How to configure HTTPS as the default for OpenWrt

Blastorix · July 16, 2020, 4:04pm

Hi,

I have set my ISP modem/router combo to Bridge mode and now my OpenWRT router is the one dealing with all of the things the ISP modem/router should have done such as NAT.

However, this comes with a myriad of issues such as me being unable to access DSL Reports anymore. Attached is a screenshot for reference:

Additionally, it seems like every time I want to access a website via the search bar, it leads me to the HTTP variant of the website, causing an "Authorization Required" Prompt that is annoying to no end.

Furthermore, I am no longer able to update my Windows 10 Laptop and its corresponding apps due to this same issue as well.

I would be grateful if I were to be educated on how to solve, or if not possible alleviate the issue.

Blastorix · July 16, 2020, 4:36pm

Hi,

Please disregard this complaint. All that was needed was to input Port 80 into the Port Forwarding section of the firewall.

trendy · July 16, 2020, 9:34pm

I think you have added some wrong redirect.
You may post here the firewall configuration to verify that it is correct.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:

ubus call system board; \
uci export firewall; head -n -0 /etc/firewall.user

Blastorix · July 17, 2020, 2:25am

{
        "kernel": "4.14.180",
        "hostname": "ImbudWRT",
        "system": "MediaTek MT7628AN ver:1 eco:2",
        "model": "TP-Link Archer C20 v4",
        "board_name": "tplink,c20-v4",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.3",
                "revision": "r11063-85e04e9f46",
                "target": "ramips/mt76x8",
                "description": "OpenWrt 19.07.3 r11063-85e04e9f46"
        }
}
package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config redirect
        option src 'wan'
        option name 'HTTP Port'
        option src_dport '80'
        option target 'DNAT'
        option dest 'lan'
        list proto 'tcp'

config redirect
        option src 'wan'
        option name 'HTTPS Port'
        option src_dport '443'
        option target 'DNAT'
        option dest 'lan'
        list proto 'tcp'

config redirect
        option src 'wan'
        option name 'Xbox Live 1'
        option src_dport '88'
        option target 'DNAT'
        option dest 'lan'
        list proto 'udp'

config redirect
        option src 'wan'
        option name 'Xbox Live 2'
        option src_dport '3074'
        option target 'DNAT'
        option dest 'lan'

config redirect
        option src 'wan'
        option name 'Xbox Live 3'
        option src_dport '53'
        option target 'DNAT'
        option dest 'lan'

config redirect
        option src 'wan'
        option name 'Xbox Live 4'
        option src_dport '500'
        option target 'DNAT'
        option dest 'lan'
        list proto 'udp'

config redirect
        option src 'wan'
        option name 'Xbox Live 5'
        option src_dport '3544'
        option target 'DNAT'
        option dest 'lan'
        list proto 'udp'

config redirect
        option src 'wan'
        option name 'Xbox Live 6'
        option src_dport '4500'
        option target 'DNAT'
        option dest 'lan'
        list proto 'udp'

config redirect
        option src 'wan'
        option name 'Xbox Live 7'
        option src_dport '60209'
        option target 'DNAT'
        option dest 'lan'

Here's the code as attached. I have additional problems that are off-tangent to this topic; although I am able to open most sites given the necessary port forwards, Facebook Business Dashboard is showing an error that shows too many redirects. Furthermore, I am completely stumped with how to actually enable UPnP. Although I am able to sucessfully configure NAT-PMP, I'm not able to for UPnP. It does not show that miniupnpd is enabled on the Chain Input, Forward, and Output.

EDIT 1: Please Disregard Facebook. It's a bug on their end. I still get redirect errors with some websites, though; I'm just concerned now with making sure UPnP works and that the firewall configuration is correct.

Any advice?

trendy · July 17, 2020, 9:05am

All your redirects are missing the destination ip option, that means the lan IP that the ports will be forwarded to.

Blastorix · July 17, 2020, 9:43am

So, I should use the router's IP as the destination to ensure that the ports will work as intended?

Additionally, how do I give you access to the logs of luci-app-upnp so that you can verify if it works? What commands should I input in SSH?

trendy · July 17, 2020, 9:59am

Not the router's IP, the host's IP in the lan. For example if the OpenWrt has 192.168.1.1 and the Xbox 192.168.1.100, you'll use the latter as the destination IP for the redirect.

iptables-save -c | grep DNAT

Blastorix · July 17, 2020, 10:41am

Got it. I'll do that.

Attached is the output:

[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT

Did it work?

trendy · July 17, 2020, 10:42am

No, you didn't fix it yet.

Blastorix · July 17, 2020, 11:33am

Would you know what's wrong so that I can fix it?

