[AlaskaJason190]

Hey Everyone,

I'm not a networking engineer, i'm just a hobiest at best but need some help.

I've got a device behind a LTE connection CGNAT and i've gotten my router configured with a static ip address through a VPN. That part is working, all the traffic seems to pass over the vpn just fine.

I need to port forward port 80 to an IoT device.

this is what i found on the web - and i've put this into the firewall under managment and commands.

[dale_gribble39]

Does "newest firmware" mean 44715 or 51032? Have you read the OpenVPN guides sticky?

[AlaskaJason190]

Firmware: DD-WRT v3.0-r49418 std (07/04/22)
Time: 15:35:48 up 1:25, load average: 0.00, 0.00, 0.00
WAN IPv4: 192.168.1.29 IPv6: 2600:380:7056:4cad:26f5:a2ff:fec1:20f9

[SurprisedItWorks]

Your iptables rules appear to be an attempt to handle the router side of VPN port forwarding. Do you actually have VPN port forwarding set up with your provider? In other words, will your provider forward packets arriving at your fixed IP on port 80 through the tunnel to your router? My provider, as an example, offers VPN port forwarding but NOT for port 80 or other "standard" ports, so you need to understand your provider's offerings. Also, once you have your rules set up correctly, you can use "iptables -vnL PREROUTING" and "iptables -vnL FORWARD | head" in the CLI and look at the packet count field on the left and see if it is increasing for those specific rules when you attempt to connect to port 80 from the outside.

If that is all good, note that your "FORWARD 1" can be just "FORWARD" as the "1" is the default. However, the "nat 1" is something I have never seen. In my (only modest) experience it's just "nat" that you use there. And tcp is what is used for http connections. If that's what you are after, you may not need the UDP rules.

For experimenting, do paste the rules into the CLI. Then if you hose things up completely, you can just reboot. Also you can delete a rule if you mess it up and want to try again: "iptables -t nat -D PREROUTING 1" for example to delete PREROUTING rule number 1. Always view the rules before and after to confirm.

Once it works the way you want, it goes in GUI > Administration > Commands in the Firewall section. Paste into Commands and Save Firewall. There's an edit button to put what you have in that section already into the command window so you can edit it and re-save.

Much of that is for readers who are newer to it, as you seem to have done a fair bit of homework already.

And to other helpers: I'm not into "taking over" a discussion. Just hoping to move it along to spare you a few basics. Do continue as inclined!

[SurprisedItWorks]

Let me add... Be SURE to check that the rules are there after you "enter" them, and do that at each stage. The issue is that an iptables command with "-i tun1" I believe will fail to enter into the table if tun1 does not exist. So if you use the GUI to set things up for boot time, you may be good or may not be depending on how long it takes OpenVPN to set up the tunnel, and that in turn depends on whether you specify a "remote" server IP numerically or as a domain name requiring DNS lookup.

If this turns out to be an issue, using your own custom route-up.sh file, which is run after the tunnel is set up, is one possibility, but you need to be on top of shell scripting and linux generally to attempt it. Not for everyone. The messy part is that you have to incorporate the code of dd-wrt's exisiting route-up.sh script.

The other path around the problem is to forget about OpenVPN and use wireguard instead, as it's much easier to set up a tiny script to run after the tunnel is up. Of course you need a VPN provider that will port foward back through a wireguard tunnel. I do that with AirVPN, but they won't forward port 80, as I mentioned above.

[AlaskaJason190]

Yes the pure vpn provider is passing all ports per their web page ( i dont need to add a screenshot but there are three optoions and I have selected the least secure for testing to all ports)

AS of this morning when I navigate to the static ip from another network I can see the router splash page with the info on it... thats new... however i do not have the ports passing as they need to.

here is an output of the vpn and the iptaples.

[egc]

First some remarks

You also seem to run a WireGuard tunnel, this could interfere with a VPN client.
Furthermore not sure about the rule on the OUTPUT chain were is that coming from?
Are you using firewall rules of your own?

But your VPN client seems to get a good connection

The Port forward rules are working as far as the FORWARD rules but not the DNAT/PREROUTING rules those seems MIA.

Get rid of the numbers (I mean the number 1).

Using numbers is always a bad idea as there are no fixed line numbers and in the case of the DNAT rule they are even in the wrong place.

When using firewall rules you always test those from the CLI (telnet/Putty) to see if it works and then view them with:
iptables -vnL
iptables -vnL -t nat

After that in the GUI Administration/Commands and Save firewall.

[AlaskaJason190]

i installed several years ago flashrouters nordvpn applett.... that is likely the issue???

[AlaskaJason190]

the router is online, and i'm able to get to the DDWRT managment pages. but still no ports passing through.

I just did a fresh factory reset.

[egc]

Latest build as of today is 51040.

After a reset put settings in manually, never restore from a backup (to a different build that is)

You can import the PureVPN openvpn config in the DDWRT client, but you carefully have to adjust the settings as outlined in the DDWRT OpenVPN Client setup guide, there is also a paragraph about Port Forwarding via the OpenVPN interface.

Both rules can be seen with:
iptables -vnL FORWARD
iptables -vnL -t nat

The first two numbers are the packets/bytes arriving, if those stay at 0 it means nothing is coming from your VPN provider.