[SOLVED] Access a LAN webserver from a guest network using the public IP

Hi,

I have:

  • three networks: LAN (192.168.1.0/24), GUEST (192.168.254.0/24) and WAN;
  • a web server on the LAN (192.168.1.10) listening on ports 80 and 443, both of which are forwarded from WAN to LAN;
  • a DNS record pointing to the WAN IP.

I have no problems accessing that server from an outside IP (mobile data, for example) or from a client on the LAN using the DNS name. If I try to access it from a client on GUEST, I get "connection refused". I know the connection is refused by the router because there are no entries in the server's logs.
Note: I do not want to access it by its LAN IP (only through the WAN IP).

What I need, from a noob perspective, is to access that server from the GUEST network as if I were outside all of my NAT.

Here is my /etc/config/network:

# /etc/config/network as posted: three routed segments (lan, guest, wan) on one
# VLAN-capable switch. Zone policy for them lives in /etc/config/firewall.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf9:9efd:f587::/48'

# lan: bridge over switch VLAN 1, router address 192.168.1.1/24. The web server
# 192.168.1.10 from the question lives on this segment.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# guest: bridge over switch VLAN 15, router address 192.168.254.254/24.
config interface 'guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option ifname 'eth0.15'
	option ipaddr '192.168.254.254'
	option type 'bridge'
	option ip6assign '60'

# wan / wan6: DHCP and DHCPv6 clients sharing switch VLAN 12.
config interface 'wan'
	option proto 'dhcp'
	option ifname 'eth0.12'

config interface 'wan6'
	option proto 'dhcpv6'
	option ifname 'eth0.12'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1 (lan): CPU port 6 tagged, ports 1-3 untagged.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '6t 1 2 3'
	option vid '1'

# VLAN 12 (wan): CPU port 6 and ports 4 and 0 all tagged.
# NOTE(review): two physical ports carry the WAN VLAN — presumably one is the
# upstream link that requires tagging; confirm the other is intended, since
# anything plugged into it is layer-2 adjacent to the upstream segment.
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '6t 4t 0t'
	option vid '12'

# VLAN 15 (guest): CPU port 6 tagged, ports 1-3 tagged. Ports 1-3 therefore
# carry lan untagged and guest tagged — presumably for access points that map
# a guest SSID to VLAN 15 (not shown here); confirm.
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '6t 1t 2t 3t'
	option vid '15'

and /etc/config/firewall


# /etc/config/firewall as posted. fw3 applies rules in file order, so the
# listing is kept exactly as given and only annotated.
#
# Defaults: traffic to/from the router itself is accepted unless a zone says
# otherwise; traffic between zones is rejected unless a forwarding or rule
# below allows it.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# lan: trusted — may reach the router and, via the forwarding below, wan.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# guest: may send out, but may not reach the router (input REJECT) or any
# other zone (forward REJECT) except where a rule or forwarding below opens it.
# The REJECT on input is presumably what produces "connection refused" when a
# guest client connects to the router's own WAN address.
config zone
	option name 'guest'
	list network 'guest'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'

# wan: untrusted; masq '1' source-NATs outbound traffic, mtu_fix clamps TCP MSS.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'

# Inter-zone forwardings: lan -> wan and guest -> wan. There is no guest -> lan
# forwarding, so a guest client cannot reach 192.168.1.10 directly without an
# explicit rule.
config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option dest 'wan'
	option src 'guest'

# Stock OpenWrt wan input rules: DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# dest '*' means this applies to forwarded traffic into any zone, not to the
# router itself.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock IPsec pass-through rules (ESP and ISAKMP udp/500) into lan. The copies
# targeting guest below are kept but switched off with enabled '0'.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'guest'
	option proto 'esp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'guest'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option enabled '0'

