Redirect a port to another on router itself

Hello,

due to a series of circumstances, I need to have a “common” port (like 587) redirect to another one, but on the firewall itself (i.e., I try to connect to the router on port 22 but my connection ends up on 12345 instead). While for TCP it worked, I wasn’t able to get it working with UDP.
Note that port 12345 is already open on the router, I just can’t connect to it directly due to certain policies on the machine I want to attempt the connection from.

How did you try to test the UDP redirect?

I used WireGuard, which only listens on UDP. I couldn’t get a handshake done. OTOH, forwarding 587 to 22 (for SSH; TCP) did work.

Please post the relevant section of your /etc/config/firewall; you should find something like this:

config 'redirect'
        option 'name' 'hidden udp port'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'src_dport' '5555'
        option 'dest_ip' '192.168.1.100'
        option 'dest_port' '22'
        option 'target' 'DNAT'
        option 'dest' 'lan'

Honest question: why do I need DNAT? This is on the router itself.

config redirect
        option name 'Wireguard_test'
        option src 'wan'
        option dest 'lan'
        option src_dport '587'
        option proto 'udp'
        option dest_port '51820'
        option dest_ip '192.168.10.1' # Router IP

EDIT: In fact, iptables uses REDIRECT in this case when the rules are applied (this output is from an earlier version that doesn’t have the IP baked in).

# iptables -t nat -L
[...]
REDIRECT   udp  --  anywhere             anywhere             udp dpt:587 /* Wireguard_test */ redir ports 51820

Apologies, I probably do not understand your initial requirement. What does “on the router itself” mean? Redirection within the same firewall zone (lan)? Maybe a small picture, or users with much more firewall know-how, will help …

Ok, let’s reword, since I understand it’s not clear at all:

  1. Router has one service on port 51820 (UDP), which is opened to outside (WAN)
  2. I can’t access 51820 from a certain location (filtered) so I need to use a more common port
  3. I’d need to connect to port 587, or equivalent, and get redirected to port 51820, still on the router.

When doing this on TCP (forwarding port 587 to 22, for example) it works (granted, port 22 was never open to the outside). When doing this with UDP, it basically does nothing (connections time out).
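One way to answer the earlier question of how the UDP redirect was tested, without depending on a WireGuard handshake: the probe below is an added example and not code from the thread or from OpenWrt. It has two halves. `reflect_one` stands in for the service: it binds the destination port (51820 in the thread; WireGuard has to be stopped while testing, since only one process can own that UDP port) and echoes the first datagram back with a fixed tag. `send_probe` runs on the outside host and sends a random nonce to the redirect port (587 in the thread), accepting only a reply that carries the tag plus that exact nonce, so a stray datagram cannot be mistaken for a working redirect. `check_udp_path` runs both halves on one machine over loopback, where no redirect exists, which reproduces the symptom described above: probing the port the listener is bound to gets a reply, probing any other port silently times out. The tag string, the hostnames and the port choices are constructed for the example.

```python
"""UDP redirect probe: a constructed example, not from the forum thread or from OpenWrt."""
import os
import socket
import sys
import threading

# Constructed marker: a reply counts only if it carries this tag plus the sender's own nonce,
# so an unrelated datagram arriving on the port cannot pass for a working redirect.
PROBE_TAG = b"udp-redirect-probe:"


def reflect_one(sock, timeout=5.0):
    """Service side: wait for one datagram on an already bound socket and echo it
    back to the sender prefixed with PROBE_TAG. Returns True if something was
    reflected, False if nothing arrived before the timeout (or the socket was closed)."""
    sock.settimeout(timeout)
    try:
        data, peer = sock.recvfrom(2048)
    except (socket.timeout, OSError):
        return False
    sock.sendto(PROBE_TAG + data, peer)
    return True


def send_probe(host, port, timeout=2.0):
    """Client side: send a random nonce to host:port and report whether the tagged
    reflection came back. A silent timeout is exactly the symptom of a redirect
    that does not deliver UDP to the listener."""
    nonce = os.urandom(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
        client.settimeout(timeout)
        try:
            client.sendto(nonce, (host, port))
            data, _ = client.recvfrom(2048)
        except (socket.timeout, OSError):
            return False
    return data == PROBE_TAG + nonce


def check_udp_path(listen_port, probe_port, host="127.0.0.1", timeout=1.0):
    """Run both halves on one host: bind the reflector on listen_port and probe
    probe_port. With no redirect in the path, only listen_port == probe_port
    can succeed; any other probe_port times out and yields False."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind((host, listen_port))
    worker = threading.Thread(target=reflect_one, args=(listener, timeout + 1.0), daemon=True)
    worker.start()
    try:
        return send_probe(host, probe_port, timeout)
    finally:
        listener.close()
        worker.join(timeout=timeout + 2.0)


def two_free_udp_ports(host="127.0.0.1"):
    """Pick two distinct free UDP ports by binding both to port 0 at the same time."""
    a = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    b = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    a.bind((host, 0))
    b.bind((host, 0))
    ports = (a.getsockname()[1], b.getsockname()[1])
    a.close()
    b.close()
    return ports


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "listen":
        # On the router, on the real destination port (the service must be stopped first).
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.bind(("0.0.0.0", int(sys.argv[2])))
            print("reflected a datagram" if reflect_one(s, 60.0) else "nothing arrived")
    elif len(sys.argv) == 4 and sys.argv[1] == "probe":
        # From the outside host, aimed at the redirect port on the router's WAN address.
        ok = send_probe(sys.argv[2], int(sys.argv[3]))
        print("redirect delivers UDP" if ok else "no reply (timed out)")
    else:
        # Loopback self-check: same port replies, a different port times out.
        p, q = two_free_udp_ports()
        print("same port:", check_udp_path(p, p), "| different port:", check_udp_path(p, q))
```

Usage across two hosts: `python3 udp_probe.py listen 51820` on the router (with WireGuard stopped), then `python3 udp_probe.py probe <router-wan-ip> 587` from the filtered location. A reply proves the redirect rule delivers UDP to the local listener; a timeout isolates the problem to the firewall rule rather than to the WireGuard handshake.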