Second upgrade - second problem with access to ssh/luci

s3b0 · 2025-04-05T15:39:18.518Z

Hi, first post

I did upgrade for my second router in home and i notice same issue that i had last time when i was doing upgrade for first one. After upgrade, network seems to work like i need but i cannot access luci web interface nor ssh. For first one router - after upgrade - i needed to reset it to factory defaults and manually reconfigure it, because reconfiguration form backupconfig did same thing: network worked as expected but no access to luci or ssh.

I have different setup for my both routers than "normal", my routers works as dummy router without dhcp and firewall (this is my desire setup). I have my own dhcp+dns on pfsense and both routers works only like access points(with ap roming) and as dummy switches. Those functionalities works as expected (after upgrade or restoring form backup) but i cannot access them.

It looks like firewall has been enabled(i turn it off - this is my default) and blocks all my requests or ssh/luci has been misconfigured.

Does anyone has something similar? How can i fix that?
Maybe this is issue somewhere in openwrt?

brada4 · 2025-04-05T15:56:37.725Z

What would be the model of "router" preferably via ubus call system board

psherman · 2025-04-05T16:16:11.621Z

You haven't provided a lot of info to go on (as noted by @brada4 , you didn't even tell us what device(s) apply here). We also need to know what OpenWrt version you were using previously and what you upgraded to, and ideally more information about the configurations.

That said...

s3b0:

I have different setup for my both routers than "normal", my routers works as dummy router without dhcp and firewall (this is my desire setup)

Disabling DHCP is (usually) required for bridged APs, so that's good (although hopefully you disabled DHCP explicitly via configuration; dnsmasq does not need to be disabled). But the firewall does not need to be disabled, and as you have learned, it may become re-enabled as a result of the upgrade. As a result, you need to make sure that your firewall is configured to allow access even when it is enabled. My guess is that your configuration does not currently account for this condition.

s3b0:

It looks like firewall has been enabled(i turn it off - this is my default) and blocks all my requests or ssh/luci has been misconfigured.

Likely the firewall is enabled again.

s3b0:

Maybe this is issue somewhere in openwrt?

It is possible to argue that disabled services should remain disabled after an upgrade. But, that is secondary to the real issue here -- you need to make sure your configuration is correct.

My recommendation is to leave both dnsmasq and the firewall services enabled. Use the configuration to explicitly disable the DHCP server so that it can never be accidentally reactivated. Likewise, in the firewall configuration, your 'management' network should be in a zone that always allows access (i.e. input = ACCEPT).

You can use failsafe mode to grab the configs and even fix the issues. Or you can also reset to defaults from there and then reconfigure.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

s3b0 · 2025-04-06T09:09:23.095Z

Linksys MR8300 (Dallas)
target: ipq40xx/generic

s3b0 · 2025-04-06T09:18:50.344Z

psherman:

Disabling DHCP is (usually) required for bridged APs, so that's good (although hopefully you disabled DHCP explicitly via configuration; dnsmasq does not need to be disabled). But the firewall does not need to be disabled, and as you have learned, it may become re-enabled as a result of the upgrade. As a result, you need to make sure that your firewall is configured to allow access even when it is enabled. My guess is that your configuration does not currently account for this condition.

I've disabled everything that - from my perspective - should be disabled:

firewall
dnsmasq
dhcp

psherman:

Likely the firewall is enabled again.

It looks like this - i didn't know about proper firewall config even if you want to disable it permanently. Human learn all his life - i will do that.

psherman:

You can use failsafe mode to grab the configs and even fix the issues. Or you can also reset to defaults from there and then reconfigure.

I think it is the only way right now - i need to find time for it, and when its done i will post output from commands that you posted.

My upgrade was from 23.05.2 to 23.05.5

s3b0 · 2025-04-12T11:11:54.757Z

One more question: I did backup of my config(at working installation) - is it possible to turn off firewall in it? Or - at least - set it to accept all.

brada4 · 2025-04-12T12:50:23.176Z

You can remove firewall zones and set in/out accept forward drop for defaults. That will start firewall that does nothing.