KennethVPN 2 Posted ...
New Router: ASUS RT-AC68U. Firmware: 376.47 (Merlin Build)
DYN service: Host my Domain name, running a utility to track IP changes
AC68U to AirVPN tunnel setup, working fine ..
AirVPN Port Forward: for 192.168.1.130 - a local port mapped to 103.10.197.187 (public), forward to 10.4.21.250 (internal)
Local IP Address: 192.168.1.130 is manually assigned to my website (host on my Macmini server)
Router to AirVPN tunnel setup completed, working fine .. i.e. MacPro, or iPhones are all able to access internet services, remote into MacMini and web services is up and running ..
Problem: Unable to access my website, internally or externally (via any browser) after starting AirVPN service
Help: How to trouble-shoot or test website access. Test to run, etc.. I am a newbie, any assistance is greatly appreciated. Thank you. Kenneth
OpenSourcerer 1435 Posted ...
The important thing is the ports: You forward a remote port (let's say it's 12345) to a local port, in this case it's 80 I believe. You access your website by connecting to the remote port, which is 12345. example.org:12345. Or 12.34.56.78:12345. Savvy? <3
go558a83nk 362 Posted ...
What are your iptables for port forwarding?
KennethVPN 2 Posted ...
AirVPN Port Forward: for 192.168.1.130 - a local port mapped to 103.10.197.187 (public), forward to 10.4.21.250 (internal)
Local IP Address: 192.168.1.130 is manually assigned to my website (host on my Macmini server)
Below is my iptables for port forwarding:

#!/bin/sh
iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan1 -j DROP
iptables -I INPUT -i tun11 -j REJECT
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE
# forwarded port 18378 -> web host 192.168.1.130
iptables -I FORWARD -i tun11 -p udp -d 192.168.1.130 --dport 18378 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.130 --dport 18378 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 18378 -j DNAT --to-destination 192.168.1.130
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 18378 -j DNAT --to-destination 192.168.1.130
# forwarded port 37649 -> 192.168.1.132
iptables -I FORWARD -i tun11 -p udp -d 192.168.1.132 --dport 37649 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.132 --dport 37649 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 37649 -j DNAT --to-destination 192.168.1.132
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 37649 -j DNAT --to-destination 192.168.1.132
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

Thanks!
zhang888 1066 Posted ...
Your iptables rules are wrong, the cleanup rule should be your last rule, otherwise traffic matching your below rules will be dropped since it matches an above rule. Try this:

#!/bin/sh
iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan1 -j DROP
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE
# forwarded port 18378 -> web host 192.168.1.130
iptables -I FORWARD -i tun11 -p udp -d 192.168.1.130 --dport 18378 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.130 --dport 18378 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 18378 -j DNAT --to-destination 192.168.1.130
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 18378 -j DNAT --to-destination 192.168.1.130
# forwarded port 37649 -> 192.168.1.132
iptables -I FORWARD -i tun11 -p udp -d 192.168.1.132 --dport 37649 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.132 --dport 37649 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 37649 -j DNAT --to-destination 192.168.1.132
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 37649 -j DNAT --to-destination 192.168.1.132
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
# cleanup rule: appended last, so it is evaluated after all the accepts above
iptables -A INPUT -i tun11 -j DROP

Generally, you will always want to append all cleanup (drop/reject) rules at the end of the table with -A, so there will be no way of interference with other previous rules or by other scripts that insert rules dynamically.
go558a83nk 362 Posted ...
If you're using Merlin asus the openvpn client has an automatic firewall setting already. So, all you need to input are the port forwarding rules, none of the firewall rules. There was another user having a similar problem with port forwarding not working until he/she stopped adding the extra firewall rules.
KennethVPN 2 Posted ...
zhang888 - Thanks for your suggestion on the iptables rules.
go558a83nk - I don't know much about iptables. Removing firewall rules, here are the revisions:

iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan1 -j DROP
iptables -I FORWARD -i tun11 -p udp -d 192.168.1.130 --dport 18378 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.130 --dport 18378 -j ACCEPT
iptables -I FORWARD -i tun11 -p udp -d 192.168.1.132 --dport 37649 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.132 --dport 37649 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A INPUT -i tun11 -j DROP

Please comment..
zhang888 1066 Posted ...
Comment on what? The rules are fine and the traffic should reach your end destination. There is a device in your way that sends packets with RST/ACK (RA) flags to that port - so that means that port forwarding is working, but either your router or your LAN machine still have some sort of a firewall running. When you set the REJECT iptables rule, instead of a DROP one, this will be the behaviour.

HPING 103.254.153.99 (eth0 103.254.153.99): S set, 40 headers + 0 data bytes
len=40 ip=103.254.153.99 ttl=51 id=12765 tos=0 iplen=40 sport=18378 flags=RA seq=0 win=0 rtt=499.0 ms
seq=0 ack=1795427004 sum=4651 urp=0
len=40 ip=103.254.153.99 ttl=51 id=22707 tos=0 iplen=40 sport=18378 flags=RA seq=1 win=0 rtt=472.1 ms
seq=0 ack=663636341 sum=256 urp=0
len=40 ip=103.254.153.99 ttl=51 id=10232 tos=0 iplen=40 sport=18378 flags=RA seq=2 win=0 rtt=467.9 ms
seq=0 ack=298586357 sum=43a4 urp=0

Once you fix this, the response should be SYN/ACK (SA) and the port will be considered open. You can check it in the port forwarding test page as well.
go558a83nk 362 Posted ...
The prerouting lines needed are missing. https://airvpn.org/topic/9270-how-to-forward-ports-in-dd-wrt-tomato-with-iptables/?hl=%2Bport+%2Bforward+%2Btomato that is the pattern you need to use, changing things to suit your machine and setup. Make sure you have the tun device number set correct, etc.

The lines

iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan1 -j DROP

are probably not needed if you're using the automatic firewall setting in the openvpn client of Merlin Asus. They might be a hindrance so test with and without them once you get the actual port forwarding rules correct.
KennethVPN 2 Posted ...
Thanks guys! I think my iptables rules and port forwarding are working now. I am still unable to resolve the issue with accessing my host website both internal or external. On the Macmini server (host) and any other devices at home, I received the following: "Problem loading page" and "unable to connect" message. When I attempt to ping the website URL, it displayed the IP: 103.254.153.99 and no time out. It pinged good. My local website IP is 192.168.130...? Maybe some router settings and/or firewall but still do not know where to look ,,,
go558a83nk 362 Posted ...
> Thanks guys! I think my iptables rules and port forwarding are working now. I am still unable to resolve the issue with accessing my host website both internal or external. On the Macmini server (host) and any other devices at home, I received the following: "Problem loading page" and "unable to connect" message. When I attempt to ping the website URL, it displayed the IP: 103.254.153.99 and no time out. It pinged good. My local website IP is 192.168.130...? Maybe some router settings and/or firewall but still do not know where to look ,,,

Look in your router settings for the NAT loopback option and change that to see if you can get things working better. You should have a Merlin and an Asus option. If the port checker that AirVPN has built into your port forwarding page (this web site) has a green light then you should be good to go.
KennethVPN 2 Posted ...
There is no NAT loopback option, either a Merlin or Asus one. On my router, there are only two references to NAT:
1) Open VPN Client, Create NAT on tunnel: Yes or No
2) WAN, Internet Connection, Enable NAT: Yes or No
Either Yes or No does not work. When I ran the port checker, I received: "Checking port 18378 for internal IP 10.4.31.100 completed." No green light yet ...
go558a83nk 362 Posted ...
> There is no NAT loopback option, either a Merlin or Asus one. On my router, there are only two references to NAT:
> 1) Open VPN Client, Create NAT on tunnel: Yes or No
> 2) WAN, Internet Connection, Enable NAT: Yes or No
> Either Yes or No does not work. When I ran the port checker, I received: "Checking port 18378 for internal IP 10.4.31.100 completed." No green light yet ...

Check for NAT loopback in the firewall section? http://www.snbforums.com/threads/asus-nat-loopback-and-merlin-nat-loopback-differences.33310/ Anyway, if you don't get a green light and your server is actually running you still have port forwarding problems. Believe me, I did port forwarding running an openvpn client on an Asus router for years with the iptables linked a few posts above.
KennethVPN 2 Posted ...
I have a different Merlin build, 376.47. Let me update to the latest version ...
zhang888 1066 Posted ...
As already explained, you should make sure that your destination machine does not filter packets on that port, and that your application is listening. The test you can try will look something like:

hping3 103.254.153.99 -S -V -p 18378

result:

len=40 ip=103.254.153.99 ttl=51 id=15183 tos=0 iplen=40
sport=18378 flags=RA seq=0 win=0 rtt=473.7 ms
seq=0 ack=1551268129 sum=91f1 urp=0

Notice the RST/ACK reply sent back to the first SYN from the source. This means port forwarding works fine from the Air server you are currently connected to, and either your router or end machine are rejecting those packets - because of either a rule or no listening application on that port.
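zhang888's hping3 reading (RST/ACK means the forward delivers packets but the LAN host or a REJECT rule turns them away; no reply means something drops them) can be turned into a repeatable check. The script below is an added example, not from the thread or from AirVPN: it uses a plain TCP connect, so it must be run from a machine outside the VPN against the public address and forwarded port (the thread tests 103.254.153.99:18378); demo() reproduces the "open" and "refused" outcomes on loopback so the logic can be exercised without a tunnel.

```python
import socket

def check_forwarded_port(host, port, timeout=3.0):
    """Connect to host:port from the outside and report what answered.
    'open'        SYN/ACK came back: the forward works and the web server is listening.
    'refused'     RST/ACK came back (the flags=RA lines in the hping3 output above):
                  packets reach the end of the forward, but the LAN host or a REJECT
                  rule on the router turns them away.
    'filtered'    nothing came back within the timeout: a DROP rule or a missing
                  PREROUTING/FORWARD rule is eating the packets somewhere.
    'unreachable' no route to the address at all.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        sock.close()

# What each outcome means for the next troubleshooting step, following the thread's advice.
NEXT_STEP = {
    "open": "forward and listener are fine; look at the web server or DNS side",
    "refused": "forward delivers packets; check the LAN host firewall, that the service is "
               "bound on that port, and any REJECT rule on the tun interface",
    "filtered": "check the PREROUTING DNAT and FORWARD ACCEPT rules for this port and the tun device number",
    "unreachable": "no route to the address; check the tunnel and the address being tested",
}

def open_listener():
    """Stand-in for the web server: a TCP listener on an ephemeral loopback port (constructed)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

def demo():
    """Run the two locally observable cases: listener up, then listener gone."""
    srv, port = open_listener()
    while_listening = check_forwarded_port("127.0.0.1", port)
    srv.close()
    after_close = check_forwarded_port("127.0.0.1", port)  # kernel answers RST, like the RA replies
    return while_listening, after_close

if __name__ == "__main__":
    for result in demo():
        print(result, "->", NEXT_STEP[result])
```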
KennethVPN 2 Posted ...
I am on the latest firmware now, 380.62_1. My NAT Loopback (in the firewall section) is set to Merlin. System Log-Port Forwarding are as follows:

Destination  Proto  Port range  Redirect to    Local Port  Chain
ALL          UDP    60311       192.168.1.132  60311       PREROUTING
ALL          TCP    60311       192.168.1.132  60311       PREROUTING
ALL          UDP    43968       192.168.1.130  43968       PREROUTING
ALL          TCP    43968       192.168.1.130  43968       PREROUTING

When I port checked on AirVPN site again, there is still no green light. There must be some router settings, perhaps in Administration, System, Web Interface or in Firewall-General tab that need specific settings. What are the correct settings...?
go558a83nk 362 Posted ...
> I am on the latest firmware now, 380.62_1. My NAT Loopback (in the firewall section) is set to Merlin. System Log-Port Forwarding are as follows:
>
> Destination  Proto  Port range  Redirect to    Local Port  Chain
> ALL          UDP    60311       192.168.1.132  60311       PREROUTING
> ALL          TCP    60311       192.168.1.132  60311       PREROUTING
> ALL          UDP    43968       192.168.1.130  43968       PREROUTING
> ALL          TCP    43968       192.168.1.130  43968       PREROUTING
>
> When I port checked on AirVPN site again, there is still no green light. There must be some router settings, perhaps in Administration, System, Web Interface or in Firewall-General tab that need specific settings. What are the correct settings...?

Nope, there are no settings that need changed. Put in the correct iptables and it works. If you're still putting in the extraneous rules that's probably the problem. All you need is this pattern, changing things like the TUN device, the port, the LAN device IP to suit your setup.

# forwarded port 18378 -> 192.168.1.130
iptables -I FORWARD -i tun11 -p udp -d 192.168.1.130 --dport 18378 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.130 --dport 18378 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 18378 -j DNAT --to-destination 192.168.1.130
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 18378 -j DNAT --to-destination 192.168.1.130

# forwarded port 37649 -> 192.168.1.132
iptables -I FORWARD -i tun11 -p udp -d 192.168.1.132 --dport 37649 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.132 --dport 37649 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 37649 -j DNAT --to-destination 192.168.1.132
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 37649 -j DNAT --to-destination 192.168.1.132
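Two things go wrong repeatedly in this thread: a DNAT rule whose target host, port or protocol has no matching FORWARD ACCEPT (go558a83nk's pattern needs both halves for every port), and a catch-all DROP/REJECT inserted with -I ahead of the accepts (zhang888's ordering point). The linter below is an added example, not the project's or any poster's code; it parses a nat-start script the way a reader of this thread would write one and flags both mistakes. The sample script is constructed and deliberately contains a one-character address typo (192.168.1.32 vs 192.168.1.132) and a REJECT inserted at the head of INPUT.

```python
import shlex

# Constructed sample in the shape of the nat-start scripts in this thread; it deliberately
# carries two mistakes: a DNAT target (192.168.1.32) that does not match its FORWARD ACCEPT
# rule (192.168.1.132), and a catch-all REJECT inserted at the head of INPUT with -I.
SAMPLE_NAT_START = """#!/bin/sh
iptables -I INPUT -i tun11 -j REJECT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.130 --dport 18378 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 18378 -j DNAT --to-destination 192.168.1.130
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.132 --dport 37649 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 37649 -j DNAT --to-destination 192.168.1.32
"""

# iptables options this linter cares about, mapped to the key they are stored under
OPTIONS = {"-t": "table", "-I": "chain", "-A": "chain", "-i": "in", "-p": "proto",
           "-d": "dst", "--dport": "dport", "-j": "target", "--to-destination": "to"}

def parse_rule(line):
    """Parse one iptables command into a dict; returns None for non-iptables lines."""
    argv = shlex.split(line, comments=True)
    if not argv or argv[0] != "iptables":
        return None
    rule = {"table": "filter", "inserted": False}
    for flag, value in zip(argv[1:], argv[2:]):
        if flag in OPTIONS:
            rule[OPTIONS[flag]] = value
        if flag == "-I":
            rule["inserted"] = True
    return rule

def lint_nat_start(script):
    """Return a list of findings for a nat-start script (empty list means nothing flagged)."""
    rules = [r for r in map(parse_rule, script.splitlines()) if r]
    # (proto, LAN host, port) triples that the FORWARD chain explicitly accepts
    accepted = {(r.get("proto"), r.get("dst"), r.get("dport")) for r in rules
                if r["table"] == "filter" and r.get("chain") == "FORWARD" and r.get("target") == "ACCEPT"}
    findings = []
    for r in rules:
        if r.get("target") == "DNAT":
            if (r.get("proto"), r.get("to"), r.get("dport")) not in accepted:
                findings.append(f"DNAT {r['proto']}/{r['dport']} -> {r['to']} has no matching FORWARD ACCEPT rule")
        elif r.get("target") in ("DROP", "REJECT") and r["inserted"] and r.get("chain") == "INPUT":
            findings.append(f"catch-all {r['target']} on {r.get('in')} inserted with -I; append it with -A so it runs last")
    return findings

if __name__ == "__main__":
    for finding in lint_nat_start(SAMPLE_NAT_START):
        print(finding)
```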
KennethVPN 2 Posted ...
> I am on the latest firmware now, 380.62_1. My NAT Loopback (in the firewall section) is set to Merlin. System Log-Port Forwarding are as follows:
>
> Destination  Proto  Port range  Redirect to    Local Port  Chain
> ALL          UDP    60311       192.168.1.132  60311       PREROUTING
> ALL          TCP    60311       192.168.1.132  60311       PREROUTING
> ALL          UDP    43968       192.168.1.130  43968       PREROUTING
> ALL          TCP    43968       192.168.1.130  43968       PREROUTING
>
> When I port checked on AirVPN site again, there is still no green light. There must be some router settings, perhaps in Administration, System, Web Interface or in Firewall-General tab that need specific settings. What are the correct settings...?

> Nope, there are no settings that need changed. Put in the correct iptables and it works. If you're still putting in the extraneous rules that's probably the problem. All you need is this pattern, changing things like the TUN device, the port, the LAN device IP to suit your setup.
>
> iptables -I FORWARD -i tun11 -p udp -d 192.168.1.130 --dport 18378 -j ACCEPT
> iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.130 --dport 18378 -j ACCEPT
> iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 18378 -j DNAT --to-destination 192.168.1.130
> iptables -t nat -I PREROUTING -i tun11 -p udp --dport 18378 -j DNAT --to-destination 192.168.1.130
>
> iptables -I FORWARD -i tun11 -p udp -d 192.168.1.132 --dport 37649 -j ACCEPT
> iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.132 --dport 37649 -j ACCEPT
> iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 37649 -j DNAT --to-destination 192.168.1.132
> iptables -t nat -I PREROUTING -i tun11 -p udp --dport 37649 -j DNAT --to-destination 192.168.1.132

That is what I have in my nat-start file. Firewall is disabled on my web server. Internally, my website loads fine.. My router is running behind the AirVPN. I need to know the LAN and WAN settings so it will not interfere with port forwarding... Interestingly, my Dlink webcam was able to secure a port automatically... I can access it anywhere ...
KennethVPN 2 Posted ...
I finally got it working... Thank you go558a83nk, zhang888 and giganerd for all your help and assistance !!