vdidwania Posted ...
Hi everyone, I had some difficulty setting up port forwarding with the Merlin WRT firmware on my ASUS routers and did not find a great guide online, so I figured I would write one up to hopefully help save someone a few hours of pain.

1. Download the Merlin WRT firmware from the website and just upload it as a regular file through the Administration -> Firmware Upgrade page.
2. Once done, go to Administration -> System -> Persistent JFFS partition and make sure to enable both options and restart. This is where the script will go. Restart the router.
3. Download WinSCP to help you upload and edit files on the router. I found this to be the easiest way.
4. Log in to your router with WinSCP:
   - File protocol: SCP
   - Host name: Router IP (eg. 192.168.1.1)
   - User name/Password of your router – Login
5. Use the ".." folder all the way at the top to go all the way back, where you will see the "jffs" partition. Go to jffs -> scripts, then right click and create a new file named "nat-start" without quotations, so /jffs/scripts/nat-start. For whatever reason, the first time I activated the JFFS partition it was read only and did not allow me to create any new files, so I followed the instructions here and used the commands through telnet to mount the partition and then restarted the router.
6. Once the file is created, right click, go to properties and make sure the Owner permission has a check next to "X", making it executable. You can do this through telnet also, using the chmod command.
7. Use the following script to set up port forwarding:

   #!/bin/sh
   iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
   iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
   iptables -I FORWARD -i br0 -o vlan1 -j DROP
   iptables -I INPUT -i tun11 -j REJECT
   iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

   iptables -I FORWARD -i tun11 -p udp -d *IP of device requiring open port* --dport *Port* -j ACCEPT
   iptables -I FORWARD -i tun11 -p tcp -d *IP of device requiring open port* --dport *Port* -j ACCEPT
   iptables -t nat -I PREROUTING -i tun11 -p tcp --dport *Port* -j DNAT --to-destination *IP of device requiring open port*
   iptables -t nat -I PREROUTING -i tun11 -p udp --dport *Port* -j DNAT --to-destination *IP of device requiring open port*

   Obviously replace the stuff between * * with the right numbers and remove the *.
8. To check which tun and vlan you have, telnet to your router, type in "ifconfig" and use this information to determine this. The 2nd paragraph can be copied for multiple ports. I have OSX, so I used "Terminal.app", typed "telnet 192.168.1.1", then typed in my admin/pass, then "ifconfig".
9. That's it. Save it and restart your router. Make sure you obviously set up the correct ports on the AirVPN website.
10. You can check under your router page: System Log -> Port Forwarding to see the appropriate ports being forwarded. You can also check through the AirVPN website.

Hope that helps. Let me know if something is unclear and I will modify it. Thanks and enjoy.
calculus Posted ...
Thank you for this. Port forwarding on my Netgear WNR3500L with Tomato wasn't working until I tried this.
MD45 Posted ...
Thank you so much for your post, it's been really helpful. Just one hint for people like me who are not familiar with Linux and scripts: don't forget to flag the file as executable.
Hades666 Posted ...
Many thanks for this post, a friend and I were looking for this!
jfrcs Posted ...
Hello, thanks for this topic, it works for me. I have another question: is it possible to set up an INPUT RANGE of IP addresses? Best regards
MrOsito Posted ...
I tried following your instructions and still can't seem to get AirVPN port forwarding working properly. Is there any way I could organise a chat with you rather than communicating with messages on this board?
MrOsito Posted ...
The other thing I was unsure about was the script on the following page: https://airvpn.org/topic/9270-how-to-forward-ports-in-dd-wrt-tomato-with-iptables/ is much simpler than the script provided above. What is the difference? What is the br0 interface?
zippy114 Posted ...
Hi there - vdidwania, thank you for your first post - super clear on how to create and post a script in /jffs/scripts/nat-start. FWIW, I used a different sample script - the main feature I wanted to use (which is not available in the web UI) is to check the source IP address before forwarding the port. The reference I used is here: https://github.com/RMerl/asuswrt-merlin/wiki/Iptables-tips

Here's my one line script that will only accept remote desktop to a PC at 1.4 from a <specific IP address> (substitute with your IP):

   #!/bin/sh
   iptables -t nat -I VSERVER 3 -p tcp -m tcp -s <specific IP address> --dport 3389 -j DNAT --to 192.168.1.4

Good luck - zippy114
vprivaten Posted ...
Thanks for this post! I got it to work thanks to you (and I'm a noob in this area hehe) – but it seems to only work if the device is connected to my Asus router on cable. If I connect the device to the wifi on my Asus router it does not work. Could it be something to do with the port forwarding script setup?
Khariz Posted ...
I'm assuming your IP address is different when Wired vs Wireless. Are you changing the IP address accordingly?
vprivaten Posted ...
Hi Khariz, thanks for your suggestion - but it started to work after I rebooted my router a second time :-)
vdidwania Posted ...
Thank you for this! I am working on an update to my above post and will be sure to incorporate this in there.
vdidwania Posted ...
Can you clarify which part does not work on Wifi? I am assuming you have DHCP turned on, with all devices on the same subnet.
vprivaten Posted ...
Hi vdidwania, I guess I was lucky - for some reason a second router reboot got it to work, as I wrote to Khariz earlier in this thread. But thanks again anyway :-)
Sevenz Posted ...
Old guide, but still working. Thanks for writing this.
Stevieoo Posted ...
Thx for this guide. I used the script from 7. However, now the entries TCP and UDP are displayed "twice" in System Log -> Port Forwarding?! What could be wrong?
Syco1us Posted ...
vdidwania, I have a question about this: when using WinSCP the connection to my router is refused? Any idea of what might cause this? Thanks, Syco1us
Stevieoo Posted ...
You must check port 22 - is the firewall blocking this?
Syco1us Posted ...
I cannot get the firewall to allow port 22, do I have to just shut down the FW?
machina0 Posted ...
Great post and thank you for the write up. This script worked for me as well. The only strange thing is that when I go to System Log -> Port Forwarding, it does not display that the ports are being forwarded. Any idea why this is?
freeb1rd Posted ...
I am using the same script and I do see the 2 (udp/tcp) prerouting entries on the System Log -> Port Forwarding page. Did you make sure you have the correct TUN device? The script the OP posted uses tun11, but this differs based on what VPN slot you assign in the Merlin VPN admin page under "Client control" -> "Select client instance". For instance, I have mine under slot "Client 3", so my TUN device is actually tun13. FYI I am running Merlin firmware version 380.67.
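Pulling the thread together (vdidwania's step 7 script, zippy114's source-address restriction and freeb1rd's tun1N note), here is an added example nat-start; it is not the original poster's script, nor AirVPN or Merlin code. It assumes br0 as the LAN bridge, vlan1 as the WAN, tun1N for VPN client slot N, an iptables that supports -C, and constructed sample ports and addresses; rules are inserted only when not already loaded, so a second run of nat-start does not stack the duplicate Port Forwarding entries Stevieoo saw, and traffic from the tunnel into the LAN is limited to established flows plus the forwarded ports instead of being accepted wholesale.

```shell
#!/bin/sh
# /jffs/scripts/nat-start -- added example; not the original poster's script
# nor AirVPN/Merlin code. Assumed layout (verify with "ifconfig" on the
# router): LAN bridge br0, WAN vlan1, VPN client slot N -> tun1N.
LAN_IF="${LAN_IF:-br0}"
WAN_IF="${WAN_IF:-vlan1}"
VPN_SLOT="${VPN_SLOT:-1}"
# One "proto port lan-ip [allowed-source]" per line; constructed sample values.
FORWARDS="
tcp 54321 192.168.1.50
udp 54321 192.168.1.50
tcp 3389 192.168.1.4 203.0.113.7
"
DRY_RUN="${DRY_RUN:-}"
command -v iptables >/dev/null 2>&1 || DRY_RUN=1   # no iptables here: print only
vpn_iface() { echo "tun1$1"; }   # Merlin client slot N is interface tun1N

# Insert a rule only if an identical one is not already loaded (iptables -C,
# assumed available), so firing nat-start twice does not stack duplicates.
add_rule() {
    table="$1"; shift
    if [ -n "$DRY_RUN" ]; then echo "iptables -t $table -I $*"; return 0; fi
    iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -I "$@"
}

# DNAT one tunnel port to a LAN host, optionally from one source only; the
# matching FORWARD rule admits exactly that flow rather than the whole tunnel.
forward_port() {
    proto="$1"; port="$2"; dest="$3"; src="${4:-0.0.0.0/0}"
    vif=$(vpn_iface "$VPN_SLOT")
    add_rule nat PREROUTING -i "$vif" -p "$proto" -s "$src" --dport "$port" \
        -j DNAT --to-destination "$dest"
    add_rule filter FORWARD -i "$vif" -o "$LAN_IF" -p "$proto" -s "$src" \
        -d "$dest" --dport "$port" -j ACCEPT
}
apply_rules() {
    vif=$(vpn_iface "$VPN_SLOT")
    add_rule filter FORWARD -i "$LAN_IF" -o "$WAN_IF" -j DROP   # LAN never bypasses the VPN
    add_rule filter INPUT -i "$vif" -j REJECT                   # router itself unreachable via tunnel
    add_rule nat POSTROUTING -o "$vif" -j MASQUERADE
    add_rule filter FORWARD -i "$LAN_IF" -o "$vif" -j ACCEPT
    add_rule filter FORWARD -i "$vif" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    echo "$FORWARDS" | while read -r proto port dest src; do
        if [ -n "$proto" ]; then forward_port "$proto" "$port" "$dest" $src; fi
    done
}
# Run by the firmware as /jffs/scripts/nat-start; elsewhere only in dry-run mode.
if [ "${0##*/}" = "nat-start" ] || [ -n "$DRY_RUN" ]; then apply_rules; fi
```

Set DRY_RUN=1 to print the rules instead of applying them, which is a quick way to confirm the tun1N interface and ports before saving the file on the router.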