thecon DD-WRT Novice Joined: 26 Apr 2021 Posts: 15
Posted: Sat Dec 16, 2023 19:21 Post subject: Port forwarding fail after r52894
Hi!
I use DD-WRT on a Netgear R7800 and I noticed that builds later than
https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2023/06-06-2023-r52894/
(for example 06-12-2023-r52955 up to 12-15-2023-r54517)
all fail to port-range-forward to my PC (via Ethernet).
I use Wi-Fi, guest Wi-Fi (both on 2.4 GHz and 5 GHz), a WireGuard tunnel, DDNS, DNS with blacklisted domains (to mimic Pi-hole), port and port-range forwarding; it's bridged with my VDSL modem, etc. Nothing too fancy.
Has anyone observed anything like my problem? I have ruled out everything but the R7800.
Thanks!
Per Yngve Berg DD-WRT Guru Joined: 13 Aug 2013 Posts: 6872 Location: Romerike, Norway
Posted: Sat Dec 16, 2023 23:08 Post subject:
Do you have a WG Client running?
The return packets will be routed through the Tunnel and never reach the WAN.
thecon DD-WRT Novice Joined: 26 Apr 2021 Posts: 15
Posted: Sat Dec 16, 2023 23:55 Post subject:
WG server (tunnel) running on the home R7800, bridged to the VDSL modem. WG clients only on two cellphones, just to VPN into the home network (they have no need to reach my PC, which is also on the home network).
However, up to r52894 I could reach my PC remotely from other remote PCs (nothing to do with VPN) through port forwarding. After r52955 I no longer can do that (don't know what changed between r52894 and r52955).
ho1Aetoo DD-WRT Guru Joined: 19 Feb 2019 Posts: 3006 Location: Germany
thecon DD-WRT Novice Joined: 26 Apr 2021 Posts: 15
Posted: Sun Dec 17, 2023 11:29 Post subject:
Sad to hear (but good to know that it works for others). Will troubleshoot some more and report back here if I find anything. Perhaps one can see the changes between r52894 and r52955 to see which changes might create this problem under specific scenarios (such as mine).
egc DD-WRT Guru Joined: 18 Mar 2014 Posts: 12923 Location: Netherlands
Posted: Sun Dec 17, 2023 11:41 Post subject:
You can post screenshots e.g. Basic Setup, services, wireguard, port forward so that we can have a look.
Do you have SFE shortcut forwarding engine on Basic Setup Page enabled?
If so try with it disabled. _________________ Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
thecon DD-WRT Novice Joined: 26 Apr 2021 Posts: 15
Posted: Sun Dec 17, 2023 13:34 Post subject:
Services.asp -> dnsmasq Additional options
-----------------------------------------
#also 0.0.0.0 on Setup/services. https://wiki.dd-wrt.com/wiki/index.php/DNSMasq_as_DHCP_server
no-resolv
server=208.67.222.222
server=208.67.220.222
server=208.67.220.220
#pihole ddwrt 1/2 https://pastebin.com/aySi7RhY
addn-hosts=/tmp/blacklisted_domains
#https://wiki.dd-wrt.com/wiki/index.php/Guest_Network
interface=wlan0.1,wlan1.1
dhcp-option=wlan0.1,3,10.2.1.1
dhcp-range=wlan0.1,10.2.1.101,10.2.1.150,255.255.255.0,24h
dhcp-option=wlan1.1,3,10.2.1.1
dhcp-range=wlan1.1,10.2.1.101,10.2.1.150,255.255.255.0,24h
firewall
--------
#2/2 bridge https://superuser.com/questions/859490/how-do-i-access-my-modems-gui-when-its-in-bridged-mode
iptables -t nat -I POSTROUTING -o `nvram get wan_ifname` -d 10.2.5.0/24 -j MASQUERADE
#After creating br1 in Setup/Networking, also enable Net Isolation and Forced DNS Redirection: https://wiki.dd-wrt.com/wiki/index.php/Guest_Network#Multi-radio_routers
#-I prepends, so the DNS/DHCP ACCEPT added second ends up above the REJECT and is evaluated first
iptables -I INPUT -i br1 -m state --state NEW -j REJECT
iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
#guest bridge may not open new connections towards the main LAN bridge
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j REJECT
rest notes
----------
On: Wi-Fi 5 GHz, 2.4 GHz bridged with wired (PC). Guest Wi-Fi (5 GHz/2.4 GHz) isolated. NAT port + range forwarding, UPnP, DDNS
Off: keepalive, mac filters, wds, freeradius, pppoe, vpn, usb, nas, hotspot, ad blocking, vlan, ipv6, qos, dmz
Additional strange thing: media player on bridged interface (main wifi+wired) does not see internet when the new version of ddwrt is installed. However, Alexa on guest wifi has internet ok.
thecon DD-WRT Novice Joined: 26 Apr 2021 Posts: 15
Posted: Sun Dec 17, 2023 13:35 Post subject:
4,5,6
thecon DD-WRT Novice Joined: 26 Apr 2021 Posts: 15
Posted: Sun Dec 17, 2023 13:35 Post subject:
and 7
ho1Aetoo DD-WRT Guru Joined: 19 Feb 2019 Posts: 3006 Location: Germany
Posted: Sun Dec 17, 2023 14:13 Post subject:
There is a lot of nonsense configured - you don't even know where to start
And the most important thing is that your forwarding rules are missing
So let me start
basic setup:
delete the gateway and local dns
enter your DNS server in the "static dns" fields
static dns 1=208.67.222.222
static dns 2=208.67.220.222
static dns 3=208.67.220.220
networking:
set your VAPs wlan0.1 and wlan1.1 to default (not unbridged - your VAPs are bridged!!)
create a DHCP server for br1 (multiple DHCP servers)
services:
delete all "additional dnsmasq options" except for "addn-hosts=/tmp/blacklisted_domains"
egc will certainly answer you about WireGuard, but "VPN passthrough" is bullshit _________________ Quickstart guides:
use Pi-Hole as simple DNS-Server with DD-WRT
VLAN configuration via GUI - 1 CPU port
VLAN configuration via GUI - 2 CPU ports (R7800, EA8500 etc)
Routers
Marvell OCTEON TX2 - QHora-322 - OpenWrt 23.05.3 - Gateway
Qualcomm IPQ8065 - R7800 - DD-WRT - WAP Last edited by ho1Aetoo on Sun Dec 17, 2023 14:31; edited 2 times in total
thecon DD-WRT Novice Joined: 26 Apr 2021 Posts: 15
Posted: Sun Dec 17, 2023 14:23 Post subject:
Perhaps that's why it used to work (older builds), but now it doesn't (newer builds).
Also, see a sample of my port range forwards.
How can I double check this port forward is in fact in place? Using command line and iptables?
ho1Aetoo DD-WRT Guru Joined: 19 Feb 2019 Posts: 3006 Location: Germany
Posted: Sun Dec 17, 2023 14:35 Post subject:
Quote: rest notes
----------
On: port + range forwarding, UPnP
What do you need UPnP for if you configure the port forwarding manually?
By the way, UPnP is a security risk.
Quote: How can I double check this port forward is in fact in place? Using command line and iptables?
you can see with "iptables -t nat -vnL" if they are there and working...
(they are guaranteed to be there)
I'm away for 2 hours (someone else will surely answer you too)
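The "iptables -t nat -vnL" check from the post above can be turned into a small diagnostic that reads the listings and reports where a forward stops working. The script below is an added example, not something posted in this thread or shipped with DD-WRT. The two listings inside it are constructed to look like "iptables -t nat -vnxL PREROUTING" and "iptables -vnxL FORWARD" output on a router whose WAN address is 203.0.113.10 and whose PC is 192.168.1.50 (both assumed values). The 3389 entry is built to show the symptom described in this thread: the DNAT counter increments, so packets do reach the router and are rewritten, but the matching ACCEPT in FORWARD never gets hit, meaning something earlier in FORWARD handled them. The other entries show a range forward that no packet has reached, a forward whose target is a different host than expected (what you see when the PC's DHCP lease changed), and a port with no rule at all.

```shell
#!/bin/sh
# Added example (not from the thread or from DD-WRT): classify why a port forward
# is not working, from the output of "iptables -t nat -vnxL PREROUTING" and
# "iptables -vnxL FORWARD" (-x keeps counters exact instead of 12K/3M).
# All addresses and counters below are constructed for illustration.

# awk helper shared by both parsers: does a "dpt:N" or "dpts:A:B" token cover port?
_covers='
function covers(tok, port,   a) {
  if (tok ~ /^dpt:/)  { split(tok, a, ":"); return a[2] + 0 == port + 0 }
  if (tok ~ /^dpts:/) { split(tok, a, ":"); return a[2] + 0 <= port + 0 && port + 0 <= a[3] + 0 }
  return 0
}'

# dnat_for_port PORT   (stdin: nat PREROUTING listing)
# prints "<pkts> <to-target>" for each DNAT rule whose external port covers PORT
dnat_for_port() {
  awk -v port="$1" "$_covers"'
    $3 == "DNAT" {
      hit = 0; to = ""
      for (i = 10; i <= NF; i++) {
        if (covers($i, port)) hit = 1
        if ($i ~ /^to:/) to = substr($i, 4)
      }
      if (hit) print $1, to
    }'
}

# forward_accept_for HOST PORT   (stdin: filter FORWARD listing)
# prints the packet counter of each ACCEPT rule for HOST whose dport covers PORT
forward_accept_for() {
  awk -v host="$1" -v port="$2" "$_covers"'
    $3 == "ACCEPT" && $9 == host {
      for (i = 10; i <= NF; i++)
        if (covers($i, port)) { print $1; next }
    }'
}

# diagnose NAT_LISTING FWD_LISTING HOST PORT
# Follows the path of a new inbound connection and reports the first point where
# the evidence stops: no DNAT rule; DNAT pointing at another (stale) host; DNAT
# never matched (packets never arrived on the WAN); no ACCEPT in FORWARD; or an
# ACCEPT that is present but never hit (an earlier FORWARD rule, e.g. the SPI
# state checks, took the packets). Only the first matching DNAT rule is examined.
diagnose() {
  dnat=$(printf '%s\n' "$1" | dnat_for_port "$4" | head -n 1)
  [ -n "$dnat" ] || { echo "no-dnat-rule"; return 0; }
  pkts=${dnat%% *}
  to=${dnat#* }
  case $to in
    *:*) iport=${to##*:} ;;   # forward also rewrites the port: check FORWARD for the inside port
    *)   iport=$4 ;;          # range forward keeps the original port
  esac
  [ "${to%%:*}" = "$3" ] || { echo "dnat-to-other-host:$to"; return 0; }
  [ "$pkts" -gt 0 ] || { echo "no-packets-hit-dnat"; return 0; }
  acc=$(printf '%s\n' "$2" | forward_accept_for "$3" "$iport" | head -n 1)
  [ -n "$acc" ] || { echo "no-forward-accept"; return 0; }
  [ "$acc" -gt 0 ] || { echo "dropped-in-forward"; return 0; }
  echo "ok"
}

# Constructed listings shaped like iptables -vnxL output (WAN 203.0.113.10 assumed).
SAMPLE_NAT=$(cat <<'EOF'
Chain PREROUTING (policy ACCEPT 5310 packets, 402331 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  2520 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.10         tcp dpt:3389 to:192.168.1.50:3389
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.10         tcp dpts:27000:27050 to:192.168.1.50
    8   480 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.10         tcp dpt:8080 to:192.168.1.77:80
EOF
)
SAMPLE_FWD=$(cat <<'EOF'
Chain FORWARD (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
 9021 6812345 ACCEPT   all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   45  2700 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.50         tcp dpt:3389
    8   480 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.77         tcp dpt:80
EOF
)

# Stand-alone run over the constructed data. On the router, feed the live listings instead:
#   diagnose "$(iptables -t nat -vnxL PREROUTING)" "$(iptables -vnxL FORWARD)" 192.168.1.50 3389
for p in 3389 27010 8080 22; do
  printf '%-6s %s\n' "$p" "$(diagnose "$SAMPLE_NAT" "$SAMPLE_FWD" 192.168.1.50 "$p")"
done
```

To use it on the router, run the two iptables listings once, start a connection attempt from outside, run them again and compare: the counters tell you whether the packet got as far as PREROUTING, FORWARD, or neither. The script only uses sh, awk and head, so it should also run from DD-WRT's BusyBox shell, though it was only checked against a standard awk.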
Per Yngve Berg DD-WRT Guru Joined: 13 Aug 2013 Posts: 6872 Location: Romerike, Norway
Posted: Sun Dec 17, 2023 14:57 Post subject:
208.67.222.222 is a strange IP Address for a local DNS Server.
egc DD-WRT Guru Joined: 18 Mar 2014 Posts: 12923 Location: Netherlands
Posted: Sun Dec 17, 2023 15:06 Post subject:
I am travelling so will review tomorrow.
But fortunately others are already pointing you in the right direction.
But as the previous poster noted, this setup has room for improvement (read: it is a mess).
thecon DD-WRT Novice Joined: 26 Apr 2021 Posts: 15
Posted: Sun Dec 17, 2023 15:43 Post subject:
Thank you all.
I followed ho1Aetoo's advice in the 16:11 message (last edited at 16:31) and although it drives me to the correct configuration, I still get dropped packets from the outside (i.e. no port forwarding). Only when I disable the SPI firewall do they get through. When the SPI firewall is enabled (even with no other options on) I see dropped packets from outside.