I have 4 vlans set up: wan, lan, wlan, and svclan. My daily use devices all live on lan and wlan, while my server and anything else internet-facing lives on svclan. I have several services already forwarded wan->svclan, lan->svclan, and wlan->svclan. I have to forward all three, otherwise I can't use my domain name to hit them from lan or wlan.
I want to set up nginx on the server and put all my web pages under subdomains. After changing LuCi to ports 8000 and 44300 and forwarding 80 and 443 lan->svclan, I could hit the nginx default page on my server using my domain name on my desktop. This immediately broke access to duckduckgo.com and several minutes later broke access to discord.com. At some point while troubleshooting, all websites stopped working. My phone is on wlan and had no issues. After deleting the port forwarding rules everything worked fine again, other than hitting nginx with my domain name.
Attached is a screenshot of my firewall config. What happened here? How can I forward 80 and 443 without breaking internet access?
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
Yes, these rules are necessary. Without them I have to use the server's IP address to access those services from lan and wlan. With them I can just use my domain name because it goes to the router and gets forwarded.
It looks like I forgot to put the offending 80 and 443 forwards back before capturing the config files. My apologies. If I leave them in I can't get HTTP/S to the internet, so I removed them immediately after taking the screenshot.
Yeah I don't know what's up with the WiFi stuff, I have the 5GHz one disabled and the 2.4GHz one works fine. It's kinda been a "don't touch it until it breaks" deal.
What do you want to have in terms of WiFi for each network? For each, your options are:
WiFi + Ethernet
dual band wifi (2.4G and 5G)
ethernet only
single band wifi only (2.4G or 5G)
But it is already broken... we can fix it if we know what you want to do.
You're using the rules incorrectly. Yes, it sorta works, but it's not really the right way to do it.
What is your intent?
You can set host/domain resolution in dnsmasq and/or use NAT reflection... both of which are better solutions than what you have going on right now.
I need to see the details of the rules you set up. Can you recreate them and then grab the firewall config? (You can delete them after you have the contents of the firewall file.)
So to be clear, this is the wrong approach to take. You should be using NAT reflection or adding a hostname to the dnsmasq so that it resolves as you desire.
At the end of the day I want to have svclan separated from lan/wlan. All my internet-facing devices should go on svclan and all the "general" devices (pc, phone, etc.) should go on lan/wlan. svclan is wired only and has its own port on the router. Traffic into svclan and responses out of it should be accepted from all other vlans, but traffic out of svclan should only be allowed to wan.
With Namecheap I have DNS pointing awesomecronk.com (and all subdomains) at my router's public IP, with the desired ports forwarded to my server on svclan. I want to be able to plug in factorio.awesomecronk.com:34251 or https://awesomecronk.com or whatever, whether I'm wired into lan or away from home. I do not want to have to use the server's local IP for services I have exposed to the internet when I'm at home.
I was going to set up DNS on my router to point at my server directly, but for one that would mean I have 2 totally different addresses provided depending on where I'm connected and I really don't want to deal with those potential headaches. For two, I could not seem to get my PC (Linux Mint 22) to use my router for DNS, no matter what I tried.
Also I am not super clear on how NAT reflection works or how I would set it up on OpenWrt. It was easier to just port forward.
Your configuration is not currently configured to provide this separation.
Is there any specific reason you are separating your lan from your wlan? Unless there is a good reason, this is usually a needless complication.
No problem.
This is easy to accomplish. But you're currently doing it in a way that doesn't make sense.
From outside, the subdomains can only really work with a web server (usually a reverse proxy); it won't work with most other services. Internally, though, you could easily specify the hosts that way.
Like I said, the correct and commonly used approach for this is NAT reflection and/or DNS based using your router's DNS configuration (dnsmasq).
This is why using NAT reflection is the best approach.
I haven't used Mint, but in almost all OSs, there are options for DNS... if they have a hardcoded DNS, there is probably a way to override it. If not, you'll be looking at more complex things like DNS hijacking and the like. Check Mint's documentation or forums or whatever for information about how to use your own DNS.
Port forwarding inside is the wrong approach, as I have described. NAT reflection is the way to do this... make sure it is enabled. And then you may need to do this:
Your configuration is not currently configured to provide this separation.
How so? I have the firewall rules set to not allow traffic from svclan to lan or wlan, aside from the ports I have forwarded. See the first screenshot. What did I do wrong?
Is there any specific reason you are separating your lan from your wlan? Unless there is a good reason, this is usually a needless complication.
The only reason lan and wlan are separate is because I went through a tutorial to set it up and didn't know they could be the same. I really don't have any specific reason why they can't be the same. I have just left them as is because my WiFi works. (Works as in devices can connect and work normally.)
NAT reflection is the way to do this... make sure it is enabled. And then you may need to do this:
I am reading through the thread you linked, thank you.
Even with the other issues raised, it still hasn't been addressed why the port 80 and 443 rules are breaking lan -> wan HTTP/S traffic. I thought port forwarding only interacted with traffic directed at the router itself.
Sorry... you're right. I thought I had seen forwarding stanzas allowing svclan > lan/wlan -- that was my mistake. So yes, your network isolation is fine.
The default configuration has the lan covering both Ethernet and WiFi. You just need to setup the WiFi parameters (SSID, encryption type, passphrase, country code, and then enable it). It will generally make things easier to have just a single lan.
I have decided to leave lan and wlan separate for now, I can address that later.
I looked at the port forwarding rule Factorio-wan (easy to test) and noticed that under Advanced Settings, Enable NAT Loopback was already checked. I added lan and wlan to the Reflection zones list and disabled the Factorio-lan and Factorio-wlan rules. No access to factorio.awesomecronk.com from lan.
I started looking at promiscuous mode after that and, best I can tell, it's part of the interface settings. I cannot find it. I did find some things that suggest that it's not supported on all hardware, but I'm not sure about that.
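Added example, not something posted in the thread or taken from the OP's config files: the UCI stanzas below show why an unscoped lan->svclan redirect on port 80 catches all of lan's outbound web traffic (the question about the 80/443 rules breaking lan -> wan HTTP/S above), and the NAT-reflection and dnsmasq approaches the replies recommend instead. The server address 192.168.30.10 and the router's lan address 192.168.1.1 are constructed.

```uci
# /etc/config/firewall
#
# A DNAT redirect with no src_dip has no destination-address match, so it
# catches EVERY tcp/80 packet entering from the 'src' zone, whatever host it
# was sent to. That is how a lan->svclan forward on 80/443 sends all of lan's
# web traffic to the server. Scoping it to the router's own lan address is
# the minimal correction; the reflection stanza further down is the better one.
config redirect
	option name 'http-lan-scoped'
	option src 'lan'
	option src_dip '192.168.1.1'
	option src_dport '80'
	option dest 'svclan'
	option dest_ip '192.168.30.10'
	option dest_port '80'
	option proto 'tcp'
	option target 'DNAT'

# Recommended: a single wan-facing forward with NAT reflection (NAT loopback),
# limited to the zones whose clients should be hairpinned to the server.
config redirect
	option name 'https-wan'
	option src 'wan'
	option src_dport '443'
	option dest 'svclan'
	option dest_ip '192.168.30.10'
	option dest_port '443'
	option proto 'tcp'
	option target 'DNAT'
	option reflection '1'
	list reflection_zone 'lan'
	list reflection_zone 'wlan'

# /etc/config/dhcp (DNS-based alternative): dnsmasq answers the domain and
# every subdomain under it with the server's svclan address, so clients that
# use the router for DNS never leave the LAN at all.
config dnsmasq
	list address '/awesomecronk.com/192.168.30.10'
```

Reflection only rewrites packets addressed to the address actually configured on the wan interface, so it cannot work when the public DNS record resolves to an address held by an upstream NAT (e.g. an ISP modem/router or CGNAT); in that situation the dnsmasq entry is the approach that still works.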