Can't access LuCI from the LAN side, but it works fine over Tailscale

I can't access LuCI from the LAN side, but I can access it from my Tailscale network.
Screenshot taken while accessing it from the Tailscale network.

Network config


# Loopback interface (standard OpenWrt default).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd4b:ff2d:7fa::/48'
	option packet_steering '1'

# Bridge over the four LAN ports. Both 'lan' and 'wwan' below attach to it.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# Management interface: static 192.168.18.2/24 with the ISP router
# (192.168.18.1, per the thread) as default gateway. DNS is sent to .80/.94;
# the thread later mentions a Pi-hole, presumably one of these.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.18.2'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.18.1'
	list dns '192.168.18.80'
	list dns '192.168.18.94'

# NOTE(review): a second interface on the same device 'br-lan' as 'lan',
# this time via DHCP. The replies in this thread identify this as the
# misconfiguration: two interfaces on one L2 device, both ending up in
# 192.168.18.0/24 with gateway 192.168.18.1. No firewall zone lists 'wwan'
# either, so traffic attributed to it presumably falls under the firewall
# 'defaults' (input REJECT) instead of the 'lan' zone's ACCEPT.
config interface 'wwan'
	option proto 'dhcp'
	option device 'br-lan'
	option peerdns '0'
	list dns '192.168.18.94'
	list dns '192.168.18.80'

# DHCP client that must not install a default route. No 'option device' is
# given, so which physical interface this binds to is not visible in the
# posted config; the firewall's 'sun' zone is built on this network.
config interface 'wlan'
	option proto 'dhcp'
	option defaultroute '0'

# Tailscale tunnel device. proto 'none' leaves addressing to whatever
# configures tailscale0 (presumably tailscaled), not to netifd.
config interface 'tailscale'
	option proto 'none'
	option device 'tailscale0'


Firewall config


# Policy for traffic that matches no zone below: rejected on input and
# forward. Relevant to 'wwan', which no zone lists as a member.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Trusted LAN zone: full access to the router's own services (uhttpd/LuCI).
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# NOTE(review): no 'list network' (or device) attaches anything to this zone
# in the posted config, so the Allow-* rules with src 'wan' below have no
# member interface to apply to; the upstream ISP router is reached via 'lan'.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Only meaningful once 'wan' has a member network.
config forwarding
	option src 'lan'
	option dest 'wan'

# The rules from here to Allow-ISAKMP look like OpenWrt's stock 'wan' rules
# (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec), left at defaults.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Zone for the 'wlan' network (the SUN2000 side), masqueraded.
# NOTE(review): input 'ACCEPT' lets every host on that network reach the
# router's own services, including the web UI (uhttpd binds all addresses).
# If that network is not fully trusted, set input to REJECT and allow only
# what is needed.
config zone
	option input 'ACCEPT'
	option name 'sun'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'wlan'

# DNAT: LAN clients connecting to this router on TCP 6607 are forwarded to
# 192.168.200.1:6607 inside the 'sun' zone (masqueraded there, per the zone).
config redirect
	option name 'SUN2000'
	option target 'DNAT'
	option src 'lan'
	option src_dport '6607'
	option dest 'sun'
	option dest_ip '192.168.200.1'
	option dest_port '6607'
	list proto 'tcp'

config forwarding
	option src 'lan'
	option dest 'sun'

# Tailscale zone: full input/forward plus masquerading. With the two
# forwardings below, any tailnet peer that can reach this node gets both
# LuCI (input ACCEPT is the path the OP says works) and the whole LAN;
# nothing in this firewall narrows which tailnet peers may do so.
config zone
	option name 'tailscale'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'tailscale'

config forwarding
	option src 'tailscale'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'tailscale'

DHCP config


# dnsmasq: DNS rebinding protection on, queries only served to hosts on
# local subnets ('localservice'), '.lan' names resolved locally, upstream
# servers taken from the resolvfile written by netifd.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

# DHCPv4 pool for 'lan' is defined but disabled ('ignore'), consistent with
# the AP role described in the thread where the ISP router at .1 hands out
# leases.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'

