Can't access LUCI over LAN while on another subnet

I have two networks, one 192.168.2.0/24 (network 1) with a pfSense Gateway 192.168.2.10 and on another site I have 192.168.3.0/24 (network 2) with a Linux Gateway 192.168.3.10.

These two gateways establish an IPSec-type VPN, where any host can PING or access services on any other host on the other network.

There is no firewall filtering ports for these networks on any of the gateways.

In network 2, I use a TP-Link TL-WR840N v4 with OpenWRT 18.06.5 r7897-9d401013f, 4.14.151 Kernel with LuCI openwrt-18.06 branch (git-19.309.48729-bc17ef6) to provide WiFi access for users.

The settings are the factory defaults in OpenWRT.

OpenWRT can ping hosts on both network 2 and network 1.

Both network 1 and network 2 devices can ping OpenWRT.

The problem is that, being on any computer on network 1, I can't access LuCI (port 80), which is on network 2, but I can access the same device via SSH (port 22) normally. When I try to access LuCI, it presents the link with the text "LuCI - Lua Configuration Interface", but does not enter the login page. Even when I click on the link, the browser keeps loading and never enters the page.

But if I have the same computer on network 2, then I can log into LuCI normally.

How do I access LuCI on network 2 directly while I am on a computer on network 1?

Is the router set up in dumbAP or are you routing between WAN and LAN?
Post the following from the OpenWrt in preformatted text (the </> button).

uci show network; uci show uhttpd ; \
uci show firewall; uci show dhcp; \
ip -4 addr ; ip -4 ro ; ip -4 ru; \
head -n -0 /etc/firewall.user; \

In OpenWRT I removed the WAN interface because I don't want to use it as a router, just as an access point for multiple VLANs. For now I'm still using only the default VLAN. However, when everything is working, I want to configure other VLANs and different SSIDs in each VLAN. But that will be in the future.

There is another Linux device playing the role of VPN Router and Gateway.

Your requests:

root@OpenWrt:~# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd20:f4e1:51df::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.3.36'
network.lan.gateway='192.168.3.10'
network.lan.dns='8.8.8.8 1.1.1.1 8.8.4.4'
network.lan_dev=device
network.lan_dev.name='eth0.1'
network.lan_dev.macaddr='d4:6e:0e:74:1a:14'
network.wan_dev=device
network.wan_dev.name='eth0.2'
network.wan_dev.macaddr='d4:6e:0e:74:1a:15'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='1 2 3 4 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='0 6t'
root@OpenWrt:~# 
root@OpenWrt:~# uci show uhttpd
uhttpd.main=uhttpd
uhttpd.main.listen_http='0.0.0.0:80' '[::]:80'
uhttpd.main.listen_https='0.0.0.0:443' '[::]:443'
uhttpd.main.home='/www'
uhttpd.main.rfc1918_filter='1'
uhttpd.main.max_connections='100'
uhttpd.main.cert='/etc/uhttpd.crt'
uhttpd.main.key='/etc/uhttpd.key'
uhttpd.main.cgi_prefix='/cgi-bin'
uhttpd.main.lua_prefix='/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
uhttpd.main.script_timeout='60'
uhttpd.main.network_timeout='30'
uhttpd.main.http_keepalive='20'
uhttpd.main.tcp_keepalive='1'
uhttpd.defaults=cert
uhttpd.defaults.days='730'
uhttpd.defaults.bits='2048'
uhttpd.defaults.country='ZZ'
uhttpd.defaults.state='Somewhere'
uhttpd.defaults.location='Unknown'
uhttpd.defaults.commonname='OpenWrt'
root@OpenWrt:~# 
root@OpenWrt:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='ACCEPT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
root@OpenWrt:~# 
root@OpenWrt:~# uci show dhcp
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_management='1'
dhcp.lan.ignore='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
root@OpenWrt:~# 
root@OpenWrt:~# ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.3.36/24 brd 192.168.3.255 scope global br-lan
       valid_lft forever preferred_lft forever
root@OpenWrt:~# ip -4 ro
default via 192.168.3.10 dev br-lan 
192.168.3.0/24 dev br-lan scope link  src 192.168.3.36 
root@OpenWrt:~# 
root@OpenWrt:~# ip -4 ru
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
root@OpenWrt:~# 
root@OpenWrt:~# head -n -0 /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
root@OpenWrt:~# 

uci set uhttpd.main.rfc1918_filter='0' && uci commit uhttpd && service uhttpd restart

Thanks for listening.

I tried your suggestion, but the problem still persists.

And now it looks like this:

root@OpenWrt:~# uci show uhttpd
uhttpd.main=uhttpd
uhttpd.main.listen_http='0.0.0.0:80' '[::]:80'
uhttpd.main.listen_https='0.0.0.0:443' '[::]:443'
uhttpd.main.home='/www'
uhttpd.main.max_connections='100'
uhttpd.main.cert='/etc/uhttpd.crt'
uhttpd.main.key='/etc/uhttpd.key'
uhttpd.main.cgi_prefix='/cgi-bin'
uhttpd.main.lua_prefix='/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
uhttpd.main.script_timeout='60'
uhttpd.main.network_timeout='30'
uhttpd.main.http_keepalive='20'
uhttpd.main.tcp_keepalive='1'
uhttpd.main.rfc1918_filter='0'
uhttpd.defaults=cert
uhttpd.defaults.days='730'
uhttpd.defaults.bits='2048'
uhttpd.defaults.country='ZZ'
uhttpd.defaults.state='Somewhere'
uhttpd.defaults.location='Unknown'
uhttpd.defaults.commonname='OpenWrt'
root@OpenWrt:~#

It's weird because I can PING, I can SSH, I just can't access LUCI. And when I'm physically inside the same subnet I get access to LUCI.

Have you cleared the browser cache, used private browsing, and tried another browser?


Yes, I pressed F5 and it didn't work. I also changed the browser and the behavior was the same. I also tried using a private window in Chrome and Firefox; the result was the same. :anguished:

Did you consider moving the router to the other network to see if the fault persists?

Alternatively, you could run a web server on a PC connected directly to the gateway and see if it is accessible from the other network.

Thanks for the reply.

I can try taking OpenWRT to another network to test. It's not that easy, but I can do it next week.

However, there is an HP printer on the network where OpenWRT is today, and it has a web server running an interface for its configuration, listening on port 80. I can access the web interface of this printer normally from the same network from which I can't access OpenWRT.

OK, then there is no point in moving the router. My point was to find out if it could possibly be the gateway that's causing the issue with port 80, but the printer proves otherwise. So it has to be the router.

Thanks partner, I solved the problem. I was making a mistake and you helped me to see.

In fact, the printer interface was not working when accessed from another subnet.

Then I realized that my problem was really on my gateway. Researching with a focus on it, I found that the problem was packet fragmentation, and it was only by creating a rule to adjust the value to 1300 that everything was solved.

# Clamp the MSS of outgoing TCP SYNs so the segments fit inside the IPsec tunnel
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1300

Thanks to everyone who tried to help me.

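The symptom in this thread (ping and SSH cross the tunnel, but the larger HTTP responses from LuCI stall) is the classic path-MTU black hole that an MSS clamp works around. The script below is an added example, not code from the thread, from OpenWrt or from the poster's gateway: run from a PC on network 1, it measures the largest packet that reaches the OpenWrt AP (192.168.3.36 in the thread) with the DF bit set, derives the MSS to clamp from that path MTU, and prints the corresponding rule. It assumes Linux iputils `ping` (for `-M do`; BusyBox ping on OpenWrt lacks it), that ICMP is not filtered on the path, and that `eth0` is the gateway's tunnel-facing interface as in the rule in the post above; it uses the `FORWARD` chain because the gateway forwards the traffic rather than originating it. The default MTU search bounds 576 and 1500 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): probe the path MTU across the VPN and
# derive the TCP MSS to clamp. Requires Linux iputils ping (-M do sets DF).
#
# Why ping and SSH work but LuCI does not: their packets are small, so they fit
# in the IPsec tunnel. LuCI's full-size HTTP segments exceed the tunnel MTU,
# the DF-marked packets are dropped, and the ICMP "fragmentation needed" reply
# never reaches the sender, so TCP just retransmits and the browser spins.

set -u

# MSS = MTU - 20 (IPv4 header) - 20 (TCP header without options).
IP_TCP_OVERHEAD=40
# "ping -s N" is the ICMP payload; on the wire that is N + 8 (ICMP) + 20 (IP).
ICMP_IP_OVERHEAD=28

# mss_for_mtu MTU -> largest MSS whose segments fit in MTU
mss_for_mtu() {
    echo $(( $1 - IP_TCP_OVERHEAD ))
}

# payload_for_mtu MTU -> "ping -s" value that yields an MTU-sized packet
payload_for_mtu() {
    echo $(( $1 - ICMP_IP_OVERHEAD ))
}

# df_ping HOST PAYLOAD -> 0 if one unfragmentable packet of that size got a reply
df_ping() {
    ping -M do -c 1 -W 1 -s "$2" "$1" >/dev/null 2>&1
}

# probe_path_mtu HOST [LOW] [HIGH] -> largest MTU (bytes) that passes, found by
# binary search over the ping payload. LOW is expected to pass, HIGH to fail.
probe_path_mtu() {
    host=$1; lo=${2:-576}; hi=${3:-1500}
    if ! df_ping "$host" "$(payload_for_mtu "$lo")"; then
        echo "no reply even at MTU $lo: host unreachable or ICMP filtered" >&2
        return 1
    fi
    if df_ping "$host" "$(payload_for_mtu "$hi")"; then
        echo "$hi"            # no black hole on this path
        return 0
    fi
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if df_ping "$host" "$(payload_for_mtu "$mid")"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

# clamp_rule IFACE MSS -> the iptables rule to install on the gateway, i.e. the
# thread's fix generalised to the measured value and to forwarded traffic.
clamp_rule() {
    printf 'iptables -t mangle -A FORWARD -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss %s\n' "$1" "$2"
}

# Usage: sh pmtu_probe.sh <host> [gateway-tunnel-iface]
if [ $# -gt 0 ]; then
    pmtu=$(probe_path_mtu "$1") || exit 1
    echo "path MTU to $1: $pmtu -> clamp MSS to $(mss_for_mtu "$pmtu")"
    clamp_rule "${2:-eth0}" "$(mss_for_mtu "$pmtu")"
fi
```

Run it from a host on each side of the tunnel, since the clamp has to cover SYNs in both directions; if the tunnel MTU is already known to the kernel, `-j TCPMSS --clamp-mss-to-pmtu` is the usual alternative to a fixed `--set-mss` value.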

Glad it was solved. Please mark your last message as the solution. It helps other people who might face similar problem to quickly find the solution.

