DNAT port forwarding help needed [Solved]

solved

#1

Spent all day trying to figure out how to enable a single port but am going to give up for now :frowning:

Omnia WAN IP 192.168.1.85 (DHCP and reserved on ISP router)
Omnia LAN IP 10.0.112.254
NAS IP:port (to be access from the internet) 10.0.112.40 (fixed IP and added hostname in Omnia)

What I tried using LuCI:
used fresh install default firewall config:


config defaults
option syn_flood ‘1’
option input ‘ACCEPT’
option output ‘ACCEPT’
option forward ‘REJECT’

config zone
option name ‘lan’
list network ‘lan’
option input ‘ACCEPT’
option output ‘ACCEPT’
option forward ‘ACCEPT’

config zone
option name ‘wan’
list network ‘wan’
list network ‘wan6’
option output ‘ACCEPT’
option masq ‘1’
option input ‘REJECT’
option forward ‘REJECT’

config forwarding
option src ‘lan’
option dest ‘wan’

Adding one of these 2 or both:

config redirect
option target ‘DNAT’
option src ‘wan’
option proto ‘tcp’
option src_dport ‘5001’
option dest_ip ‘10.0.112.40’
option dest_port ‘5001’
option name ‘nas’
option dest ‘lan’

config rule
option enabled ‘1’
option target ‘ACCEPT’
option name ‘nas’
option family ‘ipv4’
option src ‘wan’
option dest ‘lan’
option dest_ip ‘10.0.112.40’
option dest_port ‘5001’


Used https://www.yougetsignal.com/tools/open-ports/. to check port 5001
and enabled
tcpdump -pnvvi eth1 port 5001
to see if I would get any traffic from wan. Which I did get whenever I opened the ISP router FW port and probed the port fromm the outside (so Double NAT config I guess):

[mss 1460,sackOK,TS val 3200491581 ecr 0,nop,wscale 8], length 0
19:32:59.780868 IP (tos 0x0, ttl 51, id 43936, offset 0, flags [DF], proto TCP (6), length 60)
198.199.98.246.58956 > 192.168.1.85.5001: Flags [S], cksum 0xe65b (correct), seq 3614182306, win 14600, options


#2

It looks like you do not have a public IP (your ISP does not support open ports or DMZ).


#3

Hi,
Thanks for reply.
Actually the same setup with my previous router did work fine. I do have a fixed public ip address assigned so i can skip ddns and have my fqdn resolving my isp assign pub ip.

But in the meantime I found a thread which suggested to restart the fw and capture the output and it gives out strange errors indeed.

/etc/init.d/firewall restart output:

Warning: Unable to locate ipset utility, disabling ipset support

  • Flushing IPv4 filter table
  • Flushing IPv4
  • Running script ‘/etc/firewall.user’
  • Running script ‘/usr/share/firewall/turris’
    ! Skipping due to path error: No such file or directory
  • Running script ‘/etc/firewall.d/with_reload/firewall.include.sh’
  • Running script ‘/etc/firewall.d/without_reload/firewall.include.sh’
  • Running script ‘/usr/share/miniupnpd/firewall.include’

So maybe there is a problem with the big update the Omnia went through at initial config.

Will try to restore image via usb. Fingers crossed.

The only change I did was to install an msata disk inside before turning it on for the first time so that the wifi would work without any modifications. Which it did. Everything else seems to be running just fine. Also during initial config When I tried to format the msata it asked me if I wanted to migrate the oftenly written data to the new disk.


#4

I see the rule in addition - to delete it, just to be redirect.


#5

Reflashed but nothing changed :frowning:
Yes I did enable only one of the 2 rules. Now only forwarding is up. But still no luck.


#6

The firewall is fine (only forwarding) , then it should be blocked by the provider.

TCP is OK?
ISP only allowed port 5001?


#7

Why would the provider block the port only after I replaced my old router with the omnia. And then why is the traffic detected inside the omnia with the tcpdump. When I close the isp router 5001 port forwarding, the tcpdump does not show any traffic. Does this not tell that the isp router is indeed configured Ok if the omnia show traffic at ingress?


#8

Firewall looks good on my side. It can be more factors like a subnet, a gateway, a running service on NAS, and so on.

I’m sorry, I’m not going to tell you better. :frowning_face:


#9

Yes it was the default gateway. Changed it with new router but forgot to reflect this in ALL of my fixed ip devices (the nas). Doh!
When will I learn the lesson… recheck the simple stuff first!

Thanks so much for your help.