Solved Port Forwarding Issue

[waldo43]

Hello, having issues getting port forwarding to work properly.

Firmware Tested - 3004.388.7, 3004.388.6
Hardware - ASUS AXRT88-U
Config - Default/Factory Reset Firmware

Configuration:

1/ WAN-> VS / Port forwarding

2/ LAN -> DHCP Server

3/ System Log -> Port Forwarding (to verify input)

4/ Testing Ports from www.canyouseeme.org
80 + 443 both time out/connection refused

Additional steps taken:
5/ Verified with neighbor using same isp and eero equipment. They have 60+ ports forwarded. Reports zero issues forwarding on their equipment.

6/ My ISP says they are only blocking 25 and the rest is fair game.

7/ I tried resetting firmware to factory default settings with no success.

8/ Tested a different range of port forwards on a second machine on the network with no success.

Am I missing a step somewhere?

 

[eibgrad]

I suggest dumping the relevant data structures to see exactly what's happening (firewall, listening ports, etc.).

iptables -t nat -vnL
iptables -vnL INPUT
iptables -vnL FORWARD
netstat -tupln

It will also tell us if traffic is actually hitting those firewall rules. It's ok to hide your public IP, just do so consistently.

 

[bennor]

@waldo43, Is the device at 192.168.50.54 configured to receive traffic on port 80/443? If the device has a firewall ensure it is configure to accept/allow traffic on ports 80/443.

 

[waldo43]

I suggest dumping the relevant data structures to see exactly what's happening (firewall, listening ports, etc.).

iptables -t nat -vnL
iptables -vnL INPUT
iptables -vnL FORWARD
netstat -tupln

It will also tell us if traffic is actually hitting those firewall rules. It's ok to hide your public IP, just do so consistently.

Thank you @eibgrad

iptables -t nat -vnL
[removed]

 

[waldo43]

[removed]

 

[eibgrad]

Are you double NAT'd? Perhaps behind the ISP's router? Because the following tells me the WAN ip on your router is *private* (192.168.0.2)!

Chain PREROUTING (policy ACCEPT 6961 packets, 2383K bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   664 GAME_VSERVER  all  --  *      *       0.0.0.0/0            192.168.0.2
    8   664 VSERVER    all  --  *      *       0.0.0.0/0            192.168.0.2

You can't port forward to a private IP on the WAN, it must be public. If you're double NAT'd, then you need to place the WAN ip of your router in the DMZ of the upstream (ISP) router. Or else placed the ISP's router into bridge modem (if supported).

 

[waldo43]

Thank you my friend. I logged into the modem and sure enough, we were double running double nat. Hats off to you for helping trouble shoot this.

Have a great weekend !