firewall-start script VS web UI port forwarding

Discussion in 'Asuswrt-Merlin' started by Joel Teixeira, Oct 11, 2017.

  1. Joel Teixeira (Occasional Visitor, joined May 30, 2015)

    Hey there,

    I'm a little confused regarding port forwarding on my ASUS AC3200. I disabled UPnP since it seems to be related to some security concerns and mapped all ports manually. My main doubt is: do I need to use the firewall-start script if the rule is already in "WAN - Virtual Server / Port Forwarding"?

    If I create, for instance, a rule like:

    [image: port forwarding rule in the web UI]

    Do I still need to open the ports in firewall-start with:

    [image: firewall-start script opening the ports]

    Or/and should I redirect using firewall-start as well (not sure the syntax below is correct):

    [image: firewall-start script with a redirect rule]

    Is there any preferred method? When I create a redirect in the web UI, does it automatically open/forward the port without needing to tweak the script? Or is the script preferred and should I forget about the web UI when it comes to port forwarding?

    Thanks a lot!
     
  2. ColinTaylor (Part of the Furniture, joined Mar 31, 2014, UK)

    No you don't need any scripts.
  3. Martineau (Very Senior Member, joined Jul 8, 2012, UK)

    FYI, to exploit the Port Forwarding tables implemented by Asus, the rules are in the following format:
    Code:
    iptables -t nat -I PREROUTING -d $(nvram get wan_ipaddr) -j VSERVER
    iptables -t nat -I VSERVER -p udp -m udp --dport nnnnn -j DNAT --to-destination xxx.xxx.xxx.xxx:ppppp
    Using a custom Port Forwarding script is useful in the following scenarios:

    1. You exceed the Port Forwarding rule limit in the GUI!

    2. You wish to dynamically allow the Port Forwarding only for a specific (limited) time period (using cron) or based on some other criteria/event such as port knocking etc.
     
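The two scenarios Martineau lists (more forwards than the GUI table holds, and forwards that are only open during a time window driven by cron) can be served by one firewall-start script built around the VSERVER rule shape shown in his post. The script below is an added example written for this thread, not code posted by anyone in it or shipped with Asuswrt-Merlin. It assumes the VSERVER chain and the PREROUTING jump into it already exist (Asus creates them when a GUI forward is enabled; the post above shows the jump), and the forward list, LAN hosts and time window are constructed sample values. Because firewall-start is re-run every time the firmware rebuilds the firewall, each rule is checked with `-C` before it is inserted so the chain does not fill with duplicates; off the router (no iptables on PATH) the script prints the commands instead of running them so it can be exercised safely.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start -- added example, not code from the thread.
# Keeps a list of forwards in the VSERVER chain, inserting them only inside a
# time window and removing them outside it (a cron job calls "firewall-start del"
# when the window closes). Assumptions not in the thread: VSERVER and its
# PREROUTING jump exist already; FORWARDS and the window are sample values.

# proto wan_port lan_ip:lan_port  (constructed sample entries)
FORWARDS="
tcp 2222  192.168.1.10:22
udp 51820 192.168.1.20:51820
tcp 8443  192.168.1.30:443
"
WINDOW_START=8   # forwards open from 08:00 ...
WINDOW_END=18    # ... up to, not including, 18:00 (router local time)

# On the router this drives the real iptables. Off-router (no iptables on PATH)
# it falls back to printing the commands so the logic can be tested.
if command -v iptables >/dev/null 2>&1; then
    IPT=iptables; DRY_RUN=0
else
    IPT="echo iptables"; DRY_RUN=1
fi
use_dry_run() { IPT="echo iptables"; DRY_RUN=1; }

# One forward as a line of iptables arguments, in the format from the post,
# so the same text serves -C (check), -I (insert) and -D (delete).
vserver_rule_args() { # proto wan_port lan_ip:lan_port
    printf 'VSERVER -p %s -m %s --dport %s -j DNAT --to-destination %s' "$1" "$1" "$2" "$3"
}

rule_present() { # 0 if the rule is already in the nat table (never in dry-run)
    [ "$DRY_RUN" -eq 0 ] && $IPT -t nat -C $1 2>/dev/null
}

# firewall-start re-runs on every firewall rebuild: insert only when absent,
# otherwise VSERVER accumulates duplicate copies of each rule.
add_forward() {
    args=$(vserver_rule_args "$1" "$2" "$3")
    rule_present "$args" || $IPT -t nat -I $args
}

# Delete every copy; a single -D removes only one matching rule.
del_forward() {
    args=$(vserver_rule_args "$1" "$2" "$3")
    if [ "$DRY_RUN" -eq 1 ]; then $IPT -t nat -D $args; return; fi
    while rule_present "$args"; do $IPT -t nat -D $args; done
}

# Is hour-of-day $3 (default: now) inside [$1, $2)? The leading zero of
# "08" is stripped so every shell compares it as the number 8.
in_window() { # start_hour end_hour [hour]
    h=${3:-$(date +%H)}; h=${h#0}; h=${h:-0}
    [ "$h" -ge "$1" ] && [ "$h" -lt "$2" ]
}

# Apply "add" or "del" to every FORWARDS entry, rejecting malformed lines
# instead of passing them to iptables.
apply_forwards() { # add|del
    echo "$FORWARDS" | while read -r proto port dest; do
        [ -n "$proto" ] || continue
        case "$proto" in tcp|udp) ;; *) echo "skip: bad proto '$proto'" >&2; continue;; esac
        case "$port" in *[!0-9]*|"") echo "skip: bad port '$port'" >&2; continue;; esac
        case "$dest" in *.*.*.*:[0-9]*) ;; *) echo "skip: bad dest '$dest'" >&2; continue;; esac
        "${1}_forward" "$proto" "$port" "$dest"
    done
}

# Entry point. The firmware runs this as /jffs/scripts/firewall-start with no
# arguments; cron runs "firewall-start del" at WINDOW_END and "firewall-start"
# at WINDOW_START. Under any other name the file only defines the functions.
case "$(basename "$0")" in
    firewall-start)
        if [ "${1:-}" = del ] || ! in_window "$WINDOW_START" "$WINDOW_END"; then
            apply_forwards del
        else
            apply_forwards add
        fi ;;
esac
```

The cron side is two entries that re-invoke the script at the window edges; on Merlin they would be registered with `cru` from services-start (assumed here, not from the thread), for example `cru a fwopen "0 8 * * * /jffs/scripts/firewall-start"` and `cru a fwclose "0 18 * * * /jffs/scripts/firewall-start del"`. A port-knocking handler can reuse `add_forward` and `del_forward` in the same way. Nothing here touches the rules the GUI writes into VSERVER; Asus rebuilds those itself and firewall-start runs afterwards, which is why inserting with `-I` at the head of the chain is safe.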
  4. Joel Teixeira (Occasional Visitor, joined May 30, 2015)

    Thanks a lot for the detailed explanation. Since I don't have so many rules to apply I'll just remove the firewall-start file completely.