Port forwarding router cascade to access Synology NAS

Hello Community,

Since I have already searched the forum for this problem and have not found a suitable solution, I have created a new post.

I currently have a problem with my OpenWRT firewall traffic rules, or with the port forwarding to the OpenWRT router. My setup is a classic router cascade, set up as follows:

VPN <> Fritzbox 7590 <> FritzBox 4040 (OpenWRT).

Since I have a NAS in the home network behind the FritzBox 4040, I would also like to use several of its services from outside via VPN access. The setup itself works; I only have problems with the firewall traffic rules and the port forwarding, and currently cannot reach the NAS services through the OpenWRT router, e.g. from within the network of the FritzBox 7590.

I actually only want to use 3 services:

  • Synology Drive Server / Ports: 80 (link sharing), 443 (link sharing), 5000 (HTTP), 5001 (HTTPS), 6690 (file synchronization) / TCP

  • DS-Notes / Ports: 5000 (HTTP), 5001 (HTTPS) / TCP

  • AFP / Port: 548 / TCP

OpenWRT - Settings:

Network:

# OpenWrt network configuration (/etc/config/network) as posted.
# Lines starting with NOTE(review) are reviewer observations; the configuration
# text itself is unchanged.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdee:8ee8:94fb::/48'

# New-style bridge device for the wired LAN (eth0 only).
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

# Wired LAN: router is 192.168.189.2/24; the NAS (192.168.189.22) sits here.
# NOTE(review): 'option device eth0' together with 'option type bridge' is the
# legacy bridge syntax, while the 'config device' section above is the new
# style; mixing both is confusing, and in the new style the interface should
# reference 'br-lan' instead of 'eth0'.
# NOTE(review): 'option gateway 192.168.189.1' installs a default route on the
# LAN side, while 'wan' obtains another default route via DHCP. Two default
# routes make the path taken by (and back to) the NAS unpredictable — confirm
# which upstream is intended and drop the other gateway.
config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option broadcast '192.168.189.255'
	option ipaddr '192.168.189.2'
	option gateway '192.168.189.1'
	option device 'eth0'
	option type 'bridge'

# Upstream link towards the FritzBox 7590, addressed via DHCP.
config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

# IPv6 on the upstream link; upstream DNS is ignored (peerdns 0) in favour of
# the local resolver on ::1.
config interface 'WAN6'
	option proto 'dhcpv6'
	option device 'eth1'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	option dns '0::1'

# NOTE(review): 'loop' duplicates the 'loopback' interface above (same device
# 'lo', same 127.0.0.1/8); one of the two sections is redundant.
config interface 'loop'
	option proto 'static'
	list ipaddr '127.0.0.1/8'
	option device 'lo'

# Wifi network 'OReally' (192.168.250.1/24, bridged onto wlan0).
config interface 'OReally'
	option proto 'static'
	option netmask '255.255.255.0'
	option broadcast '192.168.250.255'
	option ipaddr '192.168.250.1'
	option type 'bridge'
	option device 'wlan0'

# Wifi network 'OReally2' (192.168.130.1/24, bridged onto wlan0-1).
# NOTE(review): the posted wireless config attaches wifinet2 to network
# 'Oreally2' (lowercase r). UCI section names are case-sensitive, so that
# spelling does not refer to this section.
config interface 'OReally2'
	option proto 'static'
	option ipaddr '192.168.130.1'
	option netmask '255.255.255.0'
	option broadcast '192.168.130.255'
	option type 'bridge'
	option device 'wlan0-1'

Wireless:

# OpenWrt wireless configuration (/etc/config/wireless) as posted.
# Lines starting with NOTE(review) are reviewer observations; the configuration
# text itself is unchanged.

# 2.4 GHz radio, channel 10, HT20.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/a000000.wifi'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'
	option country 'DE'
	option channel '10'

# 5 GHz radio, channel 136, VHT80.
# NOTE(review): no wifi-iface in the post uses radio1, so this radio carries no
# network as configured here.
config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/a800000.wifi'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'DE'
	option channel '136'

# AP 'OReally' on 2.4 GHz, WPA2-PSK, with client isolation (wifi clients cannot
# talk to each other) — this looks like a guest-style network.
# NOTE(review): 'option key' is empty; assumed to be redacted for the post. An
# actually empty key with psk2 will not bring the AP up.
config wifi-iface 'wifinet1'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OReally'
	option encryption 'psk2'
	option isolate '1'
	option key ''
	option network 'OReally'

# Second AP on 2.4 GHz, WPA2-PSK, no client isolation.
# NOTE(review): 'option network Oreally2' does not match the interface name
# 'OReally2' used in the network, dhcp and firewall configs (UCI names are
# case-sensitive); it should read 'OReally2'.
# NOTE(review): key empty, same remark as for wifinet1.
config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Oreally2'
	option encryption 'psk2'
	option key ''
	option network 'Oreally2'

DHCP:

# OpenWrt DHCP/DNS configuration (/etc/config/dhcp) as posted.
# Lines starting with NOTE(review) are reviewer observations; the configuration
# text itself is unchanged.

