Hi,
I have trouble setting up port forwarding with my new GL-AXT1800. Here is my Setup:
I have the router behind a modem set up in bridge mode. So I have a public IP on my router. On the LAN side I have two VLANs setup. 192.168.178.0/24 and 10.0.1.0./24. Routing between the networks works fine. I have been trying to setup port forwarding to a host in the 10.0.1.0/24 network. I want to forward port 80 and 443 to my nginx proxy manager. The /etc/config/firewall config looks like this (MACs and sensitive data removed):
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option output 'ACCEPT'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'wwan'
option input 'ACCEPT'
option masq '1'
option forward 'REJECT'
config rule
option dest_port '80'
option name 'allow_in_http-npm'
option dest 'SmartHome'
list dest_ip '10.0.1.14'
option target 'ACCEPT'
list proto 'tcp'
option src '*'
config rule
option dest_port '443'
option name 'allow_in_https_npm'
option dest 'SmartHome'
list dest_ip '10.0.1.14'
option target 'ACCEPT'
list proto 'tcp'
option src '*'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config include 'nat6'
option path '/etc/firewall.nat6'
option reload '1'
config rule 'process_mark'
option name 'process_mark'
option dest '*'
option proto 'all'
option extra '-m owner --gid-owner 65533'
option target 'MARK'
option set_xmark '0x80000/0x80000'
config rule 'wan_in_conn_mark'
option name 'wan_in_conn_mark'
option src 'wan'
option dest '*'
option set_xmark '0x80000/0x80000'
option target 'MARK'
option extra '-m mark --mark 0x0/0x3f00 -j CONNMARK --set-xmark 0x80000/0x80000'
option enabled '0'
config rule 'lan_in_conn_mark_restore'
option name 'lan_in_conn_mark_restore'
option src 'lan'
option dest '*'
option set_xmark '0x80000/0x80000'
option target 'MARK'
option extra '-m connmark --mark 0x80000/0x80000 -j CONNMARK --restore-mark'
option enabled '0'
config rule 'out_conn_mark_restore'
option name 'out_conn_mark_restore'
option dest '*'
option set_xmark '0x80000/0x80000'
option target 'MARK'
option extra '-m connmark --mark 0x80000/0x80000 -j CONNMARK --restore-mark'
option enabled '0'
config include 'swap_wan_in_conn_mark'
option type 'script'
option reload '1'
option enabled '0'
option path '/etc/firewall.swap_wan_in_conn_mark.sh'
config rule 'block_dns'
option name 'block_dns'
option src '*'
option device 'br-+'
option dest_port '53'
option target 'REJECT'
option enabled '0'
config include 'gls2s'
option type 'script'
option path '/var/etc/gls2s.include'
option reload '1'
config include 'glblock'
option type 'script'
option path '/usr/bin/gl_block.sh'
option reload '1'
config include 'vpn_server_policy'
option type 'script'
option path '/etc/firewall.vpn_server_policy.sh'
option reload '1'
option enabled '1'
config zone
option name 'SmartHome'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
list network 'SmartHome'
config rule
option dest 'SmartHome'
option src 'lan'
option name 'allow_lan_to_any'
option target 'ACCEPT'
config rule
option src 'SmartHome'
option name 'allow_homeassistant_any'
list src_ip '10.0.1.11'
option dest '*'
option target 'ACCEPT'
config rule
option dest_port '5353'
option src '*'
option dest '*'
option target 'ACCEPT'
list proto 'udp'
option name 'Allow_mDNS'
config rule
option dest '*'
option src 'SmartHome'
option name 'Allow_Smarhome_to_any'
option target 'ACCEPT'
config redirect
option dest_port '80'
option src 'wan'
option name 'http_npm'
option src_dport '80'
option target 'DNAT'
option dest_ip '10.0.1.14'
option dest 'SmartHome'
list proto 'tcp'
config redirect
option dest_port '443'
option src 'wan'
option name 'https_npm'
option src_dport '443'
option target 'DNAT'
option dest_ip '10.0.1.14'
option dest 'SmartHome'
list proto 'tcp'
config forwarding
option dest 'wan'
option src 'lan'
config forwarding
option dest 'wan'
option src 'SmartHome'
From a port scanner website I know that the ports seems to be open and tcpdump also gets packets on wan. But they are not reaching the 10.0.1.0 interface. So it's probably the firewall. But being new to OpenWRT/LUCI I don't now whats missing. I have played around with the zone settings, but I haven't got it working. When I try to port forward something within the "lan" interface it works. But not from the "smart home" interface.
Here is the /etc/config/network file:
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix ''
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth2'
config device
option name 'eth1'
option macaddr ''
config device
option name 'eth2'
option macaddr ''
config interface 'lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option isolate '0'
option ipaddr '192.168.178.1'
option device 'eth2'
config device
option name 'eth0'
option macaddr ''
config interface 'wan'
option device 'eth0'
option ipv6 '0'
option proto 'pppoe'
option username ''
option password ''
config interface 'wan6'
option proto 'dhcpv6'
option disabled '1'
option device '@wan'
config switch
option name 'switch0'
option reset '0'
option enable_vlan '0'
config interface 'tethering6'
option proto 'dhcpv6'
option disabled '1'
option device '@tethering'
config interface 'wwan6'
option proto 'dhcpv6'
option disabled '1'
option device '@wwan'
config interface 'guest'
option force_link '1'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.9.1'
option netmask '255.255.255.0'
option ip6assign '60'
option multicast_querier '1'
option igmp_snooping '0'
option isolate '0'
option bridge_empty '1'
option disabled '1'
config interface 'wwan'
option proto 'dhcp'
config interface 'modem_1_1_2_6'
option proto 'dhcpv6'
option disabled '1'
option device '@modem_1_1_2'
config rule 'policy_bypass_vpn'
option mark '0x60000/0x60000'
option lookup '53'
option priority '53'
config rule 'policy_via_vpn'
option mark '0x80000/0x80000'
option lookup '52'
option priority '52'
config rule 'policy_dns'
option mark '0x100000/0x100000'
option lookup '51'
option priority '51'
config switch_vlan
option device 'switch0'
option vlan '2'
option description 'LAN'
option ports '1 5t'
config switch_vlan
option device 'switch0'
option ports '2 5t'
option vlan '3'
option description 'Smart Home'
config interface 'SmartHome'
option proto 'static'
option ipaddr '10.0.1.1'
option netmask '255.255.255.0'
option device 'br_smarthome'
config device
list ports 'eth1'
option type 'bridge'
option name 'br_smarthome'
option bridge_empty '1'