How to open ports for internal services on OpenWrt

Hello dear friends,

I'm fairly new to networking, so I need your help. I have some services running on my OpenWrt router (for example udp2raw and stunnel, each listening on a specific port), but so far I have not been able to reach those services from my LAN devices. Can you tell me how to fix this? Do I perhaps need to open those ports in the firewall somehow?

The same services work fine when I run them on my Ubuntu servers on the Internet, but I need them on my OpenWrt router.

Normally the default firewall allows unrestricted access from your LAN to services running on the OpenWrt device itself (the lan zone's input policy is ACCEPT). How exactly were you trying to reach them?

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses, any public IP addresses you may have, and any VPN private/preshared keys:

cat /etc/config/network
cat /etc/config/firewall

I'm trying to access them as "routerIPaddress:portThatServiceIsRunningOn", for example "192.168.50.1:4030".

/etc/config/network

# Loopback: the stock 127.0.0.1/8 on 'lo'. Services bound only to this
# address are reachable from the router itself, never from the LAN.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# Site-local IPv6 ULA prefix (fd00::/8 space, not routable on the Internet).
# NOTE(review): presumably the source of the /60 handed to 'lan' via
# ip6assign below, alongside any prefix delegated on wan6 -- confirm.
config globals 'globals'
        option ula_prefix 'fd04:18b2:2d72::/48'

# LAN bridge. Its only wired member is eth0.1 (switch VLAN 1, see the
# switch_vlan stanzas below). wlan0 is not listed here; on OpenWrt a
# wireless interface is attached to the bridge from /etc/config/wireless,
# which is not shown in this thread -- assumed, not verified.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'
        option mtu '1500'
        option mtu6 '1500'

# LAN side: the router is 192.168.50.1/24 -- the address the poster is
# using to reach the services (e.g. 192.168.50.1:4030).
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.50.1'
        option netmask '255.255.255.0'
        # hand out a /60 IPv6 prefix to this interface
        option ip6assign '60'

# WAN side: DHCP client on eth0.2 (switch VLAN 2).
config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        # ignore the DNS servers the ISP's DHCP offers and use Cloudflare
        # instead. This is plain (unencrypted) DNS; nothing here sets up
        # DNS-over-TLS/HTTPS.
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        # route metric 20; the wg0 interface below uses 30, so routes learnt
        # here win when both exist for the same destination
        option metric '20'
        option hostname '####'

# IPv6 on the same WAN link, via DHCPv6.
config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

# Integrated switch: VLANs enabled, configuration reset at boot.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1 = LAN: physical ports 2-5 untagged, tagged on CPU port 0.
# Becomes eth0.1 (vid 1 in the 8021q device stanza below).
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

# VLAN 2 = WAN: physical port 1 untagged, tagged on CPU port 0.
# Becomes eth0.2 (vid 2 in the 8021q device stanza below).
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

# OpenVPN tunnel device. proto 'none' means netifd does not configure
# addresses on tun0; the stanza exists so the tunnel can be placed in a
# firewall zone (it is listed under the 'wan' zone in /etc/config/firewall,
# i.e. treated as untrusted for inbound traffic).
config interface 'OpenVPN'
        option proto 'none'
        option device 'tun0'

# WireGuard tunnel. The router is the client side: it has a single /32 and
# /128 tunnel address and dials a remote endpoint (peer stanza below).
config interface 'wg0'
        option proto 'wireguard'
        option private_key '####'
        list addresses '10.66.66.2/32'
        list addresses 'fd42:42:42::2/128'
        # auto '0': not brought up automatically at boot/network restart;
        # something else (manual ifup, a script, or pbr) has to start it
        option auto '0'
        # metric 30: loses to wan's metric 20 for equal routes
        option metric '30'
        option mtu '1280'

# The remote WireGuard peer.
config wireguard_wg0
        option description '####'
        option public_key '####'
        # NOTE(review): 'private_key' is not a peer-section option in
        # OpenWrt's wireguard proto (the local key lives on the interface
        # above). If this is the remote side's private key it should not be
        # stored on this router at all; if it is a leftover, drop it.
        option private_key '####'
        option preshared_key '#####'
        # allowed_ips are redacted; with route_allowed_ips '1' each of them
        # is installed as a route via wg0 when the tunnel comes up. If one of
        # them is 0.0.0.0/0 or ::/0, that becomes a default route (metric 30).
        list allowed_ips '####'
        list allowed_ips '####'
        option route_allowed_ips '1'
        option endpoint_host '####'
        option endpoint_port '####'

# 802.1Q sub-interface for WAN (VLAN 2 on eth0).
config device
        option name 'eth0.2'
        option type '8021q'
        option ifname 'eth0'
        option vid '2'
        option mtu '1500'

# Parent switch CPU port; no options set.
config device
        option name 'eth0'

# 802.1Q sub-interface for LAN (VLAN 1 on eth0), bridged into br-lan.
config device
        option name 'eth0.1'
        option type '8021q'
        option ifname 'eth0'
        option vid '1'

