Today I upgraded my WRT1900ACS v2 from an old DD-WRT build to OpenWRT 19.07.5. Everything went smoothly, and I had no issues setting up a guest WiFi network by following the Guest Wi-Fi Basics page found on the OpenWRT wiki here. Internet access, DHCP, and DNS work exactly as expected on the guest network.
I have a server behind this WRT1900ACS, which hosts several web-based services including Matrix and Nextcloud through a reverse proxy. Typically, client programs access these services by using subdomains of a domain I own, for example https://nextcloud.mydomain.com and https://matrix.mydomain.com. I've confirmed that these services are accessible externally over LTE on my phone.
For reasons that I don't fully understand, devices on the guest WiFi are unable to connect to these services, but I would like guests to be able to access them. When connected to the guest network, attempting curl https://nextcloud.mydomain.com
or similar yields "connection refused", and web browsers report that they're unable to connect. DNS lookups (nslookup
) for these URLs correctly return the router's external IP address, so I have concluded that the firewall is blocking this traffic.
On the main WiFi network, there are no issues accessing these self-hosted services.
This was also the case with DD-WRT, but I was hoping to solve this issue as part of the upgrade. So far I have tried creating firewall rules to forward HTTP and HTTPs traffic from the guest
firewall zone to the lan
zone, which seemed to have no effect.
Is there documentation somewhere that addresses what I'm trying to accomplish? Or is there a better way to describe this that would be helpful when I'm searching through forum posts? I would appreciate any help solving this, or at least something to point me in the right direction. Thanks!
The relevant configuration files are as follows. I'd be happy to share others if that's useful.
/etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
option masq '1'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config redirect
option src 'wan'
option name 'Server pseudo-DMZ'
option target 'DNAT'
option dest_ip '192.168.1.240'
option dest 'lan'
list proto 'all'
config redirect
option dest_port '22'
option src 'wan'
option name 'Server SSH'
option src_dport '(redacted)'
option target 'DNAT'
option dest_ip '192.168.1.231'
option dest 'lan'
list proto 'tcp'
config zone 'guest'
option name 'guest'
option network 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config forwarding 'guest_wan'
option src 'guest'
option dest 'wan'
config rule 'guest_dns'
option name 'Allow-DNS-Guest'
option src 'guest'
option dest_port '53'
option proto 'tcp udp'
option target 'ACCEPT'
config rule 'guest_dhcp'
option name 'Allow-DHCP-Guest'
option src 'guest'
option dest_port '67'
option family 'ipv4'
option proto 'udp'
option target 'ACCEPT'
config rule
option dest_port '80'
option src 'guest'
option name 'Guest-Allow-HTTP'
option target 'ACCEPT'
option src_port '80'
option dest 'lan'
list dest_ip '192.168.1.240'
config rule
option dest_port '443'
option src 'guest'
option name 'Guest-Allow-HTTPS'
option target 'ACCEPT'
option src_port '443'
option dest 'lan'
list dest_ip '192.168.1.240'
config rule
option dest 'guest'
option src 'lan'
option target 'ACCEPT'
/etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd85:cb0a:37c1::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '208.67.222.222'
list dns '208.67.220.220'
list dns '192.168.1.240'
config interface 'wan'
option ifname 'eth1.2'
option proto 'dhcp'
option delegate '0'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '0 1 2 3 5t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
option vid '2'
config interface 'guest'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
list dns '208.67.222.222'
list dns '208.67.220.220'
option delegate '0'
/etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
option htmode 'VHT80'
option country 'US'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option macaddr '62:38:e0:db:a5:7b'
option key 'KEY REDACTED'
option ssid 'SSID REDACTED'
option hidden '1'
option encryption 'psk2'
config wifi-device 'radio1'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
option htmode 'HT20'
option country 'US'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option macaddr '62:38:e0:db:a5:7a'
option key 'KEY REDACTED'
option ssid 'SSID REDACTED'
option hidden '1'
option encryption 'psk2'
config wifi-iface 'guest'
option device 'radio0'
option mode 'ap'
option network 'guest'
option key 'KEY REDACTED'
option ssid 'SSID REDACTED'
option encryption 'psk2'