I have a TP-Link Archer C6 v2 running OpenWrt 21.02.2 r16495-bf0c965af0
I'm trying to put my Nextcloud server into its own firewall zone so I can fully control which devices may access it, and later also restrict its outbound traffic to only the few external servers the mobile application needs.
While taking baby steps (to learn how OpenWrt works), I've created my server zone and a firewall forwarding entry for it...
what I have now is my laptop and server on two different subnets:
lan - 192.168.2.xxx
server - 192.168.4.xxx
I've added forwarding rules so that all my devices can communicate with the server. With that I can ping the server from my laptop, but I can't reach it over HTTP(S).
With tcpdump I can see the traffic going in and out of the router, and I can also see it arriving on the server.
The interesting part is that if I run a tracepath command to the server on my laptop, then the browser starts to work and I can browse my Nextcloud server (tracepath performs path-MTU discovery along the way). I can't do the same on my phone, so I can't use the app.
Since it works after running tracepath, I'm pretty sure I'm making some very dumb mistake; I'd appreciate any help.
Here are my current configs (I've already redacted sensitive info such as the ULA prefix, MAC addresses and PPPoE credentials):
cat /etc/config/network;
# /etc/config/network — three routed VLANs (lan/1, xboxlan/10, server/20) on one
# bridge, PPPoE on eth0.2. The policy-routing and MTU settings flagged below are
# the first things to check for the "ping works, HTTP hangs until tracepath runs"
# symptom; nothing in this file is a firewall problem as such.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'xxxx:xxxx:xxxx::/48' # edited
# Trusted LAN, 192.168.2.0/24, routed through the VLAN-1 subinterface of the bridge.
config interface 'lan'
option proto 'static'
option ipaddr '192.168.2.100'
option device 'br-lan.1'
option netmask '255.255.255.0'
option ip6assign '64'
# NOTE(review): 'local' is the kernel's reserved routing table (255). Pointing
# ip4table/ip6table at it moves this interface's connected routes out of the
# main table (compare the `ip -4 ro li tab all` output below: only 192.168.3.0/24
# is in main, 192.168.2.0/24 and 192.168.4.0/24 only exist in 'local') and adds
# extra policy rules. Unless this is deliberate, drop both options here and on
# 'server' so the routes live in main like xboxlan's do.
option ip4table 'local'
option ip6table 'local'
# Xbox VLAN, 192.168.3.0/24 — the only interface whose routes ended up in main.
config interface 'xboxlan'
option proto 'static'
option ipaddr '192.168.3.101'
option ip6assign '64'
option device 'br-lan.10'
option netmask '255.255.255.0'
option ip6ifaceid '::10'
# Server VLAN, 192.168.4.0/24 (Nextcloud).
config interface 'server'
option proto 'static'
option ip6assign '64'
option device 'br-lan.20'
option ipaddr '192.168.4.1'
option netmask '255.255.255.0'
# NOTE(review): same reserved-table issue as on 'lan' — see the comment there.
option ip4table 'local'
option ip6table 'local'
option ip6ifaceid '::20'
config interface 'wan'
option device 'eth0.2'
option proto 'pppoe'
# PPPoE credentials are stored in clear text; keep this file readable by root
# only and redact it (as done here) before posting.
option username 'xxxx'
option password 'xxxx'
option ipv6 'auto'
option peerdns '0'
# NOTE(review): with dnsmasq's allservers=1 (see /etc/config/dhcp) every query
# is sent to all four resolvers at once, so the ISP, Google and Cloudflare each
# see the complete query log. Pick one set of resolvers, or drop allservers.
list dns 'xxx.xxx.xxx.20' # my internet provider dns
list dns 'xxx.xxx.xxx.21' # my internet provider dns
list dns '8.8.8.8'
list dns '1.1.1.1'
option ip6assign '64'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
# VLAN 1 (lan): CPU tagged, ports 4 and 5 untagged.
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '0t 4 5'
option description 'main'
# VLAN 2 (wan): CPU tagged, port 1 untagged.
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 1'
option vid '2'
