Hi,
I have:
- three networks: LAN (192.168.1.0/24), GUEST (192.168.254.0/24) and WAN;
- a web server running on LAN (192.168.1.10) on ports 80 and 443, and both ports are forwarded from WAN to LAN;
- a DNS record pointing to the WAN IP.
I have no problems if I try to access that server from an outside IP (mobile data, for example) or from a client on LAN using the DNS name. If I try to access it from a client on GUEST, I get "connection refused". I know the connection is refused by the router because I get no entries in the server's logs.
Note: I do not want to access it by its LAN's IP (only through WAN's IP).
What I need, from a noob's perspective, is to access that server from the GUEST network as if I were outside all of my NAT.
Here is my /etc/config/network:
# /etc/config/network — OpenWrt UCI network configuration, as posted.
# Three networks ride on 802.1Q sub-interfaces of eth0: lan (VLAN 1),
# guest (VLAN 15) and wan/wan6 (VLAN 12).
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# IPv6 ULA prefix; lan and guest each get a /60 from it via ip6assign.
config globals 'globals'
option ula_prefix 'fdf9:9efd:f587::/48'
# lan: 192.168.1.0/24, router at .1. The web server (192.168.1.10) is here.
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
# guest: 192.168.254.0/24, router at .254, carried on VLAN 15.
config interface 'guest'
option proto 'static'
option netmask '255.255.255.0'
option ifname 'eth0.15'
option ipaddr '192.168.254.254'
option type 'bridge'
option ip6assign '60'
# wan: DHCP on VLAN 12; wan6 is DHCPv6 on the same sub-interface.
config interface 'wan'
option proto 'dhcp'
option ifname 'eth0.12'
config interface 'wan6'
option proto 'dhcpv6'
option ifname 'eth0.12'
# Switch: VLAN filtering on. Port 6 is tagged on every VLAN below,
# presumably the CPU port — confirm against the board's port map.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
# VLAN 1 (lan): untagged on ports 1-3, tagged towards the CPU.
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '6t 1 2 3'
option vid '1'
# VLAN 12 (wan): tagged on ports 0 and 4, no untagged member, so the
# upstream link must carry tag 12 — presumably an ISP requirement; verify.
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '6t 4t 0t'
option vid '12'
# VLAN 15 (guest): tagged on ports 1-3, i.e. the same physical ports that
# carry lan untagged. NOTE(review): a device on those ports that emits
# frames tagged 15 lands in the guest segment (and untagged frames land in
# lan), so the lan/guest separation on these ports relies on the attached
# equipment (e.g. an AP serving the guest SSID) being trusted — confirm.
config switch_vlan
option device 'switch0'
option vlan '3'
option ports '6t 1t 2t 3t'
option vid '15'
and here is my /etc/config/firewall:
# /etc/config/firewall — OpenWrt UCI firewall configuration, as posted.
# Defaults: router INPUT/OUTPUT accept, FORWARD rejected unless a zone or a
# forwarding section allows it; SYN-flood protection on.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# lan zone: full access to the router; forwarding decided by the
# forwarding sections and rules below.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# guest zone: clients cannot reach the router itself (input REJECT) except
# through explicit rules further down (DNS, DHCP), and cannot forward
# except where a forwarding section or rule says so (wan only, below).
config zone
option name 'guest'
list network 'guest'
option output 'ACCEPT'
option input 'REJECT'
option forward 'REJECT'
# wan zone: unsolicited inbound rejected, outbound masqueraded, MSS clamped.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
