AX1800 - port forwarding and other settings aren't reflected in iptables


dyasny

New Around Here
Hi all,

I've been going back and forth with Asus support over this for a while now, and I hope maybe to find help here instead.

I've got an AX1800 xd4 router connected to a bridged modem, and everything worked fine until I decided I needed to open a port to an internal machine. So I looked at the UI, found the port forwarding section and added a port, exactly as it says in the manual. Only nothing happened.
So I ssh into the router and start poking around, and notice that when I enable openvpn for example, the INPUT chain gets the server's port and I can connect to openvpn, but the forwarded ports aren't visible anywhere in `iptables -L`.

The issue seems to be selective in fact. When I set up a trigger, it shows up in iptables. When I try to open ssh on the router to the WAN, nothing happens either.

I'm running 3.0.0.4.386_46061-g9a06866
 
The port forwarding rules won't be seen in that output because you're only displaying the filter table. To see the forwarding rules you need to look at the nat table:
Code:
iptables-save -t nat
You can also see them in the GUI at System Log - Port Forwarding
 
Thanks, that shows the rule and the port/host but port forwarding still doesn't work:

Code:
-A VSERVER -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.127:8080
-A VSERVER -j VUPNP
-A VSERVER -j LOCALSRV
-A VSERVER -j DNAT --to-destination 192.168.1.127
 
I'm assuming that you're trying to forward port 8080 to 192.168.1.127.

You currently have 192.168.1.127 in the DMZ which is a security concern so I suggest you remove that.

The port forwarding looks fine so I suggest the problem lies elsewhere. Either you don't have a public IP address or there's an issue with the server setup.
 
Yeah, I enabled DMZ to see if that would work, not planning on keeping it going.

I can access the port over LAN from my laptop and other devices, I can even curl it from inside the router. As for internet - other stuff, like connecting to openvpn on the router, works from the outside just fine. I also just fiddled a bit with ssh from the WAN and after rebooting the router it also started working.
 
Interesting stuff here. The machine I'm forwarding to has nordvpn installed and running. Apparently it doesn't interfere with LAN access, but it does when coming in from WAN. When I stop nordvpn, port forwarding works just fine.

Now to figure out how to make nordvpn play nice, can I masquerade the incoming forwarded connections as sourced from the LAN somehow maybe?
 
Now to figure out how to make nordvpn play nice, can I masquerade the incoming forwarded connections as sourced from the LAN somehow maybe?
Try this:
Code:
iptables -t nat -I POSTROUTING -d 192.168.1.127 -o br0 -j SNAT --to $(nvram get lan_ipaddr)
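As an added example (not posted by anyone in this thread), a small shell audit that reads `iptables-save -t nat` output like the one shown above, lists the explicit port forwards in the VSERVER chain, flags a DMZ-style catch-all DNAT (the security concern raised earlier), and checks whether the hairpin SNAT for a forward target is present. The NAT dump below is constructed for the example; on a router you would feed it `$(iptables-save -t nat)` instead.

```shell
# Constructed sample of `iptables-save -t nat` output, modelled on the rules in the thread.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:VSERVER - [0:0]
-A PREROUTING -d 203.0.113.10/32 -j VSERVER
-A VSERVER -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.127:8080
-A VSERVER -j VUPNP
-A VSERVER -j LOCALSRV
-A VSERVER -j DNAT --to-destination 192.168.1.127
COMMIT'

# Print "port proto target" for every explicit port forward in the VSERVER chain.
list_forwards() {
    printf '%s\n' "$1" | awk '
        /^-A VSERVER / && /--dport/ && /-j DNAT/ {
            proto = ""; port = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
                if ($i == "--to-destination") dst = $(i + 1)
            }
            print port, proto, dst
        }'
}

# Report DMZ-style catch-all rules: a DNAT in VSERVER with no port match sends
# every unsolicited inbound packet to that host, exposing all of its services.
find_dmz() {
    printf '%s\n' "$1" | awk '
        /^-A VSERVER / && /-j DNAT/ && !/--dport/ {
            for (i = 1; i <= NF; i++) if ($i == "--to-destination") print $(i + 1)
        }'
}

# True when a POSTROUTING SNAT toward the forward target exists on br0, i.e. the
# fix from this thread that makes forwarded traffic look LAN-sourced to the host.
# iptables-save prints the destination as a /32, so accept both spellings.
has_lan_snat() {
    printf '%s\n' "$1" | grep -qE -- "^-A POSTROUTING -d $2(/32)? -o br0 -j SNAT"
}

echo "Port forwards:";   list_forwards "$SAMPLE_NAT"
echo "DMZ hosts:";       find_dmz "$SAMPLE_NAT"
if has_lan_snat "$SAMPLE_NAT" 192.168.1.127; then echo "hairpin SNAT: present"
else echo "hairpin SNAT: missing"; fi
```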
 
Looks like it worked, will this be permanent or is there another command to save this setting?
 
Unfortunately it's only temporary until you reboot the router and make changes in the GUI that affect the firewall.

To make the change persistent you'd have to be running a custom firmware like Merlin, but that's not available for your model of router.
 
Isn't there something like rc.local where I can push this setting and make it permanent? Or is it because all permanent settings are stored in nvram instead of the local FS?
 
Or is it because all permanent settings are stored in nvram instead of the local FS?
^This^ The firmware would need to support some sort of "user hooks" for custom scripts. The stock Asus firmware doesn't have this.*

* There is a way of triggering a script when a USB device is mounted but that would be a very unreliable method of modifying the firewall, if it worked at all.
 
Well, it is what it is :) Thank you so much, I've finally received some real answers, which didn't happen after a week of daily back and forth with Asus support.
 