Port forwarding not working with TOR function

WarIock

Occasional Visitor
Hello, friends. Please help me with the problem. If I turn on TOR for a specified MAC, then this device is available from the local network with its IP, but port forwarding rules for this device stop working. How can I fix this? If I disable TOR for this device, then port forwarding rules work correctly.
 
Hello, friends. Please help me with the problem. If I turn on TOR for a specified MAC, then this device is available from the local network with its IP, but port forwarding rules for this device stop working. How can I fix this? If I disable TOR for this device, then port forwarding rules work correctly.

That’s expected behaviour. I mean, that’s the point of TOR so your IP is hard to trace back. Unless you have created an onion address for your router and you’re trying to access the open port using said address, everything is working correctly.
 
... Unless you have created an onion address for your router and you’re trying to access the open port using said address, ...
I think onion addresses work well because they do not rely on port forwarding.
 
In the old firmware version it worked. In the 384.x firmware version, the device for which TOR is enabled can see the local network. So this is not an unconditional redirection of all traffic through TOR. The router is the entry point to TOR. I do not understand the difference in the trace: local device1-router local ip-device0 (TOR) and device1-router wan ip-port forwarding-device0, but the first worked, the second not.
 
I do not understand the difference in the trace: local device1-router local ip-device0 (TOR) and device1-router wan ip-port forwarding-device0, but the first worked, the second not.
I think I know what you’re trying to do now; you’re basically using your router as a jumpbox into the TOR network.

Which version was it working before? I’ll take a look at the code tomorrow and see if I can spot any changes that might’ve impacted this scenario.
 
I think I know what you’re trying to do now; you’re basically using your router as a jumpbox into the TOR network.

Which version was it working before? I’ll take a look at the code tomorrow and see if I can spot any changes that might’ve impacted this scenario.

I do not remember exactly, it seems it was version 360.65 or earlier. This does not exactly work on versions 380.69.x and 384.x
It seems that custom port forwarding prtov began to have a lower priority than the redirection that starts with the TOR
Not quite right, I use TOR only for two devices: an android and a small home server. To some server ports, access must be from LAN and from WAN.
 
Not quite right, I use TOR only for two devices: an android and a small home server. To some server ports, access must be from LAN and from WAN.
Ah, selective TOR just like you said in first post, got it.
 
I use TOR only for two devices: an android and a small home server. To some server ports, access must be from LAN and from WAN.
After re-reading your set up, I finally got what you want :)

You have a ‘small home server’ that reaches out to the web via TOR. You ALSO want to be able to access said home server through your router IP via WAN, is that correct?

If so, it is CORRECT behaviour that it doesn’t work, because if it did that would be a leak. Looking at the code, this was implemented in 380.64, which lines up with the versions you said it stopped working.

If you really need this set up then you’d need to setup a proxy/jumpbox in your LAN with port forwarding and no TOR, and access that small home server through it.
 
With an Asuswrt-Merlin custom config, you can tell Tor the port to use, for a tunneled HTTP proxy or SOCKS proxy.

https://www.torproject.org/docs/tor-manual.html.en

HTTPTunnelPort [address:]port|auto [isolation flags]

Open this port to listen for proxy connections using the "HTTP CONNECT" protocol instead of SOCKS. Set this to 0 if you don’t want to allow "HTTP CONNECT" connections. Set the port to "auto" to have Tor pick a port for you. This directive can be specified multiple times to bind to multiple addresses/ports. See SOCKSPort for an explanation of isolation flags. (Default: 0)


SocksPort [address:]port|unix:path|auto [flags] [isolation flags]

Open this port to listen for connections from SOCKS-speaking applications. Set this to 0 if you don’t want to allow application connections via SOCKS. Set it to "auto" to have Tor pick a port for you. This directive can be specified multiple times to bind to multiple addresses/ports. If a unix domain socket is used, you may quote the path using standard C escape sequences. (Default: 9050)
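
The two directives quoted above, written out as a torrc fragment that keeps both listeners on the LAN side. This is an added example, not part of the original post or of the firmware's own configuration; the router LAN address 192.168.1.1, the subnet 192.168.1.0/24 and the port numbers are assumed values, and the Tor build on the router must support HTTPTunnelPort.

```conf
# Added example, not from the thread. 192.168.1.1 (router LAN address),
# 192.168.1.0/24 (LAN subnet) and both port numbers are assumed values.

# SOCKS listener bound to the LAN address only, for applications that are
# explicitly configured to use it.
SocksPort 192.168.1.1:9050

# HTTP CONNECT listener, also bound to the LAN address only.
HTTPTunnelPort 192.168.1.1:8118

# Entry policy for SocksPort: accept clients on the LAN, reject all others.
SocksPolicy accept 192.168.1.0/24
SocksPolicy reject *
```

Binding to a specific LAN address instead of a wildcard or WAN address keeps the proxy ports from being reachable from outside the local network.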
 
