Howdy peeps,
I got up this morning and I can't log in to the GUI Web system.
I can access the CLI via SSH but I just can't get access to the web system any more.
I saw there were issues about this years ago, but I have not updated anything since last night.
Hope someone can help please?
Thanks.
Not a ton of info here to help...
- Have you tried clearing your browser cache?
- Have you tried different browsers?
- What specifically is happening when you try to log in?
- Are you using the correct username (`root`) and password (whatever you set)?
What did you do last night? What specific changes or updates?
Let's see your config:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:
```
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
cat /etc/config/uhttpd
```
Last night all I did was add a few records to the IP blocking for Brazil that was attacking me.
Literally I see the login panel, I perform the submit, and it goes back to the login screen.
If I enter an incorrect password, then it tells me the details are wrong.
Same browser. I don't really want to have to spend the 3 hours rebuilding my machine to try other browsers.
So last night, using the GUI I added the following..
```
	list src_ip '181.189.8.0/22'
	list src_ip '172.200.0.0/13'
	list src_ip '200.229.88.0/22'
	list src_ip '187.94.12.0/22'
	list src_ip '209.61.0.0/17'
	list src_ip '191.36.168.0/21'
	list src_ip '177.73.48.0/21'
	list src_ip '168.0.140.0/22'
	list src_ip '85.25.172.0/23'
	list src_ip '216.73.216.0/22'
	list src_ip '216.73.208.0/21'
	list src_ip '113.161.32.0/19'
	list src_ip '72.167.0.0/16'
	list src_ip '191.6.192.0/19'
```
I'll be getting the full details with the appropriate redactions.
I should also mention it doesn't matter if it's HTTP or HTTPS, still fails.
`ubus call system board`
```
{
	"kernel": "6.6.119",
	"hostname": "XL5",
	"system": "[REDACTED]",
	"model": "[REDACTED]",
	"board_name": "[REDACTED]",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.5",
		"revision": "r29087-d9c5716d1d",
		"target": "x86/64",
		"description": "OpenWrt 24.10.5 r29087-d9c5716d1d",
		"builddate": "1766005702"
	}
}
```
`cat /etc/config/network`
```
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config interface 'int_lan'
	option proto 'static'
	option device '[LANPORT]'
	option ipaddr '[ipnet1].1'
	option netmask '255.255.255.0'
	option broadcast '[ipnet1].255'
	list dns '[SERVERNET].11'
	list dns_search '[INTERNALIDENT]'

config device
	option name '[WANPORT]'
	option sendredirects '0'
	option arp_accept '0'
	option drop_gratuitous_arp '1'
	option multicast '0'
	option learning '0'
	option unicast_flood '0'
	option ipv6 '0'
	option rpfilter 'strict'

config device
	option name '[LANPORT]'
	option ipv6 '0'

config device
	option name '[SRVPORT]'
	option ipv6 '0'

config device
	option name '[ADMPORT]'
	option ipv6 '0'

config device
	option name '[REMOTEPORT]'
	option ipv6 '0'

config interface 'int_wan'
	option proto 'dhcp'
	option device '[WANPORT]'
	option force_link '1'
	option clientid '3366AC45'
	option vendorid 'D-Link'
	option peerdns '0'
	option delegate '0'
	list dns '[SERVERNET].1'
	option hostname '*'

config interface 'int_[REMOTE]'
	option proto 'static'
	option device '[REMOTEPORT]'
	option ipaddr '[REMOTENET].1'
	option netmask '255.255.255.0'
	list dns '[ipnet1].1'
	list dns_search 'int.[REMOTE].net'

config interface 'int_servers'
	option proto 'static'
	option device '[SRVPORT]'
	option ipaddr '[SERVERNET].1'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	list dns_search '[INTERNALIDENT]'
```
`cat /etc/config/firewall`
```
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'zone_lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'int_lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'int_wan'

config forwarding
	option src 'zone_lan'
	option dest 'wan'

config zone
	option name 'zone_[REMOTE]'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device '[REMOTEPORT]'
	list network 'int_[REMOTE]'

config forwarding
	option src 'zone_[REMOTE]'
	option dest 'wan'

config zone
	option name 'zone_servers'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device '[SRVPORT]'
	list network 'int_servers'

config forwarding
	option src 'zone_servers'
	option dest 'wan'

config redirect
	option dest 'zone_servers'
	option target 'DNAT'
	option name 'web-in-443'
	option src 'wan'
	option src_dport '443'
	option dest_ip '[SERVERNET].26'
	option dest_port '443'
	list proto 'tcp'

config redirect
	option dest 'zone_servers'
	option target 'DNAT'
	option name 'web-in-443'
	option src 'wan'
	option src_dport '80'
	option dest_ip '[SERVERNET].26'
	option dest_port '80'
	list proto 'tcp'

config redirect
	option dest 'zone_servers'
	option target 'DNAT'
	option name 'dns-lan'
	option src 'zone_lan'
	option src_dport '53'
	option dest_ip '[SERVERNET].11'
	option dest_port '53'
	option reflection '0'

config forwarding
	option src 'zone_lan'
	option dest 'zone_servers'

config forwarding
	option src 'zone_[REMOTE]'
	option dest 'zone_servers'

config redirect
	option dest 'zone_servers'
	option target 'DNAT'
	option name 'dns-[REMOTE]'
	option src 'zone_[REMOTE]'
	option src_dport '53'
	option dest_ip '[SERVERNET].5'
	option dest_port '53'

config rule
	option src 'wan'
	option name 'ICMP Drop'
	option direction 'in'
	option device '[WANPORT]'
	list proto 'icmp'
	option target 'DROP'

config rule
	option src '*'
	option dest '*'
	list src_ip '0.0.0.0'
	list dest_ip '255.255.255.255'
	option target 'DROP'
	option name 'UDP pump'

config rule
	option name 'blockerz'
	option target 'DROP'
	option dest '*'
	option src 'wan'
	list src_ip '179.189.0.0/16'
	list src_ip '189.36.0.0/16'
	list src_ip '45.172.0.0/16'
	list src_ip '186.209.0.0/16'
	list src_ip '179.108.0.0/16'
	list src_ip '143.0.0.0/16'
	list src_ip '45.224.0.0/16'
	list src_ip '177.152.96.0/22'
	list src_ip '186.2.165.0/24'
	list src_ip '204.76.203.0/24'
	list src_ip '185.16.38.0/23'
	list src_ip '185.73.23.0/24'
	list src_ip '205.210.31.0/24'
	list src_ip '172.84.94.0/24'
	list src_ip '199.30.228.0/22'
	list src_ip '176.65.149.0/24'
	list src_ip '168.232.220.0/22'
	list src_ip '177.23.108.0/22'
	list src_ip '152.32.133.0/24'
	list src_ip '31.209.136.0/21'
	list src_ip '14.16.0.0/12'
	list src_ip '80.66.66.0/24'
	list src_ip '195.3.220.0/23'
	list src_ip '85.217.140.0/24'
	list src_ip '150.0.0.0/8'
	list src_ip '145.131.90.0/24'
	list src_ip '176.74.224.0/19'
	list src_ip '177.23.200.0/21'
	list src_ip '163.43.147.0/24'
	list src_ip '45.91.64.0/24'
	list src_ip '92.118.39.0/24'
	list src_ip '195.170.172.0/24'
	list src_ip '95.215.0.0/24'
	list src_ip '170.39.192.0/22'
	list src_ip '170.106.0.0/16'
	list src_ip '8.220.219.161/11'
	list src_ip '202.70.132.0/23'
	list src_ip '185.177.72.0/24'
	list src_ip '149.86.0.0/16'
	list src_ip '194.15.36.0/24'
	list src_ip '45.233.176.0/22'
	list src_ip '177.136.224.0/19'
	list src_ip '187.108.192.0/20'
	list src_ip '177.53.148.0/22'
	list src_ip '58.65.241.0/24'
	list src_ip '185.12.56.0/22'
	list src_ip '34.128.0.0/10'
	list src_ip '35.240.0.0/13'
	list src_ip '35.224.0.0/12'
	list src_ip '35.208.0.0/12'
	list src_ip '5.61.209.0/24'
	list src_ip '122.243.0.0/17'
	list src_ip '143.202.247.0/24'
	list src_ip '138.118.168.0/22'
	list src_ip '131.161.60.0/22'
	list src_ip '45.225.160.0/22'
	list src_ip '186.249.216.0/22'
	list src_ip '170.80.208.0/22'
	list src_ip '45.5.220.0/22'
	list src_ip '131.100.40.0/22'
	list src_ip '143.202.52.0/22'
	list src_ip '200.4.116.0/22'
	list src_ip '131.221.128.0/22'
	list src_ip '170.83.68.0/22'
	list src_ip '45.225.236.0/22'
	list src_ip '143.202.0.0/16'
	list src_ip '168.232.216.0/22'
	list src_ip '168.232.0.0/16'
	list src_ip '45.163.0.0/16'
	list src_ip '45.186.0.0/16'
	list src_ip '45.148.10.0/24'
	list src_ip '172.232.0.0/13'
	list src_ip '95.214.52.0/22'
	list src_ip '116.128.0.0/10'
	list src_ip '45.141.214.0/24'
	list src_ip '167.94.138.0/24'
	list src_ip '206.168.32.0/22'
	list src_ip '209.38.0.0/16'
	list src_ip '132.220.0.0/16'
	list src_ip '51.158.128.0/17'
	list src_ip '78.128.114.38'
	list src_ip '78.128.114.0/24'
	list src_ip '144.202.82.0/23'
	list src_ip '67.213.112.0/20'
	list src_ip '45.92.1.0/24'
	list src_ip '167.250.0.0/16'
	list src_ip '174.138.0.0/17'
	list src_ip '189.206.0.0/16'
	list src_ip '167.71.0.0/16'
	list src_ip '47.253.0.0/16'
	list src_ip '27.192.0.0/11'
	list src_ip '159.89.0.0/16'
	list src_ip '89.248.168.0/24'
	list src_ip '115.190.230.0/23'
	list src_ip '60.165.0.0/15'
	list src_ip '79.137.140.0/22'
	list src_ip '79.137.144.0/20'
	list src_ip '79.137.160.0/22'
	list src_ip '139.226.0.0/15'
	list src_ip '141.76.0.0/16'
	list src_ip '113.131.0.0/16'
	list src_ip '203.55.131.0/24'
	list src_ip '167.86.116.0/23'
	list src_ip '172.94.0.0/17'
	list src_ip '172.105.160.0/19'
	list src_ip '172.105.148.0/22'
	list src_ip '172.105.192.0/18'
	list src_ip '172.105.152.0/21'
	list src_ip '216.180.240.0/21'
	list src_ip '216.180.246.0/24'
	list src_ip '188.212.100.0/22'
	list src_ip '165.245.128.0/17'
	list src_ip '89.42.231.0/24'
	list src_ip '93.114.82.0/24'
	list src_ip '119.176.0.0/12'
	list src_ip '123.4.0.0/14'
	list src_ip '66.132.172.0/24'
	list src_ip '163.179.0.0/16'
	list src_ip '165.22.0.0/16'
	list src_ip '151.243.11.0/24'
	list src_ip '179.107.48.0/22'
	list src_ip '201.149.124.0/22'
	list src_ip '177.75.224.0/20'
	list src_ip '93.174.93.0/24'
	list src_ip '93.123.109.0/24'
	list src_ip '66.132.195.0/24'
	list src_ip '159.65.0.0/16'
	list src_ip '20.192.0.0/10'
	list src_ip '13.126.0.0/15'
	list src_ip '45.33.0.0/17'
	list src_ip '31.151.128.0/17'
	list src_ip '192.109.200.0/24'
	list src_ip '34.4.64.0/18'
	list src_ip '34.4.8.0/21'
	list src_ip '34.4.128.0/17'
	list src_ip '34.8.0.0/13'
	list src_ip '34.32.0.0/11'
	list src_ip '34.4.5.0/24'
	list src_ip '34.5.0.0/16'
	list src_ip '34.4.16.0/20'
	list src_ip '34.16.0.0/12'
	list src_ip '34.6.0.0/15'
	list src_ip '34.4.6.0/23'
	list src_ip '34.4.32.0/19'
	list src_ip '201.55.64.0/20'
	list src_ip '45.194.42.0/24'
	list src_ip '177.185.7.0/25'
	list src_ip '189.45.248.0/21'
	list src_ip '138.118.128.0/17'
	list src_ip '138.118.140.0/22'
	list src_ip '138.118.120.0/21'
	list src_ip '91.231.89.0/24'
	list src_ip '168.195.0.0/22'
	list src_ip '159.223.0.0/16'
	list src_ip '65.49.0.0/17'
	list src_ip '65.49.20.64/26'
	list src_ip '134.199.128.0/17'
	list src_ip '104.234.119.0/24'
	list src_ip '104.234.0.0/17'
	list src_ip '64.227.0.0/17'
	list src_ip '141.98.83.0/24'
	list src_ip '149.57.0.0/16'
	list src_ip '142.248.80.0/24'
	list src_ip '157.230.0.0/16'
	list src_ip '176.124.222.0/24'
	list src_ip '181.189.8.0/22'
	list src_ip '172.200.0.0/13'
	list src_ip '200.229.88.0/22'
	list src_ip '187.94.12.0/22'
	list src_ip '209.61.0.0/17'
	list src_ip '191.36.168.0/21'
	list src_ip '177.73.48.0/21'
	list src_ip '168.0.140.0/22'
	list src_ip '85.25.172.0/23'
	list src_ip '216.73.216.0/22'
	list src_ip '216.73.208.0/21'
	list src_ip '113.161.32.0/19'
	list src_ip '72.167.0.0/16'
	list src_ip '191.6.192.0/19'

config rule
	option name 'blockerzsingle'
	option target 'DROP'
	option dest '*'
	option direction 'in'
	option device '[WANPORT]'
	option src 'wan'
	list src_ip '34.158.79.105'
	list src_ip '47.236.227.106'
	list src_ip '40.99.129.2'
	list src_ip '87.121.84.50'
	list src_ip '45.205.1.8'
	list src_ip '3.129.187.38'
	list src_ip '194.187.178.179'
	list src_ip '193.163.125.254'
	list src_ip '152.32.133.174'
	list src_ip '3.76.72.143'
	list src_ip '212.87.212.154'
	list src_ip '18.64.50.101'
	list src_ip '18.236.179.219'
	list src_ip '4.236.13.253'
	list src_ip '34.192.0.0/10'
	list src_ip '188.212.100.204'

config rule
	option src 'zone_servers'
	option dest 'zone_lan'
	option name 'CodingForward'
	list proto 'tcp'
	list src_ip '[SERVERNET].74'
	list dest_ip '[ipnet1].3'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option name 'goldnettelecom.com.br'
	option target 'DROP'
	option direction 'in'
	option device '[WANPORT]'
	option ipset 'brazil-telecom'
	list proto 'all'

config rule
	option src 'wan'
	option name '169.254.84.179'
	option target 'DROP'

config ipset
	option name 'brazil-telecom'
	option family 'ipv4'
	option maxelem '65535'
	option counters '1'
	list match 'ip'
	list entry '64.62.156.162'
	list entry '85.11.183.25'
	list entry '78.128.112.74'
	list entry '179.189.0.0/16'
	list entry '198.235.24.254'
	list entry '189.36.0.0/16'
	list entry '45.172.0.0/16'

config rule
	option src '*'
	option dest '*'
	option name 'Blockpermanten'
	option target 'DROP'
	option ipset 'BlockAlls'

config ipset
	option name 'BlockAlls'
	option family 'ipv4'
	list match 'ip'
	list entry '212.87.212.154'
	list entry '123.253.150.17'

config rule
	option src '*'
	option name 'BlockoutbountIPs'
	option target 'DROP'
	list dest_ip '20.42.73.24'
	list dest_ip '0.0.0.0'

config nat
	list proto 'all'
	option src 'wan'
	option target 'SNAT'
	option snat_ip '[REDACTED]'
```
`cat /etc/config/uhttpd`
```
config uhttpd 'main'
	list listen_http '[ipnet1].1:80'
#	list listen_http '[::]:80'
	list listen_https '[ipnet1].1:443'
#	list listen_https '[::]:443'
	option redirect_https '1'
	option home '/www'
	option rfc1918_filter '1'
	option max_requests '1'
	option max_connections '2'
	option cert '/etc/uhttpd.crt'
	option key '/etc/uhttpd.key'
	option cgi_prefix '/cgi-bin'
	list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
	option script_timeout '5'
	option network_timeout '3'
	option http_keepalive '2'
	option tcp_keepalive '0'
	option ubus_prefix '/ubus'

config cert 'defaults'
	option days '397'
	option key_type 'ec'
	option bits '2048'
	option ec_curve 'P-256'
	option country '[REDACTED]'
	option state '[REDACTED]'
	option location '[REDACTED]'
	option commonname '[REDACTED]'
```
Just mitigated a mass attack from Brazil again... added another bunch of subnets.
Still not able to log in.
Should I run an upgrade of the local software from opkg?
```
# opkg list-upgradable
luci-mod-system - 25.340.26705~d88390b - 26.088.70241~a7f416f
luci-theme-bootstrap - 25.340.26705~d88390b - 26.088.70241~a7f416f
procd-ujail - 2024.12.22~42d39376-r1 - 2026.03.14~c59f2d80-r1
procd - 2024.12.22~42d39376-r1 - 2026.03.14~c59f2d80-r1
luci-mod-status - 25.340.26705~d88390b - 26.088.70241~a7f416f
luci-app-firewall - 25.340.26705~d88390b - 26.088.70241~a7f416f
luci-ssl - 25.340.26705~d88390b - 26.088.70241~a7f416f
procd-seccomp - 2024.12.22~42d39376-r1 - 2026.03.14~c59f2d80-r1
luci-app-package-manager - 25.340.26705~d88390b - 26.088.70241~a7f416f
luci-proto-ppp - 25.340.26705~d88390b - 26.088.70241~a7f416f
luci-mod-admin-full - 25.340.26705~d88390b - 26.088.70241~a7f416f
luci-base - 25.340.26705~d88390b - 26.088.70241~a7f416f
luci-proto-ipv6 - 25.340.26705~d88390b - 26.088.70241~a7f416f
luci - 25.340.26705~d88390b - 26.088.70241~a7f416f
luci-light - 25.340.26705~d88390b - 26.088.70241~a7f416f
luci-mod-network - 25.340.26705~d88390b - 26.088.70241~a7f416f
```
Why was this redacted?
There is no need to redact this stuff at all (except maybe dns_search) -- it doesn't reveal anything private about your network.
The list goes on -- you've over-redacted this whole thing to the point at which it is useless.
But... if I had to guess..
This is your problem...
Restore the defaults for this file and it might work again.
No!!
Did you do that previously? That would be the real cause of the issue.
Upgrading packages (via the CLI opkg upgrade/apk upgrade commands or the LuCI Upgrade... button) can result in major problems. It is generally highly discouraged, unless you know what you are doing or if there is specific instruction to do so.
Just to be clear... if your device is properly configured, unsolicited traffic will not be allowed into the router or through to your lan.
You may still encounter DDOS attacks if that's what is happening, but adding those rules won't really fix your issue (your router still has to process those packets to then reject or drop them).
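
An added example, not part of any post in this thread: a Python audit, meant to run on a workstation, of `list src_ip` lines like those in the posted `blockerz` rule. It flags entries with host bits set, very broad prefixes and entries already covered by a wider one, and returns the collapsed list. The name `audit_blocklist`, the `broad_prefix` threshold and the choice of sample lines (copied from the posted config) are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: nine 'list src_ip' lines copied from the posted 'blockerz' rule.
SAMPLE = """\
list src_ip '8.220.219.161/11'
list src_ip '78.128.114.38'
list src_ip '78.128.114.0/24'
list src_ip '138.118.128.0/17'
list src_ip '138.118.140.0/22'
list src_ip '138.118.120.0/21'
list src_ip '168.232.220.0/22'
list src_ip '168.232.0.0/16'
list src_ip '150.0.0.0/8'
"""

ENTRY = re.compile(r"^\s*list\s+src_ip\s+'?([0-9./]+)'?\s*$")

def audit_blocklist(uci_text, broad_prefix=10):
    """Return (findings, collapsed) for the 'list src_ip' lines in uci_text."""
    findings, nets = [], []
    for line in uci_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        raw = m.group(1)
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            findings.append(("invalid", raw, "not an IPv4 address or CIDR"))
            continue
        if str(net.network_address) != raw.split("/")[0]:
            # Host bits set: the prefix length decides what is matched, not the host part.
            findings.append(("host-bits", raw, str(net)))
        if net.prefixlen <= broad_prefix:
            findings.append(("broad", raw, f"{net.num_addresses} addresses"))
        nets.append((raw, net))
    for raw, net in nets:
        # An entry fully inside another entry adds nothing to the rule.
        for other_raw, other in nets:
            if net != other and net.subnet_of(other):
                findings.append(("redundant", raw, other_raw))
                break
    collapsed = [str(n) for n in ipaddress.collapse_addresses(n for _, n in nets)]
    return findings, collapsed

if __name__ == "__main__":
    for finding in audit_blocklist(SAMPLE)[0]:
        print(*finding, sep="\t")
```

The collapsed list covers exactly the same addresses as the normalized input, so it shortens the rule without changing what the rule matches.
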
What is the problem with that?
It has been like that for months.
And since I don't have IPv6 it makes no difference.
No I have not updated in weeks.
Yes, it is primarily a DDOS attack, just SYN-ACK connections that sit there on my internal web server.
So they are routed just fine. Just saying that I constantly am blocking and adding to the list.
I even restarted the OpenWRT box to try to remedy, but that didn't fix it.
Everything is listening correctly.
It just fails to work... How can I do an upgrade of the system to the latest without access to the gui?
Do I just download the image, then DD it on to the partition?
But you have done the package upgrades in the past, right?
ssh into the device and use either OWUT / ASU, or just simply sysupgrade on the command line.