380.57 port forwarding question

so i have verified that even with firewall off when over wifi https://162.156.173.XX:8181 takes me to the R7000

as soon as i switch to cellular the same address doesn't work, which means that the R7000 is the problem... grrr this is so frustrating
 
under Administration, System; do you have 'Allow SSH access from WAN' and 'Enable Web Access from WAN' set to Yes ?
 
under Administration, System; do you have 'Allow SSH access from WAN' and 'Enable Web Access from WAN' set to Yes ?
He said he didn't have allow access from wan allowed. Not sure why not. It will not work without it. He is confusing lol

Sent from my Nexus 6 using Tapatalk
 
He said he didn't have allow access from wan allowed. Not sure why not. It will not work without it. He is confusing lol

He's actually not :D

In #21, firewall is turned off. These two knobs on admin tab do not matter in such case.
 
He's actually not :D

In #21, firewall is turned off. These two knobs on admin tab do not matter in such case.

Just tested on mine and it does matter. The internal webserver does know that it needs to redirect if "enable web access from wan" is turned on.

I turned off firewall and disabled enable web access from wan and it didn't work. Firewall or not that needs to be turned on to redirect. Unless he has the r7000 LAN on the same as the edgerouter x and not dishing dhcp then he can access the router via the LAN side. Unless I'm missing something he is saying.

Sent from my Nexus 6 using Tapatalk
 
The internal webserver does know that it needs to redirect if "enable web access from wan" is turned on.

WebUI listens on all interfaces. You can tell from e.g
Code:
$ netstat -na | grep 8443
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN

Once firewall is off, direct access is available. You have a remote chance to be correct that asuswrt might be doing something silly there. I haven't used the default firewall rules for a very long time.

Also possible that you use different port on LAN and WAN. In that case, a redirection is needed but without any merit doing so when firewall is off.
 
under Administration, System; do you have 'Allow SSH access from WAN' and 'Enable Web Access from WAN' set to Yes ?

no, but i have tried with them enabled, since the request will come in on a lan port it's not considered as from lan

the R7000 will technically see the request coming from 192.168.1.1

here is tcp dump for the port

i know everything is getting through and firewall is not the issue

but i can't verify another port is not used/needed



ERX login: admin
Password:
Linux ERX 3.10.14-UBNT #1 SMP Tue Dec 1 00:07:49 PST 2015 mips
Welcome to EdgeOS
sudo tcp admin@ERX:~$ sudo tcpdump -nv -i eth1 not port 22 and port 8443
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
22:41:29.115899 IP (tos 0x0, ttl 50, id 32798, offset 0, flags [DF], proto TCP (6), length 64)
24.114.26.35.5337 > 162.156.173.38.8443: Flags , cksum 0x043c (correct), seq 1359700970, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 805803476 ecr 0,sackOK,eol], length 0
22:41:29.898366 IP (tos 0x0, ttl 50, id 46951, offset 0, flags [DF], proto TCP (6), length 64)
24.114.26.35.5337 > 162.156.173.38.8443: Flags , cksum 0x0053 (correct), seq 1359700970, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 805804477 ecr 0,sackOK,eol], length 0
22:41:30.867338 IP (tos 0x0, ttl 50, id 10071, offset 0, flags [DF], proto TCP (6), length 64)
24.114.26.35.5337 > 162.156.173.38.8443: Flags , cksum 0xfc69 (correct), seq 1359700970, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 805805478 ecr 0,sackOK,eol], length 0
22:41:31.887356 IP (tos 0x0, ttl 50, id 4873, offset 0, flags [DF], proto TCP (6), length 64)
24.114.26.35.5337 > 162.156.173.38.8443: Flags , cksum 0xf880 (correct), seq 1359700970, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 805806479 ecr 0,sackOK,eol], length 0
22:41:32.867139 IP (tos 0x0, ttl 50, id 11177, offset 0, flags [DF], proto TCP (6), length 64)
24.114.26.35.5337 > 162.156.173.38.8443: Flags , cksum 0xf497 (correct), seq 1359700970, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 805807480 ecr 0,sackOK,eol], length 0
22:41:33.882382 IP (tos 0x0, ttl 50, id 48223, offset 0, flags [DF], proto TCP (6), length 64)
24.114.26.35.5337 > 162.156.173.38.8443: Flags , cksum 0xf0ae (correct), seq 1359700970, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 805808481 ecr 0,sackOK,eol], length 0
22:41:35.882383 IP (tos 0x0, ttl 50, id 58522, offset 0, flags [DF], proto TCP (6), length 64)
24.114.26.35.5337 > 162.156.173.38.8443: Flags , cksum 0xe8dd (correct), seq 1359700970, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 805810482 ecr 0,sackOK,eol], length 0
22:41:39.882887 IP (tos 0x0, ttl 50, id 63618, offset 0, flags [DF], proto TCP (6), length 64)
24.114.26.35.5337 > 162.156.173.38.8443: Flags , cksum 0xd93d (correct), seq 1359700970, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 805814482 ecr 0,sackOK,eol], length 0
22:41:47.882675 IP (tos 0x0, ttl 50, id 58835, offset 0, flags [DF], proto TCP (6), length 64)
24.114.26.35.5337 > 162.156.173.38.8443: Flags , cksum 0xb9fd (correct), seq 1359700970, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 805822482 ecr 0,sackOK,eol], length 0
22:42:04.004714 IP (tos 0x0, ttl 50, id 34174, offset 0, flags [DF], proto TCP (6), length 64)
24.114.26.35.5337 > 162.156.173.38.8443: Flags , cksum 0x7b7d (correct), seq 1359700970, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 805838482 ecr 0,sackOK,eol], length 0
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel

admin@ERX:~$
 
WebUI listens on all interfaces. You can tell from e.g
Code:
$ netstat -na | grep 8443
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN

Once firewall is off, direct access is available. You have a remote chance to be correct that asuswrt might be doing something silly there. I haven't used the default firewall rules for a very long time.

Also possible that you use different port on LAN and WAN. In that case, a redirection is needed but without any merit doing so when firewall is off.


admin@R7000:/tmp/home/root# netstat -na | grep 8443
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN
admin@R7000:/tmp/home/root#

don't know what you're getting at with this?

it doesn't prove another port isn't being used

kvic do you have another router to put your RT-AC56 behind to test?
 
Just tested on mine and it does matter. The internal webserver does know that it needs to redirect if "enable web access from wan" is turned on.

I turned off firewall and disabled enable web access from wan and it didn't work. Firewall or not that needs to be turned on to redirect. Unless he has the r7000 LAN on the same as the edgerouter x and not dishing dhcp then he can access the router via the LAN side. Unless I'm missing something he is saying.

Sent from my Nexus 6 using Tapatalk

i just enabled both for fun and tried, doesn't make a difference
 
don't know what you're getting at with this?

I was not responding to you..

On your issue, I would tcpdump on Merlin router too (tcpdump available from Entware).

WebUI only listens on one port. No other secret ports I'm aware of. So you can clear up this suspicion and get focussed..
 
ok, so how would i get tcp dump on the R7000 via entware? and yes this is a very puzzling issue, thank you for all your help!!!
 
i also have another device my WEB6000Q forwarded the same way

only has http / no option to configure https
the tcp dump is MUCH larger

http://pastebin.com/xvfprs9K
 
You can install Entware (do a search on this forum) on Merlin. Alternatively, you can tcpdump on the LAN facing interface on ERX too.
 
here is an 8443 packet capture on my edgerouter LAN interface when requesting from WAN over LTE from my phone


23:23:35.256392 IP 24.114.26.35.44997 > 192.168.1.3.8443: Flags , seq 3942494600, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 808327120 ecr 0,sackOK,eol], length 0
23:23:35.639532 IP 24.114.26.35.44997 > 192.168.1.3.8443: Flags , seq 3942494600, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 808327506 ecr 0,sackOK,eol], length 0
23:23:35.719661 IP 24.114.26.35.44997 > 192.168.1.3.8443: Flags , seq 3942494600, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 808327607 ecr 0,sackOK,eol], length 0
23:23:35.815653 IP 24.114.26.35.44997 > 192.168.1.3.8443: Flags , seq 3942494600, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 808327709 ecr 0,sackOK,eol], length 0
23:23:35.935746 IP 24.114.26.35.44997 > 192.168.1.3.8443: Flags , seq 3942494600, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 808327811 ecr 0,sackOK,eol], length 0
23:23:36.039645 IP 24.114.26.35.44997 > 192.168.1.3.8443: Flags , seq 3942494600, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 808327912 ecr 0,sackOK,eol], length 0
23:23:36.088638 IP 24.114.26.35.44997 > 192.168.1.3.8443: Flags , seq 3942494600, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 808327978 ecr 0,sackOK,eol], length 0
23:23:36.206657 IP 24.114.26.35.44997 > 192.168.1.3.8443: Flags , seq 3942494600, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 808328110 ecr 0,sackOK,eol], length 0
23:23:36.495903 IP 24.114.26.35.44997 > 192.168.1.3.8443: Flags , seq 3942494600, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 808328374 ecr 0,sackOK,eol], length 0
23:23:37.035529 IP 24.114.26.35.44997 > 192.168.1.3.8443: Flags , seq 3942494600, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 808328902 ecr 0,sackOK,eol], length 0
23:23:38.095782 IP 24.114.26.35.44997 > 192.168.1.3.8443: Flags , seq 3942494600, win 65535, options [mss 1400,sackOK,eol], length 0
23:23:40.215859 IP 24.114.26.35.44997 > 192.168.1.3.8443: Flags , seq 3942494600, win 65535, options [mss 1400,sackOK,eol], length 0
23:23:42.335798 IP 24.114.26.35.44997 > 192.168.1.3.8443: Flags , seq 3942494600, win 65535, options [mss 1400,sackOK,eol], length 0


and then this is the packet capture from typing in the exact same address from my iphone connected to lan


http://pastebin.com/rN4zMjfy
 
router mode customized like an ap because AP mode lost the bandwidth monitors and i want to monitor my radios and which IPs are using them

technically i don't even think i have a default gateway entered....

just to make sure, if you SSH into R7000 and type 'ip -4 route', you should have a line like;

default via 69.246.182.1 dev eth0

also, it is not outside the realm of possibilities that you may need to reboot the r7000 after changing the HTTPS port or enabling/disabling access from WAN.

I would try enabling access from WAN and rebooting, and make sure it has a default gateway. and if that doesn't work, disable firewall, too, and then reboot the R7000 again.

if the above still does not work, you should SSH into the R7000 and paste the following:

ifconfig

iptables-save

ip -4 route
 
just to make sure, if you SSH into R7000 and type 'ip -4 route', you should have a line like;

default via 69.246.182.1 dev eth0

also, it is not outside the realm of possibilities that you may need to reboot the r7000 after changing the HTTPS port or enabling/disabling access from WAN.

I would try enabling access from WAN and rebooting, and make sure it has a default gateway. and if that doesn't work, disable firewall, too, and then reboot the R7000 again.

if the above still does not work, you should SSH into the R7000 and paste the following:

ifconfig

iptables-save

ip -4 route


ASUSWRT-Merlin R7000_3.0.0.4 Fri Dec 25 05:08:53 UTC 2015
admin@R7000:/tmp/home/root# ip -4 route
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.3
127.0.0.0/8 dev lo scope link

ok?


what will this do?

ifconfig

iptables-save

ip -4 route
 
here is an 8443 packet capture on my edgerouter LAN interface when requesting from WAN over LTE from my phone

The traces do not agree with what you said. Seems you were requesting WAN over internal WiFi from your phone?
 
ok and this is packet capture for 192.168.1.1

this is the logs from when i do the request on the LAN over wifi

http://pastebin.com/MSZ2M6Jf

this is the log when i do it from LTE


23:33:54.226026 ARP, Reply 192.168.1.3 is-at e4:f4:c6:0e:d5:38, length 46
23:33:54.225828 ARP, Request who-has 192.168.1.3 tell 192.168.1.1, length 28
23:33:49.217552 IP 24.114.26.35.45024 > 192.168.1.3.8443: Flags , seq 581413943, win 65535, options [mss 1400,sackOK,eol], length 0
23:33:32.824813 IP 192.168.1.3.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
23:33:17.219702 IP 24.114.26.35.45024 > 192.168.1.3.8443: Flags , seq 581413943, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 808908537 ecr 0,sackOK,eol], length 0
23:33:01.148891 IP 24.114.26.35.45024 > 192.168.1.3.8443: Flags , seq 581413943, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 808892537 ecr 0,sackOK,eol], length 0
23:32:53.076476 IP 24.114.26.35.45024 > 192.168.1.3.8443: Flags , seq 581413943, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 808884537 ecr 0,sackOK,eol], length 0
23:32:49.095935 IP 24.114.26.35.45024 > 192.168.1.3.8443: Flags , seq 581413943, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 808880537 ecr 0,sackOK,eol], length 0
23:32:47.043129 IP 24.114.26.35.45024 > 192.168.1.3.8443: Flags , seq 581413943, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 808878537 ecr 0,sackOK,eol], length 0
23:32:46.978003 ARP, Reply 192.168.1.3 is-at e4:f4:c6:0e:d5:38, length 46
23:32:46.977828 ARP, Request who-has 192.168.1.3 tell 192.168.1.1, length 28
23:32:46.028959 IP 24.114.26.35.45024 > 192.168.1.3.8443: Flags , seq 581413943, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 808877537 ecr 0,sackOK,eol], length 0
23:32:45.014869 IP 24.114.26.35.45024 > 192.168.1.3.8443: Flags , seq 581413943, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 808876537 ecr 0,sackOK,eol], length 0
23:32:44.035887 IP 24.114.26.35.45024 > 192.168.1.3.8443: Flags , seq 581413943, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 808875537 ecr 0,sackOK,eol], length 0
23:32:42.989016 IP 24.114.26.35.45024 > 192.168.1.3.8443: Flags , seq 581413943, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 808874536 ecr 0,sackOK,eol], length 0
23:32:41.970447 IP 24.114.26.35.45024 > 192.168.1.3.8443: Flags , seq 581413943, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 808873536 ecr 0,sackOK,eol], length 0
 
ASUSWRT-Merlin R7000_3.0.0.4 Fri Dec 25 05:08:53 UTC 2015
admin@R7000:/tmp/home/root# ip -4 route
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.3
127.0.0.0/8 dev lo scope link

ok?


what will this do?

ifconfig

iptables-save

ip -4 route

weird, so it looks like you do not have a default route. did you set a static ip on the wan page? there should be a place for a default gateway.

ifconfig to show the ip of your wan and lan interface on the r7000, iptables-save to see firewall and nat config, ip -4 route to see the routing table, but it looks like no default route is the problem
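
The diagnosis the thread arrives at, as an added example that is not part of any poster's message: it finds clients in a tcpdump capture that keep resending the same sequence number without an answer, then looks up the route the R7000 would use to reply to them. The routing table and capture lines are copied from the thread; the `default via 192.168.1.1` gateway used in the test is an assumption (the ERX LAN address seen in the ARP lines).

```python
import ipaddress
import re
from collections import Counter

# Routing table exactly as posted from the R7000 in the thread.
R7000_ROUTES = """\
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.3
127.0.0.0/8 dev lo scope link
"""

# Three lines from the thread's ERX LAN-side capture (options trimmed; flag field blank as on the page).
CAPTURE = """\
23:23:35.256392 IP 24.114.26.35.44997 > 192.168.1.3.8443: Flags , seq 3942494600, win 65535, length 0
23:23:35.639532 IP 24.114.26.35.44997 > 192.168.1.3.8443: Flags , seq 3942494600, win 65535, length 0
23:23:38.095782 IP 24.114.26.35.44997 > 192.168.1.3.8443: Flags , seq 3942494600, win 65535, length 0
"""

PKT = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+: .*?seq (\d+)")

def unanswered_peers(capture, server_ip):
    """Return {client_ip: retransmit_count} for clients server_ip never answers."""
    sent, answered = Counter(), set()
    for line in capture.splitlines():
        m = PKT.search(line)
        if not m:
            continue  # ARP, NBT and other non-TCP lines
        src, dst, seq = m.groups()
        if dst == server_ip:
            sent[(src, seq)] += 1      # same seq again means a retransmission
        elif src == server_ip:
            answered.add(dst)          # any reply means the return path works
    return {s: n - 1 for (s, _), n in sent.items() if n > 1 and s not in answered}

def return_route(routes, peer_ip):
    """Longest-prefix match of peer_ip against `ip -4 route` output; None if no route."""
    peer, best = ipaddress.ip_address(peer_ip), None
    for line in routes.splitlines():
        try:
            dest = line.split()[0]
            net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest)
        except (IndexError, ValueError):
            continue  # blank lines and entries such as "unreachable ..."
        if peer in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, line.strip())
    return best[1] if best else None

def diagnose(capture, routes, server_ip):
    """Map each unanswered client to the route the server would use to reply."""
    return {ip: return_route(routes, ip) for ip in unanswered_peers(capture, server_ip)}
```

With the posted table, `diagnose(CAPTURE, R7000_ROUTES, "192.168.1.3")` maps the LTE client 24.114.26.35 to `None`, while a LAN address such as 192.168.1.1 still matches the on-link `192.168.1.0/24` route.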
 
