Cannot access service behind router

Hello,
I switched to a new ISP and changed the router mode from DHCP to PPPoE. Everything works flawlessly, except access to a web server behind the router. When I check the IP addresses, there is a deviation between the ones in OpenWRT (a Link Local Address; 100.65.3.XXX) and the external one (checked via curl https://ipinfo.io/ip and verified by DDNS service). I forwarded the ports 80 and 443 from wan to lan, but I cannot access the service behind it.
uci export network gives the following output.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxx::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config device
	option name 'wan'
	option macaddr 'aa:aa:aa'

config interface 'wan'
	option proto 'pppoe'
	option username 'xxx'
	option password 'yyy'
	option ipv6 'auto'
	option device 'wan'

config interface 'guest'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	list dns '94.140.14.15'
	list dns '94.140.14.16'

It worked when the OpenWRT router was behind my first router and acted as a DHCP server only.

Does anyone have an idea how to solve this issue?

Thank you in advance,
bolle

This is CG-NAT. It is not Link Local (which are the 196.254.0.0/16 'self assigned' IP addresses that happen when a DHCP server isn't available).

Anyway, CG-NAT means that you do not have a publicly routable IP address, and therefore your servers will not be accessible. There is no easy way around this situation. You can talk to your ISP to see if they can give you a public IP address (this may or may not be an option, and/or it may involve extra cost).

Failing that, there is one more complex option which involves VPNs and is not trivial and may well involve additional costs.

2 Likes
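The check discussed above (WAN interface address versus the address seen from outside), as an added example that is not part of the original thread. The function names and sample addresses are constructed; the ranges are 100.64.0.0/10 (RFC 6598, CG-NAT), the RFC 1918 private blocks and 169.254.0.0/16 (RFC 3927, link-local).

```shell
#!/bin/sh
# Added example: tell CG-NAT apart from other non-public WAN addresses.
# Function names and sample addresses are constructed for illustration.

# Print the class of a dotted-quad IPv4 address; return 1 if it is malformed.
classify_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs=$IFS; IFS=.
    set -- $1                      # split the address into four octets
    IFS=$_old_ifs
    [ "$#" -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$_o" -le 255 ] || return 1
    done
    if   [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then echo cgnat
    elif [ "$1" -eq 10 ]; then echo private
    elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then echo private
    elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then echo private
    elif [ "$1" -eq 169 ] && [ "$2" -eq 254 ]; then echo link-local
    elif [ "$1" -eq 127 ]; then echo loopback
    elif [ "$1" -eq 0 ] || [ "$1" -ge 224 ]; then echo reserved
    else echo public
    fi
}

# $1 = address on the WAN interface, $2 = address reported by an external service.
diagnose_wan() {
    _wan_class=$(classify_ipv4 "$1") || return 1
    classify_ipv4 "$2" >/dev/null || return 1       # validate the second input
    case "$_wan_class" in
        cgnat)   echo cgnat ;;        # ISP NATs upstream: wan->lan forwards get no inbound traffic
        private) echo double-nat ;;   # another NAT device upstream holds the public address
        public)  if [ "$1" = "$2" ]; then echo direct; else echo mismatch; fi ;;
        *)       echo no-usable-address ;;
    esac
}

# Constructed sample: WAN address in the range from the post, external one from TEST-NET-3.
echo "WAN is $(classify_ipv4 100.65.3.10); verdict: $(diagnose_wan 100.65.3.10 203.0.113.7)"
```

On the router, the first argument is the IPv4 address OpenWrt shows on the wan interface and the second is the output of curl https://ipinfo.io/ip.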

Hello psherman,
thank you very much for the info and explanation. I will contact the ISP and hope that they can solve this issue on their side.

Best regards,
bolle

In many cases ISPs with cgNAT at least offer IPv6 as an alternative, which may be enough to meet your needs.

3 Likes

Thank you slh,
to me it looks like the WAN interface has a "weird" IPv6 address as well, but the WAN_6 (Virtual dynamic interface (DHCPv6 client)) uses a correct IPv6 address. I will try to create some traffic rules since it looks like port forwarding is for IPv4 only.

Best regards,
bolle

Hello psherman,
The ISP confirmed that with my current configuration external access is not possible, but for a small fee they will modify it, so the router will use a publicly routable IP. Thank you for your support.

Best regards,
bolle
