Can't Open Port 80

@mk24 I am pretty sure the answer to both questions is yes. Is there any way I can definitively check?

The IPv4 Upstream IP shown on the status page must match your IP found by port scan sites.

You could temporarily locally open port 22 TCP which is the router's SSH server (make sure your password is secure). This should then appear as an open port on the port scan site.

When you say you had it working with no-ip do you mean the firewall rules?

It is working fine and there are a lot of hits.
Is the address you have in duckdns the same as your wan IP?
nslookup dikacloud.duckdns.org 8.8.8.8 ; . /lib/functions/network.sh; network_flush_cache; network_find_wan NET_IF; network_get_ipaddr NET_ADDR "${NET_IF}"; echo "${NET_ADDR}"


Yes, I assume the firewall rules were working because I was able to access my website on 192.168.10.228 from outside of my lan.

The IPs are different on one port scan tool but agree with the duckdns.org site.

Yes they agree.

@trendy @krazeh @mk24
I am using a wireguard VPN. But it never made any difference with no-ip.

Thanks for your replies.

Any other ideas?

opkg update
opkg install vpn-policy-routing
uci set vpn-policy-routing.config.enabled="1"
uci -q delete vpn-policy-routing.config.dest_ipset
uci -q delete vpn-policy-routing.lan_wan
uci set vpn-policy-routing.lan_wan="policy"
uci set vpn-policy-routing.lan_wan.src_addr="192.168.10.228"
uci set vpn-policy-routing.lan_wan.src_port="80 443"
uci set vpn-policy-routing.lan_wan.dest_addr="!192.168.10.0/24"
uci set vpn-policy-routing.lan_wan.interface="wan"
uci commit vpn-policy-routing
/etc/init.d/vpn-policy-routing restart

VPN Policy-Based Routing + Web UI -- Discussion


@vgaetera Thanks for the script. It worked to help me get Letsencrypt wizard to complete successfully but when I go to an SSL testing website it fails and when I try to access my site from outside of my lan it fails.

So I think port 80 is open but I still cannot access my site from outside my lan.

Thanks so much for your help.

If there are any ideas as to why I cannot access my website outside of my lan, I would be happy to hear them.

Thanks to all.

bdika

Capture HTTP/HTTPS traffic on OpenWrt when trying to access the site from the internet:

opkg update
opkg install tcpdump
tcpdump -vni any port 80 or port 443

@vgaetera Thanks for the reply. I finally got a chance to run your command while my son was trying to connect from outside the lan and this is what I got ( I was limited to 32,000 characters, so I cut out some of what seemed to be repetitive):

14:24:32.585858 IP (tos 0x0, ttl 64, id 36046, offset 0, flags [DF], proto TCP (6), length 364)
    192.168.10.242.46976 > 172.217.164.227.80: Flags [P.], cksum 0x988b (correct), seq 2095294499:2095294811, ack 214232268, win 1369, options [nop,nop,TS val 37236879 ecr 4168669118], length 312: HTTP, length: 312
	HEAD /generate_204 HTTP/1.1
	Host: connectivitycheck.gstatic.com
	Connection: keep-alive
	User-Agent: Mozilla/5.0 (Linux; Android 8.0; Build/OPR2.170623.027.S25) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.57 Safari/537.36 CrKey/1.50.228700
	Accept-Encoding: gzip, deflate
	Accept-Language: en-US
	
14:24:32.585858 IP (tos 0x0, ttl 64, id 36046, offset 0, flags [DF], proto TCP (6), length 364)
    192.168.10.242.46976 > 172.217.164.227.80: Flags [P.], cksum 0x988b (correct), seq 0:312, ack 1, win 1369, options [nop,nop,TS val 37236879 ecr 4168669118], length 312: HTTP, length: 312
	HEAD /generate_204 HTTP/1.1
	Host: connectivitycheck.gstatic.com
	Connection: keep-alive
	User-Agent: Mozilla/5.0 (Linux; Android 8.0; Build/OPR2.170623.027.S25) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.57 Safari/537.36 CrKey/1.50.228700
	Accept-Encoding: gzip, deflate
	Accept-Language: en-US
	
14:24:32.585883 IP (tos 0x0, ttl 63, id 36046, offset 0, flags [DF], proto TCP (6), length 364)
    135.23.172.137.46976 > 172.217.164.227.80: Flags [P.], cksum 0x3085 (correct), seq 2095294499:2095294811, ack 214232268, win 1369, options [nop,nop,TS val 37236879 ecr 4168669118], length 312: HTTP, length: 312
	HEAD /generate_204 HTTP/1.1
	Host: connectivitycheck.gstatic.com
	Connection: keep-alive
	User-Agent: Mozilla/5.0 (Linux; Android 8.0; Build/OPR2.170623.027.S25) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.57 Safari/537.36 CrKey/1.50.228700
	Accept-Encoding: gzip, deflate
	Accept-Language: en-US
	
14:24:32.600485 IP (tos 0x0, ttl 58, id 42493, offset 0, flags [none], proto TCP (6), length 135)
    172.217.164.227.80 > 135.23.172.137.46976: Flags [P.], cksum 0x03ba (correct), seq 1:84, ack 312, win 269, options [nop,nop,TS val 4168670677 ecr 37236879], length 83: HTTP, length: 83
	HTTP/1.1 204 No Content
	Content-Length: 0
	Date: Sun, 21 Feb 2021 19:24:32 GMT
	
14:24:32.600498 IP (tos 0x0, ttl 57, id 42493, offset 0, flags [none], proto TCP (6), length 135)
    172.217.164.227.80 > 192.168.10.242.46976: Flags [P.], cksum 0x6bc0 (correct), seq 1:84, ack 312, win 269, options [nop,nop,TS val 4168670677 ecr 37236879], length 83: HTTP, length: 83
	HTTP/1.1 204 No Content
	Content-Length: 0
	Date: Sun, 21 Feb 2021 19:24:32 GMT
	
14:24:32.600501 IP (tos 0x0, ttl 57, id 42493, offset 0, flags [none], proto TCP (6), length 135)
    172.217.164.227.80 > 192.168.10.242.46976: Flags [P.], cksum 0x6bc0 (correct), seq 1:84, ack 312, win 269, options [nop,nop,TS val 4168670677 ecr 37236879], length 83: HTTP, length: 83
	HTTP/1.1 204 No Content
	Content-Length: 0
	Date: Sun, 21 Feb 2021 19:24:32 GMT
	
14:24:32.600503 IP (tos 0x0, ttl 57, id 42493, offset 0, flags [none], proto TCP (6), length 135)
    172.217.164.227.80 > 192.168.10.242.46976: Flags [P.], cksum 0x6bc0 (correct), seq 1:84, ack 312, win 269, options [nop,nop,TS val 4168670677 ecr 37236879], length 83: HTTP, length: 83
	HTTP/1.1 204 No Content
	Content-Length: 0
	Date: Sun, 21 Feb 2021 19:24:32 GMT
	
14:24:32.602066 IP (tos 0x0, ttl 64, id 36047, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.10.242.46976 > 172.217.164.227.80: Flags [.], cksum 0x7300 (correct), ack 84, win 1369, options [nop,nop,TS val 37236882 ecr 4168670677], length 0
14:24:32.602066 IP (tos 0x0, ttl 64, id 36047, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.10.242.46976 > 172.217.164.227.80: Flags [.], cksum 0x7300 (correct), ack 84, win 1369, options [nop,nop,TS val 37236882 ecr 4168670677], length 0
14:24:32.602091 IP (tos 0x0, ttl 63, id 36047, offset 0, flags [DF], proto TCP (6), length 52)
    135.23.172.137.46976 > 172.217.164.227.80: Flags [.], cksum 0x0afa (correct), ack 84, win 1369, options [nop,nop,TS val 37236882 ecr 4168670677], length 0
14:24:32.808079 IP (tos 0x0, ttl 64, id 9572, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.10.187.47876 > 95.217.163.246.80: Flags [S], cksum 0xa49d (correct), seq 1086192453, win 64240, options [mss 1460,sackOK,TS val 1782216620 ecr 0,nop,wscale 7], length 0
14:24:32.808079 IP (tos 0x0, ttl 64, id 9572, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.10.187.47876 > 95.217.163.246.80: Flags [S], cksum 0xa49d (correct), seq 1086192453, win 64240, options [mss 1460,sackOK,TS val 1782216620 ecr 0,nop,wscale 7], length 0
14:24:32.808126 IP (tos 0x0, ttl 63, id 9572, offset 0, flags [DF], proto TCP (6), length 60)
    10.65.140.14.47876 > 95.217.163.246.80: Flags [S], cksum 0xda01 (correct), seq 1086192453, win 64240, options [mss 1380,sackOK,TS val 1782216620 ecr 0,nop,wscale 7], length 0
14:24:32.935436 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    95.217.163.246.80 > 10.65.140.14.47876: Flags [S.], cksum 0xa922 (correct), seq 4043048311, ack 1086192454, win 65160, options [mss 1380,sackOK,TS val 2575342913 ecr 1782216620,nop,wscale 7], length 0
14:24:32.935449 IP (tos 0x0, ttl 50, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    95.217.163.246.80 > 192.168.10.187.47876: Flags [S.], cksum 0x740e (correct), seq 4043048311, ack 1086192454, win 65160, options [mss 1380,sackOK,TS val 2575342913 ecr 1782216620,nop,wscale 7], length 0
14:24:32.935453 IP (tos 0x0, ttl 50, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    95.217.163.246.80 > 192.168.10.187.47876: Flags [S.], cksum 0x740e (correct), seq 4043048311, ack 1086192454, win 65160, options [mss 1380,sackOK,TS val 2575342913 ecr 1782216620,nop,wscale 7], length 0
14:24:32.960759 IP (tos 0x0, ttl 64, id 9573, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.10.187.47876 > 95.217.163.246.80: Flags [.], cksum 0x9e7a (correct), ack 1, win 502, options [nop,nop,TS val 1782216783 ecr 2575342913], length 0
14:24:32.960759 IP (tos 0x0, ttl 64, id 9573, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.10.187.47876 > 95.217.163.246.80: Flags [.], cksum 0x9e7a (correct), ack 1, win 502, options [nop,nop,TS val 1782216783 ecr 2575342913], length 0
14:24:32.960786 IP (tos 0x0, ttl 63, id 9573, offset 0, flags [DF], proto TCP (6), length 52)
    10.65.140.14.47876 > 95.217.163.246.80: Flags [.], cksum 0xd38e (correct), ack 1, win 502, options [nop,nop,TS val 1782216783 ecr 2575342913], length 0
14:24:32.960761 IP (tos 0x0, ttl 64, id 9574, offset 0, flags [DF], proto TCP (6), length 147)
    192.168.10.187.47876 > 95.217.163.246.80: Flags [P.], cksum 0xa44c (correct), seq 1:96, ack 1, win 502, options [nop,nop,TS val 1782216783 ecr 2575342913], length 95: HTTP, length: 95
	GET /check_network_status.txt HTTP/1.1
	Host: archlinux.org
	Accept: */*
	Connection: close
	
14:24:32.960761 IP (tos 0x0, ttl 64, id 9574, offset 0, flags [DF], proto TCP (6), length 147)
    192.168.10.187.47876 > 95.217.163.246.80: Flags [P.], cksum 0xa44c (correct), seq 1:96, ack 1, win 502, options [nop,nop,TS val 1782216783 ecr 2575342913], length 95: HTTP, length: 95
	GET /check_network_status.txt HTTP/1.1
	Host: archlinux.org
	Accept: */*
	Connection: close
	
14:24:32.960803 IP (tos 0x0, ttl 63, id 9574, offset 0, flags [DF], proto TCP (6), length 147)
    10.65.140.14.47876 > 95.217.163.246.80: Flags [P.], cksum 0xd960 (correct), seq 1:96, ack 1, win 502, options [nop,nop,TS val 1782216783 ecr 2575342913], length 95: HTTP, length: 95
	GET /check_network_status.txt HTTP/1.1
	Host: archlinux.org
	Accept: */*
	Connection: close
	
14:24:33.089990 IP (tos 0x0, ttl 51, id 46768, offset 0, flags [DF], proto TCP (6), length 52)
    95.217.163.246.80 > 10.65.140.14.47876: Flags [.], cksum 0xd28d (correct), ack 96, win 509, options [nop,nop,TS val 2575343068 ecr 1782216783], length 0
14:24:33.090005 IP (tos 0x0, ttl 50, id 46768, offset 0, flags [DF], proto TCP (6), length 52)
    95.217.163.246.80 > 192.168.10.187.47876: Flags [.], cksum 0x9d79 (correct), ack 96, win 509, options [nop,nop,TS val 2575343068 ecr 1782216783], length 0
14:24:33.090009 IP (tos 0x0, ttl 50, id 46768, offset 0, flags [DF], proto TCP (6), length 52)
    95.217.163.246.80 > 192.168.10.187.47876: Flags [.], cksum 0x9d79 (correct), ack 96, win 509, options [nop,nop,TS val 2575343068 ecr 1782216783], length 0
14:24:33.090022 IP (tos 0x0, ttl 51, id 46769, offset 0, flags [DF], proto TCP (6), length 255)
    95.217.163.246.80 > 10.65.140.14.47876: Flags [P.], cksum 0x519a (correct), seq 1:204, ack 96, win 509, options [nop,nop,TS val 2575343068 ecr 1782216783], length 203: HTTP, length: 203
	HTTP/1.1 200 OK
	Server: nginx
	Date: Sun, 21 Feb 2021 19:24:33 GMT
	Content-Type: text/plain
	Content-Length: 24
	Connection: close
	Cache-Control: max-age=0, must-revalidate
	
	NetworkManager is online[!http]
14:24:33.090029 IP (tos 0x0, ttl 50, id 46769, offset 0, flags [DF], proto TCP (6), length 255)
    95.217.163.246.80 > 192.168.10.187.47876: Flags [P.], cksum 0x1c86 (correct), seq 1:204, ack 96, win 509, options [nop,nop,TS val 2575343068 ecr 1782216783], length 203: HTTP, length: 203
	HTTP/1.1 200 OK
	Server: nginx
	Date: Sun, 21 Feb 2021 19:24:33 GMT
	Content-Type: text/plain
	Content-Length: 24
	Connection: close
	Cache-Control: max-age=0, must-revalidate
	
	NetworkManager is online[!http]
14:24:33.090032 IP (tos 0x0, ttl 50, id 46769, offset 0, flags [DF], proto TCP (6), length 255)
    95.217.163.246.80 > 192.168.10.187.47876: Flags [P.], cksum 0x1c86 (correct), seq 1:204, ack 96, win 509, options [nop,nop,TS val 2575343068 ecr 1782216783], length 203: HTTP, length: 203
	HTTP/1.1 200 OK
	Server: nginx
	Date: Sun, 21 Feb 2021 19:24:33 GMT
	Content-Type: text/plain
	Content-Length: 24
	Connection: close
	Cache-Control: max-age=0, must-revalidate
	
	NetworkManager is online[!http]
14:24:33.090252 IP (tos 0x0, ttl 51, id 46770, offset 0, flags [DF], proto TCP (6), length 52)
    95.217.163.246.80 > 10.65.140.14.47876: Flags [F.], cksum 0xd1c1 (correct), seq 204, ack 96, win 509, options [nop,nop,TS val 2575343068 ecr 1782216783], length 0
14:24:33.090260 IP (tos 0x0, ttl 50, id 46770, offset 0, flags [DF], proto TCP (6), length 52)
    95.217.163.246.80 > 192.168.10.187.47876: Flags [F.], cksum 0x9cad (correct), seq 204, ack 96, win 509, options [nop,nop,TS val 2575343068 ecr 1782216783], length 0

14:24:34.592490 IP (tos 0x20, ttl 64, id 13251, offset 0, flags [DF], proto TCP (6), length 232)
    192.168.10.228.33145 > 158.69.124.83.443: Flags [P.], cksum 0xf8ad (correct), seq 1:193, ack 1, win 64240, length 192
14:24:34.592490 IP (tos 0x20, ttl 64, id 13251, offset 0, flags [DF], proto TCP (6), length 232)
    192.168.10.228.33145 > 158.69.124.83.443: Flags [P.], cksum 0xf8ad (correct), seq 1:193, ack 1, win 64240, length 192
14:24:34.592510 IP (tos 0x20, ttl 63, id 13251, offset 0, flags [DF], proto TCP (6), length 232)
    10.65.140.14.33145 > 158.69.124.83.443: Flags [P.], cksum 0x2deb (correct), seq 1:193, ack 1, win 64240, length 192
14:24:34.618681 IP (tos 0x18, ttl 55, id 16458, offset 0, flags [DF], proto TCP (6), length 40)
    158.69.124.83.443 > 10.65.140.14.33145: Flags [.], cksum 0xc28a (correct), ack 193, win 42708, length 0
14:24:34.618693 IP (tos 0x18, ttl 54, id 16458, offset 0, flags [DF], proto TCP (6), length 40)
    158.69.124.83.443 > 192.168.10.228.33145: Flags [.], cksum 0x8d4d (correct), ack 193, win 42708, length 0
14:24:34.618696 IP (tos 0x18, ttl 54, id 16458, offset 0, flags [DF], proto TCP (6), length 40)
    158.69.124.83.443 > 192.168.10.228.33145: Flags [.], cksum 0x8d4d (correct), ack 193, win 42708, length 0
14:24:34.618698 IP (tos 0x18, ttl 54, id 16458, offset 0, flags [DF], proto TCP (6), length 40)
    158.69.124.83.443 > 192.168.10.228.33145: Flags [.], cksum 0x8d4d (correct), ack 193, win 42708, length 0
14:24:34.618710 IP (tos 0x18, ttl 55, id 16459, offset 0, flags [DF], proto TCP (6), length 40)
    158.69.124.83.443 > 10.65.140.14.33145: Flags [F.], cksum 0xc289 (correct), seq 1, ack 193, win 42708, length 0
14:24:34.618718 IP (tos 0x18, ttl 54, id 16459, offset 0, flags [DF], proto TCP (6), length 40)
    158.69.124.83.443 > 192.168.10.228.33145: Flags [F.], cksum 0x8d4c (correct), seq 1, ack 193, win 42708, length 0
14:24:34.618720 IP (tos 0x18, ttl 54, id 16459, offset 0, flags [DF], proto TCP (6), length 40)
    158.69.124.83.443 > 192.168.10.228.33145: Flags [F.], cksum 0x8d4c (correct), seq 1, ack 193, win 42708, length 0
14:24:34.618722 IP (tos 0x18, ttl 54, id 16459, offset 0, flags [DF], proto TCP (6), length 40)
    158.69.124.83.443 > 192.168.10.228.33145: Flags [F.], cksum 0x8d4c (correct), seq 1, ack 193, win 42708, length 0
14:24:34.619396 IP (tos 0x20, ttl 64, id 13252, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.10.228.33145 > 158.69.124.83.443: Flags [F.], cksum 0x3930 (correct), seq 193, ack 2, win 64239, length 0
14:24:34.619396 IP (tos 0x20, ttl 64, id 13252, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.10.228.33145 > 158.69.124.83.443: Flags [F.], cksum 0x3930 (correct), seq 193, ack 2, win 64239, length 0
14:24:34.619420 IP (tos 0x20, ttl 63, id 13252, offset 0, flags [DF], proto TCP (6), length 40)
    10.65.140.14.33145 > 158.69.124.83.443: Flags [F.], cksum 0x6e6d (correct), seq 193, ack 2, win 64239, length 0
14:24:34.641344 IP (tos 0x18, ttl 55, id 16460, offset 0, flags [DF], proto TCP (6), length 40)
    158.69.124.83.443 > 10.65.140.14.33145: Flags [.], cksum 0xc289 (correct), ack 194, win 42707, length 0
14:24:34.641355 IP (tos 0x18, ttl 54, id 16460, offset 0, flags [DF], proto TCP (6), length 40)
    158.69.124.83.443 > 192.168.10.228.33145: Flags [.], cksum 0x8d4c (correct), ack 194, win 42707, length 0
14:24:34.641358 IP (tos 0x18, ttl 54, id 16460, offset 0, flags [DF], proto TCP (6), length 40)
    158.69.124.83.443 > 192.168.10.228.33145: Flags [.], cksum 0x8d4c (correct), ack 194, win 42707, length 0
14:24:34.641361 IP (tos 0x18, ttl 54, id 16460, offset 0, flags [DF], proto TCP (6), length 40)
    158.69.124.83.443 > 192.168.10.228.33145: Flags [.], cksum 0x8d4c (correct), ack 194, win 42707, length 0
14:24:35.190052 IP (tos 0x0, ttl 58, id 36555, offset 0, flags [DF], proto TCP (6), length 67)
    104.26.10.153.443 > 10.65.140.14.34434: Flags [P.], cksum 0x398a (correct), seq 3674478800:3674478827, ack 2884301206, win 71, length 27
14:24:35.190070 IP (tos 0x0, ttl 57, id 36555, offset 0, flags [DF], proto TCP (6), length 67)
    104.26.10.153.443 > 192.168.10.152.34434: Flags [P.], cksum 0x0499 (correct), seq 3674478800:3674478827, ack 2884301206, win 71, length 27
14:24:35.190075 IP (tos 0x0, ttl 57, id 36555, offset 0, flags [DF], proto TCP (6), length 67)
    104.26.10.153.443 > 192.168.10.152.34434: Flags [P.], cksum 0x0499 (correct), seq 0:27, ack 1, win 71, length 27
14:24:35.190077 IP (tos 0x0, ttl 57, id 36555, offset 0, flags [DF], proto TCP (6), length 67)
    104.26.10.153.443 > 192.168.10.152.34434: Flags [P.], cksum 0x0499 (correct), seq 0:27, ack 1, win 71, length 27
14:24:35.190683 IP (tos 0x0, ttl 64, id 19257, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.10.152.34434 > 104.26.10.153.443: Flags [.], cksum 0x563d (correct), ack 27, win 501, length 0
14:24:35.190683 IP (tos 0x0, ttl 64, id 19257, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.10.152.34434 > 104.26.10.153.443: Flags [.], cksum 0x563d (correct), ack 27, win 501, length 0
14:24:35.190708 IP (tos 0x0, ttl 63, id 19257, offset 0, flags [DF], proto TCP (6), length 40)
    10.65.140.14.34434 > 104.26.10.153.443: Flags [.], cksum 0x8b2e (correct), ack 27, win 501, length 0
14:24:35.253798 IP (tos 0x0, ttl 244, id 41584, offset 0, flags [none], proto TCP (6), length 40)
    51.222.143.1.36574 > 135.23.172.137.80: Flags [S], cksum 0x498a (correct), seq 1770610768, win 5840, length 0
14:24:35.253836 IP (tos 0x0, ttl 243, id 41584, offset 0, flags [none], proto TCP (6), length 40)
    51.222.143.1.36574 > 192.168.10.228.80: Flags [S], cksum 0xb19e (correct), seq 1770610768, win 5840, length 0
14:24:35.253840 IP (tos 0x0, ttl 243, id 41584, offset 0, flags [none], proto TCP (6), length 40)
    51.222.143.1.36574 > 192.168.10.228.80: Flags [S], cksum 0xb19e (correct), seq 1770610768, win 5840, length 0
14:24:35.253842 IP (tos 0x0, ttl 243, id 41584, offset 0, flags [none], proto TCP (6), length 40)
    51.222.143.1.36574 > 192.168.10.228.80: Flags [S], cksum 0xb19e (correct), seq 1770610768, win 5840, length 0
14:24:35.254475 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    192.168.10.228.80 > 51.222.143.1.36574: Flags [S.], cksum 0xda7d (correct), seq 3729063149, ack 1770610769, win 64240, options [mss 1460], length 0
14:24:35.254475 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    192.168.10.228.80 > 51.222.143.1.36574: Flags [S.], cksum 0xda7d (correct), seq 3729063149, ack 1770610769, win 64240, options [mss 1460], length 0
14:24:35.254499 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    135.23.172.137.80 > 51.222.143.1.36574: Flags [S.], cksum 0x7269 (correct), seq 3729063149, ack 1770610769, win 64240, options [mss 1460], length 0
14:24:35.369840 IP (tos 0x0, ttl 244, id 51318, offset 0, flags [none], proto TCP (6), length 40)
    51.222.143.1.11265 > 135.23.172.137.80: Flags [S], cksum 0x94e8 (correct), seq 898477003, win 5840, length 0
14:24:35.369876 IP (tos 0x0, ttl 243, id 51318, offset 0, flags [none], proto TCP (6), length 40)
    51.222.143.1.11265 > 192.168.10.228.80: Flags [S], cksum 0xfcfc (correct), seq 898477003, win 5840, length 0
14:24:35.369880 IP (tos 0x0, ttl 243, id 51318, offset 0, flags [none], proto TCP (6), length 40)
    51.222.143.1.11265 > 192.168.10.228.80: Flags [S], cksum 0xfcfc (correct), seq 898477003, win 5840, length 0
14:24:35.369882 IP (tos 0x0, ttl 243, id 51318, offset 0, flags [none], proto TCP (6), length 40)
    51.222.143.1.11265 > 192.168.10.228.80: Flags [S], cksum 0xfcfc (correct), seq 898477003, win 5840, length 0
14:24:35.370518 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    192.168.10.228.80 > 51.222.143.1.11265: Flags [S.], cksum 0x7253 (correct), seq 1411332764, ack 898477004, win 64240, options [mss 1460], length 0
14:24:35.370518 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    192.168.10.228.80 > 51.222.143.1.11265: Flags [S.], cksum 0x7253 (correct), seq 1411332764, ack 898477004, win 64240, options [mss 1460], length 0
14:24:35.370540 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    135.23.172.137.80 > 51.222.143.1.11265: Flags [S.], cksum 0x0a3f (correct), seq 1411332764, ack 898477004, win 64240, options [mss 1460], length 0
14:24:35.414821 IP (tos 0x0, ttl 118, id 30438, offset 0, flags [none], proto TCP (6), length 60)
    66.130.90.10.52120 > 135.23.172.137.443: Flags [S], cksum 0x0679 (correct), seq 1389895784, win 65535, options [mss 1460,sackOK,TS val 1559221205 ecr 0,nop,wscale 8], length 0
14:24:35.414865 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    135.23.172.137.443 > 66.130.90.10.52120: Flags [R.], cksum 0xd047 (incorrect -> 0x9f0e), seq 0, ack 1389895785, win 0, length 0
14:24:36.145288 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    192.168.10.228.80 > 51.222.143.1.31943: Flags [S.], cksum 0x2386 (correct), seq 3667061291, ack 734559637, win 64240, options [mss 1460], length 0
14:24:36.145288 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    192.168.10.228.80 > 51.222.143.1.31943: Flags [S.], cksum 0x2386 (correct), seq 3667061291, ack 734559637, win 64240, options [mss 1460], length 0
14:24:36.145315 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    135.23.172.137.80 > 51.222.143.1.31943: Flags [S.], cksum 0xbb71 (correct), seq 3667061291, ack 734559637, win 64240, options [mss 1460], length 0
14:24:36.245910 IP (tos 0x0, ttl 64, id 57352, offset 0, flags [DF], proto TCP (6), length 98)
    192.168.10.152.44054 > 151.101.126.110.443: Flags [P.], cksum 0x030a (correct), seq 1889102919:1889102965, ack 1874420010, win 501, options [nop,nop,TS val 2938340480 ecr 843237132], length 46
14:24:36.245910 IP (tos 0x0, ttl 64, id 57352, offset 0, flags [DF], proto TCP (6), length 98)
  
	HEAD /generate_204 HTTP/1.1
	Host: connectivitycheck.gstatic.com
	Connection: keep-alive
	User-Agent: Mozilla/5.0 (Linux; Android 8.0; Build/OPR2.170623.027.S25) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.57 Safari/537.36 CrKey/1.50.228700
	Accept-Encoding: gzip, deflate
	Accept-Language: en-US
	
14:24:40.022292 IP (tos 0x0, ttl 64, id 36048, offset 0, flags [DF], proto TCP (6), length 364)
    192.168.10.242.46976 > 172.217.164.227.80: Flags [P.], cksum 0x8b1a (correct), seq 312:624, ack 84, win 1369, options [nop,nop,TS val 37238366 ecr 4168670677], length 312: HTTP, length: 312
	HEAD /generate_204 HTTP/1.1
	Host: connectivitycheck.gstatic.com
	Connection: keep-alive
	User-Agent: Mozilla/5.0 (Linux; Android 8.0; Build/OPR2.170623.027.S25) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.57 Safari/537.36 CrKey/1.50.228700
	Accept-Encoding: gzip, deflate
	Accept-Language: en-US
	
14:24:40.022313 IP (tos 0x0, ttl 63, id 36048, offset 0, flags [DF], proto TCP (6), length 364)
    135.23.172.137.46976 > 172.217.164.227.80: Flags [P.], cksum 0x2314 (correct), seq 312:624, ack 84, win 1369, options [nop,nop,TS val 37238366 ecr 4168670677], length 312: HTTP, length: 312
	HEAD /generate_204 HTTP/1.1
	Host: connectivitycheck.gstatic.com
	Connection: keep-alive
	User-Agent: Mozilla/5.0 (Linux; Android 8.0; Build/OPR2.170623.027.S25) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.57 Safari/537.36 CrKey/1.50.228700
	Accept-Encoding: gzip, deflate
	Accept-Language: en-US
	


I'm not sure what it means. I ran the command before getting my son to try and connect from outside the lan but could not make any sense of it.

Any insight would be much appreciated.

Thanks.

bdika


It looks like the request can reach the server but the reply is lost.

Collect the output and post it to pastebin.com redacting the private parts:

ubus call system board; uci show network; uci show firewall; \
uci show vpn-policy-routing; /etc/init.d/vpn-policy-routing support; \
ip address show; ip route show table all; ip rule show; iptables-save
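To make the reading of the capture above ("the request can reach the server but the reply is lost") checkable rather than eyeballed, here is an added Python script, not from the thread, that walks a `tcpdump -vn` dump and follows each external client's connection through the DNAT to the internal server and back out. The sample lines are copied from the capture posted above, and the WAN address 135.23.172.137 and server 192.168.10.228 are taken from the thread; the stage names and verdict texts are this script's own.

```python
import re
from collections import defaultdict

# Flow line of `tcpdump -vn` output: "src.sport > dst.dport: Flags [X], ..."
# Header lines ("14:24:35.253798 IP (tos ...)") do not match and are skipped.
FLOW_RE = re.compile(
    r"^\s*(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Lines copied from the capture posted in this thread: one port-80 handshake
# that is DNATed to the internal server, and one port-443 SYN the router resets.
SAMPLE = """\
14:24:35.253798 IP (tos 0x0, ttl 244, id 41584, offset 0, flags [none], proto TCP (6), length 40)
    51.222.143.1.36574 > 135.23.172.137.80: Flags [S], cksum 0x498a (correct), seq 1770610768, win 5840, length 0
14:24:35.253836 IP (tos 0x0, ttl 243, id 41584, offset 0, flags [none], proto TCP (6), length 40)
    51.222.143.1.36574 > 192.168.10.228.80: Flags [S], cksum 0xb19e (correct), seq 1770610768, win 5840, length 0
14:24:35.254475 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    192.168.10.228.80 > 51.222.143.1.36574: Flags [S.], cksum 0xda7d (correct), seq 3729063149, ack 1770610769, win 64240, options [mss 1460], length 0
14:24:35.254499 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    135.23.172.137.80 > 51.222.143.1.36574: Flags [S.], cksum 0x7269 (correct), seq 3729063149, ack 1770610769, win 64240, options [mss 1460], length 0
14:24:35.414821 IP (tos 0x0, ttl 118, id 30438, offset 0, flags [none], proto TCP (6), length 60)
    66.130.90.10.52120 > 135.23.172.137.443: Flags [S], cksum 0x0679 (correct), seq 1389895784, win 65535, options [mss 1460,sackOK,TS val 1559221205 ecr 0,nop,wscale 8], length 0
14:24:35.414865 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    135.23.172.137.443 > 66.130.90.10.52120: Flags [R.], cksum 0xd047 (incorrect -> 0x9f0e), seq 0, ack 1389895785, win 0, length 0
"""


def parse_packets(capture: str):
    """Yield (src, sport, dst, dport, flags) for every flow line in the dump.
    With `-i any` the same packet shows up once per interface; the caller
    collects stages in sets, so those repeats are harmless."""
    for line in capture.splitlines():
        m = FLOW_RE.match(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def trace_inbound(capture: str, wan_ip: str, lan_server: str, port: int = 80):
    """Follow each external client's connection to wan_ip:port through the
    PREROUTING DNAT to lan_server:port and back.  Returns a mapping
    {(client_ip, client_port): set of stage names seen}."""
    stages = defaultdict(set)
    for src, sport, dst, dport, flags in parse_packets(capture):
        syn, ack, rst = "S" in flags, "." in flags, "R" in flags
        if dst == wan_ip and dport == port and syn and not ack:
            stages[(src, sport)].add("syn_wan")        # SYN arrived on the WAN address
        elif dst == lan_server and dport == port and syn and not ack:
            stages[(src, sport)].add("syn_dnat")       # DNAT rewrote the destination
        elif src == lan_server and sport == port and syn and ack:
            stages[(dst, dport)].add("synack_lan")     # internal server answered
        elif src == wan_ip and sport == port and syn and ack:
            stages[(dst, dport)].add("synack_wan")     # reply un-NATed and sent out
        elif src == wan_ip and sport == port and rst:
            stages[(dst, dport)].add("rst_wan")        # router itself refused the SYN
        elif dst == wan_ip and dport == port and ack and not syn:
            stages[(src, sport)].add("ack_wan")        # client's ACK: handshake done
    return dict(stages)


def verdict(stages: set) -> str:
    """Name the first hop at which a connection's handshake went missing."""
    if "ack_wan" in stages:
        return "complete"
    if "rst_wan" in stages:
        return "rejected by router (no DNAT/accept rule for this port)"
    if "syn_wan" not in stages:
        return "no inbound SYN seen"
    if "syn_dnat" not in stages:
        return "DNAT not applied"
    if "synack_lan" not in stages:
        return "server did not answer (nothing listening or host firewall)"
    if "synack_wan" not in stages:
        return "reply not forwarded back to WAN"
    return "reply left the router but client never ACKed (reply lost upstream)"


def report(capture: str, wan_ip: str, lan_server: str, port: int = 80) -> dict:
    """Per-connection verdicts keyed by 'client_ip:client_port'."""
    return {f"{c}:{p}": verdict(s)
            for (c, p), s in trace_inbound(capture, wan_ip, lan_server, port).items()}


if __name__ == "__main__":
    for port in (80, 443):
        for conn, v in report(SAMPLE, "135.23.172.137", "192.168.10.228", port).items():
            print(f"port {port} {conn}: {v}")
```

Run it on a full capture taken while someone connects from outside; a connection that stops at "synack_wan" confirms the reply is leaving the router but not arriving, which points at the path back to the client (for example a VPN or policy route) rather than at the firewall or the server.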

Hi vgaetera:

First of all, thank you for having patience with me. I have been quite busy lately and am not a computer professional.

I wasn't sure if I had to generate the output of your latest commands while trying to access my website from outside the lan or not. The attached output was generated by entering your commands but not while someone was trying to access the site from outside of the lan.

I wasn't sure what to redact, but I redacted most of the ip numbers. If I have redacted too much or not enough, please let me know.

Again, thank you for your help.

bdika

This might be a daft question - forgive me if so - but when this was working previously, was it with this very same router, with this very same configuration?

Is there any chance that uhttpd on the router itself might be intercepting the external queries to 80/tcp and 443/tcp?

If uhttpd is bound to 0.0.0.0, does it override DNAT if there's a conflict, or does it give way to DNAT?

@iplaywithtoys

Thanks for the reply.

The same router definitely. The very same configuration (yes as far as I remember) but I was using NO-IP when it was working.

Sorry but I don't know or really understand this. How can I go about testing and responding back to you?

Thanks.

bdika

What is the output of iptables-save -c -t nat | grep DNAT ?


Also, what are the outputs of netstat -anp | grep :80 and netstat -anp | grep :443 ?

@trendy

This is the output:

[0:0] -A zone_lan_prerouting -s 192.168.10.0/24 -d 135.23.172.137/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: gateway80 (reflection)" -j DNAT --to-destination 192.168.10.228:80
[2665:107708] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: gateway80" -j DNAT --to-destination 192.168.10.228:80

@iplaywithtoys

This is the output:

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2374/uhttpd
tcp        0      0 :::80                   :::*                    LISTEN      2374/uhttpd

and

Here is the output:

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2374/uhttpd
tcp        0      0 :::443                  :::*                    LISTEN      2374/uhttpd

Thanks.

bdika

At the moment your router listens on ports 80 and 443 on all interfaces, even the WAN interface. That's what the 0.0.0.0:80 and 0.0.0.0:443 entries mean. I believe that might be interfering with your attempts to open port 80 inbound. If you limit uhttpd to listening solely on the LAN interface, and not the WAN interface, it should - all being well - allow inbound traffic on ports 80 and 443 to your internal server.

I'm going to hazard a guess that your router's LAN interface is on 192.168.10.1. If my guess is wrong, feel free to replace the IP address with the correct one.

I reckon your /etc/config/uhttpd probably starts like this:

        # HTTP listen addresses, multiple allowed
        list listen_http        0.0.0.0:80
        list listen_http        [::]:80

        # HTTPS listen addresses, multiple allowed
        list listen_https       0.0.0.0:443
        list listen_https       [::]:443

If you change those lines to the following (remembering to change the IP address if my guess is wrong), and restart uhttpd, it might do the trick:

        # HTTP listen addresses, multiple allowed
        list listen_http        192.168.10.1:80
        list listen_http        [::]:80

        # HTTPS listen addresses, multiple allowed
        list listen_https       192.168.10.1:443
        list listen_https       [::]:443

To restart uhttpd from the command line, issue the command /etc/init.d/uhttpd restart

@iplaywithtoys

I followed your instructions and something has changed. When I use the open port tool, it shows my external IP address as different than the one show above (135.xxxxxx). When I replace the external IP address with the one above (135.xxxxxx) and test port 80, it says it is open! But when I try port 443 it says it is closed. I want to reboot my router but I can't right now because of other people in the household depending on a steady internet connection. I will reboot it later tonight and see if anything changes.

I got my son to try and connect from outside my lan, with both http and https but no luck.

If you have any idea why my external IP is different than what is showing on my router (VPN?) or know why port 443 would show as closed, I would appreciate your knowledge.

Why was the change you suggested required? Did I inadvertently change something since using NO-IP?

In any case I will keep you posted.

Thank you very much.

bdika

Be very careful that you don't expose the OpenWRT admin web page to the Internet by mistake.

I've re-read what I wrote last night, and I realised I omitted something rather fundamental: an explanation of why OpenWRT listens on ports 80 and 443 already.

The default installation of OpenWRT opens both ports 80 and 443 for its own admin web page, which is why those 0.0.0.0:80/443 entries already exist. If you've changed one of those entries in /etc/config/uhttpd from what I suggested to your public-facing address instead, you risk opening your router's admin web page to the whole world.

Successful traffic flow requires three things:

  • A route ("where do I send this?")
  • A firewall rule ("is this permitted?")
  • Something at the other end listening for the traffic

That final point might be why port 443 is still closed. If you've altered my suggestions and used your public address where I suggest to use your router's LAN address, traffic might be hitting your router on port 443 and uhttpd might be trying to process it.

However, the default installation of OpenWRT does not include luci-ssl pre-installed, so any attempts to connect directly to the router's management web page via HTTPS (443/tcp) will fail. You can try it yourself on your router's LAN address:

If you want to manage your router via HTTPS, luci-ssl will be useful. If you want to allow inbound HTTPS traffic to a different server entirely, you don't need luci-ssl on OpenWRT.

To summarise: remember the difference between trying to connect directly to OpenWRT's own web server (which is used by OpenWRT for its own management) and trying to connect to a web server sitting on the network behind OpenWRT.


It doesn't matter as the DNAT rule in the PREROUTING chain changes the routing decision.
Moreover, interface/socket binding is best to avoid due to possible race conditions.
