Port forwarding with OpenWRT Kamikaze

Port forwarding in itself is nothing new in OpenWRT, though the way it is done has changed dramatically between White Russian and Kamikaze.

One reoccurring problem is that port forwarding only works for packets coming in through the wan interface – In White Russian it was possible to add some clever rules to


but things does not seem to be so easy in Kamikaze (even if it is possible to include




the rules do not work.

Luckily I have a work-around.

As an example, let us say I want to forward traffic from the Internet to my server OpenWRT router Server

First, create the configuration for the forwarded port by adding this to



config 'redirect' 'www'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option 'src_ip' ''
    option 'src_dport' '80'
    option 'dest_ip' ''
    option 'dest_port' '80

config 'rule'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option 'src_ip' ''
    option 'dest_ip' ''
    option 'dest_port' '80'
    option 'target' 'ACCEPT'
[email protected]:~# /etc/init.d/firewall restart

That is it, traffic coming to the wan interface is now forwarded to the server.

But there is a problem. If you try to connect to www.my.site (which resolves to your public IP) you will get the webif of OpenWRT instead of the website.

To circumvent this we need to redirect (or proxy) the traffic to the web server as there does not seem to be any easy way to do “lan to lan port forwarding”.

For this I decided to use xinetd since it has native support for port redirection.

Start by moving the webif to another port, the configuration is in



config 'httpd'
    option 'home' '/www'
    option 'port' '1080'
[email protected]:~# /etc/init.d/httpd restart

(The configuration for the SSH server is in



Now install xinetd – It’s not in the “native” OpenWRT packages but can be found in OptWare:

[email protected]:~# ipkpg install http://ipkg.nslu2-linux.org/feeds/optware/openwrt-brcm24/cross/unstable/xinetd_2.3.14-8_mipsel.ipk

Now, either copy


from a Linux/Unix machine or add this line:

www     80/tcp      http        # WorldWideWeb HTTP

Then create the file



service http
   flags = REUSE
   socket_type = stream
   wait = no
   user = root
   redirect = 80
   log_on_failure += USERID

If you plan on using a lot of OptWare packages you could at a custom start-up script that calls all S-scripts in


– But I opted for a single OpenWRT-style init-script for xinetd.



#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org

start() {
    [ -x /opt/sbin/xinetd ] && {
[email protected]:~# /etc/init.d/xinetd enable
[email protected]:~# /etc/init.d/xinetd start
[email protected]:~# ps aux | grep [x]inetd
 1599 root      1900 S    /opt/sbin/xinetd
 1935 root      1900 S    /opt/sbin/xinetd

logread should show something like

May 10 23:25:45 xinetd[2166]: Reading included configuration file: /opt/etc/xinetd.d/http-forward [file=/opt/etc/xinetd.conf] [line=15]
May 10 23:25:45 xinetd[2166]: xinetd Version 2.3.14 started with no options compiled in.
May 10 23:25:45 xinetd[2166]: Started working: 1 available services

Now try to connect to the forwarded port, there should be something like this in the log:

May 10 23:25:53 xinetd[2166]: START: http pid=2168 from=
  • Andi

    to keep LuCI on port 80 for lan and have wan port 80 redirected to to a specific server (here in lan), try first a rule that rejects port 80 on wan and then the forward… like this (in /etc/config/firewall):

    config rule
    option src wan
    option dest_port 80
    option target REJECT

    config redirect
    option src wan
    option src_dport 80
    option dest lan
    option dest_ip
    option dest_port 80
    option proto tcp

    works fine for me…

    • alj

      Yes, it’s a typo. Fixed.

    • alj

      Another brilliant way of solving the same problem :)

      I’ve always been running the WebIf on port 1080 (instead of 80) which is why I chose that solution with Kamikaze.


  • Steve

    Hi Alan,

    I noticed in your example you said your server was at but in your configuration you use Is this a typo?


  • Hi,
    that’s very usefull, but I still have a question:
    is it possible to specify both protocol? I mean, how to enable udp and tcp on port 6000?

  • alj

    I do believe that the ‘proto’ parameter is optional – but I cannot test it as I am no longer using OpenWRT (hardware compatibility issues – nothing wrong with OpenWRT as such).