OpenWrt Forum Archive

Topic: Port Forwarding doesn't work

The content of this topic has been archived on 6 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have a PBX inside my network (pbxinaflash - asterisk/freepbx) living at 192.168.40.29
My router is a Netgear WNDR3700 v 1 running Attitude Adjustment 12.09-rc1.


I need to forward ports 5060 and 15002-20000 to the .29 address.

After failing to make this work, I have installed the following packages: kmod-ipt-nat, kmod-ipt-nathelper and kmod-ipt-nathelper-extra (each is version 3.3.8-1).

Setting up this simple port forwarding with a $20 D-Link, the ports are correctly forwarded.  Using the Netgear with Openwrt, the packets never make it to the .29 address.

Under Luci -> Network -> Firewall -> Port Forwards I have the following text description of my rules:

Below is Section/Entry
Match: IPv4-TCP, UDP From any host in wan Via any router IP at port 5060
Forward To: IP 192.168.40.29, port 5060 in lan

And it is enabled.

The RTP ports read the same except the ports are 15002-20000


If I look at the same info under iptables, it reads as such (with iptables -t nat -L)

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
prerouting_rule  all  --  anywhere             anywhere
zone_lan_prerouting  all  --  anywhere             anywhere
zone_guest_prerouting  all  --  anywhere             anywhere
zone_wan_prerouting  all  --  anywhere             anywhere

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
postrouting_rule  all  --  anywhere             anywhere
zone_lan_nat  all  --  anywhere             anywhere
zone_guest_nat  all  --  anywhere             anywhere
zone_wan_nat  all  --  anywhere             anywhere

Chain nat_reflection_in (1 references)
target     prot opt source               destination
DNAT       tcp  --  192.168.40.0/24      MyAddy tcp dpt:32976 to:192.168.40.28:32976
DNAT       udp  --  192.168.40.0/24      MyAddy udp dpt:32976 to:192.168.40.28:32976
DNAT       tcp  --  192.168.40.0/24      MyAddy tcp dpt:sip to:192.168.40.29:5060
DNAT       udp  --  192.168.40.0/24      MyAddy udp dpt:sip to:192.168.40.29:5060
DNAT       tcp  --  192.168.40.0/24      MyAddy tcp dpts:15002:20000 to:192.168.40.29:15002-20000
DNAT       udp  --  192.168.40.0/24      MyAddy udp dpts:15002:20000 to:192.168.40.29:15002-20000

Chain nat_reflection_out (1 references)
target     prot opt source               destination
SNAT       tcp  --  192.168.40.0/24      192.168.40.28       tcp dpt:32976 to:192.168.40.1
SNAT       udp  --  192.168.40.0/24      192.168.40.28       udp dpt:32976 to:192.168.40.1
SNAT       tcp  --  192.168.40.0/24      192.168.40.29       tcp dpt:sip to:192.168.40.1
SNAT       udp  --  192.168.40.0/24      192.168.40.29       udp dpt:sip to:192.168.40.1
SNAT       tcp  --  192.168.40.0/24      192.168.40.29       tcp dpts:15002:20000 to:192.168.40.1
SNAT       udp  --  192.168.40.0/24      192.168.40.29       udp dpts:15002:20000 to:192.168.40.1

Chain postrouting_rule (1 references)
target     prot opt source               destination
nat_reflection_out  all  --  anywhere             anywhere

Chain prerouting_guest (1 references)
target     prot opt source               destination

Chain prerouting_lan (1 references)
target     prot opt source               destination

Chain prerouting_rule (1 references)
target     prot opt source               destination
nat_reflection_in  all  --  anywhere             anywhere

Chain prerouting_wan (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:openvpn

Chain zone_guest_nat (1 references)
target     prot opt source               destination

Chain zone_guest_prerouting (1 references)
target     prot opt source               destination
prerouting_guest  all  --  anywhere             anywhere

Chain zone_lan_nat (1 references)
target     prot opt source               destination

Chain zone_lan_prerouting (1 references)
target     prot opt source               destination
prerouting_lan  all  --  anywhere             anywhere

Chain zone_wan_nat (1 references)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain zone_wan_prerouting (1 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere            tcp dpt:32976 to:192.168.40.28:32976
DNAT       udp  --  anywhere             anywhere            udp dpt:32976 to:192.168.40.28:32976
DNAT       tcp  --  anywhere             anywhere            tcp dpt:sip to:192.168.40.29:5060
DNAT       udp  --  anywhere             anywhere            udp dpt:sip to:192.168.40.29:5060
DNAT       tcp  --  anywhere             anywhere            tcp dpts:15002:20000 to:192.168.40.29:15002-20000
DNAT       udp  --  anywhere             anywhere            udp dpts:15002:20000 to:192.168.40.29:15002-20000
prerouting_wan  all  --  anywhere             anywhere

Clearly I'm doing something wrong if a cheap router does something basic that an opensource turbo-charged version doesn't.


Any help for the lost?

Andrew

As a follow-up, under
Network -> Firewall -> General Settings
do I need to mark in
Zone Forwards
Wan -> forward as 'reject', 'accept', 'accept'?

By default it is set to 'reject', 'accept', 'reject'

Thanks

Run "iptables -t nat -nvL" to see if the rules are even reached.

Here's the output to 'iptables -t nat -nvL'

root@OpenWrt:~# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 3802 packets, 544K bytes)
 pkts bytes target     prot opt in     out     source               destination
 3814  548K prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2578  156K zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
 1233  391K zone_wan_prerouting  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_guest_prerouting  all  --  br-guest *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 1195 packets, 77186 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 628 packets, 43574 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2024  123K postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2022  122K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_lan_nat  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_nat  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 zone_guest_nat  all  --  *      br-guest  0.0.0.0/0            0.0.0.0/0

Chain nat_reflection_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       192.168.40.0/24      68.36.200.190       tcp dpt:32976 to:192.168.40.28:32976
    0     0 DNAT       udp  --  *      *       192.168.40.0/24      68.36.200.190       udp dpt:32976 to:192.168.40.28:32976
    0     0 DNAT       tcp  --  *      *       192.168.40.0/24      68.36.200.190       tcp dpt:5060 to:192.168.40.29:5060
    1   674 DNAT       udp  --  *      *       192.168.40.0/24      68.36.200.190       udp dpt:5060 to:192.168.40.29:5060
    0     0 DNAT       tcp  --  *      *       192.168.40.0/24      68.36.200.190       tcp dpts:15002:20000 to:192.168.40.29:15002-20000
    0     0 DNAT       udp  --  *      *       192.168.40.0/24      68.36.200.190       udp dpts:15002:20000 to:192.168.40.29:15002-20000

Chain nat_reflection_out (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       tcp  --  *      *       192.168.40.0/24      192.168.40.28       tcp dpt:32976 to:192.168.40.1
    0     0 SNAT       udp  --  *      *       192.168.40.0/24      192.168.40.28       udp dpt:32976 to:192.168.40.1
    1    60 SNAT       tcp  --  *      *       192.168.40.0/24      192.168.40.29       tcp dpt:5060 to:192.168.40.1
    1   674 SNAT       udp  --  *      *       192.168.40.0/24      192.168.40.29       udp dpt:5060 to:192.168.40.1
    0     0 SNAT       tcp  --  *      *       192.168.40.0/24      192.168.40.29       tcp dpts:15002:20000 to:192.168.40.1
    0     0 SNAT       udp  --  *      *       192.168.40.0/24      192.168.40.29       udp dpts:15002:20000 to:192.168.40.1

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2024  123K nat_reflection_out  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain prerouting_guest (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination
 3811  548K nat_reflection_in  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain prerouting_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194

Chain zone_guest_nat (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_guest_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 prerouting_guest  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_nat (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2578  156K prerouting_lan  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_nat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:32976 to:192.168.40.28:32976
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:32976 to:192.168.40.28:32976
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5060 to:192.168.40.29
    2  1420 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:5060 to:192.168.40.29
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:15002:20000 to:192.168.40.29
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:15002:20000 to:192.168.40.29
 1231  390K prerouting_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0

I have, by the way, set the zone forwards as referenced in my second post. If this isn't required, I'd like to set it back (I don't think a forwarding policy of accept is likely a good idea).

Andrew


Andrew

Just in case I'm in some manner unclear as to what I want for 'success':

A SIP phone (with IP address ZZZ) will attempt to register on port 5060 at andy.dyn.org which points to my router (my public IP address).  My internal address is 192.168.40.1 for the router.

I would like the router to pass this request to 192.168.40.29 port 5060 as though it came from ZZZ. (ie 192.168.40.29's iptables will see a request from ZZZ, not andy.dyn.org - it is set to whitelist ZZZ).

Help?

Just so everyone listening can play at home, the current settings on my machine are as follows:

OpenWRT Attitude Adjustment 12.09-rc1 running on a WNDR3700 v 1

Luci - Network - Firewall - General Settings shows
ticked - Syn Flood protection and drop invalid packets
Accept, Accept and Reject

Zones - Zone Forwarding
(section is in the form ZoneA to ZoneB  Input, Output, Forward, Masquerading, MSS Clamping)
Lan Wan Accept Accept Reject NoTick Notick
wan (blank/Reject) Reject Accept Reject Tick, Tick
Guest Wan Reject Accept Reject NoTick Notick

Must I set the wan (which points to reject) to Accept forwarding?  This seems globally dangerous in case I have another machine internally with an open port thinking the firewall is blocking.


Port Forwards Section
Match: IPv4-TCP, UDP From any host in wan Via any router IP at port 5060
Forward To: IP 192.168.40.29, port 5060 in lan

Same Forward for 15002-20000

Everything else appears vanilla.

I am sure of my ports and sure of my IP addresses.

If I plug in a D-Link router with stock firmware, the port forwarding works - this just shows that the machines are speaking to each other, etc.

Thanks for the assist.

Andrew

That rule: "2022  122K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0" does not belong there.
Post the contents of /etc/firewall.user .

I added MASQ on LAN to WAN as well as on WAN to (reject).
I can now register, but shortly thereafter I time out and have no audio on either side - but the call goes through.

I saw the masq note on a post somewhere and it seems to get me further (but no audio, which appears/people state is a NAT issue).

Here is my /etc/config/firewall file

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option drop_invalid '1'

config zone
        option name 'lan'
        option network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'

config zone
        option name 'wan'
        option network 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'guest'
        option input 'REJECT'
        option forward 'REJECT'
        option output 'ACCEPT'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option src 'guest'
        option dest_port '53'
        option proto 'tcpudp'
        option target 'ACCEPT'

config rule
        option src 'guest'
        option src_port '67-68'
        option dest_port '67-68'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '32976'
        option dest_ip '192.168.40.28'
        option name 'NeoRouter'
        option dest_port '32976'

config redirect
        option _name 'Sip to Pi'
        option src 'wan'
        option proto 'tcpudp'
        option dest 'lan'
        option dest_ip '192.168.40.30'
        option dest_port '5061'
        option src_dport '5061'

config redirect
        option _name 'RTP Ports to Pi'
        option src 'wan'
        option proto 'tcpudp'
        option dest 'lan'
        option dest_ip '192.168.40.30'
        option dest_port '10000-15000'
        option src_dport '10000-15000'

config redirect
        option _name 'Sip to PiAF'
        option src 'wan'
        option proto 'tcpudp'
        option dest 'lan'
        option dest_ip '192.168.40.29'
        option dest_port '5060'
        option src_dport '5060'

config redirect
        option src 'wan'
        option proto 'tcpudp'
        option dest 'lan'
        option dest_ip '192.168.40.29'
        option dest_port '15002-20000'
        option src_dport '15002-20000'
        option name 'RTP Ports to Piaf'

contents of /etc/firewall.user

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

iptables -t nat -A prerouting_wan -p udp --dport 1194 -j ACCEPT
iptables -A input_wan -p udp --dport 1194 -j ACCEPT

iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT

# Added to forward Google voice (we hope)
iptables -A input_wan -p udp -m udp --dport 5222 -j ACCEPT

# attempt to open ports for the raspberry Pi
#iptables -t nat -I PREROUTING -i eth1 -p udp -m udp --dport 10000:15000 -j DNAT --to-destination 192.168.40.30
#iptables -t nat -I PREROUTING -i eth1 -p udp -m udp --dport 5061 -j DNAT --to-destination 192.168.40.30

# attempt to open ports for the PIAF
#iptables -t nat -I PREROUTING -i eth1 -p udp -m udp --dport 15002:20000 -j DNAT --to-destination 192.168.40.29
#iptables -t nat -I PREROUTING -i eth1 -p udp -m udp --dport 5060 -j DNAT --to-destination 192.168.40.29

# still for Pi, let's route 8K-8500 to see if this changes X-Lite
#iptables -t nat -I PREROUTING -i eth1 -p udp -m udp --dport 8000:8500 -j DNAT --to-destination 192.168.40.30

I.e., nothing is in .user except my VPN and port 5222.

Don't masquerade on lan, that's useless.
For SIP ALG support you need kmod-ipt-nathelper-extra.
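A small audit script, added here and not part of the thread, that ties the two replies above together: it reads `iptables -t nat -nvL` counter output (the sample embedded below is a constructed excerpt of the output Andrew posted, so it runs offline) and flags port-forward DNAT rules whose packet counter never moved, plus a MASQUERADE sitting directly in POSTROUTING with no outgoing-interface restriction, which is what "masq on lan" produces and why the PBX then sees every remote phone as 192.168.40.1. The function names are mine, not OpenWrt's.

```shell
#!/bin/sh
# nat_audit: read `iptables -t nat -nvL` on stdin and print findings.
#   UNHIT <chain> <proto> <match>   a DNAT rule with a zero packet counter
#   MASQ_ALL <chain>                MASQUERADE in POSTROUTING with out='*'
# Run on the router as:  iptables -t nat -nvL | nat_audit
nat_audit() {
    awk '
        /^Chain / { chain = $2; next }          # remember current chain
        $1 == "pkts" { next }                   # skip column header
        NF == 0 { next }
        # fields: pkts bytes target prot opt in out src dst proto match... to:dst
        $3 == "DNAT" && $1 + 0 == 0 {
            spec = ""
            for (i = 11; i <= NF; i++) spec = spec (i > 11 ? " " : "") $i
            printf "UNHIT %s %s %s\n", chain, $4, spec
        }
        # zone_*_nat chains are reached only for one out-interface, so a
        # MASQUERADE with out="*" is a problem only at the top level
        $3 == "MASQUERADE" && $7 == "*" && chain == "POSTROUTING" {
            printf "MASQ_ALL %s\n", chain
        }
    '
}

# Constructed sample: excerpt of the counters posted in this thread.
sample_counters() {
    cat <<'EOF'
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2024  123K postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2022  122K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_nat  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain zone_wan_nat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:32976 to:192.168.40.28:32976
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:32976 to:192.168.40.28:32976
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5060 to:192.168.40.29
    2  1420 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:5060 to:192.168.40.29
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:15002:20000 to:192.168.40.29
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:15002:20000 to:192.168.40.29
EOF
}

# Demo on the constructed sample (stand-alone run).
sample_counters | nat_audit
```

A DNAT rule that stays at 0 after a registration attempt means the packets never reached that chain (wrong interface, or the upstream modem never passed them), while a hit DNAT plus a top-level MASQ_ALL explains "registers as though coming from the router".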

Are there any settings/actions I need to take other than installing kmod-ipt-nathelper-extra? i.e. does it have a config file, etc.

Thanks - I seem to be stumbling my way closer to connection and audio.

Andrew

I have installed kmod-ipt-nathelper-extra.
I now have
kmod-ipt-nat
kmod-ipt-nathelper
kmod-ipt-nathelper-extra
installed on the router

The .29 machine (the destination of the port forwarding) is running a program called 'Travelin Man 3', which is an iptables-modifying program that incorporates dynamic IP addresses for remote phones - the IP allowed into the .29 machine is updated if the DYNDNS entry is changed.

IF I have masquerading set up, the phone registers as though it is coming from the router.

IF I have masquerading off (again, this is on the wan to lan) then the phone won't register.

IF I have masquerading off and tell the .29 machine to accept all packets (iptables -A INPUT -p udp -j ACCEPT and the same for tcp) then the phone registers as though coming from the external (actual IP) address (which is what should happen).

Regardless of how I actually get the phone to register (1 or 3 above) I still get no audio on either side of the connection and after a point the call drops and the phone becomes unreachable.

Asterisk gives the message
"[2013-02-22 19:58:03] NOTICE[2927]: chan_sip.c:26786 sip_poke_noanswer: Peer '1030' is now UNREACHABLE!  Last qualify: 1321
Really destroying SIP dialog '7238a5f90cf43b1a3c95f35a0ea3a485@127.0.0.1:5061' Method: OPTIONS"

So, I'm led to believe at least one of two things - 1) the router is passing the port forward in a manner inconsistent with how the .29 machine expects to see it and/or 2) the iptables command for the DYN address is somehow wrong.

#2 is harder to believe because all I give it is the dyndns address and the routine does the rest - and the rest of the world isn't complaining that it doesn't work.  Since a routine called 'ipchecker' correctly loads the data and changes the IP address when I test it, #2 becomes even more difficult to believe.

On the .29 machine, the command iptables -L includes the lines:

ACCEPT     udp  --  remotephoneIP       anywhere             udp dpts:sip:5069
ACCEPT     tcp  --  remotephoneIP       anywhere             tcp dpts:sip:5069
ACCEPT     udp  --  remotephoneIP       anywhere             udp dpt:iax
ACCEPT     tcp  --  remotephoneIP       anywhere             tcp dpt:ftp
ACCEPT     udp  --  remotephoneIP       anywhere             udp dpt:tftp
ACCEPT     tcp  --  remotephoneIP       anywhere             multiport dports ssh,9022

along with the line:
ACCEPT     udp  --  anywhere             anywhere             udp dpts:10000:15000

which covers all the RTP ports.  This should allow the phone call to go in and out.

So somehow, my forwards aren't getting through.  I assume the masquerade on lan changes whatever the actual IP was into my lan's ip (192.168.40.1) which doesn't work.

Are there any sniffing programs I should run or any other actions to take to unravel this mystery?

Help?


Andrew

I don't know that router - is it a modem as well? If so then there is not much you can do WRT sniffing. If it is plugged into a modem then you could put an old fashioned hub, *not* a switch, in between and plug a *nix box in and run wireshark to see the packets.

I take it you know that just NATting a SIP connection will not work on its own as the protocol buries the device's IP *inside* the packet and NAT never changes it. That is why you either need the SIP device on a public address or use a SIP ALG in the router or set it up to use proxies or STUN servers. All designed to get around the NAT problem.

HTH

Well, I'm hardly an expert.  I am using a STUN server for the iPhone app (3cx).

The rest of the world seems to have no difficulty getting this working - just me.

What else can I try?

Andrew

More weirdness.
If on the target machine (.29) I clear all the iptables rules and let everything in, my remote extension will register and make a call (no audio still on either side).

What's really unusual, is that dyndns says that my extension's IP is 166.137.101.15 while the PBX sees the IP as 166.137.104.105.

Is dyndns not updating fast enough?  Before making the call I did a manual update from the iPhone, so it seems weird that that's the answer?

Is Openwrt somehow mangling the incoming IP?

Andrew

The discussion might have continued from here.