Help with configuration for external access

Hi, after moving to a new router I am having problems with external access to my server and I don't know what else to do.
The router I'm using is a TP-Link Archer C7 v5 with OpenWrt 23.05.2.
I have already configured my LAN, WAN, Wi-Fi and DDNS (DuckDNS) without any problem.
The problem is that I can't access my web servers from the internet. They worked fine on my previous router. But I don't know what else to do.
What I do:
I ping my DDNS name and the IP is resolved correctly. If I unplug the router the ping fails; if I plug it in, the ping goes fine.
Nothing else works after that. I tried to redirect using port forwarding and nothing; I tried to expose the router to the WAN to see if anything happened, but I couldn't.
I don't know if this is a configuration problem or a connection problem.
But I have reached the limit of my knowledge and I don't know where to go from here.

Pinging from where?

Post your /etc/config/firewall.

I ping from my notebook, using my phone connection.

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option target 'DNAT'
	option name '80'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.3.1'
	option dest 'lan'
	option family 'ipv4'
	list proto 'tcp'
	option dest_port '80'
	option enabled '0'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name '443'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.3.10'
	option dest_port '443'
	option enabled '0'

config rule
	option name 'allow wan'
	list proto 'tcp'
	option src 'wan'
	option dest_port '80 443'
	option target 'ACCEPT'

And you're sure your ISP isn't blocking incoming connections on ports 80 and 443?


Until a few days ago, I had no problem and was able to access. I can't tell you if anything has changed. How can I test it?

Yes, run tcpdump on the router's WAN interface to confirm that port 80/443 requests from the Internet make it to your router. tcpdump is not affected by the firewall; it shows packets directly from the line.

Fundamentally, you should double-check that the IP address held by the WAN interface matches what is reported by a "what's my IP" test site. And then this IP must also be correct in the DDNS.

I'm not sure if this is allowed or if you have to write separate rules for each port. It's safer to open SSH to the Internet for testing, since LuCI / the uhttpd server is not at all hardened against hacking.

I will do the tcpdump; meanwhile, the IP from "what's my IP" and the one from the WAN interface are different. My WAN interface has the IPv4 100.76.34.154/19 while my external IP is 181.85.52.###. My DuckDNS matches the second IP.

That is the problem: you have CGNAT. IPs that start with 100 (with the second number between 64 and 128) are from a block that is set aside for the customer side of CGNAT and are not routed on the Internet.
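The check the reply above describes (is the WAN address public, and does it match the address seen from outside?) as a small POSIX sh script. This is an added example, not code from the thread or from OpenWrt; it classifies an IPv4 address against the CGNAT block (100.64.0.0/10), the RFC 1918 ranges and a few other non-routable ranges, then compares the WAN address with the externally observed one. The commented-out usage lines assume OpenWrt's `network_get_ipaddr` helper from `/lib/functions/network.sh` and an external-IP web service (`ifconfig.me`), both of which are assumptions for illustration; the stand-alone demonstration uses the thread's addresses with the masked external octet replaced by the documentation address 203.0.113.7.

```shell
#!/bin/sh
# Added example (not from the thread): classify the address held by the
# router's WAN interface so the CGNAT case in this thread is caught before
# any time is spent debugging port forwards. POSIX sh, so it also runs on
# OpenWrt's busybox ash.

# Print one of: cgnat, rfc1918, loopback, link-local, public, invalid.
classify_ip() {
    ip="$1"
    # Split the dotted quad; reject anything that is not four octets 0-255.
    oldifs="$IFS"; IFS=.
    set -- $ip
    IFS="$oldifs"
    [ $# -eq 4 ] || { echo invalid; return 1; }
    for o in "$@"; do
        case "$o" in
            ''|*[!0-9]*) echo invalid; return 1 ;;
        esac
        [ "$o" -le 255 ] || { echo invalid; return 1; }
    done
    a=$1; b=$2
    if [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then
        echo cgnat          # RFC 6598 shared address space 100.64.0.0/10
    elif [ "$a" -eq 10 ]; then
        echo rfc1918        # 10.0.0.0/8
    elif [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then
        echo rfc1918        # 172.16.0.0/12
    elif [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then
        echo rfc1918        # 192.168.0.0/16
    elif [ "$a" -eq 127 ]; then
        echo loopback       # 127.0.0.0/8
    elif [ "$a" -eq 169 ] && [ "$b" -eq 254 ]; then
        echo link-local     # 169.254.0.0/16
    else
        echo public
    fi
}

# Compare the WAN address with the address seen from outside (what the thread
# does with a "what's my IP" site and DuckDNS) and say whether inbound port
# forwards can work at all. Arguments: wan_ip external_ip. Returns 0 only
# when the WAN address is public and identical to the external one.
inbound_reachable() {
    wan="$1"; ext="$2"
    kind=$(classify_ip "$wan")
    if [ "$kind" = public ] && [ "$wan" = "$ext" ]; then
        echo "ok: WAN address $wan is public and matches external $ext"
        return 0
    fi
    echo "no: WAN address $wan is $kind, external address is $ext; an upstream NAT sits between you and the Internet"
    return 1
}

# Usage on a real OpenWrt router (assumed helper and service; uncomment there):
#   wan_ip=$(. /lib/functions/network.sh; network_get_ipaddr ip wan; echo "$ip")
#   inbound_reachable "$wan_ip" "$(wget -qO- https://ifconfig.me)"

# Stand-alone demonstration with the thread's addresses; the masked external
# address is replaced by the constructed value 203.0.113.7.
inbound_reachable 100.76.34.154 203.0.113.7 || true   # CGNAT case from the thread
inbound_reachable 192.168.0.30 203.0.113.7 || true    # modem switched to router mode
inbound_reachable 203.0.113.7 203.0.113.7             # the only case where forwards can work
```

A "no" from `inbound_reachable` means no firewall rule on the router will help; the fix is on the ISP side (bridge mode, a public address, or a tunnel to a host that has one).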

tcpdump shows:

12:17:46.092096 IP 100.76.34.154.59145 > 181.85.52.###.80: Flags [S], seq 2383155456, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

when I tried to connect through port 80.

That's going in the opposite direction?

You're going from your LAN to the ISP's public IP.
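The point of the reply above is the direction of the captured SYN: its source is the router's own WAN address, so it is an outgoing connection, not a request arriving from the Internet. The script below is an added example (not from the thread) that reads tcpdump's one-line summaries and labels each bare SYN as inbound to, or outbound from, a given WAN address, then counts the inbound ones. The sample capture is constructed: the thread's line with the masked external octet replaced by 203.0.113.7, plus two invented lines (a SYN-ACK and an inbound SYN from 198.51.100.23). The tcpdump filter in the comment is standard pcap-filter syntax, not something the thread used.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether each TCP SYN in a
# tcpdump capture is inbound to the WAN address or outbound from it.
# POSIX sh, so it also runs on OpenWrt's busybox ash.

# Classify one tcpdump line as inbound, outbound or other, relative to the
# WAN address in $1. Expects tcpdump's default IPv4 summary with -n:
#   <time> IP <src>.<sport> > <dst>.<dport>: Flags [S], seq ...
syn_direction() {
    wan="$1"; line="$2"
    case "$line" in
        *"Flags [S],"*) ;;            # a bare SYN is a new connection attempt
        *) echo other; return 0 ;;    # SYN-ACK, data, RST, non-TCP, ...
    esac
    set -f                           # no globbing while splitting ("[S]" would glob)
    set -- $line                     # fields: time IP src.sport > dst.dport: Flags ...
    set +f
    src="${3%.*}"                    # "100.76.34.154.59145" -> "100.76.34.154"
    dst="${5%%:*}"; dst="${dst%.*}"  # "203.0.113.7.80:"     -> "203.0.113.7"
    if [ "$dst" = "$wan" ]; then
        echo inbound
    elif [ "$src" = "$wan" ]; then
        echo outbound
    else
        echo other
    fi
}

# Read a capture on stdin (one tcpdump line per input line) and count the
# SYNs addressed to the WAN address. Prints the count; returns 0 only when
# at least one inbound SYN was seen, i.e. the Internet can reach the router.
count_inbound_syns() {
    wan="$1"; n=0
    while IFS= read -r l; do
        [ "$(syn_direction "$wan" "$l")" = inbound ] && n=$((n + 1))
    done
    echo "$n"
    [ "$n" -gt 0 ]
}

# Constructed sample capture: the thread's line (external octet replaced by
# 203.0.113.7), the SYN-ACK that answered it, and one invented inbound SYN.
SAMPLE_CAPTURE='12:17:46.092096 IP 100.76.34.154.59145 > 203.0.113.7.80: Flags [S], seq 2383155456, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
12:17:46.093001 IP 203.0.113.7.80 > 100.76.34.154.59145: Flags [S.], seq 1, ack 2383155457, win 65535, length 0
12:17:50.000000 IP 198.51.100.23.40000 > 100.76.34.154.80: Flags [S], seq 1, win 64240, length 0'

# On the router itself, capture only new inbound connections to the web port
# (assumed interface name eth0.2 from the thread; -n avoids DNS lookups):
#   tcpdump -ni eth0.2 "dst host $wan and tcp dst port 80 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn"

# Stand-alone demonstration.
wan=100.76.34.154
printf '%s\n' "$SAMPLE_CAPTURE" | while IFS= read -r l; do
    echo "$(syn_direction "$wan" "$l")  $l"
done
printf '%s\n' "$SAMPLE_CAPTURE" | count_inbound_syns "$wan" || true
```

With the WAN address from the thread, the captured line is labelled outbound, which is what the reply above says; a test from a phone on LTE that reaches the router shows up as an inbound SYN whose destination is the WAN address, and with CGNAT that line never appears.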

I run from the router:

tcpdump -i eth0.2 port 80

And then I try to connect from my notebook to my DDNS name.

But you're going via your own LAN, so it'll be an outgoing connection.

No, my notebook is connected to the Internet through my phone.

Doesn't agree with you...

Skip the laptop; just use the browser on your phone.


And make sure that Wi-Fi on the phone is off, so the request is sent through the LTE connection, which is a separate path to the Internet.

I can tell you right now that it is not going to work, because your ISP has started using CGNAT on your line, and that prevents you from receiving an incoming connection.

You are right.

Just one minute ago I received a patch to the modem and the WAN IP changed to 192.168.0.30/24.

The latest IP address is part of the RFC 1918 (private network) range and will mean that you most certainly cannot directly connect from outside. It does suggest that your modem is now in router mode, though, so you can see if there is a public IP on the modem/router WAN.

You could also ask your ISP about setting your modem in bridge mode.

It was 10 minutes ago.