I can't reach wireless NAS from PCs

Here is my network diagram. I want to reach the wireless NAS from the PCs.

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd95:65dd:ecdc::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'

/etc/config/firewall

config defaults
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option input 'REJECT'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-SSH'
        list proto 'tcp'
        option src 'wan'
        option src_port '22'
        option dest_port '22'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        list proto 'tcp'
        option src_dport '80'
        option dest_port '80'
        option dest_ip '192.168.4.1'
        option src 'wan'
        option dest 'lan'
        option name 'OpenWRT WebUI'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'SSH'
        list proto 'tcp'
        option src 'wan'
        option src_dport '22'
        option dest_ip '192.168.4.1'
        option dest_port '22'

You need to create a port forward in your OpenWrt router that forwards any relevant ports from the WAN of the OpenWrt device to 192.168.4.11.

I tried this but it didn't work. I also created an ICMP forward rule. I couldn't ping the device from the PCs, but I can ping it from a cell phone.

I can also log in to the web UI or SSH from the PCs.

I don't see these rules in your firewall file. Did you remove them?

Also, what ports do you need for your NAS? If you will be using ports 22 and/or 80, those will conflict with your desire to have the OpenWrt web UI accessible from the upstream network. You'll have to make some changes to the ports to accommodate.

You may find that you will be better served by turning off NAT masquerading and instead using a static route on your main router (if supported).

FWIW, what IP address are you trying to access from the PCs to the NAS?

192.168.4.11 will never work.

You need to access the NAS using IP address 192.168.3.2 after setting up port forwarding rules on Xiaomi.

Also, what type of NAS are you using, and what method/protocol are the PCs going to use to access the NAS? (e.g. SMB, FTP?)

I feel it would be better to remove NAT / masquerading and properly set up static routes on all the routers, if that is possible.

Yes, when I added a static route to the main router, this solved the problem.

Thank you for your help.
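
One way the routed (no-NAT) setup suggested in the thread could look in /etc/config/firewall on the OpenWrt router, as an added example that is not taken from any poster's configuration. Assumptions: the upstream network is 192.168.3.0/24, 192.168.3.2 is the OpenWrt WAN address (inferred from the reply above), the NAS at 192.168.4.11 serves SMB on TCP 445, and the rule name is made up.

```uci
# On the main router (vendor-specific UI, shown here only as values):
#   destination 192.168.4.0  netmask 255.255.255.0  gateway 192.168.3.2
# Without this route the main router sends 192.168.4.x to its own default
# route, so PCs can only reach the NAS through a port forward on 192.168.3.2.

# wan zone as posted, with masquerading turned off so that the NAS sees
# the real 192.168.3.x source addresses instead of the router's own.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '0'
        option mtu_fix '1'

# The posted config only forwards lan -> wan, so new connections from the
# upstream network towards the LAN are rejected unless a rule allows them.
# Scope the rule to the upstream subnet, the NAS address and the service
# port instead of adding a blanket wan -> lan forwarding section.
config rule
        option name 'Allow-Upstream-To-NAS'
        option src 'wan'
        option src_ip '192.168.3.0/24'
        option dest 'lan'
        option dest_ip '192.168.4.11'
        list proto 'tcp'
        option dest_port '445'
        option family 'ipv4'
        option target 'ACCEPT'

# Optional: let the upstream PCs ping the NAS for troubleshooting.
config rule
        option name 'Allow-Upstream-Ping-NAS'
        option src 'wan'
        option src_ip '192.168.3.0/24'
        option dest 'lan'
        option dest_ip '192.168.4.11'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
```

With masquerading off, hosts on 192.168.4.0/24 reach the Internet only if the main router also performs NAT for that subnet, which the static route makes possible by giving it a return path.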
