Port Forwarding Issues - WNDR3700v4

DD-WRT Forum Index -> Atheros WiSOC based Hardware
skiglades
DD-WRT Novice


Joined: 17 Dec 2014
Posts: 7

PostPosted: Wed Dec 17, 2014 5:08    Post subject: Port Forwarding Issues - WNDR3700v4
Summary:
Netgear WNDR3700
DD-WRT v24-sp2 (11/07/14) std
(SVN revision 25279)

So I've configured port forwarding under the NAT/QoS tab and those changes are reflected in the iptables output below (2002/TCP, 1194/UDP, but both were tested using both TCP and UDP):

Code:
# iptables -nL FORWARD
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           
logaccept  0    --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
logaccept  47   --  192.168.1.0/24       0.0.0.0/0           
logaccept  tcp  --  192.168.1.0/24       0.0.0.0/0           tcp dpt:1723
lan2wan    0    --  0.0.0.0/0            0.0.0.0/0           
logaccept  0    --  0.0.0.0/0            0.0.0.0/0           
logaccept  tcp  --  0.0.0.0/0            192.168.1.50        tcp dpt:2002
logaccept  udp  --  0.0.0.0/0            192.168.1.50        udp dpt:1194
TRIGGER    0    --  0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
trigger_out  0    --  0.0.0.0/0            0.0.0.0/0           
logaccept  0    --  0.0.0.0/0            0.0.0.0/0           state NEW
logdrop    0    --  0.0.0.0/0            0.0.0.0/0           



In Administration > Commands, I have the workaround iptables code:
Code:
# NAT loopback (hairpin) workaround: mark packets that arrive on a non-WAN interface
# but are addressed to the router's own WAN IP, then masquerade them on the way out so
# the LAN server's replies come back through the router instead of going direct.
insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE


Like most others with this issue, I'm able to connect to these ports when going from LAN to WAN, but the ports are inaccessible from the Internet, which nmap and numerous online port scanners confirmed.

I'm hoping it's not the case, but the port forwarding troubleshooting article mentions doing a 30/30/30 (hard) reset in cases where there's a legitimate iptables issue:

http://www.dd-wrt.com/wiki/index.php/Port_Forwarding_Troubleshooting

Might anyone have a fix or workaround for the port forwarding issue?

If a hard reset is the only option, can I restore from a previous configuration or must I manually re-enter the configuration?
skiglades
DD-WRT Novice


Joined: 17 Dec 2014
Posts: 7

PostPosted: Sat Dec 20, 2014 19:38    Post subject: Solved
Deleted numerous disabled port forwarding rules, applied settings, and this was enough to get the two remaining port forwarding rules working. Keep the rules clean, otherwise it may disrupt enabled port forwarding.
tatsuya46
DD-WRT Guru


Joined: 03 Jan 2010
Posts: 7568
Location: YWG, Canada

PostPosted: Sat Dec 20, 2014 20:37    Post subject:
update build
_________________
LATEST FIRMWARE(S)

BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers

[x86_64] Haswell i3-4150/QCA9984/QCA9882 ------> r55488 std
[QUALCOMM] DIR-862L --------------------------------> r55460 std
▲ ACTIVE / INACTIVE ▼
[QUALCOMM] WNDR4300 v1 --------------------------> r50485 std
[BROADCOM] DIR-860L A1 ----------------------------> r50485 std


Sigh.. why do i exist anyway.. | I love you Anthony.. never forget that.. my other 99% that ill never see again..

skiglades
DD-WRT Novice


Joined: 17 Dec 2014
Posts: 7

PostPosted: Sat Dec 20, 2014 21:18    Post subject:
Well, rebooted the router and port forwarding no longer works again. I'm also running an OpenVPN client in DD-WRT so I changed my internal OpenVPN server to port 1195 since OpenVPN client on DD-WRT was using 1194.

Quote:
update build

tatsuya46, am I not running the newest build for the WNDR3700v4? The link below lists "r25279" as the build, which I'm already running.

ftp://ftp.dd-wrt.com/betas/2014/11-07-2014-r25279/netgear-wndr3700v4/wndr3700v4-factory.img

New DD-WRT iptables below...
Code:
iptables -nL FORWARD
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0           
logaccept  0    --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
logaccept  47   --  192.168.1.0/24       0.0.0.0/0           
logaccept  tcp  --  192.168.1.0/24       0.0.0.0/0           tcp dpt:1723
lan2wan    0    --  0.0.0.0/0            0.0.0.0/0           
logaccept  0    --  0.0.0.0/0            0.0.0.0/0           
logaccept  tcp  --  0.0.0.0/0            192.168.1.50        tcp dpt:2002
logaccept  udp  --  0.0.0.0/0            192.168.1.50        udp dpt:2002
logaccept  tcp  --  0.0.0.0/0            192.168.1.50        tcp dpt:1195
logaccept  udp  --  0.0.0.0/0            192.168.1.50        udp dpt:1195
TRIGGER    0    --  0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
trigger_out  0    --  0.0.0.0/0            0.0.0.0/0           
logaccept  0    --  0.0.0.0/0            0.0.0.0/0           state NEW
logdrop    0    --  0.0.0.0/0            0.0.0.0/0
skiglades
DD-WRT Novice


Joined: 17 Dec 2014
Posts: 7

PostPosted: Sat Dec 20, 2014 22:15    Post subject:
eibgrad, thanks for the reply.

To start, here's the full iptables output:
Code:

iptables -vnL FORWARD && iptables -t nat -vnL PREROUTING
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 426K  377M ACCEPT     0    --  *      tun1    0.0.0.0/0            0.0.0.0/0           
 262K   43M ACCEPT     0    --  tun1   *       0.0.0.0/0            0.0.0.0/0           
 1089  155K logaccept  0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 logaccept  47   --  *      vlan2   192.168.1.0/24       0.0.0.0/0           
    0     0 logaccept  tcp  --  *      vlan2   192.168.1.0/24       0.0.0.0/0           tcp dpt:1723
  451 37234 lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    3   126 logaccept  0    --  br0    br0     0.0.0.0/0            0.0.0.0/0           
    4   176 logaccept  tcp  --  *      *       0.0.0.0/0            192.168.1.50        tcp dpt:2002
    0     0 logaccept  udp  --  *      *       0.0.0.0/0            192.168.1.50        udp dpt:2002
    0     0 logaccept  tcp  --  *      *       0.0.0.0/0            192.168.1.50        tcp dpt:1195
    3   126 logaccept  udp  --  *      *       0.0.0.0/0            192.168.1.50        udp dpt:1195
    0     0 TRIGGER    0    --  vlan2  br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
  441 36806 trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0           
  438 36416 logaccept  0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
    3   390 logdrop    0    --  *      *       0.0.0.0/0            0.0.0.0/0           
Chain PREROUTING (policy ACCEPT 65849 packets, 4592K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            <WAN IP>       to:192.168.1.2
    4   176 DNAT       tcp  --  *      *       0.0.0.0/0            <WAN IP>       tcp dpt:2002 to:192.168.1.50:2002
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            <WAN IP>       udp dpt:2002 to:192.168.1.50:2002
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            <WAN IP>       tcp dpt:1195 to:192.168.1.50:1195
    6   252 DNAT       udp  --  *      *       0.0.0.0/0            <WAN IP>       udp dpt:1195 to:192.168.1.50:1195
11228  655K TRIGGER    0    --  *      *       0.0.0.0/0            <WAN IP>       TRIGGER type:dnat match:0 relate:0



Quote:
When you have problems like this, it's not a bad idea to create your port forwards directly in the firewall script, if only to verify it's not a GUI issue.


Haven't done it this way yet, but will depending what happens after this post.

Quote:
Beware, there's always the possibility your ISP is blocking ports, esp. the low numbered ones. Try something much higher, say 10000 or above.


I've confirmed with my ISP that these ports are not blocked, whereas 25, 80, 135-139, 445 are.

Quote:
As far as the port assignments, the destination port of a remote OpenVPN server by your OpenVPN client is irrelevant. That port exists on the *other* system. So there is no conflict w/ having that same port open inbound on your router for your OpenVPN server.


Correct, and coincidentally enough the OpenVPN client on DD-WRT failed at nearly the same time that port forwarding worked for the first time. Had to try.

Quote:
If you're running an OpenVPN server on the primary router, you DON'T port forward! You're not trying to forward from the router's WAN to some other device on the LAN.


I wasn't clear... my OpenVPN server actually is an Ubuntu OpenVPN server on the LAN, with all iptables and routes working. When on wireless, clients connect and head outbound no problem.



The iptables above looks ok to me but I'm fairly new to it. It was mentioned above that I should update the build but it seems like I'm running current. All that aside, I'm not opposed to 30/30/30 but it would be nice to restore from a config, without reintroducing the same issues.
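Added example, not from this thread or from DD-WRT: a small Python checker for the two dumps posted above. It parses `iptables -vnL FORWARD` and `iptables -t nat -vnL PREROUTING`, pairs each DNAT with the FORWARD rule that must accept the rewritten packet, and reads the packet counters to say at which stage a forward is failing. The sample output is constructed in the same layout, with 203.0.113.10 standing in for the redacted WAN IP.

```python
import re
# Constructed sample in the layout of the thread's "iptables -vnL FORWARD && iptables -t nat -vnL
# PREROUTING" output; 203.0.113.10 stands in for the router's redacted <WAN IP>.
SAMPLE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   176 logaccept  tcp  --  *      *       0.0.0.0/0            192.168.1.50        tcp dpt:2002
    0     0 logaccept  udp  --  *      *       0.0.0.0/0            192.168.1.50        udp dpt:2002
    0     0 logaccept  udp  --  *      *       0.0.0.0/0            192.168.1.50        udp dpt:1195
Chain PREROUTING (policy ACCEPT 65849 packets, 4592K bytes)
    4   176 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.10        tcp dpt:2002 to:192.168.1.50:2002
    6   252 DNAT       udp  --  *      *       0.0.0.0/0            203.0.113.10        udp dpt:2002 to:192.168.1.50:2002
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            203.0.113.10        udp dpt:1195 to:192.168.1.50:1195
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.10        tcp dpt:1196 to:192.168.1.50:1196
"""
# Columns: pkts bytes target prot opt in out source destination [match text]; only zero vs non-zero
# counters matter here, so a K/M/G suffix on the counter is dropped.
RULE = re.compile(r"^\s*(\d+)[KMG]?\s+\d+[KMG]?\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S+)\s*(.*)$")
DPT = re.compile(r"\bdpt:(\d+)")
TO = re.compile(r"\bto:(\d+\.\d+\.\d+\.\d+)(?::(\d+))?")

def parse_chains(text):
    """Return {chain: [rule dicts]} from -vnL output; header and policy lines are skipped."""
    chains, cur = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            cur = line.split()[1]
            chains[cur] = []
        elif (m := RULE.match(line)) and cur is not None:
            pkts, target, prot, dst, extra = m.groups()
            chains[cur].append({"pkts": int(pkts), "target": target, "prot": prot, "dst": dst,
                                "dpt": next(iter(DPT.findall(extra)), None), "extra": extra})
    return chains

def check_forwards(text):
    """Pair each nat PREROUTING DNAT with its FORWARD accept rule; yield ((prot, port), verdict).
    no-forward-rule: DNAT rewrites but nothing in FORWARD accepts it.  dnat-unhit: no WAN-side packet
    ever matched, so look upstream (ISP, client).  forward-unhit: DNAT fired but the FORWARD accept
    never did, so something between the two chains drops it.  ok: both counters are moving."""
    chains = parse_chains(text)
    accepts = [r for r in chains.get("FORWARD", []) if r["target"] in ("ACCEPT", "logaccept")]
    for r in chains.get("PREROUTING", []):
        to = TO.search(r["extra"])
        if r["target"] != "DNAT" or not to or not r["dpt"]:
            continue  # ICMP DNAT without a port, TRIGGER and the like
        ip, port = to.group(1), to.group(2) or r["dpt"]
        pair = [f for f in accepts if f["prot"] == r["prot"] and f["dst"] == ip and f["dpt"] == port]
        verdict = ("no-forward-rule" if not pair else "dnat-unhit" if r["pkts"] == 0
                   else "forward-unhit" if all(f["pkts"] == 0 for f in pair) else "ok")
        yield (r["prot"], port), verdict
```

Feed it the real dumps with `check_forwards(open("dump.txt").read())`; a DNAT that sits at zero while the client is actively trying is the signature of traffic never reaching the router's WAN side at all.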
tatsuya46
DD-WRT Guru


Joined: 03 Jan 2010
Posts: 7568
Location: YWG, Canada

PostPosted: Sat Dec 20, 2014 22:20    Post subject:
look at the ftp below, the wiki just isn't updated yet
skiglades
DD-WRT Novice


Joined: 17 Dec 2014
Posts: 7

PostPosted: Sat Dec 20, 2014 23:16    Post subject:
Thanks for that, I got the "425 Security: Bad IP connecting" error and forgot to turn off VPN and retry.

I upgraded to revision 25648 and immediately port forwarding worked (from iOS client first on WLAN, then on 3G). No kidding that a few minutes later, client can't reach the VPN server from 3G but still can on WLAN. On WLAN, client can reach the OpenVPN server IP, LAN server IP, gateway, and outbound.

I've also rebooted the router and client. The port forwarding config and iptables all look unchanged by the upgrade. I'll keep checking but that's what I see so far.
skiglades
DD-WRT Novice


Joined: 17 Dec 2014
Posts: 7

PostPosted: Sun Dec 21, 2014 0:06    Post subject:
I disabled port forwarding and re-enabled it to see if a reconfig would change anything. Disabled port forwarding iptables...

Code:

iptables -vnL FORWARD && iptables -t nat -vnL PREROUTING
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  241 46976 ACCEPT     0    --  *      tun1    0.0.0.0/0            0.0.0.0/0           
  251  132K ACCEPT     0    --  tun1   *       0.0.0.0/0            0.0.0.0/0           
   24  6260 logaccept  0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 logaccept  47   --  *      vlan2   192.168.1.0/24       0.0.0.0/0           
    0     0 logaccept  tcp  --  *      vlan2   192.168.1.0/24       0.0.0.0/0           tcp dpt:1723
    2   233 lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 logaccept  0    --  br0    br0     0.0.0.0/0            0.0.0.0/0           
    0     0 TRIGGER    0    --  vlan2  br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    2   233 trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0           
    1    64 logaccept  0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
    1   169 logdrop    0    --  *      *       0.0.0.0/0            0.0.0.0/0           
Chain PREROUTING (policy ACCEPT 249 packets, 25086 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            <WAN IP>       to:192.168.1.2
   49  4096 TRIGGER    0    --  *      *       0.0.0.0/0            <WAN IP>       TRIGGER type:dnat match:0 relate:0


Re-enabled forwarding iptables...
Code:

iptables -nvL FORWARD && iptables -t nat -vnL PREROUTING
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   39  5244 ACCEPT     0    --  *      tun1    0.0.0.0/0            0.0.0.0/0           
   30  7527 ACCEPT     0    --  tun1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 logaccept  0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 logaccept  47   --  *      vlan2   192.168.1.0/24       0.0.0.0/0           
    0     0 logaccept  tcp  --  *      vlan2   192.168.1.0/24       0.0.0.0/0           tcp dpt:1723
    0     0 lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 logaccept  0    --  br0    br0     0.0.0.0/0            0.0.0.0/0           
    0     0 logaccept  tcp  --  *      *       0.0.0.0/0            192.168.1.50        tcp dpt:2002
    0     0 logaccept  udp  --  *      *       0.0.0.0/0            192.168.1.50        udp dpt:2002
    0     0 logaccept  tcp  --  *      *       0.0.0.0/0            192.168.1.50        tcp dpt:1195
    0     0 logaccept  udp  --  *      *       0.0.0.0/0            192.168.1.50        udp dpt:1195
    0     0 TRIGGER    0    --  vlan2  br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0           
    0     0 logaccept  0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 logdrop    0    --  *      *       0.0.0.0/0            0.0.0.0/0           
Chain PREROUTING (policy ACCEPT 224 packets, 31514 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            <WAN IP>       to:192.168.1.2
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            <WAN IP>       tcp dpt:2002 to:192.168.1.50:2002
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            <WAN IP>       udp dpt:2002 to:192.168.1.50:2002
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            <WAN IP>       tcp dpt:1195 to:192.168.1.50:1195
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            <WAN IP>       udp dpt:1195 to:192.168.1.50:1195
   83  9886 TRIGGER    0    --  *      *       0.0.0.0/0            <WAN IP>       TRIGGER type:dnat match:0 relate:0



If nothing else it seems iptables are being changed according to GUI config. Also in case it's relevant, following almost any change including the port forwarding reconfig above, I'm forced to reboot the router as the WAN connection drops every time.

My router is different only in that I have an OSSEC HIDS server on the network doing SSH-based logins for file-integrity monitoring. But all it's doing is hashing files, reporting output of netstat, and similar. Not sure if that could interfere as it's basically the same as logging in and running a few shell commands.
skiglades
DD-WRT Novice


Joined: 17 Dec 2014
Posts: 7

PostPosted: Sun Dec 28, 2014 23:06    Post subject:
Can anyone comment if my options are basically limited to doing a hard reset and restoring from config or rebuilding the config by hand?

iptables troubleshooting hasn't resolved it nor has upgrading the firmware.