Port forwarding between two routers

Hello. I have an OpenWrt router with an Apache server installed and running (listening on all interfaces). The OpenWrt router is connected to a non-OpenWrt router in routed mode. When I try to connect to the Apache server from the non-OpenWrt router's network, it does not work. However, when I try to connect from an external network (mobile data), it works. My firewall rules and port forwarding rules are in the attachments.

Start by fixing your firewall wan zone -- input and forward should be set to reject.
Then, delete the port forward -- you should be using a traffic rule, not a port forward. Because the Apache server runs on the router itself, incoming connections to it are handled by the wan zone's input policy, so what you need is a traffic rule that accepts input on that port, not a DNAT redirect.

Next, are you sure your Apache server is listening on port 90? (This would be non-standard, but it can work.) Also, you need to test using a web browser:

http://openwrt.router.ip.address:90

the :90 is critical here.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
netstat -plnt

Yes, I am sure (the port was set up manually and checked twice). Thanks for the help, I will try it now.

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.137",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Xiaomi Mi Router AX3000T",
	"board_name": "xiaomi,mi-router-ax3000t",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "mediatek/filogic",
		"description": "OpenWrt 23.05.2 r23630-842932a63d 231212"
	}
}
root@OpenWrt:~# cat /etc/config/networkcat /etc/config/networkcat /etc/config/ne
tworkcat /etc/config/networkcat /etc/config/networkcat /etc/config/networkcat /e
tc/config/network^C

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.137",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Xiaomi Mi Router AX3000T",
	"board_name": "xiaomi,mi-router-ax3000t",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "mediatek/filogic",
		"description": "OpenWrt 23.05.2 r23630-842932a63d 231212"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd33:8e69:f9d7::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'wan'
	option macaddr 'a4:a9:30:2a:d3:81'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'apache'
	option src 'wan'
	option src_dport '90'
	option dest_ip '192.168.1.1'
	option dest_port '90'
	option enabled '0'

root@OpenWrt:~# netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1484/uhttpd
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN      7038/dnsmasq
tcp        0      0 192.168.1.110:53        0.0.0.0:*               LISTEN      7038/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2418/dropbear
tcp        0      0 192.168.1.1:7681        0.0.0.0:*               LISTEN      5090/ttyd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1484/uhttpd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      7038/dnsmasq
tcp        0      0 fe80::a6a9:30ff:fecd:e4f8:53 :::*                    LISTEN      7038/dnsmasq
tcp        0      0 fe80::a6a9:30ff:fecd:e4f8:53 :::*                    LISTEN      7038/dnsmasq
tcp        0      0 :::80                   :::*                    LISTEN      1484/uhttpd
tcp        0      0 :::90                   :::*                    LISTEN      9505/apache2
tcp        0      0 fd33:8e69:f9d7::1:53    :::*                    LISTEN      7038/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      7038/dnsmasq
tcp        0      0 fe80::a6a9:30ff:fecd:e4fb:53 :::*                    LISTEN      7038/dnsmasq
tcp        0      0 :::22                   :::*                    LISTEN      2418/dropbear
tcp        0      0 fd0e:96a8:144b:3046:a6a9:30ff:fe2a:d381:53 :::*                    LISTEN      7038/dnsmasq
tcp        0      0 fe80::a6a9:30ff:fe2a:d381:53 :::*                    LISTEN      7038/dnsmasq
tcp        0      0 :::443                  :::*                    LISTEN      1484/uhttpd
tcp        0      0 fe80::a6a9:30ff:fecd:e4fa:53 :::*                    LISTEN      7038/dnsmasq
root@OpenWrt:~# 

I disabled the port forward rule rather than deleting it, because it will be needed in the future.

The error is not resolved yet.

I see that port 90 is listening, but the only matching line in your netstat output is `:::90`, so it appears it may only be listening on IPv6. (On Linux, an IPv6 wildcard listener normally accepts IPv4 connections as well unless it was bound with IPV6_V6ONLY, so this is worth confirming rather than assuming.)

Are you able to reach the apache server when you are connected to your 192.168.1.0/24 network and visit:

http://192.168.1.1:90
or
https://192.168.1.1:90

Yes, I am able to access it from this network.

OK...
Add a traffic rule that accepts TCP traffic from the wan zone on destination port 90.

Then try it from the upstream network by connecting to the router's IP address as it appears on the upstream network (not 192.168.1.1), making sure to specify the port.


Are these settings right?

The destination zone should be "Input" (this device), and no destination address should be specified.


Also, moving forward, please don't post photos like this except when there is no other option.

In order of preference (driven by how well all the key details can be understood), the desired formats are:

  1. Text
  2. screenshot (performed by the operating system)
  3. photo of your screen (a camera pointed at your screen).

Use the method previously requested to post your text configs.


Okay, I did it. I still get this error.

Don't specify a source port.

Do not set a source port; you only need a destination port. The complete section (placed under a `config rule` header in /etc/config/firewall) looks like this:

option name 'Allow-apache'
        option src 'wan'
        option dest_port '90'
        option proto 'tcp'
        option target 'ACCEPT'

Thanks all. I will try it now.

That did not help; the error is still not resolved.

I'll provide the config (again, it helps if you show us the resulting configuration):

config redirect                                 
        option target 'DNAT'                    
        option src 'wan'                        
        option proto 'tcp'                      
        option src_dport '90'                   
        option dest_port '90'                   
        option name 'HTTP'                      
        option dest 'lan'                 
        option dest_ip '192.168.1.1'           

Lastly, I noticed your destination IP is 192.168.1.1 -- are you sure this is the IP address of the interface connected to your non-OpenWrt router?

As far as I understand the OP's setup, the Apache server is set up on the OpenWrt router itself.

However, this OpenWrt router is behind another, non-OpenWrt router, which obviously needs a port forward to the OpenWrt router.


Correct; my question is whether that is the IP of the OpenWrt router's (I assume WAN) interface.

Usually 192.168.1.1 is the LAN IP. That also raises the question of whether there is an IP addressing conflict between the two networks.

In other words: shouldn't the OP's port forward use the [DST] IP of the WAN interface, and not the LAN IP?