Is this related with solving the UPnP being not active?

trendy · July 17, 2020, 1:08pm

Blastorix:

config redirect
        option src 'wan'
        option name 'Xbox Live 1'
        option src_dport '88'
        option target 'DNAT'
        option dest 'lan'
        list proto 'udp'
        option dest_ip '192.168.1.100'  <- you need to add this line, the IP is an example

Or in Luci fill in the "Internal IP address" in the Port Forward.

Blastorix · July 17, 2020, 1:13pm

Thanks for that.

How about the UPnP issue?

Since it does not show it's working, how do I configure it to ensure functionality? Does the reply you mentioned above play a factor into this, or is it a completely separate thing altogether? I'm guessing yes since said reply pertains to port forwarding and the current issue I'm talking about is UPnP.

trendy · July 17, 2020, 1:48pm

You are using wrong addresses in Upnp.
It should be 192.168.1.0/24

Blastorix · July 17, 2020, 2:21pm

I've altered it to the correct address that you mentioned?

What should I expect from the output given the same command?

trendy · July 17, 2020, 2:23pm

I don't understand your questions.

Blastorix · July 17, 2020, 2:25pm

I already changed the address from 1.1 to 1.0 as you said. I'm just asking how do I know if UPnP actually worked this time.

Do I use this same command? Surely the output of this would be different from previously.

trendy · July 17, 2020, 2:27pm

You'll see active upnp leases at the top of the page.

You can see them from there too.

Blastorix · July 17, 2020, 2:30pm

[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT

Seems like it didn't work.

And there's no active leases either.

Would it be better to erase the config of UPnP and just configure it from scratch, or should I test a program that can take advantage of UPnP? What would you recommend?

trendy · July 17, 2020, 2:33pm

You need some upnp client to request for a port, in case you didn't try with one.

Post the following:

uci export firewall; head -n -0 /etc/firewall.user; uci export miniupnpd

Blastorix · July 17, 2020, 2:35pm

Here's the output:

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option src 'wan'
        option name 'HTTP Port'
        option src_dport '80'
        option target 'DNAT'
        option dest 'lan'
        list proto 'tcp'

config redirect
        option src 'wan'
        option name 'HTTPS Port'
        option src_dport '443'
        option target 'DNAT'
        option dest 'lan'
        list proto 'tcp'

config redirect
        option src 'wan'
        option name 'NAT-PMP Ports'
        option src_dport '28987'
        option target 'DNAT'
        option dest 'lan'

config redirect
        option src 'wan'
        option name 'Xbox Live 1'
        option src_dport '88'
        option target 'DNAT'
        option dest 'lan'
        list proto 'udp'

config redirect
        option src 'wan'
        option name 'Xbox Live 2'
        option src_dport '3074'
        option target 'DNAT'
        option dest 'lan'

config redirect
        option src 'wan'
        option name 'Xbox Live 3'
        option src_dport '53'
        option target 'DNAT'
        option dest 'lan'

config redirect
        option src 'wan'
        option name 'Xbox Live 4'
        option src_dport '500'
        option target 'DNAT'
        option dest 'lan'
        list proto 'udp'

config redirect
        option src 'wan'
        option name 'Xbox Live 5'
        option src_dport '3544'
        option target 'DNAT'
        option dest 'lan'
        list proto 'udp'

config redirect
        option src 'wan'
        option name 'Xbox Live 6'
        option src_dport '4500'
        option target 'DNAT'
        option dest 'lan'
        list proto 'udp'

config redirect
        option src 'wan'
        option name 'Xbox Live 7'
        option src_dport '60209'
        option target 'DNAT'
        option dest 'lan'

config redirect
        option src 'wan'
        option name 'Xbox Live 8'
        option src_dport '49962'
        option target 'DNAT'
        option dest 'lan'
        list proto 'udp'

config redirect
        option src 'wan'
        option src_dport '27000-27100'
        option target 'DNAT'
        option dest 'lan'
        list proto 'udp'
        option name 'Steam Client'

config redirect
        option src 'wan'
        option name 'Plug and Play Port'
        option src_dport '5000'
        option target 'DNAT'
        option dest 'lan'

config redirect
        option src 'wan'
        option name 'Steam Client 2'
        option src_dport '4380'
        option target 'DNAT'
        option dest 'lan'
        list proto 'udp'

config redirect
        option src 'wan'
        option name 'Steam Networking'
        option src_dport '4379'
        option target 'DNAT'
        option dest 'lan'
        list proto 'udp'

config redirect
        option src 'wan'
        option name 'Steam Networking 2'
        option src_dport '3478'
        option target 'DNAT'
        option dest 'lan'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

The reason why I left the Internal IP blank is because I intended to make sure that all the devices in my network (Wired and Wireless) all get access to the ports that I've opened.