Help opening the firewall to administer router from the internet

My goal is to be able to SSH or LuCI into my router from the internet, but securely, using my phone's MAC address only. I have a guest network that turns on/off via the WPS button and a web server. Firewall config included, but would it be a rule or a forward that I would use?

#> uci show firewall

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[0].forward='REJECT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].input='REJECT'
firewall.@rule[0]=rule
firewall.@rule[0].proto='tcp'
firewall.@rule[0].src_port='1234'
firewall.@rule[0].src='wan'
firewall.@rule[0].name='G8toSSH'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[0].dest_port='1234'
firewall.@rule[0].src_mac='MA:CA:DD:RE:SS'
firewall.@rule[0].enabled='0'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-DHCP-Renew'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='udp'
firewall.@rule[1].dest_port='68'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].family='ipv4'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-Ping'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='icmp'
firewall.@rule[2].icmp_type='echo-request'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[2].enabled='0'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-IGMP'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='igmp'
firewall.@rule[3].family='ipv4'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[3].enabled='0'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-DHCPv6'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='udp'
firewall.@rule[4].src_ip='fc00::/6'
firewall.@rule[4].dest_ip='fc00::/6'
firewall.@rule[4].dest_port='546'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-MLD'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].src_ip='fe80::/10'
firewall.@rule[5].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[5].enabled='0'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Input'
firewall.@rule[6].src='wan'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[6].enabled='0'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-ICMPv6-Forward'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='*'
firewall.@rule[7].proto='icmp'
firewall.@rule[7].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[7].limit='1000/sec'
firewall.@rule[7].family='ipv6'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[7].enabled='0'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-IPSec-ESP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].proto='esp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[8].enabled='0'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-ISAKMP'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest='lan'
firewall.@rule[9].dest_port='500'
firewall.@rule[9].proto='udp'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].enabled='0'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].name='guest'
firewall.@zone[2].masq='1'
firewall.@zone[2].network='guest'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].forward='REJECT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[0].src='guest'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[1].src='lan'
firewall.@rule[10]=rule
firewall.@rule[10].src='guest'
firewall.@rule[10].name='Block Guest to Guest [ISOLATE]'
firewall.@rule[10].target='REJECT'
firewall.@rule[10].dest='guest'
firewall.@rule[11]=rule
firewall.@rule[11].src='guest'
firewall.@rule[11].name='Disable Router Access [HTTP]'
firewall.@rule[11].dest_port='80'
firewall.@rule[11].target='REJECT'
firewall.@rule[12]=rule
firewall.@rule[12].src='guest'
firewall.@rule[12].name='Disable Router Access [HTTPS]'
firewall.@rule[12].dest_port='443'
firewall.@rule[12].target='REJECT'
firewall.@rule[13]=rule
firewall.@rule[13].src='guest'
firewall.@rule[13].name='Disable Router Access [SSh]'
firewall.@rule[13].target='REJECT'
firewall.@rule[13].dest_port='1234'
firewall.@rule[14]=rule
firewall.@rule[14].src='guest'
firewall.@rule[14].name='Disable Router Access [Telnet]'
firewall.@rule[14].dest_port='23'
firewall.@rule[14].target='REJECT'
firewall.@rule[15]=rule
firewall.@rule[15].name='Disable Guest LAN Access'
firewall.@rule[15].src='guest'
firewall.@rule[15].dest='lan'
firewall.@rule[15].target='REJECT'
firewall.@rule[15].proto='all'
firewall.@redirect[0]=redirect
firewall.@redirect[0].src='wan'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='G8'
firewall.@redirect[0].dest_port='1234'
firewall.@redirect[0].proto='tcp udp'
firewall.@redirect[0].src_dport='1234'
firewall.@redirect[0].src_mac='MA:CA:DD:RE:SS'
firewall.@redirect[0].dest_ip='192.168.1.1'
firewall.@redirect[0].enabled='0'
firewall.@redirect[1]=redirect
firewall.@redirect[1].src='wan'
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].dest_ip='192.168.1.111'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].dest_port='80'
firewall.@redirect[1].name='wan2port80'
firewall.@redirect[1].src_dport='80'
firewall.@redirect[1].proto='tcp'
firewall.@redirect[2]=redirect
firewall.@redirect[2].dest_port='1234'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].name='wan2port1234'
firewall.@redirect[2].src_dport='1234'
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].dest_ip='192.168.1.111'
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].proto='tcp'

Your phone's MAC address is not "visible" to your router when connecting over the internet.
There are different approaches to accomplish this.

  • Create a firewall (input) rule that allows connection to port 22 (ssh) and 443 (luci).
    But I don't recommend using the default ports.
    The ports can be changed/added in the configs (/etc/config/dropbear, /etc/config/uhttpd).
    Or use iptables for redirection.
    Use keyfiles instead of passwords for ssh.
    Use a port knocker (like knockd, for example) to open the ports only when actually needed.
  • Use a tunnel to directly connect to your internal network. (openVPN, wireguard)
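To make @shm0's point concrete against the posted config: the router never sees the phone's MAC across the internet, so a `src_mac` match on a WAN rule is no restriction at all. The following audit script is an added example (not from this thread or OpenWrt) that parses `uci show firewall` output and flags active WAN-facing entries; the embedded sample is constructed from the thread's dump, with the G8toSSH rule switched to enabled so the finding shows up.

```python
import re

# Constructed sample in the thread's `uci show` format; G8toSSH enabled here.
SAMPLE = """\
firewall.@rule[0]=rule
firewall.@rule[0].proto='tcp'
firewall.@rule[0].src='wan'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].dest_port='1234'
firewall.@rule[0].src_mac='MA:CA:DD:RE:SS'
firewall.@rule[0].enabled='1'
firewall.@rule[2]=rule
firewall.@rule[2].src='wan'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[2].enabled='0'
firewall.@redirect[1]=redirect
firewall.@redirect[1].src='wan'
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].dest_ip='192.168.1.111'
firewall.@redirect[1].dest_port='80'
firewall.@redirect[1].src_dport='80'
"""

LINE = re.compile(r"^firewall\.(@\w+\[\d+\])(?:\.(\w+))?=(.*)$")

def parse_uci(text):
    """Group lines into {section: {option: value}}; section type goes under '.type'."""
    sections = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        sec, opt, val = m.groups()
        sections.setdefault(sec, {})[opt or ".type"] = val.strip("'")
    return sections

def audit(sections):
    """Return (section, message) findings for enabled entries with src='wan'."""
    findings = []
    for sec, o in sections.items():
        if o.get("src") != "wan" or o.get("enabled", "1") == "0":
            continue  # only internet-facing, active entries matter here
        if "src_mac" in o:
            # The router only sees its upstream hop's MAC, never the phone's.
            findings.append((sec, "src_mac never matches on wan: no real restriction"))
        if o[".type"] == "rule" and o.get("target") == "ACCEPT":
            findings.append((sec, f"router input open on {o.get('proto', 'any')}/{o.get('dest_port', 'any')}"))
        if o[".type"] == "redirect" and o.get("target") == "DNAT":
            findings.append((sec, f"port {o.get('src_dport')} forwarded to {o.get('dest_ip')}:{o.get('dest_port')}"))
    return findings
```

Run it against the full dump from the question (`uci show firewall > fw.txt`, then `audit(parse_uci(open("fw.txt").read()))`) to list every port the WAN side can reach before deciding which to keep behind a VPN.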

I agree with @shm0 - a vpn tunnel is the best option. Actually quite easy to set up and gives you easy access to your router and your network as well as tunneling the internet through your home if you desire for security or geo reasons.