Port forward to public ip

ArashT

Occasional Visitor
I have an Asus GT-AX6000 router with asuswrt-merlin firmware.
The router WAN has a public static IP (x.x.x.x) via ISP (PPPoE).
My VPS has a public static IP too
(y.y.y.y) (outside of my local network).
The VPS has a webserver and it's running on port 80 (http://y.y.y.y:80).
I want to access the web page on my VPS via my router address (http://x.x.x.x:80).
How can I do this?
(In most cases people ask for public-to-private address port forwarding, but I want public-to-public.)
 

Are the two static IPs in the same subnet? If so there is no port forwarding; it doesn't even hit the Asus, and that webserver is exposed to the internet with no protection.
 
Can I ask why you would want to do this? I could understand if you were accessing the VPS by your router's DDNS name, but not if you're using IP addresses. Why not just use the IP address of the VPS, or set up a DDNS that points to the VPS?
 
Lol, that's a shame, but I live in a country with internet censorship. I'm trying to bypass the limitations; it's a little bit hard to explain :))
Back to the situation:
I can achieve what I want by flushing the iptables rules:
Code:
iptables -t filter --flush
iptables -t nat --flush

And applying port forward:

Code:
iptables -t nat -A POSTROUTING ! -s 127.0.0.1 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination y.y.y.y:80
But this way it's like I completely disabled the router firewall!
 
I suspect you have cut and pasted that from the askubuntu site without understanding how it works?

Did you try using the router's port forwarding option but specifying your VPS address instead of an internal address?
 
Yes, I tried the router port forward.
But the rule only works correctly in my local network and not from the outside (which is my goal).
I guess that one of the FORWARD rules is causing this issue.
 
Yes, I think you are correct. On my router/firmware I would need to add a rule to the other2wan chain. Your router may be different from mine. Can you post the output of iptables-save (after a reboot, so any changes you have made are removed)?
 
Sure, here you are (I just replaced my public WAN IP with x.x.x.x).
(Edit: removed since my problem is solved)
 
Thanks. That's rather different from my router. I'll have to look at it in more detail later when I have more time. Other members may be able to help in the meantime.

It might be easier to use something like nginx.
 
No bro,
they are on completely different networks.

By default the Asus can't do that, but it looks like you're willing to get into scripting, so you should be able to get it to work. It's going to be a bit challenging to get it all right.

I'm assuming you have a switch on the WAN port with your modem and this server both connected?

It may make more sense to plug it into a LAN port and create custom routing and firewall rules there (put that LAN port in its own VLAN/bridge, etc.). Or a separate VLAN off the WAN port going to a smart switch that can split up the VLANs to different ports.
 
Thanks to all of you guys,
I just managed to solve it:
Code:
iptables -I FORWARD -p tcp -d y.y.y.y -j ACCEPT
 
That's essentially a "permit any" to that IP. Not really something I'd want facing the internet. I'm not exactly sure how the routing is working either; that will allow your internal hosts to hit it, but external hosts should require additional routing setup. Where is the device connected, LAN or WAN?
 
I think you are right, I have an issue with external hosts via WAN.
Can you help me with the additional routing?
 
You said this was now working so presumably there's no need to make any routing changes.

That rule is working for my first test!
I can see my VPS web page on port 80 via my router WAN IP from outside (my mobile data):
Code:
iptables -t filter -I FORWARD -p tcp -d {VPS_IP} -j ACCEPT
iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to-destination {VPS_IP}:80
With these 2 rules the first test passes.
But my final goal is to use Xray, which is listening on port 443, and this one doesn't seem to work:
Code:
iptables -t filter -I FORWARD -p tcp -d {VPS_IP} -j ACCEPT
iptables -t nat -I PREROUTING -p tcp --dport 443 -j DNAT --to-destination {VPS_IP}:443
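The two rules above (and the earlier blanket MASQUERADE) do the job, but as noted in the thread the FORWARD rule is a "permit any" to the VPS, and the MASQUERADE rewrote the source of every forwarded packet. The script below is an added example, not code from the thread or from asuswrt-merlin, that generates the same hairpin setup with each match narrowed to the WAN interface, the one forwarded port and new connections only. It assumes the WAN interface is `ppp0` (typical for a PPPoE link), uses the placeholder VPS address `203.0.113.10`, and only executes `iptables` when `DRY_RUN` is not set to 1 (which needs root on the router).

```shell
#!/bin/sh
# Added example (not from the thread or from asuswrt-merlin): a tightened
# version of the "DNAT to a public IP" rules. Assumptions: WAN interface is
# ppp0 (PPPoE), VPS address is the placeholder 203.0.113.10.
#
# Compared with the thread's rules:
#   - FORWARD accepts only WAN-in/WAN-out TCP to the VPS on the one port,
#     and only NEW connections, instead of "any TCP to that IP".
#   - MASQUERADE is limited to that hairpinned flow, so the VPS replies to
#     the router rather than directly to the client, without rewriting the
#     source of everything else the router forwards.

# valid_ipv4 A.B.C.D -> success if it is a dotted-quad address
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# valid_port N -> success if N is a number in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_rules VPS_IP PORT WAN_IF
# Prints one iptables command per line; nothing is executed here.
build_rules() {
    vps="$1"; port="$2"; wan="$3"
    valid_ipv4 "$vps" || { echo "bad VPS address: $vps" >&2; return 1; }
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    # 1. Rewrite the destination of inbound WAN traffic for this port only.
    printf '%s\n' "iptables -t nat -I PREROUTING -i $wan -p tcp --dport $port -j DNAT --to-destination $vps:$port"
    # 2. Replies for flows conntrack already knows about.
    printf '%s\n' "iptables -t filter -I FORWARD -o $wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 3. Allow only the redirected flow to hairpin back out of the WAN side.
    printf '%s\n' "iptables -t filter -I FORWARD -i $wan -o $wan -p tcp -d $vps --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    # 4. Source-NAT only that hairpinned flow.
    printf '%s\n' "iptables -t nat -I POSTROUTING -o $wan -p tcp -d $vps --dport $port -j MASQUERADE"
}

# apply_rules VPS_IP PORT WAN_IF
# Runs the generated commands (root needed). With DRY_RUN=1 it only prints them.
apply_rules() {
    rules=$(build_rules "$@") || return 1
    printf '%s\n' "$rules" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'would run: %s\n' "$cmd"
        else
            eval "$cmd"
        fi
    done
}

# Usage: DRY_RUN=1 sh public_dnat.sh 203.0.113.10 80 ppp0
if [ "$#" -eq 3 ]; then
    apply_rules "$@"
fi
```

Because the hairpinned flow is masqueraded, the VPS sees the router's WAN address as the client, not the real visitor, so its access logs lose the original source IP; that is inherent to doing this with NAT. On asuswrt-merlin the rules need to be re-applied whenever the firewall restarts, so the natural place for the `apply_rules` call is the `firewall-start` user script (the script name is Merlin's; where the example gets placed is an assumption).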
 
I don't think you can use a simple IP redirection for HTTPS traffic (if that's what Xray uses). The HTTPS server detects that the source address has changed and thinks it's a man-in-the-middle attack, the very thing HTTPS is designed to prevent. The only way I know of avoiding that is by using a proxy server.

Entware has a v2ray package if that's of any help.
 
I just used haproxy for https port forward and it's working great :)
Thanks for the tip 👍🏻
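The thread ends with haproxy doing the 443 forward but does not show the configuration. The following is an added example of a TCP-mode passthrough, not the poster's or the haproxy project's own file; it assumes haproxy was installed from Entware on the router and uses the placeholder VPS address 203.0.113.10.

```haproxy
global
    log /dev/log local0
    maxconn 1024

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Accept TCP on 443 and relay the raw stream to the VPS. TLS is not
# terminated on the router, so the router never sees plaintext and the
# VPS keeps using its own certificate unchanged.
frontend https_in
    bind :443
    default_backend vps_https

backend vps_https
    # Placeholder address (assumption); replace with the real VPS IP.
    server vps 203.0.113.10:443 check
```

Two things to check before relying on it: the router's firewall must accept inbound TCP 443 on the WAN interface (the default Merlin INPUT policy on WAN drops it, so an explicit INPUT rule for that port is needed), and nothing else on the router, such as remote administration, may already be bound to 443. As with the NAT approach, the VPS sees the router's address as the client, since haproxy opens its own connection to the backend.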
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top