I have a MG90 router (non FIPS) and I am unable to port forward any ports from the WAN side to my a server on the LAN side of the router.
I am very interested in ports 80 and 443, however with a lot of trial and nothing but error, I have become stumped.
My network is set up as follows:
One Ethernet port assigned as a WAN port, the rest on my LAN subnet.
Internet works great, even for my wifi (also on my LAN subnet).
I have a server that has various functions (DHCP, DNS, routing to a HRE, and other functions) that it performs, among one of those functions is a web server.
(Technically the web server is in the HRE and the traffic is just routed, but the server looks like it is the web server).
My old router (different brand) was able to port forward properly from WAN to LAN.
The server’s IP address is at 192.168.1.25.
I can access the server while connected to the LAN but I can’t access the server externally.
If I type in the WAN IP address of the router I get an Apache tomcat error page, where on my web server it is running httpd not tomcat. I am pretty sure the tomcat error page is from the router.
Here is a screenshot of my port 443 forwarding config on my router:
LAN > Networking Rules > Add Rule (Access Granting)
Rule Name: HTTPS Traffic In
Direction: Incoming
Source IP Address: leave blank
Source Port Range: 443
Protocol: TCP
Destination IP Address: WAN IP of the modem or try leaving blank
Destination Port Range: 443 443
I just tried this, to my supprise, I could leave the destination field blank.
Unfortunately this still did not fix it.
I am trying new combinations now since I found the destination can be blank.
Will report back.
Just added granting rules to every interface and network with no destination set.
Unfortunately the results were unsuccessful in getting the ports forwarded.
The only other thing I could suggest trying is changing your LAN segment to just a /24, so 192.168.1.1 255.255.255.0. Most of these cellular gateways are designed and tested around delivering a /24 network on the LAN side, using a full /16 on the LAN could be messing with some of the routing logic it uses. I unfortunately do not have an MG90 myself to help out in testing the theory, but, If that doesn’t work you may need to reach out to your supplier for some support.
Here is an interesting development:
I added blocking rules to all levels and interface of the router config to block ports 22 and 2222 but they did not take effect.
I can still access the SSH system of the router.
I am starting to think that the firewall settings are not being implemented on save.
I recommend configuring the following WAN Networking Rules:
WAN > Networking Rules > Add Rule (Access Granting)
Rule Name: HTTPS Traffic In
Direction: Incoming
Source IP Address: leave blank
Source Port Range: leave blank
Protocol: TCP/UDP
Destination IP Address:
Destination Port Range: 443 443
WAN->Networking Rules->add Rule (Port Forwarding)
Source IP : blank
Destination port range : 443 to 443
Protocol : TCP/UDP
Forward to Host : ip address of local device attached to MG90
Forward Port range : 443 to 443
I have been more busy then ever and have not had the chance to test the settings.
I should have some down time soon and will most definitely test them.
Not that its exactly this issue, but to add to your /16 comment… I just saw this on the MP70 series. I wanted to split a /24 into two /25’s, one for wifi and one for wired. Much to my surprise, the subnetting entirely broke routing on the device when there were multiple ‘WAN’ connections. Everything works as expected with /24’s.
Not sure of your exact use case or how you are trying to split the subnet, but, I have had issues trying to break the default LAN into /25 as well, but had good success using /26s. If you need all LAN devices to talk to each other (Wi-Fi/Ethernet) but control outgoing traffic, the way I have “split up” the LAN between Wi-Fi and Ethernet on the MP70 is to setup the LAN>Ethernet>General settings to something like below keeping the main pool a /24.
I would then have my Wi-Fi devices connect via DHCP and auto pull an IP from the .129 - .190 /24 range.
Then I would statically set my wired devices in the .65 - 126 /24 range.
Both using the same gateway and subnet mask
You can then setup policy based routing if needed using the respective /26. I.e. a policy route for outgoing traffic from the Wifi side would be set to a source IP of 172.16.16.129 255.255.255.192 or policy route for the LAN side would be set to Source IP 172.16.16.64 255.255.255.192.
These would be the respective /26s you could segment traffic using policy routing
|1|172.16.16.0|172.16.16.1 - 172.16.16.62|172.16.16.63| (Dont USE if using policy routing)
|2|172.16.16.64|172.16.16.65 - 172.16.16.126|172.16.16.127| - Useable - Wired Range for static assignment
|3|172.16.16.128|172.16.16.129 - 172.16.16.190|172.16.16.191| - Useable - Wifi / DHCP Range
|4|172.16.16.192|172.16.16.193 - 172.16.16.254|172.16.16.255| - Useable - Misc for static assignment
I used this setup to allow ethernet (critical) devices to ride over any available WAN including cellular, but block Wi-Fi devices from using anything but Wifi as WAN or Ethernet as WAN (No cellular access). This also allowed devices to communicate to each other still even if on cellular.
