annon3876 1 Posted ... Hi guys, please help me. i am a noob. i tried to forward ports to my local nas, so i forwarded the port here in client area port 20176. local port in my nas is 4431. am i right to forward the port 20176 and local port fill in 4431 in the client area? also i forwarded nat on my dd-wrt router tcp and udp to 192.168.1.5 port 20176 to port 4431 and also i created these firewall rules: iptables -I FORWARD -i br0 -o tun0 -j ACCEPTiptables -I FORWARD -i tun0 -o br0 -j ACCEPTiptables -I INPUT -i tun0 -j REJECTiptables -t nat -A POSTROUTING -o tun0 -j MASQUERADEiptables -I FORWARD -i tun0 -p udp -d 192.168.1.5 --dport 20176 -j ACCEPTiptables -I FORWARD -i tun0 -p tcp -d 192.168.1.5 --dport 20176 -j ACCEPTiptables -t nat -I PREROUTING -i tun0 -p tcp --dport 20176 -j DNAT --to-destination 192.168.1.5iptables -t nat -I PREROUTING -i tun0 -p udp --dport 20176 -j DNAT --to-destination 192.168.1.5 when i now start qfile app coming from wan to connect to xxxxxx.airdns.org i cant connect. just nothing happens and ends in a timeout.when i check open ports on http://www.canyouseeme.org it says connection refused Quote Share this post Link to post
annon3876 1 Posted ... Actually i removed the nat rules. didnt solve the problem Quote Share this post Link to post
go558a83nk 364 Posted ... I'm not sure about what dd-wrt needs (I've worked with Merlin Asus) for security in combination with port forwarding. However, this pattern is all I ever needed iptables -I FORWARD -i tun0 -p udp -d 192.168.1.5 --dport 20176 -j ACCEPTiptables -I FORWARD -i tun0 -p tcp -d 192.168.1.5 --dport 20176 -j ACCEPTiptables -t nat -I PREROUTING -i tun0 -p tcp --dport 20176 -j DNAT --to-destination 192.168.1.5iptables -t nat -I PREROUTING -i tun0 -p udp --dport 20176 -j DNAT --to-destination 192.168.1.5 Now, I'm confused about your setup. Did you create a forwarded port with AirVPN with a different internal port than external port? If so, you'll use that internal port in your iptable rules 1 annon3876 reacted to this Quote Share this post Link to post
annon3876 1 Posted ... I changed the local port from my nas from 4431 to 20176 as in airvpn i use 20176 too. local port and external port are the same now. still not solved. when i check the forwarded port on airvpn site i get refused error 111 Quote Share this post Link to post
NaDre 157 Posted ... From doing "man iptables-extensions": DNAT This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes the following options: --to-destination [ipaddr[-ipaddr]][:port[-port]] which can specify a single new destination IP address, an inclusive range of IP addresses. Optionally a port range, if the rule also specifies one of the following protocols: tcp, udp, dccp or sctp. If no port range is specified, then the destination port will never be modified. If no IP address is specified then only the desti‐ nation port will be modified. In Kernels up to 2.6.10 you can add several --to-destination options. For those kernels, if you specify more than one destination address, either via an address range or multiple --to-destina‐ tion options, a simple round-robin (one after another in cycle) load balancing takes place between these addresses. Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore. So try making it "--to-destination 192.168.1.5:4431". That is, use you destination port number too. UPDATE: I realize now that you later changed your port to match the port number that you forwarded at AirVPN. Maybe double-check that you have not told AirVPN to forward 20176 to 4431, or something? 1 annon3876 reacted to this Quote Share this post Link to post
annon3876 1 Posted ... Thanks for the reply, but it didnt solve my problem. Firewall still blocks incoming traffic on port 20176. Creating nat rules for port 20176 dont work too. Actually no NAT rules and this is my firewall command: iptables -I FORWARD -i br0 -o tun0 -j ACCEPTiptables -I FORWARD -i tun0 -o br0 -j ACCEPTiptables -I INPUT -i tun0 -j REJECTiptables -t nat -A POSTROUTING -o tun0 -j MASQUERADEiptables -I FORWARD -i tun0 -p udp -d 192.168.1.5 --dport 20176 -j ACCEPTiptables -I FORWARD -i tun0 -p tcp -d 192.168.1.5 --dport 20176 -j ACCEPTiptables -t nat -I PREROUTING -i tun0 -p tcp --dport 20176 -j DNAT --to-destination 192.168.1.5:20176iptables -t nat -I PREROUTING -i tun0 -p udp --dport 20176 -j DNAT --to-destination 192.168.1.5:20176 I dont know why the router refuses the connection Update: My actual iptables look like this: iptables -I FORWARD -i br0 -o tun0 -j ACCEPTiptables -I FORWARD -i tun0 -o br0 -j ACCEPTiptables -I INPUT -i tun0 -j REJECTiptables -t nat -A POSTROUTING -o tun0 -j MASQUERADEiptables -I FORWARD -i tun0 -p udp -d 192.168.1.5 --dport 20176 -j ACCEPTiptables -I FORWARD -i tun0 -p tcp -d 192.168.1.5 --dport 20176 -j ACCEPTiptables -t nat -I PREROUTING -i tun0 -p tcp --dport 20176 -j DNAT --to-destination 192.168.1.5iptables -t nat -I PREROUTING -i tun0 -p udp --dport 20176 -j DNAT --to-destination 192.168.1.5 Quote Share this post Link to post
Staff 10019 Posted ... @annon3876 In addition to NaDre and go558a83nk suggestions, please make sure that your tun interface name is correct. Verify with command "ifconfig". On several DD-WRT builds the default interface name is tun1, not tun0. Error 111 means that the packets are actively refused by your system. Do not forward ports from the router web panel. If you do so, you might expose your system to correlation attacks. You need to forward packets from tun interface, which is not affected by the port web panel of the router. Kind regards 1 annon3876 reacted to this Quote Share this post Link to post
annon3876 1 Posted ... Finally i got it working. Thx staff. I checked on my netgrear with ifconfig and tada: its tun1 thx all u guys. Problem solved. Quote Share this post Link to post