Redirect a port to another on router itself


due to a series of circumstances, I need to have a “common” port (like 587) redirect to another one, but on the firewall itself (i.e., I try to connect to the router on port 22 but my connection ends up on 12345 instead). While for TCP it worked, I wasn’t able to get it working with UDP.
Note that port 12345 is already open on the router, I just can’t connect to it directly due to certain policies on the machine I want to attempt the connection from.

How did you try to test the UDP redirect?

I used WireGuard, which only listens on UDP. I couldn’t get a handshake done. OTOH, forwardig 587 to 22 (for SSH; TCP) did work.

Please post the relevant section of your /etc/config/firewall, you should find something like that:

config 'redirect'
        option 'name' 'hidden udp port'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'src_dport' '5555'
        option 'dest_ip' ''
        option 'dest_port' '22'
        option 'target' 'DNAT'
        option 'dest' 'lan'

Honest question: why do I need DNAT? This is on the router itself.

config redirect
        option name 'Wireguard_test'
        option src 'wan'
        option dest 'lan'
        option src_dport '587'
        option proto 'udp'
        option dest_port '51820'
        option dest_ip '' # Router IP

EDIT: In fact, iptables uses REDIRECT in this case when the rules are applied (this output is from an earlier version that doesn’t have the IP baked in).

# iptables -t nat -L
REDIRECT   udp  --  anywhere             anywhere             udp dpt:587 /* Wireguard_test */ redir ports 51820

Apologize, probably I do not understand your initial requirement. What does “on the router itself” mean? Redirection within the same firewall zone (lan)? Maybe a small picture or users with much more firewall know how will help …

Ok, let’s reword, since I understand it’s not clear at all:

  1. Router has one service on port 51820 (UDP), which is opened to outside (WAN)
  2. I can’t access 51820 from a certain location (filtered) so I need to use a more common port
  3. I’d need to connect to port 587, or equivalent, and get redirected to port 51820, still on the router.

When doing this on TCP (forward port 587 to 22, for example, TCP) it works (granted, port 22 was never open to the outside). When doing this with UDP, it basically does nothing (connections time out).