# dnsmasq answers the local 'lan' domain itself and forwards everything else to
# a resolver on 127.0.0.1 / ::1 port 5453 (presumably a local stub resolver;
# it is not part of the post, so DNS only works while that service runs).
# DNSSEC validation and DNS rebind protection are enabled.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	list server '127.0.0.1#5453'
	list server '0::1#5453'
	option dnssec '1'

# DHCPv4/DHCPv6 plus router advertisements for the wired LAN
# (192.168.189.100-249, 12h leases).
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

# No DHCP service on the upstream interface.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Static lease for the NAS; 192.168.189.22 is the same address the firewall
# redirect uses as dest_ip, so DNAT and lease agree.
config host
	option name 'NAS'
	option dns '1'
	option mac '00:11:32:DA:A4:E7'
	option ip '192.168.189.22'

# DHCPv4 for the two wifi networks (x.x.x.100-249, 4h leases), no RA flags.
config dhcp 'OReally'
	option interface 'OReally'
	option start '100'
	option limit '150'
	option leasetime '4h'
	list ra_flags 'none'

config dhcp 'OReally2'
	option interface 'OReally2'
	option start '100'
	option limit '150'
	option leasetime '4h'
	list ra_flags 'none'

Firewall:

# OpenWrt firewall configuration (/etc/config/firewall) as posted.
# Lines starting with NOTE(review) are reviewer observations; the configuration
# text itself is unchanged.

# Global policy: traffic to/from the router itself is accepted, forwarding
# between zones is rejected unless a zone or forwarding section allows it.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Wired LAN zone (192.168.189.0/24); the NAS (192.168.189.22) sits here.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# Upstream zone towards the FritzBox 7590 (wan + WAN6).
# NOTE(review): no 'option masq' is set on this zone, so outbound traffic keeps
# its 192.168.x.y source address. That only works if the FritzBox 7590 has
# routes back to the OpenWrt subnets; check whether the masquerade line was
# lost when pasting or whether the 7590 really knows those routes.
config zone
	option name 'wan'
	option output 'ACCEPT'
	list network 'wan'
	list network 'WAN6'
	option input 'REJECT'
	option forward 'REJECT'

# The rules from here down to 'Support-UDP-Traceroute' look like the stock
# OpenWrt defaults (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec,
# traceroute); nothing NAS-specific in them.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'

# NOTE(review): /etc/firewall.user is not part of the post, so any rules it
# adds are not reviewed here.
config include
	option path '/etc/firewall.user'

# Zone for the 'OReally' wifi network (192.168.250.0/24).
config zone
	option name 'OReally'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'OReally'

# Zone-level forwarding lan -> wan (Internet for the wired LAN).
config forwarding
	option src 'lan'
	option dest 'wan'

# Zone-level forwarding OReally -> wan.
# NOTE(review): the 'OReally - BlockALL' REJECT rule further down is evaluated
# before zone forwardings, so in practice only the ports explicitly ACCEPTed by
# the rules below pass from OReally to wan; this section (and its duplicate
# further down) is then redundant.
config forwarding
	option src 'OReally'
	option dest 'wan'

# Per-service allow list for OReally -> wan: web, mail, SSH, NTP, WireGuard.
config rule
	option name 'HTTP, HTTPS'
	list proto 'tcp'
	option dest 'wan'
	option dest_port '80 443'
	option target 'ACCEPT'
	option src 'OReally'

config rule
	option name 'SMTPS, IMAPS, Sieve'
	list proto 'tcp'
	option dest_port '25 465 993 4190'
	option target 'ACCEPT'
	option src 'OReally'
	option dest 'wan'

config rule
	option name 'SSH'
	list proto 'tcp'
	option target 'ACCEPT'
	option src 'OReally'
	option dest 'wan'
	option dest_port '22'

config rule
	option name 'NTP'
	list proto 'udp'
	option dest_port '123'
	option target 'ACCEPT'
	option src 'OReally'
	option dest 'wan'

config rule
	option name 'Wireguard'
	list proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'
	option src 'OReally'
	option dest 'wan'

# NOTE(review): this forwards the whole OReally wifi into the lan zone, i.e.
# every OReally client can reach the NAS and everything else in
# 192.168.189.0/24 on any port. Since wifinet1 uses client isolation, OReally
# looks like a guest network; if that is the intent, remove this section or
# replace it with rules that allow only the needed NAS ports
# (dest 'lan', dest_ip '192.168.189.22').
config forwarding
	option src 'OReally'
	option dest 'lan'

