I have set my ISP modem/router combo to Bridge mode and now my OpenWRT router is the one dealing with all of the things the ISP modem/router should have done such as NAT.
However, this comes with a myriad of issues such as me being unable to access DSL Reports anymore. Attached is a screenshot for reference:
Additionally, every time I open a website by typing it into the browser's search/address bar, I am sent to the plain-HTTP variant of the site and get an "Authorization Required" prompt (which looks like the OpenWrt LuCI login page rather than anything from the site itself), and that is annoying to no end.
{
"kernel": "4.14.180",
"hostname": "ImbudWRT",
"system": "MediaTek MT7628AN ver:1 eco:2",
"model": "TP-Link Archer C20 v4",
"board_name": "tplink,c20-v4",
"release": {
"distribution": "OpenWrt",
"version": "19.07.3",
"revision": "r11063-85e04e9f46",
"target": "ramips/mt76x8",
"description": "OpenWrt 19.07.3 r11063-85e04e9f46"
}
}
# /etc/config/firewall as dumped (uci export firewall); stanza order is as in the dump.
package firewall
# Global defaults: SYN-flood protection on, the router accepts/emits traffic
# unless a zone overrides it, and inter-zone forwarding is rejected by default.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# LAN zone: fully open toward the router and between LAN hosts (stock OpenWrt).
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# WAN zone: unsolicited inbound traffic to the router or to LAN is rejected,
# outbound traffic is masqueraded (NAT) and TCP MSS is clamped to the path MTU.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# Only LAN -> WAN forwarding is permitted; WAN -> LAN needs an explicit rule or redirect.
config forwarding
option src 'lan'
option dest 'wan'
# Stock OpenWrt 19.07 WAN input rules follow (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# Rate-limited ICMPv6 to the router itself.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Rate-limited ICMPv6 forwarded through to any zone (dest '*').
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# The two rules below admit IPsec passthrough (ESP, and IKE on UDP/500) from WAN into LAN.
# They overlap with the 'Xbox Live 4' / 'Xbox Live 6' redirects (UDP 500 / 4500) further down.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# /etc/firewall.user is sourced for hand-written iptables rules (its contents are not shown here).
config include
option path '/etc/firewall.user'
# miniupnpd's firewall hook. A running miniupnpd should add its own MINIUPNPD chains;
# the iptables excerpt quoted later in the thread shows only fw3's generic
# "Accept port forwards" rules, so it does not by itself prove this hook ran.
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
# NOTE(review): every redirect below has target DNAT but no 'dest_ip'. A DNAT can only
# deliver a port to ONE LAN host, so leaving the internal IP blank does not open the
# port "for all devices"; with no dest_ip, fw3 appears to fall back to redirecting the
# port to the router itself (verify with: iptables-save -t nat). That would expose
# LuCI/uhttpd (TCP 80/443) and dnsmasq (port 53) to the Internet. Set
# 'option dest_ip' to the specific LAN host on each redirect, and drop the
# 53/80/443 entries unless a LAN server really must be reachable from outside.
config redirect
option src 'wan'
option name 'HTTP Port'
option src_dport '80'
option target 'DNAT'
option dest 'lan'
list proto 'tcp'
config redirect
option src 'wan'
option name 'HTTPS Port'
option src_dport '443'
option target 'DNAT'
option dest 'lan'
list proto 'tcp'
config redirect
option src 'wan'
option name 'Xbox Live 1'
option src_dport '88'
option target 'DNAT'
option dest 'lan'
list proto 'udp'
# No 'proto' given here (and on 'Xbox Live 3' / 'Xbox Live 7'): fw3 then matches both TCP and UDP.
config redirect
option src 'wan'
option name 'Xbox Live 2'
option src_dport '3074'
option target 'DNAT'
option dest 'lan'
# Port 53 from WAN: inbound DNS is not something a game console needs; see the note above.
config redirect
option src 'wan'
option name 'Xbox Live 3'
option src_dport '53'
option target 'DNAT'
option dest 'lan'
config redirect
option src 'wan'
option name 'Xbox Live 4'
option src_dport '500'
option target 'DNAT'
option dest 'lan'
list proto 'udp'
