OpenWRT firewall crashes with port forwarding 443

Hello everyone,

I'm currently setting up OpenWRT 25.12 on my NanoPi R5S as a router between my main router (Fritz!Box) and my mini-PC running web services. Today, I wanted to configure port forwarding to an IPv4 address in a downstream Docker MacVLAN using LuCI.

Problem: When I configure port forwarding for port :443, the OpenWRT firewall crashes immediately, and OpenWRT becomes accessible only via SSH. My browser suddenly tries to force HTTPS, but this fails because I haven't enabled or configured it in OpenWRT.

Fortunately, it remains accessible via SSH. If I stop the firewall there (command: /etc/init.d/firewall stop), I can reload LuCI and delete the port forwarding rules. After that, everything works again. Unfortunately, port forwarding doesn't work.

Here's a dump of my firewall settings:

root@NanoPiOpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option synflood_protect '1'
        option drop_invalid '1'
        option flow_offloading '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'wan'
        option dest 'lan'

config rule
        option src 'wan'
        option name 'Cust-Allow-LuCI-from-WAN'
        list proto 'tcp'
        list src_ip '192.168.xxx.0/24'
        option dest_port '80 443'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option name 'Cust-Allow-SSH-from-WAN'
        list proto 'tcp'
        list src_ip '192.168.xxx.0/24'
        option dest_port '22'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option dest 'lan'
        option name 'Cust-Allow-DNS-FB-to-LAN'
        option dest_port '53'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Caddy HTTPS'
        option family 'ipv4'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.xxx.yyy'
        option dest_port '443'

What could be causing this, and how can I fix it?

Thank you for your helpful tips.

Regards,
Mic.

These rules conflict:

Also, it's not clear to me that the firewall is actually crashing from this... how have you determined that it is actually crashed vs just doing something you didn't expect?


Crashing: I can, for example, not open LuCI in the browser anymore.

Can you support me to correct them?

That doesn't mean it's actually crashing. Is there anything in the log that shows a problem?
Does service firewall status show it running?


Maybe "blocking" is the better word than "crashing".

I can check the service logs tomorrow.

Do you think my two firewall rules are the root cause? How can I change this? The first problematic rule is supposed to allow me access to LuCI from the WAN port, since there's no PC connected to the LAN that I could use to access it. The second rule seems to be my configured port forwarding.


From the lan port? You don't need a rule for that.

This seems to contradict the previous need.

Yes.

The only conflict is port 443. If you're using LuCI with only port 80, then remove port 443 from the first rule I showed.

However, it might be a good idea to see a simple topology diagram that shows the physical setup and where things are connected (for example, the PC used for managing this device, etc.).

Sorry. Typo: "LuCI from WAN"

The second rule is supposed to be port forwarding to a device running OpenWRT. That's exactly what I need. It has nothing to do with LuCI.

Try removing port 443 from the following rule:

Also, it should go without saying -- this (along with the dns and ssh rules) is never safe to do when your router is directly facing the internet or any untrusted upstream network. In your case, it seems safe since you said this is behind your main router.

Thank you for your feedback. Yes, OpenWRT is just a router for a subnet behind my main router (Fritz!Box). I've usually configured it so that OpenWRT can only be accessed via WAN from IP addresses within this subnet. I hope that's secure enough, even though I've configured port forwarding for OpenWRT on the main router.

Internet --> Fritz!Box --> OpenWRT --> MacVLAN in Docker

What I don't quite understand, though, is why this rule is related to port forwarding in OpenWRT for a downstream subnet. Shouldn't both work together?

I'll test it, though.

Hello,

I tried it again. No chance. The moment I activate the port forwarding rules in OpenWRT LuCI, the LuCI web GUI is not reachable anymore from WAN via its WAN IP address. It does not matter if I change from :80 to :443.

It is still reachable by its local IP address when I connect a LAN cable to LAN1, but this does not help me.

How can I resolve this issue to activate a port forwarding AND make LuCI reachable from WAN? What are the correct settings?

Thank you in advance!

Regards
Mic.

DNAT (port forwarding) rules use the prerouting hook, so they take precedence. The destination address/port is changed before a routing decision is made, the packet is considered as non-local and it is forwarded directly to the target host.

A possible workaround is to use a different (external) src_dport to avoid conflict with a local service that needs to be accessed through the same inbound interface.

Example:

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Caddy HTTPS'
        option family 'ipv4'
        list proto 'tcp'
        option src 'wan'
        option src_dport '8443'
        option dest_ip '192.168.xxx.yyy'
        option dest_port '443'
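The precedence just described can be checked mechanically before a config is committed. This is an added example, not code from this thread or from OpenWrt/fw4: it parses UCI-style text (the sample is constructed from the config posted above, with placeholder addresses) and reports every DNAT redirect whose src zone and src_dport also appear in an input rule on that zone or in a uhttpd listen port, since those are exactly the ports that the prerouting DNAT hides.

```python
"""Added example (not from the thread or OpenWrt): parse UCI-style text and
find 'redirect' sections whose src zone + src_dport collide with an input
'rule' on the same zone or with a uhttpd listen port (shadowed in prerouting)."""
# Constructed sample mirroring the thread's config; values are placeholders.
FIREWALL = """
config rule
        option src 'wan'
        option name 'Cust-Allow-LuCI-from-WAN'
        option dest_port '80 443'
        option target 'ACCEPT'

config redirect
        option src 'wan'
        option dest 'lan'
        option target 'DNAT'
        option name 'Caddy HTTPS'
        option src_dport '443'
"""
UHTTPD = """
config uhttpd 'main'
        list listen_http '0.0.0.0:80'
        list listen_https '[::]:443'
"""

def parse_uci(text):
    """Return [(section_type, {key: [values]})] from UCI-style text."""
    sections = []
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if parts and parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts and parts[0] in ("option", "list") and sections:
            value = parts[2].strip("'\"") if len(parts) > 2 else ""
            sections[-1][1].setdefault(parts[1], []).append(value)
    return sections

def ports(values):
    """Expand UCI port specs such as '80 443' or '8000-8002' into a set."""
    out = set()
    for spec in values:
        for tok in spec.split():
            lo, _, hi = tok.partition("-")
            out.update(range(int(lo), int(hi or lo) + 1))
    return out

def find_shadowed(firewall_text, uhttpd_text):
    """Ports where a DNAT redirect hides an input rule or a uhttpd listener."""
    fw = parse_uci(firewall_text)
    listen = {int(a.rsplit(":", 1)[1]) for _, o in parse_uci(uhttpd_text)
              for k in ("listen_http", "listen_https") for a in o.get(k, [])}
    findings = []
    for typ, opts in fw:
        if typ != "redirect" or opts.get("target", ["DNAT"])[0] != "DNAT":
            continue
        zone = opts.get("src", [""])[0]
        for port in ports(opts.get("src_dport", [])):
            # Input rules (no 'dest') on the same zone that accept this port.
            rules = [r.get("name", ["?"])[0] for t, r in fw if t == "rule"
                     and r.get("src", [""])[0] == zone and "dest" not in r
                     and port in ports(r.get("dest_port", []))]
            if rules or port in listen:
                findings.append({"zone": zone, "port": port, "redirect":
                                 opts.get("name", ["?"])[0], "shadowed_rules":
                                 rules, "local_listener": port in listen})
    return findings
```

Run against the real files with `find_shadowed(open('/etc/config/firewall').read(), open('/etc/config/uhttpd').read())`; an empty list means no local service on that zone is hidden by a redirect.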

Hello @pavelgl,

this means there is no "non-workaround" solution to get "both" (access to LuCI from WAN and port forwarding to a device behind OpenWRT)?

What you mean is a kind of port mapping. From the Internet, my web services need to be reachable on ports :80 and :443, and the target web service also needs :80 and :443. I would need to do something like this. Is this possible?


Another question: Do I need to set up port forwarding rules for IPv4 and IPv6 target addresses in parallel? I wonder why I need to select IP addresses as targets in OpenWRT. In my Fritz!Box, port forwarding is set up with MAC addresses as targets (independent of IPv4/IPv6).

Thank you for your feedback.

Regards
Mic.

Requests to the same IP address and port will always be treated the same way - by the rule with the higher priority. So no, there is no "non-workaround" solution.

How often do you modify the OpenWrt configuration?
Just change the uhttpd listening port(s). That would be a small inconvenience.

AFAIK in OpenWrt there is no such option, so you will have to create separate rules for ipv4/ipv6.

Okay, thanks for the info.

Where can I change the uhttp port for LuCI?

Interestingly, with my asymmetric port forwarding configuration, LuCI is no longer reachable via the Fritzbox's IP address, but it's still accessible via its own IP address within its network. That would be fine with me, though.

What do you think is better: the asymmetric port forwarding configuration or moving the uhttp port?

Change the ports in /etc/config/uhttpd.

config uhttpd 'main'
        list listen_http '0.0.0.0:80'
        list listen_http '[::]:80'
        list listen_https '0.0.0.0:443'
        list listen_https '[::]:443'
        ...

Don't forget to restart the service afterwards.


Another non-workaround option could be this:
If you configure OpenWrt as a router, i.e. without NAT (masquerading), then you don't need any port forwarding on your OpenWrt box. You need to add a static route to your Fritz!Box that tells it where to find the subnet the OpenWrt router is responsible for and then do the port forwarding directly to this address from the Fritz!Box.

Edit: Basically, this scenario should work:

Thank you. I think this is not a solution for me. I want to have NAT and a subnet for routing filtering using the banIP plugin.

I have set up two levels of "subnets" via IPv6 prefix delegation. I wonder, do I also need to set up port forwarding in OpenWRT for IPv6 if my two Docker MacVLANs are in their own delegated sub-subnet?

I have done now these changes in:

config uhttpd 'main'
        list listen_http '0.0.0.0:81'
        list listen_http '[::]:81'
        list listen_https '0.0.0.0:442'
        list listen_https '[::]:442'
        ...

... and it works fine. I can access LuCI from WAN, but I can still only use the OpenWRT IP to enter LuCI (192.168.1.1:81), not the main router IP (192.168.178.xxx:81). This is not a blocker for me, but I wonder if this is still a configuration issue.

Do I maybe need to change this rule also? What are the right settings for option dest_port '80 443' with changed listening ports for LuCI?

config rule
        option src 'wan'
        option name 'Cust-Allow-LuCI-from-WAN'
        list proto 'tcp'
        list src_ip '192.168.xxx.0/24'
        option dest_port '80 443'
        option target 'ACCEPT'

Thank you and have a nice weekend.

Okay, I found the solution to enter LuCI also from its "external" IP address via WAN. You need to add it to the traffic rule.

config rule
        option src 'wan'
        option name 'Cust-Allow-LuCI-from-WAN'
        list proto 'tcp'
        list src_ip '192.168.xxx.0/24'
        option target 'ACCEPT'
        list dest_ip '192.168.1.1'
        list dest_ip '192.168.xxx.yyy'     <== Add this line.

Hi everyone.

I've now got my entire setup up and running. I ended up having to use asymmetric port forwarding after all (see here). The problem of port forwarding blocking the standard ports of the web GUI isn't limited to LuCI. It affects all web GUIs behind OpenWRT. So, ports :80 and :443 must always be excluded from any port forwarding to the WAN port on OpenWRT.

I don't know if this is a bug or a feature of OpenWRT, but if the upstream main router supports asymmetric port forwarding, this problem can be elegantly circumvented.

Cheers,
Mic.