
Hi everyone, I had some difficulty setting up port forwarding with the Merlin WRT firmware on my ASUS routers and did not find a great guide online so figured I would write one up to hopefully help save someone a few hours of pain.

 

1. Download the Merlin WRT firmware from the website and just upload it as a regular file through the Administration -> Firmware Upgrade page.

 

2. Once done, go to Administration -> System -> Persistent JFFS partition and make sure you enable both options. This is where the script will go. Restart the router.

 

3. Download Win-SCP to help you upload and edit files on the router. I found this to be the easiest way.

 

4. Log in to your router with WinSCP:

            - File protocol: SCP

            - Host name: Router IP (eg. 192.168.1.1)

            - User name/Password of your router – Login

 

5. Use the “..” folder all the way at the top to go back to where you will see the “jffs” partition. Go to jffs -> scripts, then right click and create a new file named “nat-start” without quotations. So /jffs/scripts/nat-start

           

  • For whatever reason the first time I activated JFFS partition it was read only and did not allow me to create any new files so I followed the instructions here and used the commands through telnet to mount the partition and then restarted the router

 

6. Once the file is created, right click, go to Properties and make sure the Owner permission has a check next to “X”, making it executable. You can also do this through telnet using the chmod command.

 

7. Use the following script to set up port forwarding:

#!/bin/sh
# /jffs/scripts/nat-start
# Fill in these four values (interface names come from "ifconfig", see step 8); the values shown are examples.
VPN_IF=tun11            # OpenVPN client interface
WAN_IF=vlan1            # raw WAN interface, used for the kill-switch rule
LAN_IP=192.168.1.50     # IP of the device requiring the open port
PORT=12345              # port assigned on the AirVPN website

# LAN <-> VPN forwarding, no LAN -> WAN leak, and nothing from the tunnel to the router itself.
iptables -I FORWARD -i br0 -o $VPN_IF -j ACCEPT
iptables -I FORWARD -i $VPN_IF -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o $WAN_IF -j DROP
iptables -I INPUT -i $VPN_IF -j REJECT
iptables -t nat -A POSTROUTING -o $VPN_IF -j MASQUERADE

# The forwarded port: allow it through FORWARD and rewrite the destination in PREROUTING.
# Copy this block for each additional port.
iptables -I FORWARD -i $VPN_IF -p udp -d $LAN_IP --dport $PORT -j ACCEPT
iptables -I FORWARD -i $VPN_IF -p tcp -d $LAN_IP --dport $PORT -j ACCEPT
iptables -t nat -I PREROUTING -i $VPN_IF -p tcp --dport $PORT -j DNAT --to-destination $LAN_IP
iptables -t nat -I PREROUTING -i $VPN_IF -p udp --dport $PORT -j DNAT --to-destination $LAN_IP

~Obviously replace the values at the top of the script with the right numbers.

 

8. To check which tun and vlan interfaces you have, telnet to your router, type “ifconfig” and use that information to determine this. The second block of the script can be copied for multiple ports. I have OS X, so I used "Terminal.app", typed "telnet 192.168.1.1", entered the admin user/password and then typed "ifconfig".

 

9. That’s it. Save it and restart your router. Obviously make sure you set up the correct ports on the AirVPN website.

 

10. You can check on your router page under System Log -> Port Forwarding to see the appropriate ports being forwarded. You can also check through the AirVPN website.

 

Hope that helps. Let me know if something is unclear and I will modify it. Thanks and enjoy.
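The steps above as one complete nat-start script. This is an added example written for this page, not the original poster's script and not code from the Merlin project: the client slot number, the interface names (tun11, vlan1, br0), the LAN address 192.168.1.50, the ports 12345/12346 and the optional source address are placeholders to replace with your own values from ifconfig and the AirVPN site. It differs from the script in step 7 in three ways a practitioner usually wants: the inputs are validated before any iptables call, every rule is checked with iptables -C before it is inserted so the script can run as many times as the firmware restarts the firewall without stacking duplicate rules, and it takes several ports and an optional source-address restriction (the same idea as the VSERVER rule in a later reply) from one variable each. That the firmware may run nat-start more than once per boot is an assumption made here, not something the thread states.

```shell
#!/bin/sh
# Added example, not the original poster's script: a parameterised, re-runnable
# /jffs/scripts/nat-start for Asuswrt-Merlin. Interface names, addresses and
# ports below are placeholders; take your own from "ifconfig" and the AirVPN site.

VPN_SLOT=1                    # Merlin VPN client slot N uses interface tun1N
VPN_IF="tun1${VPN_SLOT}"
WAN_IF="vlan1"                # raw WAN interface (placeholder, check ifconfig)
LAN_IF="br0"                  # LAN bridge
LAN_IP="192.168.1.50"         # LAN host that receives the forwarded ports (placeholder)
PORTS="12345 12346"           # ports assigned by AirVPN (placeholders), space separated
ALLOWED_SRC=""                # optional: only forward from this source IP, e.g. "203.0.113.10"
IPT="iptables"

# --- input validation: a typo here would otherwise silently open the wrong thing ---
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# --- rule set, one rule per line: "<table> <chain> <match/target args>" ---
rule_lines() {
    src=""
    [ -n "$ALLOWED_SRC" ] && src="-s $ALLOWED_SRC"
    # Base policy, same shape as the script in step 7, but only reply traffic is
    # let back in from the VPN by default and only NEW connections to the router
    # itself are rejected, so the router's own traffic through the tunnel still works.
    echo "filter FORWARD -i $LAN_IF -o $VPN_IF -j ACCEPT"
    echo "filter FORWARD -i $VPN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "filter FORWARD -i $LAN_IF -o $WAN_IF -j DROP"
    echo "filter INPUT -i $VPN_IF -m state --state NEW -j REJECT"
    echo "nat POSTROUTING -o $VPN_IF -j MASQUERADE"
    # One DNAT plus one FORWARD accept per port and protocol.
    for port in $PORTS; do
        for proto in tcp udp; do
            echo "nat PREROUTING -i $VPN_IF -p $proto $src --dport $port -j DNAT --to-destination $LAN_IP"
            echo "filter FORWARD -i $VPN_IF -o $LAN_IF -p $proto $src -d $LAN_IP --dport $port -j ACCEPT"
        done
    done
}

# add_rule TABLE CHAIN ARGS...: insert only if no identical rule exists (-C), so the
# script can run as often as the firmware restarts the firewall without producing
# duplicate rules. DRY_RUN=1 prints the commands instead of applying them.
add_rule() {
    table=$1; chain=$2; shift 2
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPT -t $table -I $chain $*"
    elif ! "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        "$IPT" -t "$table" -I "$chain" "$@"
    fi
}

apply_rules() {
    valid_ipv4 "$LAN_IP" || { echo "nat-start: bad LAN_IP '$LAN_IP'" >&2; return 1; }
    if [ -n "$ALLOWED_SRC" ] && ! valid_ipv4 "$ALLOWED_SRC"; then
        echo "nat-start: bad ALLOWED_SRC '$ALLOWED_SRC'" >&2; return 1
    fi
    for port in $PORTS; do
        valid_port "$port" || { echo "nat-start: bad port '$port'" >&2; return 1; }
    done
    rule_lines | while read -r table chain rest; do
        add_rule "$table" "$chain" $rest    # unquoted on purpose: split into arguments
    done
}

# Apply only when running as the installed nat-start script; sourcing the file or
# running it under another name just defines the functions (handy with DRY_RUN=1).
case "$0" in
    *nat-start) apply_rules ;;
esac
```

To preview the rules before installing, source the file and call the function with the dry-run flag: `DRY_RUN=1 sh -c '. /jffs/scripts/nat-start; apply_rules'`. After a firewall restart, `iptables -t nat -L PREROUTING -n --line-numbers` should show exactly one DNAT line per port and protocol, however many times the script has run.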


Thank you for this. Port forwarding on my Netgear WNR3500L with Tomato wasn't working until I tried this.



Thank you so much for your post, it's been really helpful.

Just one hint for people like me who are not familiar with Linux and scripts: don't forget to flag the file as executable.


Hello,

 

Thanks for this topic, it works for me.

 

I have another question:

 

Is it possible to set up an INPUT RANGE of IP addresses?

 

Best regards


I tried following your instructions and still can't seem to get airvpn port forwarding working properly.

 

Is there any way I could organise a chat with you rather than communicating with messages on this board?


Hi there - vdidwania, thank you for your first post - super clear on how to create and post a script in /jffs/scripts/nat-start

 

FWIW, I used a different sample script. The main feature I wanted to use (which is not available in the web UI) is to check the source IP address before forwarding the port. The reference I used is here: https://github.com/RMerl/asuswrt-merlin/wiki/Iptables-tips

 

Here's my one-line script that will only accept remote desktop to a PC at 1.4 from a <specific IP address> (substitute with your IP):

#!/bin/sh
# Only allow RDP (TCP 3389) to 192.168.1.4 when the packet comes from ALLOWED_SRC.
# Inserted at position 3 of Merlin's VSERVER nat chain, which holds the port forwards.
ALLOWED_SRC="<specific IP address>"   # substitute your IP
iptables -t nat -I VSERVER 3 -p tcp -m tcp -s "$ALLOWED_SRC" --dport 3389 -j DNAT --to 192.168.1.4

Good luck - zippy114


Thanks for this post! I got it to work thanks to you (and I’m a noob in this area hehe) – but it seems to only work if the device is connected to my Asus router on cable. If I connect the device to the wifi on my Asus router it does not work. Could it be something to do with the port forwarding script setup?


I'm assuming your IP address is different when Wired vs Wireless.  Are you changing the IP address accordingly?


Thank you for this! I am working on an update to my above post and will be sure to incorporate this in there.



Can you clarify which part does not work on Wi-Fi? I am assuming you have DHCP turned on with all devices on the same subnet.

Hi vdidwania,

I guess I was lucky, and for some reason a second router reboot got it to work, as I wrote to Khariz earlier in this thread.

But thanks again anyways :-)

Thx for this guide.

I used the script from 7.

However, now the TCP and UDP entries are displayed "twice" in System Log -> Port Forwarding?!

What could be wrong?

vdidwania,

I have a question about this: when using WinSCP, the connection to my router is refused.

Any idea what might cause this?

 

Thanks 

Syco1us 


You must check port 22. Is a firewall blocking this?


Great post and thank you for the write-up. This script worked for me as well. The only strange thing is that when I go to System Log -> Port Forwarding, it does not display that the ports are being forwarded. Any idea why this is?


I am using the same script and I do see the 2 (udp/tcp) prerouting entries on the System Log -> Port Forwarding page. Did you make sure you have the correct TUN device? The script the OP posted uses tun11 but this differs based on what VPN slot you assign in the Merlin VPN admin page under "Client control" -> "Select client instance". For instance, I have mine under slot #"Client 3" so my TUN device is actually tun13.

 

FYI I am running Merlin firmware version 380.67
