Cannot get port forwarding to work

muumi

New Around Here
Hi. I am trying to configure port forwarding on my ASUS RT-AX86U with Merlin 386.5_2. I want to add forwarding from some random WAN port to one of my computers' SSH port on the LAN.

I configured WAN->Virtual Server / Port Forwarding and set Enable Port Forwarding ON, and added rule

Service Name: ssh
External Port: 11111
Internal Port: 22
Internal IP: 192.168.xx.xx
Protocol: TCP
Source IP: <empty>

But trying to ssh into the WAN IP / DDNS address (which resolves to the correct WAN IP) and the configured port (11111 above), it just times out. I tried to tail the auth.log on the server side but nothing arrives there. I asked my ISP if they are blocking some incoming connections, and they said no, they are not.

The server has only SSH keys enabled for login but it works fine from LAN. And the connection should not just timeout in any case.

Is there some setting(s) I might be missing? Or any ideas on how to debug it further?

Thanks,
 

ColinTaylor

Part of the Furniture
Does the port show as open from https://canyouseeme.org/ ?

Have you checked the firewall settings on the server machine?

Have you tried forwarding a port for a different service, e.g. HTTP or FTP? Does that also not work?
 

eibgrad

Part of the Furniture
One possibility often overlooked: by chance do you have an active OpenVPN client running at the same time? If you do, and the target of your port forward is being routed over the VPN, the target will become inaccessible for remote access purposes over the WAN.
 

mlord

Regular Contributor
The machine that is actually providing the SSH server on port 22 has to be configured to permit (or to not disallow) connections from random external IP addresses. If it is rejecting anything not from the internal LAN, then that would explain the issue here.
 

muumi

New Around Here
One possibility often overlooked: by chance do you have an active OpenVPN client running at the same time? If you do, and the target of your port forward is being routed over the VPN, the target will become inaccessible for remote access purposes over the WAN.

Thanks! This was it. I always have VPN on so after turning it off the connection just works. I guess I will have to try to remember to disable VPN on the server if I intend to access it remotely. Too bad but at least I know the reason now.
Does the port show as open from https://canyouseeme.org/ ?

Have you checked the firewall settings on the server machine?

Have you tried forwarding a port for a different service, e.g. HTTP or FTP? Does that also not work?

Was planning to try these next, maybe put netcat to listen on something and try to connect to that. canyouseeme was not finding the port either. And I checked the server firewall. In any case, it seems the VPN is the issue, so it's good to have it sorted.
 

eibgrad

Part of the Furniture
There are other options besides shutting down the VPN.

1. If the public IP of the remote client is KNOWN (workplace, second home, commonly visited wifi cafe, etc.), then you can create a static route that binds that public IP to the WAN (that can be done w/ route directives in the custom config field). If you're using routing policy w/ the OpenVPN client, it's actually more effective to use the VPN Director to bind the public IP(s) to the WAN.

Of course, for those who are truly roaming to unexpected locations, this isn't a viable solution.

2. Provided the VPN provider supports it, you could remotely access those devices bound to the VPN over the VPN provider's end of the tunnel.
 

muumi

New Around Here
There are other options besides shutting down the VPN.

1. If the public IP of the remote client is KNOWN (workplace, second home, commonly visited wifi cafe, etc.), then you can create a static route that binds that public IP to the WAN (that can be done w/ route directives in the custom config field). If you're using routing policy w/ the OpenVPN client, it's actually more effective to use the VPN Director to bind the public IP(s) to the WAN.

Of course, for those who are truly roaming to unexpected locations, this isn't a viable solution.

2. Provided the VPN provider supports it, you could remotely access those devices bound to the VPN over the VPN provider's end of the tunnel.

Yes I see, thanks. Solution 1 seems a bit complex for me, I am not sure what configs to modify, and also sometimes I use a dynamic source IP.

I found a way to configure port forwarding at VPN provider endpoint. I can use that to forward connection to my ssh server. Just need to add the VPN forwarded port to SSH on the server. It works as I tested it.

I see the VPN completely bypasses port forwarding on the router, as that seems to have no effect. Not sure I understand how the routing goes at the lower levels to leave the router out of it, but I guess the VPN must take over some low-level protocols.

Well, this should now give me the means to solve my problem so that is good.

Thanks!
 

mac_user_00

New Around Here
Hi, I want to ask a question about Port Forwarding: I have an RT-AC86U with 386.7. I have set up some ports to forward, however when I check on canyouseeme I see only the first port is open, the rest are not. Also when I restart my router the first port is no longer open. I have re-installed the firmware several times and reset it to factory, however I cannot seem to be able to keep those ports open after the first restart.
[Screenshot of the port forwarding rules attached]

Does anyone have any suggestions for me? (I have the internal IPs set up but that's it, nothing in Internal Port or Source IP.)

Cheers
 

ColinTaylor

Part of the Furniture
Online port checkers can only check TCP ports, not UDP. That's why 44158 shows as open but not 1680. Restarting the router would break any active connection that port 44158 had and probably cause an error within the application (which it may or may not recover from).

Most of the PlayStation ports are UDP also. But as their use is dynamic it would be much better to delete the PS5 rule and let it use UPnP instead (WAN - Internet Connection > Enable UPnP = Yes).
 

eibgrad

Part of the Furniture
Hi, I want to ask a question about Port Forwarding: I have an RT-AC86U with 386.7. I have set up some ports to forward, however when I check on canyouseeme I see only the first port is open, the rest are not. Also when I restart my router the first port is no longer open. I have re-installed the firmware several times and reset it to factory, however I cannot seem to be able to keep those ports open after the first restart.
Does anyone have any suggestions for me? (I have the internal IPs set up but that's it, nothing in Internal Port or Source IP.)

Cheers

The OP in this thread had an issue w/ port forwarding because he had an *active* OpenVPN client at the same time. That was causing replies from remote access over the WAN to be routed over the VPN, which will NOT work. I then offered some options to address it.

So unless you have a similar situation, seems to me it would have been better to create your own thread.

That aside, I assume you purposely hid the internal IPs. I don't know why, since they are private IPs anyway.

As with all port forwarding, the proof of the pudding is in the eating. Regardless what any online checkers have to say about the matter, do any of these port forwards actually work?

If NOT, then it's the usual things you need to check, such as verifying you have a public IP (many ISPs now use CGNAT, which makes remote access impossible). Doesn't hurt to dump the relevant firewall tables either to verify all is as expected.

Code:
iptables -t nat -vnL PREROUTING
iptables -t nat -vnL VSERVER
iptables -vnL FORWARD

While it's fine to hide the public IP (assuming it's NOT CGNAT), please don't hide the internal IPs. It's NOT necessary and only makes it more difficult to diagnose the problem.

If remote access is at least reaching the router, you should see packet counts (pkts) > zero in the PREROUTING and VSERVER chains for those rules.
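As an added example (not part of the thread or of Asuswrt-Merlin), a small POSIX shell script that reads a VSERVER chain dump and checks the pkts column the way the post above describes; the dump text, the ports and the 192.168.1.x addresses in it are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check the pkts counter of the VSERVER
# DNAT rule for a forwarded port. SAMPLE_VSERVER is CONSTRUCTED text in the
# format of `iptables -t nat -vnL VSERVER`; on the router you would pipe the
# real command into forward_hits instead of this sample.
SAMPLE_VSERVER='Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12   720 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:11111 to:192.168.1.50:22
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1680 to:192.168.1.20:1680'

# forward_hits PORT: reads a chain dump on stdin and prints the pkts count of
# the DNAT rule whose destination port is PORT, or -1 if no such rule exists.
forward_hits() {
    awk -v port="$1" '
        BEGIN { key = "dpt:" port }
        $3 == "DNAT" {
            for (i = 1; i <= NF; i++)
                if ($i == key) { print $1; found = 1; exit }
        }
        END { if (!found) print "-1" }'
}

# check_forward PORT: returns 0 when the rule exists and has matched packets,
# 1 otherwise, printing a one-line diagnosis in the spirit of the post above.
check_forward() {
    hits=$(printf '%s\n' "$SAMPLE_VSERVER" | forward_hits "$1")
    case "$hits" in
        -1) echo "port $1: no DNAT rule in VSERVER, the forward is not configured"
            return 1 ;;
        0)  echo "port $1: rule present but 0 pkts, nothing reaches the router (check public IP / CGNAT, ISP)"
            return 1 ;;
        *)  echo "port $1: $hits pkts matched; if it still fails, suspect replies leaving via the VPN or the host firewall"
            return 0 ;;
    esac
}

check_forward 11111
check_forward 1680 || true
check_forward 44158 || true
```

A zero counter means the packets never arrived at the router; a non-zero counter with a connection that still times out is the pattern the OP saw, where the DNAT happened but the reply went out over the VPN tunnel.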
 
