Hello,
I have a NAS to which I want to connect from outside the home network. I set up port forwarding for port 443 directly to the NAS (192.168.1.10).
# /etc/config/firewall
# The same two DNAT redirects (WAN :80 and WAN :443 -> NAS 192.168.1.10),
# added in a loop instead of two copy-pasted runs of uci commands.
# Each iteration creates one anonymous 'redirect' section; uci prints the
# generated section id (the "# =cfg..." notes in the original paste).
# Options are set in the same order as the original so the resulting
# /etc/config/firewall sections are identical.
for port in 80 443; do
    uci add firewall redirect
    uci set firewall.@redirect[-1].dest_port="${port}"
    uci set firewall.@redirect[-1].src='wan'
    uci set firewall.@redirect[-1].name="NAS ${port}"
    uci set firewall.@redirect[-1].src_dport="${port}"
    uci set firewall.@redirect[-1].target='DNAT'
    uci set firewall.@redirect[-1].dest_ip='192.168.1.10'
    uci set firewall.@redirect[-1].dest='lan'
    # HTTP/HTTPS are TCP; 'tcp udp' also forwards UDP 80/443 to the NAS,
    # which is only useful if the NAS serves HTTP/3 (QUIC) — kept as in the post.
    uci set firewall.@redirect[-1].proto='tcp udp'
done
Then the message "Failed to confirm apply within 30s, waiting for rollback…" appears and everything reverts to the previous settings.
Can you please advise me on how to fix this problem?
Yes, the router is connected via wan.
However, another router is connected in front of the OpenWrt router and serves as a "modem", because the OpenWrt router has no coaxial input. On this "modem" I turned off the firewall and forwarded all ports to the OpenWrt router.
The setup is as follows: Modem (firewall disabled, NAT and all ports forwarded to OpenWrt) <192.168.1.5>, from its LAN -> to the WAN of OpenWrt (port forwarding to the NAS, firewall and NAT enabled) <192.168.1.1>, from its LAN -> to the NAS <192.168.1.10>.
# Global policy: the router itself may receive (input) and send (output)
# traffic, but traffic passing between zones (forward) is rejected unless a
# 'forwarding', 'rule' or 'redirect' section below allows it.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# lan zone: the trusted side (the NAS 192.168.1.10 lives here); everything
# coming from lan is accepted.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
# wan zone: the untrusted side. 'input REJECT' is what keeps the router's own
# services (LuCI/uhttpd, ssh, ...) unreachable from the internet. With the
# upstream "modem" firewall switched off and all ports forwarded (as described
# in the post), this zone is the only filter between the internet and the router.
# masq enables NAT for lan -> wan; mtu_fix clamps TCP MSS for the NATed path.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan'
# Only lan -> wan is forwarded. There is no wan -> lan forwarding section, so
# the only paths from the internet into the lan are the explicit wan -> lan
# rules (IPSec-ESP, ISAKMP) and the two DNAT redirects at the end of the file.
config forwarding
option src 'lan'
option dest 'wan'
# Default OpenWrt rules for the router itself: DHCP renewals from the ISP.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# The router answers ICMP echo (ping) from the internet.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# IPv6 housekeeping (DHCPv6, MLD, ICMPv6) needed for the router to operate;
# the ICMPv6 rules are rate-limited to 1000/sec.
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Default rules that forward IPsec (ESP and IKE on UDP 500) from wan into lan.
# They are harmless if no lan host runs IPsec, but they are wan -> lan accepts
# and can be removed if unused.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Custom iptables rules in /etc/firewall.user are loaded here and are not
# visible in this file; include it when auditing what is exposed.
config include
option path '/etc/firewall.user'
