QOS Breaks Port Forwarding on RT-AC87U

[mrdude]

I'm using the latest Alpha 4 firmware compiled today - When I enable QOS it breaks port forwarding and my router is unreachable from the WAN.

I know it's Alpha 4, but I didn't know where else to report this, I've had this issue on all the Alpha stages (3.0.0.4.378.52_alpha4) of 378.52 firmwares. I have erased NVram after flashing, is there any other reports of this? If not I though you should know.

 

[RMerlin]

I tested both traditional and adaptive QoS, and my port forwards still work fine here.

 

[mrdude]

That's weird I can send my config if you want to take a look at it - also It appears to be random, when configuring options in the web interface.

If I disable port forwarding - I can access my web interface from the wan, then when I enable port forwarding again - I can't.

 

[RMerlin]

That's weird I can send my config if you want to take a look at it - also It appears to be random, when configuring options in the web interface.

If I disable port forwarding - I can access my web interface from the wan, then when I enable port forwarding again - I can't.

Make sure you didn't disable either the firewall or NAT.

 

[mrdude]

Make sure you didn't disable either the firewall or NAT.

Ok thanks, No I didn't disable the firewall or nat.

It's ok - I have just manually added a nat script to jffs and have port forwarding working from that, and can reach the router from the wan as well.

Thanks.

 

[mrdude]

This is still broken for me - using ASUS RT-Ac87u: 378.52_alpha4

Smart QOS enabled - Port Forwarding is not working. (unable to port forward port 80 to port 80 on my web server) - web page times out using a url such as www.myebsite.org

Disabled Smart QOS - Port Forwarding works and I can access my web server webpage.

Firewall and NAT are both enabled.

 

[chamberc]

Broken for me as well. Turning on QOS on my 87u disables Port Forwarding.

 

[vanic]

Try to restart firewall via telnet or ssh:
rc rc_service restart_firewall

 

[chamberc]

Try to restart firewall via telnet or ssh:
rc rc_service restart_firewall

Unfortunately, no joy. What's weird, if I repeatedly reboot the router, about once out of 4 boots, the ports will be open. For while, I thought it might be loopback related, since I access the devices (cameras, sprinklers, etc) by sub-domain names, but verified the ports are truly not open by going via WAN IP, both from the lan and from an external network.

It's very strange.

 

[RMerlin]

Unfortunately, no joy. What's weird, if I repeatedly reboot the router, about once out of 4 boots, the ports will be open. For while, I thought it might be loopback related, since I access the devices (cameras, sprinklers, etc) by sub-domain names, but verified the ports are truly not open by going via WAN IP, both from the lan and from an external network.

It's very strange.

Do the forwards still show on the System Log -> Foward page?

Also try disabled NAT acceleration, as that'd be the most likely candidate for breaking port forwarding, rather than QoS itself.

 

[chamberc]

The ports work intermittently, so I'll provide status during each state. In between states, I make no changes to the router other than a reboot.

Port Forwarding Functioning
1) I set Adaptive QOS on at 9:20 AM.
2) Forwarding Log shows:

