How do I redirect all HTTP requests from WAN to webserver? [Solved]

I'm trying to do something really simple: to expose a webserver to the internet. My goal is to redirect all HTTP/HTTPS requests to my webserver.

What is really odd is that port forwarding from 80 to 80 and 443 to 443 doesn't work, while if I forward, say, 8080 to 80, it does work.

How do I redirect all HTTP requests to my server?

You do that. However, without any idea of what rule you've actually created, we cannot offer advice as to why it's not working.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

Thank you!

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "Intel(R) Core(TM) i5-2400S CPU @ 2.50GHz",
        "model": "QEMU Standard PC (Q35 + ICH9, 2009)",
        "board_name": "qemu-standard-pc-q35-ich9-2009",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "x86/64",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd21:b712:c3b8::/48'

config interface 'wan'
        option device 'eth1'
        option proto 'pppoe'
        option username 'cliente@cliente'
        option password 'cliente'
        option ipv6 'auto'

config device
        option name 'eth0'
        option ipv6 '0'

config interface 'lan'
        option device 'eth0'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        option ipv6 '0'

config device
        option name 'pppoe-wan'
        option ipv6 '0'

config device
        option name 'eth1'
        option ipv6 '0'
root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HTTP redirect'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.0.7'
        option dest_port '80'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HTTPS redirect'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.0.7'
        option dest_port '443'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'PHP HTTP'
        option src 'wan'
        option src_dport '8080'
        option dest_ip '192.168.0.7'
        option dest_port '80'

Your redirects (port forwards) look fine.

  • Is the host at 192.168.0.7 listening for connections on those three ports? If you test from within your network, can you reach it?
  • Do you have a public IP? For this, look at the output of ifstatus wan | grep address and compare that against what you see when you use an external website to check your IP (like googling "what's my IP").

Yes, the host is listening to them, as I can access the webpage from my internal network.

I do have an external IP and I can access the webpage from outside when I use the 8080 port - but I can't access it when I try using just port 80.

Edit /etc/config/uhttpd and replace 0.0.0.0 with 192.168.0.1 then reboot.
Untested, just an idea.

Thanks.

I did like you said and rebooted. Still the same...

Is it possible that your ISP blocks port 80 inbound?

Also, have you checked that your server is configured to allow connections from other subnets/internet -- it would seem yes, but verify that this is also true for the service configuration that is running on port 80.

1 Like
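
One way to check the "ISP blocks port 80 inbound" question raised above, as an added example that is not part of the thread: read the WAN-sourced `src_dport` values out of the firewall config and count inbound TCP SYNs per port in a `tcpdump -n` text capture taken on the WAN device while someone connects from outside. The function names, the trimmed config excerpt and the capture lines (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread; config excerpt and capture lines are constructed.
# A live capture could come from: tcpdump -n -i pppoe-wan 'tcp[tcpflags] & tcp-syn != 0'

# Print the src_dport of every "config redirect" section whose src is 'wan'.
wan_redirect_ports() {
    awk -v q="'" '
        function emit() { if (sec == "redirect" && src == "wan" && port != "") print port }
        $1 == "config" { emit(); sec = $2; src = ""; port = "" }
        $1 == "option" { gsub(q, "", $3)
                         if ($2 == "src") src = $3
                         if ($2 == "src_dport") port = $3 }
        END { emit() }' "$1"
}

# $1 = firewall config, $2 = tcpdump text. Count inbound SYNs per forwarded port.
syn_report() {
    for p in $(wan_redirect_ports "$1"); do
        n=$(awk -v p="$p" '
            $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
                dst = $5; sub(/:$/, "", dst); sub(/.*\./, "", dst)  # keep port only
                if (dst == p) c++
            }
            END { print c + 0 }' "$2")
        if [ "$n" -gt 0 ]; then note="reaches the router"
        else note="none seen, consistent with filtering upstream"; fi
        echo "port $p: $n inbound SYN(s) on WAN ($note)"
    done
}

FW=$(mktemp); CAP=$(mktemp); trap 'rm -f "$FW" "$CAP"' EXIT
cat > "$FW" <<'EOF'
config redirect
        option name 'HTTP redirect'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.0.7'
config redirect
        option name 'PHP HTTP'
        option src 'wan'
        option src_dport '8080'
        option dest_ip '192.168.0.7'
EOF
cat > "$CAP" <<'EOF'
12:00:01.000001 IP 203.0.113.5.51234 > 198.51.100.20.8080: Flags [S], seq 1, win 64240, length 0
12:00:01.000090 IP 198.51.100.20.8080 > 203.0.113.5.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:07.000002 IP 203.0.113.9.40022 > 198.51.100.20.8080: Flags [S], seq 9, win 64240, length 0
EOF
syn_report "$FW" "$CAP"
```

A port that shows SYNs on the WAN device but still fails points at the redirect or the server; a port with none while the outside client is retrying points upstream of the router.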

Oh, man....

It seems my ISP blocks ports 80 and 443. This is really annoying.

Thank you for your help!!!!

Bummer, but glad we figured that out.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!
