RT-AC86U Port Forward Not Working? 384.8

[Dave Edwards]

I have nzbget installed locally on router 192.168.1. 1 listening on port 82. I can connect when on LAN.

I am at work so connecting over WAN. I have port forwarding enabled:

port range :82
local op: 192.168.1.1
local port:82
Protocol: BOTH

I use port checker https://www.yougetsignal.com/tools/open-ports/ and tells me the port is closed.. sure enough I cannot get to nzbget.

However I know nzbget is listening on port 82 and if I disable the firewall it works.

I had a similar problem with lightttpd and convinced myself I fixed this by simplying the conf. However now I believe I either simply don't understand how port forwarding works or it is not working. This is a simple rule, I applied settings, rebooted router and same problem.

Please help

(I have configured VPN and can work this way but I really wanted to get it working directly.. as much as anything I want to understand whether I am wrong or whether its a problem on the router).

thanks

 

[Jack Yaz]

It's not so much a port forward as you're not forwarding anything.

Try

iptables -I INPUT -p tcp --dport 82 -j ACCEPT

 

[Dave Edwards]

It's not so much a port forward as you're not forwarding anything.

Try

iptables -I INPUT -p tcp --dport 82 -j ACCEPT

Thank you ! That works. Could you explain why?

Is it a case that I should not port forward to services on the local router because that is plain nonsense? I should only port forward to pcs or whatever behind my router? and for services running on the router itself I should be using iptables .. I have a lot of reading to do I know but thanks for your help !

 

[bigcid10]

I had that issue as well ,wound up deadheading my router

 

[Vexira]

I have nzbget installed locally on router 192.168.1. 1 listening on port 82. I can connect when on LAN.

I am at work so connecting over WAN. I have port forwarding enabled:

port range :82
local op: 192.168.1.1
local port:82
Protocol: BOTH

I use port checker https://www.yougetsignal.com/tools/open-ports/ and tells me the port is closed.. sure enough I cannot get to nzbget.

However I know nzbget is listening on port 82 and if I disable the firewall it works.

I had a similar problem with lightttpd and convinced myself I fixed this by simplying the conf. However now I believe I either simply don't understand how port forwarding works or it is not working. This is a simple rule, I applied settings, rebooted router and same problem.

Please help

(I have configured VPN and can work this way but I really wanted to get it working directly.. as much as anything I want to understand whether I am wrong or whether its a problem on the router).

thanks

Is Nat set to full cone?

 

[Dave Edwards]

Is Nat set to full cone?

Full cone? The NAT settings are all enabled with nat helper where option available apart from PPPoE which is disabled.

Is the implication from last two replies that the port forwarding should have added those iptables entries itself? I just figured I didn't know what I was doing and for local services on the router I must use iptables command line? Is that wrong? Should I be able to do this fully through the GUI?

I'm not massively concerned as it's working via that command line but do the iptables stuff persist or do I need to had a startup script?

 

[ColinTaylor]

Full cone? The NAT settings are all enabled with nat helper where option available apart from PPPoE which is disabled.

Is the implication from last two replies that the port forwarding should have added those iptables entries itself? I just figured I didn't know what I was doing and for local services on the router I must use iptables command line? Is that wrong? Should I be able to do this fully through the GUI?

I'm not massively concerned as it's working via that command line but do the iptables stuff persist or do I need to had a startup script?

Full cone and the other NAT settings are irrelevant here. As is the port forwarding rule because that is for clients on the LAN, not the router itself.

@Jack Yaz's command creates a hole in the router's firewall allowing you to access it on that port from the internet. As you have guessed it will not survive a reboot therefore you'll need to put it into a firewall-start script. Something like this:

#!/bin/sh
iptables -I INPUT -p tcp --dport 82 -j ACCEPT

 

[Dave Edwards]

Full cone and the other NAT settings are irrelevant here. As is the port forwarding rule because that is for clients on the LAN, not the router itself.

@Jack Yaz's command creates a hole in the router's firewall allowing you to access it on that port from the internet. As you have guessed it will not survive a reboot therefore you'll need to put it into a firewall-start script. Something like this:

#!/bin/sh
iptables -I INPUT -p tcp --dport 82 -j ACCEPT

Thanks for clarifying.

 

[Jack Yaz]

Thank you ! That works. Could you explain why?

Is it a case that I should not port forward to services on the local router because that is plain nonsense? I should only port forward to pcs or whatever behind my router? and for services running on the router itself I should be using iptables .. I have a lot of reading to do I know but thanks for your help !