# UDP 3544 is Teredo (IPv6-over-UDP tunnelling used by Xbox Live).
config redirect
option src 'wan'
option name 'Xbox Live 5'
option src_dport '3544'
option target 'DNAT'
option dest 'lan'
list proto 'udp'
config redirect
option src 'wan'
option name 'Xbox Live 6'
option src_dport '4500'
option target 'DNAT'
option dest 'lan'
list proto 'udp'
config redirect
option src 'wan'
option name 'Xbox Live 7'
option src_dport '60209'
option target 'DNAT'
option dest 'lan'
Here's the config as attached. I have additional problems that are off-topic for this thread: although I am able to open most sites given the necessary port forwards, the Facebook Business Dashboard shows a "too many redirects" error. Furthermore, I am completely stumped as to how to actually enable UPnP. Although I am able to successfully configure NAT-PMP, I am not able to do so for UPnP: the firewall status page does not show that miniupnpd is hooked into the Input, Forward and Output chains.
EDIT 1: Please Disregard Facebook. It's a bug on their end. I still get redirect errors with some websites, though; I'm just concerned now with making sure UPnP works and that the firewall configuration is correct.
Not the router's IP — the LAN host's IP goes in the redirect's internal address (`dest_ip`). For example, if the OpenWrt router is 192.168.1.1 and the Xbox is 192.168.1.100, you use the latter as the destination IP for the redirect; a port forward can only target one host.
Since the status page does not show it working, how do I configure it to ensure it functions? Does the reply above play a part in this, or is it a completely separate thing? I'm guessing it is separate, since that reply is about port forwarding and the issue I'm describing now is UPnP.
# Excerpt of `iptables-save` (filter table). These four rules are fw3's own "accept anything
# conntrack has marked DNAT" rules; fw3 emits them for the zones regardless of miniupnpd,
# so they say nothing about UPnP. A working miniupnpd should add its own MINIUPNPD chains
# (filter and nat tables) — look for those instead, e.g. `iptables-save | grep -i miniupnpd`.
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
It seems like it didn't work: those are only fw3's generic DNAT-accept rules, and there is no MINIUPNPD chain in the output.
And there are no active UPnP leases either.
Would it be better to erase the config of UPnP and just configure it from scratch, or should I test a program that can take advantage of UPnP? What would you recommend?
# /etc/config/firewall, second dump (uci export firewall) after adding more redirects.
package firewall
# Global defaults: SYN-flood protection on, the router accepts/emits traffic
# unless a zone overrides it, and inter-zone forwarding is rejected by default.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# LAN zone: fully open toward the router and between LAN hosts (stock OpenWrt).
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# WAN zone: unsolicited inbound traffic to the router or to LAN is rejected,
# outbound traffic is masqueraded (NAT) and TCP MSS is clamped to the path MTU.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# Only LAN -> WAN forwarding is permitted; WAN -> LAN needs an explicit rule or redirect.
config forwarding
option src 'lan'
option dest 'wan'
# Stock OpenWrt 19.07 WAN input rules follow (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# Rate-limited ICMPv6 to the router itself.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Rate-limited ICMPv6 forwarded through to any zone (dest '*').
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# The two rules below admit IPsec passthrough (ESP, and IKE on UDP/500) from WAN into LAN.
# They overlap with the 'Xbox Live 4' / 'Xbox Live 6' redirects (UDP 500 / 4500) further down.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# /etc/firewall.user is sourced for hand-written iptables rules (its contents are not shown here).
config include
option path '/etc/firewall.user'
