[YAPFI] Yet Another Port Forwarding Issue

Hi,

I would like to forward port 443 from WAN to my DMZ. So I’ve made these settings through LuCI but it’s not working. I checked /etc/config/firewall and it seems OK to me. I’m just wondering if it’s not some kind of bug.

$ cat /etc/config/firewall

[…]
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option network 'wan'
	option forward 'ACCEPT'
	option family 'ipv4'
	option masq '1'
	option mtu_fix '1'

config include
	option path '/etc/firewall.user'

config include
	option path '/usr/share/firewall/turris'
	option reload '1'

config include
	option path '/etc/firewall.d/with_reload/firewall.include.sh'
	option reload '1'

config include
	option path '/etc/firewall.d/without_reload/firewall.include.sh'
	option reload '0'

config zone
	option name 'dmz'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'dmz'
	option family 'ipv4'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option dest 'dmz'
	option src 'lan'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '443'
	option name 'foo - 443'
	option family 'ipv4'

config forwarding
	option dest 'dmz'
	option src 'wan'

config forwarding
	option dest 'wan'
	option src 'dmz'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'dmz'
	option proto 'tcp'
	option dest_ip 'xx.xx.xx.xx'
	option src_dport '443'
	option name 'foo - 443'
[…]

Symptom:

$ curl https://my_public_ip
curl: (7) Failed to connect to my_public_ip 443: Connection refused

Also, through nmap I could verify that the port is open. And from my box I’m not receiving any packet from 443 (but it works internally).

Did you move the router management port from TCP 443 to another port number? The router management web service usually listens on 443 (HTTPS) and therefore this port must be cleared before you use it for other purposes.
Disable your WAN-to-DMZ TCP 443 port forwarding, connect your PC by SSH to the router and use this command to check the situation:

netstat -anpt | grep LISTEN

You will see what services (processes) are listening on which ports. Only free (unused) ports can be used for forwarding.

Well, I use only port 80 for LuCI, so I removed HTTPS from lighttpd and I connect to LuCI using an SSH tunnel instead.

So I disabled the port forwarding and checked if the router is listening on port 443. It’s not listening.

I enabled port forwarding again but changed the port to 4444. It didn’t work, and with tcpdump on my interface (pppoe-wan) I can’t see any packets coming.

Is there any daemon that could interfere with packet management? miniupnpd?

No, I think the problem is not interference with another router service now. You have solved the interference at TCP 443. I suppose something is wrong in the firewall or HTTPS.
Please make some tests to separate a possible SSL (HTTPS) problem from a port forwarding problem (static NAT and address/port filtering). My suggestions are:

### A) Test the web server and router by plain HTTP protocol, not HTTPS.

  1. Temporarily enable the web server to listen on TCP=81 (plain HTTP protocol).
  2. Verify the web server is working. Use any PC connected to the DMZ and open the link http://your_web_server_DMZ_address:81
  3. Set router port forwarding for TCP 81 from WAN to the IP address of the web server in the DMZ. Port 81 is usually free; no local router services are listening on it.
  4. Test the web access by a browser running outside (e.g. a smart phone with a public IP address), using this kind of link: http://your_router_public_IP_address:81
     Note that HTTP protocol is used: no SSL, no encryption and no certificate.

This test gives you a result concerning your router firewall setting and static NAT. Probably some ACCEPT rule is wrong (or missing) in the firewall if no packets are traversing and being translated from WAN to DMZ.

Only if your test is successful, continue to test B).

### B) Change the web server port and activate SSL

  1. Reconfigure your web server: change HTTP --> HTTPS and TCP=81 --> TCP=443.
  2. Verify the web server and SSL layer are working fine. Test it directly in the DMZ by HTTPS (secure): https://your_web_server_DMZ_address
  3. Change your firewall and NAT setting (port forwarding). Use TCP=443 instead of 81 at both interfaces, the WAN and the DMZ.
  4. Test the web access by a browser running outside (e.g. a smart phone with a public IP address), using this kind of link: https://your_router_public_IP_address

Recommendation:
Do not use different TCP ports at WAN and LAN for HTTPS. For instance using ports WAN TCP=4444 and DMZ TCP=443 in one translating rule is not recommended.
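As an added example (not from the thread or from Turris/OpenWrt), a POSIX shell script that automates the two checks discussed above: whether a router process already listens on the WAN port (the `netstat -anpt | grep LISTEN` check) and whether a DNAT redirect in /etc/config/firewall actually catches that port. The netstat listing, the firewall excerpt and the DMZ address 10.0.0.10 are constructed sample input.

```shell
#!/bin/sh
# Constructed sample input (not a real router): a netstat -anpt listing and a firewall excerpt.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1203/lighttpd
tcp        0      0 :::22                   :::*                    LISTEN      987/dropbear'
FIREWALL_SAMPLE="config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'dmz'
	option proto 'tcp'
	option dest_ip '10.0.0.10'
	option src_dport '443'
	option name 'foo - 443'"

# listener_on PORT LISTING: print PID/program of a process LISTENing on PORT; exit 1 if none
listener_on() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $6 == "LISTEN" { n = split($4, a, ":"); if (a[n] == port) { print $7; found = 1 } }
        END { exit found ? 0 : 1 }'
}

# redirect_target PORT CONFIG: print dest_ip:dest_port of the DNAT redirect whose src_dport is PORT
redirect_target() {
    printf '%s\n' "$2" | awk -v port="$1" -v q="'" '
        function flush() {
            if (sec == "redirect" && o["target"] == "DNAT" && o["src_dport"] == port) {
                # fw3 defaults dest_port to src_dport when it is omitted
                print o["dest_ip"] ":" (("dest_port" in o) ? o["dest_port"] : port); found = 1
            }
            split("", o); sec = ""
        }
        $1 == "config" { flush(); sec = $2 }
        # option values may contain spaces (e.g. name), so take the rest of the line and strip quotes
        $1 == "option" { v = $0; sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]*/, "", v); gsub(q, "", v); o[$2] = v }
        END { flush(); exit found ? 0 : 1 }'
}

# check_forward PORT CONFIG LISTING: verdict for the WAN-side port (BUSY / FORWARDED / NO_REDIRECT)
check_forward() {
    if proc=$(listener_on "$1" "$3"); then
        echo "BUSY:$proc"; return 1          # a local service must be moved off the port first
    fi
    if tgt=$(redirect_target "$1" "$2"); then
        echo "FORWARDED:$tgt"; return 0      # only the DNAT redirect is needed, no ACCEPT rule
    fi
    echo "NO_REDIRECT"; return 1
}

check_forward 443 "$FIREWALL_SAMPLE" "$NETSTAT_SAMPLE" || :
check_forward 80  "$FIREWALL_SAMPLE" "$NETSTAT_SAMPLE" || :
```

On a real router, replace the two constructed variables with `$(netstat -anpt)` and `$(cat /etc/config/firewall)`.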

Ok, I’m going to test that, but unfortunately not now as I’m far away from the router for a few days. I will let you know once done.

Have you tried from internal or external?
Another question, why the ACCEPT rule?
For me it is working without an explicit ACCEPT rule, only DNAT rule.

I tried from internal. Maybe it was not a good idea.

I changed the explicit ACCEPT rule; I have only the DNAT one and still the same symptom. Right now I don’t have access to the router for further testing, but I will test again when I’m back.

Hi,

I can close this now as, I don’t know why, but now it’s working :wink: