Virtual server: ports 80 and 443 not forwarded

Hello,
I am a new user and I have just installed OpenWrt on my Archer C6 v2 (simple, as everything is well explained).
I would like to run a virtual server (on the internal IP 192.168.1.14). With the default TP-Link firmware the server works perfectly, including requests from outside.

After installing OpenWrt, I cannot get the port forwarding to work.
I used the GUI (Firewall → Port Forwards) to forward the needed ports (443 and 80), as these ports are required for Let's Encrypt.
The internal ports are 443 (for external 443) and 8013 (for external 80).

I have no idea what I am doing wrong.
When I search the forum I don't find what I need.
Can you please help me?
Thank you
Here is my firewall config.

cat  /etc/config/firewall

# /etc/config/firewall as pasted by the original poster (UCI syntax, consumed by fw3).
# Zone-independent defaults: traffic to/from the router itself is accepted,
# forwarding between zones is rejected unless a zone or forwarding section allows it.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        # synflood_protect is enabled here (stock OpenWrt default).
        option synflood_protect '1'

# LAN zone: the 'lan' network, everything accepted in every direction.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# WAN zone: covers both 'wan' (IPv4) and 'wan6'. Unsolicited inbound traffic to the
# router is REJECTed; the only WAN-side exceptions are the explicit rules and
# redirects below. masq '1' enables IPv4 masquerading (NAT) for this zone and
# mtu_fix '1' enables TCP MSS clamping.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# Only lan -> wan forwarding is allowed; wan -> lan is reachable solely via the
# DNAT redirects at the end of the file.
config forwarding
        option src 'lan'
        option dest 'wan'

# The rules below match the names and values of the stock OpenWrt defaults
# (DHCP/DHCPv6 renewals, ping, IGMP/MLD, ICMPv6, IPsec, traceroute).
# They accept traffic TO the router (or, where 'dest' is set, forward it); none
# of them is related to the port forwards being debugged.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        # Rate limit so ICMPv6 floods cannot exhaust the router.
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# dest '*' means this rule applies to forwarded ICMPv6 into any zone, not just input.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# IPsec pass-through into the LAN: ESP and IKE (UDP/500) are forwarded wan -> lan.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Disabled (enabled '0'); left as shipped.
config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

# Custom rule script; its contents are not shown in this thread, so anything it
# adds (or overrides) is not visible here.
config include
        option path '/etc/firewall.user'

# Port forwards (DNAT). All three expose the same LAN host, 192.168.1.14, to the
# WAN zone: TCP/32400 -> 32400 (Plex), TCP/80 -> 8013 and TCP/443 -> 443
# (Nextcloud). The counters quoted later in the thread show these rules are
# present in zone_wan_prerouting, so the issue is upstream of this router.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Plex'
        list proto 'tcp'
        option src 'wan'
        option src_dport '32400'
        option dest_ip '192.168.1.14'
        option dest_port '32400'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'httpNextcloud'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.1.14'
        option dest_port '8013'
        list proto 'tcp'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'httpsNextcloud'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.1.14'
        option dest_port '443'

The redirect rules look correct. Check the rules' hit counters:

iptables-save -t nat -c | grep Nextcloud | grep zone_wan_prerouting

Hello,

Thank you for the help

Here is the result of the command.
I tested from the mobile network (with Wi-Fi off) and from a computer inside the network.

 iptables-save -t nat -c | grep Nextcloud | grep zone_wan_prerouting
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: httpNextcloud" -j DNAT --to-destination 192.168.1.14:8013
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: httpsNextcloud" -j DNAT --to-destination 192.168.1.14:443

The counters are zero, so the packets never reach the wan interface.

Are you sure you are using the correct public IP address? It may have changed after installing OpenWrt.

Access from the LAN should also work, thanks to the NAT reflection rules. Run the following and look for the current wan IP address in the rules (after the -d parameter):

iptables-save -t nat -c | grep Nextcloud | grep zone_lan_prerouting

Hello,

Thank you for the help.
I think I have an idea of what the problem is (but no idea how to solve it).
I have put my router in the DMZ of my ISP router (I sometimes have stability problems with my line and they don't offer bridge mode, so I have no choice at the moment).
So the WAN address is 192.168.0.13/32 (192.168.0.13/24 is the address of my TP-Link behind the ISP router, in its DMZ).

The LAN zone is 192.168.1.0/24

I guess it is the same problem for the loopback (NAT reflection).
A ping to ......ddns.net gives the correct IP (the same as whatismyip.com).

Do you have an idea to solve the problem?
Thank you very much

iptables-save -t nat -c | grep Nextcloud | grep zone_lan_prerouting
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.0.13/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: httpNextcloud (reflection)" -j DNAT --to-destination 192.168.1.14:8013
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.0.13/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: httpsNextcloud (reflection)" -j DNAT --to-destination 192.168.1.14:443

Most likely the DMZ of the ISP router is not working as expected. If possible, also create dedicated port forwarding rules on that router.

Regarding NAT reflection: the generated reflection rules match the WAN address 192.168.0.13, so if you want to use the public IP address instead, you will have to create those rules manually.

Hello,

I have seen something strange. If I enable (or disable) the Wi-Fi of my ISP box, it works (both loopback and from the external IP). After a reboot of OpenWrt, it stops working again.

Hello,

For the record, restarting the ISP box solved the problem (without having to toggle the Wi-Fi of the ISP box to make it work).