# NOTE(review): every redirect below has target DNAT but no 'dest_ip'. A DNAT can only
# deliver a port to ONE LAN host, so leaving the internal IP blank does not open the
# port "for all devices"; with no dest_ip, fw3 appears to fall back to redirecting the
# port to the router itself (verify with: iptables-save -t nat). That would expose
# LuCI/uhttpd (TCP 80/443) and dnsmasq (port 53) to the Internet. Set
# 'option dest_ip' to the specific LAN host on each redirect, and drop the
# 53/80/443 entries unless a LAN server really must be reachable from outside.
# Redirects with no 'proto' line ('NAT-PMP Ports', 'Xbox Live 2/3/7', 'Plug and Play Port',
# 'Steam Networking 2') match both TCP and UDP.
config redirect
option src 'wan'
option name 'HTTP Port'
option src_dport '80'
option target 'DNAT'
option dest 'lan'
list proto 'tcp'
config redirect
option src 'wan'
option name 'HTTPS Port'
option src_dport '443'
option target 'DNAT'
option dest 'lan'
list proto 'tcp'
# NOTE(review): NAT-PMP and UPnP are spoken by LAN clients TO the router (NAT-PMP on
# UDP 5351, UPnP via SSDP 1900 plus miniupnpd's HTTP port). Neither needs an inbound
# redirect from WAN; this entry and 'Plug and Play Port' below do not help them work.
config redirect
option src 'wan'
option name 'NAT-PMP Ports'
option src_dport '28987'
option target 'DNAT'
option dest 'lan'
config redirect
option src 'wan'
option name 'Xbox Live 1'
option src_dport '88'
option target 'DNAT'
option dest 'lan'
list proto 'udp'
config redirect
option src 'wan'
option name 'Xbox Live 2'
option src_dport '3074'
option target 'DNAT'
option dest 'lan'
# Port 53 from WAN: inbound DNS is not something a game console needs; see the note above.
config redirect
option src 'wan'
option name 'Xbox Live 3'
option src_dport '53'
option target 'DNAT'
option dest 'lan'
config redirect
option src 'wan'
option name 'Xbox Live 4'
option src_dport '500'
option target 'DNAT'
option dest 'lan'
list proto 'udp'
# UDP 3544 is Teredo (IPv6-over-UDP tunnelling used by Xbox Live).
config redirect
option src 'wan'
option name 'Xbox Live 5'
option src_dport '3544'
option target 'DNAT'
option dest 'lan'
list proto 'udp'
config redirect
option src 'wan'
option name 'Xbox Live 6'
option src_dport '4500'
option target 'DNAT'
option dest 'lan'
list proto 'udp'
config redirect
option src 'wan'
option name 'Xbox Live 7'
option src_dport '60209'
option target 'DNAT'
option dest 'lan'
config redirect
option src 'wan'
option name 'Xbox Live 8'
option src_dport '49962'
option target 'DNAT'
option dest 'lan'
list proto 'udp'
# Port range syntax: 'src_dport' accepts 'low-high'.
config redirect
option src 'wan'
option src_dport '27000-27100'
option target 'DNAT'
option dest 'lan'
list proto 'udp'
option name 'Steam Client'
# NOTE(review): if 5000 is the HTTP port miniupnpd listens on, forwarding it from WAN
# would expose the UPnP control interface to the Internet once a dest_ip/REDIRECT lands
# on the router. UPnP never needs this; remove it.
config redirect
option src 'wan'
option name 'Plug and Play Port'
option src_dport '5000'
option target 'DNAT'
option dest 'lan'
config redirect
option src 'wan'
option name 'Steam Client 2'
option src_dport '4380'
option target 'DNAT'
option dest 'lan'
list proto 'udp'
config redirect
option src 'wan'
option name 'Steam Networking'
option src_dport '4379'
option target 'DNAT'
option dest 'lan'
list proto 'udp'
config redirect
option src 'wan'
option name 'Steam Networking 2'
option src_dport '3478'
option target 'DNAT'
option dest 'lan'
# miniupnpd's firewall hook (moved to the end in this dump; position does not matter to fw3).
# A running miniupnpd should add its own MINIUPNPD chains; the iptables excerpt quoted
# earlier shows only fw3's generic "Accept port forwards" rules, so it does not prove this ran.
# Keep in mind UPnP lets ANY LAN device open inbound ports on its own behalf — restrict it
# to the hosts that need it (miniupnpd's perm_rules) rather than leaving it wide open.
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
The reason I left the internal IP blank is that I intended all the devices on my network (wired and wireless) to get access to the ports I've opened. (Note: a DNAT port forward can only deliver a given port to one LAN host, so a blank internal IP does not do this — and with no `dest_ip` set, fw3 appears to redirect those ports to the router itself, which would expose the router's own HTTP/HTTPS/DNS services on the WAN side; confirm with `iptables-save -t nat`.)