iptables not logging WAN traffic?

1

Let me start by stating my final goal: When traffic comes in on a specific IP address, if the server isn't on, turn it on with Wake On Lan. I am using a TP-Link Archer C7 v2 router with DD-WRT installed with build r30709.

  • WOL works
  • Logging LAN traffic on the port works (via iptables rule)
  • Pinging the server from a script to see if it is on, after parsing for the custom log entry, works
  • Sending WOL from the script works
  • Logging WAN traffic does NOT work (via iptables rule)

Now, from what I have seen about DD-WRT, a lot of people seem to create VLANs when they do something like that. My router is Atheros based, and DD-WRT supposedly doesn't support VLAN for Atheros routers, although many people seem to have gotten it working on this router (they don't post instructions online).

So I am currently researching a way to set up the port on the router the server is plugged into on its own VLAN, but so far no luck.

Here are my two iptables rules:

#this works
iptables -I FORWARD -i br0 -p tcp --dport 32400 -m state --state NEW -j LOG --log-prefix "PLEX LAN Connection "

# this does not work 
iptables -I FORWARD -i eth0 -p tcp --dport 32400 -m state --state NEW -j LOG --log-prefix "PLEX WAN Connection "

# this does not work either (dd-wrt.com says vlan2 is the WAN interface)
iptables -I FORWARD -i vlan2 -p tcp --dport 32400 -m state --state NEW -j LOG --log-prefix "PLEX WAN Connection "

Is this something that can be corrected with just iptables? Because I cannot get iptables to log incoming WAN connections on that port to /var/log/messages. I assumed it wasn't writing to the log because it's not sitting on its own VLAN.

Update 1

Please note, I tried using eth0 instead of vlan2, but same result: nada in the log. I even removed -i <interface> altogether in both rules, but never anything on WAN traffic.

root@DD-WRT:~# ip a
root@DD-WRT:~# ip ro
default via pu.bl.ic.1 dev eth0
pu.bl.ic.0/24 dev eth0  proto kernel  scope link  src pu.bl.ic.ip
127.0.0.0/8 dev lo  scope link
169.254.0.0/16 dev br0  proto kernel  scope link  src 169.254.255.1
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1

According to DD-WRT website, vlan2 is supposed to represent the logical interface for the WAN.

Update 2

I noticed the destination IP is incorrect. It should be going to 192.168.1.2 but it's going to 192.168.0.10. That is not a valid LAN at all:

Oct  4 20:47:35 DD-WRT kern.warn kernel: [114429.460000] PLEX LAN Connection IN=br0 OUT=eth0 MAC=XXXXXXXXXXXXXXXXXXX SRC=192.168.1.133 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=45163 DF PROTO=TCP SPT=4644

Tried this as the only rule per suggestion below:

iptables -A FORWARD -p tcp --dport 32400 -m limit --limit 50/min -j LOG --log-prefix "CHECK INTERFACES"

Still nothing in the log; stopped logging LAN connections too.

Update 3

root@DD-WRT:/tmp/var/log# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 2742 packets, 395K bytes)
 pkts bytes target     prot opt in     out     source               destination
   13   764 DNAT       tcp  --  *      *       0.0.0.0/0            pu.bl.ic.ip       tcp dpt:14619 to:192.168.1.2:32400
    0     0 DNAT       icmp --  *      *       0.0.0.0/0            pu.bl.ic.ip       to:192.168.1.1
    4   232 DNAT       tcp  --  *      *       0.0.0.0/0            pu.bl.ic.ip       tcp dpt:22709 to:192.168.1.2:32400
  220 19942 TRIGGER    0    --  *      *       0.0.0.0/0            pu.bl.ic.ip       TRIGGER type:dnat match:0 relate:0

Chain INPUT (policy ACCEPT 30145 packets, 2802K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 253 packets, 21491 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 260 packets, 21863 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1065 67674 SNAT       0    --  *      eth0    192.168.1.0/24       0.0.0.0/0           to:pu.bl.ic.ip
   10   624 MASQUERADE  0    --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x80000000/0x80000000
asked on Super User Oct 4, 2016 by Nathan
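The OP's pipeline (parse the kernel log for the custom prefix, decide whether the server needs waking, send WOL) as an added example; this is not the OP's script. The log lines are constructed, modelled on the line in Update 2, and the WAN source address, the server MAC and the broadcast address are assumptions.

```python
import re
import socket

# Constructed sample log lines in the format the iptables LOG target emits.
# The first mirrors the line in Update 2; the second is a made-up WAN hit.
SAMPLE_LOG = """\
Oct  4 20:47:35 DD-WRT kern.warn kernel: [114429.460000] PLEX LAN Connection IN=br0 OUT=eth0 MAC=XXXXXXXXXXXXXXXXXXX SRC=192.168.1.133 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=45163 DF PROTO=TCP SPT=4644 DPT=32400 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  4 20:48:01 DD-WRT kern.warn kernel: [114455.120000] PLEX WAN Connection IN=eth0 OUT=br0 MAC=XXXXXXXXXXXXXXXXXXX SRC=203.0.113.7 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51000 DPT=32400 WINDOW=64240 RES=0x00 SYN URGP=0
Oct  4 20:48:02 DD-WRT kern.info kernel: [114456.000000] device eth0 entered promiscuous mode
"""

FIELD_RE = re.compile(r"([A-Z]+)=(\S+)")  # KEY=value pairs; bare flags (DF, SYN) are skipped

def parse_log_line(line, prefix):
    """Return the KEY=value fields of one LOG line carrying `prefix`, else None."""
    marker = line.find(prefix)
    if marker < 0:
        return None
    fields = dict(FIELD_RE.findall(line[marker + len(prefix):]))
    return fields or None

def wan_hits(log_text, prefix, wan_if, server_ip, port):
    """Source addresses of connections that entered on the WAN interface for the server."""
    hits = []
    for line in log_text.splitlines():
        f = parse_log_line(line, prefix)
        if f is None:
            continue
        # In FORWARD the packet is already post-DNAT, so DST is the LAN server,
        # not the public address; checking it catches a mis-pointed DNAT like Update 2.
        if f.get("IN") == wan_if and f.get("DST") == server_ip and f.get("DPT") == str(port):
            hits.append(f["SRC"])
    return hits

def magic_packet(mac):
    """Wake-on-LAN magic packet: six 0xFF bytes, then the MAC repeated 16 times."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 6 bytes")
    return b"\xff" * 6 + raw * 16

def send_wol(mac, broadcast="192.168.1.255", port=9):
    """Broadcast the magic packet on the LAN (assumed broadcast address and port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(magic_packet(mac), (broadcast, port))
```

A cron job or a `tail -f` loop feeding /var/log/messages into wan_hits() and calling send_wol() only when a ping to the server fails gives the behaviour the question describes.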

2 Answers

1

I can't add a comment on Super User, so it's an answer. Can you confirm that the service is working, whether you access it from LAN or WAN?

Do you use an iptables script, or do you just execute your command in bash separately? If you don't have an iptables script, as Cybernard said, you have to make sure your LOG line is before the ACCEPT one.

Once a packet is ACCEPTed or DROPped, it leaves the chain, so will never match the log rule located later in the chain.

For example, to insert your LOG rule as the first one in the FORWARD chain:

iptables -I FORWARD 1 -p tcp --dport 32400 -m limit --limit 50/min -j LOG --log-prefix "CHECK INTERFACES"
answered on Super User Oct 5, 2016 by Sanael
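A constructed model of the chain-walk behaviour this answer relies on (added example, not from the answer): LOG is non-terminating, ACCEPT and DROP end the walk, and -A appends while -I FORWARD 1 inserts at the top. The match function and packet are assumptions standing in for the real rule.

```python
# Minimal model of how netfilter walks one chain. Each rule is
# (match_fn, target, argument); only LOG keeps evaluating after a match.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

def run_chain(rules, packet, policy="ACCEPT"):
    """Walk `rules` for `packet`; return (verdict, log prefixes emitted)."""
    logged = []
    for match, target, arg in rules:
        if not match(packet):
            continue
        if target == "LOG":
            logged.append(arg)
            continue              # LOG does not consume the packet
        if target in TERMINATING:
            return target, logged  # packet leaves the chain here
    return policy, logged

def insert(rules, rule, position=1):
    """iptables -I CHAIN [pos]: 1-based insert, as opposed to -A (append)."""
    rules.insert(position - 1, rule)

def plex(p):
    """Stand-in for '-p tcp --dport 32400'."""
    return p["proto"] == "tcp" and p["dport"] == 32400

PKT = {"in": "eth0", "proto": "tcp", "dport": 32400}  # constructed WAN packet

def demo():
    # A firewall script already accepted the port; the LOG rule is appended after it.
    appended = [(plex, "ACCEPT", None), (plex, "LOG", "CHECK INTERFACES")]
    # Same ACCEPT, but the LOG rule is inserted at position 1 (-I FORWARD 1).
    fixed = [(plex, "ACCEPT", None)]
    insert(fixed, (plex, "LOG", "CHECK INTERFACES"), 1)
    return run_chain(appended, PKT), run_chain(fixed, PKT)
```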
0

Please note that the IP on the WAN interface will be pre-NAT, so the router might be the target even if the packet is forwarded. This is what I would do:

iptables -I INPUT -p all -i <wan interface> -j LOG --log-prefix "FIREWALL-WAN"
iptables -I FORWARD -p all -i <wan interface> -j LOG --log-prefix "FIREWALL-WAN"

where <wan interface> is the interface with the WAN IP. Normally I just drop WAN traffic and then permit what I want, so in fact I would not do this.

answered on Super User Apr 25, 2017 by Pere Noel

User contributions licensed under CC BY-SA 3.0