Port Forward of port 80 to internal server does not work

DD-WRT Forum Index -> Advanced Networking
stefan_gk
DD-WRT Novice


Joined: 17 Sep 2012
Posts: 6

Posted: Tue Apr 20, 2021 9:34    Post subject: Port Forward of port 80 to internal server does not work
Router Model: Linksys WRT1200AC
Firmware Version: DD-WRT v3.0-r46395 std (04/19/21)
Kernel Version: Linux 4.9.267 #2564 SMP Mon Apr 19 03:35:08 +07 2021 armv7l

I set port forward rules for ports 80 and 443 from the internet to a web server located in the LAN. Port 443 is working fine, but I have problems with port 80.

I changed the port for remote administration from LAN & Internet to 8080, but it is still not working.

Even when I stop the admin interfaces completely (LAN & Internet access), it does not work.

I'm not good enough at iptables etc. to check and fix it.

Any help will be highly appreciated.

Stefan Krastanov

P.S.
I also tried setting the host as DMZ; that does not succeed either.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Tue Apr 20, 2021 13:40
Beware, many ISPs block port 80 by default. They'll only offer it to their business customers. And besides, it also makes your router more susceptible to attacks since hackers are specifically targeting the well-known ports (http (80), ftp (21), etc.). Better to use a more obscure port.
_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
stefan_gk
DD-WRT Novice


Joined: 17 Sep 2012
Posts: 6

Posted: Wed Apr 21, 2021 15:11    Post subject: Let's Encrypt is looking for acme-challenge on port 80
Thank you for the proposal, but my final goal is to allow my server to get a Let's Encrypt certificate. My server's client for Let's Encrypt puts verification hashes in .well-known/acme-challenge, and it is accessible only on plain http.

BTW, I started tcpdump on the external interface of the router and tried to request my URL over mobile internet - it gets the requests, so the hypothesis of an ISP block is not proved.

I need some advice on how to trace these requests to the host in the LAN zone.
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1407

Posted: Wed Apr 21, 2021 23:04
What are your firewall/port forwarding rules... maybe you made a mistake there? But if you did put it in DMZ, then it makes me think that something else is wrong.

Do you mind posting pictures of your port forwarding or your iptables firewall output?
stefan_gk
DD-WRT Novice


Joined: 17 Sep 2012
Posts: 6

Posted: Thu Apr 22, 2021 11:58    Post subject: and netstat
Sure. Here you are.

Last edited by stefan_gk on Fri Apr 23, 2021 15:45; edited 1 time in total
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1407

Posted: Thu Apr 22, 2021 23:02
Based on your pictures and firewall, everything is set correctly (one exception)...

Your firewall is even showing that the packets are being forwarded:

Code:

    8   408 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.66.254       tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.66.254       udp dpt:80
   14   651 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.66.254       tcp dpt:443
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.66.254       udp dpt:443


You have 8 hits on tcp 80 and 14 on tcp 443, so it might be on your machine...

Could you also post the result of iptables -t nat -vnL

*1* Note: you have both DMZ and port forwarding enabled; this is probably a conflict and I do not know which takes priority... so either use one or the other.

The only other thing is: is the machine that you want at that IP address?
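The counter check Wildlion describes (sample the FORWARD chain, generate a request from outside, sample again) can be scripted so the "is the router forwarding at all?" question is answered by numbers rather than by eyeballing. This is an added example, not code from the thread or from DD-WRT; the rule text is a constructed sample that mirrors the counters quoted above, and the live `iptables -vnL FORWARD` call is only shown in a comment.

```shell
#!/bin/sh
# Added example: read packet counters for a port-forward ACCEPT rule out of
# `iptables -vnL FORWARD` style output and diff two samples taken around a
# test request. If the delta is > 0 the router is forwarding, and the problem
# sits behind it (host firewall, VM bridge, wrong IP), as it did in this thread.

# Constructed sample, same layout as the counters quoted in the thread.
SAMPLE_BEFORE='    8   408 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.66.254       tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.66.254       udp dpt:80
   14   651 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.66.254       tcp dpt:443
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.66.254       udp dpt:443'

# Constructed second sample: three more TCP/80 packets have been counted.
SAMPLE_AFTER='   11   571 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.66.254       tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.66.254       udp dpt:80
   14   651 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.66.254       tcp dpt:443
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.66.254       udp dpt:443'

# forward_pkts <rules-text> <proto> <dst-ip> <dport>
# Prints the pkts counter of the first matching ACCEPT rule, or 0 if none.
# Columns of `iptables -vnL`: pkts bytes target prot opt in out source destination [match...]
forward_pkts() {
    printf '%s\n' "$1" | awk -v proto="$2" -v dst="$3" -v port="$4" '
        $3 == "ACCEPT" && $4 == proto && $9 == dst && $11 == ("dpt:" port) { print $1; found = 1; exit }
        END { if (!found) print 0 }'
}

# forward_delta <before-text> <after-text> <proto> <dst-ip> <dport>
# Prints how many new packets the rule counted between the two samples.
forward_delta() {
    before=$(forward_pkts "$1" "$3" "$4" "$5")
    after=$(forward_pkts "$2" "$3" "$4" "$5")
    echo $((after - before))
}

# Live use on the router would be:
#   before=$(iptables -vnL FORWARD); <request http://your.wan.ip/ from outside>; after=$(iptables -vnL FORWARD)
#   forward_delta "$before" "$after" tcp 192.168.66.254 80
echo "tcp/80 packets forwarded during test: $(forward_delta "$SAMPLE_BEFORE" "$SAMPLE_AFTER" tcp 192.168.66.254 80)"
```

A positive delta on the router paired with nothing arriving in a tcpdump on the server is the signature of a host-side block, which is exactly what the thread ends up finding.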
stefan_gk
DD-WRT Novice


Joined: 17 Sep 2012
Posts: 6

Posted: Fri Apr 23, 2021 3:04    Post subject: iptables -t nat -vnL
deleted

Last edited by stefan_gk on Fri Apr 23, 2021 15:44; edited 1 time in total
stefan_gk
DD-WRT Novice


Joined: 17 Sep 2012
Posts: 6

Posted: Fri Apr 23, 2021 3:05    Post subject: DMZ off
In the meantime I switched DMZ off.
tedm
DD-WRT Guru


Joined: 13 Mar 2009
Posts: 554

Posted: Fri Apr 23, 2021 5:59
Just out of curiosity, is this a Linux box running Apache? Have you tried killing the apache process when you run certbot? I have had a number of arguments with the certbot fanboyz over on their forum. They swear that certbot sends apache a signal or some such rot and can coexist with it. However I have not found that to be true. I always have to shut down apache, run certbot, then restart apache.

The LetsEncrypt people have complete blinders on about this 3 month certificate expiration business. There is no fragging reason they cannot do what everyone else in the industry does and set the cert expiration to a year out and every time you bring this issue up they have a whole load of baloney reasons like "we wanna force automation so that everyone will use LetsEncrypt" I privately believe there is some sort of political horsecrap going on between the LetsEncrypt people and the rest of the commercial certificate industry. I suspect the rest of the CA's have all gotten together and told LetsEncrypt that if they do 1 year certs and go up against the CAs, that the CA's will all smoosh them. Because after all, why would anyone pay money for a commercial cert when they can get exactly the same thing for free. So, the LetsEncrypt people take pains to make sure their certs ARE NOT exactly the same - instead they have a hamstrung expiration and a hack-and-a-half to get the cert. It's sufficiently trouble-prone, as you are discovering, that most people will just buy the commercial cert.
stefan_gk
DD-WRT Novice


Joined: 17 Sep 2012
Posts: 6

Posted: Fri Apr 23, 2021 15:43    Post subject: Linux box
Oh yes, it's a Linux box. I love the SMEServer contribution (https://wiki.koozali.org) - based on CentOS (ergo Red Hat EE).

I did tcpdump on the LAN interface of the router and in parallel on the "WAN" interface on the server. On the server side there weren't any packets arriving.

I started to doubt the VMware Workstation bridge driver and the Symantec Endpoint Protection client. I stopped SEP and then realized that my Windows firewall was not switched off. I did it in the past, and hoped that SEP, taking the role of firewall, would also turn it off. I went to the control panel and stopped the Windows firewall.

Now the chain from the internet to my SMEServer is clear and I managed to issue a Let's Encrypt certificate.

Thank you everyone for helping me, and sorry to bother you.
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1407

Posted: Fri Apr 23, 2021 19:43
:) yay! glad we got it working for you