Help setting up webserver to be accessible from lan and wan

Installing and Using OpenWrt Network and Wireless Configuration
1

Hey all,

I'm trying to set up a Truenas scale server running micro-services in my house, and I'd really appreciate your help.

Server has static ip 10.0.0.55. It's the only device in vlan server, and in firewall zone server. The services (served by Traefik on port 443) should be accessible from the local network and remotely without the use of a VPN.
On the factory Netgear firmware this was pretty simple, but I can't see what needs to be done to get it working on OpenWrt 21.02.2.
I hope it's alright if I paste screenshots of the relevant pages in Luci, as I'm currently unable to ssh into the router.

Best Regards,
Sombrero

openwrt-static-ipv4-routes
openwrt-static-ipv4-routes1254×380 145 KB

openwrt-dhcp-dns
openwrt-dhcp-dns1512×1912 297 KB

openwrt_firewall_traffic-rules
openwrt_firewall_traffic-rules1102×1974 337 KB

openwrt_firewall_port_forwards
openwrt_firewall_port_forwards1904×886 173 KB

openwrt_firewall_forwards
openwrt_firewall_forwards1954×1434 265 KB

2

You do not need to create routes for locally accessible nodes.

Please, post your network interfaces, too.

2 Likes
3

Thank you for the clear-up, Eduperez. Since nothing else was working I figured I might as well try adding routes.
Here is the interface overview, and the advanced settings for SERVER interface. ROUTERCHAIN is a separate VLAN for an "untrusted" stock router in the network. Should I post more?

openwrt_interfaces_overview
openwrt_interfaces_overview892×1426 248 KB

openwrt_interfaces_server_adv
openwrt_interfaces_server_adv1426×1482 176 KB

4

as i understand zone forwardings column for wan should be blank and only output=accept by default. then if you want to allow something put it to exception list and manually add rules for example via the port forward tab. with this current setup any traffic from wan can access your router (=input accept) unfiltered which normally you would not want.

5

Thanks. I changed it so that for WAN, only output=accept

6

Finally back home with ssh access. Hope you it's easier for you to assist me with actual text config files:

cat /etc/config/firewall

config defaults
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option input 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option masq '1'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option name 'server'
	option src 'wan'
	option src_dport '443'
	option dest_port '443'
	option dest_ip '10.0.0.55'
	list proto 'tcp'
	option dest 'server'
	option reflection_src 'external'

config zone
	option name 'netgear'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	list device 'eth0.3'
	list network 'routerchain'
	option forward 'DROP'

config forwarding
	option src 'netgear'
	option dest 'lan'

config forwarding
	option src 'netgear'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'netgear'

config forwarding
	option src 'wan'
	option dest 'netgear'

config rule
	option src 'netgear'
	option target 'ACCEPT'
	list proto 'udp'
	option name 'routerchain-dhcp'
	option dest_port '67'

config rule
	option name 'routerchain-dns'
	list proto 'udp'
	option dest_port '53'
	option target 'ACCEPT'
	option src 'netgear'

config rule
	option name 'routerchain-ntp'
	list proto 'udp'
	option src 'netgear'
	option dest_port '123'
	option target 'ACCEPT'

config zone
	option name 'server'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'server'
	list device 'eth0.2'
	option masq '1'

config forwarding
	option src 'server'
	option dest 'lan'

config forwarding
	option src 'server'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'server'

config forwarding
	option src 'wan'
	option dest 'server'

config rule
	option name 'websecure-server'
	option src 'wan'
	option src_port '443'
	option dest 'server'
	list dest_ip '10.0.0.55'
	option dest_port '443'
	option target 'ACCEPT'

config rule
	option name 'local-dns'
	option src 'lan'
	option dest 'server'
	list dest_ip '10.0.0.55'
	option target 'ACCEPT'
	option dest_port '53'

config rule
	option name 'server-dns'
	option src 'server'
	option dest 'wan'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'lan-to-server-websecure'
	option src 'lan'
	option dest 'server'
	list dest_ip '10.0.0.55'
	option dest_port '443'
	option target 'ACCEPT'

cat /etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf2:f190:4891::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'
	option vlan_filtering '1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr '94:a6:7e:b2:7b:3c'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option type 'bridge'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcp'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option description 'others'
	option ports '1 2 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'
	option description 'wifi'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '3 6t'
	option description 'routerchain'

config device
	option name 'wlan0'

config interface 'routerchain'
	option device 'eth0.3'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.4.1'

config device
	option name 'eth0.3'
	option type '8021q'
	option ifname 'eth0'
	option vid '3'
	option acceptlocal '1'
	option promisc '1'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option description 'server'
	option ports '0 6t'

config device
	option name 'eth0.4'
	option type '8021q'
	option ifname 'eth0'
	option vid '4'

config interface 'server'
	option device 'eth0.4'
	option proto 'static'
	option ipaddr '10.0.0.1'
	option netmask '255.255.255.0'

config device
	option name 'wlan1'
	option multicast_router '1'

cat /etc/config/wireless

	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/10300000.wmac'
	option cell_density '0'
	option channel 'auto'
	option txpower '20'
	option htmode 'HT20'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option key '****************'
	option encryption 'psk2'
	option ssid 'OpenWrt2.4'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'
	option txpower '20'
	option country 'NO'
	option cell_density '2'
	option channel 'auto'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'OpenWrt'
	option key '********************'
	option network 'lan'
	option encryption 'psk2'