
Port forwarding not working


NighthawkFoo

Occasional Visitor
I recently upgraded an Asus RT-N66U running DD-WRT to an Asus RT-AC86U with Merlin version 386.3_2. I have a Raspberry Pi 4 as a home server with a static IP of 192.168.1.99. With DD-WRT, I was able to forward ports from the outside to the Pi so I could access it when away from home. I was forwarding ports for ssh, HTTP, and HTTPS.

After upgrading to the RT-AC86U, I have not been able to get port forwarding working. The Pi hasn't changed, and is plugged directly into the router via Ethernet. It's still listening for traffic, and I can connect to it when I'm on my home network on all the expected ports. I've played with the port forwarding settings in the router web UI, but they don't make a difference. I tried logging in to the router via ssh, and using iptables commands manually to set up port forwarding, but that didn't work either. I was able to see the forwarding rules in the iptables output, but I still haven't been able to connect to my Pi from an external machine.

I feel like I'm missing something obvious here, but I don't know what that might be. Does anyone have any suggestions?
 
Check your WAN IP address. It's likely to have changed with the new router. Also check that it's not a CGNAT address.
 
The WAN address is correct. I have DDNS set up, and the address is being updated. I also tweaked the router to respond to pings, and I can see it from the outside world.
 
If you haven't already:

Try disabling AiProtection
Use different external ports (>10000).
 
I've verified that AiProtection is off, and I just tried forwarding port 10022 to port 22 on 192.168.1.99 using the web UI. I still can't connect externally.

I looked at the output of iptables --list, and I don't see the forwarding rule listed. Should it be there? Or am I looking in the wrong place?
 
Do you perhaps have an active OpenVPN client connected at the same time? Depending on how it's configured, that can cause issues w/ remote access over the WAN.
 
> I looked at the output of iptables --list, and I don't see the forwarding rule listed. Should it be there? Or am I looking in the wrong place?
Look in the GUI at System Log - Port Forwarding.

If you use the command line you need to specify the nat table (-t nat).
 
> Do you perhaps have an active OpenVPN client connected at the same time? Depending on how it's configured, that can cause issues w/ remote access over the WAN.
I do have an OpenVPN client running on that Raspberry Pi, but I don't think that's the issue. I was able to connect to that machine with the old router just fine. In addition, I can disable the VPN, confirm that it's gone, and I still can't connect from the outside world.
 
If the port forward is there and being reached, it will show hit counts on the pkts and bytes columns for that rule in the nat table (specifically the VSERVER chain). Use the following command to dump the nat table.

Code:
iptables -t nat -vnL

Using your specified example, it should look similar to the following (where x.x.x.x is my obscured *public* IP).

Code:
admin@lab-merlin1:/tmp/home/root# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 84 packets, 16712 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   21  1260 GAME_VSERVER  all  --  *      *       0.0.0.0/0            x.x.x.x      
   21  1260 VSERVER    all  --  *      *       0.0.0.0/0            x.x.x.x      

...

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   20  1200 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443 to:192.168.1.1:8443
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:10022 to:192.168.1.99:22
    1    60 VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0
 
Thanks for the command - I see exactly what you're referring to. When I try to ssh in via port 10022 from an external machine, the packet counter is incremented. I have ssh in verbose mode, and it's just hanging on the "Connecting" step.

Code:
admin@RT-AC86U-8190:/tmp/home/root# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 82 packets, 5862 bytes)
pkts bytes target     prot opt in     out     source               destination      
    4   240 GAME_VSERVER  all  --  *      *       0.0.0.0/0            x.x.x.x
    4   240 VSERVER    all  --  *      *       0.0.0.0/0            x.x.x.x
...

Chain VSERVER (1 references)
pkts bytes target     prot opt in     out     source               destination      
    6   360 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:10022 to:192.168.1.99:22
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.99:80
   14   688 VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0
 
Well, the good news is that we know the port forward is there and being reached, so it can't be a problem of having a private IP on the WAN. Once you've reached this point, it tends to be one of two things. Either there's a personal firewall on the target device that's NOT accepting the connection request, OR, you have an active OpenVPN client on the router that has bound that same target to the VPN, making it inaccessible from the WAN (apparently it's NOT the latter given your prior response).
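As an added example (not from the thread or from Asuswrt-Merlin), here is a small Python checker that applies the diagnosis above to two `iptables -t nat -vnL` snapshots: it pulls the DNAT rules out of the VSERVER chain and reports, per external port, whether the forward is missing, present but never hit, or hit, which points at the target host's own firewall or VPN routing rather than the router. The two snapshots are constructed from the output posted in the thread.

```python
from collections import namedtuple

# Two VSERVER snapshots constructed from the output posted in the thread, the
# first taken before an external ssh attempt to port 10022 and the second after it.
BEFORE = """Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:10022 to:192.168.1.99:22
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.99:80
"""
AFTER = """Chain PREROUTING (policy ACCEPT 82 packets, 5862 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   240 VSERVER    all  --  *      *       0.0.0.0/0            x.x.x.x

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    6   360 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:10022 to:192.168.1.99:22
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.99:80
   14   688 VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

Forward = namedtuple("Forward", "pkts proto dport to_host to_port")
_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}

def parse_count(tok):
    """iptables -v abbreviates large counters (12K, 3M); expand them to plain integers."""
    return int(tok[:-1]) * _SUFFIX[tok[-1]] if tok[-1] in _SUFFIX else int(tok)

def parse_vserver(output):
    """Return the DNAT rules of the VSERVER chain, the chain that holds the GUI port forwards."""
    rules, in_chain = [], False
    for line in output.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == "VSERVER"
            continue
        f = line.split()
        if not in_chain or len(f) < 4 or f[2] != "DNAT":
            continue  # header rows, blank lines, VUPNP and rules of other chains
        dport = next(int(t[4:]) for t in f if t.startswith("dpt:"))
        host, port = next(t[3:] for t in f if t.startswith("to:")).rsplit(":", 1)
        rules.append(Forward(parse_count(f[0]), f[3], dport, host, int(port)))
    return rules

def forward_status(before, after, dport):
    """'missing': no rule; 'unreached': counter flat (traffic never arrived at the WAN);
    'reached': counter moved, so the problem is downstream of the router."""
    b = {r.dport: r.pkts for r in parse_vserver(before)}
    a = {r.dport: r.pkts for r in parse_vserver(after)}
    if dport not in a:
        return "missing"
    return "reached" if a[dport] - b.get(dport, 0) > 0 else "unreached"
```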
 
Just to double-check the obvious: the default LAN subnet on an N66U would have been 192.168.1.0/24. On an AC86U, it would be 192.168.50.0/24. Have you deliberately reconfigured the AC86U to use 192.168.1.0/24 when setting it up?

Super basic question, but since it’s not mentioned above, I’ll ask it.
 
Actually, I did change the IP address of the router to be 192.168.1.1, as that's what I used for all my previous routers. I thought it was a strange choice to use the .50 subnet. Could that be the problem?
 
> Actually, I did change the IP address of the router to be 192.168.1.1, as that's what I used for all my previous routers. I thought it was a strange choice to use the .50 subnet. Could that be the problem?
No, but it could have been an issue if your router was configured for 192.168.50.0/24 and you were trying to forward to an address in 192.168.1.0/24.

Post your LAN / DHCP Server settings from the GUI if you want us to double-check your work.
 
Here you go. I have the Pi configured with a static IP from Debian, which is why it's outside the DHCP lease range.

[attached screenshot: LAN / DHCP Server settings]
 
For what it's worth, I had the following lines in my /etc/rc.local file on the Pi in order to get packets routed to thewhen the VPN was active.

Code:
# Allow ssh from non-VPN address: replies sourced from the Pi's LAN address
# are looked up in routing table 128 instead of following the VPN's default route.
ip rule add table 128 from 192.168.1.99
# Table 128: the LAN is directly reachable on eth0, everything else goes via the router.
ip route add table 128 to 192.168.1.0/24 dev eth0
ip route add table 128 default via 192.168.1.1
 
Setting those two external DNS servers on the LAN/DHCP page is usually wrong. You would normally leave them blank, or disable "Advertise router's..." and specify a different local DNS server address (like a PiHole). But that is unrelated to your port forwarding issue.
 
> Setting those two external DNS servers on the LAN/DHCP page is usually wrong. You would normally leave them blank, or disable "Advertise router's..." and specify a different local DNS server address (like a PiHole). But that is unrelated to your port forwarding issue.
I might switch to my PiHole again, but I was avoiding it due to a kernel bug that was causing my Pi4 to hang every day or two. That recently got fixed, and the machine is stable, so I might revert one of these days.
 
So I did some experimenting recently, and it seems that port forwarding completely stops working after a certain amount of router uptime. A soft reboot completely fixes the problem, until it triggers again. I notice this because I'm using Nextcloud on my Pi, and I have my devices pointing to my dynamic DNS address as the endpoint.
 
Maybe load an earlier Merlin FW or stock ASUS FW?
 