
RT-AX86U Port forward does not work


orudie

Occasional Visitor
Stock Firmware Version:3.0.0.4.386_46061

Hello. On my RT-AX86U, port forwarding does not work. I believe it started happening after recently enabling AiMesh.

The AiMesh node is ASUS RT-AC68U connected to ASUS RT-AX86U using LAN ethernet. AiProtection is disabled.

The main router RT-AX86U WAN port is connected to LAN 1 port of my ISP's modem/router which is configured in bridge mode.

RT-AX86U WAN configured with WAN type PPPoE and connected to ISP with username and password.

LAN configured with router's IP Address 10.1.1.1 and Subnet Mask 255.255.255.0

DDNS is enabled and configured with asuscomm.com and free SSL cert from letsencrypt.org.

Attaching a screenshot with port forwarding rules and none of them are working.

Please suggest what I am doing incorrectly and which configuration I should check.
 

Are you using a VPN client on the router?

Have you checked that your router's WAN connection is getting a public IP address and not a private one?
 
In the router VPN Clients are configured, but currently all are inactive.
Yes, my router's WAN connection is getting a public IP address. I verified this with both router's GUI and whatismyip.com
 
Check that the port forwarding rules are present and correct in System Log - Port Forwarding.
 
Source Destination Proto. Port range Redirect to Local port
ALL ALL TCP 32400 10.1.1.20 32400
ALL ALL UDP 32400 10.1.1.20 32400
ALL ALL UDP 2456 10.1.1.21 2456
ALL ALL TCP 22 10.1.1.21 22
 
That all looks correct.

How are you testing this? Are you testing from outside your LAN (i.e. from the internet side)? Test using your router's WAN IP address rather than a DDNS name.
 
I am testing this from outside my LAN with both my WAN's IP address and DDNS name. In both cases I cannot reach my LAN servers on specified ports.

ex: telnet <my.wan.ip> 22
 
You said that this used to work but thought it stopped working after enabling AiMesh. Are the servers connected directly to the primary router or to an AiMesh node?
 
The Linux VM servers are running on Synology NAS in Virtual Machine Manager. Synology NAS is connected to the switch, which is connected to the router. Both Synology NAS and the VMs use the same LAN subnet network as the router 10.1.1.0/24. The OS firewall is disabled on the Linux VM servers.
 
I removed the AiMesh node and switched some LAN cables around, rebooted both NAS and router, which did not help.
Network switch is now connected to router's LAN1 (gaming port) instead of LAN2 port.
I am "hitting the wall" here. Any other suggestions please?
 
Look at the system log for any clue. Also, Plex has its own tester to find out whether it is reachable or not. Finally, there are online tools which allow you to test if a port is open.
 
As a test, I installed an FTP server on a physical Windows computer, allowed connections on port 21 in Windows Firewall, tested the FTP connection from another computer on the LAN, and it worked.

Then in the router I configured port forwarding on port 21, and I am NOT able to reach it from outside.

orudie@bearsvmlx01 /home/orudie# telnet 10.1.1.37 21
Trying 10.1.1.37...
Connected to 10.1.1.37.
Escape character is '^]'.
220-FileZilla Server 1.4.1
220 Please visit https://filezilla-project.org/


Any other ideas?
 

If you SSH into the router (after having tried to connect) and issue the following command you will be able to see whether the port forwarding rules are accepting traffic.
Code:
iptables-save -t nat -c
 
iptables-save -t nat -c
# Generated by iptables-save v1.4.12.2 on Fri May 20 19:12:01 2022
*nat
:PREROUTING ACCEPT [206:13708]
:INPUT ACCEPT [138:8829]
:OUTPUT ACCEPT [70:5982]
:POSTROUTING ACCEPT [64:5566]
:DNSFILTER - [0:0]
:GAME_VSERVER - [0:0]
:LOCALSRV - [0:0]
:MAPE - [0:0]
:PCREDIRECT - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
[31:1577] -A PREROUTING -d 178.127.183.219/32 -j GAME_VSERVER
[31:1577] -A PREROUTING -d 178.127.183.219/32 -j VSERVER
[31:1577] -A PREROUTING -d 178.127.183.219/32 -j GAME_VSERVER
[0:0] -A PREROUTING -d 169.254.198.37/32 -j VSERVER
[35:3238] -A POSTROUTING ! -s 178.127.183.219/32 -o ppp0 -j MASQUERADE --mode fullcone
[0:0] -A POSTROUTING ! -s 169.254.198.37/32 -o eth0 -j MASQUERADE --mode fullcone
[6:416] -A POSTROUTING -s 10.1.1.0/24 -d 10.1.1.0/24 -o br0 -j MASQUERADE
[0:0] -A VSERVER -p tcp -m tcp --dport 32400 -j DNAT --to-destination 10.1.1.20:32400
[0:0] -A VSERVER -p udp -m udp --dport 32400 -j DNAT --to-destination 10.1.1.20:32400
[0:0] -A VSERVER -p udp -m udp --dport 2456 -j DNAT --to-destination 10.1.1.21:2456
[0:0] -A VSERVER -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.1.1.21:22
[0:0] -A VSERVER -p tcp -m tcp --dport 20 -j DNAT --to-destination 10.1.1.37:21
[0:0] -A VSERVER -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.1.1.37:21
[31:1577] -A VSERVER -j VUPNP
COMMIT
# Completed on Fri May 20 19:12:01 2022
 
There's almost zero traffic of any kind that's hit the firewall. I guess that's because you made some changes to the router just before issuing that command. Can you run the command again after trying to connect from the outside to your internal servers.
 
With telnet I am trying to hit port 21 from outside continuously and running the command but all I see is this:

iptables-save -t nat -c
# Generated by iptables-save v1.4.12.2 on Fri May 20 20:02:03 2022
*nat
:PREROUTING ACCEPT [717:68737]
:INPUT ACCEPT [400:24402]
:OUTPUT ACCEPT [101:9620]
:POSTROUTING ACCEPT [93:9028]
:DNSFILTER - [0:0]
:GAME_VSERVER - [0:0]
:LOCALSRV - [0:0]
:MAPE - [0:0]
:PCREDIRECT - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
[114:5801] -A PREROUTING -d 178.127.138.94/32 -j GAME_VSERVER
[114:5801] -A PREROUTING -d 178.127.138.94/32 -j VSERVER
[114:5801] -A PREROUTING -d 178.127.138.94/32 -j GAME_VSERVER
[1:84] -A PREROUTING -d 192.168.100.7/32 -j VSERVER
[97:14962] -A POSTROUTING ! -s 178.127.138.94/32 -o ppp0 -j MASQUERADE
[0:0] -A POSTROUTING ! -s 192.168.100.7/32 -o eth0 -j MASQUERADE
[8:592] -A POSTROUTING -s 10.1.1.0/24 -d 10.1.1.0/24 -o br0 -j MASQUERADE
[0:0] -A VSERVER -p tcp -m tcp --dport 20 -j DNAT --to-destination 10.1.1.37:21
[0:0] -A VSERVER -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.1.1.37:21
[115:5885] -A VSERVER -j VUPNP
COMMIT
# Completed on Fri May 20 20:02:03 2022
 
There is no incoming traffic on those ports. Your public IP address has changed since your previous post. Are you absolutely sure you're using the correct IP address?
 
Yes, absolutely sure. Every time I see the public IP change, I try connecting to the new public IP from the outside.
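
Added example (not part of the original thread): a shell function that reads the `iptables-save -t nat -c` dump used in the replies above and prints the packet counter of every DNAT rule, so a forward with zero hits stands out from traffic that only falls through the chain. The names `nat_hits` and `sample_dump`, and the sample dump itself (using the documentation address 203.0.113.10), are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise DNAT hit counters from `iptables-save -t nat -c`.
# Reads the dump on stdin; prints one line per DNAT rule plus a chain summary.
nat_hits() {
  awk '
    /^\[[0-9]+:[0-9]+\] -A / {
      # Counter prefix is "[packets:bytes]"; keep the packet count.
      split(substr($1, 2), c, ":"); pkts = c[1] + 0
      chain = $3; proto = "any"; dport = "any"; dest = ""; target = ""
      for (i = 4; i <= NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        if ($i == "--dport") dport = $(i + 1)
        if ($i == "-j") target = $(i + 1)
        if ($i == "--to-destination") dest = $(i + 1)
      }
      if (target == "DNAT") {
        rules++; matched += pkts
        printf "%s %s/%s -> %s pkts=%d%s\n", chain, proto, dport, dest, pkts, (pkts ? "" : " NO-HITS")
      } else if (chain == "PREROUTING" && target == "VSERVER") {
        entered += pkts   # packets for the WAN address that reached the forward chain
      }
    }
    END { printf "summary entered_VSERVER=%d dnat_rules=%d dnat_matched=%d\n", entered, rules, matched }
  '
}

# Constructed sample dump (not taken from a real router).
sample_dump() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [717:68737]
:VSERVER - [0:0]
[114:5801] -A PREROUTING -d 203.0.113.10/32 -j VSERVER
[97:14962] -A POSTROUTING ! -s 203.0.113.10/32 -o ppp0 -j MASQUERADE
[0:0] -A VSERVER -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.1.1.37:21
[3:180] -A VSERVER -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.1.1.21:22
[111:5621] -A VSERVER -j VUPNP
COMMIT
EOF
}

# On the router itself: iptables-save -t nat -c | nat_hits
sample_dump | nat_hits
```

A rule marked NO-HITS while `entered_VSERVER` keeps growing means packets for the WAN address reach the router, but none arrive on that forwarded port.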
 