# NOTE(review): the bridge and every member are forced to MTU 1480, but LAN
# clients will normally still use 1500. A 1500-byte packet from the laptop has
# to be routed out through br-lan.20 (MTU 1480), which only works if the
# router's ICMP "fragmentation needed" reaches the laptop; the firewall's
# mtu_fix clamps MSS for the wan zone only, not for lan<->server. tracepath
# performs exactly that path-MTU discovery, which fits the symptom — confirm
# with tcpdump on the laptop (look for ICMP type 3 code 4 from 192.168.2.100).
# Either leave the LAN side at 1500 (pppoe-wan carries its own MTU, and
# mtu_fix handles the wan direction) or set the clients to 1480 as well.
config device
option name 'br-lan'
option type 'bridge'
option mtu '1480'
option mtu6 '1480'
list ports 'eth0.1'
list ports 'eth0.10'
list ports 'eth0.20'
# NOTE(review): acceptlocal=1 (the accept_local sysctl) makes the kernel accept
# packets whose source address is one of the router's own on this device, which
# relaxes a spoofing sanity check. It is not needed for plain inter-VLAN
# routing; remove it here and on the other devices unless something relies on it.
option acceptlocal '1'
config device
option name 'eth0'
option macaddr 'xx:xx:xx:xx:xx:xx' #edited
option mtu '1480'
option mtu6 '1480'
config device
option name 'eth0.1'
option type '8021q'
option ifname 'eth0'
option vid '1'
option macaddr 'xx:xx:xx:xx:xx:xx' #edited
option mtu '1480'
option mtu6 '1480'
option acceptlocal '1'
config device
option name 'eth0.2'
option type '8021q'
option ifname 'eth0'
option vid '2'
option macaddr 'xx:xx:xx:xx:xx:xx' #edited
option mtu '1480'
option mtu6 '1480'
config device
option name 'wlan1'
option multicast_fast_leave '1'
option unicast_flood '0'
option mtu '1480'
option mtu6 '1480'
option acceptlocal '1'
config device
option name 'wlan0'
option unicast_flood '0'
option mtu '1480'
option mtu6 '1480'
config device
option name 'eth0.20'
option type '8021q'
option ifname 'eth0'
option vid '20'
option acceptlocal '1'
# The VLAN-20 subinterface of the bridge is what the 'server' interface binds to.
config device
option name 'br-lan.20'
option type '8021q'
option ifname 'br-lan'
option vid '20'
option acceptlocal '1'
config device
option name 'br-lan.1'
option type '8021q'
option ifname 'br-lan'
option vid '1'
option acceptlocal '1'
# VLAN 10 (xbox): CPU tagged, port 3 untagged.
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '10'
option ports '0t 3'
option description 'xbox'
# VLAN 20 (fileserver): CPU tagged, port 2 untagged.
config switch_vlan
option device 'switch0'
option vlan '4'
option vid '20'
option description 'fileserver'
option ports '0t 2'
# Bridge VLAN filtering: each eth0.N subinterface is an untagged PVID member of
# bridge VLAN N, which br-lan.N then picks up again as a tagged subinterface.
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'eth0.1:u*'
config bridge-vlan
option device 'br-lan'
option vlan '20'
list ports 'eth0.20:u*'
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'eth0.10:u*'
cat /etc/config/wireless
# /etc/config/wireless — both SSIDs are bridged into 'lan' (the trusted
# 192.168.2.0/24), so whoever joins Wi-Fi gets the same access as the laptop.
config wifi-device 'radio0'
option type 'mac80211'
option path 'pci0000:00/0000:00:00.0'
option band '5g'
option htmode 'VHT80'
option country 'BR'
option cell_density '1'
option channel '100'
option diversity '1'
option txpower '20'
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/ahb/18100000.wmac'
option band '2g'
option htmode 'HT40'
option country 'BR'
option cell_density '1'
option channel '3'
# noscan=1 skips the overlapping-BSS check for HT40 on 2.4 GHz — a coexistence
# setting, not a security one.
option noscan '1'
option diversity '1'
# 2.4 GHz AP.
config wifi-iface 'wifinet1'
option device 'radio1'
option mode 'ap'
# NOTE(review): if 'password' is the literal PSK rather than a redaction, change
# it — with WPA2-PSK fallback enabled (sae-mixed) it is offline-crackable.
option key 'password'
option network 'lan'
option ssid 'MyWiFi'
# sae-mixed accepts WPA2-PSK as well as WPA3-SAE; once every client supports SAE,
# 'sae' alone removes the WPA2 fallback.
option encryption 'sae-mixed'
option disassoc_low_ack '0'
# MAC allowlist: MACs are sent in clear over the air and trivially spoofed, so
# the key, not this list, is what actually gates access.
option macfilter 'allow'
list maclist 'XX:XX:XX:XX:XX:XX' # I know there are better ways to secure my Wi-Fi, but I've set a list of allowed MACs
