New router: ASUS RT-AC68U. Firmware: 376.47 (Merlin build)

DYN service: hosts my domain name, running a utility to track IP changes

AC68U to AirVPN tunnel setup, working fine.

AirVPN port forward: for 192.168.1.130 - a local port mapped to 103.10.197.187 (public), forwarded to 10.4.21.250 (internal)

Local IP address: 192.168.1.130 is manually assigned to my website (hosted on my Mac mini server)

Router to AirVPN tunnel setup completed, working fine, i.e. the Mac Pro and iPhones are all able to access internet services.

Remote into the Mac mini and web services are up and running.

Problem: unable to access my website, internally or externally (via any browser), after starting the AirVPN service.

Help: how to troubleshoot or test website access? Tests to run, etc.

I am a newbie; any assistance is greatly appreciated.

Thank you.

Kenneth
The important things are the ports: you forward a remote port (let's say it's 12345) to a local port, in this case 80 I believe. You access your website by connecting to the remote port, which is 12345: example.org:12345, or 12.34.56.78:12345. Savvy? <3


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.


Below are my iptables rules for port forwarding:

 

#!/bin/sh

# LAN (br0) <-> VPN tunnel (tun11) forwarding; LAN -> WAN (vlan1) is dropped so nothing bypasses the tunnel
iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan1 -j DROP
iptables -I INPUT -i tun11 -j REJECT
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

# 192.168.1.130 (web server): AirVPN port 18378, TCP and UDP
iptables -I FORWARD -i tun11 -p udp -d 192.168.1.130 --dport 18378 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.130 --dport 18378 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 18378 -j DNAT --to-destination 192.168.1.130
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 18378 -j DNAT --to-destination 192.168.1.130

# 192.168.1.132: AirVPN port 37649, TCP and UDP (DNAT target must be the same host as in the FORWARD rules)
iptables -I FORWARD -i tun11 -p udp -d 192.168.1.132 --dport 37649 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.132 --dport 37649 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 37649 -j DNAT --to-destination 192.168.1.132
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 37649 -j DNAT --to-destination 192.168.1.132

iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

 

Thanks!


Your iptables rules are wrong: the cleanup rule should be your last rule, otherwise traffic that would match the rules below it is dropped because it already matched the rule above.

 

Try this:

 

#!/bin/sh

iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan1 -j DROP
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

# 192.168.1.130: AirVPN port 18378, TCP and UDP
iptables -I FORWARD -i tun11 -p udp -d 192.168.1.130 --dport 18378 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.130 --dport 18378 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 18378 -j DNAT --to-destination 192.168.1.130
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 18378 -j DNAT --to-destination 192.168.1.130

# 192.168.1.132: AirVPN port 37649, TCP and UDP (DNAT target must be the same host as in the FORWARD rules)
iptables -I FORWARD -i tun11 -p udp -d 192.168.1.132 --dport 37649 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.132 --dport 37649 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 37649 -j DNAT --to-destination 192.168.1.132
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 37649 -j DNAT --to-destination 192.168.1.132

iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
# cleanup rule appended last, so the ACCEPT rules above are evaluated before it
iptables -A INPUT -i tun11 -j DROP

 

Generally, you will always want to append all cleanup (drop/reject) rules at the end of the table with -A, so there is no way they can interfere with previous rules or with other scripts that insert rules dynamically.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

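The ordering point above is easy to get wrong because `-I` inserts at the top of a chain while `-A` appends at the bottom, and iptables stops at the first matching rule. The following Python model is an added illustration, not code from the thread or from AirVPN: it replays the two INPUT-chain orderings posted above (REJECT inserted first versus DROP appended last) and also shows what happens when two `-I` DNAT rules for the same port are added to PREROUTING. The `Packet`, `Rule` and `Chain` classes are this example's own simplification; it only models the `-i`, `-p` and `--dport` matches used in the thread, not the full netfilter pipeline.

```python
# Added example (not from the thread): a minimal model of how iptables walks a
# chain, to show why rule order matters and what -I (insert at position 1) vs
# -A (append) do. Interface and port names mirror the rules posted above; the
# Packet/Rule/Chain classes are this example's own, not an iptables API.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str            # interface the packet arrived on, e.g. "tun11"
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    target: str                      # ACCEPT, DROP, REJECT or "DNAT <ip>"
    in_iface: Optional[str] = None   # -i
    proto: Optional[str] = None      # -p
    dport: Optional[int] = None      # --dport

    def matches(self, p: Packet) -> bool:
        # Every match field that is set must agree; unset fields match anything.
        return all(want is None or want == got for want, got in (
            (self.in_iface, p.in_iface), (self.proto, p.proto), (self.dport, p.dport)))


class Chain:
    def __init__(self, policy: str = "ACCEPT") -> None:
        self.rules: List[Rule] = []
        self.policy = policy         # verdict when no rule matches

    def insert(self, rule: Rule) -> None:   # iptables -I CHAIN ... (goes to the top)
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:   # iptables -A CHAIN ... (goes to the bottom)
        self.rules.append(rule)

    def verdict(self, p: Packet) -> str:
        for rule in self.rules:              # first match wins; later rules are never consulted
            if rule.matches(p):
                return rule.target
        return self.policy


def input_chain_reject_first() -> Chain:
    """The posted script: -I INPUT -i tun11 -j REJECT, then -A INPUT -p icmp -j ACCEPT."""
    c = Chain()
    c.insert(Rule("REJECT", in_iface="tun11"))
    c.append(Rule("ACCEPT", proto="icmp"))
    return c


def input_chain_drop_last() -> Chain:
    """The corrected ordering: ICMP accept first, cleanup DROP appended last."""
    c = Chain()
    c.append(Rule("ACCEPT", proto="icmp"))
    c.append(Rule("DROP", in_iface="tun11"))
    return c


def prerouting_two_inserts() -> Chain:
    """Two DNAT rules for the same port, both added with -I: the one added last sits first."""
    c = Chain(policy="no DNAT")
    c.insert(Rule("DNAT 192.168.1.130", in_iface="tun11", proto="tcp", dport=18378))
    c.insert(Rule("DNAT 192.168.1.132", in_iface="tun11", proto="tcp", dport=18378))
    return c


if __name__ == "__main__":
    ping = Packet("tun11", "icmp")
    print("REJECT first  :", input_chain_reject_first().verdict(ping))   # REJECT
    print("DROP last     :", input_chain_drop_last().verdict(ping))      # ACCEPT
    syn = Packet("tun11", "tcp", 18378)
    print("duplicate DNAT:", prerouting_two_inserts().verdict(syn))      # DNAT 192.168.1.132
```

The third function is the reason to check `iptables -t nat -L PREROUTING -n --line-numbers` after every script change on the router: with `-I`, the rule you added most recently is the one that wins for a given port, whatever order the lines appear in the script.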

If you're using Merlin Asus, the OpenVPN client already has an automatic firewall setting. So all you need to input are the port forwarding rules, none of the firewall rules.

There was another user having a similar problem with port forwarding not working until he/she stopped adding the extra firewall rules.


zhang888 - Thanks for your suggestion on the iptables rules.

go558a83nk - I don't know much about iptables. Removing the firewall rules, here are the revisions:

 

iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan1 -j DROP

 

iptables -I FORWARD -i tun11 -p udp -d 192.168.1.130 --dport 18378 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.130 --dport 18378 -j ACCEPT
iptables -I FORWARD -i tun11 -p udp -d 192.168.1.132 --dport 37649 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.132 --dport 37649 -j ACCEPT

iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A INPUT -i tun11 -j DROP

 

Please comment..


Comment on what? The rules are fine and the traffic should reach your end destination.

There is a device in your way that sends packets back with the RST/ACK (RA) flags set on that port, so port forwarding is working, but either your router or your LAN machine still has some sort of firewall running.

When you set a REJECT iptables rule instead of a DROP one, this is the behaviour you get.

 

HPING 103.254.153.99 (eth0 103.254.153.99): S set, 40 headers + 0 data bytes
len=40 ip=103.254.153.99 ttl=51 id=12765 tos=0 iplen=40
sport=18378 flags=RA seq=0 win=0 rtt=499.0 ms
seq=0 ack=1795427004 sum=4651 urp=0

len=40 ip=103.254.153.99 ttl=51 id=22707 tos=0 iplen=40
sport=18378 flags=RA seq=1 win=0 rtt=472.1 ms
seq=0 ack=663636341 sum=256 urp=0

len=40 ip=103.254.153.99 ttl=51 id=10232 tos=0 iplen=40
sport=18378 flags=RA seq=2 win=0 rtt=467.9 ms
seq=0 ack=298586357 sum=43a4 urp=0

 

Once you fix this, the response should be SYN/ACK (SA) and the port will be considered open.

You can check it in the port forwarding test page as well.



The PREROUTING lines needed are missing.

https://airvpn.org/topic/9270-how-to-forward-ports-in-dd-wrt-tomato-with-iptables/?hl=%2Bport+%2Bforward+%2Btomato

That is the pattern you need to use, changing things to suit your machine and setup.

Make sure you have the tun device number set correctly, etc.

The lines

iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan1 -j DROP

are probably not needed if you're using the automatic firewall setting in the OpenVPN client of Merlin Asus. They might be a hindrance, so test with and without them once you get the actual port forwarding rules correct.


Thanks guys! I think my iptables rules and port forwarding are working now. I am still unable to resolve the issue with accessing my hosted website, both internally and externally. On the Mac mini server (host) and any other device at home, I receive the following: "Problem loading page" and "Unable to connect" messages.

When I ping the website URL, it displays the IP 103.254.153.99 with no timeout; the ping is good. My local website IP is 192.168.130...? Maybe some router settings and/or firewall, but I still do not know where to look...


Look in your router settings for the NAT loopback option and change that to see if you can get things working better. You should have a Merlin and an Asus option.

If the port checker that AirVPN has built into your port forwarding page (on this website) shows a green light, then you should be good to go.


There are no NAT loopback options, either Merlin or Asus. On my router, there are only two references to NAT:

1) OpenVPN Client, Create NAT on tunnel: Yes or No

2) WAN, Internet Connection, Enable NAT: Yes or No

Either Yes or No does not work.

When I use the port checker, I receive: "Checking port 18378 for internal IP 10.4.31.100 completed." No green light yet...


Check for NAT loopback in the firewall section? http://www.snbforums.com/threads/asus-nat-loopback-and-merlin-nat-loopback-differences.33310/

Anyway, if you don't get a green light and your server is actually running, you still have port forwarding problems.

Believe me, I did port forwarding running an OpenVPN client on an Asus router for years with the iptables rules linked a few posts above.


As already explained, you should make sure that your destination machine does not filter packets on that port, and that your application is listening.

 

The test you can try looks something like:

hping3 103.254.153.99 -S -V -p 18378

Result:

len=40 ip=103.254.153.99 ttl=51 id=15183 tos=0 iplen=40
sport=18378 flags=RA seq=0 win=0 rtt=473.7 ms
seq=0 ack=1551268129 sum=91f1 urp=0

 

Notice the RST/ACK reply sent back to the first SYN from the source. This means port forwarding works fine from the Air server you are currently connected to, and either your router or the end machine is rejecting those packets, because of either a rule or no listening application on that port.


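The three outcomes zhang888 is distinguishing with hping3 (SYN/ACK, RST/ACK, or silence) are exactly what a plain TCP connect reports, so they can be checked from any machine without raw-socket privileges. The script below is an added example, not code from the thread or from AirVPN: `probe()` classifies a port as open, refused or filtered, and `diagnose()` turns a LAN-side result and a public-side result into the next thing to check, including the NAT loopback case raised earlier in the thread. `demo()` runs it against a constructed local scenario (one listening and one closed port on 127.0.0.1) so it works offline; to test the real forward you would call `probe()` with the VPN exit IP and the forwarded port from outside the LAN, and with the LAN IP and the service's own port from inside. One check worth making along the way, following LZ1's point about remote versus local ports: a DNAT written as `--to-destination 192.168.1.130` keeps the remote port, so remote port 43968 arrives at 192.168.1.130:43968; if the web server listens on 80, the rule needs `--to-destination 192.168.1.130:80`, otherwise the host answers RST, which is the "refused" case below.

```python
# Added example (not from the thread): a TCP reachability probe that classifies
# a forwarded port the way the hping3 output above is read, plus a helper that
# turns a LAN-side and a public-side result into a next step. The wording in
# diagnose() and the local ports used by demo() are this example's own.
import socket


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Return "open" (SYN/ACK), "refused" (RST/ACK) or "filtered" (no reply)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"            # SYN/ACK came back: forward works and something listens
    except ConnectionRefusedError:
        return "refused"         # RST/ACK: a host answered, but nothing listens on that port
    except (socket.timeout, TimeoutError):
        return "filtered"        # silence: DROP rule, missing DNAT, or wrong tun device
    except OSError as exc:       # network unreachable and similar local errors
        return "error:%s" % exc.errno
    finally:
        s.close()


def diagnose(lan_result: str, public_result: str, probing_from_lan: bool) -> str:
    """Map (LAN IP:service port result, VPN exit IP:forwarded port result) to a next step."""
    if lan_result != "open":
        return "service is not listening on the LAN address; fix the server before touching iptables"
    if public_result == "open":
        return "port forward works"
    if public_result == "refused":
        return ("forwarded packets reach a host that answers RST: check that the DNAT target "
                "and local port match the listening service, and that no REJECT rule is ahead")
    if probing_from_lan:
        return ("LAN works but the public address gives no answer from inside the LAN: "
                "usually NAT loopback; retest from outside the LAN")
    return "no answer from outside: DNAT/FORWARD rules not applied, or a DROP rule on the way"


def demo() -> dict:
    """Constructed local scenario: one listening port and one closed port on 127.0.0.1."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    closed = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    closed.bind(("127.0.0.1", 0))
    closed_port = closed.getsockname()[1]
    closed.close()                      # nothing listens here now: the kernel answers RST

    try:
        results = {
            "listening": probe("127.0.0.1", open_port),
            "closed": probe("127.0.0.1", closed_port),
        }
    finally:
        listener.close()
    results["verdict"] = diagnose(results["listening"], results["closed"], probing_from_lan=False)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>10}: {value}")
```

A "filtered" result from outside the LAN is the one that points back at the router: the AirVPN side has nothing to answer with because the SYN never produced a reply, which is what missing PREROUTING lines or a DROP ahead of the ACCEPT rules look like from the internet.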

I am on the latest firmware now, 380.62_1. My NAT loopback (in the Firewall section) is set to Merlin. System Log - Port Forwarding shows the following:

Destination  Proto  Port range  Redirect to    Local Port  Chain
ALL          UDP    60311       192.168.1.132  60311       PREROUTING
ALL          TCP    60311       192.168.1.132  60311       PREROUTING
ALL          UDP    43968       192.168.1.130  43968       PREROUTING
ALL          TCP    43968       192.168.1.130  43968       PREROUTING

When I port-checked on the AirVPN site again, there was still no green light. There must be some router settings, perhaps in Administration, System, Web Interface or in the Firewall - General tab, that need specific values. What are the correct settings...?


Nope, there are no settings that need to be changed. Put in the correct iptables rules and it works. If you're still putting in the extraneous rules, that's probably the problem.

All you need is this pattern, changing things like the TUN device, the port and the LAN device IP to suit your setup.

 

# 192.168.1.130, AirVPN port 18378 (TCP and UDP)
iptables -I FORWARD -i tun11 -p udp -d 192.168.1.130 --dport 18378 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.130 --dport 18378 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 18378 -j DNAT --to-destination 192.168.1.130
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 18378 -j DNAT --to-destination 192.168.1.130

# 192.168.1.132, AirVPN port 37649 (TCP and UDP); the DNAT target must be the same host as in the FORWARD rules
iptables -I FORWARD -i tun11 -p udp -d 192.168.1.132 --dport 37649 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.132 --dport 37649 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 37649 -j DNAT --to-destination 192.168.1.132
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 37649 -j DNAT --to-destination 192.168.1.132


That is what I have in my nat-start file. The firewall is disabled on my web server. Internally, my website loads fine. My router is running behind AirVPN.

 

I need to know the LAN and WAN settings so they will not interfere with port forwarding...

 

Interestingly, my mydlink webcam was able to secure a port automatically... I can access it from anywhere...

 

 
