Try to access the OpenWrt router from its wan side, to make sure there are hits on the firewall. Then please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have
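ubus call system board;
uci export network;
uci export dhcp; uci export firewall;
head -n -0 /etc/firewall.user;
iptables-save -c | grep 80; ip6tables-save -c | grep 80;
ip -4 addr; ip -4 route list table all; ip -4 rule;
# Read-only diagnostics: board info, network/dhcp/firewall config, the custom
# firewall include file (head -n -0 prints it in full), rule packet counters,
# then IPv4 addresses, routes from every table and policy rules.
# 'grep 80' is a plain substring match, so counter values and fe80:: lines
# show up next to the port-80 rules.
# Lines end in ';' with no trailing backslash: if a terminal joins the pasted
# lines with spaces, '\ uci' is read as a command name that starts with a
# space and fails with "uci: not found"; ';' alone survives both paste styles.
# The comments sit below the commands so that joined lines cannot end up
# behind a '#'.
# The config exports can include passwords, MAC addresses and public IPs;
# redact them before posting the output.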
root@OpenWrtN16:~# ubus system board; \ uci export network; \ uci export dhcp; u
ci export firewall; \ head -n -0 /etc/firewall.user; \ iptables-save -c | grep 8
0 ; ip6tables-save -c | grep 80; \ ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
Usage: ubus [<options>] <command> [arguments...]
Options:
-s <socket>: Set the unix domain socket to connect to
-t <timeout>: Set the timeout (in seconds) for a command to complete
-S: Use simplified output (for scripts)
-v: More verbose output
-m <type>: (for monitor): include a specific message type
(can be used more than once)
-M <r|t> (for monitor): only capture received or transmitted traffic
Commands:
- list [<path>] List objects
- call <path> <method> [<message>] Call an object method
- subscribe <path> [<path>...] Subscribe to object(s) notifications
- listen [<path>...] Listen for events
- send <type> [<message>] Send an event
- wait_for <object> [<object>...] Wait for multiple objects to appear on ubus
- monitor Monitor ubus traffic
-ash: uci: not found
-ash: uci: not found
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'wwan'
config rule
option name 'allowssh'
option src 'wan'
option src_port '22'
option dest 'lan'
option dest_port '22'
option target 'ACCEPT'
config rule
option name 'Allow-WAN-Web'
list proto 'tcp'
option src 'wan'
option dest '*'
option dest_port '80'
option target 'ACCEPT'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allowwan2'
option src 'wan'
option dest 'lan'
option dest_port '80'
option target 'ACCEPT'
option src_port '80'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config zone
option name 'OpenVPN_FW'
option output 'ACCEPT'
option forward 'REJECT'
option input 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'OpenVPN_VPN'
config forwarding
option src 'OpenVPN_FW'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'OpenVPN_FW'
-ash: head: not found
-ash: iptables-save: not found
[1801:159675] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[0:0] -A zone_wan_forward -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Allow-WAN-Web" -j ACCEPT
[0:0] -A zone_wan_forward -p tcp -m tcp --sport 80 --dport 80 -m comment --comment "!fw3: Allowwan2" -j zone_lan_dest _ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --sport 80 --dport 80 -m comment --comment "!fw3: Allowwan2" -j zone_lan_dest _ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-ash: ip: not found
default via 192.168.178.1 dev eth0.1 src 192.168.178.20
192.168.100.0/24 dev br-lan scope link src 192.168.100.1
192.168.178.0/24 dev eth0.1 scope link src 192.168.178.20
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.100.0 dev br-lan table local scope link src 192.168.100.1
local 192.168.100.1 dev br-lan table local scope host src 192.168.100.1
broadcast 192.168.100.255 dev br-lan table local scope link src 192.168.100.1
broadcast 192.168.178.0 dev eth0.1 table local scope link src 192.168.178.20
local 192.168.178.20 dev eth0.1 table local scope host src 192.168.178.20
broadcast 192.168.178.255 dev eth0.1 table local scope link src 192.168.178.20
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
root@OpenWrtN16:~#
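# Add an input rule that lets hosts on the wan side reach the router's own
# admin services: SSH (22), HTTP (80) and HTTPS (443) over TCP.
# The rule sets 'src' but no 'dest', so it applies to traffic addressed to the
# router itself. The existing 'allowssh' and 'Allowwan2' rules set dest 'lan'
# and a src_port, so they only match forwarded traffic whose client source
# port is 22 or 80, which fits their [0:0] counters.
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-Admin'
uci set firewall.@rule[-1].enabled='true'
uci set firewall.@rule[-1].src='wan'
# Limit the exposure to the upstream subnet seen on eth0.1 in the routing
# output (192.168.178.0/24). Without src_ip every host that can reach the wan
# interface gets the login prompts; adjust the prefix if the admin hosts live
# elsewhere.
uci set firewall.@rule[-1].src_ip='192.168.178.0/24'
uci set firewall.@rule[-1].proto='tcp'
# Port 80 carries the web login unencrypted; drop it from the list if 443 or
# SSH is enough for administration.
uci set firewall.@rule[-1].dest_port='22 80 443'
uci set firewall.@rule[-1].target='ACCEPT'
# Persist the change, then reload the ruleset so it takes effect.
uci commit firewall
service firewall restart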