I have a server on network A and connections in network A works as usual, also on mobile 4g all connections work, but then when I go to network B I can’t connect to my server A, on network B I also have another server that is working fine everywhere. What could it be? I have openwrt as router on both networks, some NAT problem?
Can you provide more detail here...
- Are networks A and B at the same physical location?
- Are the networks serviced by the same router (or are there two different routers involved)?
- How are you trying to access the servers (domain names vs IP addresses, private vs public IPs, etc)?
Let's also take a look at the relevant configs:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
2 Likes
Those are two different networks in different locations with different routers both running openWRT. I am trying to access the server A on network A via IP, website and services like xmpp and nextcloud, nothing is working only when I am connected to network B, if I make a hotspot from my phone or connect to any network that is not network B everything works as expected. Those logs are necessary from both networks?
On network B, ping from the server in network A works as expected be it from the domains but also from the static ipv4.
Are the two networks using the same subnet (i.e. the default for OpenWrt is 192.168.1.0/24)?
And to clarify, you can reach the server located in network A when you are on any remote network other than network B?
Yes, that is correct
What about this question:
Do you mean if they are attached to the same ISP modem?
The same subnet would mean that they have devices using the same network address range -- so 192.168.1.x on both sides, as an example. But that would only normally matter if you're using a VPN.
Let's go ahead and look at the configs, starting with router A.
Both use 192.168.1.x but use different modems in different physical location, and I am not using a VPN.
Here goes the logs of router A:
# ubus call system board
{
"kernel": "6.6.73",
"hostname": "OpenWrt",
"system": "MediaTek MT7621 ver:1 eco:4",
"model": "TP-Link Archer AX23 v1",
"board_name": "tplink,archer-ax23-v1",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.0",
"revision": "r28427-6df0e3d02a",
"target": "ramips/mt7621",
"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
"builddate": "1738624177"
}
}
# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd91:7cd2:2805::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'wan'
option proto 'pppoe'
option username 'username'
option password 'passwd'
option ipv6 'auto'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config device
option type 'bridge'
option name 'br-guest'
option bridge_empty '1'
config interface 'guest'
option proto 'static'
option device 'br-guest'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
config device
option name 'wan'
option ipv6 '1'
# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option drop_invalid '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option masq '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config nat
option name 'NAT'
list proto 'all'
option src 'lan'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name '587'
list proto 'tcp'
option src 'wan'
option src_dport '587'
option dest_ip '192.168.1.xxx'
option dest_port '587'
config redirect
option dest 'lan'
option target 'DNAT'
option name '993'
list proto 'tcp'
option src 'wan'
option src_dport '993'
option dest_ip '192.168.1.xxx'
option dest_port '993'
config redirect
option dest 'lan'
option target 'DNAT'
option name '5222'
list proto 'tcp'
option src 'wan'
option src_dport '5222'
option dest_ip '192.168.1.xxx'
option dest_port '5222'
config redirect
option dest 'lan'
option target 'DNAT'
option name '5223'
list proto 'tcp'
option src 'wan'
option src_dport '5223'
option dest_ip '192.168.1.xxx'
option dest_port '5223'
config redirect
option dest 'lan'
option target 'DNAT'
option name '5224'
list proto 'tcp'
option src 'wan'
option src_dport '5224'
option dest_ip '192.168.1.xxx'
option dest_port '5224'
config redirect
option dest 'lan'
option target 'DNAT'
option name '5269'
list proto 'tcp'
option src 'wan'
option src_dport '5269'
option dest_ip '192.168.1.xxx'
option dest_port '5269'
config redirect
option dest 'lan'
option target 'DNAT'
option name '25'
list proto 'tcp'
option src 'wan'
option src_dport '25'
option dest_ip '192.168.1.xxx'
option dest_port '25'
config redirect
option dest 'lan'
option target 'DNAT'
option name '22'
list proto 'tcp'
option src 'wan'
option src_dport '22'
option dest_ip '192.168.1.xxx'
option dest_port '22'
config redirect
option dest 'lan'
option target 'DNAT'
option name '80'
list proto 'tcp'
option src 'wan'
option src_dport '80'
option dest_ip '192.168.1.xxx'
option dest_port '80'
config redirect
option dest 'lan'
option target 'DNAT'
option name '443'
option src 'wan'
option src_dport '443'
option dest_ip '192.168.1.xxx'
option dest_port '443'
list proto 'tcp'
list proto 'udp'
config redirect
option dest 'lan'
option target 'DNAT'
option name '51413'
option src 'wan'
option src_dport '51413'
option dest_ip '192.168.1.xxx'
option dest_port '51413'
config redirect
option dest 'lan'
option target 'DNAT'
option name '5349'
option src 'wan'
option src_dport '5349'
option dest_ip '192.168.1.xxx'
option dest_port '5349'
list proto 'tcp'
config redirect
option dest 'lan'
option target 'DNAT'
option name '5350'
list proto 'tcp'
option src 'wan'
option src_dport '5350'
option dest_ip '192.168.1.xxx'
option dest_port '5350'
config redirect
option dest 'lan'
option target 'DNAT'
option name '3478'
list proto 'tcp'
option src 'wan'
option src_dport '3478'
option dest_ip '192.168.1.xxx'
option dest_port '3478'
config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
config forwarding
option src 'guest'
option dest 'wan'
config rule
option name 'Allow-DNS-Guest'
option src 'guest'
option dest_port '53'
option target 'ACCEPT'
config rule
option name 'Allow-DHCP-Guest'
list proto 'udp'
option src 'guest'
option dest_port '67'
option target 'ACCEPT'
Ok... so I'm not seeing any immediate issues with the config, but it does look like you're running things like a mail server? Is that right?
What specific service(s) and ports are you trying to use from network B > network A?
1 Like
Correct, I have a mail server and other services like nextcloud, xmpp. None are working from network B. I have this server running since a few years ago, never had this problem before.
It is possible that the ISP for network B is blocking things. For example, port 25 for a mail server is considered insecure and a magnet for spammers. As such, many ISPs block both inbound and outbound port 25.
But... there are other possible causes... does network B properly resolve the IP address of network A's public IP?
Both networks have corporate contract with the ISP with port 25 open as both have email services. But indeed it looks like something is being blocked,my network knowledge is limited on that regard though.
does network B properly resolve the IP address of network A's public IP?
How do I check this?
from both the router at network B as well as a host device behind the router, try:
nslookup <domain.name.of.network.a>
ping <domain.name.of.network.a>
Compare the nslookup result above with the following from router A:
ifstatus wan | grep address
And let's see the configs from router B to make sure there's nothing in there that would block these services.
nslookup and ping work as expected from my PC on network B querying
domain.name.of.network.a.
From the OpenWRT router on network B:
# ifstatus wan | grep address
"addresses",
"ipv4-address": [
"address": "192.168.15.xxx",
"ipv6-address": [
"ipv4-address": [
"ipv6-address": [
so this 192.168.3.xxx is my from my ISP modem and its DHCP.
In network A, I am using ISP modem on bridge mode. On network B, it's not on bridge mode and I've set the OpenWRT router B address as DMZ on modem B.
So router B is behind another router.... but actually, I was asking about that ifstatus command from router A (you don't need to post the result, though... just verify that it matches the nslookup result you got earlier).
This could be the problem. Is there a reason that the ISP device at location B is not in bridge mode?
Oh I see it matches the address, and there's this ptpaddress that I don't know what that is.
that is likely for the PPPoE connection.
1 Like