OpenWrt on Rpi 4B not allowing https connection over ip address

I am using a Raspberry Pi 4B in place of my router that crapped out yesterday, and I am running into a problem: if the Rpi is connected to the internet via an ethernet cable to my modem, the control panel that is normally accessible over the Rpi's ip address (192.168.1.199) is inaccessible over https or ssh. If I unplug the Rpi from my modem, everything works fine, and I can use the control panel. When the Rpi is plugged into the modem the wifi works fine with my chromebook and iphone. The order that stuff is plugged in goes like this: Verizon Modem ---> Rpi running OpenWrt

I am currently using the Rpi as both a router and access point while I wait for a new access point to arrive, which should be this Friday. Anyway, how can I make it so I can get into the OpenWrt control panel without disconnecting the Rpi from my modem? Thank you in advance :slight_smile:

Yellow wire is going into the modem, other wires are either HDMI, for the keyboard or for the power supply.

Your modem is plugged into the built-in RJ45 port of the RPI4?

Because that port by default is the LAN port. If you plug the modem into that RJ45 port without reconfiguring a few things in OpenWRT, both RPI and modem provide DHCP, which will result in undefined behavior.

1 Like

What are "those few things" that I have to reconfigure? Thanks for the help - I'm learning as I go, but at least I have wifi in a very small area of my house now :smiley:

My 4B is currently out of home, so I cannot provide a copy of the exact config.

As is:

  • There is the 1x RJ45 part (I think the device is called "eth0" in OpenWRT on RPI4)
  • there is a LAN interface and a LAN zone already there
  • maybe there is a WAN interface and WAN zone also present
  • sounds like you already have a working Wifi setup as AP for your LAN interface

A very rough outline, of what you need, to make the 1 RPI built-in RJ45 become a WAN port and keep the already enabled RPI4-Wifi enabled as LAN access point:
(all can be done via Luci)

LAN interface:

  • you need to remove "eth0" device from the LAN interface. You need to keep the remaining LAN interface as is, as your Wifi is associated with it. Do not simply move the LAN interface to the WAN zone. You can no longer administrate the RPI via LAN cable after that, you need to connect via Wifi to administrate

WAN interface:

  • if a WAN interface is not yet there, create it.
  • The WAN interface needs to be: "protocol": "DHCP client" + "device": "eth0"

firewall under "Zones":

  • add a "WAN" zone, if not present.
  • a "WAN=>reject" line should now be listed, needing: "In: reject, Out: accept, forward: reject"
  • of line "WAN=>reject" under "Edit"
    • Both "MSS Clamping" + "masquerading" checkmarks to be set
    • "covered networks": "WAN" (the WAN interface mentioned before)
  • there should be a zone line "LAN => ..."
    • it needs: "in: accept, out: accept, forward: accept"
    • it needs "Allow forward to destination zones": "WAN"

Maybe post your network and firewall file, if it does not work as expected. Not sure, if I can help in short term, but likely others can.

1 Like

Do they not, also, need to make a bridge device and add/combine it with wireless to lan?

Pico has done a lot of the config for you.

However DO NOT change eth0 until you can connect wirelessly.

Once you are sure the wireless is working then remove eth0.

Okay, I've had my coffee and breakfast and I am grasping more of what is going on.

This is not easy to do the first time. Likely it will take an hour or two.

#1 your router should be 192.168.1.1 on the LAN side by default so I'm going to presume the whole thing is getting its ip from the modem.

Instead of fixing this, we need to start over. Luckily for you I have been putting off trying to run openwrt on a pi zero w just to watch it melt.

If you really cannot deal with one more day, we will need to start from scratch.

And no, you cannot do this without unplugging the Ethernet cord.

1 Like

Could I just get another USB 3.0 to ethernet dongle? I already ordered one anyway.

Given I don’t actually have an access point to use right now and this is just being broadcast off the Raspberry Pi as a proof of concept while I wait for my access point to arrive, this isn’t really an issue until I get that set up, as I can just unplug the ethernet cable coming from the modem if I need to edit anything with luci.

We just need the eth0 for setup. We will delete it and make another eth0 for wan after you log in on its wifi.
Can you access the internet using the Pi's wifi? I think I missed something.

No more Ambien forum chat for me.

Right now you have what OpenWrt calls a dumb Access Point. The problem is it is only acting like a switch with wireless, i.e. no firewall, no DHCP, no NAT, no Firewall; everything is just being passed from the modem.
DHCP must be handed out to your devices from the modem. I'll bet you can get into the modem at 192.168.1.1.

I'm more than happy to get you a real router setup because I do not think you have any firewall, and you could get very unlucky.
You can get it configured and just save the SD card in case you need OpenWrt in the future.

Right now I can get onto the internet just via connecting to the rpi, which is how I'm on this forum. I cannot connect to the modem via 192.168.1.1, I don't actually know if it's a "modem" per se, that's just what people have told me it is. I'll attach a picture. I've just been following the guide for OpenWrt, and it seems to be working fine so far, aside from the fact that I don't actually have an access point so it's all just connecting to the rpi's onboard stuff, which does not have very good transmission distance (at least that's how I think it's working - my networking experience is cloud based mostly, I have little experience with this).

Edit: that's the thing my parents keep calling a modem even though I have a feeling it's not actually a modem

You are not going to get much distance with any Pi. They are most useful as a travel router (like I'm trying to see how bad it is on a zero w)

right click your network icon in the bottom right.
choose open network and internet settings
scroll down to change adapter options
right click your wifi and look at the status
what it is showing as the gateway and what is your ip address
edit

Yeah I said left, sorry

Nothing is really a modem anymore, it is a legacy term from dial-up. We just call them modems because both bring internet to the house.

and

that help?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Not really. I was not expecting an address like that. Good news: I could not ping it.

Go ahead and do what psherman suggested; I think it's going to return those are not configured. But I'm sure they know more than me

open cmd using the search in the bottom left
in the black box type ssh

it will ask for a password but I doubt you have set one up so hit enter
then type or paste their commands.

second edit:

we are not sure what OpenWrt has as an address so try that.

Oh yeah, they need to redact those numbers.

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.134",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 3",
        "model": "Raspberry Pi 4 Model B Rev 1.4",
        "board_name": "raspberrypi,4-model-b",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "bcm27xx/bcm2711",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}


root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr 
        option netmask

config globals 'globals'
        option ula_prefix 'fd41:0d4c:bb6d::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr 
        option netmask 
        option ip6assign '60'

config interface 'wwan'
        option proto 'dhcp'



root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option country 'US'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk2'
        option key [redacted]


root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

that's the huge block of text it put out, not sure what among this needs to be censored
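
A check over the network file posted above, as an added example that is not part of the thread and not OpenWrt tooling: it reports whether the uplink port is still a member of br-lan (and so in the lan zone, whose input policy is ACCEPT) and whether any interface covered by the wan zone is bound to it. The port name eth0, the function names and the embedded sample (a constructed copy of the posted file without addresses) are assumptions; the wan zone networks are taken from the posted firewall file.

```sh
# Added example (not from the thread): audit a UCI network config read from stdin.
# Assumes eth0 is the uplink port; wan zone networks come from the posted firewall file.

# Constructed sample mirroring the posted /etc/config/network (addresses omitted).
sample_network() {
cat <<'EOF'
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'

config interface 'wwan'
        option proto 'dhcp'
EOF
}

# Print the member ports of bridge device $1.
bridge_ports() {
    awk -v q="'" -v br="$1" '
        $1 == "config" { indev = ($2 == "device"); cur = "" }
        indev && $2 == "name" { cur = $3; gsub(q, "", cur) }
        indev && cur == br && $2 == "ports" { p = $3; gsub(q, "", p); print p }'
}

# Print the interface sections whose "option device" equals $1.
ifaces_on() {
    awk -v q="'" -v port="$1" '
        $1 == "config" { name = ""; if ($2 == "interface") { name = $3; gsub(q, "", name) } }
        name != "" && $2 == "device" { d = $3; gsub(q, "", d); if (d == port) print name }'
}

# audit PORT "WAN_NETS": exit 0 only if PORT is out of br-lan and bound to a wan-zone interface.
audit() {
    cfg=$(cat); rc=0; bound=""
    if printf '%s\n' "$cfg" | bridge_ports br-lan | grep -qx "$1"; then
        echo "FAIL: $1 is a br-lan port, so the uplink is in the lan zone"; rc=1
    fi
    for i in $(printf '%s\n' "$cfg" | ifaces_on "$1"); do
        case " $2 " in *" $i "*) bound=$i ;; esac
    done
    [ -n "$bound" ] || { echo "FAIL: no wan-zone interface ($2) uses $1"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK: $1 is bound to wan-zone interface $bound"
    return "$rc"
}

sample_network | audit eth0 "wan wan6 wwan" || true
```

On the device itself the same function can be fed the live file with `audit eth0 "wan wan6 wwan" < /etc/config/network`; both FAIL lines clear once eth0 is removed from br-lan and a wan interface with device eth0 exists, as outlined earlier in the thread.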