Unable to access private web server from public internet via WAN

I'm looking to do networking 101 here, but can't seem to set up the port forwarding rules to get this working.

Node 3 in this image is hosting a web server on 192.168.70.30:30080 and I can access it within my network.

I've added firewall rules to allow WAN on 30080 to forward to my zone with IP 192.168.70.30 port 30080 and cannot seem to get inbound access working at all. Is there something obvious I'm missing?

There are two things we need to do here:

  1. verify that you have a public IP
  2. look at your config

First, let's make sure you do have a public IP. Please look at the main LuCI status page and find the "IPv4 upstream" section -- you'll see an IP there. Please post the first two octets here (in bold: aaa.bbb.ccc.ddd)

Then, post this:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

Hm, ok, interesting: the upstream is 192.168.0.115. I have my ISP router/modem combo configured to act as a bridge. What should I do for this to register my public IP? (If I'm understanding this correctly, I assume this should read as my ISP IPv4.)

You have two options here:

  1. figure out how to get the ISP modem+router device to operate in a true bridge mode where it passes the (hopefully public) IP address directly to your OpenWrt router's wan.

or

  2. enable port forwarding on your ISP modem+router to forward the relevant ports (individually or you can do a DMZ/all ports) to 192.168.0.115 (make sure that your OpenWrt router's address won't change -- a DHCP reservation in the ISP router or a static IP on the OpenWrt router is advised). For this to work, you'll still need to ensure that your ISP modem+router has a proper public IPv4 address on its wan.
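The two checks above (is the WAN address really public, and does the router carry a WAN-to-host DNAT redirect at all) can be scripted. The following is an added example, not something posted in this thread: it classifies the WAN IPv4 address (RFC 1918 means double NAT behind the modem, 100.64.0.0/10 means the ISP is doing carrier-grade NAT and no port forward on your side can help) and, only when the address is public, prints the uci commands for the redirect the original post describes. The host 192.168.70.30:30080 and the fact that the Cluster network sits in the 'lan' zone come from the posted config; the rule name 'Web-30080', the TCP-only choice and the use of `ifstatus`/`jsonfilter` to read the WAN address are this example's assumptions. The commands are printed rather than executed so they can be reviewed first.

```sh
#!/bin/sh
# Added example (not from the thread): triage for "my port forward does not work".
#  1. classify the WAN IPv4 address; only "public" can carry an inbound DNAT
#  2. if public, print the uci commands for WAN:30080 -> 192.168.70.30:30080
# Assumed names: rule 'Web-30080'; ifstatus/jsonfilter are OpenWrt-only tools.

# Print one of: rfc1918 cgnat loopback link-local public invalid.
# A trailing /prefix length (as shown in LuCI, e.g. 70.185.x.x/22) is ignored.
classify_ipv4() {
    ip=${1%%/*}
    oldifs=$IFS; IFS=.
    # shellcheck disable=SC2086
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || { echo invalid; return 1; }
    for o in "$@"; do
        case $o in ''|*[!0-9]*) echo invalid; return 1 ;; esac
        [ "$o" -le 255 ] || { echo invalid; return 1; }
    done
    if   [ "$1" -eq 10 ]; then echo rfc1918
    elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then echo rfc1918
    elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then echo rfc1918
    elif [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then echo cgnat   # RFC 6598
    elif [ "$1" -eq 127 ]; then echo loopback
    elif [ "$1" -eq 169 ] && [ "$2" -eq 254 ]; then echo link-local
    else echo public
    fi
}

# Explain the result; returns 0 only when a redirect on this router can work.
triage() {
    case $(classify_ipv4 "$1") in
        public)
            echo "WAN $1 is public: a DNAT redirect on this router is reachable from the Internet."
            return 0 ;;
        rfc1918)
            echo "WAN $1 is private: double NAT. Bridge the upstream modem/router, or forward the port there to this router first."
            return 1 ;;
        cgnat)
            echo "WAN $1 is in 100.64.0.0/10 (CGNAT): the ISP NATs you; inbound ports need a tunnel or a real public IP."
            return 1 ;;
        *)
            echo "WAN $1 is not a usable Internet address."
            return 1 ;;
    esac
}

# Emit the uci commands for a WAN -> internal host DNAT redirect.
# Args: name  external_port  internal_ip  internal_port
# dest is 'lan' because the posted config lists the Cluster network in that zone.
redirect_uci_cmds() {
    cat <<EOF
uci add firewall redirect
uci set firewall.@redirect[-1].name='$1'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].src_dport='$2'
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].dest_ip='$3'
uci set firewall.@redirect[-1].dest_port='$4'
uci set firewall.@redirect[-1].proto='tcp'
uci set firewall.@redirect[-1].target='DNAT'
uci commit firewall
/etc/init.d/firewall reload
EOF
}

# On the router itself: read the WAN address from netifd and triage it.
# Off-router (no ifstatus) the functions can still be called by hand.
if command -v ifstatus >/dev/null 2>&1 && command -v jsonfilter >/dev/null 2>&1; then
    wan_ip=$(ifstatus wan | jsonfilter -e '@["ipv4-address"][0].address')
    if triage "$wan_ip"; then
        redirect_uci_cmds 'Web-30080' 30080 192.168.70.30 30080
    fi
fi
```

After applying the printed commands, test from outside the network (a phone on mobile data, not a LAN client hitting the public IP; that path depends on NAT reflection rather than on the WAN rule). The redirect only admits TCP to that one host and port; the rest of the wan zone's REJECT policy is untouched.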

Ok, just got the public IP to show up as the upstream. Looks like the bridge button actually wasn't enabled on my modem. I set the IP from modem -> router to be static now as well.

Public IP:
70.185.xxx.xxx/22

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn'
	list network 'Cluster'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'WGVPN'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'Guest-DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Guest DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'G2L'
	list proto 'all'
	option src 'guest'
	option dest 'lan'
	option target 'ACCEPT'

config rule
	option name 'L2G'
	list proto 'all'
	option src 'lan'
	option dest 'guest'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Local Server'
	option src 'lan'
	option src_dport '4321'

config rule
	option src 'lan'
	option dest 'lan'
	option target 'ACCEPT'

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd0b:c24d:66f8::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option peerdns '0'
	list dns '2001:4860:4860::8888'
	list dns '2001:4860:4860::8844'

config device
	option type 'bridge'
	option name 'br-vpn'
	option bridge_empty '1'
	list ports 'lan1'

config interface 'vpn'
	option proto 'static'
	option device 'br-vpn'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	list dns '192.168.1.1'

config interface 'WGVPN'
	option proto 'wireguard'
	option nohostroute '1'
	list addresses 'fc00:bbbb:bbbb:bb01::4:df96/128'

config rule
	option src '192.168.10.1/24'
	option in 'vpn'
	option lookup '3'

config wireguard_WGVPN
	option description 'us-lax-wg-201.conf'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option endpoint_port '51820'

config rule
	option in 'guest'
	option lookup '3'
	option disabled '1'

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'lan2'
	option bridge_empty '1'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'

config rule
	option in 'vpn'
	option out 'lan'

config device
	option type 'bridge'
	option name 'ClusterBridge'
	list ports 'lan3'
	option bridge_empty '1'

config interface 'Cluster'
	option proto 'static'
	option device 'ClusterBridge'
	option ipaddr '192.168.70.1'
	option netmask '255.255.255.0'

config route
	option interface 'WGVPN'
	option target '0.0.0.0/0'
	option table '3'

config route
	option interface 'Cluster'
	option target '192.168.70.1/24'

config rule
	option in 'lan'
	option out 'Cluster'

{
	"kernel": "6.1.63",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Dynalink DL-WRX36",
	"board_name": "dynalink,dl-wrx36",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r24455-df167450a5",
		"target": "qualcommax/ipq807x",
		"description": "OpenWrt SNAPSHOT r24455-df167450a5"
	}
}

annnnd we are back in business! WOW I never realized I didn't have a public IP assigned here. Thanks psherman, you're always so helpful and kind on here. Cheers


Have you ever thought of using something like Tailscale so you don't need ports open to the internet?

Have you considered just using IPv6 to gain and fulfill the end-to-end connectivity principle (again)?
It's 2023 and there is simply no benefit in being stuck on private IP space and NAT shizzle. (Even if you do not want to expose your "private" services to the global Internet, you should just use global IP space and adjust your firewall inbound policy accordingly.)
But there are still people claiming that 3 layers of NAT and encapsulation would solve anything... Seriously, I'm getting old and tired.


Yes, I am using tunnels for inbound private access but toying around with the idea of exposing certain Kubernetes pods (like a static blog) to the public internet. Bad idea?

I was thinking if I restrict inbound TLS on 443 to my K8s nodes I’d be safe in certain scenarios I’ve “hardened”. Let’s say 443 redirects to my control plane then I leverage ingress to handle routing internally within the cluster.

It’s on the list!
