Port forwarding error

Hello,
I have a NAS to which I want to connect from outside the home network. I set up port forwarding of port 443 directly to the NAS (192.168.1.10).

# /etc/config/firewall

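# Pending uci changes for /etc/config/firewall: two DNAT redirects that send
# inbound wan traffic on ports 80 and 443 to the NAS at 192.168.1.10.
# Each "# =cfgXXXX" trailer is the section id uci assigned to the new redirect.
# Restored one command per line; in the collapsed form the "# =cfg..." comment
# swallowed the following "uci set", and the space after "=" split each value
# off into a separate argument.
uci add firewall redirect # =cfg0f3837
uci set firewall.@redirect[-1].dest_port='80'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].name='NAS 80'
uci set firewall.@redirect[-1].src_dport='80'
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].dest_ip='192.168.1.10'
uci set firewall.@redirect[-1].dest='lan'
# 'tcp udp' also forwards UDP; plain HTTP uses TCP, so udp is only needed if
# the NAS serves HTTP/3 (QUIC).
uci set firewall.@redirect[-1].proto='tcp udp'
uci add firewall redirect # =cfg103837
uci set firewall.@redirect[-1].dest_port='443'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].name='NAS 443'
uci set firewall.@redirect[-1].src_dport='443'
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].dest_ip='192.168.1.10'
uci set firewall.@redirect[-1].dest='lan'
# Same note as above: 'tcp' alone covers HTTPS unless HTTP/3 is in use.
uci set firewall.@redirect[-1].proto='tcp udp'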

Then it displays "Failed to confirm apply within 30s, waiting for rollback…" and everything reverts to the previous settings.

Can you please advise me on how to fix this problem?

Are you connected to the router from the wan port maybe?

Yes, the router is connected via wan.
However, another router is connected in front of the OpenWrt router and serves as a "modem", because the OpenWrt router does not have a coaxial input. On this "modem" I turned off the firewall and forwarded all ports to the OpenWrt router.

The setup is as follows:
Modem (firewall disabled, NAT and all ports forwarded to OpenWrt) <192.168.1.5>, from its lan -> to the wan of OpenWrt (port forwarding to the NAS, firewall and NAT enabled) <192.168.1.1>, from its lan -> to the NAS <192.168.1.10>.

How can you have two IP addresses inside the same range on different interfaces?

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I don't understand what you mean?


Here is the output:
cat /etc/config/network

# /etc/config/network as posted. Points worth noting for review:
#  - 'lan' and 'wan' both carry 192.168.1.1/24 (see the two ipaddr lines
#    below), so the two interfaces overlap; a reply further down recommends
#    moving one of them to another subnet, e.g. 192.168.2.1/24.
#  - The device MAC addresses are left in this dump even though the request
#    above asked for them to be redacted.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf3:bc78:c8e1::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        # Same address as the wan interface below -- overlapping subnets.
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        # DNS server configured for this interface.
        list dns '1.1.1.1'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr 'd4:5f:25:fc:b4:14'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'static'
        option netmask '255.255.255.0'
        # NOTE(review): this is the netmask value, not a broadcast address;
        # for 192.168.1.1/24 the broadcast would be 192.168.1.255, or the
        # option can simply be omitted and derived from ipaddr/netmask.
        option broadcast '255.255.255.0'
        # Same address as lan -- the conflict the replies point out.
        option ipaddr '192.168.1.1'
        # The upstream "modem" router described in the thread.
        option gateway '192.168.1.5'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'd4:5f:25:fc:b4:15'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN ids 1 and 2 match the eth0.1 (lan) and eth0.2 (wan) ifnames above;
# port 6 is tagged on both (presumably the CPU port -- not visible here).
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

cat /etc/config/wireless

# /etc/config/wireless as posted. Keys and SSIDs are redacted ('XXXX').
# All three access points, including the one named "_guest", are attached
# to network 'lan' -- see the note on wifinet2 below.
config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
        option htmode 'HT20'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option key 'XXXX'
        option ssid 'XXXX_2,4G'
        option encryption 'psk2'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:01.0/0000:02:00.0'
        option htmode 'VHT80'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option key 'XXXXX'
        option ssid 'XXXXX_5G'
        option encryption 'psk2'

config wifi-iface 'wifinet2'
        option encryption 'psk2'
        option device 'radio0'
        option mode 'ap'
        # NOTE(review): the "guest" SSID is bridged into the main 'lan', so
        # guest clients sit on the same subnet as the NAS (192.168.1.10) and
        # the other lan hosts; a separate network/zone would isolate them.
        option network 'lan'
        option key 'XXXXX'
        option ssid 'XXXXX_guest'

cat /etc/config/dhcp

# /etc/config/dhcp as posted: dnsmasq serves DHCP/DNS on lan only.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        # Rejects upstream answers that resolve to private addresses
        # (DNS rebinding protection).
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        # Only answer DNS queries from directly attached subnets.
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

# No DHCP is offered on the wan side.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

cat /etc/config/firewall

# /etc/config/firewall as posted: the OpenWrt default zones and rules, plus
# the two NAS redirects appended at the end.
config defaults
        option syn_flood '1'
        # Zone-level policies below take precedence; the wan zone rejects input.
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        # Unsolicited inbound traffic from wan is rejected unless a rule or
        # redirect below explicitly allows it.
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        # NAT for lan -> wan; with the upstream "modem" also doing NAT this
        # is the double NAT a later reply mentions.
        option masq '1'
        option mtu_fix '1'
        option network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

# --- OpenWrt default wan-side allow rules (DHCP, ICMP, IPv6 housekeeping,
# --- IPsec) follow; nothing below was added by the poster.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Extra custom rules are read from this script.
config include
        option path '/etc/firewall.user'

# --- Poster's additions: DNAT of inbound wan ports 80/443 to the NAS.
# Neither redirect carries a src_ip restriction, so the NAS web interface is
# reachable from any internet address; limiting src_ip to known networks
# would narrow the exposure if that fits the use case. Because these take
# wan-side traffic on 80/443, LuCI is no longer reachable on those ports
# through the wan port -- the reason the poster moved uhttpd to 81/444.
config redirect
        option dest_port '80'
        option src 'wan'
        option name 'NAS 80'
        option src_dport '80'
        option target 'DNAT'
        option dest_ip '192.168.1.10'
        option dest 'lan'
        # Plain HTTP is TCP; 'udp' only matters if the NAS serves HTTP/3.
        option proto 'tcp udp'

config redirect
        option dest_port '443'
        option src 'wan'
        option name 'NAS 443'
        option src_dport '443'
        option target 'DNAT'
        option dest_ip '192.168.1.10'
        option dest 'lan'
        # As above: 'tcp' alone covers HTTPS unless HTTP/3 (QUIC) is in use.
        option proto 'tcp udp'



PS: Port forwarding now works, but first I had to change the web administration port to 444. If I hadn't done that first, the router would have reverted the settings, because the browser lost its connection to it.
I consider this only a temporary solution to the problem.
/etc/config/uhttpd

# Server configuration
#
# As posted after the workaround: LuCI moved from 80/443 to 81/444 so the
# NAS redirects on 80/443 no longer capture the admin session that was being
# run through the wan port.
config uhttpd main

        # HTTP listen addresses, multiple allowed
        # 0.0.0.0 / [::] bind every interface, wan included; the wan zone's
        # input REJECT in /etc/config/firewall is what keeps these ports
        # closed from the outside.
        list listen_http        0.0.0.0:81
        list listen_http        [::]:81

        # HTTPS listen addresses, multiple allowed
        list listen_https       0.0.0.0:444
        list listen_https       [::]:444

        # Redirect HTTP requests to HTTPS if possible
        option redirect_https   1

        # Server document root
        option home             /www

        # Reject requests from RFC1918 IP addresses
        # directed to the servers public IP(s).
        # This is a DNS rebinding countermeasure.
        option rfc1918_filter 1

        # Maximum number of concurrent requests.
        # If this number is exceeded, further requests are
        # queued until the number of running requests drops
        # below the limit again.
        option max_requests 3

        # Maximum number of concurrent connections.
        # If this number is exceeded, further TCP connection
        # attempts are queued until the number of active
        # connections drops below the limit again.
        option max_connections 100

        # Certificate and private key for HTTPS.
        # If no listen_https addresses are given,
        # the key options are ignored.
        option cert             /etc/uhttpd.crt
        option key              /etc/uhttpd.key

        # CGI url prefix, will be searched in docroot.
        # Default is /cgi-bin
        option cgi_prefix       /cgi-bin

        # List of extension->interpreter mappings.
        # Files with an associated interpreter can
        # be called outside of the CGI prefix and do
        # not need to be executable.
#       list interpreter        ".php=/usr/bin/php-cgi"
#       list interpreter        ".cgi=/usr/bin/perl"

        # List of prefix->Lua handler mappings.
        # Any request to an URL beneath the prefix
        # will be dispatched to the associated Lua
        # handler script. Lua support is disabled when
        # no handler mappings are specified. Lua prefix
        # matches have precedence over the CGI prefix.
        list lua_prefix         "/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua"

        # Specify the ubus-rpc prefix and socket path.
#       option ubus_prefix      /ubus
#       option ubus_socket      /var/run/ubus.sock

When you enable the port forward, you will no longer be able to reach LuCI through the wan port. You will need to connect from a LAN port, or change the uhttpd listening port from 80 to something else.

You have the same IP 192.168.1.1 on both lan and wan. This is wrong and causes problems. Use a different address/mask on lan or wan, for example 192.168.2.1/24.


I think I solved it. I set the "modem" to 192.168.0.1, the OpenWrt wan to 192.168.0.2 and the OpenWrt lan to 192.168.1.1.
I set port forwarding on the "modem" to 192.168.0.2, and on OpenWrt to the NAS at 192.168.1.10.
The mask is 255.255.255.0 everywhere.
Then I set the LuCI ports back to 80 and 443 and everything works.
Thank you for help

I have one more question: When I turn off the firewall on the "modem", will the firewall on OpenWrt manage to protect my network from attack? Firewall settings are the default and written in my previous post.


It depends on the attack type.
By default the OpenWrt firewall doesn't let anything in from the internet to your lan. However, you have already opened http and https. Also, it won't save you if you accidentally open a malicious attachment in an email or visit a site that does nasty things.

Ok, now it works as I would expect.

However, having two NATs chained is far from ideal. I would try to reconfigure the modem into a bridged setup, so that the router gets a public IP address.