# Zone-to-zone forwarding: lan -> wan and guest -> wan only. There is no
# guest -> lan forwarding, so guest clients cannot reach 192.168.1.10 by its
# LAN address (consistent with the stated intent of not using the LAN IP).
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option dest 'wan'
option src 'guest'
# Stock OpenWrt wan-input exceptions: DHCP renew, ping, IGMP, DHCPv6, MLD
# and the usual ICMPv6 types. Rules without a 'dest' apply to the router's
# INPUT chain for the named source zone.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# dest '*' makes this a FORWARD rule (wan -> any zone) rather than an input rule.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# IPsec pass-through wan -> lan (ESP plus IKE on udp/500). These are active;
# they admit ESP and IKE to any lan host, so confirm a lan IPsec endpoint
# actually exists — otherwise they are unneeded attack surface.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Same two rules for guest, but disabled (enabled '0'). They reuse the lan
# rule names, which only affects readability of the generated rule comments.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'guest'
option proto 'esp'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'guest'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option enabled '0'
# Guest -> router exceptions to the zone's input REJECT: DNS and DHCP.
# No 'proto' is given, so the firewall's default protocol set applies
# (tcp+udp in fw3, as far as I recall — verify for the installed version).
config rule
option dest_port '53'
option src 'guest'
option name 'GUEST: Allow DNS'
option target 'ACCEPT'
config rule
option src 'guest'
option name 'GUEST: Allow DHCP'
option target 'ACCEPT'
option dest_port '67-68'
# These two carry dest 'wan', so they are FORWARD rules (guest -> wan, tcp
# 80/443). The guest -> wan forwarding section above already accepts all
# guest -> wan traffic, so they are redundant. They also do not cover the
# failing case in the question: a guest client connecting to the router's
# own WAN IP is not forwarded anywhere — without a matching DNAT it is
# delivered to the router's INPUT chain for the guest zone, whose policy is
# REJECT, which matches the "connection refused" with nothing in the server
# logs.
config rule
option dest_port '80'
option src 'guest'
option name 'GUEST: Allow HTTP'
option dest 'wan'
option target 'ACCEPT'
list proto 'tcp'
config rule
option dest_port '443'
option src 'guest'
option name 'GUEST: Allow HTTPS'
option dest 'wan'
option target 'ACCEPT'
list proto 'tcp'
# Blocks forwarding for one lan device, matched by MAC. dest '*' means the
# FORWARD chain only: the device can still talk to the router itself, since
# lan input is ACCEPT. NOTE(review): a MAC match is a convenience control
# for well-behaved devices, not a security boundary.
config rule
list proto 'all'
option name 'Block all if on LAN'
option dest '*'
option target 'REJECT'
option src 'lan'
list src_mac '00:51:ED:CA:DB:B6'
# Hand-written rules in /etc/firewall.user are loaded as well. Their
# contents are not shown here, so they may also influence the guest case.
config include
option path '/etc/firewall.user'
# Port forwards to the web server. Every redirect has src 'wan', so the
# DNAT is applied only to connections that enter through the wan zone.
# A guest client connecting to the WAN IP is not rewritten by these
# sections; the packet reaches the router's guest-zone INPUT chain and is
# REJECTed there. The LAN-client case presumably works because the
# firewall's default NAT reflection (reflection '1') is applied for the
# redirect's dest zone, lan. In fw3 a redirect accepts
# `list reflection_zone 'guest'` to extend that reflection (DNAT plus the
# matching SNAT) to additional zones — verify against the firewall version
# in use, and check that the resulting guest -> lan path is accepted only
# for the intended ports.
# NOTE(review): the first redirect exposes tcp/22 on 192.168.1.10 to the
# Internet; confirm that is intended. If reflection is extended to guest,
# keep it off this redirect unless guest SSH access is wanted.
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '22'
option dest_ip '192.168.1.10'
option dest_port '22'
option name 'webserver/ssh'
# HTTP: wan:80 -> 192.168.1.10:80
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '80'
option dest_ip '192.168.1.10'
option dest_port '80'
option name 'webserver/http'
# HTTPS: wan:443 -> 192.168.1.10:443
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '443'
option dest_ip '192.168.1.10'
option dest_port '443'
option name 'webserver/https'
Thanks!