Hi. I have an RT-AC66U B1 (firmware just updated to 3.0.0.4.386_51733) on which I'm attempting to get NAT traversal working, to dynamically open ports to devices behind my router. In my router settings, "WAN > Internet Connection > Enable UPnP" is set to "Yes". When I run the application on my laptop, the application successfully runs the NAT-PMP protocol and outputs an external IP address and port.
In the router settings, I can see that the TCP port is opened in the log at "System Log > Port Forwarding":
```
Source  Destination  Proto.  Port range  Redirect to    Local port
...
ALL     ALL          TCP     63000       192.168.0.227  63000
```
Unfortunately when I attempt to connect to the external IP and port, I eventually get a timeout error:
```
$ nc -zv EXTERNAL_IP 63000
... [EXTERNAL_IP] 63000: Operation timed out
```
It seems like the router is likely dropping the packets. If I attempt to connect before the NAT-PMP protocol is run, I immediately get a connection refused:
```
$ nc -zv EXTERNAL_IP 63000
... [EXTERNAL_IP] 63000: Connection refused
```
I am able to connect using my local IP address:
```
$ nc -zv 192.168.0.227 63000
... [192.168.0.227] 63000 open
```
I am also able to connect to the external IP address to ports I have manually port forwarded.
I thought the router's firewall might be causing the issue but disabling "Enable Firewall" and "Enable IPv6 Firewall" under "Firewall > General" does not make a difference.
I've ssh'd into the router and printed the iptables chains:
```
# iptables -v -L
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
221 114K INPUT_PING icmp -- any any anywhere anywhere icmp echo-request
105K 8187K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
1867 129K DROP all -- any any anywhere anywhere state INVALID
314K 38M PTCSRVWAN all -- !br0 any anywhere anywhere
141K 95M PTCSRVLAN all -- br0 any anywhere anywhere
141K 95M ACCEPT all -- br0 any anywhere anywhere state NEW
92194 24M ACCEPT all -- lo any anywhere anywhere state NEW
0 0 ACCEPT udp -- any any anywhere anywhere udp spt:bootps dpt:bootpc
0 0 INPUT_ICMP icmp -- any any anywhere anywhere
34 2322 ACCEPT udp -- br2 any anywhere anywhere udp dpt:domain
108 35424 ACCEPT udp -- br2 any anywhere anywhere udp dpt:bootps
0 0 ACCEPT udp -- br2 any anywhere anywhere udp dpt:bootpc
263 53916 DROP all -- br2 any anywhere anywhere
221K 14M OVPNSI all -- any any anywhere anywhere
221K 14M OVPNCI all -- any any anywhere anywhere
221K 14M DROP all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6 456 DROP all -- br0 any anywhere anywhere MAC ...
0 0 DROP all -- br0 any anywhere anywhere MAC ...
32248 1936K DROP all -- br0 any anywhere anywhere MAC ...
251K 23M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
903K 60M OVPNSF all -- any any anywhere anywhere
3833 1125K WGNPControls all -- br2 any anywhere anywhere
3833 1125K ACCEPT all -- br2 eth0 anywhere anywhere
0 0 DROP all -- !br0 eth0 anywhere anywhere
27 1328 ACCEPT all -- br0 br0 anywhere anywhere
273 22443 DROP all -- any any anywhere anywhere state INVALID
897K 58M ACCEPT all -- br0 any anywhere anywhere
1756 89100 ACCEPT all -- any any anywhere anywhere ctstate DNAT
0 0 OVPNCF all -- any any anywhere anywhere
0 0 VPNCF all -- any any anywhere anywhere
0 0 DROP all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 3246 packets, 3172K bytes)
pkts bytes target prot opt in out source destination
13459 965K OUTPUT_DNS udp -- any any anywhere anywhere udp dpt:domain u32 "..."
0 0 OUTPUT_DNS tcp -- any any anywhere anywhere tcp dpt:domain u32 "..."
213K 233M OUTPUT_IP all -- any any anywhere anywhere
Chain FUPNP (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- any any anywhere 192.168.0.227 tcp dpt:63000
...
```
It looks like the port is being added to the `FUPNP` chain but there are "0 references" to that chain. Should this chain be inserted into one of the other chains, and if so how should I do this permanently? Also, is there a way to confirm that the firewall is seeing and then dropping the connections? Thanks!
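An added example, not part of the original post: two shell helpers that work on saved `iptables -v -x -L` output, one listing chains that hold rules but are never jumped to, the other showing which rule in a chain gained packets between two snapshots taken around a connection attempt. The function names are hypothetical, the sample is abridged from the listing above with constructed counter values, and the comparison assumes the rule order is the same in both snapshots.

```shell
#!/bin/sh
# Added example, not from the original post. Works on saved output of
# `iptables -v -x -L` (-x prints exact counters instead of 105K / 38M).

# Constructed sample, abridged from the listing in the post; $1 is the
# packet count to show on the final FORWARD DROP rule.
sample_listing() {
cat <<EOF
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
251000 23000000 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
1756 89100 ACCEPT all -- any any anywhere anywhere ctstate DNAT
$1 0 DROP all -- any any anywhere anywhere

Chain FUPNP (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- any any anywhere 192.168.0.227 tcp dpt:63000
EOF
}

# Read a listing on stdin; print "<chain> <rule count>" for every chain
# that contains rules but is marked "(0 references)".
unreferenced_chains() {
  awk '
    function flush() { if (name != "" && orphan && rules > 0) print name, rules }
    /^Chain / { flush(); name = $2
                orphan = ($3 == "(0" && $4 == "references)"); rules = 0; next }
    /^ *pkts/ || NF == 0 { next }   # column header or blank line
    { rules++ }
    END { flush() }
  '
}

# Print "<rule number> <target> <new packets>" for each rule of chain $1
# whose packet counter grew between snapshot files $2 (before) and $3 (after).
grown_rules() {
  awk -v chain="$1" '
    /^Chain / { cur = $2; n = 0; next }
    cur != chain || /^ *pkts/ || NF == 0 { next }
    { n++
      if (FNR == NR) before[n] = $1 + 0            # first file: remember count
      else if ($1 + 0 > before[n]) print n, $3, $1 - before[n] }
  ' "$2" "$3"
}

sample_listing 0 | unreferenced_chains   # prints: FUPNP 1
```

On the router, save `iptables -v -x -L` to a file before and after a connection attempt from outside and pass both files to `grown_rules FORWARD`; a `DROP` line in the result is the rule that counted the packets.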