No access from internet behind a modem & DMZ

Hi,
I am disappointed, not able to get access from outside.
The modem does not permit bridge mode.

Livebox Orange is the modem (192.168.0.1) > DMZ to OpenWrt (192.168.0.11) > OpenWrt (192.168.1.1)
On the modem, I forward 80 & 443 to OpenWrt & the firewall is disabled.
DDNS is correct on OpenWrt.

Some firewall extract:

config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'

config rule
option src_port '80'
option src 'wan'
option name '80'
option target 'ACCEPT'
option dest_port '80'
option proto 'tcp udp'
option dest 'lan'
option enabled '0'

config rule
option src_port '443'
option src 'wan'
option name '443'
option target 'ACCEPT'
option dest_port '443'
option proto 'tcp udp'
option dest 'lan'
option enabled '0'

config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'TCP'
option src_dport '443'
option dest_ip '192.168.1.159'
option dest_port '443'
option name 'AT9192_https'

Network definition

config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd48:2080:194b::/48'

config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '8.8.8.8'
list dns '8.8.4.4'

config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'

config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr 'c0:4a:00:50:fd:6b'

config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'

config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'

config interface 'nordvpn_vpn'
option proto 'none'
option ifname 'tun0'
option metric '10'

config interface 'vpn0'
option ifname 'tun0'
option proto 'none'
option auto '1'

Any idea? Thanks in advance.
Arnaud

I see several "enabled '0'" lines in that firewall configuration...


Yep, changed, but same result :(

The 2 rules will never be matched, because you are using source and destination ports 80 and 443. You shouldn't specify the source port. Furthermore, this will work in IPv6 only. For IPv4 you'll need redirects.
The redirect should work. Install tcpdump on the router and verify that you can see the packets coming from the modem.
tcpdump -i eth0.2 -vvn tcp port 443

Move the

list dns '8.8.8.8'
list dns '8.8.4.4'

from lan to wan interface if you don't want to use the resolver of the modem.


Hello @trendy, thanks for your help. I am really trying to understand, but I really have no idea of what is wrong.

seems to work fine

22:22:13.092011 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 83)
192.168.0.11.20275 > 99.81.213.165.443: Flags [P.], cksum 0x98ac (correct), seq 580:611, ack 3574, win 1041, options [nop,nop,TS val 1327618998 ecr 2376358377], length 31
22:22:13.092056 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.11.20275 > 99.81.213.165.443: Flags [F.], cksum 0x0455 (correct), seq 611, ack 3574, win 1041, options [nop,nop,TS val 1327618998 ecr 2376358377], length 0

Move DNS to LAN: done.

Source port updated:

config rule
option src 'wan'
option name '443'
option target 'ACCEPT'
option dest_port '443'
option proto 'tcp udp'
option dest 'lan'

config rule
option src 'wan'
option name '80'
option target 'ACCEPT'
option dest_port '80'
option proto 'tcp udp'
option dest 'lan'

But same problem: "ERR_CONNECTION_REFUSED" on ports 443 & 80. ERR_CONNECTION_TIMED_OUT on other open ports :(

I told you that you need redirects, not rules.

config redirect
 option target 'DNAT'
 option src 'wan'
 option proto 'tcp'
 option src_dport '443'
 option dest_ip 'IP_OF_THE_HTTPS_SERVER'
 option dest_port '443'
 option name 'Allow-HTTPS'
 option dest 'lan'
 option reflection '1'

OK, I deleted the rule. But redirections were defined (and worked fine before).

This is not fine.
The first redirect is forwarding all TCP traffic to itself.
If you want to open ports on the router, this is not the way, and it is not advised to open LuCI to the internet, as it is quite vulnerable.

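Added example for this page (not code from any post in the thread, and not OpenWrt code): a small Python checker for the mistakes pointed out in the two replies above, run against a constructed copy of the posted firewall sections. It parses UCI file syntax (`config` / `option` / `list`) and flags a `src wan` rule that sets `src_port` (clients connect from ephemeral source ports, so it never matches), a `src wan` / `dest lan` rule used where IPv4 needs a DNAT redirect, a section left at `enabled '0'`, and a redirect whose `dest_ip` is the router's own LAN address. The router address 192.168.1.1 comes from the posted network config; the sample text is assembled from the posted sections.

```python
"""Lint an OpenWrt fw3-style /etc/config/firewall for the mistakes discussed
in this thread. Added example for this page; it is not OpenWrt code and not
code from any post above. It only understands UCI file syntax
(config / option / list lines), not `uci show` output.
"""
import re

# Constructed sample: a reduced copy of the sections posted in the thread.
SAMPLE_FIREWALL = """
config rule
    option src_port '443'
    option src 'wan'
    option name '443'
    option target 'ACCEPT'
    option dest_port '443'
    option proto 'tcp udp'
    option dest 'lan'
    option enabled '0'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp'
    option src_dport '80'
    option dest_ip '192.168.1.1'
    option dest_port '80'
    option name 'http'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'TCP'
    option src_dport '443'
    option dest_ip '192.168.1.159'
    option dest_port '443'
    option name 'AT9192_https'

config rule
    option name 'Allow-OpenVPN'
    option target 'ACCEPT'
    option src 'wan'
    option dest_port '1194'
    list proto 'tcp'
    list proto 'udp'
"""

SECTION_RE = re.compile(r"^\s*config\s+(\S+)(?:\s+'?([^'\s]+)'?)?\s*$")
OPTION_RE = re.compile(r"^\s*(option|list)\s+(\S+)\s+'?([^']*?)'?\s*$")


def parse_uci(text):
    """Parse UCI file syntax into a list of (section_type, options).

    'option' keys map to a string, 'list' keys map to a list of strings.
    """
    sections = []
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), {})
            sections.append(current)
            continue
        m = OPTION_RE.match(line)
        if m and current is not None:
            kind, key, value = m.groups()
            if kind == "option":
                current[1][key] = value
            else:
                current[1].setdefault(key, []).append(value)
    return sections


def lint_firewall(text, router_lan_ip):
    """Return human-readable findings for inbound (src wan) rules and redirects."""
    findings = []
    for stype, opts in parse_uci(text):
        if stype not in ("rule", "redirect"):
            continue
        tag = f"{stype} '{opts.get('name', '<unnamed>')}'"
        if opts.get("enabled") == "0":
            findings.append(f"{tag}: enabled '0', the section is ignored by fw3")
        if opts.get("src") != "wan":
            continue
        if stype == "rule":
            if "src_port" in opts:
                findings.append(f"{tag}: src_port is set; clients connect from "
                                "ephemeral source ports, so this rule never matches")
            if opts.get("dest") == "lan":
                findings.append(f"{tag}: src wan -> dest lan is a forwarding rule; "
                                "for IPv4 an inbound service needs a DNAT redirect, not a rule")
        elif opts.get("dest_ip") == router_lan_ip:
            findings.append(f"{tag}: DNAT to the router's own LAN address; a service "
                            "on the router is opened with a plain ACCEPT rule (no dest), not a redirect")
    return findings


if __name__ == "__main__":
    for finding in lint_firewall(SAMPLE_FIREWALL, "192.168.1.1"):
        print(finding)
```

Run it against a copy of `/etc/config/firewall` pulled off the router with `scp`; the `AT9192_https` redirect in the sample produces no finding, which is the shape a correct inbound port forward to a LAN host has.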

@trendy, I always did it like that :(
If I want to access my NAS (AT9192) from outside, I forward ports (i.e. 993-->993)!

This is not safe??? So, what is the best way?
Thanks.
Arnaud

E.g. setting up incoming VPN connections.


OK :) it is in progress :)

@trendy,
Well, same issue with a VPN. Connection timeout!

Below a summary of my conf:

config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'

config zone
option name 'vpn'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'nordvpn_vpn'
option input 'REJECT'
option forward 'REJECT'

config forwarding
option src 'lan'
option dest 'wan'

config forwarding
option src 'lan'
option dest 'vpn'

config forwarding
option src 'vpn'
option dest 'wan'

config forwarding
option src 'vpn'
option dest 'lan'

config rule
option name 'Allow-OpenVPN'
option target 'ACCEPT'
option src 'wan'
option dest_port '1194'
list proto 'tcp'
list proto 'udp'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'

config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd48:2080:194b::/48'

config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'

config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
#list dns '8.8.8.8'
#list dns '8.8.4.4'

config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr 'xx:xx:xx:50:fd:6b'

config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'

config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'

config interface 'nordvpn_vpn'
option proto 'none'
option ifname 'tun0'
option metric '10'

config interface 'vpn0'
option ifname 'tun0'
option proto 'none'
option auto '1'

tcpdump -i eth0.2 -vvn tcp port 443 & tcpdump -i eth0.2 -vvn tcp port 80 are correct

If I change the WAN output zone to 'accept', I can access my OpenWrt using https.

A DMZ to OpenWrt (192.168.0.1)
NAT on modem: 443 forwarded to 1194:

VPN is running

config openvpn 'vpn_server'
option dev 'tun'
option ifconfig '10.0.0.1 10.0.0.2'
option keepalive '10 60'
option log '/var/log/openvpn.log'
option status '/var/run/openvpn.status 5'
option mute '5'
option mode 'server'
option port '1194'
option route_gateway 'dhcp'
option persist_tun '1'
option persist_key '1'
option server '10.8.0.0 255.255.255.0'
option client_to_client '1'
option tls_server '1'
option cert '/etc/easy-rsa/pki/issued/vpn_server.crt'
option key '/etc/easy-rsa/pki/private/vpn_server.key'
option tls_auth '/etc/easy-rsa/pki/ta.key 0'
option user 'nobody'
option group 'nogroup'
option dh '/etc/easy-rsa/pki/dh.pem'
option ca '/etc/easy-rsa/pki/ca.crt'
option comp_lzo 'yes'
option enabled '1'
option proto 'tcp-server'
list push 'persist-key'
list push 'persist-tun'
list push 'user nobody'
list push 'topology subnet'
list push 'route-gateway dhcp'
list push 'redirect-gateway def1'
list push 'dhcp-option DNS 192.168.1.1'
list push 'block-outside-dns'
option verb '3'

VPN client

float
dev tun
proto udp
ca ca.crt
cert vpn_client.crt
key vpn_client.key
tls-auth ta.key 1
client
auth-nocache
remote-cert-tls server
remote xxx.domain.site 443

resulting in a timeout


Please help...
Thanks in advance.

Let's take a step back.

It actually is not.

22:22:13.092011 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 83)
192.168.0.11.20275 > 99.81.213.165.443: Flags [P.], cksum 0x98ac (correct), seq 580:611, ack 3574, win 1041, options [nop,nop,TS val 1327618998 ecr 2376358377], length 31
22:22:13.092056 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.11.20275 > 99.81.213.165.443: Flags [F.], cksum 0x0455 (correct), seq 611, ack 3574, win 1041, options [nop,nop,TS val 1327618998 ecr 2376358377], length 0

Both packets are traffic from a host in the LAN with IP 192.168.0.11 to some https server on the internet.
I don't see any incoming traffic from the internet to your https.
So first verify that your provider's router is indeed forwarding before we troubleshoot the OpenWrt part.
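Added example for this page (not code from any post in the thread): a Python script that classifies the flows in a `tcpdump -i eth0.2 -vvn tcp port 443` capture relative to the router's WAN address, so the check asked for above can be made mechanically rather than by eye. It parses the per-packet flow line tcpdump prints with `-vv` (`src.sport > dst.dport: Flags [..]`), counts packets leaving from the WAN address versus new connections (SYN) arriving at the WAN address on the service port, and answers "is the modem forwarding?" from that. The WAN address 192.168.0.11 and the two pasted packets come from the thread; the inbound SYN from 203.0.113.7 (a documentation address) is constructed to show what a forwarded connection would look like.

```python
"""Classify the flows in a `tcpdump -i eth0.2 -vvn tcp port 443` capture as
inbound or outbound relative to the router's WAN address. Added example for
this page, not code from any post above. It parses the second line tcpdump
prints per packet with -vv ("src.sport > dst.dport: Flags [..]").
"""
import re

WAN_IP = "192.168.0.11"      # OpenWrt WAN address on the Livebox LAN (from the thread)
SERVICE_PORT = 443

# The two packets pasted in the thread, verbatim.
POSTED_CAPTURE = """\
22:22:13.092011 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 83)
    192.168.0.11.20275 > 99.81.213.165.443: Flags [P.], cksum 0x98ac (correct), seq 580:611, ack 3574, win 1041, options [nop,nop,TS val 1327618998 ecr 2376358377], length 31
22:22:13.092056 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.0.11.20275 > 99.81.213.165.443: Flags [F.], cksum 0x0455 (correct), seq 611, ack 3574, win 1041, options [nop,nop,TS val 1327618998 ecr 2376358377], length 0
"""

# Constructed: what a connection forwarded by the modem would look like.
# 203.0.113.7 stands in for the remote client; the Livebox rewrites the
# destination to the DMZ host, so the packet arrives addressed to 192.168.0.11.
CONSTRUCTED_INBOUND = """\
22:23:01.000001 IP (tos 0x0, ttl 52, id 4242, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.7.51234 > 192.168.0.11.443: Flags [S], cksum 0x0000 (correct), seq 1, win 64240, options [mss 1460,nop,wscale 7], length 0
"""

FLOW_RE = re.compile(
    r"^\s*(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s*>\s*"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s*Flags\s*\[(?P<flags>[^\]]*)\]"
)


def parse_flows(capture):
    """Return a dict per 'src.sport > dst.dport: Flags [..]' line in the capture."""
    flows = []
    for line in capture.splitlines():
        m = FLOW_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            flows.append(d)
    return flows


def classify(flow, wan_ip=WAN_IP, service_port=SERVICE_PORT):
    """Direction of one packet relative to the service port on the WAN address."""
    if flow["dst"] == wan_ip and flow["dport"] == service_port:
        return "inbound-syn" if flow["flags"] == "S" else "inbound"
    if flow["src"] == wan_ip:
        return "outbound"
    return "other"


def summarize(capture, wan_ip=WAN_IP, service_port=SERVICE_PORT):
    """Count packets per direction."""
    counts = {"inbound-syn": 0, "inbound": 0, "outbound": 0, "other": 0}
    for flow in parse_flows(capture):
        counts[classify(flow, wan_ip, service_port)] += 1
    return counts


def modem_is_forwarding(capture, wan_ip=WAN_IP, service_port=SERVICE_PORT):
    """True only if at least one new connection (SYN) reached wan_ip:service_port."""
    return summarize(capture, wan_ip, service_port)["inbound-syn"] > 0


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else POSTED_CAPTURE
    print(summarize(text))
    print("modem forwarding:", modem_is_forwarding(text))
```

Usage on the router: `tcpdump -i eth0.2 -vvn tcp port 443 > cap.txt` while a phone on mobile data opens the public address, then `python3 check.py < cap.txt` on a PC. Until `inbound-syn` is non-zero the problem is in front of OpenWrt, and no firewall change on the router will help.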

192.168.0.11 is the IP of the OpenWrt router as seen by the ISP modem.
I tried some configurations:
DMZ activated & NAT 80-->80 Both + 443-->1194 Both
DMZ activated & no NAT
DMZ deactivated & NAT 80-->80 Both + 443-->1194 Both

Same results.
By the way, now I can access my NAS (5991) from the internet, but no access to OpenWrt.

openvpn.nordvpn_france=openvpn
openvpn.nordvpn_france.config='/etc/openvpn/nordvpn_france.ovpn'
openvpn.vpn_server=openvpn
openvpn.vpn_server.dev='tun'
openvpn.vpn_server.ifconfig='10.0.0.1 10.0.0.2'
openvpn.vpn_server.keepalive='10 60'
openvpn.vpn_server.log='/var/log/openvpn.log'
openvpn.vpn_server.status='/var/run/openvpn.status 5'
openvpn.vpn_server.mute='5'
openvpn.vpn_server.mode='server'
openvpn.vpn_server.port='1194'
openvpn.vpn_server.route_gateway='dhcp'
openvpn.vpn_server.persist_tun='1'
openvpn.vpn_server.persist_key='1'
openvpn.vpn_server.server='10.8.0.0 255.255.255.0'
openvpn.vpn_server.client_to_client='1'
openvpn.vpn_server.tls_server='1'
openvpn.vpn_server.cert='/etc/easy-rsa/pki/issued/vpn_server.crt'
openvpn.vpn_server.key='/etc/easy-rsa/pki/private/vpn_server.key'
openvpn.vpn_server.tls_auth='/etc/easy-rsa/pki/ta.key 0'
openvpn.vpn_server.user='nobody'
openvpn.vpn_server.group='nogroup'
openvpn.vpn_server.dh='/etc/easy-rsa/pki/dh.pem'
openvpn.vpn_server.ca='/etc/easy-rsa/pki/ca.crt'
openvpn.vpn_server.comp_lzo='yes'
openvpn.vpn_server.enabled='1'
openvpn.vpn_server.proto='tcp-server'
openvpn.vpn_server.push='persist-key' 'persist-tun' 'user nobody' 'topology subnet' 'route-gateway dhcp' 'redirect-gateway def1' 'dhcp-option DNS 192.168.1.1' 'block-outside-dns'
openvpn.vpn_server.verb='3'
openvpn.vpn_server.float='1'

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd48:2080:194b::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan.dns='8.8.8.8' '8.8.4.4'
network.wan_eth0_2_dev=device
network.wan_eth0_2_dev.name='eth0.2'
network.wan_eth0_2_dev.macaddr='c0:4a:00:50:fd:6b'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 3 4 5 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 0t'
network.nordvpn_vpn=interface
network.nordvpn_vpn.proto='none'
network.nordvpn_vpn.ifname='tun0'
network.nordvpn_vpn.metric='10'
network.vpn0=interface
network.vpn0.ifname='tun0'
network.vpn0.proto='none'
network.vpn0.auto='1'

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].input='REJECT'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpn'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].network='nordvpn_vpn'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].input='ACCEPT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='vpn'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='vpn'
firewall.@forwarding[2].dest='wan'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='vpn'
firewall.@forwarding[3].dest='lan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Autoriser-OpenVPN'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].src='wan'
firewall.@rule[0].dest_port='1194'
firewall.@rule[0].proto='tcp' 'udp'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-DHCP-Renew'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='udp'
firewall.@rule[1].dest_port='68'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].family='ipv4'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-Ping'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='icmp'
firewall.@rule[2].icmp_type='echo-request'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-IGMP'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='igmp'
firewall.@rule[3].family='ipv4'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-DHCPv6'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='udp'
firewall.@rule[4].src_ip='fc00::/6'
firewall.@rule[4].dest_ip='fc00::/6'
firewall.@rule[4].dest_port='546'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-MLD'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].src_ip='fe80::/10'
firewall.@rule[5].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Input'
firewall.@rule[6].src='wan'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-ICMPv6-Forward'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='*'
firewall.@rule[7].proto='icmp'
firewall.@rule[7].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[7].limit='1000/sec'
firewall.@rule[7].family='ipv6'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-IPSec-ESP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].proto='esp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-ISAKMP'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest='lan'
firewall.@rule[9].dest_port='500'
firewall.@rule[9].proto='udp'
firewall.@rule[9].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'

firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].name='Transparent Proxy Redirect'
firewall.@redirect[0].src='lan'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].dest_port='8888'
firewall.@redirect[0].src_dport='80'
firewall.@redirect[0].src_dip='!192.168.1.1'
firewall.@redirect[0].dest_ip='192.168.1.1'
firewall.@redirect[0].enabled='0'
firewall.@redirect[1]=redirect
firewall.@redirect[1].dest_port='80'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].name='http'
firewall.@redirect[1].src_dport='80'
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].dest_ip='192.168.1.1'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].proto='tcp'
firewall.@redirect[2]=redirect
firewall.@redirect[2].dest_port='993'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].name='993'
firewall.@redirect[2].src_dport='993'
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].dest_ip='192.168.1.159'
firewall.@redirect[2].dest='lan'
firewall.@redirect[3]=redirect
firewall.@redirect[3].dest_port='5991'
firewall.@redirect[3].src='wan'
firewall.@redirect[3].name='5991'
firewall.@redirect[3].src_dport='5991'
firewall.@redirect[3].target='DNAT'
firewall.@redirect[3].dest_ip='192.168.1.159'
firewall.@redirect[3].dest='lan'
firewall.@redirect[4]=redirect
firewall.@redirect[4].dest_port='8443'
firewall.@redirect[4].src='wan'
firewall.@redirect[4].name='8443'
firewall.@redirect[4].src_dport='8443'
firewall.@redirect[4].target='DNAT'
firewall.@redirect[4].dest_ip='192.168.1.126'
firewall.@redirect[4].dest='lan'
firewall.@redirect[5]=redirect
firewall.@redirect[5].dest_port='51023'
firewall.@redirect[5].src='wan'
firewall.@redirect[5].name='Lifedomus'
firewall.@redirect[5].src_dport='51023'
firewall.@redirect[5].target='DNAT'
firewall.@redirect[5].dest_ip='192.168.1.126'
firewall.@redirect[5].dest='lan'
firewall.@redirect[5].proto='tcp'
firewall.@redirect[6]=redirect
firewall.@redirect[6].dest_port='8090'
firewall.@redirect[6].src='wan'
firewall.@redirect[6].name='LifeDomus'
firewall.@redirect[6].src_dport='8090'
firewall.@redirect[6].target='DNAT'
firewall.@redirect[6].dest_ip='192.168.1.126'
firewall.@redirect[6].dest='lan'
firewall.@redirect[6].proto='tcp'
firewall.@redirect[7]=redirect
firewall.@redirect[7].target='DNAT'
firewall.@redirect[7].src='wan'
firewall.@redirect[7].dest='lan'
firewall.@redirect[7].proto='tcp'
firewall.@redirect[7].src_dport='4022'
firewall.@redirect[7].dest_ip='192.168.1.140'
firewall.@redirect[7].dest_port='4022'
firewall.@redirect[7].name='RPI_ssh'
firewall.@redirect[8]=redirect
firewall.@redirect[8].target='DNAT'
firewall.@redirect[8].src='wan'
firewall.@redirect[8].dest='lan'
firewall.@redirect[8].proto='tcp'
firewall.@redirect[8].src_dport='4080'
firewall.@redirect[8].dest_ip='192.168.1.140'
firewall.@redirect[8].dest_port='4080'
firewall.@redirect[8].name='RPI_http'
firewall.@redirect[9]=redirect
firewall.@redirect[9].target='DNAT'
firewall.@redirect[9].src='wan'
firewall.@redirect[9].dest='lan'
firewall.@redirect[9].proto='tcp'
firewall.@redirect[9].src_dport='2880'
firewall.@redirect[9].dest_ip='192.168.1.128'
firewall.@redirect[9].dest_port='80'
firewall.@redirect[9].name='Mobotix_http'
firewall.@redirect[10]=redirect
firewall.@redirect[10].target='DNAT'
firewall.@redirect[10].src='wan'
firewall.@redirect[10].dest='lan'
firewall.@redirect[10].proto='TCP'
firewall.@redirect[10].src_dport='587'
firewall.@redirect[10].dest_ip='192.168.1.159'
firewall.@redirect[10].dest_port='587'
firewall.@redirect[10].name='AT9192_pop'
firewall.@redirect[11]=redirect
firewall.@redirect[11].target='DNAT'
firewall.@redirect[11].src='wan'
firewall.@redirect[11].dest='lan'
firewall.@redirect[11].proto='TCP'
firewall.@redirect[11].src_dport='6690'
firewall.@redirect[11].dest_ip='192.168.1.159'
firewall.@redirect[11].dest_port='6690'
firewall.@redirect[11].name='AT9192_Cloud'
firewall.@redirect[12]=redirect
firewall.@redirect[12].target='DNAT'
firewall.@redirect[12].src='wan'
firewall.@redirect[12].dest='lan'
firewall.@redirect[12].proto='TCP'
firewall.@redirect[12].src_dport='21'
firewall.@redirect[12].dest_ip='192.168.1.159'
firewall.@redirect[12].dest_port='5921'
firewall.@redirect[12].name='AT9192_ftp'
firewall.@redirect[13]=redirect
firewall.@redirect[13].target='DNAT'
firewall.@redirect[13].src='wan'
firewall.@redirect[13].dest='lan'
firewall.@redirect[13].proto='tcp'
firewall.@redirect[13].src_dport='22'
firewall.@redirect[13].dest_ip='192.168.1.159'
firewall.@redirect[13].dest_port='5922'
firewall.@redirect[13].name='AT9192_ftps'

Please fix the previous post and use preformatted text (the </> button) and not blockquote when pasting console output.
Other than that, forwarding vpn->wan is not needed. Same for vpn->lan.
The http redirect is wrong; I told you this is not the way to open the port, and it is not safe to open the http port to the internet. I cannot read much out of it for more comments till you fix the formatting.
First verify with tcpdump that you can see the traffic coming to the wan port, then troubleshoot the redirect. My feeling is that your modem is not forwarding the http/https traffic.

Hello,
OK,

  • forwarding vpn to wan & lan has been deleted
  • http redirections are temporarily used to be able to access until the VPN is configured properly.
  • about tcpdump, I really have no idea of what the problem is.
    Modem is 192.168.0.1 > DMZ to OpenWrt 192.168.0.11 > OpenWrt 192.168.1.1.

Sincerely

The configuration is still hard to read when not formatted properly.
Edit the post above, select the console output, click the </> button and save.

The configuration has become a real mess. I would suggest starting over.

In order to access services hosted on the router (ssh, VPN server, etc) they should be simple accepts on WAN rather than forwards to 192.168.1.1. This is called "opening a port".

config rule
	option name 		Allow-SSH
	option src		wan
	option dest_port	22
	option proto		tcp
	option target		ACCEPT
	option family		ipv4

Start simple to be sure your ISP will let incoming connections through. Install the rule above then try to ssh to the router from outside through your public IP address. This requires using a different Internet connection such as a smartphone. It very seldom works to access your public IP directly from inside the private network associated with it. This is called a "hairpin route" and most ISPs do not support it.

You can also test this by connecting a PC to the intermediate network (the ISP router's LAN network 192.168.0.0) then hit your OpenWrt router from the WAN side at 192.168.0.11. As far as OpenWrt knows, that network is part of the Internet. If your ISP and ISP router forwards / DMZ are working properly, the real Internet can also get through to there.

Note that reflection (aliasing internal access to the public IP back into and through the redirect) cannot work here, since the OpenWrt router holds an intermediate IP not the public IP.
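Added example for this page (not code from any post in the thread, and not OpenWrt code): a Python probe for the test described above, run from a PC plugged into the modem's LAN against the OpenWrt WAN address on the port the `Allow-SSH` rule opens. It maps the socket outcome onto the three results that appear in this thread: a completed handshake, "refused" (a TCP RST came back, so some host answered and actively rejected the port) and "timeout" (nothing answered, so the packets were dropped or never forwarded). Those are the same conditions a browser reports as ERR_CONNECTION_REFUSED and ERR_CONNECTION_TIMED_OUT. The host 192.168.0.11 and port 22 in the usage line come from the thread; the loopback listener exists only so the probe can be exercised offline.

```python
"""TCP reachability probe for testing an opened port from the modem's LAN.
Added example for this page, not code from any post above and not OpenWrt code.
"""
import socket
import sys


def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'unreachable' for host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"            # SYN/SYN-ACK/ACK completed
    except socket.timeout:
        return "timeout"         # no SYN-ACK and no RST within the timeout
    except ConnectionRefusedError:
        return "refused"         # a RST came back from something on the path
    except OSError:
        return "unreachable"     # no route / network unreachable on the probing host
    finally:
        s.close()


# What each outcome says about where to look next (editor's reading of the
# thread's symptoms, not something OpenWrt reports).
NEXT_STEP = {
    "open": "handshake completed: the ACCEPT rule works from this vantage point",
    "refused": "RST received: a host answered and rejected the port (the WAN host's "
               "firewall, or the modem); find out which one sent it",
    "timeout": "no answer: packets are dropped or never forwarded; capture on the "
               "WAN interface with tcpdump to see whether they arrive at all",
    "unreachable": "routing problem on the probing host itself",
}


def probe_report(host, ports, timeout=3.0):
    """Probe several ports and return {port: (result, next_step)}."""
    report = {}
    for port in ports:
        result = probe_tcp(host, port, timeout)
        report[port] = (result, NEXT_STEP[result])
    return report


def start_local_listener():
    """Listener on a free loopback port, used to exercise probe_tcp offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    # Usage from a PC on the 192.168.0.0/24 side:  python3 probe.py 192.168.0.11 22 443 1194
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.11"
    ports = [int(p) for p in sys.argv[2:]] or [22]
    for port, (result, hint) in probe_report(host, ports).items():
        print(f"{host}:{port} -> {result}: {hint}")
```

A port that comes back "open" from 192.168.0.x but "timeout" from a phone on mobile data isolates the fault to the modem's forwarding, which is the split the advice above is aiming for.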

I am able to connect to OpenWrt on the LAN from the WAN (ssh, http) and to some other machines by opening ports.
I confirm also that I can access my ISP modem (192.168.0.) from the LAN (192.168.1.x).
But, if I am connected to my ISP modem, I am not able to connect to the DMZ OpenWrt 192.168.0.11!

I suppose it should work?

When you're on OpenWrt's LAN, of course you can reach OpenWrt and all of your LAN machines directly, since this is the trusted network 192.168.1.X.
I think you're saying on your test if you are on 192.168.0.X after plugging the PC into the ISP router, you can't get into OpenWrt ports that should be open at 192.168.0.11. This means that the firewall is not set properly.