# NOTE(review): network 'OReally' is already a member of the 'OReally' zone
# above. Listing it in a second zone makes it ambiguous which zone policy
# applies to OReally traffic, and nothing references 'WifiGeraete'; this zone
# is most likely a leftover and should be removed.
config zone
	option name 'WifiGeraete'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'OReally'

# NOTE(review): duplicate of the OReally -> wan forwarding section above.
config forwarding
	option src 'OReally'
	option dest 'wan'

# Catch-all: everything from OReally to wan not matched above is rejected.
config rule
	option target 'REJECT'
	option src 'OReally'
	option dest 'wan'
	option name 'OReally - BlockALL'
	list proto 'all'

# Outbound allow list lan -> wan for the NAS service ports.
# NOTE(review): dest_port has a trailing space inside the quotes ('... 6690 ');
# it probably parses, but it is worth trimming (same in the inbound rule).
config rule
	list proto 'tcp'
	option target 'ACCEPT'
	option dest_port '80 443 548 5000 5001 6690 '
	option src 'lan'
	option dest 'wan'
	option name 'NAS / Synology Drive Server / DS Notes / AFP OUT'

# Inbound rule wan -> lan for the same ports.
# NOTE(review): this rule carries the same name as the outbound rule above;
# call it '... AFP IN' so the two can be told apart in logs and LuCI.
# NOTE(review): a forward rule with dest 'lan' only matches packets that are
# already addressed to a lan IP. Packets the FritzBox 7590 forwards to the
# OpenWrt WAN address are not rewritten by this rule, so for 80, 443, 548 and
# 6690 either a 'config redirect' like the 'NAS' one below or a static route
# for 192.168.189.0/24 on the 7590 is needed.
# NOTE(review): if these services are only meant to be used over the VPN,
# restrict the source with 'option src_ip <VPN client range>' instead of
# accepting from the whole wan zone.
config rule
	option name 'NAS / Synology Drive Server / DS Notes / AFP OUT'
	list proto 'tcp'
	option target 'ACCEPT'
	option src 'wan'
	option dest 'lan'
	option dest_port '80 443 548 5000 5001 6690 '

# Outbound SMB (137-139, 445) from lan to wan. No proto is given, so the rule
# presumably applies to both TCP and UDP.
# NOTE(review): if the share lives on a specific host in the 7590 network,
# add 'option dest_ip' for that host rather than allowing SMB to the whole
# wan zone.
config rule
	option name 'Samba-Share'
	option target 'ACCEPT'
	option src 'lan'
	option dest 'wan'
	option dest_port '137-139 445'

# Catch-all: everything else lan -> wan is rejected, so the wired LAN can only
# reach the NAS ports and SMB ports allowed above on the wan side.
config rule
	option name 'LAN - BlockAll'
	list proto 'all'
	option src 'lan'
	option dest 'wan'
	option target 'REJECT'

# NOTE(review): no 'config zone' named 'OReally2' exists in this listing, so
# these two rules refer to an undefined zone and have no effect. Add a zone
# for the OReally2 network (and fix the 'Oreally2' spelling in the wireless
# config) before relying on them.
config rule
	option name 'OReally2 / HTTP, HTTPS'
	list proto 'tcp'
	option src 'OReally2'
	option dest 'wan'
	option dest_port '80 443'
	option target 'ACCEPT'

config rule
	option name 'OReally2 / BlockALL'
	option src 'OReally2'
	option dest 'wan'
	list proto 'all'
	option target 'REJECT'

# Port forward (DNAT) wan -> NAS for DSM 5000/5001 only.
# NOTE(review): 80, 443, 548 and 6690 from the service list have no redirect,
# which matches the symptom that those services cannot be reached from the
# FritzBox 7590 side. Add matching redirects (e.g. src_dport/dest_port '6690')
# or a static route on the 7590.
# NOTE(review): 5000/5001 is the DSM management interface. If it should only be
# reachable through the VPN, add 'option src_ip <VPN client range>' to this
# redirect so it is not open to everything the 7590 forwards.
config redirect
	option target 'DNAT'
	option name 'NAS'
	option src 'wan'
	option dest 'lan'
	option dest_ip '192.168.189.22'
	list proto 'tcp'
	option src_dport '5000-5001'
	option dest_port '5000-5001'

# NOTE(review): this empty 'config rule' has no name, match or target. fw3
# warns about rules without a target and, as far as I remember, defaults them
# to DROP; with neither src nor dest set it would then apply to the router's
# own output. Remove it.
config rule

Information about the modem (Fritzbox 7590):

Port forwarding to the WAN interface of the OpenWRT router (FritzBox 4040) is set up and access is allowed (Internet access from within the networks of the OpenWRT router works!).

Information about the NAS:

There are no firewall restrictions on the NAS itself (for now), at least as long as access to the NAS from the outside does not work yet.

Does anyone have a tip for this problem?

Many thanks in advance.

Greetings,

cabbage