# odhcpd is not the main DHCP server here (maindhcp '0'); it only handles
# the IPv6 side.
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'


uhttpd config


# Web server for LuCI. It binds HTTP and HTTPS on every IPv4/IPv6 address,
# so it is reachable on br-lan, tailscale0 and whatever 'wlan' sits on;
# which clients actually get in is decided by the firewall zone input
# policies, not here.
config uhttpd 'main'
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'
	list listen_https '0.0.0.0:443'
	list listen_https '[::]:443'
	# Plain HTTP is redirected to HTTPS.
	option redirect_https '1'
	option home '/www'
	# Rejects requests from RFC1918 client addresses whose Host header names
	# a public IP (DNS-rebinding countermeasure). A LAN client opening
	# https://192.168.18.2 is not affected, which is why a later reply says
	# this option is unrelated to the problem.
	option rfc1918_filter '1'
	option max_requests '3'
	option max_connections '100'
	# Presumably self-signed, generated from the 'cert' section below
	# (CN 'OpenWrt'), so browsers will not trust it by default.
	option cert '/etc/uhttpd.crt'
	option key '/etc/uhttpd.key'
	option cgi_prefix '/cgi-bin'
	list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
	option script_timeout '60'
	option network_timeout '30'
	option http_keepalive '20'
	option tcp_keepalive '1'
	# ubus over HTTP, which the LuCI UI relies on.
	option ubus_prefix '/ubus'

# Parameters for the generated certificate: EC P-256 key, 397-day validity
# ('bits' presumably only applies to RSA keys).
config cert 'defaults'
	option days '397'
	option key_type 'ec'
	option bits '2048'
	option ec_curve 'P-256'
	option country 'ZZ'
	option state 'Somewhere'
	option location 'Unknown'
	option commonname 'OpenWrt'


This might be wrong...

What is the upstream (wwan) subnet -- is it 192.168.18.0/24?

Can you show a topology diagram that illustrates how this device fits into the network?

ISP router (192.168.18.1)------- OpenWrt router acting as AP (192.168.18.2)

How is the OpenWrt router connected to the ISP router? wifi? ethernet (if so, what port on the OpenWrt router)? both?

Ethernet via LAN port.

Delete these:

And these:

Then reboot and test again.


Is there a way to keep these settings and still access it?

Something along the lines of

option rfc1918_filter '1'

switched to

option rfc1918_filter '0'

??

Why do you want to keep the lines I recommended deleting? Those are generally incorrect, don't belong there and will cause problems. You should remove them because they represent problems in the config, even if not directly related to the immediate issue. (but I do think it is the cause, so please delete the stuff as described).

That said, my configuration has:

	option rfc1918_filter '1'

and it works correctly. So no, I don't believe that is related to your issue.

Just to be clear, in case the other user wasn't: you have incorrectly configured two OpenWrt interfaces, LAN and WWAN, to use the same device. That is invalid for various reasons (on both the networking and the firewall side).

It's not clear why you believe this setting would fix or workaround the misconfiguration.

I also noticed from your screenshot that you have two upstream networks with the same IP range, 192.168.18.0/24 (and the same gateway, 192.168.18.1). I expect that removing WWAN, as mentioned, would resolve that invalid setup.


Strangely enough, without changing these, just adding Unbound to the Pi-hole server somehow fixed it.

Then I assume you were attempting to access it via hostnames and not by IP (i.e., information you hadn't previously provided), correct?

No, I was using the following IP addresses / URLs.

https://192.168.18.2/cgi-bin/luci/

and 

https://192.168.18.58/cgi-bin/luci/

Then this was the reason:

(Edit: added this to clarify this paragraph applies only to hostnames and hypothetical) You were probably lucky and the nameserver provided the correct IP for the interface you're connected to as the first response (Round Robin).

A router cannot have two Layer 2 interfaces (in your case Ethernet / wireless Ethernet) with the same Layer 3 (IP) addressing, as it cannot route between them.