Destination Proto. Port range Redirect to Local port Chain
ALL TCP 8080 172.18.222.2 80 VSERVER
ALL TCP 8443 172.18.222.2 8443 VSERVER
ALL TCP 4000 172.18.222.120 80 VSERVER
ALL UDP 4000 172.18.222.120 80 VSERVER
ALL TCP 4001 172.18.222.121 80 VSERVER
ALL UDP 4001 172.18.222.121 80 VSERVER
ALL TCP 4002 172.18.222.122 80 VSERVER
ALL UDP 4002 172.18.222.122 80 VSERVER
ALL TCP 4003 172.18.222.123 80 VSERVER
ALL UDP 4003 172.18.222.123 80 VSERVER
ALL TCP 4004 172.18.222.124 80 VSERVER
ALL UDP 4004 172.18.222.124 80 VSERVER
ALL TCP 5938 172.18.222.100 5938 VSERVER
ALL UDP 5938 172.18.222.100 5938 VSERVER
ALL TCP 3074 172.18.222.139 3074 VSERVER
ALL UDP 3074 172.18.222.139 3074 VSERVER
ALL TCP 123 172.18.222.60 123 VSERVER
ALL UDP 123 172.18.222.60 123 VSERVER
ALL TCP 6690 172.18.222.60 6690 VSERVER
ALL UDP 6690 172.18.222.60 6690 VSERVER
ALL TCP 5000 172.18.222.60 5000 VSERVER
ALL UDP 5000 172.18.222.60 5000 VSERVER
ALL TCP 5001 172.18.222.60 5001 VSERVER
ALL UDP 5001 172.18.222.60 5001 VSERVER
ALL TCP 20 172.18.222.60 21 VSERVER
ALL UDP 20 172.18.222.60 21 VSERVER
ALL TCP 21 172.18.222.60 21 VSERVER
ALL TCP 2021 172.18.222.2 21 VSERVER
ALL UDP 21 172.18.222.60 21 VSERVER
ALL TCP 5200 172.18.222.100 5200 VSERVER
ALL UDP 5200 172.18.222.100 5200 VSERVER
ALL TCP 88 172.18.222.139 88 VSERVER
ALL UDP 88 172.18.222.139 88 VSERVER
ALL TCP 53 172.18.222.139 53 VSERVER
ALL UDP 53 172.18.222.139 53 VSERVER
ALL TCP 500 172.18.222.139 500 VSERVER
ALL UDP 500 172.18.222.139 500 VSERVER
ALL TCP 3544 172.18.222.139 3544 VSERVER
ALL UDP 3544 172.18.222.139 3544 VSERVER
ALL TCP 4500 172.18.222.139 4500 VSERVER
ALL UDP 4500 172.18.222.139 4500 VSERVER
ALL TCP 5005 172.18.222.60 5005 VSERVER
ALL UDP 5005 172.18.222.60 5005 VSERVER
ALL TCP 3004 172.18.222.60 3004 VSERVER
ALL UDP 3004 172.18.222.60 3004 VSERVER
ALL TCP 25105 172.18.222.133 25105 VSERVER
ALL UDP 25105 172.18.222.133 25105 VSERVER
ALL TCP 443 172.18.222.60 443 VSERVER
ALL UDP 443 172.18.222.60 443 VSERVER
ALL TCP 8181 172.18.222.100 8181 VSERVER
ALL UDP 8181 172.18.222.100 8181 VSERVER


We'll see how long they stay open and what the logs show when they close.

 

[chamberc]

I'm going to have to do some more scenario testing. Something is definitely wonky with Adaptive QOS, port forwarding, and NAT loopback. I will post back my results, but something is weird.

 

[chamberc]

Ok, I feel a little better to describe my testing scenarios.

Reason for attempting to use Adaptive QOS- High Bufferbloat on my TimeWarnerCable 300/20 connection.

Overview- AC87U as primary router connected to a cable modem in bridge mode
AC68U running in AP mode connected to eathernet which connects to the AC87U

I have approximately 65 devices that connect either to the AC87u or AC68u depending on their location (large house, about 4200 sq ft)

Many of these devices have sub-domain names that are port redirects using no-ip/dnsomatic. Thermostats, security cameras, sprinkler controls, NAS, etc

Upon turning on Adaptive QOS (doing so physically inside the LAN), I could drastically reduce BufferBloat, but at that point, when attempting to access the devices via their domain names, (redirects to open ports on the AC87u) I could not reach the devices.

Continuing to test while at work (remote into the 87u) I noticed that I could reach all of the devices via their domain names. Upon returning home, they appeared to all be no longer working via port forwarding.

It then dawned on me I could access the devices via IP, but not via their domain name. I then turned NAT Loopback from the Merlin mode to the Asus mode. It appears, switching this mode now allows the devices to be accessible from both within and outside the LAN to be accessible via their domain names.

Very strange... And my testing was flawed prior due to not taking into the account of being inside and outside the LAN.

Hope this is valuable to some.

 

[john9527]

I have approximately 65 devices that connect

With that many devices connecting, you could be running low on nvram space which can cause all sorts of strange issues. What is the NVRAM usage on the Tools page?

 

[chamberc]

With that many devices connecting, you could be running low on nvram space which can cause all sorts of strange issues. What is the NVRAM usage on the Tools page?

Thanks for the response. Currently it reads 44784 / 65536 bytes

 

[chamberc]

This is with my Adaptive QOS set at 292 and 20 respectively. Finally eliminated BB...

 

[john9527]

Currently it reads 44784 / 65536 bytes

That looks fine....and I think you have the right solution switching the NAT loopback implementation. Some work better with one vs the other (ASUS vs Merlin).