Port Forwarding - basic config

Hi,

I’ve replaced my old router with my TO and I’m having problems with setting up the port forwarding. I need 85, 9000 and 18004 open and forwarded to my CCTV device @ 192.168.1.96. These are my forwards.


I’ve also opened the same ports.

However, https://www.yougetsignal.com/tools/open-ports/ still reports these ports as closed.

I assume that I’ve missed some other config setting that my previous router didn’t have. Can someone please point me in the right direction to fix this? Many thanks.

Yes, you missed it completely, because these are two different things on the two sheets.

If you open a port, that means traffic from the WAN ends up on this device, e.g. there has to be some daemon running on Turris that handles incoming traffic on the chosen port.

If you set up port forwarding to another device in your LAN, then all traffic is forwarded to the chosen IP, 192.168.1.96 in your case. So delete the rules Open85, Open9000 and Open 18004 and keep ONLY Swann Media, Swann Host and Swan HTTP, and it should redirect all traffic from the WAN to your camera.

Hi,

Thanks for the reply. The setup that you have suggested is what I had originally, and that didn’t work either. However, I see what you mean about opening the ports to “device”. They should be “forwarded” to “lan”, I assume. However, this means that I don’t understand the difference between the “Port Forwards” section and the “Traffic Rules” section. Both appear to be able to forward ports. Is there a difference?

Anyway, this is what I now have, but it still doesn’t work.


Let me know what I’m doing wrong there. :slight_smile:

Your setting is correct and should definitely work. But there could be some other problem with your connection, likely on your ISP’s side; those ports could be blocked. So you need to troubleshoot it somehow. I would recommend installing NGINX on Turris and configuring it to listen on port 85. Then you have to open port 85 (not forward!) in Traffic Rules. Then use some other network connection (mobile LTE or other) to connect to your WAN IP: try opening http://your_wan_ip:85 in a web browser and see if you get some response. Of course, you should first make some hello page on the nginx server and test it from your LAN, just to verify that your NGINX server returns a page on port 85 from your LAN. This way you make sure that something is listening on port 85, and if it is not reachable from the WAN (internet), there is something wrong with your network connection at the ISP. If you get a correct response from the WAN, then remove 85 from Traffic Rules, set up port forwarding to your camera, and that should work.

By default the Turris firewall setup is to deny all requests, and then it looks like the port is closed from the WAN.
In order to enable some communication you have to have something running on a certain port on the Turris device itself, or forward the port to another device within your LAN. So that’s the difference.

Or a better idea: if you have Foris running on Turris, then you could set up a port forwarding rule for port 85 (or any other you want) and forward it to your Turris local IP address (usually 192.168.1.1 if you did not change it), but change the destination port to 80. This way, if you open your WAN IP address from a mobile phone, entering something like http://your_wan_ip_address:85 should open the Foris login page, and you will have verified that port 85 is not blocked on the way.

Hi,

I’ll try NGINX. My ISP isn’t blocking, as this was working perfectly well before I changed my router. I’ll update here with the results either way later. Thanks.

Are you sure about source ports? I doubt the other party starts its session at the same source port as the destination port. I would try to remove the source port criteria.

Hi,

Nope, I’m not sure at all. I’ve never done any forwarding on an OpenWrt router before. I assumed that source port referred to the incoming port when the request arrived at the router, but without some clear documentation, I can’t be sure. The OpenWrt documentation implies that my interpretation is correct, but as it doesn’t actually work, I could easily be wrong. I’m going to have to just try stuff…

I use the Port Forwards section and that works OK. Try to move your rules there. Good luck.

Did you manage to work it out? I too am unable to set up port forwarding or find any documentation for the Turris Omnia to help.

Hi.
I am also interested in this, as I’m trying to set up a WireGuard VPN on a LAN device.
Is there any manual at the moment explaining port forwarding?
I searched in the documentation but had no luck (maybe I’m a search noob there).
I will play a bit but will appreciate guidance from somebody experienced.

Port forwarding is actually needed when you want to forward traffic from some network to a host in another network, such as from the WAN (internet) to one of your hosts in your local network. Normally that host is not reachable from the internet; by port forwarding you make your internal host accessible from the internet.

Assume your LAN is 192.168.1.0/24 and the router has IP 192.168.1.1, and an HTTP server is running on host 192.168.1.26, so you do port forwarding: an incoming connection to WAN port 80 (http://wanIp:80) goes to 192.168.1.26:80. Port opening is not needed on the router.

On the other hand, if the HTTP server is running on the router itself and you want it to be accessible from the internet, you just allow incoming connections for port 80 on the router; no port forwarding.

Regarding VPN, it makes your local networks accessible from the internet by secure tunnelling. It is a better choice than port forwarding.
There is a WireGuard Turris community wiki for WireGuard setup.

That is how I understand it.
The only thing I have configured now is

I played a lot with different zones and forwards and all I could find, but it does not go through.
I will have to install a web server with a simple page, but I’m not WRT Linux skilled yet, and the manual on how to install uhttpd gives me an error:

opkg install uhttpd
Unknown package 'uhttpd'.
Collected errors:
 * opkg_install_cmd: Cannot install package uhttpd.

Looks good, but there must be a listening server (HTTP server etc.) on that host:port, 192.168.1.2, otherwise it is pointless.
You will install the HTTP server on that host (PC, whatever it is), not the router. You can try lighttpd for example.

I have a testing Docker app on that machine, and when I open 192.168.1.2:12346 on my network, the login page is shown.
This part I have solved.

“Try lighttpd”: you mean on the Omnia?

No, nothing to install on the router, which simply forwards the packets to the machine with LAN address 192.168.1.2 on port 12346. However, that machine must have the port open and server software (lighttpd or other) able to deal with the incoming packets. You do this port forwarding because you expect incoming requests from the outside world (= WAN).

Well, it is already accessible within your LAN without port forwarding. You do port forwarding because you want to access that machine from the internet, so you should test from the internet, like http://wanIP:80.
See your setup; it says from WAN to 192.168.1.2.

Seems like we are going in circles.
The situation is:

ISP says all ports are forwarded to my router (Omnia).

So now I’m wondering how I can test further.

Please verify the rule from cmd line:
iptables -t nat -S|grep 12346

It should be like below:

-A zone_wan_prerouting -p tcp -m tcp --dport 12346 -m comment --comment "!fw3: test12346" -j DNAT --to-destination 192.168.1.2:12346

If not, the firewall might not have been restarted. Try restarting it manually:

/etc/init.d/firewall restart

Btw, after saving the rule, have you clicked Save & Apply? Actually that button should restart the firewall with the new settings.

Also check:
ip route
There should be:
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
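As an added example (not from the thread, and not Turris or OpenWrt project code), here is a small POSIX shell script that applies the check above to the output of `iptables -t nat -S`: it confirms that a WAN-side DNAT rule exists for the forwarded port and destination, counts the LAN-side reflection rules that come with it, and in its comments shows the `/etc/config/firewall` stanzas behind the Port Forwards page (a `redirect`) and the "open port" entry on the Traffic Rules page (a `rule`) that the earlier posts distinguish. The sample rule lines, the WAN address 203.0.113.10 and the function names `has_wan_dnat`, `count_reflection` and `check_live` are constructed for this example.

```shell
#!/bin/sh
# Added example: verify an OpenWrt/fw3 port forward from `iptables -t nat -S` output.

# What the two LuCI pages produce in /etc/config/firewall (fw3 syntax):
#
# Port Forwards page -> DNAT to a LAN host; shows up in the nat table:
#   config redirect
#       option name 'test 12346'
#       option src 'wan'
#       option src_dport '12346'
#       option dest 'lan'
#       option dest_ip '192.168.1.2'
#       option dest_port '12346'
#       option proto 'tcp udp'
#       option target 'DNAT'
#
# Traffic Rules page, "open port" on the router itself -> ACCEPT in the
# filter table (zone_wan_input); it creates NO nat rule, so a service on
# another LAN host stays unreachable with this alone:
#   config rule
#       option name 'Open85'
#       option src 'wan'
#       option dest_port '85'
#       option proto 'tcp'
#       option target 'ACCEPT'

# Constructed sample of `iptables -t nat -S` after a redirect for tcp/12346.
# The address after -d in the reflection rules is the router's current WAN IP.
SAMPLE_NAT_RULES='-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.2/32 -p tcp -m tcp --dport 12346 -m comment --comment "!fw3: test 12346 (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_prerouting -s 192.168.1.0/24 -d 203.0.113.10/32 -p tcp -m tcp --dport 12346 -m comment --comment "!fw3: test 12346 (reflection)" -j DNAT --to-destination 192.168.1.2:12346
-A zone_wan_prerouting -p tcp -m tcp --dport 12346 -m comment --comment "!fw3: test 12346" -j DNAT --to-destination 192.168.1.2:12346
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE'

# has_wan_dnat PROTO DPORT DEST_IP:DEST_PORT   (rule lines on stdin)
# Exit 0 when a zone_wan_prerouting DNAT for that protocol/port/destination
# exists; this is the rule that actually makes the forward work from the WAN.
has_wan_dnat() {
    proto=$1; dport=$2; dest=$3
    grep -q -- "^-A zone_wan_prerouting -p $proto .* --dport $dport .* -j DNAT --to-destination $dest\$"
}

# count_reflection DPORT   (rule lines on stdin)
# Prints how many LAN-side "(reflection)" rules exist for the port. They only
# matter for reaching the service via the WAN IP from inside the LAN, so their
# absence does not explain a forward that fails from the internet.
count_reflection() {
    grep -c -- "^-A zone_lan_.* --dport $1 .*(reflection)" || true
}

# check_live PROTO DPORT DEST_IP:DEST_PORT
# Same check against the running router (needs root and iptables on the box).
check_live() {
    iptables -t nat -S 2>/dev/null | has_wan_dnat "$@"
}

# Stand-alone demonstration on the constructed sample.
if printf '%s\n' "$SAMPLE_NAT_RULES" | has_wan_dnat tcp 12346 192.168.1.2:12346; then
    echo "tcp/12346 -> 192.168.1.2:12346: WAN DNAT present"
else
    echo "tcp/12346: WAN DNAT missing (firewall not restarted, or created as an 'open port' rule?)"
fi
echo "reflection rules for 12346: $(printf '%s\n' "$SAMPLE_NAT_RULES" | count_reflection 12346)"
```

On the router itself, `check_live tcp 12346 192.168.1.2:12346 && echo ok` is the one-liner equivalent of the grep in the post above; a missing line after Save & Apply points at the firewall not having been restarted, and a line that is present while the service is still unreachable from outside points at the host (nothing listening, host firewall) or at the path before the router.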

Thanks for the tip.
This is my output, and I found the line you referred to:

iptables -t nat -S|grep 12346
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.2/32 -p tcp -m tcp --dport 12346 -m comment --comment "!fw3: test 12346 (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.2/32 -p udp -m udp --dport 12346 -m comment --comment "!fw3: test 12346 (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.10.13/32 -p tcp -m tcp --dport 12346 -m comment --comment "!fw3: test 12346 (reflection)" -j DNAT --to-destination 192.168.1.2:12346
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.10.13/32 -p udp -m udp --dport 12346 -m comment --comment "!fw3: test 12346 (reflection)" -j DNAT --to-destination 192.168.1.2:12346
-A zone_wan_prerouting -p tcp -m tcp --dport 12346 -m comment --comment "!fw3: test 12346" -j DNAT --to-destination 192.168.1.2:12346
-A zone_wan_prerouting -p udp -m udp --dport 12346 -m comment --comment "!fw3: test 12346" -j DNAT --to-destination 192.168.1.2:12346

Also, in ip route there is the exact line you have posted.

And yes, I clicked Save & Apply.

I tried and it is the same: postrouting is missing somehow (might not be needed).
But the forward rule is also missing. It seems it doesn’t create the forwarding rule just by adding a port forward unless forwarding from WAN was allowed before.

You need to add "allow forward from wan" to the bottom one; this screen is from the LAN zone (edit).