Web server behind OpenWrt detects router IP, not external real IP

I have a web server behind my router, and I have already succeeded in port forwarding ports 80 and 443. I can access my web server from the internet, but my web server always detects my router's LAN IP as the one and only address in the log :sweat_smile:
Is there anything I need to set in the firewall or NAT, or anything else?
Any suggestions are really appreciated :slightly_smiling_face:

  • As the SRC IP of the request (i.e. the client), or the DST IP (i.e. your server)?

It's normal that the server detects its own IP as DST, and the Public IP of the client should be the SRC.

  • Or do you mean it sees the client IP as 192.168.1.1?
  • Also, what log?

Can we see the port forwarding rule?

(You provided no details regarding your configuration.)

What is the output of uci export firewall?
Most likely masq is enabled on lan.

2 Likes
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

config zone
        option name 'wan'
        list network 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'
        option masq '1'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg0'
        option masq '1'

config redirect
        option dest 'lan'
        option name 'fw-http'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.x.x.9'
        option dest_port '80'
        option proto 'tcp'

config redirect
        option dest 'lan'
        option name 'fw-https'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.x.x.9'
        option dest_port '443'
        option proto 'tcp'

That's part of /etc/config/firewall.

My web server is 192.x.x.9 and my router's LAN IP is 192.x.x.243.

Here is the log on my web server,

which detected my router's LAN IP.

I tried unticking masquerading on LAN, but then my web server does not respond when accessed from the internet.

PS: I'm replying on my phone, sorry if this is messy.

Yep, disable masquerade on LAN.

Odd...

Redacting private IP addresses doesn't add more privacy; it actually makes it difficult for us to help you troubleshoot.

I assume 192.17x.x.243 is the router?

1 Like

This is either a firewall setting on the web server or some access list on the web server.

It is.

1 Like

I use a dynamic public IP address with No-IP DDNS, a web server behind my router, and also a WireGuard VPN to reach the local network remotely.

Network configuration:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fffff:aaaa:aaaa::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan0'
	list ports 'lan1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.x.x.243'
	option netmask '255.255.255.0'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option ipv6 'auto'
	option username 'isp_user'
	option password 'pass'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'redacted'
	option listen_port 'sect_port'
	list addresses '10.x.x.1/24'

config wireguard_wg0 'client'
	option description 'client'
	option preshared_key 'redacted'
	option public_key 'mypsk'
	option route_allowed_ips '1'
	list allowed_ips '10.x.x.2/32'

And the firewall config:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option flow_offloading_hw '1'
	option flow_offloading '1'
	option disable_ipv6 '1'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

config zone
	option name 'wan'
	list network 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option name 'fw-http'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.x.x.9'
	option dest_port '80'
	option proto 'tcp'

config redirect
	option dest 'lan'
	option name 'fw-https'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.x.x.9'
	option dest_port '443'
	option proto 'tcp'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wg0'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'vpn'

This is either a firewall setting on the web server or some access list on the web server.

The web server can be accessed on any IP in its configuration.

Hi

As long as LAN masq is enabled, it is "normal" that the router will rewrite the SRC with its own address.

So, you first need to disable masq on LAN.

OK, it is another problem.
First, disable all firewalls on the SERVER/PC.
Maybe the firewall on the server is blocking public IPs on ports 80/443.
If it does not work,
stay with the firewall disabled and check your web server access lists.
Maybe the problem is with .htaccess or something similar that does not allow "outside" IPs.

If none of these solutions work, stay with the firewall disabled and install tcpdump on the server/PC.
Then we should see what kind of addresses/packets are going into your server/PC.

Evidently this is not the case.
You either have limited the web server firewall or the web server itself to respond to local IPs only. And your minimal responses don't really help troubleshooting.
Anyway, it is not connected to OpenWrt, so it is not exactly in the scope of this forum. We have provided you with some clues; best of luck finding the culprit.

2 Likes

Nice motivation :sweat_smile:
Any luck if I set something in the firewall NAT Rules section? DNAT or SNAT?

You have that already. masq enabled on lan zone is SNAT for packets going out of the lan interface. And the fact that the web server responds to these packets, but not to the ones with source IP not belonging to the local-net is quite hard evidence that you have server restrictions on which IPs it will serve.

1 Like
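A check for the condition the replies above describe, as an added example that is not from the thread or from OpenWrt: it parses a UCI firewall config (a constructed sample with invented addresses) and lists DNAT redirects whose destination zone has masq enabled, i.e. whose target host will log the router's LAN address instead of the client's. The helper names are assumptions.

```python
# Added example (not from the thread): flag DNAT redirects whose dest zone
# masquerades. masq on 'lan' SNATs forwarded packets to the router's LAN
# address, so the web server logs the router, not the real client.
import re

# Constructed sample mirroring the thread's config; addresses are invented.
SAMPLE_FIREWALL = """
config zone
    option name 'lan'
    list network 'lan'
    option masq '1'

config redirect
    option name 'fw-http'
    option src 'wan'
    option src_dport '80'
    option dest 'lan'
    option dest_ip '192.168.1.9'
    option dest_port '80'
    option proto 'tcp'
"""
_SECTION = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?")
_ENTRY = re.compile(r"^\s*(option|list)\s+(\S+)\s+'([^']*)'")

def parse_uci(text):
    """Return [(type, name, options)]; 'list' keys map to Python lists."""
    sections = []
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            sections.append((m.group(1), m.group(2), {}))
        elif (m := _ENTRY.match(line)) and sections:
            kind, key, val = m.groups()
            opts = sections[-1][2]
            if kind == "list":
                opts.setdefault(key, []).append(val)
            else:
                opts[key] = val
    return sections

def masq_on_redirect_dest(text):
    """Names of redirects whose dest zone masquerades (client IP hidden)."""
    masq_zones = {o.get("name") for t, _, o in parse_uci(text)
                  if t == "zone" and o.get("masq") == "1"}
    return sorted(o.get("name", "?") for t, _, o in parse_uci(text)
                  if t == "redirect" and o.get("dest") in masq_zones)
```

Run it against the output of uci export firewall; an empty list means no forwarded service is hidden behind the router's own address.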