# 5 GHz AP with 802.11r fast transition (keys derived locally from the PSK).
config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'ap'
option ssid 'My5GWiFi'
option encryption 'sae-mixed'
option key 'password'
option ieee80211r '1'
option mobility_domain '4321'
option ft_over_ds '1'
option ft_psk_generate_local '1'
option network 'lan'
option disassoc_low_ack '0'
option macfilter 'allow'
list maclist 'XX:XX:XX:XX:XX:XX' # I know there are better ways to secure my Wi-Fi, but I've set a list of allowed MACs
cat /etc/config/dhcp
# /etc/config/dhcp — dnsmasq for DNS/DHCPv4, odhcpd for RA/DHCPv6.
config dnsmasq
option domainneeded '1'
option localise_queries '1'
# rebind_protection + localservice: no RFC1918 answers from upstream, and DNS is
# only answered for hosts on local subnets. Keep both.
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option ednspacket_max '1232'
# NOTE(review): allservers=1 forwards every query to all upstreams in parallel
# (ISP x2, 8.8.8.8, 1.1.1.1 from /etc/config/network) and uses the first reply,
# so every resolver sees the whole query log. Drop it, or trim the list.
option allservers '1'
option quietdhcp '1'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
# NOTE(review): 'limit' is the pool *size*, not the last host address:
# start 101 + limit 169 runs past .255 of a /24. If the intent is .101-.169,
# use limit 69. The server and xboxlan pools below follow the same pattern.
option start '101'
option limit '169'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
list ra_flags 'none'
config dhcp 'server'
option interface 'server'
option leasetime '12h'
# NOTE(review): probably meant .171-.180, i.e. limit 10 (see the 'lan' pool).
option start '171'
option limit '180'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option ra 'hybrid'
option dhcpv6 'hybrid'
# NOTE(review): to my reading dns_service=0 stops odhcpd from announcing the
# router as DNS server to IPv6 clients in this pool — confirm that is intended.
option dns_service '0'
config dhcp 'xboxlan'
option interface 'xboxlan'
option leasetime '12h'
# NOTE(review): probably meant .102-.110, i.e. limit 9 (see the 'lan' pool).
option start '102'
option limit '110'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option dhcpv6 'server'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# Static leases. The firewall's DNAT redirects point at 192.168.3.102, so the
# Xbox entry below must stay in place for them to keep working.
config host
option name 'FileServer'
option dns '1'
option mac 'XX:XX:XX:XX:XX:XX'
option ip '192.168.4.174'
config host
option name 'Laptop'
option dns '1'
option ip '192.168.2.109'
option mac 'XX:XX:XX:XX:XX:XX'
config host
option name 'Xbox'
option dns '1'
option ip '192.168.3.102'
option mac 'XX:XX:XX:XX:XX:XX'
cat /etc/config/firewall
# /etc/config/firewall — four zones: lan (trusted), server, xbox, wan.
# Policy defaults: INPUT/OUTPUT accept, FORWARD drop. Any zone that keeps
# input=ACCEPT therefore exposes the router's own services (ssh, LuCI, DNS)
# to that zone.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
# NOTE(review): as far as I know ath79 (Archer C6 v2) has no hardware flowtable,
# so flow_offloading_hw is a no-op here. While debugging the HTTP problem,
# temporarily disable both offload options to rule them out.
option flow_offloading '1'
option flow_offloading_hw '1'
option forward 'DROP'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list device 'br-lan.1'
# NOTE(review): with input=ACCEPT the server zone can reach the router's own
# services exactly like the trusted lan. For a zone meant to be isolated,
# model it on the xbox zone: input/forward REJECT plus one rule admitting
# only DHCP and DNS from 'server'.
config zone
option output 'ACCEPT'
option name 'server'
option network 'server'
option input 'ACCEPT'
option forward 'ACCEPT'
list device 'br-lan.20'
# Least-privilege zone: nothing reaches the router or other zones except what
# the 'Xbox DNS & DHCP' rule and the explicit forwardings allow.
config zone
option output 'ACCEPT'
option input 'REJECT'
option name 'xbox'
option network 'xboxlan'
option forward 'REJECT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
# mtu_fix clamps TCP MSS on the wan zone only; lan<->server traffic gets no
# clamping and relies on path-MTU discovery (see the MTU note in /etc/config/network).
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
# lan -> server is what lets the laptop reach Nextcloud; replies come back via
# connection tracking without a reverse forwarding.
config forwarding
option src 'lan'
option dest 'server'
config forwarding
option src 'lan'
option dest 'xbox'
# NOTE(review): candidate for later narrowing to the hosts the mobile app needs
# (dest_ip rules instead of a blanket forwarding).
config forwarding
option src 'server'
option dest 'wan'
