Reflashed router. Http/https no longer forwards to my server

Hi there,
I had this working before I reflashed my router, so I'm pretty sure it's the config and not the ISP / server.

I have a webserver connected by ethernet with a static IP address. Requests from outside the LAN just time out though.

Setup:

  • Ports 80 / 443 are forwarded to my server's internal IP address. This is enabled and set for TCP and UDP.
  • I've checked the domain is pointing to the correct public IP address.
  • Model: TP-Link Archer C7 v5, Firmware: OpenWrt 19.07.5 r11257-5090152ae3

Firewall is using the defaults, i.e.:

  • General settings Input:Accept, Output:Accept, Forward:Reject
  • Zones Wan>Lan Accept/Accept/Accept, Wan>Rejected Reject/Accept/Reject.

Is there anything else I could try / check to get requests from outside the LAN working?

https is port 443 though .... ?

1 Like

https is port 443 though .... ?

Yes, sorry. That was a typo. I checked and the port forward was for 443 and 80, not 446. Fixed in the post above.

Yes.

What are the contents of /etc/config/network and /etc/config/firewall?

What does tcpdump show for traffic arriving at the WAN interface from the outside world?

What does tcpdump show for traffic leaving the LAN interface?

2 Likes

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd8e:85b4:2f45::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'd8:47:32:a0:9e:e9'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config redirect
        option dest_port '80'
        option src 'wan'
        option name 'http'
        option src_dport '80'
        option target 'DNAT'
        option dest_ip '192.168.1.100'
        option dest 'lan'

config redirect
        option dest_port '443'
        option src 'wan'
        option name 'https'
        option src_dport '443'
        option target 'DNAT'
        option dest_ip '192.168.1.100'
        option dest 'lan'

config redirect
        option dest_port '8123'
        option src 'wan'
        option name 'HA'
        option src_dport '8123'
        option target 'DNAT'
        option dest_ip '192.168.1.126'
        option dest 'lan'

Still figuring out how to get the interface names to use with tcpdump. I put the names that show up in the interfaces menu (wlan, wlan6, lan), but it doesn't seem to recognize the names and says that no interface with that name exists.

The kernel name for wan is eth0.2 (the real port) and lan is br-lan (OpenWrt adds "br-" for a bridge).

1 Like

By default, the router device's uhttpd (LuCI) is listening on ports 80/443 on all of its network interfaces; you need to modify it so that it listens on another port, or limit it to the lan interface.

cat /etc/config/uhttpd

config uhttpd 'main'
        list listen_http '0.0.0.0:80'
        list listen_https '0.0.0.0:443'

2 Likes
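One way to check the overlap the last reply describes, written as an added example (not code from the thread or from OpenWrt): it lists every WAN port forward whose external port is also a wildcard uhttpd listener, which is also the quickest way to see whether LuCI is bound to every interface. The function names are hypothetical, and the sample input is constructed to mirror the configs posted above; on a router the two arguments would be /etc/config/firewall and /etc/config/uhttpd.

```shell
#!/bin/sh
# Added example: read-only check of UCI-style config text; changes nothing.

# Print each wildcard (0.0.0.0 or [::]) uhttpd listen port, one per line.
uhttpd_wildcard_ports() {
    tr -d "'" < "$1" | awk '
        $1 == "list" && ($2 == "listen_http" || $2 == "listen_https") {
            n = split($3, part, ":"); addr = $3
            sub(/:[0-9]+$/, "", addr)
            if (addr == "0.0.0.0" || addr == "[::]") print part[n]
        }' | sort -un
}

# Print "src_dport name dest_ip" for every redirect from wan (DNAT is the
# default target when the option is absent).
wan_forwards() {
    tr -d "'" < "$1" | awk '
        function emit() {
            if (sect == "redirect" && o["src"] == "wan" &&
                (o["target"] == "" || o["target"] == "DNAT"))
                print o["src_dport"], o["name"], o["dest_ip"]
            split("", o)
        }
        $1 == "config" { emit(); sect = $2 }
        $1 == "option" { o[$2] = $3 }
        END { emit() }'
}

# forward_overlaps FIREWALL_FILE UHTTPD_FILE
forward_overlaps() {
    ports=$(uhttpd_wildcard_ports "$2")
    wan_forwards "$1" | while read -r port name ip; do
        for p in $ports; do
            if [ "$p" = "$port" ]; then
                echo "$port $name -> $ip (uhttpd also listens on *:$p)"
            fi
        done
    done
}

# Constructed sample input mirroring the configs posted in the thread.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf "config redirect\n option name '%s'\n option src 'wan'\n option src_dport '%s'\n option target 'DNAT'\n option dest_ip '%s'\n option dest 'lan'\n\n" \
    http 80 192.168.1.100 https 443 192.168.1.100 HA 8123 192.168.1.126 > "$demo/firewall"
printf "config uhttpd 'main'\n list listen_http '0.0.0.0:80'\n list listen_https '0.0.0.0:443'\n" > "$demo/uhttpd"

forward_overlaps "$demo/firewall" "$demo/uhttpd"
```

An empty result means no forwarded port coincides with a wildcard uhttpd listener; the check does not look at `enabled` flags or at rules outside `config redirect` sections.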