[SOLVED] Ping from WAN/internet and forwarding don't work

Hello,

I recently installed LEDE (or OpenWrt, I'm not even sure at this point) on my Archer C7 1750 v2 (OpenWrt SNAPSHOT r7066-060e1ecefa / LuCI Master (git-18.151.24607-5452cc2)). I use LuCI for configuration, since I'm pretty new to this.
I do have a working internet connection and can access the router via SSH from the LAN.
My problem is that accessing my network from the WAN is not possible. Not only does the forwarding not work, I'm also unable to even ping my public IP address. I can however ping any other, like google.com etc. I basically tried to change every setting in the LuCI interface I could find that I thought could cause this, yet I'm still not able to ping or access a device of my LAN network from the WAN/internet.


Any help would be greatly appreciated.

I'm sure I'm making some kind of rookie mistake but I have absolutely no idea what it is.

Wow, please reset that router back to defaults immediately. You've basically completely disabled the firewall right now. I will start typing a more in-depth response now, but I wanted to give you a heads up as soon as possible.

1 Like
  1. You should never ever forward all connections or allow all input connections from WAN to your router or LAN. You've basically completely disabled your firewall now. And for IPv6 connections, NAT isn't even there to save you. Hopefully your LAN devices were properly firewalled. That last screenshot shows input and forward set to accept. These should be drop or reject (your preference). Also leave the general settings to their defaults. The default firewall settings are really good on Lede/Openwrt, and unless you know what you are doing you shouldn't be turning random stuff to accept for no reason. But really, please return to the default values for now and let's go from there. I don't know what else you changed, and it seems like your knowledge isn't sufficient to go changing firewall rules by yourself (no offense, we're here to help you :slight_smile:)
  2. I see you have 3 different forwarding rules. Hopefully you are using private/public key based authentication on that ssh box or a very strong password to avoid being brute-forced. Also consider using non-standard external ports for ssh, for example by mapping 53831 (random) to the internal 22 port. The same holds true for those other services.
  3. As a matter of fact, opening multiple different services to the internet is never a good idea, because you rely on all of those services being secure without any exploits.
    a) Consider running a VPN. This way, you only expose one service to the outside (the VPN), and you can connect to all the different services running on your LAN via the VPN.
    b) If you insist on opening those services to the outside world, consider running the host running those services on a different VLAN with a different firewall zone. Should any of those services be compromised, at least they won't be able to wreak havoc on the rest of your LAN devices.
  4. Really, as I mentioned in my previous message, please go back to default settings and go from there. Lede accepts pings on all interfaces (so WAN as well by default) and should require no additional configuration on that part. Are you sure your ISP isn't blocking pings?
  5. Are you sure you aren't using double NAT? That would also explain why port forwarding isn't working. Is your WAN interface getting an external IP (not in the private range)?
2 Likes
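
The two checks raised in the reply above (is the `wan` zone accepting input or forward, and is the WAN address a private one behind another NAT), as an added shell example that is not part of the original posts. The `uci show firewall` lines and the addresses are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Constructed input; not taken from the poster's router.

# Classify an IPv4 WAN address: private (RFC 1918), cgnat (100.64.0.0/10), public.
wan_addr_class() {
    old_ifs=$IFS; IFS=.
    set -- $1                     # split dotted quad into $1..$4
    IFS=$old_ifs
    if [ "$1" -eq 10 ] || { [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; } ||
       { [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; }; then
        echo private
    elif [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then
        echo cgnat
    else
        echo public
    fi
}

# Read `uci show firewall` text on stdin; print each ACCEPT policy for input or
# forward on the zone named 'wan'. Assumes the name option precedes the
# policies, as in the default config.
audit_wan_zone() {
    wan_sec=""
    while IFS= read -r line; do
        key=${line%%=*}; val=${line#*=}
        val=${val#\'}; val=${val%\'}          # strip uci's single quotes
        sec=${key%.*}; opt=${key##*.}
        case $opt in
            name) if [ "$val" = wan ]; then wan_sec=$sec; fi ;;
            input|forward)
                if [ "$sec" = "$wan_sec" ] && [ "$val" = ACCEPT ]; then
                    echo "wan $opt=ACCEPT"
                fi ;;
        esac
    done
}

# Constructed sample resembling the state described in the thread.
sample_uci() {
    cat <<'EOF'
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[1].name='wan'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
EOF
}

sample_uci | audit_wan_zone      # on the router: uci show firewall | audit_wan_zone
wan_addr_class 192.168.1.2       # constructed WAN address behind another router
```

A result of `private` or `cgnat` for the WAN address means port forwards on this router cannot be reached from the internet until the upstream device forwards them too.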

Finally I can reply. Thanks mods.

  1. I deactivated the firewall on purpose to check if it was causing my problems. It probably didn't since all the changes didn't fix my problem. Don't worry, I did not plan to use these settings in the long run, they were more like temporary test settings to figure out my problem.
  2. I know, I know...
  3. As a matter of fact I do run multiple home servers which require public accessibility, therefore a VPN (even though one of these servers also runs an OpenVPN server instance) is not a suitable replacement. However your suggestion of using a different VLAN could be a good idea for some of these machines. But that's not that urgent imo.
  4. Already did that. I only wanted to show that even de-facto deactivating the firewall was not fixing the problem. Right now the only things I changed are the root password as well as the wifi encryption and password.
  5. Thanks, this one fixed it.

Shit, it was such an easy mistake. You see, before I had the same IP for months (basically static), so I registered domains for it etc. I figured the router would get the same IP after the reinstallation, but of course that wasn't true. Thankfully I could now just assign the old static IP in the router and it works. Man, thank you, without you I wouldn't have found that error. ^^

Glad to see it's fixed and glad to hear you understood that you disabled the firewall by that :slight_smile: Please consider marking this topic as [SOLVED] by adding it to the title :slight_smile:

Okay, I did that. Thanks again. I always make some tiny mistakes that cost me hours to correct. Just a week ago I forgot to test a change in /etc/fstab with "mount -a" and made my Raspberry Pi unable to boot. When I tried to fix it by editing it on another PC I accidentally had the microSD to SD card adapter set on "write protection" (you know, that little switch). Took me hours to figure out why the hell I couldn't write, I already thought I had killed yet another microSD card. ^^

Haha, we've all been there and done that :slight_smile: Perks of playing around with technology :wink:
