OpenWRT Port 80 Forwarding to YunoHost

Hi all,

I've been struggling with this for a few weeks now. I'm trying to install YunoHost on my local network, which is explained below (it's complicated):

  • External internet comes from my ISP to a wireless router. Port forwarding and DMZ creation is allowed and I have forwarded the necessary ports to OpenWRT and put it in the DMZ.

  • OpenWRT runs on a Raspberry Pi 4 (2 GB) and connects to my wireless router over Wifi. I run a LAN off of OpenWRT on a separate subnet and it can't communicate to devices connected to the base network, only with ones on the OpenWRT lan (expected and normal behavior). It has two wifi adapters and works great with my network and other port forwards other than port 80.

  • Yunohost also runs on a Raspberry Pi 4 (4 GB) and connects to OpenWRT over wifi. All port forwards needed except port 80 work.

I've tried connecting the YunoHost direct to my home network and it works worse than when behind openwrt :smiley: so I want to keep it behind openwrt. Originally, I thought it was a luci problem, but I changed the port of luci in /etc/config/uhttpd. If there's another place I need to change, I haven't found it and would appreciate knowing where it is. It's not an ISP/port forwarding problem because I forwarded port 80 years ago for a different project and all the other forwards are working.

Any tips/possible next steps are appreciated. Let me know if you need more info. I've tried to be super detailed.

I'm not saying they have, but the ISP may have changed their policies in the ensuing few years.
I'd recommend setting up something (anything) on port 80 and directly connecting that host to your ISP router. Set the port forward appropriately on your ISP router to this specific host, and see if the forwarding works.

If it does, move that host behind OpenWrt. Remove the port 80 forward you set up previously (on the ISP router) and ensure that the ISP router's DMZ is enabled and pointing to your OpenWrt router. Set up the port 80 forward on OpenWrt and test again. If it doesn't work, connect a computer to the ISP router's network and try accessing via the OpenWrt's wan address (which will be an RFC1918 address from the ISP's lan).

Report back what happens.

Hey Peter,

I tried to run an http server on my main PC, but some service running on that is blocking me from running that. Now that I think about it, before I moved the service behind openwrt, port 80 was not blocked. So I don't think it's that.

Did you test to verify that the server works when connected to the isp router?

Yes. Port 80 worked when it was connected, but nothing else. Now, everything but port 80 works :woozy_face:

OK, I think I figured out the problem - my ISP doesn't allow hairpinning

Ok. So let’s see your config

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall
/etc/config/network:
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd61:fa32:7d2b::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.55.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan'

config interface 'wwan'
	option proto 'dhcp'
	option peerdns '0'
	option dns '1.1.1.1 8.8.8.8'


/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option masq '1'

config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'wwan'

config forwarding
	option src 'wan'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'http'
	option src 'wan'
	option src_port '80'
	option dest 'lan'
	list dest_ip '192.168.55.222'
	option dest_port '80'
	option target 'ACCEPT'

config rule
	option name 'http-out'
	option src 'lan'
	list src_ip '192.168.55.222'
	option src_port '80'
	option dest 'wan'
	option dest_port '80'
	option target 'ACCEPT'

config rule
	option name 'https'
	option src 'wan'
	option src_port '443'
	option dest 'lan'
	list dest_ip '192.168.55.222'
	option dest_port '443'
	option target 'ACCEPT'

config rule
	option name 'https-out'
	option src 'lan'
	list src_ip '192.168.55.222'
	option src_port '80'
	option dest 'wan'
	option dest_port '80'
	option target 'ACCEPT'


Turn off masquerading in the lan zone.

This is where your problem is. Set input and forward to reject.

Delete this

Delete this... it is not necessary.

Same here:
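As an added example (not code from the thread or from OpenWrt), a small Python linter that parses a UCI firewall file and flags the points raised in the replies above: masquerading on the lan zone, ACCEPT for input/forward on wan, the wan-to-lan forwarding, and the wan-to-lan rules. The rule check goes slightly beyond the replies: in OpenWrt a port forward is a `config redirect` with DNAT, and `src_port` in a rule matches the client's source port rather than the service port. The sample config is constructed from the posted one.

```python
# Added example, not from the thread or from OpenWrt: lint a UCI firewall config for the
# problems the replies point out. SAMPLE_FIREWALL is constructed from the posted config.
import re
SAMPLE_FIREWALL = """config zone
\toption name 'lan'
\toption masq '1'
config zone
\toption name 'wan'
\toption input 'ACCEPT'
\toption forward 'ACCEPT'
config forwarding
\toption src 'wan'
\toption dest 'lan'
config rule
\toption name 'http'
\toption src 'wan'
\toption src_port '80'
\toption dest 'lan'
"""

def parse_uci(text):
    """Return [(section_type, options)] from UCI text; 'list' values collect into lists."""
    sections = []
    for line in text.splitlines():
        if m := re.match(r"\s*config\s+(\S+)", line):
            sections.append((m.group(1), {}))
        elif (m := re.match(r"\s*(option|list)\s+(\S+)\s+'([^']*)'", line)) and sections:
            kind, key, val = m.groups()
            if kind == "list":
                sections[-1][1].setdefault(key, []).append(val)
            else:
                sections[-1][1][key] = val
    return sections

def lint_firewall(text):
    """Return one finding per problem; an empty list means every check passed."""
    findings = []
    for stype, o in parse_uci(text):
        name = o.get("name", "?")
        wan_to_lan = o.get("src") == "wan" and o.get("dest") == "lan"
        if stype == "zone" and name == "lan" and o.get("masq") == "1":
            findings.append("zone lan: masq '1' is wrong, masquerade only on wan")
        if stype == "zone" and name == "wan":
            findings += [f"zone wan: {p} ACCEPT exposes the router, set REJECT"
                         for p in ("input", "forward") if o.get(p) == "ACCEPT"]
        if stype == "forwarding" and wan_to_lan:
            findings.append("forwarding wan->lan: opens the whole LAN, delete it")
        if stype == "rule" and wan_to_lan:  # a port forward is a 'config redirect' (DNAT)
            findings.append(f"rule {name}: use 'config redirect', 'src_port' is the client's port")
    return findings
```

Run it against the real file with `lint_firewall(open("/etc/config/firewall").read())`; the posted config yields five findings, one per point the replies make.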