Port forwarding non-functional? --edit: not an Almond+ problem, & resolved.

[czyzczyz]

My web server is on my local network, behind the Almond+. I've set up a port forwarding rule to forward all port 80 packets to port 80 at its IP address on the internal network (attached screenshot). On my previous router, that was all that was needed to get it to show up online, but connected to the Almond+ it's dead to the world. I can, however, access it on the LAN, so I know the web server itself is functioning just fine as before, but the router's not letting anyone get to it. My web server has a manual IP on the local network, and is able to access the wan just fine -- it already successfully figured out my external IP address and properly updated the records at the dynamic DNS host.

I looked into the Firewall settings in the Almond+ menu, and it appeared that there was a section in there that could also be used to open up and forward a port. So I did that too (attached screenshot).

I noticed some possibly-relevant "Zone Settings" for the firewall in the OpenWRT LuCI web interface, and set them all to "accept" just to see if that cleared anything up. (attached screenshot). I've had trouble finding documentation on exactly what it is I'm adjusting here using the LuCI and I'm probably erring on the side of opening way too much up, just because I want to get my server back online.

I'm not sure what to do next. I can ping my domain name from outside my local network (which I assume is the router responding), so I'm pretty sure attempts to access the domain name via web browser at port 80 are reaching the router, they're just being rejected completely rather than being forwarded to my web server, regardless the port forwarding settings and the identical-looking firewall rule settings. I don't know how to further diagnose what's happening to the packets within the router, is it logging anything by default?

Thanks for any help or info. I can't imagine I am or will remain the only person running into this problem.

I'm running firmware R065 (AP2-R065-L009-W016-ZW016-ZB005), though I first established the port forward settings under R064.

[czyzczyz]

I'd love to hear from anyone who has gotten port forwarding to work. As far as I can tell, the iptables settings created by the Securifi port forwarding UI (and the openwrt LuCI UI) don't work. I can fiddle in LuCI all day in "Network > Firewall > Traffic Rules" and in "Custom Rules" but I feel like I'm just digging a hole to nowhere. This is a very basic router function, it shouldn't be so difficult.

I've had no luck getting this working despite hours and hours researching. I'm tempted to just go back to using my old netgear router until the next Almond+ software update in the hopes that maybe there's just a bug in this version of OpenWRT.

I'd accept that maybe it'd be slightly complicated to have port 80 and 22 forwarded since the router's using those two ports for its own purposes, but I've got a webcam at port 888 that is apparently impossible to expose to the wan with the Almond+ but is simple to forward with my netgear router running its standard firmware or any router running dd-wrt.

[czyzczyz]

Last ditch effort:

Just to make sure I hadn't caused a problem mucking about in LuCI, or that there wasn't a problem with forwarding in R064 that sticks around after an update, I reflashed to R065 with 'keep settings' unchecked.

Starting from a blank slate, I set the router's LAN IP to 10.0.1.1, set up a few static leases, and then followed the Almond+ Port forwarding instructions (http://wiki.securifi.com/index.php?title=Port_forwarding_-_Almond%2B_2014) to the letter to set port 888 to forward TCP packets to 10.0.1.117:888 (see attached image for setting).

No dice.

Rebooted the router -- still not forwarding.

I know 10.0.1.117:888 is an accessible web server since I can access it on my LAN, and if I plug in my netgear router it forwards to it from the outside world just fine.

I'm surprised nobody else is reporting similar problems or chiming in on this one. I can't be the only person with this problem.

[Schwartz]

My forwarding seems to work fine. These are the only rules I have setup.

L2TP
UDP
From any host in wan
To any router IP at port 1701
Forward to IP 192.168.1.4, port 1701 in lan

L2TP
UDP
From any host in wan
To any router IP at port 500
Forward to IP 192.168.1.4, port 500 in lan

L2TP
UDP
From any host in wan
To any router IP at port 4500
Forward to IP 192.168.1.4, port 4500 in lan

OpenVPN
UDP
From any host in wan
To any router IP at port 1194
Forward to IP 192.168.1.4, port 1194 in lan

[Oendaril]

I have all of my ip cameras functioning with port forwarding (through a reverse proxy) just fine too. I'm not sure why yours is having issues, my only difference is that i'm allowing both TCP and UDP and i'm setting the static ip on the client rather than using static leases. Shouldn't need to muck with the firewall as that would defeat the point of a port forward.

are you getting zero response data from your wanip:888 requests?

[czyzczyz]

Aha, I think I've found the problem, and it's me. Or more specifically, it's that I didn't notice that my cable modem's bridge mode cares about the MAC ID of the connected device, and so my Almond+ itself wasn't exposed to the wan, and my servers are all double-NATted.


I'm pretty sure that's what's going on as I reconnected my linksys and noticed that with it connected forwarding worked fine. I then noticed that the cable modem had handed my linksys my real external IP address as the router's WAN address, but the Almond+ had always been given 192.168.0.2. Oops.

So I'm fairly certain that either I've got to add the WAN MAC of the Almond+ to a list inside my cable modem so that bridge mode will work (jumping through the hoops oulined here: http://www.dslreports.com/forum/r25756879-TWC-SBG6850-and-Bridge-Mode), or I've gotta set my Almond+ to use the Linksys's MAC ID (which might be possible from within the OpenWRT LuCI UI).

I've got a few more hoops to jump through and then I'll hopefully be able to say the problem is definitely not with Almond+ or R065.

Thanks to everyone who replied, btw. The fact that forwarding is working for you meant the problem was something solveable.

[czyzczyz]

Yup, that was the problem. I set the Almond+ to use the MAC ID of my linksys, and instantly my cable modem handed it the real external IP address and all my forwards started to function from the outside.

[Oendaril]

Hmm, is your modem actually one of those all-in-one gateways? In those cases I just added the router to the DMZ on there, otherwise you do get double NAT'ed as you mentioned.  Completely forgot about that issue as I don't know any bare modems that do that

Edit: yeah, looks like that modem is one of those, although they force you to bridging as you said instead of just including the router ip in the DMZ.

[derrikn]

This is exactly my problem. I still need to figure out how to get my external IP to show, but at least you got me looking in the right direction. Thanks.