OpenWrt behind Fritzbox

Hi everyone...

I just started with OpenWrt on a TP-Link C7 router. I want to use it for a separate network (not DMZ) at home (multiroom sound system). My internet comes with an AVM Fritzbox, and the TP-Link router is connected to it via the WAN port. The sound devices will be connected via LAN and Wi-Fi to the TP-Link router.

standard network with dhcp from the Fritzbox -> 192.168.2.0/24
WAN port of the TP Link Router -> 192.168.2.3
internal IP network of the TP Link -> 192.168.0.1/24

My problem is that I cannot connect from my standard LAN to the web frontend (192.168.2.3). Ping is OK. So for configuration I have to connect a tablet or computer to the TP-Link device via LAN or Wi-Fi.

Is there another solution to allow access to the web GUI of the TP-Link router from my standard network? Or maybe using OpenWrt is too much for my problem; maybe it is easier to use the TP-Link standard firmware.

Kind regards
Reiner

You need to allow it on the firewall, as by default it is blocked.

uci add firewall rule # =cfg3392bd
uci set firewall.@rule[-1].dest_port='80'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].name='Local HTTP'
uci add_list firewall.@rule[-1].src_ip='192.168.2.0/24'
uci set firewall.@rule[-1].family='ipv4'
uci add_list firewall.@rule[-1].dest_ip='192.168.2.3'
uci set firewall.@rule[-1].target='ACCEPT'
uci add_list firewall.@rule[-1].proto='tcp'
uci commit firewall
service firewall restart

You may want to do the same for SSH.

1 Like
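The uci commands in the answer above, and the suggestion to do the same for SSH, as an added example that is not part of the original post: a small POSIX shell script that builds one `uci batch` for both ports. It keeps the two restrictions that matter on the WAN side, the source subnet (the Fritzbox LAN) and the destination address (the OpenWrt WAN address), so the rules do not open the services to anything else that may ever sit behind the WAN port. The addresses are the ones from the thread and the rule names are my own; when `uci` is present the batch is applied and the firewall restarted, otherwise the batch is only printed for review.

```shell
#!/bin/sh
# Added example (not from the thread): open LuCI (80) and SSH (22) on the
# wan zone, but only from the upstream LAN and only to our own WAN address.
# Addresses are the ones given in the thread; override via the environment.
UPSTREAM_NET="${UPSTREAM_NET:-192.168.2.0/24}"   # Fritzbox LAN (constructed default)
WAN_ADDR="${WAN_ADDR:-192.168.2.3}"             # OpenWrt WAN address

# Emit one named ACCEPT rule on the wan zone for a single TCP port.
# src_ip/dest_ip/proto use add_list, matching the shape of the thread's rule.
emit_rule() {
  name="$1"; port="$2"
  cat <<EOF
add firewall rule
set firewall.@rule[-1].name='$name'
set firewall.@rule[-1].src='wan'
add_list firewall.@rule[-1].src_ip='$UPSTREAM_NET'
add_list firewall.@rule[-1].dest_ip='$WAN_ADDR'
add_list firewall.@rule[-1].proto='tcp'
set firewall.@rule[-1].dest_port='$port'
set firewall.@rule[-1].family='ipv4'
set firewall.@rule[-1].target='ACCEPT'
EOF
}

# The complete batch: HTTP rule, SSH rule, commit. Rule names are my own.
build_batch() {
  emit_rule 'Local HTTP' 80
  emit_rule 'Local SSH' 22
  echo 'commit firewall'
}

# Number of rule sections the batch would add (sanity check before applying).
count_rules() {
  build_batch | grep -c '^add firewall rule'
}

# On OpenWrt apply the batch and reload the firewall; elsewhere dry-run it.
apply_or_show() {
  if command -v uci >/dev/null 2>&1; then
    build_batch | uci batch && service firewall restart
  else
    build_batch
  fi
}

apply_or_show
```

Because both rules carry `dest_ip`, traffic aimed at any other address that happens to arrive on the WAN interface still hits the zone's default REJECT; dropping the `src_ip` list would be the mistake to watch for, since it turns "my LAN may manage the router" into "anything upstream may".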

By default, the firewall of a router is designed to block traffic from the WAN side, for obvious security reasons.

If you want to allow access from the WAN side, you will need to configure the firewall to allow that particular port (let it be for Web, SSH or whatever application you want to allow).

It goes without saying that you would be exposing your router to the "outside" world, which would be fine if your upstream router is secure enough. But in other cases, say if that's your main router or if your main router firmware is outdated, that would be considered a risk.

You could also specify the source MAC address in the rules, for a little bit of added security.

Hi everyone...

Thanks for your posts... the thing with the firewall rules was the solution. I've added rules for port 80 and 22, so it looks fine for me...

I only need to find out which ports / protocol my sound system is using... I am not able to connect from my iPhone / iPad when I am not in the same WLAN.

Regards
Reiner

You could also add the MAC address to the rule (under Advanced Settings) for a little bit of added security.

This could be because the sound system is broadcasting its capabilities.
Check if you can define an IP on the application. If not, you'll need a proxy apart from allowing IP/ports.

You might want to disable masquerading for the WAN zone on the OpenWrt router. This requires a static route on the Fritzbox: network 192.168.0.0, mask 255.255.255.0, gateway 192.168.2.3.
By itself, disabling masquerading may not solve the problem, but it can help to simplify the eventual solution because it will avoid port forwarding.

In addition, I suggest adding a zone forwarding from wan to lan temporarily.
Once everything works, you can return to a more restrictive firewall.

Finally, nothing of this is needed when all traffic can be handled by a proxy on the OpenWrt router. Not knowing your sound system and its protocols, I cannot say if this will be the case.

1 Like
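The two firewall changes suggested in the post above (masquerading off on the wan zone, plus a temporary wan-to-lan forwarding), as an added example that is not part of the original post. On a default OpenWrt install the zones are anonymous sections, so the script looks up the wan zone's index from `uci show firewall` output instead of hard-coding `@zone[1]`; the sample `uci show` lines used for the dry run are constructed. The matching static route on the Fritzbox (192.168.0.0/24 via 192.168.2.3) is set in its GUI and is not scriptable from here.

```shell
#!/bin/sh
# Added example (not from the thread): turn off masquerading on the wan zone
# and add a wan->lan forwarding meant for troubleshooting only.

# Print the index of the zone whose name is $1, reading `uci show firewall`
# output on stdin (lines look like: firewall.@zone[1].name='wan').
zone_index() {
  sed -n "s/^firewall\.@zone\[\([0-9]*\)\]\.name='$1'\$/\1/p" | head -n 1
}

# Source of `uci show firewall` text: the real command on OpenWrt, otherwise
# a constructed two-zone sample so the script can be dry-run anywhere.
show_firewall() {
  if command -v uci >/dev/null 2>&1; then
    uci show firewall
  else
    printf "%s\n" \
      "firewall.@zone[0].name='lan'" \
      "firewall.@zone[1].name='wan'"
  fi
}

# Batch for the first suggestion: masq=0 on the wan zone. Refuses to emit
# anything if the zone cannot be found, rather than guessing an index.
build_masq_batch() {
  idx="$(show_firewall | zone_index wan)"
  [ -n "$idx" ] || { echo "wan zone not found" >&2; return 1; }
  cat <<EOF
set firewall.@zone[$idx].masq='0'
commit firewall
EOF
}

# Batch for the second suggestion: a temporary wan->lan forwarding.
# Delete this forwarding again once the sound system works.
build_forwarding_batch() {
  cat <<EOF
add firewall forwarding
set firewall.@forwarding[-1].src='wan'
set firewall.@forwarding[-1].dest='lan'
commit firewall
EOF
}

# Apply both batches on OpenWrt; elsewhere print them for review.
apply_or_show() {
  if command -v uci >/dev/null 2>&1; then
    { build_masq_batch && build_forwarding_batch; } | uci batch \
      && service firewall restart
  else
    build_masq_batch
    build_forwarding_batch
  fi
}

apply_or_show
```

With masquerading off, devices on 192.168.0.0/24 appear to the Fritzbox LAN with their real addresses, which is why the static route on the Fritzbox is mandatory and why per-device rules (or the MAC restriction mentioned earlier) become possible at all. The wan-to-lan forwarding admits everything from the upstream LAN into the sound network; it is only there to find out which ports the system needs, after which it should be replaced by rules for exactly those ports.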