Accessing self-hosted services behind router on guest WiFi network

Today I upgraded my WRT1900ACS v2 from an old DD-WRT build to OpenWRT 19.07.5. Everything went smoothly, and I had no issues setting up a guest WiFi network by following the Guest Wi-Fi Basics page found on the OpenWRT wiki here. Internet access, DHCP, and DNS work exactly as expected on the guest network.

I have a server behind this WRT1900ACS, which hosts several web-based services including Matrix and Nextcloud through a reverse proxy. Typically, client programs access these services by using subdomains of a domain I own, for example https://nextcloud.mydomain.com and https://matrix.mydomain.com. I've confirmed that these services are accessible externally over LTE on my phone.

For reasons that I don't fully understand, devices on the guest WiFi are unable to connect to these services, but I would like guests to be able to access them. When connected to the guest network, attempting curl https://nextcloud.mydomain.com or similar yields "connection refused", and web browsers report that they're unable to connect. DNS lookups (nslookup) for these hostnames correctly return the router's external IP address, so I have concluded that the firewall is blocking this traffic.

On the main WiFi network, there are no issues accessing these self-hosted services.

This was also the case with DD-WRT, but I was hoping to solve this issue as part of the upgrade. So far I have tried creating firewall rules to forward HTTP and HTTPS traffic from the guest firewall zone to the lan zone, which seemed to have no effect.

Is there documentation somewhere that addresses what I'm trying to accomplish? Or is there a better way to describe this that would be helpful when I'm searching through forum posts? I would appreciate any help solving this, or at least something to point me in the right direction. Thanks!

The relevant configuration files are as follows. I'd be happy to share others if that's useful.

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'
	option masq '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option src 'wan'
	option name 'Server pseudo-DMZ'
	option target 'DNAT'
	option dest_ip '192.168.1.240'
	option dest 'lan'
	list proto 'all'

config redirect
	option dest_port '22'
	option src 'wan'
	option name 'Server SSH'
	option src_dport '(redacted)'
	option target 'DNAT'
	option dest_ip '192.168.1.231'
	option dest 'lan'
	list proto 'tcp'

config zone 'guest'
	option name 'guest'
	option network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding 'guest_wan'
	option src 'guest'
	option dest 'wan'

config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option family 'ipv4'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option dest_port '80'
	option src 'guest'
	option name 'Guest-Allow-HTTP'
	option target 'ACCEPT'
	option src_port '80'
	option dest 'lan'
	list dest_ip '192.168.1.240'

config rule
	option dest_port '443'
	option src 'guest'
	option name 'Guest-Allow-HTTPS'
	option target 'ACCEPT'
	option src_port '443'
	option dest 'lan'
	list dest_ip '192.168.1.240'

config rule
	option dest 'guest'
	option src 'lan'
	option target 'ACCEPT'

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd85:cb0a:37c1::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '208.67.222.222'
	list dns '208.67.220.220'
	list dns '192.168.1.240'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'
	option delegate '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'
	option vid '2'

config interface 'guest'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	list dns '208.67.222.222'
	list dns '208.67.220.220'
	option delegate '0'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option htmode 'VHT80'
	option country 'US'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option macaddr '62:38:e0:db:a5:7b'
	option key 'KEY REDACTED'
	option ssid 'SSID REDACTED'
	option hidden '1'
	option encryption 'psk2'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option htmode 'HT20'
	option country 'US'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option macaddr '62:38:e0:db:a5:7a'
	option key 'KEY REDACTED'
	option ssid 'SSID REDACTED'
	option hidden '1'
	option encryption 'psk2'

config wifi-iface 'guest'
	option device 'radio0'
	option mode 'ap'
	option network 'guest'
	option key 'KEY REDACTED'
	option ssid 'SSID REDACTED'
	option encryption 'psk2'

Can you access these services from the guest network by connecting to their private IP address?

You might want to swap these sections.
Currently, the first redirect always takes precedence and the second redirect has no effect.


Rebind your domain using its private IP address, or create additional redirect from guest to LAN.


Thank you both for the replies.

Can you access these services from the guest network by connecting to their private IP address?

No, with my current configuration, I cannot access the services running on the main 192.168.1.0/24 network from the guest 192.168.3.0/24 network.

You might want to swap these sections.

This was unrelated to my original question, but was an issue nonetheless and your advice solved it. I always forget that the order of the rules matters.

Rebind your domain using private IP address, or create additional redirect from guest to LAN.

I feel like the first one depends on devices on 192.168.3.0/24 being able to access devices on 192.168.1.0/24, while the second one is a means of accomplishing that. I had to return home after my holiday break ended a few days ago, and I no longer have local access to this router, but I will see what I can do and share my findings.

Remove the src_port from both rules.


Thanks again for the suggestion, but this didn't seem to have any effect.