# NOTE(review): this lets the server open connections to anything in the lan.
# It is not needed for lan devices to reach the server (conntrack handles the
# replies), so remove it unless the server must initiate connections into the lan.
config forwarding
option src 'server'
option dest 'lan'
config forwarding
option src 'xbox'
option dest 'wan'
# INPUT rule (no dest): xbox zone may talk to the router's DHCP/DNS/DHCPv6.
# No 'proto' means fw3 matches both TCP and UDP on these ports.
config rule
option name 'Xbox DNS & DHCP'
option dest_port '53 67 68 547'
option target 'ACCEPT'
option src 'xbox'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
# NOTE(review): this and 'Allow-ISAKMP-Xbox' admit unsolicited ESP / IKE from
# the internet to every host in the xbox zone. The Xbox has a fixed lease, so
# add option dest_ip '192.168.3.102' to both rules to keep the hole host-specific.
config rule
option name 'Allow-IPSec-ESP-Xbox'
list proto 'esp'
option src 'wan'
option target 'ACCEPT'
option dest 'xbox'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP-Xbox'
list proto 'udp'
option src 'wan'
option dest_port '500'
option target 'ACCEPT'
option dest 'xbox'
# Custom iptables rules in /etc/firewall.user are not shown in this post; check
# that file as well when reviewing what the router actually enforces.
config include
option path '/etc/firewall.user'
# Xbox Live port forwards, both pinned to the static lease 192.168.3.102 (see
# /etc/config/dhcp). The 53208 forward additionally matches only packets whose
# source port is 3544 (Teredo).
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '53208'
option dest_ip '192.168.3.102'
option dest_port '53208'
option name 'XBL_TCP+UDP-53208'
list proto 'tcp'
list proto 'udp'
option src_port '3544'
option dest 'xbox'
config redirect
option target 'DNAT'
option src 'wan'
option proto 'tcp udp'
option src_dport '3074'
option dest_ip '192.168.3.102'
option dest_port '3074'
option name 'XBL_TCP+UDP-3074'
option dest 'xbox'
ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
9: br-lan.10@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP qlen 1000
inet 192.168.3.101/24 brd 192.168.3.255 scope global br-lan.10
valid_lft forever preferred_lft forever
14: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1472 qdisc fq_codel state UNKNOWN qlen 3
inet xxx.xxx.xxx.xxx peer xxx.xxx.xxx.xxx/32 scope global pppoe-wan
valid_lft forever preferred_lft forever
17: br-lan.20@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP qlen 1000
inet 192.168.4.1/24 brd 192.168.4.255 scope global br-lan.20
valid_lft forever preferred_lft forever
18: br-lan.1@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP qlen 1000
inet 192.168.2.100/24 brd 192.168.2.255 scope global br-lan.1
valid_lft forever preferred_lft forever
ip -4 ro li tab all
default via xxx.xxx.xxx.xxx dev pppoe-wan
xxx.xxx.xxx.xxx dev pppoe-wan scope link src xxx.xxx.xxx.xxx
192.168.3.0/24 dev br-lan.10 scope link src 192.168.3.101
local xxx.xxx.xxx.xxx dev pppoe-wan table local scope host src xxx.xxx.xxx.xxx
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.2.0 dev br-lan.1 table local scope link src 192.168.2.100
192.168.2.0/24 dev br-lan.1 table local scope link
local 192.168.2.100 dev br-lan.1 table local scope host src 192.168.2.100
broadcast 192.168.2.255 dev br-lan.1 table local scope link src 192.168.2.100
broadcast 192.168.3.0 dev br-lan.10 table local scope link src 192.168.3.101
local 192.168.3.101 dev br-lan.10 table local scope host src 192.168.3.101
broadcast 192.168.3.255 dev br-lan.10 table local scope link src 192.168.3.101
broadcast 192.168.4.0 dev br-lan.20 table local scope link src 192.168.4.1
192.168.4.0/24 dev br-lan.20 table local scope link
local 192.168.4.1 dev br-lan.20 table local scope host src 192.168.4.1
broadcast 192.168.4.255 dev br-lan.20 table local scope link src 192.168.4.1
ip -4 ru
0: from all lookup local
10000: from 192.168.4.1 lookup local
10000: from 192.168.2.100 lookup local
20000: from all to 192.168.4.1/24 lookup local
20000: from all to 192.168.2.100/24 lookup local
32766: from all lookup main
32767: from all lookup default
90017: from all iif lo lookup local
90018: from all iif lo lookup local