# DNAT: connections arriving on the wan address, port 80, are rewritten to
# 192.168.1.10:80. A redirect also inserts the matching forward accept, so the
# NAS web service is now reachable from the internet and is the real security
# boundary for this port (keep it patched, strong authentication, prefer HTTPS).
# Because the DNAT matches inbound wan:80/443 before the router's own uhttpd
# sees them, LuCI on 80/443 is no longer reachable through the wan side — the
# "waiting for rollback" symptom described in the post.
# NOTE(review): HTTP/HTTPS are TCP; 'tcp udp' additionally forwards UDP 80/443,
# which is only needed if the NAS serves HTTP/3 (QUIC) — otherwise 'tcp' suffices.
config redirect
option dest_port '80'
option src 'wan'
option name 'NAS 80'
option src_dport '80'
option target 'DNAT'
option dest_ip '192.168.1.10'
option dest 'lan'
option proto 'tcp udp'
# Same as above for port 443 (HTTPS) -> 192.168.1.10:443.
config redirect
option dest_port '443'
option src 'wan'
option name 'NAS 443'
option src_dport '443'
option target 'DNAT'
option dest_ip '192.168.1.10'
option dest 'lan'
option proto 'tcp udp'
PS: Port forwarding now works, but first I had to change the web administration port to 444. If I hadn't done that first, the router would have reverted to the previous settings because the browser could no longer reach it.
I consider this only a temporary solution to the problem. My /etc/config/uhttpd:
# Server configuration
config uhttpd main
# HTTP listen addresses, multiple allowed
# Moved from the default port 80 to 81 (and HTTPS from 443 to 444) so the
# WAN DNAT redirects for the NAS, which capture inbound :80/:443 before uhttpd
# sees them, no longer cut off the LuCI session that has to confirm an apply.
# 0.0.0.0 / [::] bind on every interface; whether LuCI is reachable from the
# internet is decided by the firewall's wan zone input policy, not here.
list listen_http 0.0.0.0:81
list listen_http [::]:81
# HTTPS listen addresses, multiple allowed
list listen_https 0.0.0.0:444
list listen_https [::]:444
# Redirect HTTP requests to HTTPS if possible
option redirect_https 1
# Server document root
option home /www
# Reject requests from RFC1918 IP addresses
# directed to the servers public IP(s).
# This is a DNS rebinding countermeasure.
option rfc1918_filter 1
# Maximum number of concurrent requests.
# If this number is exceeded, further requests are
# queued until the number of running requests drops
# below the limit again.
option max_requests 3
# Maximum number of concurrent connections.
# If this number is exceeded, further TCP connection
# attempts are queued until the number of active
# connections drops below the limit again.
option max_connections 100
# Certificate and private key for HTTPS.
# If no listen_https addresses are given,
# the key options are ignored.
option cert /etc/uhttpd.crt
option key /etc/uhttpd.key
# CGI url prefix, will be searched in docroot.
# Default is /cgi-bin
option cgi_prefix /cgi-bin
# List of extension->interpreter mappings.
# Files with an associated interpreter can
# be called outside of the CGI prefix and do
# not need to be executable.
# list interpreter ".php=/usr/bin/php-cgi"
# list interpreter ".cgi=/usr/bin/perl"
# List of prefix->Lua handler mappings.
# Any request to an URL beneath the prefix
# will be dispatched to the associated Lua
# handler script. Lua support is disabled when
# no handler mappings are specified. Lua prefix
# matches have precedence over the CGI prefix.
list lua_prefix "/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua"
# Specify the ubus-rpc prefix and socket path.
# option ubus_prefix /ubus
# option ubus_socket /var/run/ubus.sock
When you enable the port forward, you will no longer be able to connect to LuCI through the wan port. You will need to connect from a LAN port, or change the listening port of uhttpd from 80 to something else.
You have the same IP 192.168.1.1 on both lan and wan. This is wrong and creates problems. Use a different address/mask on lan or wan, for example 192.168.2.1/24.
I think I solved it. I set the "modem" to 192.168.0.1, the OpenWrt WAN to 192.168.0.2 and the OpenWrt LAN to 192.168.1.1.
I set port forwarding on the "modem" to 192.168.0.2, and on OpenWrt to the NAS at 192.168.1.10.
The mask is everywhere 255.255.255.0.
Then I set the LuCI ports back to 80 and 443, and everything works.
Thank you for help
I have one more question: when I turn off the firewall on the "modem", will the OpenWrt firewall be enough to protect my network from attacks? The firewall settings are the defaults, as shown in my previous post.
It depends on the attack type.
By default the OpenWrt firewall doesn't let anything in from the internet to your lan. However, you have already opened HTTP and HTTPS (ports 80 and 443) to the NAS, so the NAS is exposed. Also, it won't save you if you accidentally open a malicious attachment in an email or visit a site that does nasty things.