Port forwarding 443 breaks https

I have a server at home with an https web server (10.1.0.132) that I want to forward to the internet, but when I do that by adding this to the firewall config:

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'test'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest_ip '10.1.0.132'
	option dest_port '443'

I notice that ALL https traffic going to the internet gets redirected to the 10.1.0.132 server (I could see a lot of requests coming from the router's IP in the logs). My port forwarding setup is made a little more complicated by being behind double NAT but I haven't had any problems with this because I asked my ISP to map all ports of my OpenWRT router 1:1 to my dedicated IP address. This setup has worked fine for me and forwarding web traffic and other protocols on ports other than 443 has been without issues. While debugging this I made a few observations.

  1. HTTP web traffic to the internet on port 80 still works
  2. HTTPS locally still works. I have a local https proxy manager setup (following this video) and that still works
  3. When I use WireGuard to connect to a different network (thus proxying my https traffic through a different port) https works again
  4. The web interface shouldn't be interfering with the port forward because I changed it to port 81 and 444 and limited it to the LAN

Here is some more info about my setup:

This is my firewall setup without the breaking forward:


config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Forward1'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '10.1.2.6'
	option dest_port '51820'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Forward2'
	option src 'wan'
	option src_dport '16000-16200'
	option dest_ip '10.1.0.183'
	option dest_port '16000-16200'

I'm running OpenWRT version 23.05.3 on a Zimaboard.
My LAN is 10.1.0.0/16
And my WAN (Under my ISP's router) is 192.168.0.0/24

PS: I found a few topics talking about this but I didn't find any solution on how to fix this.

Let's see the complete configuration:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

ubus call system board

{
	"kernel": "5.15.150",
	"hostname": "OpenWrt",
	"system": "Intel(R) Celeron(R) CPU J3455 @ 1.50GHz",
	"model": "Default string Default string",
	"board_name": "default-string-default-string",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "x86/64",
		"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd17:0af9:721a::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config interface 'lan'
	option device 'eth1'
	option proto 'static'
	option ipaddr '10.1.0.1'
	option netmask '255.255.0.0'
	option ip6assign '60'
        option force_link '1'


config interface 'wan'
	option device 'eth0'
	option proto 'static'
        option ipaddr '192.168.0.4'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'
        dns '1.1.1.1 9.9.9.9'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

I don't have any wireless config

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,10.1.2.6,1.1.1.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'BRWACD5641F6093'
	option ip '10.1.0.202'
	option mac 'AC:D5:64:1F:60:93'

cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Forward1'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '10.1.2.6'
	option dest_port '51820'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Forward2'
	option src 'wan'
	option src_dport '16000-16200'
	option dest_ip '10.1.0.183'
	option dest_port '16000-16200'


Input should usually be set to REJECT. Restart the router and then test again.

Changed it, but forwarding 443 still breaks https in the LAN

I assume the issue is https for reaching the router itself (i.e. LuCI web interface)?

  • From where are you connecting (what IP address/are you on your lan)?
  • What address are you using to bring up the LuCI interface?
  • What browser are you using (and have you tried others)?
  • Have you tried other devices (a different computer/tablet/phone)?
  • What is the specific error you're seeing?

The error is for any https traffic. I will give you steps to recreate the problem:

  1. Add the following port forward:
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'test'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest_ip '10.1.0.132'
	option dest_port '443'
  2. Run an https server on 10.1.0.132
  3. If I go to ANY https website on the internet (e.g. https://www.google.com) on ANY device on the LAN (e.g. my notebook on 10.1.0.100) I get the SSL_ERROR_BAD_CERT_DOMAIN because the request for google gets redirected to my server on 10.1.0.132. The error is because of a certificate mismatch, which I understand: my browser is expecting a certificate for google but instead receives a certificate for my domain. I can even see those requests in the log of the server coming from the IP of the router (10.1.0.1). I have tried different OSes, browsers and devices but I think the problem is network-wide.

This port forward rule could not cause the error -- at least not in isolation. This only affects port 443 inbound traffic, not outbound, and not returning traffic from your requests to the web.

Here's what I'd recommend...

  1. Make a backup
  2. Reset your router to defaults
  3. Change your router's IP address to 10.1.0.1 (I would recommend keeping it as a /24 -- I'm not sure why you've set a /16).
  4. Configure wifi, if desired.
  5. Test https connections
  6. Create that same port forward again
  7. Test https connections again.