I have recently upgraded from a Linksys E4200 v1 with shibby version 124-EN to to Asus RT-AC68U (aka T-Mobile AC1900) with shibby version K26RT-AC-131-EN.
The port forwarding issue is present in both versions (!), however this time I dedicate some time to troubleshoot as I really need this to work.
After some analysis I came to the conclusion that the issue lies with iptables, and any solution should also be viable through changes in iptables. Unfortunately because of my limited knowledge of iptables I have not been able to find a workaround.
The scenario is very simple and common:
"Redirect ssh traffic from the internet to an internal server. For the setup I am using a "static public internet" address at the external port (vlan2) and a "static private IP" address for the internal server."
Port forwarding is working correctly (!) while I test it from the inside/private network to the public external IP address (!!).
Below you can see the established connection. Note the public IP as the destination for the ssh connection (!)
# cat /proc/net/ip_conntrack | grep 192.168.100.70 tcp 6 431995 ESTABLISHED src=192.168.100.95 dst=220.127.116.11 sport=24118 dport=2222 src=192.168.100.70 dst=192.168.100.1 sport=22 dport=24118 [ASSURED] mark=0 use=2
However doing the same from the internet does not work and eventually results in the connection request timing out. The connection status for that case shows:
# cat /proc/net/ip_conntrack | grep 192.168.100.70 tcp 6 114 SYN_SENT src=18.104.22.168 dst=22.214.171.124 sport=49574 dport=2222 [UNREPLIED] src=192.168.100.70 dst=126.96.36.199 sport=22 dport=49574 mark=0 use=2
Through connection logging of the Firewall, I can clearly see the incoming packets being accepted and going through the iptables rules. However I cannot see anything on the outgoing / return packet side. which makes me conclude that the return traffic is "blocked" probably (?) by a missing rule.
As this is a very common scenario I am sure other people must be experiencing this issue as well. I am positive that this exact same setup has worked in the past with previous versions of the firmware (maybe 121 on the Linksys E4200v1 but could be other. I don't remember).
Thank you in advance for any assistance and hopefully workaround that any one of the experts can suggest. Should you need more information or testing, do not hesitate to ask.