Port forwarding not working in RT-AC66U

Dimman Ramone

Occasional Visitor
Hi everyone.

Not totally sure that I'm posting in the right section of the forum, hopefully I am.
I'm wondering if anyone else has problems with port forwarding in the two latest Asuswrt-Merlin versions.
My port forwarding was working fine until I updated to 380.61 and then to 380.62.
I did reboot my router and I removed and added the rules again but it doesn't seem to help.

Any ideas, anyone else that has the same problem?

/dimmanramone
 
I was thinking of downgrading to the version where the port forwarding was working.
I also noticed that my WAN IP is not the correct one in the GUI, anyone else seeing that?

@RMerlin Any ideas on the WAN IP and the port forwarding issue?

Should be safe to downgrade right?
 
Not RMerlin, but check your nvram usage on the Tools>Sysinfo page. Port forwarding not working is one of the early signs of it being too full. You need a minimum of about 5000 bytes free for the router to work properly.
 
@john9527 Just checked and it seems 12000 to be available.

NVRAM usage 53064 / 65536 bytes
 
OK...with that out of the way, next thing to check is that the NAT loopback type is set to ASUS and not Merlin (Merlin loopback can fight with some other options on the MIPS based routers)
 
How are you testing your port forwards?
 
@john9527 I was on Merlin and changed it to Asus, but it didn't help.

@RMerlin It is port forwards that I was using before the update without any problems. I tested with my work PC and mobile in wired, wireless and 4g network.

The port forwards are used to ssh into an RPi and for a VPN Server on my NAS.
 
OK....more data....
telnet/ssh to the router and post the output of

iptables -t nat -nvL
 
Here's the output

Code:
Chain PREROUTING (policy ACCEPT 9041 packets, 913K bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194
   67  3698 VSERVER    all  --  *      *       0.0.0.0/0            WAN - IP

Chain POSTROUTING (policy ACCEPT 882 packets, 76321 bytes)
pkts bytes target     prot opt in     out     source               destination
3989  601K MASQUERADE  all  --  *      eth0   !WAN - IP        0.0.0.0/0
2396  124K MASQUERADE  all  --  *      br0     192.168.1.0/24       192.168.1.0/24

Chain OUTPUT (policy ACCEPT 932 packets, 96460 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain DNSFILTER (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain LOCALSRV (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain PCREDIRECT (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain PUPNP (0 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  tcp  --  *      *       192.168.1.21         0.0.0.0/0           tcp spt:32400 masq ports: 26712

Chain VSERVER (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 to:192.168.1.51:53
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:123 to:192.168.1.51:123
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:1024:1036 to:192.168.1.51
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:3478:3479 to:192.168.1.51
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:5060:5061 to:192.168.1.51
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:10000:10007 to:192.168.1.51
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:666 to:192.168.1.21:1194
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:666 to:192.168.1.21:1194
   67  3698 VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0  
   59  2656 TRIGGER    all  --  *      *       0.0.0.0/0            0.0.0.0/0           TRIGGER type:dnat match:0 relate:0

Chain VUPNP (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:5675 to:192.168.1.32:5675
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5675 to:192.168.1.32:5675
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:26712 to:192.168.1.21:32400
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6889 to:192.168.1.21:6889
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:4433 to:192.168.1.21:4433
    7   911 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:6889 to:192.168.1.21:6889
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:51727 to:192.168.1.21:51727
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:51727 to:192.168.1.21:51727
 
Hmmm....can you double check that you captured all of the output? (You are missing the PREROUTING and POSTROUTING chains)

If you did capture it all, please post the output of

cat /tmp/nat_rules_xxxx_xxxx

where xxxx is an interface name....like eth0 or ppp0 (do an ls /tmp to find what it is exactly)
 
I did post everything from the output; PREROUTING and POSTROUTING are in the first code block. The second code block is my cat output.

Code:
Chain PREROUTING (policy ACCEPT 9041 packets, 913K bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194
   67  3698 VSERVER    all  --  *      *       0.0.0.0/0            WAN - IP

Chain POSTROUTING (policy ACCEPT 882 packets, 76321 bytes)
pkts bytes target     prot opt in     out     source               destination
3989  601K MASQUERADE  all  --  *      eth0   !WAN - IP        0.0.0.0/0 
2396  124K MASQUERADE  all  --  *      br0     192.168.1.0/24       192.168.1.0/24

Code:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VSERVER - [0:0]
:LOCALSRV - [0:0]
:VUPNP - [0:0]
:PUPNP - [0:0]
:DNSFILTER - [0:0]
:PCREDIRECT - [0:0]
-A PREROUTING -d WAN-IP -j VSERVER
-A VSERVER -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.51:53
-A VSERVER -p udp -m udp --dport 123 -j DNAT --to-destination 192.168.1.51:123
-A VSERVER -p udp -m udp --dport 1024:1036 -j DNAT --to 192.168.1.51
-A VSERVER -p udp -m udp --dport 3478:3479 -j DNAT --to 192.168.1.51
-A VSERVER -p udp -m udp --dport 5060:5061 -j DNAT --to 192.168.1.51
-A VSERVER -p udp -m udp --dport 10000:10007 -j DNAT --to 192.168.1.51
-A VSERVER -p tcp -m tcp --dport 666 -j DNAT --to-destination 192.168.1.21:1194
-A VSERVER -p udp -m udp --dport 666 -j DNAT --to-destination 192.168.1.21:1194
-A VSERVER -j VUPNP
-A VSERVER -j TRIGGER --trigger-type dnat
-A POSTROUTING  -o eth0 ! -s WAN-IP -j MASQUERADE
-A POSTROUTING  -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE
COMMIT
 
Hmmm....can you double check that you captured all of the output? (You are missing the PREROUTING and POSTROUTING chains)
It's there, at the top. Did you scroll down past it?

I don't see any rules for SSH. Perhaps we need a screenshot of the port forwarding page in the router's GUI?
 
Duh...my fault in cut/paste so I could easily look at it.....

But, I think it shows the problem (also in the cat output)
Code:
Chain PREROUTING (policy ACCEPT 9041 packets, 913K bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194
   67  3698 VSERVER    all  --  *      *       0.0.0.0/0            WAN - IP

Chain POSTROUTING (policy ACCEPT 882 packets, 76321 bytes)
pkts bytes target     prot opt in     out     source               destination
3989  601K MASQUERADE  all  --  *      eth0   !WAN - IP        0.0.0.0/0
2396  124K MASQUERADE  all  --  *      br0     192.168.1.0/24       192.168.1.0/24

Looks like there is a code error resolving a variable 'WAN-IP' (or 'WAN - IP' with embedded spaces)...Either I or @RMerlin will need to dig into the code.
 
@ColinTaylor Yes, I don't have the SSH rules anymore. When I was trying to fix it I just removed them after a while.

upload_2016-9-28_21-49-14.png
 
@john9527 I just replaced my ip with WAN-IP :)

But as I said in a previous post, the WAN IP seems to be wrong. For example, I'm surfing with 193.213.43.1 but the GUI says 100.5.6.2
 
Ahh....makes sense :)

Are you running in a double NAT setup? Recently changed ISPs or any ISP hardware?

EDIT: I see you are also running a VPN server. Try turning that off just to eliminate a variable.
 
@john9527 No double NAT, no new ISP or hardware, just a new IP when I restarted, but I shouldn't have any problems with port forwarding because of that.

With or without the VPN still doesn't work.
 
@ColinTaylor It was just an example :) My ISP is Bredband2 in Sweden but the WAN IP that I can see in the GUI is from the Internet Assigned Numbers Authority in the US.

No I'm not using a proxy.
 
I was thinking that it sounds like carrier-grade NAT and then I read...

http://www.sweclockers.com/forum/trad/1443086-itux-bredband2-och-cgn

Itux Bredband2 and CGN
Just wanted to let you know that today B2 turned on CGN for me, on Itux's network in Gbg.
Unfortunately I noticed it after 7 pm, when their customer service had closed.
Anyone else who has Itux and can give your view of the ISP you have?

Edit: found the answer

"We are in the process of moving our networks over to private IP addresses. This is done via CG-NAT and the change is being introduced while waiting for IPv6. The rollout will happen gradually and be monitored closely. A non-public IP address does not affect ordinary browsing.

If you nevertheless have a genuine need for a public IP address, you can contact our customer service and we will arrange it for you free of charge."
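
The two checks this thread converges on, as an added example (not code from any poster or from Asuswrt-Merlin): classify the WAN address the router reports against the address the internet sees, with the RFC 6598 carrier-grade NAT range called out, and list the DNAT rows of an iptables -t nat -nvL listing whose packet counter is still 0. The function names are hypothetical; the sample rows and the two example addresses are taken from the posts above.

```python
import ipaddress
import re

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space

def classify_wan(router_wan_ip, observed_public_ip):
    """Compare the WAN IP shown by the router with the address the internet sees."""
    wan = ipaddress.ip_address(router_wan_ip)
    if wan in CGNAT:
        return "cgnat"      # ISP translates upstream; inbound traffic stops at its NAT
    if wan.is_private:
        return "private"    # RFC 1918: another NAT device sits in front of the router
    if wan != ipaddress.ip_address(observed_public_ip):
        return "mismatch"   # router does not hold the address that peers connect to
    return "public"         # address is reachable; look at the rules themselves

# One DNAT row of `iptables -t nat -nvL`: pkts bytes DNAT proto ... dpt(s):X to:Y
DNAT_ROW = re.compile(
    r"^\s*(\d+[KMG]?)\s+\S+\s+DNAT\s+(tcp|udp)\s.*?dpts?:(\S+)\s+to:(\S+)")

def dnat_rules(listing):
    """Return (proto, dport, target, pkts) for every DNAT row in the listing."""
    rules = []
    for line in listing.splitlines():
        m = DNAT_ROW.match(line)
        if m:
            pkts, proto, dport, target = m.groups()
            rules.append((proto, dport, target, pkts))
    return rules

def never_hit(listing):
    """Forwards whose packet counter is still 0, i.e. no traffic ever matched."""
    return [(p, d, t) for p, d, t, pkts in dnat_rules(listing) if pkts == "0"]

# Three rows copied from the VSERVER and VUPNP chains posted in the thread.
SAMPLE = """\
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:666 to:192.168.1.21:1194
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:666 to:192.168.1.21:1194
    7   911 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:6889 to:192.168.1.21:6889
"""

if __name__ == "__main__":
    # The two addresses the original poster gave as an example.
    print(classify_wan("100.5.6.2", "193.213.43.1"))
    for proto, dport, target in never_hit(SAMPLE):
        print(f"no packets yet: {proto}/{dport} -> {target}")
```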
 
