DD-WRT, forwarding TCP port 80 for http doesn't work from WAN?


Solution 1

...version DD-WRT v24-sp2 (12/12/11) std.

You didn't provide the revision number which is an important piece of information. The only current recommended revisions are 13064 or 14869. Most revisions of the dd-wrt firmware are considered unstable and broken.

Here's the relevant information from the forum thread.

Upgrade (or downgrade) to one of the forum recommended builds listed in this section, especially if you are running SP1 or v24 final (05/21/08): 13064 or 14896. Stick with what is recommended in this thread or redhawk0's announcement if you want stability. At the time of writing, the latest official build is v.24 SP1. SP1 has a LOT of issues. It will spontaneously brick the Asus WL500W router.

All of these forum recommended builds are BETA and not "finished" yet. Although you use them at your own risk the forum recommended builds have been pretty thoroughly tested and work well, certainly better than SP1. Browse the forums and see what others are saying.

The newest builds, such as the 16xxx or 17xxx builds, that are newer than the recommended builds have been released for TESTING only. They are not new and "improved" and have not been released because they are obviously better. OFTEN they have massive problems. If they did not, they would be recommended in the forum. So realize that if you are installing a different build than the ones that are recommended here, you are testing a build and you might find that it DOES NOT WORK. Each build has a "build thread" in the forum that is created when the build is released. Report problems in that thread, but do not ask for help with your router in the build thread. IF YOU WANT A GENERALLY STABLE BUILD, USE ONE OF THE BUILDS RECOMMENDED IN THIS NOTE OR REDHAWK0'S RECOMMENDED BUILD THREAD! The only exception to this rule is if you are using a VERY new router and that router requires initial flashing of a build that is newer than 15962, and in that case most should use 17990 or 18000 (which are basically the same).

TL;DR: The newest builds, such as the 16xxx or 17xxx builds, that are newer than the recommended builds have been released for TESTING only... OFTEN they have massive problems.

Edit: You said you tested the forwarding by connecting from a remote IP address. Just to be sure, you are not trying to connect to your WAN interface's IP address from your LAN, correct? NAT Loopback is broken for that revision and anything past 15760.

I highly recommend you downgrade your firmware to one of the recommended revisions per the thread I linked unless you have a very compelling reason not to do so.

Edit 2: Hmm. I see your downgrade did not work. Sorry to hear that. Unfortunately this is likely a problem with the DD-WRT firmware, questions about which are considered off topic. My reasoning for this conclusion is that your iptables look fine and port forwarding works correctly with your Linksys router.

My advice at this point is to either 1) post to the DD-WRT forum (read all their FAQs first), 2) file a bug report or 3) buy a real router. I have had nothing but problems with DD-WRT and would never recommend it to anyone. Additionally I have found COTS "routers" to also be similarly unreliable.

Solution 2

Add the four commands below (2 insmod's and 2 iptables's) to your router's startup command window (router's menu path: Administration --> Diagnostics). Paste them into the router's shell command window and then click on the SAVE STARTUP button to transfer them into your router's startup command window:

    insmod ipt_mark
    insmod xt_mark
    iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
    iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE

The best way is to copy & paste these four commands above EXACTLY as they are, directly into your router, ONE COMMAND PER LINE. Doing so guarantees you don't make mistakes, as I bet you are fed up dealing with this already!

After saving them into your router's startup list of commands, reboot your router and test your port forwardings from the WAN side.

This should do the trick.

Please reply here if this has worked for you the way it has worked for me!

Regards, Lino
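The four rules above are the usual DD-WRT fix for NAT loopback (hairpin NAT): the mangle rule marks packets that arrive on a non-WAN interface but are addressed to the WAN IP, and the MASQUERADE rule rewrites the source of those packets to the router's own address. The following Python model is an added illustration, not code from Lino's answer or from DD-WRT, of why that second step matters. The server address 192.168.2.97 is the one from the question; the WAN address, the LAN client and the client port are constructed sample values.

```python
"""Why the MARK + MASQUERADE rules are needed for NAT loopback (hairpin NAT).

Added model, not code from the answer above or from DD-WRT. Addresses other
than the server's 192.168.2.97 are constructed sample values. It follows one
TCP SYN from a client to the router's public address and checks whether the
SYN-ACK that comes back matches the connection the client opened.
"""
from dataclasses import dataclass, replace

WAN_IP = "203.0.113.10"    # constructed: what `nvram get wan_ipaddr` would return
LAN_IP = "192.168.2.1"     # router's LAN address (from the question's route table)
SERVER = "192.168.2.97"    # forwarded-to web server (from the question)
LAN_NET = "192.168.2."


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def router_nat(pkt, loopback_masq):
    """Apply the router's nat table to an inbound SYN.

    PREROUTING: DNAT WAN_IP:80 -> SERVER:80 (the port forward).
    POSTROUTING: with loopback_masq, packets that did not arrive on the WAN
    interface (here: source on the LAN) and were addressed to WAN_IP, i.e. the
    ones the MARK 0xd001 rule selects, get MASQUERADEd to the router's LAN IP.
    Returns (packet as delivered, conntrack entry = (original, translated)).
    """
    original = pkt
    if pkt.dst == WAN_IP and pkt.dport == 80:
        pkt = replace(pkt, dst=SERVER, dport=80)
    if loopback_masq and original.src.startswith(LAN_NET) and original.dst == WAN_IP:
        pkt = replace(pkt, src=LAN_IP)
    return pkt, (original, pkt)


def server_reply(pkt):
    """The server answers to whatever source address and port it saw."""
    return Packet(src=pkt.dst, dst=pkt.src, sport=pkt.dport, dport=pkt.sport)


def deliver_reply(reply, conntrack):
    """A reply addressed off-LAN or to the router itself passes back through
    the router, which reverses the translation from its conntrack entry.
    A reply addressed to a LAN host goes to it directly, untouched."""
    original, _ = conntrack
    via_router = not reply.dst.startswith(LAN_NET) or reply.dst == LAN_IP
    if via_router:
        return Packet(src=original.dst, dst=original.src,
                      sport=original.dport, dport=original.sport)
    return reply


def connection_works(client_ip, loopback_masq):
    """True if client_ip connecting to WAN_IP:80 receives a SYN-ACK whose
    4-tuple matches the socket it opened. Otherwise the client's TCP stack
    has no socket for the reply and the connect attempt just times out."""
    syn = Packet(src=client_ip, dst=WAN_IP, sport=40000, dport=80)
    delivered, ct = router_nat(syn, loopback_masq)
    reply = deliver_reply(server_reply(delivered), ct)
    expected = (WAN_IP, 80, client_ip, 40000)
    return (reply.src, reply.sport, reply.dst, reply.dport) == expected


if __name__ == "__main__":
    print("WAN client, no loopback rules:", connection_works("198.51.100.7", False))
    print("LAN client, no loopback rules:", connection_works("192.168.2.50", False))
    print("LAN client, with loopback rules:", connection_works("192.168.2.50", True))
```

Without the MASQUERADE step the server sees the LAN client's real address, answers it directly on the LAN, and the client receives a SYN-ACK from 192.168.2.97 instead of from the WAN address it connected to. With the rules in place the server answers the router, which reverses both translations. Note that a client on the WAN side works in both cases, which is why this fix does not address the question's WAN-side timeout.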

Solution 3

Your rules as they stand appear fine; so the other possibility is your ISP or someone in the middle is blocking dport 80... simple way to test that:

Add a DNAT rule that forwards requests for some other port to your internal server, i.e.:

    iptables -t nat -I PREROUTING -p tcp --dport 32100 -d <wanIP> -j DNAT --to 192.168.2.97:80

then pop open a browser and visit http://<wanIP>:32100

if it still fails, then it's more than likely something related to PMTUD issues.
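The test in this answer relies on telling a connection that is silently dropped (the "timed out" symptom from the question) apart from one that reaches a host with nothing listening (an immediate RST). The following Python probe is an added example, not part of the answer above; you would run it from a host outside the LAN against your own WAN address with port 80 and the alternate port you forwarded. The host and port list are parameters, and the self-test at the bottom uses a throw-away listener on 127.0.0.1 so it runs offline.

```python
"""Check whether a TCP port on the router's public address is reachable from
outside, and distinguish 'filtered' (no answer) from 'closed' (RST).

Added diagnostic, not code from the answer above. Run it from outside the LAN
against your own WAN address; host and ports are parameters. The self-test
at the bottom uses a local listener so it runs offline.
"""
import socket
import threading


def probe(host, port, timeout=3.0):
    """Return one of 'open', 'refused', 'timeout', 'unreachable'.

    'open'        : handshake completed, something answered the SYN.
    'refused'     : RST came back: the packet reached a host, but nothing is
                    listening there (the forward lands on a closed port).
    'timeout'     : neither SYN-ACK nor RST: an upstream filter or a rule
                    that silently drops, which is the symptom in the question.
    'unreachable' : the local stack could not even route the SYN.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def compare_ports(host, ports, timeout=3.0):
    """Probe several ports (e.g. 80 and the alternate 32100 from the answer)
    and return {port: verdict}. If 80 times out while the alternate port is
    open, the problem is specific to port 80 (upstream filter or a listener
    on the router itself); if both time out, look at routing and NAT."""
    return {p: probe(host, p, timeout) for p in ports}


def _local_listener():
    """Constructed test fixture: a throw-away listener on 127.0.0.1."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass  # listener closed by the test

    threading.Thread(target=serve, daemon=True).start()
    return srv


def self_test():
    """An open loopback port gives 'open'; a port nothing listens on gives
    'refused'. Returns the two verdicts as a tuple."""
    srv = _local_listener()
    open_port = srv.getsockname()[1]
    verdict_open = probe("127.0.0.1", open_port, timeout=2.0)
    srv.close()
    # Find a port nothing listens on: bind, read the number, release it.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    verdict_closed = probe("127.0.0.1", closed_port, timeout=2.0)
    return verdict_open, verdict_closed


if __name__ == "__main__":
    print(self_test())
```

A "refused" verdict on the WAN address is actually good news for the forward: the SYN reached a host and was answered, so the remaining problem is the listener. A "timeout" on port 80 combined with "open" on the alternate port points at something upstream of the router treating port 80 differently.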

Solution 4

Your rules are fine. You have port 80 configured as the default for remote access. Change that and you should be fine.

Solution 5

Your listing of iptables is only for the default filter table (same as iptables -t filter -L), which is for traditional straightforward routing and is not sufficient in your case - you use network address translation (NAT).

In this case the relevant setting is in the nat table (connect to your router through ssh and issue iptables -t nat -L); it should contain something like this:

    Chain PREROUTING (policy ...)
    target     prot opt source               destination
    DNAT       tcp  --  anywhere             your_internet_ip_address       tcp dpt:80 to:192.168.2.97:80

Of course, from outside you need to connect to http://your_internet_ip_address, not to http://192.168.2.97, forgive me for stating the obvious.

No idea how to implement it through the DD-WRT v24 GUI. On v23 I did it via Applications & Gaming -> Port Forwarding and DNAT worked nicely.

UPDATE 1: So, you do have a proper DNAT rule.

One more thing I've noticed. You have a TRIGGER rule for port 80. Manual says

By setting Port Triggering rules, you can allow inbound traffic to arrive at a specific LAN host [...] If a PC sends outbound traffic from those ports, incoming traffic on the Forwarded Range will be forwarded to that PC.

This is something quite different from normal Port Forwarding (DNAT) and may very likely conflict with it. Triggering is normally used for applications which connect back (usually multiplayer games); I don't see why anybody would want it for port 80.
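The nat table listing is the key piece of evidence in this thread, and the `-v` counters say more than the rules themselves: a DNAT rule that has never matched a packet while the chain has seen plenty means the inbound SYNs are not arriving at PREROUTING at all (or no longer match the destination address in the rule). The parser below is an added diagnostic, not code from this answer or from DD-WRT; it reads `iptables -t nat -vnL` output, finds the DNAT rule(s) for a port, and flags zero counters, duplicate forwards, the TRIGGER rule this answer warns about, and an SNAT rule not bound to an outgoing interface. The embedded sample is the listing posted in the question, with its own `my.wan.ip` placeholder.

```python
"""Parse `iptables -t nat -vnL` output and flag the things the answers above
look for: the DNAT rule for a port, whether it has ever matched a packet,
duplicate forwards, and a TRIGGER rule that may conflict with it.

Added diagnostic, not code from the answers or from DD-WRT. The sample listing
is the one posted in the question (my.wan.ip is the questioner's placeholder).
"""
import re
from dataclasses import dataclass

SAMPLE = """\
Chain PREROUTING (policy ACCEPT 165K packets, 18M bytes)
 pkts bytes target     prot opt in     out     source               destination
   38 47952 DNAT       icmp --  *      *       0.0.0.0/0            my.wan.ip       to:192.168.2.1
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            my.wan.ip       tcp dpt:80 to:192.168.2.97:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            my.wan.ip       tcp dpt:80 to:192.168.2.97
47056 6024K TRIGGER    0    --  *      *       0.0.0.0/0            my.wan.ip       TRIGGER type:dnat match:0 relate:0
Chain OUTPUT (policy ACCEPT 4753 packets, 418K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 4753 packets, 418K bytes)
 pkts bytes target     prot opt in     out     source               destination
87913   10M SNAT       0    --  *      vlan2   192.168.2.0/24       0.0.0.0/0           to:my.wan.ip
    0     0 RETURN     0    --  *      br0     0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
"""

_SUFFIX = {"": 1, "K": 1000, "M": 1000000, "G": 1000000000}


def count(tok):
    """iptables abbreviates counters (165K, 18M); return a plain int."""
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    if not m:
        raise ValueError(f"bad counter {tok!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


@dataclass
class Rule:
    chain: str
    pkts: int
    target: str
    prot: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str   # match/target details, e.g. 'tcp dpt:80 to:192.168.2.97:80'


def parse_nat_table(text):
    """Turn the -vnL listing into Rule objects, keeping each rule's chain."""
    rules, chain = [], None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        f = line.split()
        if len(f) < 9 or f[0] == "pkts":
            continue  # column header or blank line
        rules.append(Rule(chain, count(f[0]), f[2], f[3], f[5], f[6], f[7], f[8],
                          " ".join(f[9:])))
    return rules


def dport(rule):
    """Destination port from the rule's match text, or None."""
    m = re.search(r"dpt:(\w+)", rule.extra)
    return m.group(1) if m else None


def diagnose(text, port="80"):
    """Return a list of findings (short strings) about the forward on `port`."""
    rules = parse_nat_table(text)
    findings = []
    fwd = [r for r in rules
           if r.chain == "PREROUTING" and r.target == "DNAT" and dport(r) == port]
    if not fwd:
        return [f"no DNAT rule for dpt:{port} in PREROUTING"]
    if len(fwd) > 1:
        findings.append(f"{len(fwd)} DNAT rules for dpt:{port}; only the first can match")
    if all(r.pkts == 0 for r in fwd):
        findings.append(f"DNAT dpt:{port} has matched 0 packets: nothing on tcp/{port} "
                        "for the WAN address has reached PREROUTING, or the rule's "
                        "destination no longer matches the current WAN IP")
    if any(r.chain == "PREROUTING" and r.target == "TRIGGER" for r in rules):
        findings.append("TRIGGER rule present in PREROUTING; port triggering can "
                        "conflict with a static forward")
    for r in rules:
        if r.chain == "POSTROUTING" and r.target in ("SNAT", "MASQUERADE") \
                and r.out_if in ("*", ""):
            findings.append(f"{r.target} rule is not tied to the WAN interface")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print("-", finding)
```

Run against the question's listing this reports three things: two identical port-80 forwards, zero packets ever matching them although PREROUTING has processed 165K packets, and the TRIGGER rule. The zero counter is the part worth acting on: the router is not seeing the inbound SYNs, so the next check belongs upstream of it (modem, ISP, or the address being connected to), not in the rules.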


Author: Darth Continent

Updated on September 18, 2022

Comments

  • Darth Continent
    Darth Continent over 1 year

    I'm running DD-WRT firmware on my router, version DD-WRT v24-sp2 (12/12/11) std.

    I'm trying to port forward http traffic on port 80 to my PC's local IP, 192.168.2.97, and although I can browse my hosted site on my LAN, when I try from a remote IP offsite I get "The Connection has timed out".

    Could someone please have a look at the iptables dump linked here and help me find the proper iptables syntax to use to enable port forwarding to work properly? I'm very new to iptables and am lost on how to craft the necessary syntax.

    EDIT output of netstat -ano | find "80" from the web server (Windows 7 running IIS):

      TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
      TCP    192.168.2.97:1869      207.46.124.39:80       ESTABLISHED     3860
      TCP    192.168.2.97:43794     74.125.229.36:80       TIME_WAIT       0
      TCP    [::]:80                [::]:0                 LISTENING       4
      UDP    127.0.0.1:48000        *:*                                    3132
      UDP    127.0.0.1:48001        *:*                                    2420
    

    EDIT output of iptables -t nat -L from the DD-WRT command prompt:

    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination         
    DNAT       icmp --  anywhere             my.wan.ip to:192.168.2.1 
    DNAT       tcp  --  anywhere             my.wan.ip tcp dpt:www to:192.168.2.97:80 
    DNAT       tcp  --  anywhere             my.wan.ip tcp dpt:www to:192.168.2.97 
    TRIGGER    0    --  anywhere             my.wan.ip TRIGGER type:dnat match:0 relate:0 
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination         
    SNAT       0    --  192.168.2.0/24       anywhere            to:my.wan.ip 
    RETURN     0    --  anywhere             anywhere            PKTTYPE = broadcast 
    

    EDIT output of iptables -t nat -vnL from DD-WRT interface:

    Chain PREROUTING (policy ACCEPT 165K packets, 18M bytes)
     pkts bytes target     prot opt in     out     source               destination         
       38 47952 DNAT       icmp --  *      *       0.0.0.0/0            my.wan.ip       to:192.168.2.1 
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            my.wan.ip       tcp dpt:80 to:192.168.2.97:80 
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            my.wan.ip       tcp dpt:80 to:192.168.2.97 
    47056 6024K TRIGGER    0    --  *      *       0.0.0.0/0            my.wan.ip       TRIGGER type:dnat match:0 relate:0 
    Chain OUTPUT (policy ACCEPT 4753 packets, 418K bytes)
     pkts bytes target     prot opt in     out     source               destination         
    Chain POSTROUTING (policy ACCEPT 4753 packets, 418K bytes)
     pkts bytes target     prot opt in     out     source               destination         
    87913   10M SNAT       0    --  *      vlan2   192.168.2.0/24       0.0.0.0/0           to:my.wan.ip 
        0     0 RETURN     0    --  *      br0     0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast 
    

    EDIT output of route from DD-WRT Command prompt:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    74.178.55.1     *               255.255.255.255 UH    0      0        0 vlan2
    192.168.2.0     *               255.255.255.0   U     0      0        0 br0
    74.178.55.0     *               255.255.255.0   U     0      0        0 vlan2
    169.254.0.0     *               255.255.0.0     U     0      0        0 br0
    239.0.0.0       *               255.0.0.0       U     0      0        0 br0
    127.0.0.0       *               255.0.0.0       U     0      0        0 lo
    default         adsl-74-178-55- 0.0.0.0         UG    0      0        0 vlan2
    


    CONCLUSION: I've had it with DD-WRT.

    I've bricked and unbricked my Buffalo WZR-HP-G300NH2 dozens of times now. Tried numerous suggestions below. Posted on the DD-WRT forum and got met with mostly dead air. Looked at other alternative firmwares like OpenWRT, Gargoyle, HyperWRT, Tomato. Of these, OpenWRT with Gargoyle looked promising, but Gargoyle specifically does not support my router (the WZR-HP-G300NH is supported, but not the WZR-HP-G300NH2).

    The furthest I've come so far is with getting OpenWRT and Luci (a web management add-on) installed, after wading through hundreds of forum posts trying to find solutions or workarounds to numerous build and config and other errors only to be met with terse, unhelpful posts in response to questions similar to mine along the way like "just recompile with {some library or option or config which seems perfectly conventional to the developer but not a newbie}" or "just try {doing the obvious which you've probably already tried, which I can do in my sleep but don't particularly care to elaborate on}".

    Apparently I did something wrong, because following this and trying to apply some configuration changes through Luci, the router has bricked again after a reboot. If I feel like it, I'll try yet again to reflash it, and see what I need to do to avoid the situation again, and hopefully end up with a functional router or at least a switch I can use.

    In the meantime I've gone ahead and bought another router, and I'm hoping that the factory firmware will do the seemingly simple task of port forwarding. Thanks to kce and all those who took a stab at this.

    • ash
      ash over 12 years
      Did you configure the port forwarding from the NAT/QoS -> Port Forwarding screen?
    • Hubert Kario
      Hubert Kario over 12 years
      Your ISP may be blocking port 80 if you're not using the business package.
    • Darth Continent
      Darth Continent over 12 years
      @Starfish: Yes, port 80 is set from there to forward TCP to my local IP.
    • Darth Continent
      Darth Continent over 12 years
      @HubertKario: I tried using a spare Linksys router I have lying around with its factory firmware, it forwarded external http traffic just fine, so I'm pretty certain my ISP isn't filtering.
    • Mattias Ahnberg
      Mattias Ahnberg over 12 years
      NAT through a Linux machine/dd-wrt must be placed in the nat tables PREROUTING section, I don't see that one in your iptables dump. Can you please give us that one too?
    • Mattias Ahnberg
      Mattias Ahnberg over 12 years
      Another thought; I am not sure if dd-wrt itself listens on port 80 for some service, just to try it out, try to forward another higher port (12345 or something) to the internal IP.
    • Vick Vega
      Vick Vega over 12 years
      @Darth Continent - Do you have web management turned on the router from outside of the network?
    • Darth Continent
      Darth Continent over 12 years
      @VickVega Nope, web management is Disabled.
    • Darth Continent
      Darth Continent over 12 years
      @MattiasAhnberg: I tried forwarding port 8080 instead, no luck. Also can you tell me the syntax to use to obtain the prerouting section?
    • Mattias Ahnberg
      Mattias Ahnberg over 12 years
      To list the nat table, do: iptables -t nat -vnL for example.
    • Mattias Ahnberg
      Mattias Ahnberg over 12 years
      Cool. Try: iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination int.ern.al.ip:80 then browse (from the outside, very important!) to ext.ern.al.ip:8080 and see what happens.
    • Darth Continent
      Darth Continent over 12 years
      @MattiasAhnberg: Ok, applied the command successfully, but got the same connection timeout when trying to browse remotely from my office laptop.
    • Mattias Ahnberg
      Mattias Ahnberg over 12 years
      Is the outgoing SNAT pointed at the right interface? Does any other type of traffic work as intended? These tips about the PREROUTING table, etc. should work. Double-check that the internal webserver has a default route that goes to this router too; if outgoing traffic from THAT server goes elsewhere it could cause timeouts even if everything is properly set up on the dd-wrt.
    • Darth Continent
      Darth Continent over 12 years
      @MattiasAhnberg: Can you tell me what syntax to verify the outgoing SNAT you mention? I checked and my webserver does have a default route referencing my router as the gateway (Network Destination 0.0.0.0, Netmask 0.0.0.0, Gateway 192.168.2.1 [my router], Interface 192.168.2.97 [my webserver local IP]). However, if you meant the "internal webserver" for DD-WRT on the router itself, see above.
    • Mattias Ahnberg
      Mattias Ahnberg over 12 years
      I mostly meant if the router works at all for outgoing traffic from the internal webserver, if it can reach the Internet through the router. I am starting to be at a loss as to what the problem is here; all your policies and rules look right, and in my experience that usually means that the machine behind has some issues, so we might be looking at the wrong place. That's why I started asking about the default route. But it's complicated when you say it works/worked with another router. :(
    • Mattias Ahnberg
      Mattias Ahnberg over 12 years
      Did you try port forwarding through the UI? dd-wrt.com/wiki/index.php/Port_Forwarding
    • Darth Continent
      Darth Continent over 12 years
      @MattiasAhnberg: Yes, same result.
    • Brian Hasden
      Brian Hasden over 12 years
      Not sure if you've taken a look at the recent answers, but the post that Lino Lopes made regarding commands to run is the fix for the issue. I ran into what appears to be the same port forwarding issue and Lino Lopes answer resolved it.
    • Darth Continent
      Darth Continent over 12 years
      @BrianHasden: Thanks, I haven't checked on this thread in a while; next chance I get I'll try it out and if it works give him the answer.
  • Darth Continent
    Darth Continent over 12 years
    Do you mean Windows firewall? I've already disabled it at the domain, public and private levels. Or do you mean the SPI firewall in DD-WRT?
  • Darth Continent
    Darth Continent over 12 years
    Well, for NAT I've set up port forwarding as described in the DD-WRT wiki to forward port 80 to my server's LAN IP address; for the firewall, as far as I'm aware I haven't set up anything in the DD-WRT firewall GUI settings to block port 80 traffic, though the iptables dump I posted I need help deciphering as I'm not sure whether that indicates port 80 is being blocked.
  • Vick Vega
    Vick Vega over 12 years
    As far as I'm aware, you need to allow access from outside to some host on the internal network. By default, on a lot of small-to-medium firewalls all incoming access is blocked unless authorized. So, add the rule to allow access on port 80 through the router's GUI.
  • Vick Vega
    Vick Vega over 12 years
    Can you do me a favor please? Run at the command prompt: (windows) netstat -ano | find "80". (Linux) netstat -ano | grep :80. And post the results.
  • Alien Life Form
    Alien Life Form over 12 years
    Surely you already checked this one out: dd-wrt.com/wiki/index.php/Port_Forwarding_Troubleshooting
  • Darth Continent
    Darth Continent over 12 years
    @AlienLifeForm: Yes, my setup fits the simplest of the WAN configs described on the wiki: "Any other WAN IP is likely a public (routable) address that just needs a properly configured port forward on the router."
  • Darth Continent
    Darth Continent over 12 years
    @VickVega I've added the output from netstat to my original post above.
  • Darth Continent
    Darth Continent over 12 years
    Thanks, I edited my original post to include the output of iptables -t nat -L, and yes in testing I'm trying to connect to my server via a remote session to a laptop at my office across town. For v24 I set up the forwarding rule via NAT / QoS => Port Forwarding.
  • Darth Continent
    Darth Continent over 12 years
    I tried to add that rule, but DD-WRT came back with "Bad argument `DNAT'". Btw, I'd mentioned a Linksys router I tried with just its factory firmware forwarded port 80 fine to my web server, so it seems like there's no filtering going on.
  • Naveed Abbas
    Naveed Abbas over 12 years
    Seems ok. I've updated my answer with one more advice: triggering.
  • Darth Continent
    Darth Continent over 12 years
    I removed the entry I had under Port Triggering, no change; from my external setup the connection still times out.
  • Olipro
    Olipro over 12 years
    sorry, the stupid editor treated my command as if it were markup, fixed now
  • Darth Continent
    Darth Continent over 12 years
    Here's the build info: DD-WRT v24-sp2 (12/12/11) std - build 18000
  • Admin
    Admin over 12 years
    Please see my edit. If this is an issue with NAT Loopback there is a fix (downgrade) otherwise you should downgrade anyway.
  • Darth Continent
    Darth Continent over 12 years
    I'd already applied a workaround recommended by one of the DD-WRT users to get around the NAT loopback issue, this solved the problem of not being able to browse to the web server from within my LAN, but the inability to browse from an external address still remains. I guess at this point I may go ahead and try downgrading to an earlier build as you recommend.
  • Darth Continent
    Darth Continent over 12 years
    I tried downgrading the firmware to build 14896, which according to the DD-WRT database is compatible with the Buffalo WZR-HP-G300NH; however, my router is actually the Buffalo WZR-HP-G300NH2. Nevertheless, the GUI allowed me to downgrade to the G300NH build 14896 firmware, whereupon my router bricked. I then updated to the previous firmware specifically for the WZR-HP-G300NH2 via TFTP and my router came back to life, with the same server timeout problem when trying to access my web server externally, unfortunately.
  • Darth Continent
    Darth Continent over 12 years
    I tried to find the earliest build possible for the NH2 by someone named BrainSlayer (a senior user on the DD-WRT support forum), posted here: dd-wrt.com/others/eko/BrainSlayer-V24-preSP2 I tried downgrading to the earliest build of his firmware I could find that supports the NH2 (16994, located here: dd-wrt.com/others/eko/BrainSlayer-V24-preSP2/2011/…), but once again the server timeout occurs.
  • Darth Continent
    Darth Continent over 12 years
    No luck, I still get the connection timeout.
  • Olipro
    Olipro over 12 years
    oops, yes, that would fail, fixed command again.
  • Brian Hasden
    Brian Hasden over 12 years
    Thank you so much for this, however for my E3000 router I needed to add this to the firewall script and not startup. The DD-WRT post explaining the fix is at dd-wrt.com/phpBB2/viewtopic.php?t=89353.
  • MrGigu
    MrGigu about 11 years
    txt spk dsnt go down well here like you bro lol wtfbbq ellipsis