[SOLVED] RT-AX86U Port Forwarding issue

MyNameIsKevin

Hi,

I have an RT-AX86U with stock firmware/Merlin (tried both, back to stock) and I can't seem to forward any ports.
I've contacted my internet provider and they claim the modem is in bridge mode (which I asked them to do, just to confirm I contacted them again).

I can confirm this; when I plug a small light-weight laptop to the modem directly, I can ssh to it from my phone's mobile hotspot.

Port forwarding switch is on.
NAT is on
UPnP is disabled
static IP router is 192.168.1.254
SSH is on for LAN
I use Cloudflare DNS 1.1.1.1 but that shouldn't really matter.
Changed nothing else ( I believe, and checked to be certain)

I tried port 80 ext, to int 192.168.1.10 (test webserver) without internal port 80 defined, and with.
Tried SSH.
Both fail, no port seems to forward.

I can confirm however, that when I select to administer the router via WAN, I can connect through my phone's mobile hotspot to it and log in successfully like I would through LAN,
this is the same for SSH when I enable it for WAN; I can successfully SSH to it from my phone's mobile hotspot.

This is the IP tables output (123.456.123.456 to hide my private IP):

@RT-AX86U-C018:/tmp/home/root# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 432 packets, 28835 bytes)
pkts bytes target prot opt in out source destination
63 3646 GAME_VSERVER all -- * * 0.0.0.0/0 123.456.123.456
61 3542 VSERVER all -- * * 0.0.0.0/0 123.456.123.456

Chain INPUT (policy ACCEPT 290 packets, 17892 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 52 packets, 4074 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 70 packets, 5529 bytes)
pkts bytes target prot opt in out source destination
316 21267 MASQUERADE all -- * eth0 !123.456.123.456 0.0.0.0/0 mode: fullcone
7 1358 MASQUERADE all -- * br0 192.168.1.0/24 192.168.1.0/24

Chain DNSFILTER (0 references)
pkts bytes target prot opt in out source destination

Chain GAME_VSERVER (1 references)
pkts bytes target prot opt in out source destination
2 104 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.1.10:80

Chain LOCALSRV (1 references)
pkts bytes target prot opt in out source destination

Chain MAPE (0 references)
pkts bytes target prot opt in out source destination

Chain PCREDIRECT (0 references)
pkts bytes target prot opt in out source destination

Chain VSERVER (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 to:192.168.1.10:22
5 300 DNAT tcp -- * * 188.206.107.172 0.0.0.0/0 tcp dpt:12345 to:192.168.1.10:80
56 3242 VUPNP all -- * * 0.0.0.0/0 0.0.0.0/0
56 3242 LOCALSRV all -- * * 0.0.0.0/0 0.0.0.0/0
56 3242 DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:192.168.1.10

Chain VUPNP (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23560 to:192.168.1.90:4000
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25812 to:192.168.1.95:4000

I'm moderately familiar with networking since IT is my main source of income.

I'm however not familiar with ASUS routers, this is my first one. So it could be as simple as a hidden switch or something that's turned off that looks unrelated but isn't.

Could anyone more knowledgeable/experienced please offer some assistance?
 
That all looks OK. We can even see that traffic is hitting those rules as expected.

I see that you've restricted the source address for port 12345>80 but I assume that's just part of your experimentation, as is the fact that you've put 192.168.1.10 in the DMZ.

In cases like this it's usually the local firewall on the server that's the problem.
 
If you are running Asus cloud services, AiCloud, the port 80 forward may not work. I have port 443 set to a web server on my LAN and it works. If you really need to use port 80 on an internal device, set the internal port to 80 and the external port to something else like 8080.
 

@ColinTaylor

Thanks for your reply. Indeed, the restricted IP is my mobile hotspot's IP and I've experimentally put the server as DMZ.

Yeah I thought so too, but the testserver doesn't have any iptables/further firewall issues.

root@eos:~# ip a | grep inet
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
inet 192.168.1.10/24 brd 192.168.1.255 scope global ens18
inet6 fe80::74be:d5ff:feb7:982/64 scope link
root@eos:~# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

What is strange though, is that I can resolve my external IP from inside (my LAN). So in this case http://123.456.123.456:12345 (or whatever testport I used) shows a little 'o' , which is the content of index.html on EOS.

@bbunge


No bueno, I don't have any AI or cloud service turned on.
 
Yeah I thought so too, but the testserver doesn't have any iptables/further firewall issues.
In the case of web servers they often have their own access restrictions, the default being to only reply to the local subnet. But that's not normally the case for SSH. Try running tcpdump on the server and seeing if any of the traffic is reaching it.
 
Hero! It was indeed a subnet issue, but not exactly what you thought.

I installed this server about 7 years ago. In the meanwhile I switched from setting up network interfaces on the machine itself, to managing local machine IP assignments and DNS settings from the router. So all the servers were using gateway 192.168.1.1, but my new router has IP 192.168.1.254.

So it was casting to the local network fine, which explains why I could view it from LAN but not WAN.

After changing the default gateway to the proper address, all works fine now. I'm going to switch it to DHCP and assign it a static IP through the router interface.

Thanks!
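
The fault found in this thread, a server whose default gateway (192.168.1.1) was not the forwarding router (192.168.1.254), can be checked from the server's own routing table. The following is an added example, not part of the original posts; the function names and the two sample route tables are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect a forwarded server whose default gateway is not
# the router doing the port forward (DNAT arrives, replies go nowhere).

# Print the gateway of every IPv4 default route read from stdin.
# Expected input format: output of `ip -4 route show`.
default_gateways() {
    awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "via") print $(i + 1) }'
}

# check_gateway ROUTER_IP   (route table on stdin)
# Returns 0 = ok, 1 = a default route uses another gateway, 2 = no default route.
check_gateway() {
    router=$1
    gws=$(default_gateways)
    if [ -z "$gws" ]; then
        echo "no default route: replies to WAN clients cannot leave the LAN"
        return 2
    fi
    for gw in $gws; do
        if [ "$gw" != "$router" ]; then
            echo "default gateway $gw is not the forwarding router $router"
            return 1
        fi
    done
    echo "default gateway matches $router"
    return 0
}

# Constructed sample: route table of a server in the state described above.
SAMPLE_BAD='default via 192.168.1.1 dev ens18 onlink
192.168.1.0/24 dev ens18 proto kernel scope link src 192.168.1.10'

# Constructed sample: the same server after the gateway was corrected.
SAMPLE_GOOD='default via 192.168.1.254 dev ens18 onlink
192.168.1.0/24 dev ens18 proto kernel scope link src 192.168.1.10'

# On a live host, feed it the real table:
#   ip -4 route show | check_gateway 192.168.1.254
```

LAN clients on 192.168.1.0/24 are reached through the on-link route and never use the default gateway, which is why the server answered from the LAN while WAN connections failed.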
 