I'm inclined to shelve this issue until I have local access to the router again, which may not happen again for several months. Other people are relying on this router to work, and I don't want to risk screwing the firewall settings up enough that I get locked out and have to drive across several states just to fix it. If this forum thread isn't locked by then, I'll update it with whatever I figure out.

We've lived with this quirk for a while, and it's not a problem unless there are guests visiting, but thanks to the ongoing Coronavirus situation here in the U.S. that probably won't happen again for a while.

I finally had physical access to this WRT1900ACS again and found the solution. Referencing another thread titled [SOLVED] Access a LAN webserver from a guest network using the public IP, I added two rules to /etc/config/firewall, as follows:

config rule 'guest_http'
        option name 'Guest-Allow-HTTP'
        option src 'guest'
        option dest 'lan'
        list dest_ip '192.168.1.240'
        option dest_port '80'
        list proto 'tcp'
        option target 'ACCEPT'

config rule 'guest_https'
        option name 'Guest-Allow-HTTPS'
        option src 'guest'
        option dest 'lan'
        list dest_ip '192.168.1.240'
        option dest_port '443'
        list proto 'tcp'
        option target 'ACCEPT'

Then, as @vgaetera suggested, I associated the domains of the services with the private lan IP address in /etc/config/dhcp:

config domain
        option name 'mydomain.com'
        option ip '192.168.1.240'

config domain
        option name 'matrix.mydomain.com'
        option ip '192.168.1.240'

config domain
        option name 'nextcloud.mydomain.com'
        option ip '192.168.1.240'

After adding those items to the configurations and restarting OpenWRT's firewall and DHCP server, all devices tested could access the main webserver (mydomain.com), Matrix homeserver (matrix.mydomain.com), and Nextcloud instance (nextcloud.mydomain.com) when joined to the guest network, provided they didn't have static DNS set up. I also did some light testing for things I'd consider vulnerabilities (e.g., guests being able to SSH into these VMs or access other devices in the lan zone like our FreeNAS server) and didn't find anything concerning; this is consistent with the two new rules only accepting TCP 80 and 443 to 192.168.1.240 while the guest zone's forward policy remains REJECT.

For posterity, here are my complete, working configuration files:

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'
	option masq '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option src 'wan'
	option name 'Server Pseudo-DMZ'
	option target 'DNAT'
	option dest_ip '192.168.1.240'
	option dest 'lan'
	list proto 'all'

config redirect
	option dest_port '22'
	option src 'wan'
	option name 'Server SSH'
	option src_dport '(REDACTED)'
	option target 'DNAT'
	option dest_ip '192.168.1.231'
	option dest 'lan'
	list proto 'tcp'

config zone 'guest'
	option name 'guest'
	option network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding 'guest_wan'
	option src 'guest'
	option dest 'wan'

config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option family 'ipv4'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'guest_lan'
	option dest 'guest'
	option src 'lan'
	option target 'ACCEPT'

config rule 'guest_http'
    option name 'Guest-Allow-HTTP'
    option src 'guest'
    option dest 'lan'
    list dest_ip '192.168.1.240'
    option dest_port '80'
    list proto 'tcp'
    option target 'ACCEPT'

config rule 'guest_https'
    option name 'Guest-Allow-HTTPS'
    option src 'guest'
    option dest 'lan'
    list dest_ip '192.168.1.240'
    option dest_port '443'
    list proto 'tcp'
    option target 'ACCEPT'

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd85:cb0a:37c1::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '208.67.222.222'
	list dns '208.67.220.220'
	list dns '192.168.1.240'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'
	option delegate '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'
	option vid '2'

config interface 'guest'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	list dns '208.67.222.222'
	list dns '208.67.220.220'
	option delegate '0'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option htmode 'VHT80'
	option country 'US'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option macaddr '62:38:e0:db:a5:7b'
	option key '(REDACTED)'
	option ssid '(REDACTED)'
	option hidden '1'
	option encryption 'psk2'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option htmode 'HT20'
	option country 'US'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option macaddr '62:38:e0:db:a5:7a'
	option key '(REDACTED)'
	option ssid '(REDACTED)'
	option hidden '1'
	option encryption 'psk2'

config wifi-iface 'guest'
	option device 'radio0'
	option mode 'ap'
	option network 'guest'
	option key '(REDACTED)'
	option ssid '(REDACTED)'
	option encryption 'psk2'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option leasetime '12h'
	option limit '100'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '1h'

config domain
	option name 'mydomain.com'
	option ip '192.168.1.240'

config domain
	option name 'matrix.mydomain.com'
	option ip '192.168.1.240'

config domain
	option name 'nextcloud.mydomain.com'
	option ip '192.168.1.240'

config domain
	option name 'subsonic.mydomain.com'
	option ip '192.168.1.240'

Once again, thank you to everyone who responded when I first started this thread.
