Hi all,
I have strange situation and I'm stuck. What I have:
Two identical routers TP-Link Archer C20i, flashed with the latest snapshot OpenWrt SNAPSHOT r20513-a99707d14c / LuCI Master git-22.245.77360-10bcb22 (because of the failed 5 GHz radios with the release)
Two different ISPs, both with open ports 80/443
First router is configured with static internal ip address 192.168.66.1 and to forward all incoming requests on ports 80/443 to 192.168.66.103. DHCPD is on
Second router is configured with static internal ip address 192.168.66.175 and to forward all incoming requests on ports 80/443 to 192.168.66.103. DHCPD is off
The first router works as expected. The second is not working. Neither port 80 nor port 443 could be reached. Neither local nor global.
The settings are much similar.
Router 1:
ubus call system board; \
> uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
"kernel": "5.10.139",
"hostname": "koko_telekabel",
"system": "MediaTek MT7620A ver:2 eco:6",
"model": "TP-Link Archer C20i",
"board_name": "tplink,archer-c20i",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "SNAPSHOT",
"revision": "r20513-a99707d14c",
"target": "ramips/mt7620",
"description": "OpenWrt SNAPSHOT r20513-a99707d14c"
}
}
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdaa:4956:5751::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.66.1'
config device
option name 'eth0.2'
option macaddr 'a4:2b:b0:cd:7b:19'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0 6t'
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option force '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config host
option name 'koko'
option dns '1'
option mac '90:1B:0E:FE:B1:2C'
option ip '192.168.66.103'
config host
option name 'Niki'
option dns '1'
option mac '74:D4:35:B7:8E:FF'
option ip '192.168.66.156'
config host
option name 'airRohr'
option dns '1'
option mac '80:7D:3A:22:E6:5E'
option ip '192.168.66.135'
config host
option name 'meter.ac'
option dns '1'
option mac '98:D8:63:06:1F:DA'
option ip '192.168.66.206'
config host
option name 'Pantum'
option dns '1'
option mac '84:7A:B6:E3:DC:B0'
option ip '192.168.66.101'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'https'
list proto 'tcp'
option src 'wan'
option src_dport '443'
option dest_ip '192.168.66.103'
option dest_port '443'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'http'
list proto 'tcp'
option src 'wan'
option src_dport '80'
option dest_ip '192.168.66.103'
option dest_port '80'
head: /etc/firewall.user: No such file or directory
-ash: iptables-save: not found
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.66.1/24 brd 192.168.66.255 scope global br-lan
valid_lft forever preferred_lft forever
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet externalip1/24 brd 31.13.201.255 scope global eth0.2
valid_lft forever preferred_lft forever
default via 31.13.201.1 dev eth0.2 src externalip1
31.13.201.0/24 dev eth0.2 scope link src externalip1
192.168.66.0/24 dev br-lan scope link src 192.168.66.1
broadcast 31.13.201.0 dev eth0.2 table local scope link src externalip1
local externalip1 dev eth0.2 table local scope host src externalip1
broadcast 31.13.201.255 dev eth0.2 table local scope link src externalip1
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.66.0 dev br-lan table local scope link src 192.168.66.1
local 192.168.66.1 dev br-lan table local scope host src 192.168.66.1
broadcast 192.168.66.255 dev br-lan table local scope link src 192.168.66.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Router 2
ubus call system board; \
> uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
"kernel": "5.10.139",
"hostname": "kokokokovski",
"system": "MediaTek MT7620A ver:2 eco:6",
"model": "TP-Link Archer C20i",
"board_name": "tplink,archer-c20i",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "SNAPSHOT",
"revision": "r20513-a99707d14c",
"target": "ramips/mt7620",
"description": "OpenWrt SNAPSHOT r20513-a99707d14c"
}
}
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdec:9cc6:90b8::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.66.175'
config device
option name 'eth0.2'
option macaddr '30:b5:c2:eb:98:65'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0 6t'
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'http'
list proto 'tcp'
option src 'wan'
option src_dport '80'
option dest_ip '192.168.66.103'
option dest_port '80'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'https'
list proto 'tcp'
option src 'wan'
option src_dport '443'
option dest_ip '192.168.66.103'
option dest_port '443'
head: /etc/firewall.user: No such file or directory
-ash: iptables-save: not found
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet externalip2/23 brd 91.204.159.255 scope global eth0.2
valid_lft forever preferred_lft forever
9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.66.175/24 brd 192.168.66.255 scope global br-lan
valid_lft forever preferred_lft forever
default via 91.204.159.254 dev eth0.2 src externalip2
91.204.158.0/23 dev eth0.2 scope link src externalip2
192.168.66.0/24 dev br-lan scope link src 192.168.66.175
broadcast 91.204.158.0 dev eth0.2 table local scope link src externalip2
local externalip2 dev eth0.2 table local scope host src externalip2
broadcast 91.204.159.255 dev eth0.2 table local scope link src externalip2
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.66.0 dev br-lan table local scope link src 192.168.66.175
local 192.168.66.175 dev br-lan table local scope host src 192.168.66.175
broadcast 192.168.66.255 dev br-lan table local scope link src 192.168.66.175
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Could you tell me what more I can check to figure out what is wrong with the router 2 or it settings?
Could be because of 192.168.66.175 instead of setting first network address?
Best regards
Edit: uhttpd is configured to listen to the local ip address only. On both routers.
Router 1
config uhttpd 'main'
list listen_http '192.168.66.1:80'
# list listen_http '[::]:80'
list listen_https '192.168.66.1:443'
# list listen_https '[::]:443'
option redirect_https '0'
option home '/www'
option rfc1918_filter '1'
option max_requests '3'
option max_connections '100'
option cert '/etc/uhttpd.crt'
option key '/etc/uhttpd.key'
option cgi_prefix '/cgi-bin'
list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
option script_timeout '60'
option network_timeout '30'
option http_keepalive '20'
option tcp_keepalive '1'
option ubus_prefix '/ubus'
Router 2
config uhttpd 'main'
list listen_http '192.168.66.175:80'
list listen_http '[::]:80'
list listen_https '192.168.66.175:443'
list listen_https '[::]:443'
option home '/www'
option rfc1918_filter '1'
option max_requests '3'
option max_connections '100'
option cert '/etc/uhttpd.crt'
option key '/etc/uhttpd.key'
option cgi_prefix '/cgi-bin'
list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
option script_timeout '60'
option network_timeout '30'
option http_keepalive '20'
option tcp_keepalive '1'
option ubus_prefix '/ubus'
option redirect_https 'on'
