[Solved] LuCI accessible from WAN without configuring it!

I have my router running OpenWrt 19.07.3. The problem is that LuCI is accessible from an external IP without my ever having configured it that way. This router is cascaded behind the provider's primary router. On the provider's router I created a DMZ pointing to the IP that the second router, running OpenWrt, connects with. Can someone explain to me why my cascaded router is accessible from the outside without ever having been configured for it? I also tried to create traffic rules to block this, but the problem remains. Am I doing something wrong? Because seen this way it seems that the router has a hole. Thank you.

Maybe you could post your network/firewall config?

I have many rules to post. Is there a way to reset only the traffic rules to default, or must I reset the router?

I managed to block access by creating a drop rule between the ip of the first lan-side router and the device (router openwrt) on ports 443 and 80. It's a patch but it doesn't explain the underlying problem.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

uci export network; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
2 Likes

As I wrote before, there is too much stuff and the risk that some data will slip through is high. Is there a way to reset the firewall section to default?

You can try How to reset OpenWrt firewall?

If this router has a single ethernet port, then it will be used as lan. The lan firewall zone accepts everything by default.
Since you are not posting configurations nor the router model, one can only speculate.

3 Likes

At least post the firewall settings

uci export firewall

There shouldn't be any sensitive info there.

1 Like

I did and the problem seems to be solved. Maybe a mistake in the zone rules. I have to be more careful. Thanks @ThomasCr @krazeh.

@Hegabo already defaulted sorry. I wanted to sort it out quickly.

1 Like

@trendy the router is an Archer C7 V5. It has 4 LAN ports and 1 WAN/LAN port. For the last I'm not sure.

If the "too much stuff" includes configuration you made, then there is a big chance you accidentally exposed it. And if it's just the default info, then you can post your network uci export network; just remember to redact your MAC addresses and your WiFi info. I don't imagine you have a public IP on that router, so you don't have to worry about that bit.

1 Like

It's a WAN port (which is protected by the firewall in the default config).

My best guess is that you accidentally assigned the LAN firewall zone to the WAN interface.

@Hegabo how can I see if this is still present?

If you reset the firewall settings and the problem also disappeared, then it's unlikely to still be present.

Anyway, in the default config the LAN zone is green and the WAN zone is red. If you go to the network page and see the WAN interface in red, then that's likely to be correct.
You should have something like this:

1 Like
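To check for the zone mistake suspected above (a zone with an ACCEPT input policy that also covers the WAN interface) without reading the whole export by eye, here is an added shell/awk audit of a saved `uci export firewall`; it is not code from this thread and assumes the export was saved to a file such as /tmp/fw.txt.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a saved `uci export firewall`
# and flag any zone whose input policy is ACCEPT while it also holds a wan-side
# network, which is the "LAN zone assigned to the WAN interface" mistake.
# Router use (assumed path): uci export firewall > /tmp/fw.txt; audit_zones /tmp/fw.txt
audit_zones() {
  awk -v q="'" '
    function strip(s) { gsub(q, "", s); return s }
    function emit() {
      if (name == "") return
      pol = (input == "") ? "default" : input
      flag = "ok"
      # pad with spaces so "wan" does not match names like "wanguest"
      if (pol == "ACCEPT" && (" " nets " ") ~ / wan6? /) flag = "EXPOSED"
      printf "%s input=%s networks=[%s] %s\n", name, pol, nets, flag
    }
    /^config zone/ { emit(); inzone = 1; name = ""; input = ""; nets = ""; next }
    /^config /     { emit(); inzone = 0; name = ""; next }
    inzone && $1 == "option" && $2 == "name"    { name = strip($3) }
    inzone && $1 == "option" && $2 == "input"   { input = strip($3) }
    inzone && $1 == "list"   && $2 == "network" { nets = (nets == "") ? strip($3) : nets " " strip($3) }
    END { emit() }
  ' "$1"
}

# Constructed sample reproducing the suspected mistake: 'wan' listed in the lan zone.
make_bad_sample() {
  cat <<'EOF'
config zone
        option name 'lan'
        list network 'lan'
        list network 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
EOF
}

# Demo on the constructed sample; on a real router pass the exported file instead.
f=$(mktemp) && make_bad_sample > "$f" && audit_zones "$f"; rm -f "$f"
```

A zone reported as EXPOSED has LuCI, SSH and every other local service reachable from that network, which matches the symptom in the opening post.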

@Hegabo the same as yours. The only difference is that in WAN I have br-wan and you have eth0.2. I think it is not relevant.

It shouldn't make a difference in this particular case (as you appear to have only one interface in your WAN bridge, most probably eth0.2), but why do you have a bridge for your WAN interface?

On what port can you connect to your router?

Maybe try temporarily stopping Dropbear and see if you can still access your router.

It may be a setting error, but I don't know how to solve it. I have another problem. I am trying to configure the router so that it does not receive pings from WAN addresses, but although I have tried several ways to avoid it, I keep receiving them from the external IP of my mobile phone and I do not understand why.

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option src 'wan'
        option target 'DROP'
        list src_ip '10.10.10.10'
        list src_ip '10.10.10.100'
        option dest_port '20-23 443 80 3389'
        option name '20 21 22 23 443 80 3389 Wan'
        option family 'ipv4'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option proto 'icmp'
        option target 'DROP'
        option name 'NO Allow-Ping'
        list src_ip '10.10.10.10'
        list src_ip '10.10.10.100'
        option src 'wan'
        option family 'ipv4'
        list icmp_type 'echo-request'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

These are not so many rules. Better post the whole troubleshooting commands to get a better picture.
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
1 Like