MQTT publish from router not working; what's blocking it?

XIII

Very Senior Member
Somehow I can publish MQTT messages from my Raspberry Pi to my own MQTT broker (on the same Raspberry Pi), but not from my router.

I'm not sure what's wrong. Who can help?

Setup:
  • Mosquitto MQTT server with valid Let's Encrypt certificates on Raspberry Pi on port 8883
  • Personal domain name mqtt.domain.com redirected to hostname.asuscomm.com
  • Port 8883 on router forwarded to Raspberry Pi
  • Entware packages ca-bundle and ca-certificates installed on router
  • AC86U router with Merlin 384.13 firmware

Working on Pi (using domain name, DDNS, and port forwarding):
Code:
mosquitto_pub -h mqtt.domain.com -p 8883 -u username -P password -t topic -m message --capath /etc/ssl/certs

NOT working on router (using domain name, DDNS, and port forwarding):
Code:
mosquitto_pub -h mqtt.domain.com -p 8883 -u username -P password -t topic -m message --capath /opt/etc/ssl/certs
Error message:
Code:
Error: Connection refused

Working on router (direct access to Pi):
Code:
mosquitto_pub -h pi.home.lan -p 8883 -u username -P password -t topic -m message --capath /opt/etc/ssl/certs --insecure

(The --insecure is needed because the domain name will not match the certificate)

It looks like something is blocking the router from connecting to the MQTT broker via domain name, DDNS, and port forwarding?

On Pi (domain name):
Code:
nmap mqtt.domain.com -p 8883
reports
Code:
8883/tcp open  secure-mqtt

On router (domain name):
Code:
nmap mqtt.domain.com -p 8883
reports
Code:
8883/tcp closed  secure-mqtt

On router (Pi):
Code:
nmap pi.home.lan -p 8883
reports
Code:
8883/tcp open secure-mqtt

Note: I run the "ufw" firewall on the Raspberry Pi, with this rule for port 8883:
Code:
8883 ALLOW Anywhere

I do run SkyNet, but don't see anything being added to its log while trying this.

What can be blocking the router from publishing MQTT messages? How do I fix it?
 
Publishing from the router does work if I add a custom dnsmasq entry that redirects mqtt.domain.com to the IP address of the Raspberry Pi!

Would my issue be that (without that redirect) port forwarding does not kick in, because if I try to publish from the router I hit internal instead of external port 8883?

(or am I talking nonsense now?)
 
Instead of redirecting all traffic I would rather only do it for (tcp) port 8883.

Seems like this might work?

Code:
iptables -t nat -A OUTPUT -p tcp --dport 8883 -j DNAT --to-destination 192.168.1.3:8883

(where 192.168.1.3 is the IP address of the Raspberry Pi)

What would be a good script to put this in, to make it run after router reboots?
 
I think this nat "solution" is only a (bad) workaround, since it will probably redirect all traffic to port 8883 to the Pi; also when (if) I want to communicate with other MQTT brokers from the router?

(No time for experiments right now; hope to continue later)
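A scoped version of the OUTPUT-chain DNAT discussed in the posts above, as an added example that is not from the thread: it limits the rewrite to connections the router itself makes to its own WAN address on tcp/8883, so other brokers on 8883 are not redirected, and it is written as a nat-start hook so the rule returns after reboots. The /jffs/scripts/nat-start hook name and the wan0_ipaddr nvram variable follow Asuswrt-Merlin conventions and are assumptions here; 192.168.1.3 and 8883 are the values given in the thread.

```shell
#!/bin/sh
# Added example: hypothetical /jffs/scripts/nat-start hook for Asuswrt-Merlin
# (assumed hook name). It DNATs only connections the router itself makes to its
# OWN WAN address on tcp/8883, so traffic to other brokers on 8883 is untouched.
# The client still connects to mqtt.domain.com, so the certificate hostname
# check passes without --insecure.

PI_IP="192.168.1.3"   # Raspberry Pi address from the thread
MQTT_PORT="8883"

# Match/target part of the rule for a given WAN address. One function serves
# both -C (check) and -A (append) so the two can never drift apart.
build_rule() {
    echo "OUTPUT -d $1 -p tcp --dport $MQTT_PORT -j DNAT --to-destination $PI_IP:$MQTT_PORT"
}

# Accept only a dotted quad before splicing the value into an iptables rule.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    [ "$(echo "$1" | tr '.' '\n' | wc -l | tr -d ' ')" -eq 4 ]
}

# Insert the rule once; nat-start is re-run on every firewall restart, so the
# check keeps the nat table free of duplicate entries.
add_hairpin_rule() {
    rule=$(build_rule "$1")
    # word splitting of $rule into separate arguments is intended
    if iptables -t nat -C $rule 2>/dev/null; then
        echo "hairpin rule already present"
    else
        iptables -t nat -A $rule
    fi
}

main() {
    # wan0_ipaddr is assumed to hold the router's current WAN IPv4 address.
    wan_ip=$(nvram get wan0_ipaddr 2>/dev/null)
    if ! is_ipv4 "$wan_ip"; then
        echo "nat-start: no WAN IPv4 address yet, skipping" >&2
        return 1
    fi
    add_hairpin_rule "$wan_ip"
}

# Run only when executed as the hook itself, not when sourced.
if [ "${0##*/}" = "nat-start" ]; then
    main
fi
```

Because the match is on the router's public address rather than on the port alone, a later `mosquitto_pub -h other-broker.example` to port 8883 from the router still goes out the WAN unchanged.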