Access web interface on WAN

FL2 · June 1, 2022, 10:26am

Hey there,
I‘m using an OpenWRT Device as OpenVPN Gateway in my home network. My setup looks like this:

Internet -> WAN port of internet router,
LAN Port of internet router-> WAN port of OpenWRT router,
Device connected via wifi to OpenWRT router

The setup works as it should. But I want to be able to access the OpenWRT router from my internet router‘s network. For example to change settings.

I followed this guide https://superuser.com/questions/1084177/cant-connect-via-luci-or-ssh-from-wan-side-network-to-raspberry-pi-1b-running-o and added a traffic rule for WAN on port 80, but the webinterface just does not show up.

Can you help me, please?

frollic · June 1, 2022, 10:40am

sure you don't want to use your openwrt device as a https://openwrt.org/docs/guide-user/network/wifi/dumbap ?

if not, post your /etc/config/firewall

trendy · June 1, 2022, 12:39pm

Try to access the OpenWrt router from its wan side, to make sure there are hits on the firewall. Then please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c | grep 80 ; ip6tables-save -c | grep 80; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

FL2 · June 5, 2022, 10:01am

@frollic:
Here is my firewall setup:


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config rule
	option name 'allowssh'
	option src 'wan'
	option src_port '22'
	option dest 'lan'
	option dest_port '22'
	option target 'ACCEPT'

config rule
	option name 'Allow-WAN-Web'
	list proto 'tcp'
	option src 'wan'
	option dest '*'
	option dest_port '80'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allowwan2'
	option src 'wan'
	option dest 'lan'
	option dest_port '80'
	option target 'ACCEPT'
	option src_port '80'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'OpenVPN_FW'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'OpenVPN_VPN'

config forwarding
	option src 'OpenVPN_FW'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'OpenVPN_FW'

@trendy:
Here is what I get by this commands:

root@OpenWrtN16:~# ubus system board; \ uci export network; \ uci export dhcp; u
ci export firewall; \ head -n -0 /etc/firewall.user; \ iptables-save -c | grep 8
0 ; ip6tables-save -c | grep 80; \ ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
Usage: ubus [<options>] <command> [arguments...]
Options:
 -s <socket>:           Set the unix domain socket to connect to
 -t <timeout>:          Set the timeout (in seconds) for a command to complete
 -S:                    Use simplified output (for scripts)
 -v:                    More verbose output
 -m <type>:             (for monitor): include a specific message type
                        (can be used more than once)
 -M <r|t>               (for monitor): only capture received or transmitted traffic

Commands:
 - list [<path>]                        List objects
 - call <path> <method> [<message>]     Call an object method
 - subscribe <path> [<path>...] Subscribe to object(s) notifications
 - listen [<path>...]                   Listen for events
 - send <type> [<message>]              Send an event
 - wait_for <object> [<object>...]      Wait for multiple objects to appear on ubus
 - monitor                              Monitor ubus traffic

-ash:  uci: not found
-ash:  uci: not found
package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'

config rule
        option name 'allowssh'
        option src 'wan'
        option src_port '22'
        option dest 'lan'
        option dest_port '22'
        option target 'ACCEPT'

config rule
        option name 'Allow-WAN-Web'
        list proto 'tcp'
        option src 'wan'
        option dest '*'
        option dest_port '80'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allowwan2'
        option src 'wan'
        option dest 'lan'
        option dest_port '80'
        option target 'ACCEPT'
        option src_port '80'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config zone
        option name 'OpenVPN_FW'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'OpenVPN_VPN'

config forwarding
        option src 'OpenVPN_FW'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'OpenVPN_FW'

-ash:  head: not found
-ash:  iptables-save: not found
[1801:159675] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[0:0] -A zone_wan_forward -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Allow-WAN-Web" -j ACCEPT
[0:0] -A zone_wan_forward -p tcp -m tcp --sport 80 --dport 80 -m comment --comment "!fw3: Allowwan2" -j zone_lan_dest                                                   _ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --sport 80 --dport 80 -m comment --comment "!fw3: Allowwan2" -j zone_lan_dest                                                   _ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD"                                                    -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD"                                                    -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD"                                                    -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD"                                                    -j ACCEPT
-ash:  ip: not found
default via 192.168.178.1 dev eth0.1  src 192.168.178.20
192.168.100.0/24 dev br-lan scope link  src 192.168.100.1
192.168.178.0/24 dev eth0.1 scope link  src 192.168.178.20
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.100.0 dev br-lan table local scope link  src 192.168.100.1
local 192.168.100.1 dev br-lan table local scope host  src 192.168.100.1
broadcast 192.168.100.255 dev br-lan table local scope link  src 192.168.100.1
broadcast 192.168.178.0 dev eth0.1 table local scope link  src 192.168.178.20
local 192.168.178.20 dev eth0.1 table local scope host  src 192.168.178.20
broadcast 192.168.178.255 dev eth0.1 table local scope link  src 192.168.178.20
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
root@OpenWrtN16:~#

frollic · June 5, 2022, 11:05am

What openwrt version are you running?

cat /etc/openwrt_release

FL2 · June 5, 2022, 11:43am

OpenWrt 21.02.3, r16554-1d4dea6d4f

frollic · June 5, 2022, 11:47am

Not what you were asked to post.

trendy · June 6, 2022, 7:41am

You didn't paste the block of commands properly. Try it one more time, don't change anything.

jwmullally · June 6, 2022, 8:07am

This works from a clean install:

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-Admin'
uci set firewall.@rule[-1].enabled='true'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='22 80 443'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
service firewall restart

FL2 · July 6, 2022, 5:45pm

@jwmullally your solution works, thank you very much.

FL2 · July 7, 2022, 5:04pm

I have created a reboot script afterwards. Today the remote access suddenly does not work anymore

system · July 17, 2022, 5:04pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.