Port forwarding in itself is nothing new in OpenWRT, though the way it is done has changed dramatically between White Russian and Kamikaze.

One reoccurring problem is that port forwarding only works for packets coming in through the wan interface – In White Russian it was possible to add some clever rules to /etc/firewall.user but things does not seem to be so easy in Kamikaze (even if it is possible to include /etc/firewall.user from /etc/config/firewall the rules do not work).

Luckily I have a work-around.

As an example, let us say I want to forward traffic from the Internet to my server OpenWRT router Server  

First, create the configuration for the forwarded port by adding this to /etc/config/firewall:

config 'redirect' 'www'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option 'src_ip' ''
    option 'src_dport' '80'
    option 'dest_ip' ''
    option 'dest_port' '80

config 'rule'
    option 'src' 'wan'
    option 'proto' 'tcp'
    option 'src_ip' ''
    option 'dest_ip' ''
    option 'dest_port' '80'
    option 'target' 'ACCEPT'

the reload the firewall

root@OpenWRT:~# /etc/init.d/firewall restart

That is it, traffic coming to the wan interface is now forwarded to the server.

But there is a problem. If you try to connect to www.my.site (which resolves to your public IP) you will get the webif of OpenWRT instead of the website.

To circumvent this we need to redirect (or proxy) the traffic to the web server as there does not seem to be any easy way to do “lan to lan port forwarding”.

For this I decided to use xinetd since it has native support for port redirection.

Start by moving the webif to another port, the configuration is in /etc/config/httpd:

config 'httpd'
    option 'home' '/www'
    option 'port' '1080'

and then restart the web server

root@OpenWRT:~# /etc/init.d/httpd restart

(The configuration for the SSH server is in /etc/config/dropbear)

Now install xinetd – It’s not in the “native” OpenWRT packages but can be found in OptWare:

root@OpenWRT:~# ipkpg install http://ipkg.nslu2-linux.org/feeds/optware/openwrt-brcm24/cross/unstable/xinetd_2.3.14-8_mipsel.ipk

Now, either copy /etc/services from a Linux/Unix machine or add this line:

www     80/tcp      http        # WorldWideWeb HTTP

Then create the file /opt/etc/xinetd.d/http-forward:

service http
   flags = REUSE
   socket_type = stream
   wait = no
   user = root
   redirect = 80
   log_on_failure += USERID

If you plan on using a lot of OptWare packages you could at a custom start-up script that calls all S-scripts in /opt/etc/init.d

– But I opted for a single OpenWRT-style init-script for xinetd (/etc/init.d/xinetd):

#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org

start() {
    [ -x /opt/sbin/xinetd ] && {

and then enable and start the service

root@OpenWRT:~# /etc/init.d/xinetd enable
root@OpenWRT:~# /etc/init.d/xinetd start
root@OpenWRT:~# ps aux | grep [x]inetd
 1599 root      1900 S    /opt/sbin/xinetd
 1935 root      1900 S    /opt/sbin/xinetd

logread should show something like

May 10 23:25:45 xinetd[2166]: Reading included configuration file: /opt/etc/xinetd.d/http-forward [file=/opt/etc/xinetd.conf] [line=15]
May 10 23:25:45 xinetd[2166]: xinetd Version 2.3.14 started with no options compiled in.
May 10 23:25:45 xinetd[2166]: Started working: 1 available services

Now try to connect to the forwarded port, there should be something like this in the log:

May 10 23:25:53 xinetd[2166]: START: http pid=2168 from=