Posted: Fri Jan 15, 2010 23:05 Post subject: Problem w/ port mapping on AR670W w/build 13069
Port mapping and port forwarding don't seem to be working.
When coming in from the Internet I'm having trouble with port mapping and port forwarding to an internal Apache/HTTPd machine which is listening on my LAN on port 80 and port 443 (Apache web server). I can, however, access those services on those same ports when originating connections from within the LAN to the WAN IP.
Looking at the Active IP Connections Table (https://my.example-dd-wrt.test:myport/Status_Conntrack.asp) I can see connections arriving at the WAN IP on the correct ports, but the status stays as 'Unreplied', and on the internal (LAN side) Apache/HTTPd machine netstat -an shows the right ports are listening but never sees a connection on the mapped ports from the dd-wrt AR670W.
I've checked, double and triple checked all the port mapping settings using the DD-WRT web GUI and I've even tried using port range forwarding instead of port mapping. I grep'ed the nvram to ensure the mapping is in place and it is.
example:
root@DD-WRT:~# nvram show |grep my-LAN-IP.httpServer:80
forward_spec=Apache-http:on:tcp:80>my-LAN-IP.httpServer:80
On my LAN I have confirmed that ports 80 and 443 are listening and reachable from my DD-WRT. I confirmed this by telnetting from the myLAN-IP.DD-WRT command line to my-LAN-IP.httpServer on both port 80 and 443, and I get the expected telnet responses.
I took it a step further using the dd-wrt command line with the iptables command.
(I read through http://www.dd-wrt.com/wiki/index.php/Port_Forwarding and tried this, using my LAN IP addresses):
iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to my-LAN-IP.httpServer:80
iptables -I FORWARD -p tcp -d my-LAN-IP.httpServer --dport 80 -j ACCEPT
Based on the output of the following command, I believe the settings are correct and have been applied.
So having said all of this, can anyone comment on what might be wrong or how else I might troubleshoot this problem? Did I miss something silly/obvious?
Posted: Tue Jan 19, 2010 19:45 Post subject: ISP or Http server restrictions?
Two possibilities are:
1. Your ISP blocks the ports you are trying to forward. (My ISP blocks port 80.) Try a different port and forward it to 80 on your http server.
2. Your http server has firewall rules that block all but your LAN. (Look at iptables -L on the http server.)
You could test these by connecting your http server directly to your ISP connection. (Bearing in mind that you lose the firewall protections of the router.)
Posted: Wed Jan 20, 2010 20:25 Post subject: Re: ISP or Http server restrictions?
sawecw wrote:
Two possibilities are:
1. Your ISP blocks the ports you are trying to forward. (My ISP blocks port 80.) Try a different port and forward it to 80 on your http server.
2. Your http server has firewall rules that block all but your LAN. (Look at iptables -L on the http server.)
You could test these by connecting your http server directly to your ISP connection. (Bearing in mind that you lose the firewall protections of the router.)
Thanks for the reply.
Pretty sure my ISP is not blocking any of those ports, because all of this port forwarding/mapping works just fine when I use a DLINK DI-604 router. I'm also sure these ports are not blocked by my ISP because from the dd-wrt I can see the connections arriving and connecting on the WAN side; it's just on the LAN side that there's no response or connection.
Regarding firewall on my HTTP server, I'll check it but as above, this all worked fine with another router (DI-604).
By the way, what led you to believe I'm using iptables on my HTTP server?
Posted: Thu Jan 21, 2010 1:03 Post subject: Re: ISP or Http server restrictions?
scrotar wrote:
...
By the way, what led you to believe I'm using iptables on my HTTP server?
scrotar
Nothing. Just guessing that if your http server is Linux, it might have a default firewall which would be iptables.
You could try a later build, 13525 and 13637 are available for the AR670W. I have no reason to believe these will be better, just something to try.
You could try turning off the remote access to ddwrt. That is the only difference I see between your setup and mine. (Although my router is a Netgear, not the AR670W)
Posted: Thu Jan 21, 2010 2:08 Post subject: Re: ISP or Http server restrictions?
sawecw wrote:
scrotar wrote:
...
By the way, what led you to believe I'm using iptables on my HTTP server?
scrotar
Nothing. Just guessing that if your http server is Linux, it might have a default firewall which would be iptables.
You could try a later build, 13525 and 13637 are available for the AR670W. I have no reason to believe these will be better, just something to try.
You could try turning off the remote access to ddwrt. That is the only difference I see between your setup and mine. (Although my router is a Netgear, not the AR670W)
Okay, thanks sawecw.
I didn't know those newer builds were available for the AR670W, I'll look into that option.
Which build are you using on your Netgear? If you're also doing port mapping can you tell me if your output of: "iptables -L -n -t nat" is similar to mine?
Also, if you do an "nvram show |grep xxx.xxx.xxx.xxx:80" do you get a similar output that I'm getting? (xxx.xxx.xxx.xxx is your HTTP server lan IP)
BTW I never really liked iptables and have always found ipfilter easier to work with (I'm not a firewall expert, just a personal preference).
Posted: Thu Jan 21, 2010 5:09 Post subject: Re: ISP or Http server restrictions?
scrotar wrote:
...
Which build are you using on your Netgear? If you're also doing port mapping can you tell me if your output of: "iptables -L -n -t nat" is similar to mine?
Also, if you do an "nvram show |grep xxx.xxx.xxx.xxx:80" do you get a similar output that I'm getting? (xxx.xxx.xxx.xxx is your HTTP server lan IP)
...
scrotar
My Netgear router is running 13525. I also used 13064, which worked.
Posted: Fri Jan 22, 2010 2:50 Post subject: Re: ISP or Http server restrictions?
sawecw wrote:
scrotar wrote:
...
Which build are you using on your Netgear? If you're also doing port mapping can you tell me if your output of: "iptables -L -n -t nat" is similar to mine?
Also, if you do an "nvram show |grep xxx.xxx.xxx.xxx:80" do you get a similar output that I'm getting? (xxx.xxx.xxx.xxx is your HTTP server lan IP)
...
scrotar
My Netgear router is running 13525. I also used 13064, which worked.
You could try turning on logging to see if that tells you anything.
Hum... your output is similar to mine.
What logging are you suggesting I turn on, and how? If you tell me I guess it's spoon feeding but I won't mind
[EDIT] Nevermind, I think you are saying that I should have the iptables rules include logging. Darn, now I have to start learning iptables again
I'll spend some time here:
http://www.dd-wrt.com/wiki/index.php/Iptables#Logging
Posted: Fri Jan 22, 2010 3:52 Post subject: Re: ISP or Http server restrictions?
scrotar wrote:
What logging are you suggesting I turn on, and how? If you tell me I guess it's spoon feeding but I won't mind
[EDIT] Nevermind, I think you are saying that I should have the iptables rules include logging. Darn, now I have to start learning iptables again
I'll spend some time here:
http://www.dd-wrt.com/wiki/index.php/Iptables#Logging
scrotar
I was just suggesting turning on the logging from the "Security/Firewall" page. But yeah, you might need more detailed settings like those described in the Wiki.
If you upgrade your AR670W to 13637, I'll try moving my AR670W (now acting as a routing bridge) to be my router. Assuming it works, I would then send you an nvram backup.
Posted: Fri Jan 22, 2010 20:15 Post subject: Re: ISP or Http server restrictions?
sawecw wrote:
scrotar wrote:
What logging are you suggesting I turn on, and how? If you tell me I guess it's spoon feeding but I won't mind
[EDIT] Nevermind, I think you are saying that I should have the iptables rules include logging. Darn, now I have to start learning iptables again
I'll spend some time here:
http://www.dd-wrt.com/wiki/index.php/Iptables#Logging
scrotar
I was just suggesting turning on the logging from the "Security/Firewall" page. But yeah, you might need more detailed settings like those described in the Wiki.
If you upgrade your AR670W to 13637, I'll try moving my AR670W (now acting as a routing bridge) to be my router. Assuming it works, I would then send you an nvram backup.
Maybe I'm inching close now...
I disabled the port 80 port forwarding from the GUI and turned it back on with 'logaccept' from the dd-wrt command line like this:
From the GUI Security Incoming Log I now see the connection being accepted:
Source IP         Protocol  Destination Port Number  Rule
205.XXX.XXX.XXX   TCP       www                      Accepted
However, the connection to the web server still fails, and from the GUI IP Connections log I still see the connection as UNREPLIED:
No.  Protocol  Timeout (s)  Source Address   Remote Address  Service Name  State
2    TCP       118          205.XXX.XXX.XXX  mywanip         80            UNREPLIED
When I look at iptables like this:
iptables -L INPUT -nv
I don't see any instance of anything related to the IPs or ports that I set up for port forwarding or port mapping. Maybe there is an issue with the dd-wrt firewall? Wouldn't the rules get created as part of the port mapping set up in the GUI? Maybe this is where I need to look next?
Posted: Sat Jan 23, 2010 2:32 Post subject: Re: ISP or Http server restrictions?
scrotar wrote:
When I look at iptables like this:
iptables -L INPUT -nv
I don't see any instance of anything related to the IPs or ports that I set up for port forwarding or port mapping. Maybe there is an issue with the dd-wrt firewall? Wouldn't the rules get created as part of the port mapping set up in the GUI? Maybe this is where I need to look next?
scrotar
Try FORWARD instead of INPUT.
/tmp/.ipt has the full set of rules given to iptables for what it is worth.
Could you try forwarding port 81 on the wan to port 80 on your lan. Maybe the webserver on the router is interfering with the forwarding?
I still have a feeling that the router is not the problem, rather that your webserver is somehow not right. (Although I realize you had it working with a non ddwrt router.)
Posted: Sun Jan 24, 2010 19:00 Post subject: Re: ISP or Http server restrictions?
sawecw wrote:
scrotar wrote:
When I look at iptables like this:
iptables -L INPUT -nv
I don't see any instance of anything related to the IPs or ports that I set up for port forwarding or port mapping. Maybe there is an issue with the dd-wrt firewall? Wouldn't the rules get created as part of the port mapping set up in the GUI? Maybe this is where I need to look next?
scrotar
Try FORWARD instead of INPUT.
/tmp/.ipt has the full set of rules given to iptables for what it is worth.
Could you try forwarding port 81 on the wan to port 80 on your lan. Maybe the webserver on the router is interfering with the forwarding?
I still have a feeling that the router is not the problem, rather that your webserver is somehow not right. (Although I realize you had it working with a non ddwrt router.)
Problem solved! The problem was somewhere between the keyboard and the chair.
Thanks for all your help, sawecw.
sawecw, I tried port mapping to other hosts on my LAN and it worked just fine. So, you were correct that it was a problem on my http server: I missed the obvious and had left the default router set to the IP of the old router. I changed it to the IP of the new router (my dd-wrt AR670) and voila, all is well now with port mapping/forwarding to my HTTP server from my dd-wrt.
"What a stupid I am"
FYI: 80 to 80 works but 81, 82, 83, etc won't map to 80. 8000 to 80 works so for now I'm okay although at some point I'll troubleshoot a bit more.
Glad to hear you got it working. Sometimes it helps to step back and start over, which is what it sounds like you did. When you have something that works, make sure you back up the nvram so you can get back if you are going to experiment further!
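The diagnostic that the thread arrived at by hand can be read straight off the conntrack table: an entry that is still UNREPLIED but whose reply tuple already points at the LAN server means the DNAT rule fired and the fault is on the return path (nothing listening, a host firewall, or, as here, the server's default gateway pointing at the old router). The following is an added example, not code from the thread or from DD-WRT; it parses constructed lines in the /proc/net/ip_conntrack layout that the Status_Conntrack page renders, with a hypothetical WAN IP of 203.0.113.5 and RFC 5737 documentation addresses throughout.

```python
import re

# Constructed sample in the /proc/net/ip_conntrack layout that DD-WRT's
# Status_Conntrack page renders (RFC 5737 addresses; hypothetical WAN IP 203.0.113.5).
SAMPLE_CONNTRACK = """\
tcp      6 118 SYN_SENT src=198.51.100.7 dst=203.0.113.5 sport=51514 dport=80 [UNREPLIED] src=192.168.1.10 dst=198.51.100.7 sport=80 dport=51514 mark=0 use=2
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.5 sport=40001 dport=443 src=192.168.1.10 dst=192.168.1.20 sport=443 dport=40001 [ASSURED] mark=0 use=2
tcp      6 117 SYN_SENT src=198.51.100.9 dst=203.0.113.5 sport=60000 dport=8080 [UNREPLIED] src=203.0.113.5 dst=198.51.100.9 sport=8080 dport=60000 mark=0 use=2
udp      17 29 src=192.168.1.20 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=192.168.1.20 sport=53 dport=5353 mark=0 use=2
"""

# proto, L4 number, timeout, optional TCP state, original tuple, optional
# [UNREPLIED] flag, then the tuple conntrack expects the reply to carry.
CONNTRACK_RE = re.compile(
    r"^(\S+)\s+\d+\s+(\d+)\s+(?:([A-Z_]+)\s+)?"
    r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)\s+"
    r"(\[UNREPLIED\]\s+)?src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)"
)

def parse_conntrack(text):
    """One dict per parseable flow line; unparseable lines are skipped."""
    flows = []
    for m in filter(None, map(CONNTRACK_RE.match, text.splitlines())):
        g = m.groups()
        flows.append({"proto": g[0], "state": g[2], "orig_src": g[3],
                      "orig_dst": g[4], "orig_dport": int(g[6]),
                      "unreplied": g[7] is not None,
                      "reply_src": g[8], "reply_sport": int(g[10])})
    return flows

def dnat_target(flow):
    """(ip, port) DNAT rewrote the destination to, or None. After DNAT the
    reply tuple's source is the LAN host rather than the WAN IP."""
    rewritten = (flow["reply_src"], flow["reply_sport"])
    return rewritten if rewritten != (flow["orig_dst"], flow["orig_dport"]) else None

def unreplied_forwards(text, wan_ip):
    """TCP flows to wan_ip that were DNAT'ed but never saw a SYN-ACK back.
    DNAT fired, so the fault is on the return path from the LAN host: nothing
    listening, a host firewall, or a default gateway that is not this router."""
    findings = []
    for f in parse_conntrack(text):
        if f["proto"] != "tcp" or f["orig_dst"] != wan_ip or not f["unreplied"]:
            continue
        target = dnat_target(f)
        if target is not None:
            findings.append({"client": f["orig_src"], "wan_port": f["orig_dport"],
                             "target": target, "state": f["state"]})
    return findings
```

The third sample line is UNREPLIED too, but its reply tuple still carries the WAN IP, so no DNAT matched it and it is a question for the router's INPUT chain rather than for the LAN server.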