Ticket #813 (closed bug: worksforme)

Opened 3 years ago

Last modified 18 months ago

Forwarding ports to the Fonera itself doesn't work

Reported by: hommes.hans@…
Owned by:
Priority: normal
Milestone:
Component: fon-network
Version: 2.3.6.0 (Gari)
Severity: unknown
Cc:
Hardware: 2.0n (FON2300)

Description

I think there is a big bug in the port forwarding of the firewall in firmware 2.3.6.0. I cannot access any internal port in or behind the Fonera. Everything stays locked. Several users of my Motion4Fon report this. The only solution is to open all WAN traffic (ACCEPT in the firewall file). I have tested this in 2.3.0.0, 2.3.5.0 and 2.3.6.0. The last working version has been 2.2.6.0. Please repair in the next release and reply to confirm.

Attachments

firewall.txt Download (2.4 KB) - added by OldMan 3 years ago.
Firewall as requested by Matthijs
iptables -L -v -n -t nat.txt Download (6.1 KB) - added by OldMan 3 years ago.
iptables -L -v -n as requested by Matthijs
iptables -L -v -n.txt Download (17.9 KB) - added by Oldman 3 years ago.
iptables -L -v -n as requested by Matthijs

Change History

Changed 3 years ago by matthijs

  • status changed from new to infoneeded
  • component changed from fon-base-firmware to fon-network
  • milestone Requests deleted

Could you indicate how you tried to open up ports exactly? E.g., in what part of the interface, with which values?

Also, how did you test if things were working? Did you try connecting from the internet, or also from the WAN side of the Fonera (in between the Fonera and your internet modem)?

Changed 3 years ago by anonymous

I tried to open from: WebGUI >> Dashboard >> Settings >> Firewall >> Port Forwarding. Here I set:

    Protocol  External port  Internal IP     Internal port
    TCP       3280           192.168.10.1    80
    TCP       3281           192.168.10.1    81
    TCP       3282           192.168.10.1    82
    TCP       3283           192.168.10.1    83
    TCP       3284           192.168.10.3    80

Use: WebGUI, Motion settings, Motion stream, Motion snapshot, ATA186 VoIP settings. Tested from both the WAN side of the Fonera and from the internet.

If I change in /etc/config/firewall:

    config 'zone'
        option 'name' 'wan'
        option 'input' 'REJECT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'masq' '1'

into:

    config 'zone'
        option 'name' 'wan'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'ACCEPT'
        option 'masq' '1'

everything is open. But that is NOT what we want, is it, everything open. As said, it was working in version 2.2.6.0.

Changed 3 years ago by OldMan hans@…

Info supplied. Can't change status, only "Action" option is "leave as infoneeded"

Changed 3 years ago by matthijs

  • status changed from infoneeded to investigate

Sorry, your comment got misplaced in my inbox. Changing status, but it might be a while until I can look into this.

Changed 3 years ago by matthijs

  • severity set to unknown

I assume you've tried a restart of the Fonera? I've been testing a bit and it seems to work for me (using a custom 2.3.6.0 build on 2.0g, though) but only after a restart...

Changed 3 years ago by OldMan hommes.hans@…

Yes, my Fonera2n is powered off every day from 02:00 until 08:00 LT. It resets and starts fresh every day. If you would like to have any config files, just ask for them (private mail).

I reported the problem for the 2N. It runs the 2.3.6.0 developer version. My 2q is still running v 2.2.5.0 RC2. I would love to test your v 2.3.6.0 version for the 2q; can you send it to me in a private mail? I would like to see if the firewall runs okay in my environment.

Changed 3 years ago by matthijs

For debugging, I'll need the contents of the file "/etc/config/firewall" and the results of the commands "iptables -L -v -n" and "iptables -L -v -n -t nat".

Could you attach the results in this report?

Changed 3 years ago by OldMan

Firewall as requested by Matthijs

Changed 3 years ago by OldMan

iptables -L -v -n as requested by Matthijs

Changed 3 years ago by Oldman

iptables -L -v -n as requested by Matthijs

Changed 3 years ago by OldMan

Requested info in attachments.

Changed 3 years ago by matthijs

From the looks of it, it seems the port forwarding rules are installed ok. However, two notes:

  1. It seems some of your rules are supposed to redirect to the Fonera itself (192.168.10.1). I'm not completely sure this is supported (it might need a REDIRECT rule instead of a DNAT rule).
  2. Are you sure that you've tested from the internet? When you test from behind the Fonera, I don't think the forward will work, even when you use the public address of your modem or the Fonera.

Changed 3 years ago by OldMan

1. This forwarding to the Fonera used to work, at least on the 2q until 2.2.5.0 RC2. Many Foneros working with the Motion plug-in used to work this way. There are now a lot of questions on the forum about how to access Motion externally.

1a. Notice that the NAT from port 84 to 192.168.10.4 port 80 is also NOT working. This one is not to the Fonera itself.

2. I put an extra switch between the WAN side of the Fonera and the modem, and connected an extra laptop to this switch for testing the firewall, so that modem and internet issues are out of the question.

Changed 3 years ago by anonymous

"Notice that the NAT from port 84 to 192.168.10.4 port 80 is also NOT working." Sorry, sorry, sorry: this is working! I had configured it wrongly, to 192.168.10.4 port 84. So, this means the firewall is working, but not to the internal ports of the Fonera. I think I have to make new versions of Motion4Fon to open these ports.

Changed 3 years ago by OldMan @…

New info: If I configure in Firewall > Port Forwarding: port 83, IP 192.168.10.1, port 83, then I can access this port for a few seconds; after that the port is blocked again. The time varies from 3 to 20 seconds or maybe more. It looks like some process running every 30 or 60 seconds is blocking this internal port after a while.

Changed 3 years ago by matthijs

  • summary changed from Bug in Firewall Port forwarding to Forwarding ports to the Fonera itself doesn't work

Changed 3 years ago by matthijs

  • milestone set to Firmware 2.3.7.0

Changed 2 years ago by matthijs

  • status changed from investigate to closed
  • resolution set to worksforme
  • milestone Firmware 2.3.7.0 deleted

A bit of testing shows that forwarding ports to the Fonera itself does in fact work. There is however one catch: This can only be used to "change" port numbers on ports that are already open on the WAN interface (since the ACCEPT rule gets created in the FORWARD chain, not INPUT). I guess this is sort of a feature, not accidentally opening up WAN ports.

In particular, forwarding port 8000 or something to 192.168.10.1 port 443 makes the WebGUI available on a different port (but only if the WebGUI is enabled in the Applications page and only if you use HTTPS, don't use HTTP and/or port 80).

I think that since this report was created, Hans and I have discussed changing the motion plugin to let it properly open up the ports (by adding the appropriate entries under Settings -> Firewall -> Applications). I'm not sure if this was ever completed. Hans, if you want we / I can have another look at that?

I'm closing this report, since I consider this working. If I missed anything, feel free to comment.
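The mechanism described in the closing comment (the port-forward's ACCEPT lands in the FORWARD chain, while a packet DNATed to the Fonera's own address is delivered locally and therefore traverses INPUT) can be checked mechanically against the two dumps requested earlier in the ticket. This added Python example is not from the ticket or the firmware: it parses constructed `iptables -L -v -n` output in which the chain names (`zone_wan`) and WAN interface (`eth0.1`) are invented, and reports each DNAT to the router itself as blocked when only FORWARD accepts it, or as ok when INPUT already accepts that port (the 8000 -> 443 case from the comment).

```python
import re
# Constructed, trimmed `iptables -L -v -n` dumps; chain/interface names are invented.
NAT_DUMP = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    3   180 DNAT       tcp  --  eth0.1 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3280 to:192.168.10.1:80
    2   120 DNAT       tcp  --  eth0.1 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8000 to:192.168.10.1:443
"""
FILTER_DUMP = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
   50  4000 zone_wan   all  --  eth0.1 *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    0     0 ACCEPT     tcp  --  eth0.1 *       0.0.0.0/0            192.168.10.1         tcp dpt:80
Chain zone_wan (1 references)
    4   240 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
   46  3760 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
"""
def parse_dump(text):
    """One table's `-L -v -n` output -> ({chain: [rule dicts]}, {chain: policy or None})."""
    chains, policy, cur = {}, {}, None
    for line in text.splitlines():
        if m := re.match(r"Chain (\S+)(?: \(policy (\w+))?", line):
            cur, chains[m[1]], policy[m[1]] = m[1], [], m[2]
        elif len(f := line.split()) >= 9 and f[0] != "pkts":
            # f: pkts bytes target prot opt in out source destination [matches...]
            dpt, to = re.search(r"dpt:(\d+)", line), re.search(r"to:([\d.]+):(\d+)", line)
            chains[cur].append({"target": f[2], "proto": f[3], "in": f[5], "dst": f[8],
                                "dport": int(dpt[1]) if dpt else None,
                                "to": (to[1], int(to[2])) if to else None})
    return chains, policy

def verdict(chains, chain, pkt):
    """First ACCEPT/REJECT/DROP `pkt` hits in `chain`, following jumps; None on fall-through."""
    for r in chains.get(chain, []):
        if (r["proto"] in ("all", pkt["proto"]) and r["in"] in ("*", pkt["in"]) and
                r["dst"] in ("0.0.0.0/0", pkt["dst"]) and r["dport"] in (None, pkt["dport"])):
            v = verdict(chains, r["target"], pkt) if r["target"] in chains else r["target"]
            if v in ("ACCEPT", "REJECT", "DROP"):
                return v
    return None

def audit(filter_dump, nat_dump, router_addrs, wan_if):
    """(wan_port, to_port, status) per DNAT aimed at the router: INPUT decides, not FORWARD."""
    (filt, pol), (nat, _), out = parse_dump(filter_dump), parse_dump(nat_dump), []
    for r in (r for rules in nat.values() for r in rules):
        if r["target"] == "DNAT" and r["to"] and r["to"][0] in router_addrs:
            pkt = {"proto": r["proto"], "in": wan_if, "dst": r["to"][0], "dport": r["to"][1]}
            in_v, fwd_v = (verdict(filt, c, pkt) or pol[c] for c in ("INPUT", "FORWARD"))
            status = "ok" if in_v == "ACCEPT" else f"blocked: INPUT {in_v}, FORWARD {fwd_v}"
            out.append((r["dport"], r["to"][1], status))
    return out
```

Running `audit(FILTER_DUMP, NAT_DUMP, {"192.168.10.1"}, "eth0.1")` flags the 3280 -> 80 forward as blocked by INPUT while FORWARD accepts it, and reports 8000 -> 443 as ok because 443 is already open on the WAN zone.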
