HTTP(S) port forwarding makes LuCI inaccessible

I just received my Netgear R7800 and I have installed OpenWrt 18.06.1. I am manually transferring my configuration over from my old router (i.e. re-entering the data via LuCI). As I make changes I perform a SAVE-APPLY. However, when I enter my HTTP/HTTPS port forwarding rules and SAVE-APPLY, I lose LuCI connectivity. I can access the router via ssh but LuCI no longer works. I get "The Site cannot be reached" in my browser (Google Chrome). This configuration works fine on my old router (TP-Link Archer C7 v2) running LEDE Reboot 17.01.5. What am I missing?

Can you show us this old and new config?

What's the best way to do that? What file(s) should I make available?

  • Screenshot of the old and new LuCI...
  • Copy of old and new /etc/config/firewall
  • Description of what you're port forwarding to
  • Whatever way you have a copy of the old config, please show.

Thanks.

I am trying to forward ports 80 and 443 to my web server. BTW, I just tried to remove the REDIRECTS (80/443) from the /etc/config/firewall and I reloaded the firewall (/etc/init.d/firewall reload) but that didn't seem to have any effect. LuCI still inaccessible.

New /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '80'
	option dest_ip '10.3.17.26'
	option dest_port '80'
	option name 'HTTP'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '443'
	option dest_ip '10.3.17.26'
	option dest_port '443'
	option name 'HTTPS'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '3690'
	option dest_ip '10.3.17.26'
	option dest_port '3690'
	option name 'SVN'

Old /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpn_client'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option network 'vpn_client'

config forwarding
	option dest 'lan'
	option src 'vpn_client'

config forwarding
	option dest 'vpn_client'
	option src 'lan'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '80'
	option dest_ip '10.3.17.26'
	option dest_port '80'
	option name 'HTTP'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '443'
	option dest_ip '10.3.17.26'
	option dest_port '443'
	option name 'HTTPS'

config redirect
	option enabled '1'
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '3690'
	option dest_ip '10.3.17.26'
	option dest_port '3690'
	option name 'SVN'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '1194'
	option name 'Allow-OpenVPN-Inbound'
	option src '*'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

LuCI's web server is uhttpd. The default /etc/config/uhttpd has uhttpd listening on all interfaces:

	list listen_http '0.0.0.0:80'

By default, WAN port 80 is blocked in the firewall, so LuCI actually only works on the LAN. If you open port 80 for something else, there is now a conflict. So you should change the uhttpd port to something other than 80, or specify the LAN IP instead of 0.0.0.0 in /etc/config/uhttpd so that it does not try to bind to the WAN.
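
As an added example (not from the thread, and not OpenWrt's own code), here is a POSIX sh check for the collision mk24 describes: it lists the ports on which uhttpd binds a wildcard address, lists the TCP ports that `config redirect` sections DNAT from the wan zone, reports the overlap, and emits the narrowed listen lines. It parses UCI text directly, so it runs without the `uci` binary. The two config snippets are constructed samples modelled on this thread, and the LAN address 10.3.17.1 used for the fix is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: implement the check mk24 describes.
# Parses UCI-syntax text directly (no `uci` binary needed).
# UHTTPD_CFG and FIREWALL_CFG are constructed samples; 10.3.17.1 is an
# assumed LAN address.

UHTTPD_CFG=$(cat <<'EOF'
config uhttpd 'main'
    list listen_http '0.0.0.0:80'
    list listen_http '[::]:80'
    list listen_https '0.0.0.0:443'
    list listen_https '[::]:443'
    option home '/www'
EOF
)

FIREWALL_CFG=$(cat <<'EOF'
config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp'
    option src_dport '80'
    option dest_ip '10.3.17.26'
    option name 'HTTP'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp'
    option src_dport '443'
    option dest_ip '10.3.17.26'
    option name 'HTTPS'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'udp'
    option src_dport '80'
    option dest_ip '10.3.17.26'
    option name 'udp-only-no-clash'
EOF
)

# Print, one per line, the ports on which uhttpd binds a wildcard address
# (IPv4 0.0.0.0 or IPv6 [::]), i.e. listeners that also exist on the WAN side.
uhttpd_wildcard_ports() {
    printf '%s\n' "$1" |
    sed -n "s/^[[:space:]]*list[[:space:]]*listen_https*[[:space:]]*'\([^']*\)'.*/\1/p" |
    while IFS= read -r addr; do
        case "$addr" in
            0.0.0.0:*|'[::]:'*) printf '%s\n' "${addr##*:}" ;;
        esac
    done | sort -n -u
}

# Print the TCP ports (src_dport) that redirect sections DNAT from the wan
# zone. An unset proto defaults to "tcp udp" in fw3, so it counts as TCP.
wan_redirect_ports() {
    printf '%s\n' "$1" | awk -v q="'" '
        function flush() {
            if (sec == "redirect" && src == "wan" && (proto == "" || proto ~ /tcp/) && port != "")
                print port
            sec = ""; src = ""; proto = ""; port = ""
        }
        $1 == "config" { flush(); sec = $2 }
        $1 == "option" {
            val = $0
            sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val)   # keep only the value
            gsub(q, "", val)                                  # drop the quotes
            if ($2 == "src") src = val
            else if ($2 == "proto") proto = val
            else if ($2 == "src_dport") port = val
        }
        END { flush() }' | sort -n -u
}

# Ports present in both lists: a wildcard uhttpd listener and a WAN DNAT
# redirect on the same TCP port.
listen_conflicts() {
    wan_ports=$(wan_redirect_ports "$2")
    for p in $(uhttpd_wildcard_ports "$1"); do
        for r in $wan_ports; do
            if [ "$p" = "$r" ]; then printf '%s\n' "$p"; fi
        done
    done
}

# mk24's fix: bind the LAN address instead of the IPv4 wildcard. The IPv6
# wildcard lines are left for the admin to narrow to a LAN address as well.
pin_listen_to_lan() {
    lan_ip=$1
    printf '%s\n' "$2" | sed "s/'0\.0\.0\.0:/'$lan_ip:/"
}

conflicts=$(listen_conflicts "$UHTTPD_CFG" "$FIREWALL_CFG")
if [ -n "$conflicts" ]; then
    printf 'uhttpd wildcard listeners collide with WAN redirects on port(s):'
    printf ' %s' $conflicts; printf '\n'
    echo "Suggested listen lines (assumed LAN IP 10.3.17.1):"
    pin_listen_to_lan 10.3.17.1 "$UHTTPD_CFG" | grep listen_
fi
```

On the router itself, feed the live files in with `listen_conflicts "$(cat /etc/config/uhttpd)" "$(cat /etc/config/firewall)"`; an empty result means no wildcard listener shares a TCP port with a WAN port forward.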

I see nothing wrong, nor do I see a need to change the uHTTPd port, honestly.

  • Does HTTPS work when you create the port forward?
  • I would try @mk24's suggestion.

Interesting. My /etc/config/uhttpd has nothing but ^@ entries on one line (when viewed in vi), whereas my old router appears to have a valid /etc/config/uhttpd file. Is the /etc/config/uhttpd file corrupt on my new router? If so, how did this happen!?

Yep, that is the problem. My /etc/config/uhttpd is getting corrupted somehow. I just reset the router back to defaults and it now has a valid /etc/config/uhttpd. The only other extra package I installed was OpenVPN.

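As an added example (not from the thread, and not OpenWrt's own code), here is a POSIX sh scan for the symptom the OP found: a UCI config file that consists of NUL bytes (what vi shows as ^@), plus files that no longer contain a single `config` stanza. Rather than opening each file in vi, it walks a config directory and names the damaged files. The sample directory and its three files are constructed in a temp dir so the check runs offline; the file names and the uhttpd content are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: find UCI config files that are
# NUL-filled (shown by vi as ^@) or have lost every `config` stanza.
# make_sample_dir builds a constructed /etc/config look-alike in a temp dir.

# Report each regular file in DIR that contains NUL bytes or has no
# `config` line. Output: one "<path>: <reason>" line per damaged file.
find_corrupt_uci_configs() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        total=$(wc -c < "$f" | tr -d ' ')
        text=$(tr -d '\000' < "$f" | wc -c | tr -d ' ')
        if [ "$total" -ne "$text" ]; then
            printf '%s: %d NUL byte(s)\n' "$f" $((total - text))
        elif ! grep -q '^[[:space:]]*config[[:space:]]' "$f"; then
            printf '%s: no config stanza\n' "$f"
        fi
    done
}

# Constructed sample: a healthy uhttpd file, a firewall file overwritten with
# 1 KiB of NUL bytes like the OP's uhttpd, and a network file holding only
# blank lines. Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/uhttpd" <<'EOF'
config uhttpd 'main'
    list listen_http '0.0.0.0:80'
    list listen_https '0.0.0.0:443'
    option home '/www'
    option rfc1918_filter '1'
EOF
    dd if=/dev/zero bs=1024 count=1 of="$d/firewall" 2>/dev/null
    printf '\n\n' > "$d/network"
    printf '%s\n' "$d"
}

SAMPLE_DIR=$(make_sample_dir)
find_corrupt_uci_configs "$SAMPLE_DIR"
rm -rf "$SAMPLE_DIR"
```

On a real router run `find_corrupt_uci_configs /etc/config`. OpenWrt squashfs images keep the read-only factory root mounted at /rom, so a damaged file can be diffed against /rom/etc/config/<name> before deciding whether to restore it or reset, as the OP did.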