Correct - port forward applies to traffic being routed through the router. Since this service lives on the router, they won't work. If you're always going to be connecting from a fixed WAN IP, you could tighten the access on the rules, since the rule as-is will allow any traffic through on that port

 

[Vexira]

Full cone? The NAT settings are all enabled with nat helper where option available apart from PPPoE which is disabled.

Is the implication from last two replies that the port forwarding should have added those iptables entries itself? I just figured I didn't know what I was doing and for local services on the router I must use iptables command line? Is that wrong? Should I be able to do this fully through the GUI?

I'm not massively concerned as it's working via that command line but do the iptables stuff persist or do I need to had a startup script?

Wasn't sure if you meant upnp or normal port forwarding.

 

[loveleeyoungae]

Correct - port forward applies to traffic being routed through the router. Since this service lives on the router, they won't work. If you're always going to be connecting from a fixed WAN IP, you could tighten the access on the rules, since the rule as-is will allow any traffic through on that port

If I want to let devices on WAN side of the router to use its DNS server, will these rules be enough? (And don't worry, it's a double NAT environment, so I'm not exposing my network to the Internet - the Asus router and those devices belong to the subnet range of the ISP Router/Modem)

iptables -I INPUT 4 -p udp --dport 53 -j ACCEPT
iptables -I INPUT 5 -p tcp --dport 53 -j ACCEPT

Actually, I tried those rules. But it seemed the devices got stuck, they couldn't open websites/reach internet anymore. Maybe some other changes to dnsmasq.conf are required?

 

[ColinTaylor]

Actually, I tried those rules. But it seemed the devices got stuck, they couldn't open websites/reach internet anymore. Maybe some other changes to dnsmasq.conf are required?

You'd have to change dnsmasq so that it's also listening on the WAN interface. I'd guess that you'd also need to use the --no-dhcp-interface option to stop it being a DHCP server for the upstream network.

 

[loveleeyoungae]

You'd have to change dnsmasq so that it's also listening on the WAN interface. I'd guess that you'd also need to use the --no-dhcp-interface option to stop it being a DHCP server for the upstream network.

Thank you. Sorry for my limited knowledge, is WAN interface vlan2 or eth0/wan0? So for example, I can put these into the dnsmasq.conf.add?

interface=vlan2
no-dhcp-interface=vlan2
server=1.1.1.1 #use dnsmasq to set upstream DNS instead of using webgui

Btw, it'd be great if you can point out how to know what ethx/vlanx is for which interface. Tried a google search, but maybe I didn't use the right keywords.

 

[ColinTaylor]

Btw, it'd be great if you can point out how to know what ethx/vlanx is for which interface. Tried a google search, but maybe I didn't use the right keywords.

The WAN interface changes depending on whether hardware acceleration is enabled, and possibly by model. So the best way to find your current interface is with:

nvram get wan0_ifname

I'm ignoring any dual-WAN setups.

 

[Martineau]

The WAN interface changes depending on whether hardware acceleration is enabled, and possibly by model. So the best way to find your current interface is with:

nvram get wan0_ifname

I'm ignoring any dual-WAN setups.

Invalid for PPPoE WAN.

 

[ColinTaylor]

Invalid for PPPoE WAN.

I don't have any experience of that kind of setup. So what's the appropriate command in that case?

 

[john9527]

I don't have any experience of that kind of setup. So what's the appropriate command in that case?

wan0_pppoe_ifname

 

[loveleeyoungae]

The WAN interface changes depending on whether hardware acceleration is enabled, and possibly by model. So the best way to find your current interface is with:

nvram get wan0_ifname

I'm ignoring any dual-WAN setups.

Thanks, I should have remembered it as I used to read some thread mentioning that nvram variable. Still I'd have to read more on networking interfaces.

Anyway, the example code worked! FYI, I'm trying to set my Diversion-enabled-AC68U as the DNS-aka-adblocking server for devices on its WAN side (Double NAT, not exposing my network), so currently it can help blocking http ads fine, but has some weird behavior with httpS ads (half-loading, long timeout instead of quick timeout as for devices on its LAN side).

Don't know if you guys can continue to offer some quick suggestions, or maybe I should elevate this question to a separate thread, but thank you

 

[ColinTaylor]

Anyway, the example code worked! FYI, I'm trying to set my Diversion-enabled-AC68U as the DNS-aka-adblocking server for devices on its WAN side (Double NAT, not exposing my network), so currently it can help blocking http ads fine, but has some weird behavior with httpS ads (half-loading, long timeout instead of quick timeout as for devices on its LAN side).

Don't know if you guys can continue to offer some quick suggestions, or maybe I should elevate this question to a separate thread, but thank you

Yeah, not really on-topic for this thread. Sounds more like a question best asked in a Diversion thread.