DD-WRT, forwarding TCP port 80 for http doesn't work from WAN?
Solution 1
...version DD-WRT v24-sp2 (12/12/11) std.
You didn't provide the revision number which is an important piece of information. The only current recommended revisions are 13064 or 14869. Most revisions of the dd-wrt firmware are considered unstable and broken.
Here's the relevant information from the forum thread.
Upgrade (or downgrade) to one of the forum recommended builds listed in this section, especially if you are running SP1 or v24 final (05/21/08) 13064 or 14896. Stick with what is recommended in this thread or redhawk0's announcement if you want stability. At the time of writing, the latest official build is v.24 SP1. SP1 has a LOT of issues. It will spontaneously brick the Asus WL500W router.
All of these forum recommended builds are BETA and not "finished" yet. Although you use them at your own risk the forum recommended builds have been pretty thoroughly tested and work well, certainly better than SP1. Browse the forums and see what others are saying.
The newest builds, such as the 16xxx or 17xxx builds, that are newer than the recommended builds have been released for TESTING only. They are not new and "improved" and have not been released because they are obviously better. OFTEN they have massive problems. If they did not, they would be recommended in the forum. So realize that if you are installing a different build than the ones that are recommended here, you are testing a build and you might find that it DOES NOT WORK. Each build has a "build thread" in the forum that is created when the build is released. Report problems in that thread, but do not ask for help with your router in the build thread. IF YOU WANT A GENERALLY STABLE BUILD, USE ONE OF THE BUILDS RECOMMENDED IN THIS NOTE OR REDHAWK0'S RECOMMENDED BUILD THREAD! The only exception to this rule is if you are using a VERY new router and that router requires initial flashing of a build that is newer than 15962, and in that case most should use 17990 or 18000 (which are basically the same).
TL;DR: The newest builds, such as the 16xxx or 17xxx builds, that are newer than the recommended builds have been released for TESTING only... OFTEN they have massive problems.
Edit: You said you tested the forwarding by connecting from a remote IP address. Just to be sure, you are not trying to connect to your WAN interface's IP address from your LAN, correct? NAT Loopback is broken for that revision and anything past 15760.
I highly recommend you downgrade your firmware to one of the recommended revisions per the thread I linked unless you have a very compelling reason not to do so.
Edit 2: Hmm. I see your downgrade did not work. Sorry to hear that. Unfortunately this is likely a problem with the DD-WRT firmware, questions about which are considered off topic. My reasoning for this conclusion is that your iptables look fine and port forwarding works correctly with your Linksys router.
My advice at this point is to either 1) post to the DD-WRT forum (read all their FAQs first), 2) file a bug report or 3) buy a real router. I have had nothing but problems with DD-WRT and would never recommend it to anyone. Additionally I have found COTS "routers" to also be similarly unreliable.
Solution 2
Add the four commands below (2 insmod's and 2 iptables's) to your router's startup command window (router's menu path: Administration --> Diagnostics). Paste them into the router's shell command window and then click on the SAVE STARTUP button to transfer them into your router's startup command window:
insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE
Best way is to copy & paste these four commands above EXACTLY as they are, directly into your router, ONE COMMAND PER LINE. Doing so guarantees you don't make mistakes, as I bet you are fed up dealing with this already!
After saving them into your router's startup list of commands, reboot your router and test your port forwardings from the WAN side.
This should do the trick.
Please reply here if this has worked for you the way it has worked for me!
Regards, Lino
Solution 3
Your rules as they stand appear fine; so the other possibility is your ISP or someone in the middle is blocking dport 80... simple way to test that:
Add a DNAT rule that forwards request for some other port to your internal server - i.e:
iptables -t nat -I PREROUTING -p tcp --dport 32100 -d <wanIP> -j DNAT --to 192.168.2.97:80
then pop open a browser and visit http://<wanIP>:32100
if it still fails, then it's more than likely something related to PMTUD issues.
Solution 4
Your rules are fine. You have port 80 configured as the default for remote access. Change that and you should be fine.
Solution 5
Your listing of iptables is only for the default filter table (same as iptables -t filter -L), which is for traditional straightforward routing and is not sufficient in your case - you use network address translation (NAT).
In this case the relevant setting is in the nat table (connect to your router through ssh and issue iptables -t nat -L); it should contain something like this:
Chain PREROUTING (policy ...)
target prot opt source destination
DNAT tcp -- anywhere your_internet_ip_address tcp dpt:80 to:192.168.2.97:80
Of course, from outside you need to connect to http://your_internet_ip_address, not to http://192.168.2.97, forgive me for stating the obvious.
No idea how to implement it through the DD-WRT v24 GUI. On v23 I did it via Applications&Gaming -> Port Forwarding and DNAT worked nicely.
UPDATE 1: So, you do have a proper DNAT rule.
One more thing I've noticed. You have a TRIGGER rule for port 80. Manual says
By setting Port Triggering rules, you can allow inbound traffic to arrive at a specific LAN host [...] If a PC sends outbound traffic from those ports, incoming traffic on the Forwarded Range will be forwarded to that PC.
This is something quite different than normal Port Forwarding (DNAT) and may very likely conflict with it. Triggering is normally used for applications which connect back (usually multiplayer games), I don't see why anybody would want it for port 80.
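As an added example (not code from the thread or from DD-WRT), the Python below reads an iptables -t nat -vnL listing like the one posted in the question and applies the checks from this answer by machine: is there a DNAT rule in PREROUTING for the forwarded port, is a TRIGGER rule competing with it, is outbound SNAT bound to the WAN interface, and, using the -v packet counters, has the DNAT rule ever matched anything (a rule at 0 packets while the chain itself counts traffic means the port-80 packets never reached the router's WAN address, which points upstream rather than at the rule set). The sample dump is constructed to mirror the question's, with my.wan.ip as the question's own placeholder for the public address.

```python
import re

# Constructed sample mirroring the `iptables -t nat -vnL` dump in the question
# (my.wan.ip is the question's own placeholder for the public address).
SAMPLE_DUMP = """\
Chain PREROUTING (policy ACCEPT 165K packets, 18M bytes)
 pkts bytes target prot opt in out source destination
   38 47952 DNAT icmp -- * * 0.0.0.0/0 my.wan.ip to:192.168.2.1
    0     0 DNAT tcp -- * * 0.0.0.0/0 my.wan.ip tcp dpt:80 to:192.168.2.97:80
47056 6024K TRIGGER 0 -- * * 0.0.0.0/0 my.wan.ip TRIGGER type:dnat match:0 relate:0

Chain POSTROUTING (policy ACCEPT 4753 packets, 418K bytes)
 pkts bytes target prot opt in out source destination
87913 10M SNAT 0 -- * vlan2 192.168.2.0/24 0.0.0.0/0 to:my.wan.ip
"""

def _count(tok):
    """iptables -v abbreviates large counters (6024K, 10M); expand them."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(tok[:-1]) * mult[tok[-1]] if tok[-1] in mult else int(tok)

def parse_nat_dump(text):
    """Turn the verbose nat-table listing into a list of rule dicts."""
    rules, chain = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "pkts":
            continue                      # blank line or column header
        if parts[0] == "Chain":
            chain = parts[1]
            continue
        pkts, nbytes, target, proto, _opt, ifin, ifout, src, dst = parts[:9]
        rules.append({"chain": chain, "pkts": _count(pkts), "bytes": _count(nbytes),
                      "target": target, "proto": proto, "in": ifin, "out": ifout,
                      "src": src, "dst": dst, "extra": " ".join(parts[9:])})
    return rules

def check_forward(rules, port, lan_host, wan_iface):
    """Findings for a TCP forward of `port` to `lan_host` (empty list = looks healthy)."""
    findings = []
    dnat = [r for r in rules if r["chain"] == "PREROUTING" and r["target"] == "DNAT"
            and r["proto"] == "tcp" and re.search(rf"\bdpt:{port}\b", r["extra"])
            and f"to:{lan_host}" in r["extra"]]
    if not dnat:
        findings.append(f"no DNAT rule for tcp/{port} -> {lan_host} in PREROUTING")
    elif all(r["pkts"] == 0 for r in dnat):
        # The chain counts traffic but this rule never fired: packets for the
        # port are not arriving at the WAN address (upstream filtering, wrong IP).
        findings.append(f"DNAT rule for tcp/{port} matched 0 packets")
    if any(r["chain"] == "PREROUTING" and r["target"] == "TRIGGER" for r in rules):
        findings.append("TRIGGER rule in PREROUTING may conflict with the DNAT")
    if not any(r["chain"] == "POSTROUTING" and r["target"] in ("SNAT", "MASQUERADE")
               and r["out"] == wan_iface for r in rules):
        findings.append(f"no SNAT/MASQUERADE out of WAN interface {wan_iface}")
    return findings
```

Running check_forward(parse_nat_dump(SAMPLE_DUMP), 80, "192.168.2.97", "vlan2") on the sample flags the zero-hit DNAT rule and the TRIGGER rule, which is exactly the pair of symptoms in the question's dump.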
Comments
-
Darth Continent over 1 year
I'm running DD-WRT firmware on my router, version DD-WRT v24-sp2 (12/12/11) std.
I'm trying to port forward http traffic on port 80 to my PC's local IP, 192.168.2.97, and although I can browse my hosted site on my LAN, when I try from a remote IP offsite I get "The Connection has timed out". Could someone please have a look at the iptables dump linked here and help me find the proper iptables syntax to use to enable port forwarding to work properly? I'm very new to iptables and am lost on how to craft the necessary syntax.
EDIT output of netstat -ano | find "80" from the web server (Windows 7 running IIS):
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 192.168.2.97:1869 207.46.124.39:80 ESTABLISHED 3860
TCP 192.168.2.97:43794 74.125.229.36:80 TIME_WAIT 0
TCP [::]:80 [::]:0 LISTENING 4
UDP 127.0.0.1:48000 *:* 3132
UDP 127.0.0.1:48001 *:* 2420
EDIT output of iptables -t nat -L from the DD-WRT command prompt:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT icmp -- anywhere my.wan.ip to:192.168.2.1
DNAT tcp -- anywhere my.wan.ip tcp dpt:www to:192.168.2.97:80
DNAT tcp -- anywhere my.wan.ip tcp dpt:www to:192.168.2.97
TRIGGER 0 -- anywhere my.wan.ip TRIGGER type:dnat match:0 relate:0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT 0 -- 192.168.2.0/24 anywhere to:my.wan.ip
RETURN 0 -- anywhere anywhere PKTTYPE = broadcast
EDIT output of iptables -t nat -vnL from DD-WRT interface:
Chain PREROUTING (policy ACCEPT 165K packets, 18M bytes)
pkts bytes target prot opt in out source destination
38 47952 DNAT icmp -- * * 0.0.0.0/0 my.wan.ip to:192.168.2.1
0 0 DNAT tcp -- * * 0.0.0.0/0 my.wan.ip tcp dpt:80 to:192.168.2.97:80
0 0 DNAT tcp -- * * 0.0.0.0/0 my.wan.ip tcp dpt:80 to:192.168.2.97
47056 6024K TRIGGER 0 -- * * 0.0.0.0/0 my.wan.ip TRIGGER type:dnat match:0 relate:0
Chain OUTPUT (policy ACCEPT 4753 packets, 418K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 4753 packets, 418K bytes)
pkts bytes target prot opt in out source destination
87913 10M SNAT 0 -- * vlan2 192.168.2.0/24 0.0.0.0/0 to:my.wan.ip
0 0 RETURN 0 -- * br0 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
EDIT output of route from DD-WRT Command prompt:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
74.178.55.1 * 255.255.255.255 UH 0 0 0 vlan2
192.168.2.0 * 255.255.255.0 U 0 0 0 br0
74.178.55.0 * 255.255.255.0 U 0 0 0 vlan2
169.254.0.0 * 255.255.0.0 U 0 0 0 br0
239.0.0.0 * 255.0.0.0 U 0 0 0 br0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default adsl-74-178-55- 0.0.0.0 UG 0 0 0 vlan2
CONCLUSION: I've had it with DD-WRT.
I've bricked and unbricked my Buffalo WZR-HP-G300NH2 dozens of times now. Tried numerous suggestions below. Posted on the DD-WRT forum and got met with mostly dead air. Looked at other alternative firmwares like OpenWRT, Gargoyle, HyperWRT, Tomato. Of these, OpenWRT with Gargoyle looked promising, but Gargoyle specifically does not support my router (the WZR-HP-G300NH is supported, but not the WZR-HP-G300NH2).
The furthest I've come so far is with getting OpenWRT and Luci (a web management add-on) installed, after wading through hundreds of forum posts trying to find solutions or workarounds to numerous build and config and other errors only to be met with terse, unhelpful posts in response to questions similar to mine along the way like "just recompile with {some library or option or config which seems perfectly conventional to the developer but not a newbie}" or "just try {doing the obvious which you've probably already tried, which I can do in my sleep but don't particularly care to elaborate on}".
Apparently I did something wrong, because following this and trying to apply some configuration changes through Luci, the router has bricked again after a reboot. If I feel like it, I'll try yet again to reflash it, and see what I need to do to avoid the situation again, and hopefully end up with a functional router or at least a switch I can use.
In the meantime I've gone ahead and bought another router, and I'm hoping that the factory firmware will do the seemingly simple task of port forwarding. Thanks to kce and all those who took a stab at this.
-
ash over 12 years
Did you configure the port forwarding from the NAT/QoS -> Port Forwarding screen?
-
Hubert Kario over 12 years
Your ISP may be blocking port 80 if you're not using the business package.
-
Darth Continent over 12 years
@Starfish: Yes, port 80 is set from there to forward TCP to my local IP.
-
Darth Continent over 12 years
@HubertKario: I tried using a spare Linksys router I have lying around with its factory firmware, it forwarded external http traffic just fine, so I'm pretty certain my ISP isn't filtering.
-
Mattias Ahnberg over 12 years
NAT through a Linux machine/dd-wrt must be placed in the nat table's PREROUTING section, I don't see that one in your iptables dump. Can you please give us that one too?
-
Mattias Ahnberg over 12 years
Another thought; I am not sure if dd-wrt itself listens on port 80 for some service, just to try it out, try to forward another higher port (12345 or something) to the internal IP.
-
Vick Vega over 12 years
@Darth Continent - Do you have web management turned on on the router from outside of the network?
-
Darth Continent over 12 years
@VickVega Nope, web management is Disabled.
-
Darth Continent over 12 years
@MattiasAhnberg: I tried forwarding port 8080 instead, no luck. Also can you tell me the syntax to use to obtain the prerouting section?
-
Mattias Ahnberg over 12 years
To list the nat table, do: iptables -t nat -vnL for example.
-
Mattias Ahnberg over 12 years
Cool. Try: iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination int.ern.al.ip:80 then browse (from the outside, very important!) to ext.ern.al.ip:8080 and see what happens.
-
Darth Continent over 12 years
@MattiasAhnberg: Ok, applied the command successfully, but got the same connection timeout when trying to browse remotely from my office laptop.
-
Mattias Ahnberg over 12 years
Is the outgoing SNAT pointed at the right interface? Do any other types of traffic work as intended? These tips about the PREROUTING table, etc. should work. Double-check that the internal webserver has a default route that goes to this router too; if outgoing traffic from THAT server goes elsewhere it could cause timeouts even if everything is properly set up on the dd-wrt.
-
Darth Continent over 12 years
@MattiasAhnberg: Can you tell me what syntax to use to verify the outgoing SNAT you mention? I checked and my webserver does have a default route referencing my router as the gateway (Network Destination 0.0.0.0, Netmask 0.0.0.0, Gateway 192.168.2.1 [my router], Interface 192.168.2.97 [my webserver local IP]). However, if you meant the "internal webserver" for DD-WRT on the router itself, see above.
-
Mattias Ahnberg over 12 years
I mostly meant whether the router works at all for outgoing traffic from the internal webserver, if it can reach the Internet through the router. I am starting to be at a loss as to what the problem is here; all your policies and rules look right, and in my experience that usually means that the machine behind has some issues, so we might be looking at the wrong place, that's why I started asking about the default route. But it's complicated when you say it works/worked with another router. :(
-
Mattias Ahnberg over 12 years
Did you try port forwarding through the UI? dd-wrt.com/wiki/index.php/Port_Forwarding
-
Darth Continent over 12 years
@MattiasAhnberg: Yes, same result.
-
Brian Hasden over 12 years
Not sure if you've taken a look at the recent answers, but the post that Lino Lopes made regarding commands to run is the fix for the issue. I ran into what appears to be the same port forwarding issue and Lino Lopes' answer resolved it.
-
Darth Continent over 12 years
@BrianHasden: Thanks, I haven't checked on this thread in a while; next chance I get I'll try it out and if it works give him the answer.
-
Darth Continent over 12 years
Do you mean Windows firewall? I've already disabled it at the domain, public and private levels. Or do you mean the SPI firewall in DD-WRT?
-
Darth Continent over 12 years
Well, for NAT I've set up port forwarding as described in the DD-WRT wiki to forward port 80 to my server's LAN IP address; for the firewall, as far as I'm aware I haven't set up anything in the DD-WRT firewall GUI settings to block port 80 traffic, though the iptables dump I posted I need help deciphering as I'm not sure whether that indicates port 80 is being blocked.
-
Vick Vega over 12 years
As much as I'm aware - you need to allow access from outside to some host on the internal network. By default, on a lot of small-medium firewalls all the incoming access is blocked, unless authorized. So, add the rule to allow access on port 80 through the router's GUI.
-
Vick Vega over 12 years
Can you do me a favor please? Run at the command prompt: (Windows) netstat -ano | find "80". (Linux) netstat -ano | grep :80. And post the results.
-
Alien Life Form over 12 years
Surely you already checked this one out: dd-wrt.com/wiki/index.php/Port_Forwarding_Troubleshooting
-
Darth Continent over 12 years
@AlienLifeForm: Yes, my setup fits the simplest of the WAN configs described on the wiki: "Any other WAN IP is likely a public (routable) address that just needs a properly configured port forward on the router."
-
Darth Continent over 12 years
@VickVega I've added the output from netstat to my original post above.
-
Darth Continent over 12 years
Thanks, I edited my original post to include the output of iptables -t nat -L, and yes in testing I'm trying to connect to my server via a remote session to a laptop at my office across town. For v24 I set up the forwarding rule via NAT / QoS => Port Forwarding.
-
Darth Continent over 12 years
I tried to add that rule, but DD-WRT came back with "Bad argument `DNAT'". Btw, I'd mentioned a Linksys router I tried with just its factory firmware forwarded port 80 fine to my web server, so it seems like there's no filtering going on.
-
Naveed Abbas over 12 years
Seems ok. I've updated my answer with one more piece of advice: triggering.
-
Darth Continent over 12 years
I removed the entry I had under Port Triggering, no change; from my external setup the connection still times out.
-
Olipro over 12 years
Sorry, the stupid editor treated my command as if it were markup, fixed now.
-
Darth Continent over 12 years
Here's the build info: DD-WRT v24-sp2 (12/12/11) std - build 18000
-
Admin over 12 years
Please see my edit. If this is an issue with NAT Loopback there is a fix (downgrade), otherwise you should downgrade anyway.
-
Darth Continent over 12 years
I'd already applied a workaround recommended by one of the DD-WRT users to get around the NAT loopback issue; this solved the problem of not being able to browse to the web server from within my LAN, but the inability to browse from an external address still remains. I guess at this point I may go ahead and try downgrading to an earlier build as you recommend.
-
Darth Continent over 12 years
I tried downgrading the firmware to build 14896, which according to the DD-WRT database is compatible with the Buffalo WZR-HP-G300NH; however, my router is actually the Buffalo WZR-HP-G300NH2. Nevertheless, the GUI allowed me to downgrade to the G300NH build 14896 firmware, whereupon my router bricked. I then updated to the previous firmware specifically for the WZR-HP-G300NH2 via TFTP and my router came back to life, with the same server timeout problem when trying to access my web server externally, unfortunately.
-
Darth Continent over 12 years
I tried to find the earliest build possible for the NH2 by someone named BrainSlayer (a senior user on the DD-WRT support forum), posted here: dd-wrt.com/others/eko/BrainSlayer-V24-preSP2 I tried downgrading to the earliest build of his firmware I could find that supports the NH2 (16994, located here: dd-wrt.com/others/eko/BrainSlayer-V24-preSP2/2011/…), but once again the server timeout occurs.
-
Darth Continent over 12 years
No luck, I still get the connection timeout.
-
Olipro over 12 years
Oops, yes, that would fail, fixed command again.
-
Brian Hasden over 12 years
Thank you so much for this, however for my E3000 router I needed to add this to the firewall script and not startup. The DD-WRT post explaining the fix is at dd-wrt.com/phpBB2/viewtopic.php?t=89353.
-
MrGigu about 11 years
txt spk dsnt go down well here like you bro lol wtfbbq ellipsis