# Low-level settings for the WireGuard device.
# NOTE(review): 'promisc' has no useful effect on a point-to-point L3 tunnel
# and 'acceptlocal' (accept packets with a local source address) is not
# obviously needed here either; both look like leftovers from a template.
config device
        option name 'wg0'
        option mtu '1280'
        option acceptlocal '1'
        option ipv6 '1'
        option multicast '0'
        option promisc '1'
        option ip6segmentrouting '0'

# Wireless radio interface; only the MTU is pinned here.
config device
        option name 'wlan0'
        option mtu '1500'

/etc/config/firewall

# Global policies, applied to traffic on any interface that is NOT a member
# of a zone below. These are OpenWrt's shipped defaults; note that the
# fallback for input is ACCEPT, so an interface that ends up outside every
# zone gets unrestricted access to the router's services. Every interface
# seen in /etc/config/network is assigned to a zone here, so this fallback
# should not currently be in play.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        # packets between two unzoned interfaces are refused
        option forward 'REJECT'
        option synflood_protect '1'

# Trusted zone. input 'ACCEPT' is the relevant line for this thread: every
# service listening on the router is reachable from LAN hosts without any
# extra rule, so the firewall is not what is blocking 192.168.50.1:4030.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# Untrusted zone: WAN (v4 and v6) plus the OpenVPN tunnel. input 'REJECT'
# means nothing arriving here reaches a router service unless one of the
# explicit 'Allow-*' rules below matches.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        # source-NAT outbound traffic to the zone interface's address
        option masq '1'
        # clamp TCP MSS to the path MTU (needed behind NAT/tunnels)
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        # tun0 is treated exactly like the Internet: fine for an outbound
        # OpenVPN client, since the remote end cannot reach router services
        list network 'OpenVPN'

# LAN hosts may initiate connections out through the wan zone (and hence
# also through tun0, which is a wan-zone member). The reverse direction is
# not configured, so only reply traffic comes back.
config forwarding
        option src 'lan'
        option dest 'wan'

# --- Stock OpenWrt input rules for the wan zone. None of these affect the
# --- LAN-to-router access the poster is asking about.

# DHCP client replies from the ISP (UDP 68).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# The router answers IPv4 ping from the Internet (default; deliberate).
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# Multicast group management from upstream.
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# DHCPv6 client replies (UDP 546), needed for wan6.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Multicast Listener Discovery, only from link-local sources.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 the router itself must accept (NDP, PMTUD, echo), rate limited.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 forwarded to hosts behind the router (any dest zone), rate limited.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# --- Stock OpenWrt rules that FORWARD IPsec from the Internet to LAN hosts.
# No 'family' is set, so they apply to both IPv4 and IPv6. For IPv4 behind
# masquerading they only matter together with a port-forward (DNAT); for
# IPv6, where LAN hosts have globally routable addresses, they let
# unsolicited ESP and IKE (UDP 500) reach any LAN host directly.
# NOTE(review): if no LAN host terminates IPsec, these two rules can be
# removed; they are unrelated to the problem in this thread.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# WireGuard zone. input 'ACCEPT' means whoever sits at the far end of the
# tunnel (the remote peer, or anything it routes to 10.66.66.2) can reach
# every listener on this router -- SSH, LuCI, DNS, and the services the
# poster is setting up. That is the same trust level as the LAN.
# NOTE(review): if the peer is a commercial VPN provider or otherwise not
# fully trusted, set input 'REJECT' here and add explicit rules for
# whatever the tunnel genuinely needs to reach.
config zone
        option name 'wg0'
        option input 'ACCEPT'
        option output 'ACCEPT'
        # no wg0 -> wg0 forwarding
        option forward 'REJECT'
        list network 'wg0'
        # LAN traffic leaving via the tunnel is NATed to 10.66.66.2
        option masq '1'

# LAN may initiate through the tunnel; there is no wg0 -> lan forwarding,
# so the remote side cannot open connections to LAN hosts.
config forwarding
        option src 'lan'
        option dest 'wg0'

# Policy-based routing (the 'pbr' package) hooks its own rule set into every
# firewall reload. The script itself is not shown here; presumably it is
# what decides which traffic is steered over wg0 or tun0 -- confirm by
# reading /etc/config/pbr. It does not touch zone input policies.
config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

This shows that there is no restriction from the LAN: the lan zone has input = ACCEPT, so LAN hosts may connect to any service listening on the router without extra firewall rules.

Are you sure the service is actually running and listening? Post the output of the following, and check the "Local Address" column: a service bound to 127.0.0.1 is only reachable from the router itself, not from the LAN.

netstat -plnt

The -t flag restricts the output to TCP, so UDP listeners (udp2raw, for example) won't show up. Better use netstat -pln, which lists both TCP and UDP sockets.


My service does not appear in the netstat -pln output, so there must be an issue with the services themselves rather than the firewall, correct? I'll have to investigate what's wrong with them.

Thank you so much for helping guys

Check the logs to see if your service is starting properly (or at all), or if it is hitting errors.

Here are some things to try, where "blah" stands for the service name or some distinctive part of it:

$ service
... list of services and their status ...

$ logread -e blah
$ dmesg | grep -i blah
... both of these might show any error messages ...
