RT-AC68U in DMZ, port forwarding


bozho

New Around Here
Hi,

I run an RT-AC68U with Merlin 384.13 behind my ISP's router. Unfortunately, the ISP's router does not have a bridge mode, so I put the RT in the DMZ. The RT is assigned a stable IP via the ISP router's DHCP, uses an Automatic IP WAN connection to connect to the ISP's router, and the RT's "public" IP is correct. Everything else is switched off on the ISP's router, including WiFi.

I cannot get port forwarding to work on the RT. I have some ancient port forwards that I know worked with my previous ISP many moons ago (and previous ISP's router in bridge mode). When I add a port forward for a server on my LAN, I cannot connect from the Internet (connecting from the LAN works, so the server is not the problem). The server has DHCP IP reservation set on the RT.

I also run an OpenVPN server on the RT, and that one works fine (i.e. I can connect to it from the Internet).

I don't know that much about networking, but can port forwarding even work in this configuration?

Thank you!
 

ColinTaylor

Part of the Furniture
In theory this should work. If you're using common port numbers like 80, 443, etc. it's possible that your ISP is blocking them or those ports are already being used by the router.

You should consider updating the firmware at some point as your current version is over two years old.
 

bozho

New Around Here
I've just checked with my provider, they say they're not blocking anything. I'm testing with Syncthing Web UI port (8384), and default Minecraft server port (25565).

Where else should I look?
 

ColinTaylor

Part of the Furniture
Go to System Log - Port Forwarding and check that the ports are showing correctly there.
 

bozho

New Around Here
That table shows my port forward.

This is the output of iptables -t nat -L -n -v on the RT:

Code:
Chain PREROUTING (policy ACCEPT 550 packets, 59579 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
    2    84 VSERVER    all  --  *      *       0.0.0.0/0            192.168.0.3

Chain INPUT (policy ACCEPT 116 packets, 8697 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 38 packets, 3325 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 20 packets, 2109 bytes)
 pkts bytes target     prot opt in     out     source               destination
  371 37245 MASQUERADE  all  --  *      tun11   10.13.15.0/24        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      tun12   10.13.15.0/24        0.0.0.0/0
   50 11638 PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
   42 11070 MASQUERADE  all  --  *      eth0   !192.168.0.3          0.0.0.0/0
   18  1216 MASQUERADE  all  --  *      br0     10.13.15.0/24        10.13.15.0/24

Chain DNSFILTER (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DNSVPN1 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DNSVPN2 (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain LOCALSRV (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PCREDIRECT (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  tcp  --  *      *       10.13.15.21          0.0.0.0/0            tcp spt:22000 masq ports: 41769
    0     0 MASQUERADE  tcp  --  *      *       10.13.15.18          0.0.0.0/0            tcp spt:22000 masq ports: 59995
    0     0 MASQUERADE  tcp  --  *      *       10.13.15.21          0.0.0.0/0            tcp spt:22000 masq ports: 4381
    0     0 MASQUERADE  tcp  --  *      *       10.13.15.20          0.0.0.0/0            tcp spt:51000 masq ports: 51001
    0     0 MASQUERADE  udp  --  *      *       10.13.15.20          0.0.0.0/0            udp spt:51000 masq ports: 51001

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8384 to:10.13.15.18:8384
    2    84 VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain VUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:41769 to:10.13.15.21:22000
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:59995 to:10.13.15.18:22000
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4381 to:10.13.15.21:22000
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:51001 to:10.13.15.20:51000
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51001 to:10.13.15.20:51000

My ISP's router is on the 192.168.0.0/24 subnet (the RT is assigned 192.168.0.3 by the ISP's router), and my LAN is the 10.13.15.0/24 subnet.

I'm not well-versed in reading iptables output, but the VSERVER line in the PREROUTING chain made me wonder if the ISP's router changes the destination IP from the public IP to the DMZ IP.

I also tried disabling DMZ on the ISP's router and adding the 8384 port forward on the ISP's router to 192.168.0.3. No luck.
 

ColinTaylor

Part of the Furniture
You have two VPN clients enabled. Try disabling those.

P.S. I only see port 8384 in your output. I can't see port 25565 anywhere.
 

bozho

New Around Here
Disabled both VPN clients, made sure to put the RT back into DMZ, checked iptables output, DNSVPN1 and DNSVPN2 chains are gone. No joy.

I also tried disabling UPNP on the WAN page, same.

I've removed 25565 port for now, to keep things simple.
 

ColinTaylor

Part of the Furniture
Try connecting to port 8384 again (from the internet) and then post the output of your iptables command.
 

bozho

New Around Here
Oh, silly me.

It looks like something (ISP or ISP's router?) is blocking requests to my external IP when the requests are coming from my LAN.

When I telnet from my phone while connected to a mobile network, everything works as expected, with UPNP and VPN clients turned on...

Colin, sorry for wasting your time...
 
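The packet counters in the iptables -t nat output posted earlier are the decisive check in this thread: the VSERVER jump in PREROUTING counted 2 packets for 192.168.0.3, but the tcp dpt:8384 DNAT rule inside VSERVER counted 0, so the forward existed and simply never saw a packet for port 8384, which is exactly what the last post confirms (a test from inside the LAN against the external IP never comes back in through the upstream router's DMZ). The script below is an added example for this thread, not code from the posters or from Asuswrt-Merlin. It parses `iptables -t nat -L -n -v` output and reports each DNAT forward with its hit count, so that "rule never matched" (look upstream: ISP router DMZ, NAT loopback) can be told apart from "rule matched, server did not answer" (look at the LAN host). The SAMPLE string is a constructed excerpt of the NAT table from the thread so the script runs offline; the class and function names are the example's own.

```python
"""Check which DNAT port forwards in `iptables -t nat -L -n -v` output have
actually matched traffic.

Added example for this thread, not code from the router firmware or from the
posters.  SAMPLE is a constructed excerpt of the NAT table posted in the
thread so the script runs offline; class/function names are the example's own.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE = """\
Chain PREROUTING (policy ACCEPT 550 packets, 59579 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
    2    84 VSERVER    all  --  *      *       0.0.0.0/0            192.168.0.3

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8384 to:10.13.15.18:8384
    2    84 VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain VUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:41769 to:10.13.15.21:22000
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51001 to:10.13.15.20:51000
"""


@dataclass
class Rule:
    chain: str
    pkts: int
    target: str
    proto: str
    dport: Optional[int]   # destination port from "dpt:NNNN", if any
    to: Optional[str]      # DNAT target from "to:IP:PORT", if any


CHAIN_RE = re.compile(r"^Chain (\S+) \(")
# Columns: pkts bytes target prot opt in out source destination [match options...]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+(.*)$")
DPORT_RE = re.compile(r"\bdpt:(\d+)")
TO_RE = re.compile(r"\bto:(\S+)")


def parse_nat_table(text: str) -> List[Rule]:
    """Turn the verbose listing into Rule records, remembering the chain each
    rule belongs to.  Header and blank lines do not match RULE_RE and are skipped."""
    rules: List[Rule] = []
    chain: Optional[str] = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        m = RULE_RE.match(line)
        if chain is None or not m:
            continue
        pkts, _bytes, target, proto, extra = m.groups()
        dport = DPORT_RE.search(extra)
        to = TO_RE.search(extra)
        rules.append(Rule(chain, int(pkts), target, proto,
                          int(dport.group(1)) if dport else None,
                          to.group(1) if to else None))
    return rules


def forward_hits(rules: List[Rule]) -> Dict[Tuple[str, int], int]:
    """Map (proto, external port) -> packets translated, for every DNAT rule."""
    return {(r.proto, r.dport): r.pkts
            for r in rules if r.target == "DNAT" and r.dport is not None}


def chain_hits(rules: List[Rule], chain: str) -> int:
    """Packets counted by all rules in one chain (e.g. the VSERVER jump in PREROUTING)."""
    return sum(r.pkts for r in rules if r.chain == chain)


def diagnose(text: str) -> List[str]:
    """One line per DNAT forward.  A forward that still reads 'never matched'
    right after a test connection from outside means the packet never arrived
    on this router's WAN side, so the problem is upstream (ISP router DMZ or
    missing NAT loopback), not the rule itself."""
    rules = parse_nat_table(text)
    lines = []
    for r in rules:
        if r.target != "DNAT":
            continue
        head = f"{r.chain}: {r.proto} dpt {r.dport} -> {r.to}: "
        if r.pkts == 0:
            lines.append(head + "never matched (no inbound packet reached this rule)")
        else:
            lines.append(head + f"{r.pkts} packet(s) translated")
    return lines


if __name__ == "__main__":
    # Pipe the real listing in: iptables -t nat -L -n -v | python3 natcheck.py
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print("\n".join(diagnose(src)))
```

Run it once with the counters at rest, make a single test connection from a host that is genuinely outside (a phone on mobile data, as in the final post), then run it again: only a forward whose count moved has proven that the upstream router actually delivers that port to the RT's WAN side.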
