Port Forwarding Troubleshooting

From DD-WRT Wiki

Introduction

This page explains how to troubleshoot common port forwarding problems so that you can find out what the real cause is and fix it. There are many possible causes, including multiple layers of NAT (a router behind another router), a misconfigured port forward, a software firewall on the host being forwarded to, unexplainable behaviour caused by not hard resetting the router, and so on. You should first familiarize yourself with how to configure Port Forwarding before trying to troubleshoot it.

WARNING: Loopback is currently broken in build 15760 and higher but is easily fixed with iptables. See [Ticket 1868] for more information.

Basic Troubleshooting

Did You Hard Reset?

The only cases I've seen of genuine bugs with port forwards in DD-WRT have been unexplainable behaviour of the underlying iptables rules that was fixed by hard resetting and reconfiguring from scratch. If you have made few changes from the default configuration then you should try this first. If you have a lot of changes then you'll likely want to test the other possibilities first, since most problems are user error anyway.

Check the WAN IP

Start by going to the router's GUI with your web browser and checking what the router's WAN IP is.

  • If the WAN IP is then you're using the device in an OSI layer 2 bridge/switch configuration (WAP, WDS, CB, RB) or you have no internet connection. If it's the former then no port forwards are needed on this router because the device is not doing NAT or routing. If it's the latter then you need to fix your internet connection which is a different matter not discussed here.
  • If the WAN IP begins with 192.168.x.x, 172.[16-31].x.x, or 10.x.x.x then the router is behind another router that is also doing NAT. You must configure that router to either DMZ or port forward to the DD-WRT router.
  • Any other WAN IP is likely a public (routable) address that just needs a properly configured port forward on the router.

Test Loopback

Some ISPs block certain ports or even do deep packet inspection (OSI layer 7), so to determine whether the port forward itself is working you should try to access it from within your LAN using NAT loopback. This test only works if you're using a client program that lets you specify the IP and port to connect to. If you don't have an obvious client program capable of this (such as a web browser to connect to an HTTP server) then you can use Nmap to check whether the port is open.

To test a single TCP and UDP port number with Nmap, use the following options:

nmap -sT -sU -p [port] [IP Address]

To run the loopback test:

  1. Go to the Security -> Firewall page in the GUI.
  2. Uncheck Filter WAN NAT Redirection (it is unchecked by default), which allows loopback. If you disabled the SPI firewall then you will have to enable it temporarily to be able to change this setting.
  3. Make sure that the host you're forwarding to is listening on the port being forwarded to, i.e. make sure that the PC is running the program you're trying to forward the port for so that it will accept the connections. If no program is listening on the destination port then the port will appear closed!
  4. Connect to the router's [WAN IP]:[external port being forwarded] from any device on your LAN using your client program or Nmap.

If loopback failed then you likely have either a software firewall on the host, or a hardware firewall or NAT router between the router and the host. If loopback worked then you likely have either a hardware firewall or NAT router between the router and the ISP, or your ISP is blocking the traffic.

  • Temporarily disable all firewalls and retest.
  • If you have another NAT router then you need to configure the first router to port forward/DMZ to the second router's WAN IP and the second router to port forward to the host. Try loopback on the other router's [WAN IP]:[external port being forwarded] too.
  • If you suspect that your ISP is blocking it because the router has a public IP and loopback worked then you need to remove all routers and connect the host directly to your ISP. If your host doesn't get an IP from your ISP then you may need to unplug your modem for a few minutes to have it release the MAC address binding.
  • If the port forward still fails then you need to look at the iptables rules to see if they are bugged/misconfigured, or hard reset the router if you didn't at the start. Telnet/SSH to the router, run the commands below, and post the output in a new forum thread.

iptables -t nat -vnL PREROUTING
iptables -vnL FORWARD
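The WAN IP cases under "Check the WAN IP" and the PREROUTING check above, as an added shell example that is not part of this wiki page or of DD-WRT: it sorts a WAN IP into the three cases, then searches a pasted `iptables -t nat -vnL PREROUTING` listing for the DNAT rule of a given external port and reads its packet counter the way the loopback logic does. The listing, addresses, counters and function names are all constructed for the example.

```shell
#!/bin/sh
# Added example, not DD-WRT code: applies the WAN IP cases above and checks the
# PREROUTING listing the page asks you to collect. All sample data is constructed.

# Constructed stand-in for `iptables -t nat -vnL PREROUTING` output (not a real capture).
SAMPLE_PREROUTING='Chain PREROUTING (policy ACCEPT 1234 packets, 98765 bytes)
 pkts bytes target     prot opt in     out     source               destination
   57  3420 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.5          tcp dpt:8080 to:192.168.1.50:80
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            203.0.113.5          udp dpt:27015 to:192.168.1.60:27015'

# Which of the three WAN IP cases applies: bridged/no link, behind another NAT, or public.
classify_wan_ip() {
  case "$1" in
    ""|0.0.0.0)                             echo bridged-or-down ;;
    10.*|192.168.*)                         echo double-nat ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*)  echo double-nat ;;
    *)                                      echo public ;;
  esac
}

# find_dnat_rule PROTO EXTPORT < listing: prints "to:<host:port> <pkts>" for the DNAT
# rule forwarding that port; exits non-zero if no such rule exists (forward misconfigured).
find_dnat_rule() {
  awk -v proto="$1" -v port="$2" '
    $3 == "DNAT" && $4 == proto {
      for (i = 10; i < NF; i++)
        if ($i == ("dpt:" port) && $(i + 1) ~ /^to:/) { print $(i + 1), $1; found = 1; exit }
    }
    END { exit !found }'
}

# Read the packet counter the way the loopback logic above does: zero hits means the
# traffic never reached the rule (NAT redirection filtered, upstream NAT, or ISP block);
# hits with a failing connection point at the host (nothing listening or a host firewall).
interpret_hits() {
  case "$1" in
    0) echo "no packets hit the rule: traffic is stopped before the router" ;;
    *) echo "rule matched $1 packets: check the listener/firewall on the host" ;;
  esac
}

# Walk-through on the constructed sample.
echo "WAN IP 203.0.113.5 is $(classify_wan_ip 203.0.113.5)"
if rule=$(printf '%s\n' "$SAMPLE_PREROUTING" | find_dnat_rule tcp 8080); then
  echo "tcp/8080 -> $rule"
  interpret_hits "${rule##* }"
else
  echo "tcp/8080: no DNAT rule, the port forward is not configured"
fi
```

To use it on a real router, paste the actual PREROUTING listing into `find_dnat_rule` instead of the sample.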