Hi everyone, I have a TP-Link TL-MR6400 v4 with IP 192.168.1.1. I need to open port 80 so that I can access the router address from outside via a DDNS. The DDNS configuration works because the no-ip.com website sees the address being updated, but the port forwarding rule for external access is not working. What am I doing wrong? Can you help me? I'm going crazy.
Keeping port 80 wide open on internet is crazy stupid.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
1 Like
As @frollic said, it is not recommended to open port 80 in general, but specifically and especially to your router itself.
If you need to be able to remotely connect to the router (and/or the network behind it), you should do this by means of a VPN. It's super easy to setup Wireguard:
Actually, it's just a test to see if it works. Then I want to use WireGuard.
root@OpenWrt:~# ubus call system board
{
"kernel": "6.6.73",
"hostname": "OpenWrt",
"system": "MediaTek MT7628AN ver:1 eco:2",
"model": "TP-Link TL-MR6400 v4",
"board_name": "tplink,tl-mr6400-v4",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.0",
"revision": "r28427-6df0e3d02a",
"target": "ramips/mt76x8",
"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
"builddate": "1738624177"
}
}
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd00:1234:5678::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
config interface 'wwan'
option proto 'dhcp'
config interface 'LTE'
option proto 'qmi'
option device '/dev/cdc-wdm0'
option apn 'internet.it'
option auth 'none'
option pdptype 'ipv4'
list dns '8.8.8.8'
list dns '1.1.1.1'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'wwan'
list network 'LTE'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Allow-WAN-HTTP'
option src 'wan'
option proto 'tcp'
option dest_port '80'
option target 'ACCEPT'
config rule
option name 'Allow-WAN-HTTPS'
option src 'wan'
option proto 'tcp'
option dest_port '443'
option target 'ACCEPT'
config rule
option name 'Allow-WAN-HTTP'
option src 'wan'
option proto 'tcp'
option dest_port '443'
option target 'ACCEPT'
config rule
option name 'Allow-WAN-HTTP'
option src 'wan'
option proto 'tcp'
option dest_port '80'
option target 'ACCEPT'
config rule
option name 'Permetti-Porta-8080'
option src 'wan'
option dest_port '8080'
option proto 'tcp'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'modem esterno'
list proto 'tcp'
option src 'wan'
option src_dport '7777'
option dest_ip '192.168.1.1'
option dest_port '80'
root@OpenWrt:~#
wow, you failed to follow half of the instruction you were given, good work.
since you're using a LTE modem as uplink, you're most likely CGNAT:ed.
it won't work, at least not using ipv4.
what are the 1st two octets of your wwan IP ?
1 Like
If you got public IP address by now your device and your home is hacked all over 20x.
2 Likes
My God, how do I fix this?
1 Like
reset ?
delete the rule ?
preventive: don't make changes you don't understand.
2 Likes
So, since I don't know, can you help me? Thank you. How do I make the change to be sure it's secure?
reset is in the firmware flashing submenu.
but not making them 
1 Like
How can I delete the rule and fix everything without resetting the modem?
Reset the device
Assesss your NAT functionality https://natchecker.com/
Anything saying "cone" or "open" is a good candidate to run UPNP
Do you want to run any public service like webserver? VPN?
I'll try later. Yes, I would like to enable external access to use WireGuard and access my network from outside.
did you understand what you were told in Port Forwarding doesn't work TP-Link TL-MR6400 - #5 by frollic ?
1 Like
Ok . Thank you
1 Like
you can always try setting a Cloudflare tunnel or similar to bypass the CGNAT restriction.
See my notes how I setup a WireGuard server:
WireGuard Server Setup Guide
First read the paragraph in the introduction about a Public IP address, chances are you do not have one which makes it impossible to setup a WireGuard server on your router.
The alternatives, using a Man in the middle to reach your home, are also mentioned.
You can open incoming port using pmp or pnp, tail scale does it.
Of course that is described in the alternatives
If you are behind CGNAT, so do not have a public IPv4 address and do not have a public IPv6 address (check with: ifstatus wan6) or using IPv6 is not applicable then you have to involve a (commercial) third party to get a public IP address.
This can be a VPN provider which supports port forwarding (e.g. ProtonVPN), or you can rent a Virtual Private Server ( I have an Oracle VPS which can be had for free, see at the bottom of this guide), or use things like Netbird, Zerotier, Cloudflared, Tailscale, ngrok, pinggy or tunnelmole and there are more, I have setup Netbird on several OpenWRT and Windows and Linux clients and it works well, see my notes about setting up Netbird on OpenWRT and the Netbird support thread.