# Guest exceptions to the zone's input REJECT: no 'dest' means these match
# traffic addressed to the router itself, so guests can use the router's DNS
# and DHCP. No 'proto' is given, so fw3's default protocol set applies
# (tcp+udp as I recall — confirm for this firmware version).
config rule
	option dest_port '53'
	option src 'guest'
	option name 'GUEST: Allow DNS'
	option target 'ACCEPT'

config rule
	option src 'guest'
	option name 'GUEST: Allow DHCP'
	option target 'ACCEPT'
	option dest_port '67-68'

# NOTE(review): the guest -> wan forwarding above already accepts all guest
# traffic bound for wan, so these two rules look redundant. They also do not
# help the question's case: a packet from guest to the router's WAN address is
# input to the router, not forwarded to wan, and the guest zone rejects input.
config rule
	option dest_port '80'
	option src 'guest'
	option name 'GUEST: Allow HTTP'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'

config rule
	option dest_port '443'
	option src 'guest'
	option name 'GUEST: Allow HTTPS'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'

# Blocks every forwarded destination for one lan host, matched by MAC.
# NOTE(review): a MAC address is an identifier the client controls, so treat
# this as a convenience filter rather than an enforcement boundary.
config rule
	list proto 'all'
	option name 'Block all if on LAN'
	option dest '*'
	option target 'REJECT'
	option src 'lan'
	list src_mac '00:51:ED:CA:DB:B6'


config include
	option path '/etc/firewall.user'

# Port forwards (DNAT) from wan to the web server. Because src is 'wan', the
# DNAT does not apply to connections arriving from the guest zone, which is
# consistent with the symptom in the question.
# NOTE(review): fw3 redirects support NAT loopback via 'option reflection' and
# 'list reflection_zone'; by default only the dest zone (lan) gets the hairpin
# rules, which is presumably why lan clients can use the WAN IP and guest
# clients cannot — confirm against the firewall docs for this firmware version.
#
# NOTE(review): this first redirect publishes SSH (tcp/22) on 192.168.1.10 to
# the whole internet. If it must stay, restricting it with src_ip to known
# addresses and using key-only authentication on the host limits the exposure.
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '22'
	option dest_ip '192.168.1.10'
	option dest_port '22'
	option name 'webserver/ssh'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '80'
	option dest_ip '192.168.1.10'
	option dest_port '80'
	option name 'webserver/http'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '443'
	option dest_ip '192.168.1.10'
	option dest_port '443'
	option name 'webserver/https'

Thanks!


The easy solution is to create an entry in Network/Hostnames in LuCI (or a 'domain' section in config/dhcp) mapping the FQDN to the private IP, then add an allow rule in the firewall from guest to lan for 192.168.1.10 ports 80/443.
Reaching a server in another zone by its WAN IP would require a series of DNATs and SNATs and is not worth the trouble.


Ok, if it works, that's good for me.

Added this to dhcp:

# Static name entry for /etc/config/dhcp: clients that use the router's DNS
# resolve the FQDN to the LAN address instead of the public one (split-horizon).
# NOTE(review): the closing quote on the name line appears to have been lost in
# the paste; UCI expects the form: option name '<fqdn-placeholder>'
config domain
        option name 'fqqn.
        option ip '192.168.1.10'

And this to firewall:


# Rules as posted in the follow-up; they still fail. 'src_port' pins the
# *client's* source port to 80/443, but a browser connects from an ephemeral
# port, so neither rule ever matches — the later reply's fix is to drop the two
# src_port lines. With that done each rule opens guest -> lan only for
# 192.168.1.10 on tcp/80 or tcp/443, leaving the rest of the LAN closed to guests.
config rule
        option name 'GUEST: Allow HTTP to server'
        option src 'guest'
        option src_port '80'
        option dest 'lan'
        list dest_ip '192.168.1.10'
        option dest_port '80'
        list proto 'tcp'
        option target 'ACCEPT'

config rule
        option name 'GUEST: Allow HTTPS to server'
        option src 'guest'
        option src_port '443'
        option dest 'lan'
        list dest_ip '192.168.1.10'
        option dest_port '443'
        list proto 'tcp'
        option target 'ACCEPT'

Still connection refused. Did I miss something?

Remove the src_port from both rules.

That solved the problem, thanks!

