Open webui from other networks

Hi all,

I just installed OpenWrt on my Mi Router 4A Giga. I can open the web UI from my PC3, which is directly connected to the Mi router, but I can't open the web interface from networks other than the one OpenWrt has.

I can ping from OpenWrt's terminal to other networks, but I can't even ping OpenWrt from other networks.

Here is my network and my device status:

How can I open the web UI from PC1 or PC2?

### System

|Hostname|OpenWrt|
| --- | --- |
|Model|Xiaomi Mi Router 4A Gigabit Edition|
|Architecture|MediaTek MT7621 ver:1 eco:3|
|Target Platform|ramips/mt7621|
|Firmware Version|OpenWrt 21.02.3 r16554-1d4dea6d4f / LuCI openwrt-21.02 branch git-22.083.69138-0a0ce2a|
|Kernel Version|5.4.188|
|Local Time|2022-08-13 14:21:44|
|Uptime|4h 50m 53s|
|Load Average|0.00, 0.00, 0.00|

You need to allow this in firewall settings.

I made a firewall rule which accepts all connections and moved it to the top, but nothing changed.

Firewall should accept connections from wan interface and luci should listen on wan too.

Please post contents of /etc/config/firewall and /etc/config/uhttpd.

/etc/config/firewall

```
config defaults
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'
        option input 'DROP'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '1'
```

/etc/config/uhttpd

```
config uhttpd 'main'
        list listen_http '0.0.0.0:80'
        list listen_http '[::]:80'
        list listen_https '0.0.0.0:443'
        list listen_https '[::]:443'
        option redirect_https '0'
        option home '/www'
        option rfc1918_filter '1'
        option max_requests '3'
        option max_connections '100'
        option cert '/etc/uhttpd.crt'
        option key '/etc/uhttpd.key'
        option cgi_prefix '/cgi-bin'
        list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
        option script_timeout '60'
        option network_timeout '30'
        option http_keepalive '20'
        option tcp_keepalive '1'
        option ubus_prefix '/ubus'

config cert 'defaults'
        option days '730'
        option key_type 'ec'
        option bits '2048'
        option ec_curve 'P-256'
        option country 'ZZ'
        option state 'Somewhere'
        option location 'Unknown'
        option commonname 'OpenWrt'
```

Your firewall appears to be incomplete.

Also, I am having trouble understanding how your 192.168.3.0/24 devices are working through the Mi router - you seem to have the same subnet on the WAN and LAN of that device, and that will not work at all.

Even if I disable the firewall, the web UI still does not open from other networks. WAN and LAN on the same subnet? I only changed the br-lan IP address from 192.168.1.1 to 192.168.3.2. Could you give more detail, please?

Ok... that actually is okay -- as long as the 192.168.3.0/24 network is LAN only on that device and you're not using the WAN port... it basically transforms the mi router to a dumb AP.

If that's the case...

The firewall on your Mi router won't matter at all if your Mi device is a dumb AP. You need to set your main router to allow inter-VLAN traffic. Currently, the firewall on that device may not allow it.

The OpenWrt WAN interface is DHCP and is getting IP 192.168.3.3 from the main router; the LAN interface is static 192.168.3.2.

What do you suggest for not using the Mi router as a dumb AP?

This cannot work. The subnets on the WAN and LAN must be different.

What is your goal for this device? It seems you already have a router ahead of this one that provides a network on 192.168.3.0/24 -- what is the purpose of the Mi router?

I don't have any goal right now. I just want to figure out how things get done in OpenWrt. As you said, if I change the WAN IP address to a static one like 192.168.4.1, it cannot reach the internet.

If you wish to keep your current 'double' router setup, you need to change the LAN IP of the Xiaomi, not the WAN IP. eg. 192.168.4.1 would work for Xiaomi LAN.

Then set up a port forward rule on the Xiaomi to forward port 80 from WAN to LAN IP of the Xiaomi, eg if LAN IP is 192.168.4.1.

Then you should be able to access LuCI on the Xiaomi at its WAN IP of 192.168.3.2 (CORRECTION) from PC1 & PC2, provided your main router allows routing between the 192.168.2.x and 192.168.3.x subnets.

Where possible it is recommended to avoid 'daisy chaining' routers due to possible double NAT issues. ie. one 'router' behind another router is 'poor' practise. Suggest configure Xiaomi as a dumb access point if your main router can serve DHCP. (ie. turn OFF DHCP server and use only the LAN ports on Xiaomi. Assign a LAN IP of 192.168.3.x to the Xiaomi)

Update: typo error. Corrected IP address


That is also expected. The lan and wan must be different subnets. But the wan must be on the same subnet as the upstream connection (192.168.3.0/24), so it is the lan that must be changed.

If you don’t have a goal for the Mi router, why are you using it? You are only making your network unnecessarily complicated if there is no specific function it provides.

The web UI is accessible from 192.168.3.3.

Thank you all for your effort.

You do not need a forward here. Just a basic rule is preferred. But the new lan ip is critical.
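Added example, not part of the thread: a POSIX shell sketch of the two points the replies settle on. It checks that the WAN and LAN prefixes differ, then prints one input rule for the wan zone that admits LuCI only from named upstream subnets instead of accepting all connections. The function names, the rule name and the /24 prefix for 192.168.2.x are assumptions; the addresses are the ones quoted in the posts.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical;
# addresses are those quoted in the posts (192.168.2.0/24 is assumed).

ip2int() {  # dotted quad -> 32-bit integer
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

net_of() {  # "a.b.c.d/len" -> network address as integer
    addr=${1%/*}; len=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    echo $(( $(ip2int "$addr") & mask ))
}

# Two prefixes overlap when they agree on the bits of the shorter one.
subnets_overlap() {
    l1=${1#*/}; l2=${2#*/}
    short=$l1; [ "$l2" -lt "$short" ] && short=$l2
    [ "$(net_of "${1%/*}/$short")" -eq "$(net_of "${2%/*}/$short")" ]
}

# Print an /etc/config/firewall input rule for the wan zone that admits
# LuCI (HTTP/HTTPS) only from the given source subnets.
luci_wan_rule() {
    echo "config rule"
    echo "        option name 'Allow-LuCI-from-upstream'"
    echo "        option src 'wan'"
    for net in "$@"; do echo "        list src_ip '$net'"; done
    echo "        option proto 'tcp'"
    echo "        option dest_port '80 443'"
    echo "        option target 'ACCEPT'"
}

check_and_emit() {  # $1 = WAN CIDR, $2 = LAN CIDR, rest = allowed sources
    wan=$1; lan=$2; shift 2
    if subnets_overlap "$wan" "$lan"; then
        echo "conflict: WAN $wan and LAN $lan share a subnet" >&2
        return 1
    fi
    luci_wan_rule "$@"
}

# Original setup from the thread (rejected), then with the suggested LAN IP.
check_and_emit 192.168.3.3/24 192.168.3.2/24 192.168.2.0/24 192.168.3.0/24 || true
check_and_emit 192.168.3.3/24 192.168.4.1/24 192.168.2.0/24 192.168.3.0/24
```

On the router, the printed stanza would be appended to /etc/config/firewall and applied with `/etc/init.d/firewall reload`.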
