [SEW], seq 1436001225, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 2341660145 ecr 0], length 0
17:15:35.133924 IP 11111.aaaa.bbbb.cccc.25700 > 192.168.2.57.8080: Flags [SEW], seq 1436001225, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 2341660145 ecr 0], length 0
17:15:35.133945 IP 11111.aaaa.bbbb.cccc.25700 > 192.168.2.57.8080: Flags [SEW], seq 1436001225, win 65535, options [mss 1460,nop,wscale 12,sackOK,TS val 2341660145 ecr 0], length 0
<omitting the rest of the packets for brevity>
^C
48 packets captured
48 packets received by filter
0 packets dropped by kernel

My config:
/etc/config/firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option mtu_fix '1'
	option output 'ACCEPT'
	option masq '1'
	option input 'REJECT'
	option forward 'REJECT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option src 'wan'
	option name 'http'
	option target 'DNAT'
	option dest 'lan'
	option dest_port '8080'
	option dest_ip '192.168.2.57'
	option reflection '0'
	option src_dport '8080'
	list proto 'tcp'

config forwarding
	option dest 'lan'
	option src 'wan'

config forwarding
	option dest 'wan'
	option src 'lan'

iptables:

$ iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N postrouting_lan_rule
-N postrouting_rule
-N postrouting_wan_rule
-N prerouting_lan_rule
-N prerouting_rule
-N prerouting_wan_rule
-N zone_lan_postrouting
-N zone_lan_prerouting
-N zone_wan_postrouting
-N zone_wan_prerouting
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: http" -j DNAT --to-destination 192.168.2.57:8080
# Generated by iptables-save v1.8.3 on Sat Sep  4 10:51:33 2021
*nat
:PREROUTING ACCEPT [646:180093]
:INPUT ACCEPT [134:11162]
:OUTPUT ACCEPT [163:10447]
:POSTROUTING ACCEPT [19:1129]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[648:180173] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[605:177438] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[43:2735] -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
[459:121235] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[2:88] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[440:120106] -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
[2:88] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[605:177438] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[440:120106] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[440:120106] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[43:2735] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[2:80] -A zone_wan_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: http" -j DNAT --to-destination 192.168.2.57:8080
COMMIT
# Completed on Sat Sep  4 10:51:33 2021
# Generated by iptables-save v1.8.3 on Sat Sep  4 10:51:33 2021
*mangle
:PREROUTING ACCEPT [11354:2665784]
:INPUT ACCEPT [1643:168658]
:FORWARD ACCEPT [9494:2438996]
:OUTPUT ACCEPT [1221:285770]
:POSTROUTING ACCEPT [10715:2724766]
[771:40156] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[105:5444] -A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Sep  4 10:51:33 2021
# Generated by iptables-save v1.8.3 on Sat Sep  4 10:51:33 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[208:18528] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[1435:150130] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[878:92801] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[38:1568] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[490:52976] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[67:4353] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[9494:2438996] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[8558:2283673] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[934:155235] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[2:88] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[208:18528] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[1013:267242] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[861:257462] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[152:9780] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[61:2476] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[1:57] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[38:1568] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[2:88] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[934:155235] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[934:155235] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[490:52976] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[490:52976] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[490:52976] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1086:165015] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[2:88] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[2:88] -A zone_wan_forward -m comment --comment "!fw3: Zone wan to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[67:4353] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[5:1820] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[62:2533] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[152:9780] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[152:9780] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[62:2533] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat Sep  4 10:51:33 2021

Interface info for reference:

 $ ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    inet wwww.xxxx.yyyy.zzzz/23 brd wwww.xxxx.yyyy.zzzz scope global eth1
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
 $ ip -4 ro li tab all
default via wwww.xxxx.yyyy.zzzz dev eth1  src wwww.xxxx.yyyy.zzzz
wwww.xxxx.yyyy.zzzz/23 dev eth1 scope link  src wwww.xxxx.yyyy.zzzz
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1
broadcast wwww.xxxx.yyyy.zzzz dev eth1 table local scope link  src wwww.xxxx.yyyy.zzzz
local wwww.xxxx.yyyy.zzzz dev eth1 table local scope host  src wwww.xxxx.yyyy.zzzz
broadcast wwww.xxxx.yyyy.zzzz dev eth1 table local scope link  src wwww.xxxx.yyyy.zzzz
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.2.0 dev br-lan table local scope link  src 192.168.2.1
local 192.168.2.1 dev br-lan table local scope host  src 192.168.2.1
broadcast 192.168.2.255 dev br-lan table local scope link  src 192.168.2.1
 $ ip -4 ru
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Thank you in advance for any help!

Are there any intermediate devices between the router and the server? Switch, access point, powerlines, anything?
Is the Ubuntu server running on the hardware or as a virtual machine?

Are there any intermediate devices between the router and the server?

Not as far as I know. It's physical hardware plugged directly into the router ethernet port.

Powerlines

:laughing: :laughing: :laughing:
Just my flux capacitor j/k

Is the Ubuntu server running on the hardware or as a virtual machine?

Real hardware. It's an old laptop I use as a personal server.

Turn off reflection if you are testing from inside your network.

Does it work if you use an external network connection (such as cellular, or a physically remote network)?


Turn off reflection if you are testing from inside your network.

Yup. Tried that. No luck. :frowning:

Does it work if you use an external network connection (such as cellular, or a physically remote network)?

I tried using my phone on a cell connection, as well as using a VPN. No luck :frowning_face:

Do you have a VPN set up on your router?

Do you have a VPN set up on your router?

No.
I have the VPN set up on my PC directly.

I also have the VPN configured on the server, but it should be disabled.

Verify that the VPN is disabled.

Then, please post your configuration files:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

tcpdump is capturing the packets on the wire, before or after the firewall. So not capturing a packet sent from the router on the server means the packet was lost on the wire, which is not possible.
Can the router ping the server?

Sure.

On the server, I verified that I am getting my expected external IP with curl:
VPN is disabled

$ curl whatismyip.akamai.com
wwww.xxxx.yyyy.zzzz <this is the correct ip given from my isp>

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'ffff:ffff:ffff::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option stp '1'
	option ifname 'bat0 eth0.101'
	option ipaddr '192.168.2.1'

config interface 'bat0'
	option proto 'batadv'
	option aggregated_ogms '1'
	option ap_isolation '0'
	option bonding '0'
	option fragmentation '1'
	option gw_mode 'off'
	option log_level '0'
	option orig_interval '1000'
	option bridge_loop_avoidance '1'
	option distributed_arp_table '1'
	option multicast_mode '1'
	option network_coding '0'
	option hop_penalty '10'
	option isolation_mark '0x00000000/0x00000000'
	option routing_algo 'BATMAN_IV'

config interface 'bat_mesh0'
	option mtu '2304'
	option proto 'batadv_hardif'
	option master 'bat0'

config device
	option name 'eth0'
	option mtu '1600'

config interface 'bat_eth'
	option mtu '1600'
	option proto 'batadv_hardif'
	option master 'bat0'
	option ifname 'eth0.102'
	option macaddr 'FF:FF:FF:FF:FF:FF'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '101'
	option vid '101'
	option ports '0t 3 4'

config switch_vlan
	option device 'switch0'
	option vlan '102'
	option vid '102'
	option ports '0t 1 2'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel 'auto'
	option hwmode '11g'
	option path 'platform/soc/a000000.wifi'
	option htmode 'HT20'

config wifi-iface 'ap_2g_1'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option ieee80211r '1'
	option ft_over_ds '1'
	option ft_psk_generate_local '1'
	option ssid 'YYYYYYYYYYYYY'
	option key 'XXXXXXXXXXXXXX'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11a'
	option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'
	option channel '149'

config wifi-iface 'mesh0'
	option device 'radio1'
	option mode 'mesh'
	option mesh_rssi_threshold '-75'
	option ifname 'mesh0'
	option mesh_fwding '0'
	option network 'bat_mesh0'
	option encryption 'sae'
	option mesh_id 'MESH_ID'
	option key 'XXXXXXXXXXXXXX'

config wifi-iface 'ap_5g_1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option ieee80211r '1'
	option ft_over_ds '1'
	option ft_psk_generate_local '1'
	option ssid 'YYYYYYYYYYYYY'
	option key 'XXXXXXXXXXXXXX'

config wifi-device 'radio2'
	option type 'mac80211'
	option channel 'auto'
	option hwmode '11a'
	option path 'platform/soc/a800000.wifi'
	option htmode 'VHT80'

config wifi-iface 'ap_5g_2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option ieee80211r '1'
	option ft_over_ds '1'
	option ft_psk_generate_local '1'
	option ssid 'YYYYYYYYYYYYYY'
	option key 'XXXXXXXXXXXXXX'

/etc/config/dhcp


config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option limit '230'
	option start '20'
	option ra_management '1'
	option force '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option mac 'FF:FF:FF:FF:FF:FF'
	option dns '1'
	option ip '192.168.2.57'
	option name 'server'

config domain
	option name 'a.server.lan'
	option ip '192.168.2.57'

config domain
	option name 'b.server.lan'
	option ip '192.168.2.57'

config domain
	option name 'c.server.lan'
	option ip '192.168.2.57'

config domain
	option name 'b-node.lan'
	option ip '192.168.2.2'

config domain
	option name 'main-node.lan'
	option ip '192.168.2.1'

config domain
	option name 'd.server.lan'
	option ip '192.168.2.57'

/etc/config/firewall (I posted this in the original post btw. reposting for completeness)

tcpdump is capturing the packets on the wire, before or after the firewall. So not capturing a packet sent from the router on the server means the packet was lost on the wire, which is not possible.
Can the router ping the server?

I completely agree. This is why I'm very confused. I must be missing something; I just don't know what.
Something is eating my packets!

ping from the router to the server:

$ ping 192.168.2.57 -c 10
PING 192.168.2.57 (192.168.2.57): 56 data bytes
64 bytes from 192.168.2.57: seq=0 ttl=64 time=0.642 ms
64 bytes from 192.168.2.57: seq=1 ttl=64 time=0.587 ms
64 bytes from 192.168.2.57: seq=2 ttl=64 time=0.597 ms
64 bytes from 192.168.2.57: seq=3 ttl=64 time=0.424 ms
64 bytes from 192.168.2.57: seq=4 ttl=64 time=0.569 ms
64 bytes from 192.168.2.57: seq=5 ttl=64 time=0.509 ms
64 bytes from 192.168.2.57: seq=6 ttl=64 time=0.582 ms
64 bytes from 192.168.2.57: seq=7 ttl=64 time=0.540 ms
64 bytes from 192.168.2.57: seq=8 ttl=64 time=0.556 ms
64 bytes from 192.168.2.57: seq=9 ttl=64 time=0.596 ms

--- 192.168.2.57 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 0.424/0.560/0.642 ms

ping from server to the router:

$ ping 192.168.2.1 -c 10
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=0.551 ms
64 bytes from 192.168.2.1: icmp_seq=2 ttl=64 time=0.472 ms
64 bytes from 192.168.2.1: icmp_seq=3 ttl=64 time=0.466 ms
64 bytes from 192.168.2.1: icmp_seq=4 ttl=64 time=0.471 ms
64 bytes from 192.168.2.1: icmp_seq=5 ttl=64 time=0.493 ms
64 bytes from 192.168.2.1: icmp_seq=6 ttl=64 time=0.456 ms
64 bytes from 192.168.2.1: icmp_seq=7 ttl=64 time=0.474 ms
64 bytes from 192.168.2.1: icmp_seq=8 ttl=64 time=0.471 ms
64 bytes from 192.168.2.1: icmp_seq=9 ttl=64 time=0.474 ms
64 bytes from 192.168.2.1: icmp_seq=10 ttl=64 time=0.530 ms

--- 192.168.2.1 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9201ms
rtt min/avg/max/mdev = 0.456/0.485/0.551/0.029 ms

I figured it out.

It was the VPN on the server. There were some settings that I didn't save when I disabled it.
:upside_down_face:

Edit: To be more specific, I need to figure out split tunneling, because by default all your traffic gets locked down in iptables. And make sure your iptables changes actually get saved...

Thanks for all the help!
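An offline checker that serves two points in this thread: the `iptables-save -c` counters quoted in the original post (did the router actually DNAT and forward the SYNs?) and the server-side iptables lockdown that the final post identifies as the cause. This is an added example, not fw3 or OpenWrt code; the router lines are copied from the dump above, while the host dump and the `tun0` interface name are constructed assumptions.

```python
"""Added example for this thread (not fw3/OpenWrt code): parses `iptables-save -c`
dumps and reports hit counters along the port-forward path plus blanket denials."""
import re
from collections import namedtuple

# Constructed sample: the relevant lines of the router's dump from the original post.
ROUTER_DUMP = """\
*nat
[2:80] -A zone_wan_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: http" -j DNAT --to-destination 192.168.2.57:8080
COMMIT
*filter
:FORWARD DROP [0:0]
[2:88] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[2:88] -A zone_wan_forward -m comment --comment "!fw3: Zone wan to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[2:88] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
COMMIT
"""
# Constructed, hypothetical host dump: the lockdown a VPN kill switch typically installs.
SERVER_DUMP = """\
*filter
:INPUT DROP [17:1020]
[0:0] -A INPUT -i tun0 -j ACCEPT
[0:0] -A OUTPUT -o tun0 -j ACCEPT
[9:540] -A OUTPUT ! -o tun0 -j DROP
COMMIT
"""
RULE_RE = re.compile(r'^\[(\d+):(\d+)\] -A (\S+) ?(.*)$')
POLICY_RE = re.compile(r'^:(\S+) (ACCEPT|DROP|REJECT) \[(\d+):(\d+)\]$')
Rule = namedtuple('Rule', 'table chain packets spec target')

def parse_dump(text):
    """Return (rules, policies); policies map (table, chain) -> (policy, packets)."""
    rules, policies, table = [], {}, None
    for line in text.splitlines():
        if line.startswith('*'):
            table = line[1:]
        elif (m := POLICY_RE.match(line)):
            policies[(table, m[1])] = (m[2], int(m[3]))
        elif (m := RULE_RE.match(line)):
            jump = re.search(r'-j (\S+)', m[4])
            rules.append(Rule(table, m[3], int(m[1]), m[4], jump[1] if jump else 'RETURN'))
    return rules, policies

def is_deny(target):
    # fw3 routes denials through chains named `reject` and `zone_*_REJECT`.
    return target in ('DROP', 'REJECT') or target.lower().endswith('reject')

def reachable_chains(rules, table, root):
    """Chains reachable from `root` via -j. A jump into a deny chain is a verdict
    and is not followed (fw3's shared `reject` chain also counts INPUT rejects)."""
    known = {r.chain for r in rules if r.table == table}
    seen, todo = set(), [root]
    while todo:
        chain = todo.pop()
        seen.add(chain)
        todo += [r.target for r in rules if r.table == table and r.chain == chain
                 and r.target in known and r.target not in seen and not is_deny(r.target)]
    return seen

def diagnose_forward(dump, dport):
    """Hit counters along the nat DNAT -> filter FORWARD path for TCP port `dport`."""
    rules, policies = parse_dump(dump)
    dnat = sum(r.packets for r in rules if r.table == 'nat' and r.target == 'DNAT'
               and f'--dport {dport} ' in r.spec + ' ')
    chains = reachable_chains(rules, 'filter', 'FORWARD')
    path = [r for r in rules if r.table == 'filter' and r.chain in chains]
    accepted = sum(r.packets for r in path if r.target == 'ACCEPT')
    policy, hits = policies.get(('filter', 'FORWARD'), ('ACCEPT', 0))  # fall-through verdict
    denied = sum(r.packets for r in path if is_deny(r.target)) + (hits if policy != 'ACCEPT' else 0)
    if dnat == 0:
        verdict = 'redirect never matched: check the DNAT rule and the WAN interface'
    elif accepted == 0 or denied >= dnat:
        verdict = 'router is dropping in FORWARD: check the zone forwardings'
    else:
        verdict = 'router DNATed and forwarded the packets: look at the LAN host'
    return {'dnat': dnat, 'accepted': accepted, 'denied': denied, 'verdict': verdict}

def blanket_denies(dump):
    """INPUT/OUTPUT denials that match no port or protocol (a kill switch's
    interface-wide lockdown) plus non-ACCEPT chain policies, with hit counts."""
    rules, policies = parse_dump(dump)
    found = [f'{c} policy {p} ({n} pkts)' for (t, c), (p, n) in policies.items()
             if t == 'filter' and c in ('INPUT', 'OUTPUT') and p != 'ACCEPT']
    found += [f'{r.chain}: {r.spec} ({r.packets} pkts)' for r in rules
              if r.table == 'filter' and r.chain in ('INPUT', 'OUTPUT') and is_deny(r.target)
              and '--dport' not in r.spec and '-p ' not in r.spec]
    return found
```

On the router dump this reports two DNAT hits and two forwarded ACCEPTs with nothing denied, which is the "look at the LAN host" conclusion the thread reached; run `blanket_denies` against the host's own `iptables-save -c` to spot leftover kill-switch rules.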
