Tofu 11/12 Port Forward problem

Discussion in 'HyperWRT Firmware' started by bluefiberoptics, Jan 13, 2006.

  1. bluefiberoptics

    bluefiberoptics Network Guru Member

    I had to create some port forwards for file transfer. When I was finished, I unchecked the enable boxes and clicked save changes. After I did that, I lost my connection. It would not come back, I rebooted the router, DSL modem, etc. So when I rechecked the enable boxes in port forward, my connection worked again. But now I can't take off port forwarding or my connection stops. :(
  2. syndicatedragon

    syndicatedragon Network Guru Member

    I had something similar happen to me (although I was using a very old Rupan HyperWRT build). I think I ended up resetting the factory defaults and that cleared it (but what a pain).

    On a related note, what is the command in the "Command Shell" to get the thing to list currently forwarded ports (in case this is a problem with the web interface)?
  3. NateHoy

    NateHoy Network Guru Member

    OK, I can confirm this problem. I've also seen it reported elsewhere, so I decided to test it.

    But it's not as simple as it seems.

    Here's my test.

    I have Azureus, set to default port 49155. I also experimented at one time with uTorrent, set to 49156. When I went to Tofu, though, I turned on UPnP, which works flawlessly with Tofu and Azureus.

    So I had the range of 49155-49156 forwarded, though disabled. I turned off UPnP in both the router and Azureus, turned on the manual port forward, then restarted Azureus.

    Using the Azureus NAT testing tool, 49155 was not working ("NAT Error"). However, 49156 was ("OK"). No difference in the two ports. I widened out the range to 49150-49160, and three of the ports in that range actually worked. The other eight did not. I don't see ANY difference between the ports, but it appears that some ports forward and some do not.

    So I switched Azureus over to 49156 and got green lights (meaning no NAT issues) almost immediately.


    UPnP works.
    SOME manually forwarded ports work, and when one does it appears to stay working.

    Here is an extract from iptables --list for the forwards, they LOOK ok:

    ACCEPT tcp -- anywhere Hoys tcp dpts:49150:49160
    ACCEPT udp -- anywhere Hoys udp dpts:49150:49160

    EDIT: Update - I'm now getting port forward errors with 49156, the port that tested just fine a couple of minutes ago. The NAT test still passes, but it was somewhat slow for a minute or two. Still "green lights" except for the main distributed database status, which doesn't get tested very often.

    Never had this problem on UPnP, so I suspect even the ports that do forward successfully have issues.
  4. bluefiberoptics

    bluefiberoptics Network Guru Member

    ? I don't know?
  5. Thibor

    Thibor Super Moderator Staff Member Member

    If you have the ports set up in Forward.asp but the enable checkbox is not checked, the firewall will explicitly block the ports listed, unless UPnP sets up a rule for a port listed; it is set as a higher priority.
  6. bluefiberoptics

    bluefiberoptics Network Guru Member

    How do I make the range blank again? If I try to delete them from the field, I get a message saying I have to enter a value from 1-255 or something.
  7. Thibor

    Thibor Super Moderator Staff Member Member

    You could try "nvram set forward_port=" then "nvram commit".
  8. Thibor

    Thibor Super Moderator Staff Member Member

    I've now removed this screwy code from firewall.c, and I'm sure Tofu will do something with it too.
  9. syndicatedragon

    syndicatedragon Network Guru Member

    If you want to see what ports are actually being forwarded, the command is

    /usr/sbin/iptables --list FORWARD

    It helps if you know a little about iptables to figure out what that means though. :) Also, do this from telnet because it doesn't have the right format from the "command prompt" window.

    I'm curious, Thibor: what did you change in firewall.c?
  10. Thibor

    Thibor Super Moderator Staff Member Member

    if( flag_dis == 0 )
        save2file("-A PREROUTING -p tcp -m tcp -d %s --dport %s "
                  "-j DNAT --to-destination %s%s\n"
                  , wanaddr, port, lan_cclass, ip);

    snprintf(buff, sizeof(buff), "-A FORWARD -p tcp "
             "-m tcp -d %s%s --dport %s -j %s\n"
             , lan_cclass, ip, port, log_accept);
    if( (!dmzenable) || (dmzenable && strcmp(ip , nvram_safe_get("dmz_ipaddr"))) )
        snprintf(buff, sizeof(buff), "-A FORWARD -p tcp "
                 "-m tcp -d %s%s --dport %s -j %s\n"
                 , lan_cclass, ip, port, log_drop);

    I changed the underlined line to:

    if( (dmzenable && strcmp(ip , nvram_safe_get("dmz_ipaddr"))) )

    I did this in 2 places, one for tcp and one for udp. Basically the Enable checkbox is acting as a FORWARD/DROP control, and if the IP address is the DMZ it will still do that, but for any other address it will just enable/disable the particular port forward setting.
  11. syndicatedragon

    syndicatedragon Network Guru Member

    Yeah, that code was a little goofy. It explains why I see what I see in the FORWARD list though with the explicit drop rules.
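
The rule selection discussed in posts 10 and 11, modelled as an added example that is not part of the thread or the HyperWRT source. It compares the posted condition with Thibor's replacement for one tcp entry. Assumptions: the `log_drop` branch runs only when the Enable box is unchecked (the posted fragment shows no braces or `else`), `forward_rule` and the enum are hypothetical names, "ACCEPT"/"DROP" stand in for `log_accept`/`log_drop`, and the address and port are constructed values.

```c
#include <stdio.h>
#include <string.h>

enum rule { RULE_NONE, RULE_ACCEPT, RULE_DROP };

/* Model of the FORWARD-rule choice for one tcp entry from Forward.asp.
 * patched = 0: condition as posted; patched = 1: Thibor's replacement.
 * Assumption: the drop branch is reached only for a disabled entry.
 * dmz_ip plays the role of nvram_safe_get("dmz_ipaddr"). */
enum rule forward_rule(int patched, int enabled, int dmzenable,
                       const char *lan_cclass, const char *ip,
                       const char *dmz_ip, const char *port,
                       char *buff, size_t len)
{
    const char *target;
    /* strcmp() != 0 means the entry points at a host other than the DMZ host */
    int other_host = dmzenable && strcmp(ip, dmz_ip) != 0;

    buff[0] = '\0';
    if (enabled)
        target = "ACCEPT";
    else if (patched ? other_host : (!dmzenable || other_host))
        target = "DROP";
    else
        return RULE_NONE;   /* disabled entry leaves no rule behind */

    snprintf(buff, len, "-A FORWARD -p tcp -m tcp -d %s%s --dport %s -j %s\n",
             lan_cclass, ip, port, target);
    return enabled ? RULE_ACCEPT : RULE_DROP;
}

int main(void)
{
    char buff[128];
    /* Constructed case from the thread: entry present, Enable unchecked, DMZ off. */
    for (int patched = 0; patched <= 1; patched++) {
        enum rule r = forward_rule(patched, 0, 0, "192.168.1.", "100", "",
                                   "49155", buff, sizeof(buff));
        printf("%s firewall.c: %s", patched ? "patched" : "original",
               r == RULE_NONE ? "(no rule)\n" : buff);
    }
    return 0;
}
```

With DMZ off, the original condition turns every unchecked entry into an explicit DROP rule in FORWARD, which is what `iptables --list FORWARD` shows in post 11; the replacement emits nothing for that case.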