Configuring Static WAN IP through NAT

[jwal]

Hi,

I've been using Asuswrt-Merlin for some time but have limited NAT knowledge. Having exhausted everything I could think of to fix this, it is time to admit defeat and reach out for help.

I've recently switched to a static WAN IP, and after configuring the firewalls NAT table as below, I've been unable to access the internal service on below port using the external public WAN IP:

iptables -t nat -I PREROUTING -i ppp0 -d <WAN-IP> -p tcp --dport 43210 -j DNAT --to-destination 192.168.1.2:43210
iptables -t nat -I POSTROUTING -s 192.168.1.2 -p tcp -m tcp --sport 43210 -j SNAT --to-source <WAN-IP>
iptables -I FORWARD -d 192.168.1.2 -p tcp --dport 43210 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

It is worth mentioning I also connect to a VPN server on the tun11 interface, and have no such problems with port forwarding configured as follows.

iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 8889 -j DNAT --to-destination 192.168.1.2:6789

It appears from the logs, all traffic from ppp0 is dropped.

Oct 24 08:49:20 kernel: DROP IN=ppp0

I would very much appreciate any suggestions on how to resolve or investigate what is causing this issue.

 

[ColinTaylor]

Why don't you just use the port forwarding options in the router's GUI?

 

[jwal]

I did try that option Colin, but unfortunately it didn't work. I assumed (perhaps incorrectly) the port forwarding option in the routers GUI, simply resulted in the NAT table being updated.

 

[ColinTaylor]

I did try that option Colin, but unfortunately it didn't work. I assumed (perhaps incorrectly) the port forwarding option in the routers GUI, simply resulted in the NAT table being updated.

Maybe you should check it again. The iptables rule created through the GUI is almost identical to the PREROUTING rule you posted. The other 2 iptables rules are not necessary as there are already similar existing rules.

If it still doesn't work post a screen shot of your rule and the output of iptables-save.

 

[jwal]

I took a backup of the settings, reset to factory defaults then re-applied the port forwarding rule using the routers GUI - it is now working

I'm now hesitant to restore from the backup, as anticipate it may stop working again.

Do you know if it is possible to simply view all the saved settings from the backup file, then I can reapply them individually to try and identify which was causing the problem?

Appreciate your help with this.

 

[ColinTaylor]

Do you know if it is possible to simply view all the saved settings from the backup file, then I can reapply them individually to try and identify which was causing the problem?

You've never said what router model you have or what firmware version you are using.

 

[jwal]

Apologies, I have a Netgear R7000 with firmware 380.70

 

[Val D.]

Apologies, I have a Netgear R7000 with firmware 380.70

You are running illegal software on your router, won’t get support here.

 

[jwal]

Appreciate your help with the port forwarding issue.