
View full version: Nightmare with virtual server



Khurram
22-03-2011, 21:23
I have flashed r2844 to the router and am having one hell of a time trying to get virtual servers to work. I am trying to forward ports from the router to internal machines (ssh, vnc to name a couple). For example, public_ip:37237 to internal_ip:5900. I need about 10 "virtual servers".

Is there anything beyond filling in the various textboxes on the Virtual Server webpage?

I have also played around with iptables with PREROUTING chain, but have not succeeded. It seems the router is not forwarding at all.

Can someone please help?

wpte
22-03-2011, 22:57
Something like this:

#!/bin/sh
WANIF=`nvram get wan_ifname`

# Remove the trailing DROP rule (the INPUT "policy") so that rules can be
# appended in front of it
iptables -D INPUT -j DROP

# DNAT new connections arriving on the WAN interface at port 80 to the LAN host
iptables -t nat -A PREROUTING -i ${WANIF} -p tcp --dport 80 -j DNAT --to-destination 192.168.1.110:8080

# Re-establish the INPUT chain policy
iptables -A INPUT -j DROP

My basic post-firewall layout. WANIF is automatically set to your WAN network interface; this rule forwards port 80 to port 8080 on the computer with IP 192.168.1.110.

Khurram
23-03-2011, 06:34
Thanks for your reply. So I do not need any FORWARD or INPUT chain rules? I will try it out on the router.

What if I want to forward a port to another port on the router itself. For example, forward port 33425 to port 22 on the router itself (I do not want to open port 22 itself to the outside). Will I need some other rules in this case?

wpte
23-03-2011, 10:36
Thanks for your reply. So I do not need any FORWARD or INPUT chain rules? I will try it out on the router.

What if I want to forward a port to another port on the router itself. For example, forward port 33425 to port 22 on the router itself (I do not want to open port 22 itself to the outside). Will I need some other rules in this case?

It should work like this; the other chains have already been made:

iptables -L

You could use the same command, just use the LAN IP of the router as the endpoint :)

If you want to open a port in the regular way, just use:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
or something like that :)

Tamadite
23-03-2011, 21:06
I have flashed r2844 to the router and am having one hell of a time trying to get virtual servers to work. I am trying to forward ports from the router to internal machines (ssh, vnc to name a couple). For example, public_ip:37237 to internal_ip:5900. I need about 10 "virtual servers".

Is there anything beyond filling in the various textboxes on the Virtual Server webpage?

I have also played around with iptables with PREROUTING chain, but have not succeeded. It seems the router is not forwarding at all.

Can someone please help?

What do you call "internal machines"? Servers on the router or servers on the LAN?

If servers on the router, then WPTE's hint is enough. If servers on the LAN, then you need to use the FORWARD chain.

theMIROn
23-03-2011, 21:13
Why not use the VSERVER chain? It's used for new connections from the WAN side.

Khurram
24-03-2011, 06:50
What do you call "internal machines"? Servers on the router or servers on the LAN?

If servers on the router then WPTE hint is enough. If servers on the LAN then you need to use the FORWARD chain.
By internal machines, I mean machines on my LAN.

why not to use VSERVER chain? it's used for new connections from wan side.
That is how the router itself is doing it. For port forwarding to the router itself, the firmware adds a rule to the VSERVER chain and another rule to the INPUT chain. For forwarding to internal machines, you would probably need a rule in VSERVER and another in the FORWARD chain.

I have not tested it out yet. I plan to do this today and post back the results here.

Khurram
24-03-2011, 10:48
I tried it on the router and it works great :D Thanks for all the help.

To summarize, if you are port forwarding to the router itself:

1) iptables -t nat -A VSERVER -p tcp --dport <router external port> -j DNAT --to-destination <router internal ip>:<router internal port>
2) iptables -D INPUT -j DROP
3) iptables -A INPUT -p tcp --dport <router internal port> -j ACCEPT
4) iptables -A INPUT -j DROP

If you are forwarding to another PC on the LAN:

1) iptables -t nat -A VSERVER -p tcp --dport <router external port> -j DNAT --to-destination <internal pc ip>:<internal pc port>
2) iptables -A FORWARD -p tcp --dport <router external port> -j ACCEPT

You can restrict the scope of the VSERVER rules to the external interface, but I have not done that for now. I have all my VSERVERs set up in post-firewall and it is working great.
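A complete post-firewall script built on the summary above, as an added example that is not code from this thread or from the firmware. It generates the VSERVER / INPUT / FORWARD rules for a whole table of forwards from one list, and it differs from step 3 of the "router itself" recipe in one security-relevant way: a plain "-A INPUT -p tcp --dport 22 -j ACCEPT" also accepts connections sent directly to port 22 on the WAN address, which is exactly what the original poster wanted to avoid. Matching "-m conntrack --ctstate DNAT" on the INPUT rule (the same match the firmware uses in FORWARD) accepts only connections that were rewritten by the VSERVER rule, and an optional source network on each line limits who can reach the forward at all. The LAN IP 192.168.1.1, the WAN interface name eth1, the hosts 192.168.1.110 and the admin network 203.0.113.0/24 are assumed placeholders; on the router WANIF comes from nvram as in wpte's script.

```sh
#!/bin/sh
# Added example, not code from the thread or the firmware: generate the
# post-firewall rules for a whole table of "virtual servers" using the
# VSERVER / INPUT / FORWARD layout from the summary above.
#
# Assumptions (placeholders, adjust for your router):
#   LAN_IP  - the router's own LAN address
#   WANIF   - WAN interface; on the router use: WANIF=`nvram get wan_ifname`
# By default the script only prints the iptables commands (dry run) so it can
# be reviewed on any machine; run it with DRYRUN= on the router to apply them.
LAN_IP="${LAN_IP:-192.168.1.1}"
WANIF="${WANIF:-eth1}"
DRYRUN="${DRYRUN-1}"

# Constructed forward table: proto ext_port dest_ip dest_port [allowed_source]
# Lines starting with # and blank lines are ignored.
FORWARDS='
# ssh on the router itself, reachable only from an assumed admin network
tcp 33425 192.168.1.1 22 203.0.113.0/24
# vnc on a LAN host, reachable from anywhere
tcp 37237 192.168.1.110 5900
'

# vserver_rules: read the table on stdin, print one iptables command per line.
vserver_rules() {
    input_rules=""
    while read -r proto ext dip dport src; do
        case "$proto" in ''|'#'*) continue ;; esac
        srcm="${src:+-s $src}"
        # nat: rewrite the destination of new connections from the WAN side
        echo "iptables -t nat -A VSERVER -i $WANIF -p $proto ${srcm:+$srcm }--dport $ext -j DNAT --to-destination $dip:$dport"
        if [ "$dip" = "$LAN_IP" ]; then
            # Router itself: after DNAT the packet traverses INPUT.  Matching
            # --ctstate DNAT accepts only connections that came through the
            # VSERVER rule; a plain --dport ACCEPT would also open the
            # internal port directly to the WAN.
            input_rules="${input_rules}iptables -A INPUT -i $WANIF -p $proto ${srcm:+$srcm }--dport $dport -m conntrack --ctstate DNAT -j ACCEPT
"
        else
            # LAN host: after DNAT the packet traverses FORWARD.  Redundant on
            # a firewall that already has '-m conntrack --ctstate DNAT -j ACCEPT'
            # in FORWARD, harmless otherwise.
            echo "iptables -A FORWARD -i $WANIF -p $proto ${srcm:+$srcm }-d $dip --dport $dport -m conntrack --ctstate DNAT -j ACCEPT"
        fi
    done
    # INPUT ends with a DROP: take it off, append the ACCEPTs, put it back.
    # Otherwise the ACCEPTs would sit below the DROP and never match.
    if [ -n "$input_rules" ]; then
        echo "iptables -D INPUT -j DROP"
        printf '%s' "$input_rules"
        echo "iptables -A INPUT -j DROP"
    fi
}

if [ -n "$DRYRUN" ]; then
    printf '%s\n' "$FORWARDS" | vserver_rules
else
    printf '%s\n' "$FORWARDS" | vserver_rules | sh -e
fi
```

Run it once without arguments to see the generated commands, compare them with "iptables -t nat -L VSERVER -n" and "iptables -L INPUT -n" on the router, then apply with DRYRUN= from post-firewall. Moving ssh to 33425 does not hide it from a port scan; the source restriction on the VSERVER line is the control that actually limits exposure.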

theMIROn
24-03-2011, 10:56
If you are forwarding to another pc on the lan:
...
2) iptables -A FORWARD -p tcp --dport <router external port> -j ACCEPT
Looks redundant; there's already (if the WAN->LAN firewall is configured from the web UI):

-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT

You can restrict the scope of the VSERVER rules to the external interface but I have not done that for now.
Same for that; it's automagically restricted to the external interfaces.

Khurram
24-03-2011, 13:40
Looks redundant; there's already (if the WAN->LAN firewall is configured from the web UI):

-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT

Same for that; it's automagically restricted to the external interfaces.
Thanks for the info :)