Can only open ports when internal/external is different

Should I remove this line?
Code:
8047 1110K logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0
You can't (or shouldn't) remove that line because it is generated by the router as part of its "standard" rule set (it should be the last thing in the INPUT chain). As mstombs previously asked, I think we need to understand how/why those 6 rules got placed there.

Does logdrop drop all packages after it? I found little info about such a rule.
You can see what the logdrop chain does by looking at the output. Any rule match that jumps to logdrop will log new connection attempts and then drop the packet.
Code:
Chain logdrop (10 references)
 pkts bytes target     prot opt in     out     source               destination   
 8068 1111K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 7 level 4 prefix "DROP "
10002 1193K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
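The point above (anything that reaches the unconditional logdrop rule is logged and dropped, so rules appended below it can never match) can be checked mechanically. The script below is an added example, not code from the thread or from Asuswrt: it reads the text of `iptables -nvL INPUT` on stdin and prints the numbers of the rules that sit below the first catch-all logdrop/DROP/REJECT. The listing it runs against is constructed to mirror the thread's situation (six hand-added ACCEPT rules appended with `-A`, all with zero hits); the rule numbers are those `iptables -L INPUT --line-numbers` would show.

```shell
#!/bin/sh
# Added example (not from the thread): report INPUT rules that can never match
# because they sit below the unconditional logdrop (or DROP/REJECT) catch-all
# that Asuswrt appends to the chain. Input: the text of `iptables -nvL INPUT`.

# Constructed listing mirroring the thread: six rules appended with -A, so they
# landed after logdrop and show zero packets.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  100  6000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 1234  200K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   10   600 ACCEPT     udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
 8047 1110K logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5060
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpts:10000:20000
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443'

# Print the rule numbers (as `iptables -L INPUT --line-numbers` shows them) of
# every rule placed after the first unconditional logdrop/DROP/REJECT rule.
shadowed_rules() {
    awk '
        NR <= 2 { next }            # skip the "Chain" and column-header lines
        { rule++ }
        dead { print rule; next }   # everything below the catch-all is dead
        # Catch-all: any protocol, any in/out interface, any address and no
        # extra match (exactly 9 columns, so "state NEW" variants do not count)
        $3 ~ /^(logdrop|DROP|REJECT)$/ && $4 == "all" && $6 == "*" &&
        $7 == "*" && $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" && NF == 9 { dead = 1 }
    '
}

# Human-readable report. On the router: iptables -nvL INPUT | report_shadowed
report_shadowed() {
    shadowed_rules | while read -r n; do
        echo "INPUT rule $n can never match: it follows the logdrop catch-all"
    done
}

printf '%s\n' "$SAMPLE_LISTING" | report_shadowed
```

A rule that does show up here is not wrong in itself, only misplaced: re-adding it with `iptables -I` (or from firewall-start) puts it above logdrop where it can be evaluated.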
 
I think we need to understand how/why those 6 rules got placed there.

I added them manually following one of those guides in the web :rolleyes:

As I see it, there is little sense to open ports (=forward ports) in the GUI if I wanna open a port for a router-based service, 'cause the GUI applet is intended only for LAN PCs. No?
So as I understand, I should remove these rules and re-add them correctly. How to do this?
 
As I see it, there is little sense to open ports (=forward ports) in the GUI if I wanna open a port for a router-based service, 'cause the GUI applet is intended only for LAN PCs. No?
Correct.
So as I understand, I should remove these rules and re-add them correctly. How to do this?
You should use a /jffs/scripts/firewall-start script. I can't comment on what (and where) the correct rules to be added (or inserted) are as I am not familiar with your application.
 
I can't comment on what (and where) the correct rules to be added (or inserted) are as I am not familiar with your application.

My task is quite trivial: I want to make available my Asterisk server for external SIP clients. Now only LAN clients are able to register on the server. My asterisk works on the standard 5060 udp port.
 
You must be adding rules to the INPUT chain using "-A"; test first using "iptables -I", which will insert the rules at the top, not the most efficient but it should work. I guess Asuswrt's (and others') use of an explicit logdrop at the end is for the optional logging function? Surely it would be better to change the default policy from ACCEPT?

NB do check out the original documentation, good info for Linux OS in general!

https://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-7.html#ss7.4
 
I guess Asuswrt's (and others') use of an explicit logdrop at the end is for the optional logging function? Surely it would be better to change the default policy from ACCEPT?
Yes, it's for logging dropped packets. If that option is turned off in the GUI then "-j logdrop" becomes "-j DROP".

It's been asked before why it doesn't change the default policy. My suspicion is it's because a) it's always been like that (if it ain't broke don't fix it), and b) it makes it easier to dynamically create the rules based on all the possible permutations that might be set in the GUI.
 
My task is quite trivial: I want to make available my Asterisk server for external SIP clients. Now only LAN clients are able to register on the server. My asterisk works on the standard 5060 udp port.
So adding to what mstombs just said it looks like you would need something like this in your firewall-start script:
Code:
#!/bin/sh

iptables -I INPUT -i eth0 -p udp -m udp --dport 5060 -j ACCEPT

Of course this assumes that the server is actually listening on the WAN interface and not just the LAN interface.
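The one-liner above works, but firewall-start is re-run every time the router rebuilds its firewall, so a plain `-I` accumulates duplicate rules over time. The script below is an added example, not the thread's own script or anything shipped with Asuswrt-Merlin: it checks with `iptables -C` before inserting, keeps the rule spec in one place so the check and the insert cannot drift apart, and only applies the rule when the file is actually installed as firewall-start. It assumes the WAN interface is eth0 as in the thread (override with WAN_IF; on Asuswrt-Merlin `nvram get wan0_ifname` reports it) and lets IPT be pointed at a stand-in command to preview the calls without root.

```shell
#!/bin/sh
# Added example, not the thread's own script: an idempotent
# /jffs/scripts/firewall-start that opens the Asterisk SIP port on the WAN
# side. Assumptions: WAN interface eth0 as in the thread (override via WAN_IF;
# on Asuswrt-Merlin `nvram get wan0_ifname` reports it), and IPT may be
# pointed at a stand-in command to preview the calls without root.

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
SIP_PORT="${SIP_PORT:-5060}"

# One rule spec used by both the existence check and the insert, so the two
# can never drift apart and leave a duplicate behind.
sip_rule() {
    printf '%s' "-i $WAN_IF -p udp -m udp --dport $SIP_PORT -j ACCEPT"
}

# firewall-start is re-run whenever the firewall is rebuilt, so only insert
# when -C reports the rule missing. -I puts it at the top of INPUT, above the
# logdrop catch-all; -A would append it below logdrop, where it never matches.
ensure_input_rule() {
    # $1 is deliberately unquoted: it is a list of separate iptables arguments
    if "$IPT" -C INPUT $1 2>/dev/null; then
        echo "present: INPUT $1"
    else
        "$IPT" -I INPUT $1 && echo "inserted: INPUT $1"
    fi
}

# Apply only when installed under the firewall-start name; running or
# sourcing the file elsewhere just defines the functions for inspection.
case "$0" in
    */firewall-start) ensure_input_rule "$(sip_rule)" ;;
esac
```

Install it as /jffs/scripts/firewall-start, make it executable (`chmod a+rx`), and make sure JFFS custom scripts are enabled in the Merlin GUI; as in the post above, the server must actually be listening on the WAN address for the open port to be of any use.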
 
Can this thread be split? As far as I can understand this is not related to my original issue?
You are quite correct. Apologies. @MarcoPolo If you're still having problems please create another thread and we'll discuss it there.

So the original question remains the same:
Hi,

I am using a new RT-AC88U with the Merlin software (the issue I will describe also happens with official firmware).
Firmware: 380.67_beta4

Like many others I am having trouble opening ports on this router. I have disabled the firewall and disabled NAT Acceleration as suggested when people had problems.

I have now figured out that things work if the external (Port Range) and internal (local) port is different when I open ports.
If I set the same port or leave the local port blank the port stays closed. This is consistent when I try using RDP. For RDP I could even live with that setup.

But I have other programs where the external and internal ports need to be the same. So any idea how to fix this or explain what is going on?
 
You are quite correct. Apologies. @MarcoPolo If you're still having problems please create another thread and we'll discuss it there.

So the original question remains the same:
Like many others I am having trouble opening ports on this router. I have disabled the firewall and disabled NAT Acceleration as suggested when people had problems.

The 'firewall' is built using iptables-configured netfilter packet filters, which also do the port forwarding...
 
