OpenWrt/LEDE Project

  • Status: Unconfirmed
  • Percent Complete
  • Task Type: Bug Report
  • Category: Base system
  • Assigned To: No-one
  • Operating System: All
  • Severity: Low
  • Priority: Very Low
  • Reported Version: Trunk
  • Due in Version: Undecided
  • Due Date: Undecided
  • Votes
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by Steve Ramage - 18.11.2018

FS#1959 - Port forwards do not work with Static Routes

Supply the following if possible:
- Device problem occurs on


NetGear WNDR 3700v2

[Software Version]

- Software versions of OpenWrt/LEDE release, packages, etc.

DISTRIB_DESCRIPTION='OpenWrt 18.06.1 r7258-5eb055306f'

[Network Setup]

Internet ⇐===⇒ OpenWRT (WAN With NAT ⇐=⇒ ( ⇐=⇒ Router (no NAT, ⇐=⇒ ( ⇐=⇒ Server (

OpenWRT Settings (/etc/config/network):

config route
 option interface 'lan'
 option target ''
 option netmask ''
 option gateway ''
 option metric '1'

Port Forward (/etc/config/firewall):

config redirect
 option target 'DNAT'
 option src 'wan'
 option dest 'lan'
 option proto 'tcp'
 option name '443'
 option dest_port '443'
 option src_dport '443'
 option dest_ip ''

[ Problem ]

Connections from the internet, or from nodes on can connect to on port 443, they make the connection to port 443. However nodes on cannot.

If I look at iptables-save I see the following:

iptables-save | grep "443"
-A zone_lan_postrouting -s -d -p tcp -m tcp --dport 443 -m comment --comment "!fw3: 443 (reflection)" -j SNAT --to-source
-A zone_lan_prerouting -s -d -p tcp -m tcp --dport 443 -m comment --comment "!fw3: 443 (reflection)" -j DNAT --to-destination
-A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: 443" -j DNAT --to-destination

The NAT rule is specifying only the local LAN address.

[Work Around ]

If as a custom start up script I run:

iptables-save | sed -r 's:^(.+) (.+)$:\1 \2\n\1 \2:' | iptables-restore

Then can access it without issue, however this script doesn’t always get executed when making changes within the OpenWRT UI (at least in 12.09, I just upgraded today).

[Potential Solutions]

I think that every route should have their iptables rules set up automagically, however I’m not 100% sure.
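
An added example, not part of the original report or of OpenWrt's firewall code: a Python check, run off-box on saved copies of /etc/config/network and iptables-save output, that lists static routes whose subnet is not matched by the source of any fw3 reflection rule. All addresses are constructed, since the report's own are not shown on the page, and the function names are hypothetical.

```python
import ipaddress
import re
# Constructed sample inputs; the report's own addresses are not shown on the page.
NETWORK = """\
config route
 option interface 'lan'
 option target '192.168.2.0'
 option netmask '255.255.255.0'
 option gateway '192.168.1.2'
"""
RULES = """\
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.10/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: 443 (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_prerouting -s 192.168.1.0/24 -d 203.0.113.5/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: 443 (reflection)" -j DNAT --to-destination 192.168.1.10:443
-A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: 443" -j DNAT --to-destination 192.168.1.10:443
"""

def static_routes(network_config):
    """Networks declared in IPv4 'config route' sections (single-quoted options)."""
    routes = []
    for section in re.split(r"^config ", network_config, flags=re.M)[1:]:
        opts = dict(re.findall(r"option (\w+) '([^']*)'", section))
        target, mask = opts.get("target"), opts.get("netmask")
        if not re.match(r"route\b", section) or not target:
            continue
        spec = f"{target}/{mask}" if mask and "/" not in target else target
        routes.append(ipaddress.ip_network(spec, strict=False))
    return routes

def reflection_sources(iptables_save):
    """Map each chain to the -s networks of its fw3 reflection rules."""
    pat = re.compile(r'-A (\S+) -s (\S+) .*"!fw3: .*\(reflection\)"')
    sources = {}
    for line in iptables_save.splitlines():
        if (m := pat.match(line)):
            net = ipaddress.ip_network(m.group(2), strict=False)
            sources.setdefault(m.group(1), []).append(net)
    return sources

def uncovered_routes(network_config, iptables_save):
    """(chain, route) pairs where no reflection rule's source covers the route."""
    routes = static_routes(network_config)
    gaps = []
    for chain, nets in sorted(reflection_sources(iptables_save).items()):
        gaps += [(chain, str(r)) for r in routes if not any(r.subnet_of(n) for n in nets)]
    return gaps

if __name__ == "__main__":
    for chain, route in uncovered_routes(NETWORK, RULES):
        print(f"{chain}: no reflection rule matches sources in {route}")
```

An empty result after a firewall reload means every routed subnet is matched by a reflection rule in each chain; a non-empty one after a UI change shows that the duplicated rules were dropped again.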

