Port forwarding not working #3573

Closed
falahati opened this issue Oct 6, 2024 · 1 comment
falahati commented Oct 6, 2024

Expected Behavior

Expect to be able to forward ports from the VPS to the local network easily.

Current Behavior

Port forwarding on the router side works. In fact, the VPN also works to the point that I can connect to the service behind the router from the VPS side, but it doesn't work for requests sent to the VPS from outside.

Specifications

  • OpenMPTCProuter version: 6.1.0-23-amd64 0.1030
  • OpenMPTCProuter VPS version: OpenMPTCProuter VPS 0.1030
  • OpenMPTCProuter VPS provider: Something regional, you wouldn't know it
  • OpenMPTCProuter platform: Linux 6.1.0-23-amd64 SMP PREEMPT_DYNAMIC Debian 6.1.99-1 x86_64

Configuration

Ok, so port forwarding was set up as follows:
[two screenshots]

IPs

  • 192.168.3.1: is OpenMPTCProuter
  • 192.168.3.101: is the destination for the port forwarding. It is another router that passes the data down 2 more levels to reach the actual device, but that won't matter as the rest of the way is configured properly; opening 192.168.3.101:13000 works as expected.

Diagnostic

/etc/shorewall/rules

DNAT            net             vpn:$OMR_ADDR   tcp     13000-13010     # OMR openmptcprouter redirect router 13000-13010 port tcp
DNAT            net             vpn:$OMR_ADDR   udp     13000-13010     # OMR openmptcprouter redirect router 13000-13010 port udp

/etc/shorewall/params.vpn

VPS_ADDR=10.255.255.1
VPS_IFACE=gt-tun0
OMR_ADDR=10.255.255.2

nc 10.255.255.2 13000 on VPS - WORKS

debian@vps:~$ nc 10.255.255.2 13000
test
HTTP/1.1 400 Bad Request
Connection: close

nc 192.168.3.101 13000 on OpenMPTCProuter - WORKS

root@OpenMPTCProuter:~# nc 192.168.3.101 13000
test
HTTP/1.1 400 Bad Request
Connection: close

tcpdump -i tun0 port 13000 on OpenMPTCProuter with nc 10.255.255.2 13000 on VPS - WORKS

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
14:38:19.789551 IP 10.255.255.1.14689 > 10.255.255.2.13000: Flags [S], seq 2824592113, win 42340, options [mss 1460,sackOK,TS val 4280825337 ecr 0,nop,wscale 9], length 0
14:38:19.791302 IP 10.255.255.2.13000 > 10.255.255.1.14689: Flags [S.], seq 774278676, ack 2824592114, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2299942069 ecr 4280825337,sackOK,eol], length 0
14:38:19.793681 IP 10.255.255.1.14689 > 10.255.255.2.13000: Flags [.], ack 1, win 83, options [nop,nop,TS val 4280825341 ecr 2299942069], length 0
14:38:19.794966 IP 10.255.255.2.13000 > 10.255.255.1.14689: Flags [.], ack 1, win 2058, options [nop,nop,TS val 2299942073 ecr 4280825341], length 0
14:38:21.105728 IP 10.255.255.1.14689 > 10.255.255.2.13000: Flags [P.], seq 1:6, ack 1, win 83, options [nop,nop,TS val 4280826653 ecr 2299942073], length 5
14:38:21.106741 IP 10.255.255.2.13000 > 10.255.255.1.14689: Flags [.], ack 6, win 2058, options [nop,nop,TS val 2299943385 ecr 4280826653], length 0
14:38:21.110557 IP 10.255.255.2.13000 > 10.255.255.1.14689: Flags [P.], seq 1:48, ack 6, win 2058, options [nop,nop,TS val 2299943389 ecr 4280826653], length 47
14:38:21.110616 IP 10.255.255.2.13000 > 10.255.255.1.14689: Flags [F.], seq 48, ack 6, win 2058, options [nop,nop,TS val 2299943389 ecr 4280826653], length 0
14:38:21.112850 IP 10.255.255.1.14689 > 10.255.255.2.13000: Flags [.], ack 48, win 83, options [nop,nop,TS val 4280826660 ecr 2299943389], length 0
14:38:21.155226 IP 10.255.255.1.14689 > 10.255.255.2.13000: Flags [.], ack 49, win 83, options [nop,nop,TS val 4280826703 ecr 2299943389], length 0
14:38:22.066326 IP 10.255.255.1.14689 > 10.255.255.2.13000: Flags [P.], seq 6:7, ack 49, win 83, options [nop,nop,TS val 4280827614 ecr 2299943389], length 1
14:38:22.067514 IP 10.255.255.2.13000 > 10.255.255.1.14689: Flags [R], seq 774278725, win 0, length 0

tcpdump -i eth0 port 13000 on OpenMPTCProuter with nc 10.255.255.2 13000 on VPS - WORKS

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:39:16.129721 IP OpenMPTCProuter.lan.26259 > 192.168.3.101.13000: Flags [S], seq 1140352865, win 42340, options [mss 1460,sackOK,TS val 4280881677 ecr 0,nop,wscale 9], length 0
14:39:16.131329 IP 192.168.3.101.13000 > OpenMPTCProuter.lan.26259: Flags [S.], seq 2371286643, ack 1140352866, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3106807462 ecr 4280881677,sackOK,eol], length 0
14:39:16.134156 IP OpenMPTCProuter.lan.26259 > 192.168.3.101.13000: Flags [.], ack 1, win 83, options [nop,nop,TS val 4280881681 ecr 3106807462], length 0
14:39:16.135285 IP 192.168.3.101.13000 > OpenMPTCProuter.lan.26259: Flags [.], ack 1, win 2058, options [nop,nop,TS val 3106807466 ecr 4280881681], length 0
14:39:17.510557 IP OpenMPTCProuter.lan.26259 > 192.168.3.101.13000: Flags [P.], seq 1:6, ack 1, win 83, options [nop,nop,TS val 4280883058 ecr 3106807466], length 5
14:39:17.511808 IP 192.168.3.101.13000 > OpenMPTCProuter.lan.26259: Flags [.], ack 6, win 2058, options [nop,nop,TS val 3106808843 ecr 4280883058], length 0
14:39:17.512577 IP 192.168.3.101.13000 > OpenMPTCProuter.lan.26259: Flags [P.], seq 1:48, ack 6, win 2058, options [nop,nop,TS val 3106808843 ecr 4280883058], length 47
14:39:17.512718 IP 192.168.3.101.13000 > OpenMPTCProuter.lan.26259: Flags [F.], seq 48, ack 6, win 2058, options [nop,nop,TS val 3106808843 ecr 4280883058], length 0
14:39:17.514682 IP OpenMPTCProuter.lan.26259 > 192.168.3.101.13000: Flags [.], ack 48, win 83, options [nop,nop,TS val 4280883062 ecr 3106808843], length 0
14:39:17.555130 IP OpenMPTCProuter.lan.26259 > 192.168.3.101.13000: Flags [.], ack 49, win 83, options [nop,nop,TS val 4280883103 ecr 3106808843], length 0
14:39:17.668101 IP OpenMPTCProuter.lan.26259 > 192.168.3.101.13000: Flags [P.], seq 6:7, ack 49, win 83, options [nop,nop,TS val 4280883216 ecr 3106808843], length 1
14:39:17.669318 IP 192.168.3.101.13000 > OpenMPTCProuter.lan.26259: Flags [R], seq 2371286692, win 0, length 0

nc [VPSIP] 13000 on another remote device - FAILS WITH NO RESPONSE

root@REMOTE:~# nc [VPSIP] 13000
test

tcpdump -i tun0 port 13000 on OpenMPTCProuter with nc [VPSIP] 13000 on another remote device - FAILS WITH NO RESPONSE

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
14:41:13.308736 IP [REMOTEVPSIP].11627 > 10.255.255.2.13000: Flags [S], seq 308606978, win 42340, options [mss 1460,sackOK,TS val 1091332290 ecr 0,nop,wscale 9], length 0
14:41:14.320848 IP [REMOTEVPSIP].11627 > 10.255.255.2.13000: Flags [S], seq 308606978, win 42340, options [mss 1460,sackOK,TS val 1091333297 ecr 0,nop,wscale 9], length 0
14:41:16.335350 IP [REMOTEVPSIP].11627 > 10.255.255.2.13000: Flags [S], seq 308606978, win 42340, options [mss 1460,sackOK,TS val 1091335317 ecr 0,nop,wscale 9], length 0
14:41:20.395291 IP [REMOTEVPSIP].11627 > 10.255.255.2.13000: Flags [S], seq 308606978, win 42340, options [mss 1460,sackOK,TS val 1091339377 ecr 0,nop,wscale 9], length 0
14:41:28.587261 IP [REMOTEVPSIP].11627 > 10.255.255.2.13000: Flags [S], seq 308606978, win 42340, options [mss 1460,sackOK,TS val 1091347569 ecr 0,nop,wscale 9], length 0
14:41:44.717230 IP [REMOTEVPSIP].11627 > 10.255.255.2.13000: Flags [S], seq 308606978, win 42340, options [mss 1460,sackOK,TS val 1091363697 ecr 0,nop,wscale 9], length 0
14:42:18.763681 IP [REMOTEVPSIP].11627 > 10.255.255.2.13000: Flags [S], seq 308606978, win 42340, options [mss 1460,sackOK,TS val 1091397745 ecr 0,nop,wscale 9], length 0

tcpdump -i eth0 port 13000 on OpenMPTCProuter with nc [VPSIP] 13000 on another remote device - FAILS WITH NO RESPONSE

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:45:08.023534 IP OpenMPTCProuter.lan.14561 > 192.168.3.101.13000: Flags [S], seq 2019288763, win 42340, options [mss 1460,sackOK,TS val 1091567004 ecr 0,nop,wscale 9], length 0
14:45:08.024992 IP 192.168.3.101.13000 > OpenMPTCProuter.lan.14561: Flags [S.], seq 3740170255, ack 2019288764, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2813151621 ecr 1091567004,sackOK,eol], length 0
14:45:08.055529 IP 192.168.3.101.13000 > OpenMPTCProuter.lan.14561: Flags [S.], seq 3740170255, ack 2019288764, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2813151651 ecr 1091567004,sackOK,eol], length 0
14:45:08.116695 IP 192.168.3.101.13000 > OpenMPTCProuter.lan.14561: Flags [S.], seq 3740170255, ack 2019288764, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2813151712 ecr 1091567004,sackOK,eol], length 0
14:45:08.237177 IP 192.168.3.101.13000 > OpenMPTCProuter.lan.14561: Flags [S.], seq 3740170255, ack 2019288764, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2813151833 ecr 1091567004,sackOK,eol], length 0
14:45:08.477686 IP 192.168.3.101.13000 > OpenMPTCProuter.lan.14561: Flags [S.], seq 3740170255, ack 2019288764, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2813152073 ecr 1091567004,sackOK,eol], length 0
14:45:08.957704 IP 192.168.3.101.13000 > OpenMPTCProuter.lan.14561: Flags [S.], seq 3740170255, ack 2019288764, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2813152553 ecr 1091567004,sackOK,eol], length 0
14:45:09.035466 IP OpenMPTCProuter.lan.14561 > 192.168.3.101.13000: Flags [S], seq 2019288763, win 42340, options [mss 1460,sackOK,TS val 1091568017 ecr 0,nop,wscale 9], length 0
14:45:09.036705 IP 192.168.3.101.13000 > OpenMPTCProuter.lan.14561: Flags [S.], seq 3740170255, ack 2019288764, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2813152633 ecr 1091568017,sackOK,eol], length 0

It seems to me that the service does respond to the initial OpenMPTCProuter.lan.14561 > 192.168.3.101.13000 with a 192.168.3.101.13000 > OpenMPTCProuter.lan.14561 in both examples, but it was passed to the tunnel in one case and was ignored in the other. So the response to the request never reached the VPS, as it never entered the tunnel interface. Is this maybe the result of a NAT rule missing on the VPS side to change the source address?
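
The comparison made in the post above can be run mechanically over the tcpdump text. This is an added example, not part of the original issue or of OpenMPTCProuter: it classifies each flow in one interface's capture by how far the TCP handshake got. The sample lines are shortened from the captures above, and 203.0.113.7 is a constructed stand-in for the redacted remote address.

```python
import re
from collections import defaultdict

# tcpdump's default one-line TCP format: "<time> IP <src> > <dst>: Flags [<flags>], ..."
LINE = re.compile(r"^\S+ IP (\S+) > (\S+): Flags \[([^\]]+)\]")

def handshake_state(capture):
    """Return {(client, server): state} for every TCP flow in one interface's capture."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "client_ack": 0})
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                              # tcpdump banner lines, blanks
        src, dst, flags = m.groups()
        if flags == "S":                          # bare SYN: src is the client
            flows[(src, dst)]["syn"] += 1
        elif flags == "S.":                       # SYN-ACK: src is the server
            flows[(dst, src)]["synack"] += 1
        elif flows.get((src, dst), {}).get("synack"):
            flows[(src, dst)]["client_ack"] += 1  # client traffic after a SYN-ACK
    result = {}
    for key, c in flows.items():
        if c["client_ack"]:
            result[key] = "established"
        elif c["synack"]:
            result[key] = "synack_unanswered"     # server replied, client never ACKed
        else:
            result[key] = "syn_unanswered"        # no reply seen on this interface
    return result

# Samples shortened from the captures in the post (TCP options trimmed).
TUN0_FAIL = """
14:41:13.308736 IP 203.0.113.7.11627 > 10.255.255.2.13000: Flags [S], seq 308606978, win 42340, length 0
14:41:14.320848 IP 203.0.113.7.11627 > 10.255.255.2.13000: Flags [S], seq 308606978, win 42340, length 0
"""
ETH0_FAIL = """
14:45:08.023534 IP OpenMPTCProuter.lan.14561 > 192.168.3.101.13000: Flags [S], seq 2019288763, win 42340, length 0
14:45:08.024992 IP 192.168.3.101.13000 > OpenMPTCProuter.lan.14561: Flags [S.], seq 3740170255, ack 2019288764, win 65535, length 0
14:45:08.055529 IP 192.168.3.101.13000 > OpenMPTCProuter.lan.14561: Flags [S.], seq 3740170255, ack 2019288764, win 65535, length 0
"""
TUN0_OK = """
14:38:19.789551 IP 10.255.255.1.14689 > 10.255.255.2.13000: Flags [S], seq 2824592113, win 42340, length 0
14:38:19.791302 IP 10.255.255.2.13000 > 10.255.255.1.14689: Flags [S.], seq 774278676, ack 2824592114, win 65535, length 0
14:38:19.793681 IP 10.255.255.1.14689 > 10.255.255.2.13000: Flags [.], ack 1, win 83, length 0
"""

if __name__ == "__main__":
    for name, cap in (("tun0 fail", TUN0_FAIL), ("eth0 fail", ETH0_FAIL), ("tun0 ok", TUN0_OK)):
        print(name, handshake_state(cap))
```

A flow that is `synack_unanswered` on eth0 while the matching flow is `syn_unanswered` on tun0 means the reply reached the router's LAN side but did not appear on the tunnel interface.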


github-actions bot commented Jan 4, 2025

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days

@github-actions github-actions bot added the Stale label Jan 4, 2025
@github-actions github-actions bot closed this as completed Jan 9, 2025