Can't reach my server

Hi, need some help so I'm not going down the wrong rabbit hole :sweat_smile:

My setup:

  • OpenWrt (23.05) with my server on a DMZ
  • The server has a VPN for public connection
  • Only IPv4 while fault-finding

The server works fine from outside my LAN (and did for a while from the LAN), but now it seems like ports are blocked from the LAN!?

$ nmap -p 80 domain.tld
PORT   STATE  SERVICE
80/tcp closed http
$ nmap -p 443 domain.tld
PORT    STATE  SERVICE
443/tcp closed https

(The above works fine from the server through the VPN.)

Any ideas on where to look now would be much appreciated!

post your /etc/config/firewall


My /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        list network 'lan'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option output 'ACCEPT'
        list network 'LAN2'
        option input 'REJECT'
        option forward 'REJECT'
        option name 'DMZ'

config zone
        option name 'media'
        option output 'ACCEPT'
        list network 'Media'
        option forward 'REJECT'
        option input 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'zero'
        option input 'ACCEPT'
        option masq '1'
        list network 'ZT0'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option dest 'lan'
        option src 'zero'

config forwarding
        option dest 'wan'
        option src 'zero'

config forwarding
        option dest 'zero'
        option src 'lan'

config rule
        option dest_port '9993'
        option src '*'
        option name 'Allow-ZeroTier-Inbound'
        option target 'ACCEPT'
        list proto 'udp'

config forwarding
        option dest 'wan'
        option src 'media'

config rule
        option target 'ACCEPT'
        option dest_port '53'
        list proto 'tcp'
        list proto 'udp'
        option src 'DMZ'
        option name 'DMZ - DNS'
        option src_port '53'

config rule
        option dest_port '67 68'
        option target 'ACCEPT'
        option src 'DMZ'
        option name 'DMZ -  DHCP'
        option src_port '67 68'

config rule
        option src 'media'
        option target 'ACCEPT'
        option dest_port '53'
        option src_port '53'
        option name 'Media - DNS'

config rule
        option dest_port '67 68'
        option src 'media'
        option target 'ACCEPT'
        option src_port '67 68'
        option name 'Media - DHCP'

config forwarding
        option dest 'wan'
        option src 'DMZ'

config forwarding
        option src 'lan'
        option dest 'DMZ'

Thanks for the reply!

edit: updated firewall due to copy-paste failure

Where is the server located? Is it on one of the networks on your router, or is it somewhere else on the internet? If local, which network?

From where are you testing the connection to the server? Is the requesting machine on the router (which network) or outside on the internet?

Hi, and thanks for coming back to my issue!

It's on the router's "LAN2" (DMZ) as per above.

I have been testing from my "lan" as per above and from outside my router.
It works OK from outside but not from "lan".

Your lan2 does not have access to the internet. And there is no access allowed from lan1 to lan2.

Is that by design, or would you like help fixing that?

Well, I'm not sure if that is correct?
My "LAN2" has a connection to the internet and I can reach it from "lan", so maybe you can elaborate on this?

edit: Oops! I didn't copy the whole firewall settings, will update asap


That was very important in this case.

Let's see your /etc/config/network as well.

  • Can you elaborate on this?
  • Did you make any changes?

Indeed!! :innocent:

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'fd25:7e28:693d::/48'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.1'
        option device 'eth1'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0'

config interface 'wan6'
        option proto 'dhcpv6'
        option reqprefix 'auto'
        option reqaddress 'try'
        option device 'eth0'

config interface 'ZT0'
        option proto 'none'
        option device 'ztyxazj2by'

config route
        option target '192.168.10.0/24'
        option netmask '255.255.255.0'
        option interface 'lan'
        option gateway '192.168.1.2'

config route
        option target '192.168.11.0/24'
        option netmask '255.255.255.0'
        option interface 'lan'
        option gateway '192.168.1.2'
        option disabled '1'

config interface 'Media'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option device 'eth3'
        option ipaddr '192.168.4.1'

config interface 'LAN2'
        option proto 'static'
        option device 'eth2'
        option netmask '255.255.255.0'
        option ipaddr '192.168.3.1'
        option ip6assign '64'

I didn't make any change, to my knowledge??

Is the VPN the preferred gateway on the server? Specifically, if you run (on the server)

traceroute openwrt.org

what is the first hop? Is it 192.168.3.1? Or is it something else?

This is the output from within my server

$ traceroute openwrt.org
traceroute to openwrt.org (64.226.122.113), 30 hops max, 60 byte packets
 1  10.6.0.1 (10.6.0.1)  10.527 ms  10.532 ms  10.493 ms
 2  172.31.1.1 (172.31.1.1)  16.909 ms  16.891 ms  16.864 ms
 3  26600.your-cloud.host (65.108.117.241)  10.365 ms  10.321 ms  10.289 ms
 4  * * *
 5  spine1.cloud1.hel1.hetzner.com (88.198.254.105)  11.451 ms  11.646 ms  11.616 ms
 6  * * *
 7  core31.hel1.hetzner.com (213.239.228.1)  9.844 ms core31.hel1.hetzner.com (213.239.228.9)  9.804 ms core32.hel1.hetzner.com (213.239.228.13)  9.776 ms
 8  core52.sto.hetzner.com (213.239.254.58)  16.251 ms  16.467 ms  16.414 ms
 9  * * *
10  core10.ams.hetzner.com (213.239.224.117)  41.756 ms  36.346 ms  36.256 ms
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  wiki-03.infra.openwrt.org (64.226.122.113)  49.595 ms  44.000 ms  44.002 ms

This is the problem. The VPN on your server is configured such that it is the default gateway and the traffic that would arrive from your lan to the lan2 network is rejected.

The issue you're experiencing is not related to OpenWrt, but instead the VPN configuration on the server. To validate this, you can disable the VPN and ensure that the traceroute goes out 192.168.3.1 as would be expected. At that point, inter-vlan routing should work as expected (unless you have a local firewall that rejects connections from other subnets -- windows does this by default, so make sure you don't have a host-level firewall that can interfere with this).


Thanks @psherman !
Now it's a little over my skill level, so bear with me...
I did assume that the routing from lan to lan2/server was going via wan to the VPS/VPN and back.
So if I moved the server to lan, is that the solution, or what do you propose here?

It all depends on how the VPN is configured on the host. If it works when you move it back to your lan, problem solved! If not, or if you want the server to reside on that other network, you'll need to add routes to your server's operating system (or exclude them from the VPN tunnel) such that traffic on your local subnets can flow as expected.

As I suggested, if you simply disable/stop your VPN, you should be able to reach your server from your lan (assuming there is nothing else on that host which would prevent it).

[EDIT: The above would be a temporary disabling of the VPN to prove/disprove my assertion that the VPN is the problem.]

Another approach you could take would be to run the VPN on your router and establish the tunnel that way. You would use policy based routing to set the desired behaviors (i.e. server > VPN tunnel > VPS, maybe not everything else) -- based on your goals.

However, if the VPN is going to be running on the server itself, the specifics for resolving it on your server's OS/VPN configuration would be out of scope for the OpenWrt forums.


OK, after moving my server to lan (i.e. bridging eth1 and eth2) it works fine.

So this assumption was obviously wrong. ...how can I get knowledge in this, any documentation you can recommend?

As always, I find this forum very helpful !
Thanks!

I think your server has no knowledge about the lan, only about its own lan2.

What might work is adding a route on your server to route the lan subnet via the router; this should take precedence over the default route.

Maybe wait till @psherman can confirm if this has any chance of success


Very strange, now I'm having the same problem again :upside_down_face:

Server accessible from outside but not from LAN...
...not sure where to go next

The dig domain.tld command shows the correct external IP, and I can ping from the LAN.

I still believe that the issue is related to the VPN on the host. The ingress traffic is either not allowed or the related egress is going out through the VPN.

You need to either exclude the local subnets from your VPN tunnel or otherwise set static routes on the operating system of that host such that it routes traffic accordingly.

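To make the diagnosis above (replies from the server leave through the VPN tunnel instead of back to the router) and the proposed fix (a static route for the local subnets, or excluding them from the tunnel) concrete, here is an added example that is not from the thread or from any of the posters. It is a small longest-prefix-match lookup in POSIX sh that mimics the decision the Linux kernel makes for each packet the server sends, run against two constructed routing tables: one where the VPN client has installed itself as the preferred default route, and the same table with one extra route pinning the home LAN to the router. Interface names (eth0, tun0), metrics, the 10.6.0.1 tunnel gateway taken from the traceroute, and the client addresses 192.168.1.50 and 192.168.3.7 are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a longest-prefix-match route lookup that
# mimics what the Linux kernel does for each reply packet leaving the server.
# It shows why, with the VPN installed as default gateway, replies to LAN
# clients leave via the tunnel, and which single static route changes that.
#
# Assumed topology (modelled on the thread; names and metrics are assumptions):
#   eth0 = server NIC on LAN2, 192.168.3.0/24, router at 192.168.3.1
#   tun0 = VPN tunnel, remote gateway 10.6.0.1 (hop 1 in the traceroute)
#   lan  = 192.168.1.0/24 behind the same router
# Table format, one route per line: "prefix/len gateway dev metric"
# (gateway 0.0.0.0 means "directly connected").

ip2int() {
    # dotted quad -> 32-bit integer
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

route_for() {
    # route_for "<table>" <dst-ip>  -> prints "gateway dev" of the winning route
    table=$1
    dst=$(ip2int "$2")
    best_len=-1 best_metric=999999 best=""
    while read -r pfx gw dev metric; do
        [ -n "$pfx" ] || continue
        net=${pfx%/*}
        len=${pfx#*/}
        if [ "$len" -eq 0 ]; then
            mask=0
        else
            mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
        fi
        n=$(ip2int "$net")
        [ $(( dst & mask )) -eq $(( n & mask )) ] || continue
        # Longest prefix wins; on a tie the lowest metric wins, as the kernel does.
        if [ "$len" -gt "$best_len" ] ||
           { [ "$len" -eq "$best_len" ] && [ "$metric" -lt "$best_metric" ]; }; then
            best_len=$len best_metric=$metric best="$gw $dev"
        fi
    done <<EOF
$table
EOF
    printf '%s\n' "$best"
}

# Constructed table 1: VPN client up and installed as the preferred default route.
VPN_DEFAULT="0.0.0.0/0 10.6.0.1 tun0 50
0.0.0.0/0 192.168.3.1 eth0 100
10.6.0.0/24 0.0.0.0 tun0 0
192.168.3.0/24 0.0.0.0 eth0 0"

# Constructed table 2: the same, plus a static route pinning the home LAN to the router.
VPN_WITH_LAN_ROUTE="$VPN_DEFAULT
192.168.1.0/24 192.168.3.1 eth0 0"

demo() {
    echo "reply to LAN client, VPN default only:  $(route_for "$VPN_DEFAULT" 192.168.1.50)"
    echo "reply to LAN client, with LAN route:    $(route_for "$VPN_WITH_LAN_ROUTE" 192.168.1.50)"
    echo "reply to internet host, with LAN route: $(route_for "$VPN_WITH_LAN_ROUTE" 64.226.122.113)"
    echo "reply to LAN2 neighbour, either table:  $(route_for "$VPN_DEFAULT" 192.168.3.7)"
}

# On the real server the same two questions are answered with iproute2
# (as root; not executed by this script):
#   ip route get 192.168.1.50                              # which gateway/dev carries the reply
#   ip route add 192.168.1.0/24 via 192.168.3.1 dev eth0  # pin the home LAN to the router
demo
```

The first lookup is the failure mode from the thread: a SYN from 192.168.1.x arrives via the router on eth0, but the SYN-ACK is routed to 10.6.0.1 on tun0 because the only matching routes are the two defaults and the tunnel's has the lower metric. The /24 route in the second table is more specific than either default, so it wins regardless of metric, while internet-bound traffic still takes the tunnel. A route added with `ip route add` is lost on reboot and may be clobbered when the VPN client reconnects and reinstalls its routes, so the durable version is the "exclude from the tunnel" option the post mentions: for an OpenVPN client, `route 192.168.1.0 255.255.255.0 net_gateway` in the client config; for WireGuard, leave the local subnets out of `AllowedIPs`.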
