Buffalo WZR-HP-G300NH2, can't port forward TCP 80 for HTTP?

DarthContinent
DD-WRT Novice


Joined: 03 Jan 2012
Posts: 3

Posted: Tue Jan 03, 2012 21:10    Post subject: Buffalo WZR-HP-G300NH2, can't port forward TCP 80 for HTTP?
Buffalo WZR-HP-G300NH2

I had bricked my router and have managed to recover by installing the following firmware, which is reported in the upper-right of the DD-WRT interface as DD-WRT v24-sp2 (12/12/11) std:

Code:
wzr-hp-g300nh2-dd-wrt-webupgrade-MULTI20hex.bin


I performed the 30/30/30 reset and reconfigured the router with my settings, but I can't get the router to forward for TCP port 80.

In the wiki under the Check the WAN IP section, this is my setup:

Quote:
Any other WAN IP is likely a public (routable) address that just needs a properly configured port forward on the router.


I followed the steps in the Port Forwarding Troubleshooting and tried applying the Firewall commands recommended in the bug ticket as follows:

Code:
# $(...) substitutes the command's output (WAN interface name, WAN IP address)
insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! $(get_wanface) -d $(nvram get wan_ipaddr) -j MARK --set-mark 0xd001
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE


I also ran the following command having had no success thus far, with the proper value for my subnet, 192.168.2.0:

Code:
iptables -t nat -I POSTROUTING -o br0 -s 192.168.2.0/24 -d 192.168.2.0/24 -j MASQUERADE


No joy.

Below is diagnostics output from the wiki using the following commands:

Code:
iptables -t nat -vnL PREROUTING
iptables -vnL FORWARD





I'm pretty certain my ISP (AT&T) isn't messing with my traffic, as I connected a spare Linksys WRTG54 router running factory firmware, and it forwarded port 80 without a hitch.

Please help! Something peculiar to this router and/or DD-WRT doesn't seem to be allowing me to forward HTTP. Thanks!


-Oz-
DD-WRT Novice


Joined: 24 Aug 2007
Posts: 10

Posted: Thu Jan 05, 2012 3:23
I just got this router as well and am trying to forward a different port (8001) using the GUI and it isn't forwarding either.

Firmware: Buffalo Stock DD-WRT v24SP2-MULTI (10/31/11) std
(SVN revision 17798)
hatleyt
DD-WRT Novice


Joined: 06 Jan 2012
Posts: 6

Posted: Fri Jan 06, 2012 18:00    Post subject: Port forwarding not working here either
Same setup as Oz:
Quote:
Firmware: Buffalo Stock DD-WRT v24SP2-MULTI (10/31/11) std
(SVN revision 17798)


...and having same results. I am able to forward port 80 successfully, but if I use NAT to redirect [ext-ip]:3000-->[int-ip]:80, I get nothing.

Code:
:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     47   --  *      ppp0    192.168.0.0/24       0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      ppp0    192.168.0.0/24       0.0.0.0/0           tcp dpt:1723
    0     0 ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0
 5398  299K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
1646K 1603M lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0
1644K 1603M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    3   156 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.180       tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.0.180       udp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.15        tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.0.15        udp dpt:80
    2   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.25        tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.0.25        udp dpt:80
    1    52 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.26        tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.0.26        udp dpt:80
    2   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.27        tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.0.27        udp dpt:80
    0     0 TRIGGER    0    --  ppp0   br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
 2732  162K trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0
 2689  159K ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
   43  2738 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0


Code:
 iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       icmp --  anywhere             97-115-xxx-xxx.qwest.net to:192.168.0.1
DNAT       tcp  --  anywhere             97-115-xxx-xxx.qwest.net tcp dpt:www to:192.168.0.180:80
DNAT       udp  --  anywhere             97-115-xxx-xxx.qwest.net udp dpt:www to:192.168.0.180:80
DNAT       tcp  --  anywhere             97-115-xxx-xxx.qwest.net tcp dpt:2000 to:192.168.0.15:80
DNAT       udp  --  anywhere             97-115-xxx-xxx.qwest.net udp dpt:2000 to:192.168.0.15:80
DNAT       tcp  --  anywhere             97-115-xxx-xxx.qwest.net tcp dpt:3000 to:192.168.0.25:80
DNAT       udp  --  anywhere             97-115-xxx-xxx.qwest.net udp dpt:3000 to:192.168.0.25:80
DNAT       tcp  --  anywhere             97-115-xxx-xxx.qwest.net tcp dpt:3001 to:192.168.0.26:80
DNAT       udp  --  anywhere             97-115-xxx-xxx.qwest.net udp dpt:3001 to:192.168.0.26:80
DNAT       tcp  --  anywhere             97-115-xxx-xxx.qwest.net tcp dpt:3002 to:192.168.0.27:80
DNAT       udp  --  anywhere             97-115-xxx-xxx.qwest.net udp dpt:3002 to:192.168.0.27:80
TRIGGER    0    --  anywhere             97-115-xxx-xxx.qwest.net TRIGGER type:dnat match:0 relate:0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       0    --  192.168.0.0/24       anywhere            to:97.115.xxx.xxx
RETURN     0    --  anywhere             anywhere            PKTTYPE = broadcast
MASQUERADE  0    --  anywhere             anywhere            MARK match 0xd001


Hope this might help Darth resolve his port 80 issue, any help in getting other ports forwarding correctly would be greatly appreciated.
hatleyt
DD-WRT Novice


Joined: 06 Jan 2012
Posts: 6

Posted: Fri Jan 06, 2012 18:35    Post subject: Forwarded ports making it into/through NAT.... ?
When turning on logging, I can see that the forwarded ports make it into NAT, per the following log entries:

Code:
Jan  6 10:20:57 Hatley's Router kern.notice kernel: [502862.600000] incomingIN=ppp0 OUT= MAC= SRC=159.121.xxx.xxx DST=97.115.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=15791 DF PROTO=TCP SPT=43119 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  6 10:20:58 Hatley's Router kern.notice kernel: [502862.930000] incomingIN=ppp0 OUT= MAC= SRC=159.121.xxx.xxx DST=97.115.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=15861 DF PROTO=TCP SPT=43837 DPT=3000 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  6 10:20:58 Hatley's Router kern.notice kernel: [502862.950000] incomingIN=ppp0 OUT= MAC= SRC=159.121.xxx.xxx DST=97.115.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=15864 DF PROTO=TCP SPT=23275 DPT=3001 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  6 10:20:58 Hatley's Router kern.notice kernel: [502862.970000] incomingIN=ppp0 OUT= MAC= SRC=159.121.xxx.xxx DST=97.115.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=15865 DF PROTO=TCP SPT=30351 DPT=3002 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  6 10:20:58 Hatley's Router kern.notice kernel: [502863.110000] incomingIN=ppp0 OUT= MAC= SRC=159.121.xxx.xxx DST=97.115.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=15888 DF PROTO=TCP SPT=55625 DPT=3001 WINDOW=65535 RES=0x00 SYN URGP=0


The "DPT" aka destination port is clearly identified (e.g.: 3000) as the port the incoming http request is tagged with, not sure if this gets NAT'd <?> over to the internal server's <local-ip>:80 correctly or not. Will see if I can get more logging farther down the chain.
hatleyt
DD-WRT Novice


Joined: 06 Jan 2012
Posts: 6

Posted: Sat Jan 07, 2012 18:51    Post subject: "Chicken Little" figures out the sky is not fall
OK, first let me apologize to the hundreds that have read these previous posts who might have invested any amount of time trying to resolve this issue with my router operation/config....

....the good news is port forwarding is working as it should with the given configuration & dd-wrt distro.

After spending quite a bit of time trying to think this issue through, I decided to simplify some things to remove any other possibilities. On 3 of the ports (3000-3002) I had webcams, and 2 of these had some basic authentication turned on...my thought was "if the authentication is an issue, one of the cams will still get through since it does not have authentication turned on". As soon as I turned authentication off for the two cameras where it was on, all three camera images started showing up in my web page. Appears the authentication stuff is still an issue, but with it turned off the port forward/translation is performed as expected.

So that solved 3 of my 4 ports that weren't performing....

Even though I had looked around to see if using port 2000 for my 4th web server would/could be an issue, I found none...but I went ahead and tried moving it to another port (3500 in this case) and it immediately started serving up content to the exterior side of my router.

So, by removing some other features/layers in the technology stack, I was able to get my internal web content from 4 internal devices (all which run on port 80) routed out through my dd-wrt v24sr2 router as was originally intended.

Thanks to all who were interested in this, and hopefully some of the content I posted will prove valuable to others who are also struggling to get content out onto the web. Overall I'm thrilled with the rich set of features that dd-wrt provides us with, some things that are only available on commercial router distros that are many times more expensive. Great work dd-wrt team!
DarthContinent
DD-WRT Novice


Joined: 03 Jan 2012
Posts: 3

Posted: Sun Jan 08, 2012 15:23
hatleyt, thanks for replying to my thread!

Unfortunately I'm not sure how to apply your findings to my situation. When it comes to IP routing I'm very much a newbie, despite my other extensive experience in IT, routing has been sort of the red-headed step child in my mind and I've just avoided digging deep into it whenever possible.

In my situation I'm trying to port forward traffic on port 80 to IIS 7.5 (Windows 7's web server). As I mentioned my current setup specific to IIS was visible when using a spare Linksys router with its factory firmware I had lying around, but with my current router with the noted build of DD-WRT, no joy.

Any suggestions you or anyone else might have would be greatly appreciated! I'd rather not dump DD-WRT for a relatively small problem.
hatleyt
DD-WRT Novice


Joined: 06 Jan 2012
Posts: 6

Posted: Mon Jan 09, 2012 1:32
Hi Darth - I definitely sympathize w/you regarding routing being somewhat foreign to you... I'm a senior Java developer, but don't think I've ever had to roll up my sleeves and get under the hood of a router, ugh! Makes my head hurt!

Something that may help is to turn on some logging using a script like:

Code:
iptables -t nat -I PREROUTING -i ppp0 -j LOG --log-prefix "incoming " --log-level 5


I put this script in the Command dialog (Admin/Commands), then use "Run Commands" button. Once this is done, and some requests come in, you can then look in the logs by connecting to the router via SSH, then "cat /tmp/var/log/messages" which will display the contents. You should see the messages with "incoming" attached to them:

================================================
Jan 6 10:20:57 Hatley's Router kern.notice kernel: [502862.600000] incomingIN=ppp0 OUT= MAC= SRC=159.121.xxx.xxx DST=97.115.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=15791 DF PROTO=TCP SPT=43119 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 6 10:20:58 Hatley's Router kern.notice kernel: [502862.930000] incomingIN=ppp0 OUT= MAC= SRC=159.121.xxx.xxx DST=97.115.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=15861 DF PROTO=TCP SPT=43837 DPT=3000 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 6 10:20:58 Hatley's Router kern.notice kernel: [502862.950000] incomingIN=ppp0 OUT= MAC= SRC=159.121.xxx.xxx DST=97.115.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=15864 DF PROTO=TCP SPT=23275 DPT=3001 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 6 10:20:58 Hatley's Router kern.notice kernel: [502862.970000] incomingIN=ppp0 OUT= MAC= SRC=159.121.xxx.xxx DST=97.115.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=15865 DF PROTO=TCP SPT=30351 DPT=3002 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 6 10:20:58 Hatley's Router kern.notice kernel: [502863.110000] incomingIN=ppp0 OUT= MAC= SRC=159.121.xxx.xxx DST=97.115.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=15888 DF PROTO=TCP SPT=55625 DPT=3001 WINDOW=65535 RES=0x00 SYN URGP=0
===================================

This should at least give you a chance to see that the requests are coming in. Once the requests are being seen at this point, you should be able to add logging to POSTROUTING with a similar script. If you can confirm the requests are making it through POSTROUTING, you could then set up a tcp sniffer (TCPMON is one, Fiddler http://www.fiddler2.com/fiddler2/ is another), to watch tcp traffic between your router & IIS.

Here's another thread I posted some info on, I think it may have more details http://www.dd-wrt.com/phpBB2/viewtopic.php?t=149158

I wish I knew more, but as I said I avoid this piece of the technology stack as much as you do. Best wishes for a successful outcome...
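Added example (not part of the original posts): a shell helper that lines up the three data sources used in this thread, the "incoming" LOG lines, the output of iptables -t nat -vnL PREROUTING and the output of iptables -vnL FORWARD, and reports for each forwarded TCP port how many SYNs were logged and how many packets the matching FORWARD ACCEPT rule counted. The function names, the file arguments and all sample data (documentation IP ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and all sample data are constructed.
# trace_forwards LOG NAT FWD
#   LOG  syslog with lines from the PREROUTING LOG rule (prefix "incoming")
#   NAT  saved output of: iptables -t nat -vnL PREROUTING
#   FWD  saved output of: iptables -vnL FORWARD
# Prints per TCP DNAT rule: ext_port target SYNs_logged FORWARD_pkts
trace_forwards() {
    awk -v nat="$2" -v fwd="$3" '
    function field(prefix,   i) {   # text after the first token starting with prefix
        for (i = 1; i <= NF; i++)
            if (index($i, prefix) == 1) return substr($i, length(prefix) + 1)
        return ""
    }
    FILENAME == nat { if ($3 == "DNAT" && $4 == "tcp") map[field("dpt:")] = field("to:"); next }
    FILENAME == fwd { if ($3 == "ACCEPT" && $4 == "tcp") hits[$9 ":" field("dpt:")] = $1; next }
    /incoming/ && /PROTO=TCP/ && / SYN / { syn[field("DPT=")]++ }
    END { for (p in map)
              print p, map[p], syn[p] + 0, ((map[p] in hits) ? hits[map[p]] : "no-rule") }
    ' "$2" "$3" "$1" | sort -n
}

demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/nat" <<'EOF'
 pkts bytes target prot opt in out source    destination
    1    48 DNAT   tcp  --  *  *   0.0.0.0/0 203.0.113.9 tcp dpt:80 to:192.168.0.180:80
    1    48 DNAT   tcp  --  *  *   0.0.0.0/0 203.0.113.9 tcp dpt:2000 to:192.168.0.15:80
    2    96 DNAT   tcp  --  *  *   0.0.0.0/0 203.0.113.9 tcp dpt:3000 to:192.168.0.25:80
EOF
    cat > "$d/fwd" <<'EOF'
 pkts bytes target prot opt in out source    destination
    1    52 ACCEPT tcp  --  *  *   0.0.0.0/0 192.168.0.180 tcp dpt:80
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0 192.168.0.15  tcp dpt:80
    2   104 ACCEPT tcp  --  *  *   0.0.0.0/0 192.168.0.25  tcp dpt:80
EOF
    cat > "$d/log" <<'EOF'
Jan  6 10:20:57 router kernel: incomingIN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.9 PROTO=TCP SPT=43119 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  6 10:20:58 router kernel: incomingIN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.9 PROTO=TCP SPT=43837 DPT=3000 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  6 10:20:58 router kernel: incomingIN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.9 PROTO=TCP SPT=43838 DPT=3000 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  6 10:20:59 router kernel: incomingIN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.9 PROTO=TCP SPT=23275 DPT=2000 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  6 10:21:00 router kernel: incomingIN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.9 PROTO=UDP SPT=5000 DPT=3000 LEN=28
EOF
    trace_forwards "$d/log" "$d/nat" "$d/fwd"
    rm -rf "$d"
}
demo
```

A row with SYNs logged but a FORWARD count of 0 (port 2000 in the constructed data) means the packets were seen at PREROUTING but never matched that ACCEPT rule, so the place to look next is between DNAT and the FORWARD chain. The iptables counters are cumulative, so compare them before and after a test connection.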
DarthContinent
DD-WRT Novice


Joined: 03 Jan 2012
Posts: 3

Posted: Tue Jan 17, 2012 23:27
No luck so far. I posted on ServerFault as well, but thus far nothing I've tried according to the suggestions has worked for me.

I might just get a new router. This seems to be either a bug with DD-WRT itself, a conspiracy to get people away from hosting websites from their home internet, or both, or neither. I don't know, and I'm rather fed up with troubleshooting at this point.

Thanks again for your help, regardless.
virremova
DD-WRT User


Joined: 24 Aug 2010
Posts: 62

Posted: Wed Jan 18, 2012 16:14
Change the webgui port for ddwrt to something else than port 80.
_________________
too many to mention
All times are GMT