[thecon]

Hi!

I use ddwrt on Netgear R7800 and I noticed that later builds than

https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2023/06-06-2023-r52894/

(for example 06-12-2023-r52955 up to 12-15-2023-r54517)

all fail to port range forward to my PC (via ethernet).

I use wifi, guest wifi (both on 2.4Ghz and 5Ghz), a wireguard tunnel, DDNS, dns with blacklisted domains (to mimic pihole), ports and port ranges forwarding, it's bridged with my vdsl modem, etc. Nothing too fancy.

Has anyone observed anything like my problem? I have ruled out everything but the R7800.

Thanks!

[Per Yngve Berg]

Do you have a WG Client running?

The return packets will be routed through the Tunnel and never reach the WAN.

[thecon]

WG server (tunnel) running on home's R7800 bridged to the VDSL model. WG clients only on two cellphones just to VPN on the home network (they have no need to reach my PC also on home network).

However, up to r52894 I could reach my PC remotely from other remote PCs (nothing to do with VPN) through port forwarding. After r52955 I no longer can do that (don't know what changed between r52894 and r52955).

[ho1Aetoo]

Everything works - as usual when someone reports that port forwarding is not working.

I just tested it on my r7800 which is bridged to a VDSL modem.

Pure waste of time - as usual

[thecon]

Sad to hear (but good to know that it works on others). Will troubleshoot some more and report back here if I find anything. Perhaps one can see the changes between r52894 and r52955 to see what changes might create this problem under specific scenarios (such as mine).

[egc]

You can post screenshots e.g. Basic Setup, services, wireguard, port forward so that we can have a look.

Do you have SFE shortcut forwarding engine on Basic Setup Page enabled?

If so try with it disabled.

[thecon]

Services.asp -> dnsmaq Additional options
-----------------------------------------
#also 0.0.0.0 on Setup/services. https://wiki.dd-wrt.com/wiki/index.php/DNSMasq_as_DHCP_server
no-resolv
server=208.67.222.222
server=208.67.220.222
server=208.67.220.220
#pihole ddwrt 1/2 https://pastebin.com/aySi7RhY
addn-hosts=/tmp/blacklisted_domains
#https://wiki.dd-wrt.com/wiki/index.php/Guest_Network
interface=wlan0.1,wlan1.1
dhcp-option=wlan0.1,3,10.2.1.1
dhcp-range=wlan0.1,10.2.1.101,10.2.1.150,255.255.255.0,24h
dhcp-option=wlan1.1,3,10.2.1.1
dhcp-range=wlan1.1,10.2.1.101,10.2.1.150,255.255.255.0,24h


firewall
--------
#2/2 bridge https://superuser.com/questions/859490/how-do-i-access-my-modems-gui-when-its-in-bridged-mode
iptables -t nat -I POSTROUTING -o `nvram get wan_ifname` -d 10.2.5.0/24 -j MASQUERADE
#After creating br1 in Setup/Networking, also enable Net Isolation and Forced DNS Redirection: https://wiki.dd-wrt.com/wiki/index.php/Guest_Network#Multi-radio_routers
iptables -I INPUT -i br1 -m state --state NEW -j REJECT
iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j REJECT



rest notes
----------
On: Wifi 5GHz, 2.4GHz bridged with wired (PC). Guest wifis (5GHz/2GHz) isolated. NAT port+ranges forwarding, uPnP, DDNS
Off: keepalive, mac filters, wds, freeradius, pppoe, vpn, usb, nas, hotspot, ad blocking, vlan, ipv6, qos, dmz
Additional strange thing: media player on bridged interface (main wifi+wired) does not see internet when the new version of ddwrt is installed. However, Alexa on guest wifi has internet ok.

[thecon]

4,5,6

[thecon]

and 7

[ho1Aetoo]

There is a lot of nonsense configured - you don't even know where to start

And the most important thing is that your forwarding rules are missing


So let me start

basic setup:

delete the gateway and local dns
enter your DNS server in the "static dns" fields

static dns 1=208.67.222.222
static dns 2=208.67.220.222
static dns 3=208.67.220.220

networking:

set your VAPs wlan0.1 and wlan1.1 to default (not unbridged - your VAPs are bridged!!)
create a DCHP server for br1 (multiple DCHP servers)

services:

delete all "additional dnsmasq options" except for "addn-hosts=/tmp/blacklisted_domains"

egc will certainly answer you about wireguard, but "vpn passtrough" is bullshit

[thecon]

Perhaps that's why it used to work (older builds), but now it doesn't (newer builds).

Also, see a sample of my port range forwards.

How can I double check this port forward is in fact in place? Using command line and iptables?

[ho1Aetoo]

[Per Yngve Berg]

208.67.222.222 is a strange IP Address for a local DNS Server.

[egc]

I am travelling so will review tomorrow.

But fortunately others are already pointing you in the right direction.

But like former speaker noted, this setup has room for improvement (read it is a mess)

[thecon]

Thank you all.

I followed ho1Aetoo's advice at 16:11 message (last edited at 16:31) and although it drives me to the correct configuration, still I get dropped packets from the outside (i.e. no port forwarding). Only when i disable SPI firewall they get through. When SPI firewall is enabled (even with no other options on) I see dropped packets from outside.