Posted: Thu Jan 11, 2024 13:35 Post subject: Issues trying to forward a port on DD-WRT
Hi there, I've been trying to forward a group of ports (21, 80, 443, etc) on my router, using the "NAT/QoS Port Forwarding" interface.
In fact, I had it working perfectly for some years, but one day, out of nowhere, it stoped working. So, after strugling for a while, I decided to upgrade the firmware (from v3.0-r46329 std to v3.0-r54682 std) I was using, but even so, I could not connect to these ports again anymore.
Joined: 18 Mar 2014 Posts: 12923 Location: Netherlands
Posted: Thu Jan 11, 2024 13:58 Post subject:
Redacting RFC1918 addresses is not only useless , as they are private, but it makes it difficult to give the best possible support.
Assuming you did not allow remote administration (please show iptables -vnL -t nat) it looks like the port forwarding is working you can see the rules being hit.
Chain FORWARD (policy ACCEPT 87 packets, 4476 bytes)
pkts bytes target prot opt in out source destination
76450 31M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
5572 1734K upnp all -- * * 0.0.0.0/0 0.0.0.0/0
5572 1734K lan2wan all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- vlan2 * 0.0.0.0/0 224.0.0.0/4
102 5753 ACCEPT tcp -- vlan2 * 0.0.0.0/0 192.168.1.199 tcp dpt:80
23 1148 ACCEPT tcp -- vlan2 * 0.0.0.0/0 192.168.1.199 tcp dpt:443
7 332 ACCEPT tcp -- vlan2 * 0.0.0.0/0 192.168.1.199 tcp dpt:21
0 0 TRIGGER all -- vlan2 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
5440 1727K trigger_out all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 TRIGGER all -- vlan2 eth0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 TRIGGER all -- vlan2 vlan1 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- vlan1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- vlan1 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 TRIGGER all -- vlan2 wlan0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- wlan0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- wlan0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 TRIGGER all -- vlan2 wlan1 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- wlan1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- wlan1 * 0.0.0.0/0 0.0.0.0/0 state NEW
5353 1722K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain OUTPUT (policy ACCEPT 9407 packets, 1899K bytes)
pkts bytes target prot opt in out source destination
Chain advgrp_1 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_10 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_11 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_12 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_13 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_14 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_15 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_16 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_17 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_18 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_19 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_2 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_20 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_3 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_4 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_5 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_6 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_7 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_8 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_9 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_1 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_10 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_11 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_12 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_13 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_14 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_15 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_16 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_17 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_18 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_19 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_2 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_20 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_3 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_4 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_5 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_6 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_7 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_8 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_9 (0 references)
pkts bytes target prot opt in out source destination
Chain lan2wan (1 references)
pkts bytes target prot opt in out source destination
Chain trigger_out (5 references)
pkts bytes target prot opt in out source destination
Chain upnp (1 references)
pkts bytes target prot opt in out source destination
(3)
Also, don't mask private IP addresses - you know they are private?
No, I believe the ip address is public: Mod edit: Screenshot was redacted in error, no need to share public IP.
Last edited by uranux on Thu Jan 11, 2024 20:29; edited 2 times in total
Joined: 08 May 2018 Posts: 14249 Location: Texas, USA
Posted: Thu Jan 11, 2024 19:34 Post subject:
I edited your post(s) to make them more readable and to redact your public IP for security reasons. If you know that the IP address is public and wish to redact it, that is fine and good practice. _________________ "Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net
Last edited by kernel-panic69 on Thu Jan 11, 2024 21:17; edited 1 time in total
Redacting RFC1918 addresses is not only useless, as they are private, but it makes it difficult to give the best possible support.
-> I must confess I do not understand what you mean here.
Assuming you did not allow remote administration (please show iptables -vnL -t nat) it looks like the port forwarding is working you can see the rules being hit.
-> command output:
Joined: 08 May 2018 Posts: 14249 Location: Texas, USA
Posted: Thu Jan 11, 2024 20:12 Post subject:
The redacted address is 177.*.*.* and is public, hence my edit to the post. This may have been confusion on @uranux' part, but that was the IP range he posted and I connected it with the redacted screenshot, which probably actually showed the 192.168.1.199 address. Either way, no public IP addresses should be posted for the sake of keeping everyone honest. Sorry for your gears getting ground smooth over trivial mistakes. _________________ "Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net
Are you testing the ports from an external host or from an internal one?
-> From an internal host, it works
[guest@internal-host]# telnet 177.X.X.X 21
Trying 177.X.X.X...
Connected to 177.X.X.X.
Escape character is '^]'.
220 FTP Server ready.
But not from a VPS
[guest@external-host]# telnet 177.X.X.X 21
Trying 177.X.X.X...
telnet: connect to address 177.X.X.X: Connection timed out
It realy looks like everything is fine, but still no connection is done from VPS host.
As you mentioned, I also believe the problem may be due to any kind of rules changed by my ISP. However, I wanted to check if it could be caused by any other problem with the configuration of my router or even a hardware issue.
As I said on the first post, I have been using Port Forward with DD-WRT for many years without problems. I will try to solve it hiring another ISP.