RT-AX86U Port forward does not work

orudie

Occasional Visitor
Stock Firmware Version: 3.0.0.4.386_46061

Hello. On my RT-AX86U port forwarding does not work. I believe it started happening after recently enabling AiMesh.

The AiMesh node is ASUS RT-AC68U connected to ASUS RT-AX86U using LAN ethernet. AiProtection is disabled.

The main router RT-AX86U WAN port is connected to LAN 1 port of my ISP's modem/router which is configured in bridge mode.

The RT-AX86U WAN is configured with WAN type PPPoE and connects to the ISP with a username and password.

The LAN is configured with the router's IP address 10.1.1.1 and subnet mask 255.255.255.0.

DDNS is enabled and configured with asuscomm.com and free SSL cert from letsencrypt.org.

Attaching a screenshot with the port forwarding rules; none of them are working.

Please suggest what I am doing incorrectly and which configuration I should check.
 

Attachment: asus port forward.png

ColinTaylor

Part of the Furniture
Are you using a VPN client on the router?

Have you checked that your router's WAN connection is getting a public IP address and not a private one?
 

orudie

Occasional Visitor
In the router VPN Clients are configured, but currently all are inactive.
Yes, my router's WAN connection is getting a public IP address. I verified this with both the router's GUI and whatismyip.com.
 

ColinTaylor

Part of the Furniture
Check that the port forwarding rules are present and correct in System Log - Port Forwarding.
 

orudie

Occasional Visitor
Source  Destination  Proto.  Port range  Redirect to  Local port
ALL     ALL          TCP     32400       10.1.1.20    32400
ALL     ALL          UDP     32400       10.1.1.20    32400
ALL     ALL          UDP     2456        10.1.1.21    2456
ALL     ALL          TCP     22          10.1.1.21    22
 

ColinTaylor

Part of the Furniture
That all looks correct.

How are you testing this? Are you testing from outside your LAN (i.e. from the internet side)? Test using your router's WAN IP address rather than a DDNS name.
 

orudie

Occasional Visitor
I am testing this from outside my LAN with both my WAN's IP address and DDNS name. In both cases I cannot reach my LAN servers on specified ports.

ex: telnet <my.wan.ip> 22
 

ColinTaylor

Part of the Furniture
You said that this used to work but thought it stopped working after enabling AiMesh. Are the servers connected directly to the primary router or to an AiMesh node?
 

orudie

Occasional Visitor
The Linux VM servers are running on Synology NAS in Virtual Machine Manager. Synology NAS is connected to the switch, which is connected to the router. Both Synology NAS and the VMs use the same LAN subnet network as the router 10.1.1.0/24. The OS firewall is disabled on the Linux VM servers.
 

orudie

Occasional Visitor
I removed the AiMesh node and switched some LAN cables around, then rebooted both the NAS and the router, which did not help.
The network switch is now connected to the router's LAN1 (gaming port) instead of the LAN2 port.
I am "hitting the wall" here. Any other suggestions please?
 

ColinTaylor

Part of the Furniture
Try testing access to a server running on a physical machine rather than a VM.
 

juanantonio

Occasional Visitor
Look at the system log for any clue. Also, Plex has its own tester to find out whether it is reachable or not. Finally, there are online tools which allow you to test if a port is open.
 

orudie

Occasional Visitor
As a test I installed an FTP server on a physical Windows computer, allowed connections on port 21 in the Windows firewall, tested the FTP connection from another computer on the LAN, and it worked.

Then in the router I configured port forwarding on port 21, and I am NOT able to reach it from outside.

[email protected] /home/orudie# telnet 10.1.1.37 21
Trying 10.1.1.37...
Connected to 10.1.1.37.
Escape character is '^]'.
220-FileZilla Server 1.4.1
220 Please visit https://filezilla-project.org/


Any other ideas?
 

Attachment: asus port forward.png

ColinTaylor

Part of the Furniture
If you SSH into the router (after having tried to connect) and issue the following command you will be able to see whether the port forwarding rules are accepting traffic.
Code:
iptables-save -t nat -c
 

orudie

Occasional Visitor
iptables-save -t nat -c
# Generated by iptables-save v1.4.12.2 on Fri May 20 19:12:01 2022
*nat
:PREROUTING ACCEPT [206:13708]
:INPUT ACCEPT [138:8829]
:OUTPUT ACCEPT [70:5982]
:POSTROUTING ACCEPT [64:5566]
:DNSFILTER - [0:0]
:GAME_VSERVER - [0:0]
:LOCALSRV - [0:0]
:MAPE - [0:0]
:PCREDIRECT - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
[31:1577] -A PREROUTING -d 178.127.183.219/32 -j GAME_VSERVER
[31:1577] -A PREROUTING -d 178.127.183.219/32 -j VSERVER
[31:1577] -A PREROUTING -d 178.127.183.219/32 -j GAME_VSERVER
[0:0] -A PREROUTING -d 169.254.198.37/32 -j VSERVER
[35:3238] -A POSTROUTING ! -s 178.127.183.219/32 -o ppp0 -j MASQUERADE --mode fullcone
[0:0] -A POSTROUTING ! -s 169.254.198.37/32 -o eth0 -j MASQUERADE --mode fullcone
[6:416] -A POSTROUTING -s 10.1.1.0/24 -d 10.1.1.0/24 -o br0 -j MASQUERADE
[0:0] -A VSERVER -p tcp -m tcp --dport 32400 -j DNAT --to-destination 10.1.1.20:32400
[0:0] -A VSERVER -p udp -m udp --dport 32400 -j DNAT --to-destination 10.1.1.20:32400
[0:0] -A VSERVER -p udp -m udp --dport 2456 -j DNAT --to-destination 10.1.1.21:2456
[0:0] -A VSERVER -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.1.1.21:22
[0:0] -A VSERVER -p tcp -m tcp --dport 20 -j DNAT --to-destination 10.1.1.37:21
[0:0] -A VSERVER -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.1.1.37:21
[31:1577] -A VSERVER -j VUPNP
COMMIT
# Completed on Fri May 20 19:12:01 2022
 

ColinTaylor

Part of the Furniture
iptables-save -t nat -c
# Generated by iptables-save v1.4.12.2 on Fri May 20 19:12:01 2022
*nat
:PREROUTING ACCEPT [206:13708]
:INPUT ACCEPT [138:8829]
:OUTPUT ACCEPT [70:5982]
:POSTROUTING ACCEPT [64:5566]
:DNSFILTER - [0:0]
:GAME_VSERVER - [0:0]
:LOCALSRV - [0:0]
:MAPE - [0:0]
:PCREDIRECT - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
[31:1577] -A PREROUTING -d 178.127.183.219/32 -j GAME_VSERVER
[31:1577] -A PREROUTING -d 178.127.183.219/32 -j VSERVER
[31:1577] -A PREROUTING -d 178.127.183.219/32 -j GAME_VSERVER
[0:0] -A PREROUTING -d 169.254.198.37/32 -j VSERVER
[35:3238] -A POSTROUTING ! -s 178.127.183.219/32 -o ppp0 -j MASQUERADE --mode fullcone
[0:0] -A POSTROUTING ! -s 169.254.198.37/32 -o eth0 -j MASQUERADE --mode fullcone
[6:416] -A POSTROUTING -s 10.1.1.0/24 -d 10.1.1.0/24 -o br0 -j MASQUERADE
[0:0] -A VSERVER -p tcp -m tcp --dport 32400 -j DNAT --to-destination 10.1.1.20:32400
[0:0] -A VSERVER -p udp -m udp --dport 32400 -j DNAT --to-destination 10.1.1.20:32400
[0:0] -A VSERVER -p udp -m udp --dport 2456 -j DNAT --to-destination 10.1.1.21:2456
[0:0] -A VSERVER -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.1.1.21:22
[0:0] -A VSERVER -p tcp -m tcp --dport 20 -j DNAT --to-destination 10.1.1.37:21
[0:0] -A VSERVER -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.1.1.37:21
[31:1577] -A VSERVER -j VUPNP
COMMIT
# Completed on Fri May 20 19:12:01 2022
There's almost zero traffic of any kind that's hit the firewall. I guess that's because you made some changes to the router just before issuing that command. Can you run the command again after trying to connect from the outside to your internal servers?
 

orudie

Occasional Visitor
With telnet I am continuously trying to hit port 21 from outside and running the command, but all I see is this:

iptables-save -t nat -c
# Generated by iptables-save v1.4.12.2 on Fri May 20 20:02:03 2022
*nat
:PREROUTING ACCEPT [717:68737]
:INPUT ACCEPT [400:24402]
:OUTPUT ACCEPT [101:9620]
:POSTROUTING ACCEPT [93:9028]
:DNSFILTER - [0:0]
:GAME_VSERVER - [0:0]
:LOCALSRV - [0:0]
:MAPE - [0:0]
:PCREDIRECT - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
[114:5801] -A PREROUTING -d 178.127.138.94/32 -j GAME_VSERVER
[114:5801] -A PREROUTING -d 178.127.138.94/32 -j VSERVER
[114:5801] -A PREROUTING -d 178.127.138.94/32 -j GAME_VSERVER
[1:84] -A PREROUTING -d 192.168.100.7/32 -j VSERVER
[97:14962] -A POSTROUTING ! -s 178.127.138.94/32 -o ppp0 -j MASQUERADE
[0:0] -A POSTROUTING ! -s 192.168.100.7/32 -o eth0 -j MASQUERADE
[8:592] -A POSTROUTING -s 10.1.1.0/24 -d 10.1.1.0/24 -o br0 -j MASQUERADE
[0:0] -A VSERVER -p tcp -m tcp --dport 20 -j DNAT --to-destination 10.1.1.37:21
[0:0] -A VSERVER -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.1.1.37:21
[115:5885] -A VSERVER -j VUPNP
COMMIT
# Completed on Fri May 20 20:02:03 2022
 

ColinTaylor

Part of the Furniture
There is no incoming traffic on those ports. Your public IP address has changed since your previous post. Are you absolutely sure you're using the correct IP address?
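The check ColinTaylor applies in the two posts above (DNAT rules whose packet counters stay at zero, and a WAN address that changed between dumps) can be automated over the output of `iptables-save -t nat -c`. This is an added example, not code from the thread or from the ASUS firmware; the sample dump it parses is constructed and uses documentation addresses.

```python
import re

# Constructed excerpt in the shape of `iptables-save -t nat -c` output (not the thread's dump).
SAMPLE_A = """\
*nat
:PREROUTING ACCEPT [717:68737]
:VSERVER - [0:0]
[114:5801] -A PREROUTING -d 203.0.113.7/32 -j VSERVER
[0:0] -A VSERVER -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.1.1.37:21
[3:180] -A VSERVER -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.1.1.21:22
[115:5885] -A VSERVER -j VUPNP
COMMIT
"""
# Same rules after a PPPoE reconnect: the address VSERVER is applied to has changed.
SAMPLE_B = SAMPLE_A.replace("203.0.113.7", "203.0.113.42")

# "[pkts:bytes] -A CHAIN rest-of-rule"
COUNTER = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")
DNAT = re.compile(r"-p\s+(tcp|udp)\b.*--dport\s+(\S+).*--to-destination\s+(\S+)")
VSERVER_DST = re.compile(r"-d\s+(\d+\.\d+\.\d+\.\d+)/32\s+-j\s+VSERVER")


def parse_counters(text):
    """Return (dst_addrs, forwards): the addresses PREROUTING hands to VSERVER
    (the WAN address, plus any secondary WAN-side address) and a list of
    (proto, dport, target, packets) for every DNAT rule with its counter."""
    dst_addrs, forwards = [], []
    for line in text.splitlines():
        m = COUNTER.match(line)
        if not m:
            continue  # chain declarations, comments, COMMIT
        pkts, _bytes, chain, rest = m.groups()
        if chain == "PREROUTING":
            d = VSERVER_DST.search(rest)
            if d and d.group(1) not in dst_addrs:
                dst_addrs.append(d.group(1))
        f = DNAT.search(rest)
        if f:
            forwards.append((f.group(1), f.group(2), f.group(3), int(pkts)))
    return dst_addrs, forwards


def idle_forwards(text):
    """DNAT rules no packet has matched since the counters were last reset:
    the forward is installed, but nothing for that port reached the router."""
    return [f for f in parse_counters(text)[1] if f[3] == 0]


def wan_address_changed(earlier, later):
    """True when the address VSERVER is applied to differs between two dumps,
    which is what an outside tester must re-check before blaming the rules."""
    return parse_counters(earlier)[0] != parse_counters(later)[0]
```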
 

orudie

Occasional Visitor
Yes, absolutely sure. Every time I see the public IP change I try connecting to the new public IP from the outside.
 
