Help with port forwarding

[froggy666uk]

Hi,

I installed Merlin 384.13 yesterday on my AC86u and did a factory reset.

Prior to to the reset I had a port forward set up so that I could connect to one of my internal devices on port 922 from the internet - worked fine. After the factory reset I don't seem to be able to get it working again.

Does the attached look ok? Have I missed something else that I need to configure?

I can confirm 192.168.1.13 is up and running and I can connect on port 22 from my lan.

Any help gratefully received

Cheers,
Dave.

 

[ColinTaylor]

Try giving it a Service Name. Perhaps it doesn't like it being blank.

Check the status of the port forward under System Log - Port Forwarding.

Also check your WAN IP address hasn't changed.

 

[froggy666uk]

Hi Colin,

Thanks for the reply. I've given the service a name, same issue. Screenshot of the system log page attached (I'd set the protocol to TCP in this case, if I set the protocol to both it shows 2 entries, one for TCP and one for UDP).

I have a static IP address from my provider, and I've confirmed this is set correctly in the network map.

I notice the Port Forwarding log page shows a chain of 'VSERVER' - is that an iptables chain? Are there any iptables commands I can run to verify all is set correctly?

Cheers,
Dave.

 

[ColinTaylor]

Yes, VSERVER is the port forwarding chain.

The following command should verify the rules:

iptables -L -vnt nat

 

[froggy666uk]

Yes, VSERVER is the port forwarding chain.

The following command should verify the rules:

iptables -L -vnt nat

admin@RT-AC86U-4C20:/rom/etc/init.d# iptables -L -vnt nat
Chain PREROUTING (policy ACCEPT 2147 packets, 300K bytes)
 pkts bytes target     prot opt in     out     source               destination
  448 46219 VSERVER    all  --  *      *       0.0.0.0/0            80.229.25.xxx
    0     0 VSERVER    all  --  *      *       0.0.0.0/0            169.254.114.58

Chain INPUT (policy ACCEPT 1258 packets, 143K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 780 packets, 63135 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 758 packets, 59395 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0            policy match dir out pol ipsec
  867  139K PUPNP      all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
  447  111K MASQUERADE  all  --  *      ppp0   !80.229.25.xxx        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      eth0   !169.254.114.58       0.0.0.0/0
   23  3792 MASQUERADE  all  --  *      br0     192.168.1.0/24       192.168.1.0/24

Chain DNSFILTER (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain LOCALSRV (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PCREDIRECT (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain VSERVER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    1    52 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:922 to:192.168.1.13:22
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:922 to:192.168.1.13:22
  447 46167 VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain VUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:9308 to:192.168.1.113:9308
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:47214 to:192.168.1.38:47214
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:45795 to:192.168.1.38:45795

Thanks. Look ok? Not sure what that 169.254.114.58 address is!

 

[ColinTaylor]

That looks OK as far as I can tell.

It looks like you're using PPPoE, that's not a connection type that I'm particularly familiar with. But I expect 169.254.114.58 is the local connection to your modem and 80.229.25.xxx is your public IP address that is tunnelled across PPPoE.

The only notable thing I can see it the DNAT line for port 922. It has actually received one packet which suggests to me that the port forwarding is working. I would check the firewall settings on the target PC.

 

[froggy666uk]

That looks OK as far as I can tell.

It looks like you're using PPPoE, that's not a connection type that I'm particularly familiar with. But I expect 169.254.114.58 is the local connection to your modem and 80.229.25.xxx is your public IP address that is tunnelled across PPPoE.

The only notable thing I can see it the DNAT line for port 922. It has actually received one packet which suggests to me that the port forwarding is working. I would check the firewall settings on the target PC.

Ah good spot! I've tried hitting the external IP/port a couple of times and I can see the packet count increments each team, so looks like the port forwarding rule is working.

Dunno why I still can't get through then It is just a raspberry pi sitting on my lan, no firewall running. I can connect on port 22 from my router:

admin@RT-AC86U-xxxx:/tmp/home/root# telnet 192.168.1.13 22
SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u6

Protocol mismatch.
Connection closed by foreign host

 

[ColinTaylor]

Prior to doing the factory reset were you using a different IP address range for your LAN?

 

[froggy666uk]

All sorted - thanks for pointing me in the right direction! Before I did the factory reset my router had an IP of 192.168.1.254, I left it as the default 192.168.1.1 after the reset, but forgot to update any devices with static network settings.

Thanks again