Hello,
I have the default "LAN" firewall zone and configured an additional "DMZ" firewall zone. Now in the DMZ network I have a server which exposes nginx. All works fine, the server has a DHCP address from the DMZ address range. Now when I create a port forwarding rule, it only works if I set the destination zone to "LAN" (nginx default page shows up). If I set the destination zone to DMZ the request doesn't get any response. I don't see any rejected/dropped packets in the WAN or DMZ firewall. What could be wrong?
The relevant firewall parts:
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option drop_invalid '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
option log '1'
option log_limit '500'
config zone
option name 'dmz'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'dmz'
config redirect
option target 'DNAT'
option name 'http_nginx'
option src 'wan'
option src_dport '80'
option dest_ip '192.168.99.147'
option dest_port '80'
option family 'ipv4'
list proto 'tcp'
option dest 'dmz'
I changed the LuCI interface to only listen on the internal 192.168.181.1:80 interface, but I already tried with a different external port; also I already changed the DMZ rules to ACCEPT ACCEPT ACCEPT, all without success...
Best regards,
Markus
The problem here is that the forward option is set to 'REJECT'. This means that any traffic being forwarded to the DMZ zone (which includes traffic from port forwarding) is being rejected by default.
We'll need specific firewall rules to allow the forwarding:
# Allow LAN to DMZ HTTP traffic
config rule
option name 'Allow-LAN-to-DMZ-HTTP'
option src 'lan'
option dest 'dmz'
option proto 'tcp'
option dest_port '80'
option target 'ACCEPT'
Try this?
Thanks for the hint, you probably mean WAN to DMZ right?
config rule
option name 'Allow-WAN-to-DMZ-HTTP'
option src 'wan'
option dest 'dmz'
option dest_port '80'
option target 'ACCEPT'
I tried but still no success. Please note that I don't see any dropped packets in the WAN firewall logs. For testing purposes, as mentioned, I already set the DMZ zone to
config zone
option name 'dmz'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'dmz'
This is so strange for me because when I set the forwarding rule to
config redirect
option dest 'lan'
option target 'DNAT'
option name 'http_nginx'
option src 'wan'
option src_dport '80'
option dest_ip '192.168.99.147'
option dest_port '80'
It works, but only if I set the magic zone LAN here; any other zone which has exactly the same settings as LAN doesn't work. And my target device is always in zone DMZ...
No, this is incorrect. The zone forward rule is what controls intra-zone forwards. This applies to two or more networks that are assigned to the same firewall zone. It has nothing to do with port forwards or inter-zone forwarding.
Let’s take a look at the complete config.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
Here you are:
root@OpenWrt:~# ubus call system board
{
"kernel": "5.15.162",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 5 (v7l)",
"model": "AVM FRITZ!Box 7530",
"board_name": "avm,fritzbox-7530",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.4",
"revision": "r24012-d8dd03c46f",
"target": "ipq40xx/generic",
"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
}
}
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd98:aa78:f385::/48'
config atm-bridge 'atm'
option vpi '1'
option vci '32'
option encaps 'llc'
option payload 'bridged'
option nameprefix 'dsl'
config dsl 'dsl'
option annex 'b'
option tone 'bv'
option ds_snr_offset '0'
option xfer_mode 'ptm'
option line_mode 'vdsl'
config interface 'lan'
option device 'switch.181'
option proto 'static'
option ipaddr '192.168.181.1'
option netmask '255.255.255.0'
option ip6assign '64'
config device
option name 'dsl0'
option macaddr 'xxxxxxxxxxxxxxxxxxx'
config interface 'wan'
option device 'dsl0.7'
option proto 'pppoe'
option username 'xxxxxxxxxxxxxxxxxxxxxx'
option password 'xxxxxxxxxxxxxxxxxxx'
option ipv6 '1'
config interface 'wan6'
option device '@wan'
option proto 'dhcpv6'
config device
option type 'bridge'
option name 'switch'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config bridge-vlan
option device 'switch'
option vlan '181'
list ports 'lan2:t'
list ports 'lan3'
list ports 'lan4'
config bridge-vlan
option device 'switch'
option vlan '10'
list ports 'lan2:t'
config bridge-vlan
option device 'switch'
option vlan '20'
list ports 'lan1'
list ports 'lan2:t'
config interface 'guest'
option proto 'static'
option device 'switch.10'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
config interface 'family'
option proto 'static'
option device 'switch.20'
option ipaddr '192.168.20.1'
option netmask '255.255.255.0'
config bridge-vlan
option device 'switch'
option vlan '99'
list ports 'lan2:t'
config interface 'dmz'
option proto 'static'
option device 'switch.99'
option ipaddr '192.168.99.1'
option netmask '255.255.255.0'
option ip6assign '64'
config bridge-vlan
option device 'switch'
option vlan '98'
list ports 'lan2:t'
config bridge-vlan
option device 'switch'
option vlan '97'
list ports 'lan2:t'
config interface 'dmz97'
option proto 'static'
option device 'switch.97'
option ipaddr '192.168.97.1'
option netmask '255.255.255.0'
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/a000000.wifi'
option channel 'auto'
option band '2g'
option htmode 'HT40'
option country 'DE'
option cell_density '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'family'
option mode 'ap'
option ssid 'pr-family'
option encryption 'psk2'
option key 'xxxxxxxxxxxxxx'
option wpa_disable_eapol_key_retries '1'
option ieee80211r '1'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option nasid '0001'
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/soc/a800000.wifi'
option channel 'auto'
option band '5g'
option htmode 'VHT80'
option country 'DE'
option cell_density '0'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'family'
option mode 'ap'
option ssid 'pr-family'
option encryption 'psk2'
option key 'xxxxxxxxxxx'
option wpa_disable_eapol_key_retries '1'
option ieee80211r '1'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option nasid '0001'
config wifi-iface 'wifinet3'
option device 'radio0'
option mode 'ap'
option ssid 'Hochstraess-Gaeste'
option encryption 'psk2'
option key 'xxxxxxxxxxx'
option ieee80211r '1'
option nasid '0001'
option ft_over_ds '0'
option wpa_disable_eapol_key_retries '1'
option network 'guest'
option ft_psk_generate_local '1'
config wifi-iface 'wifinet4'
option device 'radio1'
option mode 'ap'
option ssid 'Hochstraess-Gaeste'
option encryption 'psk2'
option key 'xxxxxxxxxxxxx'
option ieee80211r '1'
option nasid '0001'
option ft_over_ds '0'
option wpa_disable_eapol_key_retries '1'
option ft_psk_generate_local '1'
option network 'guest'
config wifi-iface 'wifinet5'
option device 'radio0'
option mode 'ap'
option ssid 'pieye-bodolz'
option encryption 'sae-mixed'
option key 'xxxxxxxxxxxxxxx'
option ieee80211r '1'
option nasid '0001'
option ft_over_ds '0'
option wpa_disable_eapol_key_retries '1'
option network 'lan'
config wifi-iface 'wifinet6'
option device 'radio1'
option mode 'ap'
option ssid 'pieye-bodolz'
option encryption 'sae-mixed'
option key 'xxxxxxxxxxxxxxxx'
option ieee80211r '1'
option nasid '0001'
option ft_over_ds '0'
option wpa_disable_eapol_key_retries '1'
option network 'lan'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config domain
option name 'pve-hppavillon'
option ip '192.168.181.3'
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'family'
option interface 'family'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'dmz'
option interface 'dmz'
option start '100'
option limit '150'
option leasetime '12h'
option ra 'server'
option dhcpv6 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config domain
option name 'pve-codeblock'
option ip '192.168.181.4'
config domain
option name 'pve-hppavillon'
option ip 'fd98:aa78:f385::2'
config domain
option name 'pve-codeblock'
option ip 'fd98:aa78:f385::3'
config dhcp 'dmz97'
option interface 'dmz97'
option start '100'
option limit '150'
option leasetime '12h'
and finally:
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option drop_invalid '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
option log '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
config forwarding
option src 'guest'
option dest 'wan'
config rule
option name 'Guest-DHCP'
option src 'guest'
option dest_port '67 68'
option target 'ACCEPT'
config rule
option name 'Guest-DNS'
option src 'guest'
option dest_port '53'
option target 'ACCEPT'
config forwarding
option src 'lan'
option dest 'guest'
config zone
option name 'dmz'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'dmz'
config rule
option name 'DMZ-Allow-DHCP'
option dest_port '67 68'
option target 'ACCEPT'
option src 'dmz'
config rule
option name 'DMZ-Allow-DNS'
option src 'dmz'
option dest_port '53'
option target 'ACCEPT'
config forwarding
option src 'lan'
option dest 'dmz'
config zone
option name 'family'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'family'
config forwarding
option src 'family'
option dest 'wan'
config forwarding
option src 'family'
option dest 'guest'
config zone
option name 'dmz_97'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'dmz97'
config forwarding
option src 'dmz_97'
option dest 'wan'
config rule
option name 'DMZ97-DHCP'
option src 'dmz_97'
option dest_port '67 68'
option target 'ACCEPT'
config rule
option name 'DMZ97-DNS'
option src 'dmz_97'
option dest_port '53'
option target 'ACCEPT'
config forwarding
option src 'lan'
option dest 'dmz_97'
config forwarding
option src 'dmz'
option dest 'wan'
config rule
option name 'DMZ-Allow-DHCPv6'
option src 'dmz'
option dest_port '546'
option target 'ACCEPT'
option family 'ipv6'
list proto 'udp'
config rule
option name 'DMZ-Allow-ICMPv6-Input'
option target 'ACCEPT'
option family 'ipv6'
list proto 'icmp'
list icmp_type 'bad-header'
list icmp_type 'destination-unreachable'
list icmp_type 'echo-reply'
list icmp_type 'echo-request'
list icmp_type 'neighbour-advertisement'
list icmp_type 'neighbour-solicitation'
list icmp_type 'packet-too-big'
list icmp_type 'router-advertisement'
list icmp_type 'router-solicitation'
list icmp_type 'time-exceeded'
list icmp_type 'unknown-header-type'
option src 'dmz'
option limit '1000/sec'
config forwarding
option src 'lan'
option dest 'family'
config redirect
option dest 'dmz'
option target 'DNAT'
option name 'http_4'
option src 'wan'
option src_dport '80'
option dest_ip '192.168.99.147'
option dest_port '80'
Coimbra1984: 192.168.99.147
Can you reach this host as expected from your main lan (192.168.181.0/24)?
How are you testing the port forward itself?
Yes from my PC (192.168.181.180) I can ssh into the machine. I can also open the nginx default page in a browser. http://192.168.99.147 opens a web page "Welcome to nginx".
When I type my public IP into the browser, then the request is not responded to.
I tested with different browsers and a python script:
import urllib.request

# The three hosts were tested one after another; the last assignment is the one used.
host = "reverse-proxy"
host = "192.168.99.147"
host = "--- PUBLIC IP ----"
contents = urllib.request.urlopen(f"http://{host}").read()
print(contents)
The first two host methods work; the third, with my public IP, works only if I change the port forward rule to:
config redirect
option dest 'lan'
option target 'DNAT'
option name 'http_4'
option src 'wan'
option src_dport '80'
option dest_ip '192.168.99.147'
option dest_port '80'
Sounds like you are testing from within your network? Have you tried testing from outside such by using the cellular network (not your wifi) and/or a different network entirely (like at the house of a friend or family member or work/school/cafe)?
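An added config example (not the thread's own config, and not something the replies above state): it assumes that what made the `dest 'lan'` variant appear to work from inside is fw4 NAT reflection, which by default generates the hairpin rules only for the zone named in `dest`. Keeping `dest 'dmz'` (the zone the host is actually in) and listing both zones in `reflection_zone` is one way to let LAN clients test the public IP while still forwarding to the DMZ correctly from outside.

```uci
# Added example, not Markus's config.
# Assumption: fw4 reflection rules are generated only for the zones
# listed in reflection_zone (default: the dest zone), so with
# dest 'dmz' a LAN client hitting the public IP is never reflected,
# while a client on the Internet is forwarded normally.
config redirect
	option target 'DNAT'
	option name 'http_nginx'
	option src 'wan'
	option src_dport '80'
	# the zone the target host really lives in
	option dest 'dmz'
	option dest_ip '192.168.99.147'
	option dest_port '80'
	list proto 'tcp'
	# reflection is on by default; shown explicitly for clarity
	option reflection '1'
	# hairpin rules for hosts in the DMZ itself ...
	list reflection_zone 'dmz'
	# ... and for LAN clients (192.168.181.0/24) testing the public IP
	list reflection_zone 'lan'
```

Apply with `/etc/init.d/firewall reload`; the DMZ zone's own `forward 'REJECT'` stays as it is, since a redirect creates its own accept rule for the forwarded traffic.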
Oh, you are right! Testing from outside works.
Thanks
system (Closed, October 28, 2024, 4:46pm):
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.