LuCI or SSH access on WAN port connected to local LAN

Hi Folks,

I'm sure this is going to be an obvious and easily resolved post/question, but I'm really struggling to figure out what I'm doing wrong. Yes, I'm new to OpenWrt, but I have some knowledge (therefore dangerous! lol) - I have been reading the docs and posts and learning.

I'm playing with/trialling a Netgear R7800, with a view that it becomes my replacement router for my BT Smart Hub 6A. (I'm also getting an HG612 modem.)

I have flashed hnyman/openwrt latest master FW on it successfully and have been familiarising myself with the LuCI interface, enabling wifi etc ... Currently I directly connect PC -> r7800 via ethernet or wifi, but as the WAN interface isn't connected to anything/the internet I can't read forums/access the web at the same time as being connected and playing.

So I would like to temporarily access the r7800 on my current "live" network served by the BT Hub. So I have connected the WAN port of the r7800 via ethernet to a switch on the LAN side of the BT Hub. The BT Hub diligently gives the r7800 an IP (I can see this if I connect via wifi to the r7800), 192.168.1.20 from my specified DHCP range in the BT Hub, and my plan is to port forward access to LuCI and then SSH (temporarily - I know that would not be wise when I have it connected to a modem). But I can't seem to get it to work.

I have ensured dropbear is accepting on any/all interfaces (https://blog.differentpla.net/blog/2015/05/27/openwrt-ssh-wan/) and I have tried various GUI ways to forward the port under Network > Firewall > Port Forwards, but can't get a ping / login or response on 192.168.1.20 on the BT side of the LAN.

I have tried adding a forward TCP source:wan external port 80 (also tried 22 & 443)

with no other settings but also various combinations of destination LAN / internal IP 192.168.1.1(r7800 DHCP LAN table) internal ports etc ...

And I'm just confusing myself, as all I get is no response on the BT LAN 192.168.1.20 address at all. I have a suspicion that it might be the whole theory of what I'm trying to do that is messing with me!
(I did consider connecting the LAN side of the r7800 to the LAN side of the BT router and disabling the DHCP on openwrt to stop it conflicting)

So, yes a "solution" would be great but also maybe some tip on how to debug this as I will be forwarding ports in anger when I go live!

I assume I'm also better off setting up SSH and configuring over the CLI, but the GUI is just easy as I'm starting ...

Thanks and sorry if this is all a bit dull/basic

HNY and all the very best
Taemo

Also just tried adding "traffic rules" and forward IPv4 & v6 from WAN to LAN accept.

And still nothing .... need to understand the difference between traffic rules, port forwards and zones in my reading ...

Taemo

Why not connect your ethernet cable directly to the r7800?

But the main issue is probably your 6A and the r7800 both use the 192.168.1 subnet...

Thank you for your reply.

Ethernet cable is connected directly to the r7800 -> 6A (via a switch), if you mean connect the ethernet directly PC-r7800, yes that works but then I have no wider network access on the PC, so I want to "add" the r7800 to my existing network.

The 192.168.1 subnet of the 6A should not impact the r7800 if I'm connecting the r7800 via the WAN interface to the 6A network. I believe/think it's true that the 6A then just functions like the ISP would and assigns an IP to the r7800 (192.168.1.20).

Then on the LAN side of the r7800 it's free to use any IP numbering system, and it does use 192.168.1.X.

Taemo

Any IP numbering system, except the same as on its WAN side... The only forbidden one is 192.168.1.x, as the 6A already uses it.

If you have the same subnet on wan and lan, the router gets confused for routing.

Much easier might be to config the R7800 as a dumb AP and connect it via a LAN port, and leave WAN empty. Then it naturally can use 192.168.1.x as it is on the same LAN side. E.g. 192.168.1.2, and then set DNS and gateway to the main router's 192.168.1.1.
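To make the clash described above concrete, here is an added example (my own shell script, not code from the thread or from OpenWrt) that pulls the LAN address out of `uci export network` text and checks it against the WAN lease. The sample config and the 192.168.1.20 lease are constructed from what the thread reports; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt: a check for the
# WAN/LAN subnet clash described above ("the same subnet on wan and lan").
# Pure POSIX shell arithmetic plus awk, so it runs on OpenWrt's BusyBox ash as
# well as on a desktop. Addresses follow the thread: the BT Hub leased
# 192.168.1.20/24 to the R7800's WAN while its LAN kept the default
# 192.168.1.1/24. The function names and the sample config are my own.

# Dotted quad -> 32-bit integer. Returns 1 unless it is exactly 4 octets 0-255.
ip2int() {
    local IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# subnets_overlap IP1 MASK1 IP2 MASK2 -> prints "overlap" or "ok".
# Two prefixes share addresses exactly when their network addresses agree under
# the shorter (numerically smaller) of the two masks.
subnets_overlap() {
    local a b m1 m2 m
    a=$(ip2int "$1") && m1=$(ip2int "$2") &&
        b=$(ip2int "$3") && m2=$(ip2int "$4") || return 1
    if [ "$m1" -lt "$m2" ]; then m=$m1; else m=$m2; fi
    if [ $(( a & m )) -eq $(( b & m )) ]; then echo overlap; else echo ok; fi
}

# uci_option IFACE NAME: value of "option NAME" inside "config interface 'IFACE'"
# from 'uci export network' text on stdin.
uci_option() {
    awk -v iface="$1" -v name="$2" -v q="'" '
        $1 == "config" { cur = ($2 == "interface") ? $3 : ""; gsub(q, "", cur) }
        $1 == "option" && $2 == name && cur == iface {
            v = $3; gsub(q, "", v); print v; exit }'
}

# check_clash WAN_IP WAN_MASK NETWORK_CONFIG -> "overlap" or "ok".
# WAN is DHCP, so its lease is passed in (on the router it comes from
# 'ifstatus wan'); the LAN side is read from the config text.
check_clash() {
    local lan_ip lan_mask
    lan_ip=$(printf '%s\n' "$3" | uci_option lan ipaddr)
    lan_mask=$(printf '%s\n' "$3" | uci_option lan netmask)
    [ -n "$lan_ip" ] && [ -n "$lan_mask" ] || return 1
    subnets_overlap "$1" "$2" "$lan_ip" "$lan_mask"
}

# Constructed sample of 'uci export network' as flashed (LAN still 192.168.1.1/24).
SAMPLE_NETWORK="package network

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'

config interface 'wan'
    option device 'wan'
    option proto 'dhcp'
"

echo "default LAN vs 6A lease 192.168.1.20/24: $(check_clash 192.168.1.20 255.255.255.0 "$SAMPLE_NETWORK")"
echo "LAN moved to 192.168.100.1/24:           $(subnets_overlap 192.168.1.20 255.255.255.0 192.168.100.1 255.255.255.0)"
```

On the router the same check is `check_clash "$wan_ip" "$wan_mask" "$(uci export network)"`, with the lease values read from `ifstatus wan`; anything other than "ok" means the LAN prefix has to move, which is exactly the 192.168.100.x change the thread ends up with.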

Exactly,

set a fixed 192.168.1.x IP (or a static DHCP lease in the 6A) on the R7800, and hook it up via a LAN port.

Excellent, thanks hnyman & forllic - great reply.

If you have the same subnet on wan and lan, the router gets confused for routing.
This makes a lot of sense

R7800 as dumb AP
Yes, I did consider doing this above, just by disabling DHCP on the r7800 LAN side. I just want to learn about port forwarding for the future, so took the WAN route.

Cheers both
Taemo

Maybe flogging a dead horse .... but the other option should be to change the IP numbering system on the r7800 LAN side to something other than 192.168.1.x; that way it wouldn't clash and should still allow me to play/learn with the WAN/firewall.

That's correct.

Yes, but just remember that then you have a double NAT with two stacked firewalls. The OpenWrt router is not accessible from internet. To test port forwarding, you would need to first config forward in the first router from internet to the OpenWrt router, and then config the OpenWrt router to forward into your PC. Quite possible, but cumbersome.

Ok thanks for your excellent help.

Just to close off this thread ...

Attaching the LAN on the r7800 to the LAN on my 6A internal network worked if I turned off DHCP and set a static IP. But obviously it stopped me playing with the firewall port forward. So reverting back to the standard master hnyman FW & setting then ...

As above, I changed the IP address of the LAN side of the r7800 to something other than the IP address nomenclature that the 6A was handing out, in my case the r7800 to 192.168.100.x, and plugged an ethernet cable in between my 6A LAN and the r7800 WAN port.
This post was very useful, as I had problems that changing the LAN IP via LuCI doesn't really work as OpenWrt tries to recover .... [Solved] How to correctly change router LAN's IP address?

The 6A gave the r7800 the IP 192.168.1.20 which I could now ping OK

Then, logging into the r7800 via the wifi on another laptop, I could use a port forward to forward port 80 to the r7800 and BOOM :) I can access LuCI on my local 6A LAN.

And yes, there is a yucky double NAT happening if you're connected to the r7800, but devices on it can see the internet. And yes, if I wanted to go further as hnyman suggested above I would need to forward the first router. No need, as the things I wanted to test are working. So I'm all done.

This "If you have the same subnet on wan and lan, the router gets confused for routing." was the problem that was confusing me.

Thanks all much appreciated the support.

The simple "Port forward" looked like this

I'm a bit confused about why you are double-NAT'ing. If you set the LAN address, gateway, and DNS properly, your OpenWrt router can be on the same LAN as your main router (your 6A). Further, you should be able to reach LuCI and SSH to administer the device without any special settings.

Finally, the preferred method of opening ports to the router itself is not using the port forward method, but rather using the Traffic Rules. For what you are doing on a trusted network (behind a firewall), this is fine. However, ssh and LuCI should never be opened to the internet as a whole (in other words, do not open the ports if the OpenWrt is directly connected to the internet, including DMZ'd from the upstream router).
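The traffic rule versus port forward distinction in the reply above, as an added example that is not part of the original thread or of OpenWrt: my own shell script that prints the `uci` commands for both shapes and audits a firewall config for the case the reply warns against. It assumes the WAN zone is named `wan` (the OpenWrt default), that the trusted upstream LAN is 192.168.1.0/24 as in the thread, and uses rule names, function names and a sample config that are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt: the two firewall
# shapes the thread contrasts for reaching LuCI/SSH on the R7800 through its WAN
# port from the upstream (BT Hub) LAN, written as 'uci' commands, plus an audit
# for what the reply warns against (admin ports accepted from the wan zone with
# no source restriction). The functions print commands instead of running them,
# so this runs anywhere; on the router: admin_input_rule 192.168.1.0/24 | sh
# Assumed: zone named 'wan' (OpenWrt default), upstream LAN 192.168.1.0/24 as in
# the thread, and rule/redirect names of my own.

# (a) What the original poster did: a DNAT redirect from wan to the router's own
# LAN address. It works, but a redirect is meant for hosts behind the router;
# for the router itself the input rule in (b) is the right tool.
admin_redirect() {  # admin_redirect ROUTER_LAN_IP PORT
    cat <<EOF
uci add firewall redirect
uci set firewall.@redirect[-1].name='luci-via-wan'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].src_dport='$2'
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].dest_ip='$1'
uci set firewall.@redirect[-1].dest_port='$2'
uci set firewall.@redirect[-1].proto='tcp'
EOF
}

# RFC 1918 check, used to refuse a rule whose source would be the whole internet.
is_private_cidr() {
    case $1 in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# (b) Traffic rule: accept TCP into the router itself (no 'dest' means INPUT)
# from the wan zone, but only from the trusted upstream subnet.
admin_input_rule() {  # admin_input_rule TRUSTED_CIDR [PORTS]
    is_private_cidr "$1" || { echo "refusing non-private source '$1'" >&2; return 1; }
    cat <<EOF
uci add firewall rule
uci set firewall.@rule[-1].name='admin-from-upstream-lan'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].src_ip='$1'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='${2:-22 80 443}'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
/etc/init.d/firewall reload
EOF
}

# Audit 'uci export firewall' text on stdin: print each rule or redirect that lets
# TCP in from the wan zone with no src_ip, i.e. open to whatever sits upstream.
# UDP/ICMP stock rules such as Allow-DHCP-Renew and Allow-Ping are skipped.
audit_wan_admin() {
    awk -v q="'" '
        function emit() {
            if (type != "" && o["src"] == "wan" && o["src_ip"] == "" &&
                o["target"] != "REJECT" && o["target"] != "DROP" &&
                (o["proto"] == "" || o["proto"] ~ /tcp/)) print type ": " o["name"]
            type = ""; split("", o)
        }
        $1 == "config" { emit(); if ($2 == "rule" || $2 == "redirect") type = $2 }
        $1 == "option" && type != "" {
            v = $0; sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v); gsub(q, "", v)
            o[$2] = v
        }
        END { emit() }'
}

# Constructed sample of 'uci export firewall': one stock rule, one rule that is
# exactly what the reply says never to do, and the restricted rule from (b).
SAMPLE_FW="package firewall

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'

config rule
    option name 'ssh-from-anywhere'
    option src 'wan'
    option proto 'tcp'
    option dest_port '22'
    option target 'ACCEPT'

config rule
    option name 'admin-from-upstream-lan'
    option src 'wan'
    option src_ip '192.168.1.0/24'
    option proto 'tcp'
    option dest_port '22 80 443'
    option target 'ACCEPT'
"

admin_input_rule 192.168.1.0/24
echo "== wan-facing admin access with no source restriction =="
printf '%s\n' "$SAMPLE_FW" | audit_wan_admin
```

The rule in (b) is what Network > Firewall > Traffic Rules produces when the source zone is wan, the destination zone is "Device (input)", and the source address is filled in; leaving the source address empty is the "open to the internet" case, and on the router `uci export firewall | audit_wan_admin` lists every such entry before the box is moved in front of the modem.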

I'm a bit confused about why you are double-NAT'ing. If you set the LAN address, gateway, and DNS properly, your OpenWrt router can be on the same LAN as your main router (your 6A). Further, you should be able to reach LuCI and SSH to administer the device without any special settings.

I was only using the WAN -> 6A LAN connection as a trial before I place the r7800 as my main router. I wanted a way I could use the firewall and see the logs .... for the very reason of your next point .... the double NAT was just a consequence, but will not be doing that when the r7800 is connected to a hg612 modem.

Finally, the preferred method of opening ports to the router itself is not using the port forward method, but rather using the Traffic Rules.

Thank you for this advice, this is exactly the reason why I was doing this, to learn about many options I now have. I will now move from a Port Forward to a Firewall Rule and understand the difference.

However, ssh and LuCI should never be opened to the internet as a whole (in other words, do not open the ports if the OpenWrt is directly connected to the internet, including DMZ'd from the upstream router).

Thank you, understood and agree with both points there. My plan is also to learn/configure a WireGuard VPN - which I'm also expecting not to function quite right due to the double NAT.

Thanks for your feedback, it's really useful, especially about the firewall rule vs port forward.

Jamie

Sounds good. With your new explanation, my thoughts are:

  • You have a good plan to learn how to use and configure OpenWrt (and work with additional packages) while safely behind your existing firewall/router, as this will reduce the likelihood of disrupting your internet access for your home as well as prevent accidental security exposure as you play with the system.
  • In this context, you are actually better off running your OpenWrt in normal router mode (i.e. creating double NAT) so that you can actually have the traffic route through the system rather than just switching through. My apologies for providing advice earlier to the contrary -- I now understand your goals better and thus a different strategy is warranted.
  • If you want to be able to easily experiment with OpenWrt, would highly recommend that you consider using (purchasing, if necessary) a second OpenWrt capable device (or using a virtual machine) so that you have a sandbox/playground/lab environment that has little-to-no consequence if things go wrong -- you'll have a 'production' that will serve your network, and a 'test/dev' system to use for experimentation/learning.
  • As you figure out what you want to do with the router (configurations, additional packages, etc.), document it, then reset the device to defaults and re-create your configuration. This will allow you to ensure you have a clean starting point for your configuration (good for cleaning up any mistakes, etc. that might otherwise be forgotten). It will also allow you to verify that you totally understand what you are aiming to do.
  • You can take backups at any time -- this is a good idea, especially as you close in on your 'production' setup. If you mess up, simply reset to defaults, restore the backup, and install any additional packages as needed.