As a relative newbie I need some help finding out why I can't access one of my two routers.
Background: for about a year I have been using a Fritzbox 4040 router running OpenWrt 22.03 as an exposed host behind my Fritzbox 5530 internet modem. This 4040 router serves all my computer gear in house (together with 2 auxiliary TP-Link APs). Let's call this Fritzbox router 4040-1. Now I want to migrate to OpenWrt 23.05 using a second Fritzbox 4040 (4040-2). In the past I have installed OpenWrt 23.05.02 on this router (and will upgrade to the latest version when I get access).
Steps I undertook:
As a first step I have (manually) duplicated the configuration of router 4040-1 to router 4040-2 (only the wan and lan IP addresses differ).
Both routers are connected from a lan port on the internet modem to their respective wan ports. Router 4040-1 is an exposed host seen from the internet modem.
What is working (4040-1):
my primary router 4040-1 is still playing its role in my home network as before and is fully accessible (ping, trace route, ssh, luci)
What is working in router 4040-2 running 23.05:
it shows up as connected in the internet modem (192.168.178.8)
it responds to ping and trace route from my regular network served by 4040-1 (using either the wan or the lan address)
when I access 4040-2 via its WLAN I can login with Luci
What is not working:
I can't use ssh to access 4040-2 (connection refused) although 'Password Authentication' is ticked as well as 'Allow root logins with password' ('Gateway Ports' is not ticked on either 4040-1 or 4040-2)
I can't use Luci to login ("Server not responding")
What am I overlooking?
Configuration files:
Network (4040-2)
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.202.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.178.1'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
Firewall (4040-2) - except the standard rules
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'
Both routers are connected from the same type of port: from a lan port on the internet modem to the wan port on the router. In this case I would expect the same behaviour from each of the routers, which is, unfortunately, not the case at the moment.
@_bernd
I couldn't find these firewall rules in my 4040-1 configuration but I still have ssh and http access. Where should I look for these rules in my configuration?
This is the Network configuration of my 4040-1 router which has worked for a year already (ie is fully accessible by ssh and luci).
Seen from the internet router, the WAN port of the router has IP address 192.168.178.7 in this case and is on the same subnet as the gateway. Isn't it?
Many thanks to all contributors for the help provided. Unfortunately I still don't have access.
Feedback for the latest recommendations: @psherman I have removed the gateway and yes, I have static routes on my internet modem for both 4040 routers. The two 4040 routers are the only devices connected to my internet modem and both have a static route defined:
My desktop is connected to the 4040-1 router and this is the trace route from my desktop to the 4040-2 router: (4040-1 = 192.168.200.1; internet modem = fritz.box; 4040-2 = 192.168.202.1):
If I'm following correctly you have connected the downstream routers via their wan port to the edge router... Have you ensured that you allow http/https and ssh on the wan zone, at least for your (private) rfc1918 networks?
@_bernd Thanks for raising this question again. My inexperience with networking and firewall rules made me not fully understand the importance of your question.
To test your conclusion I tried the reverse route, ie to access the 4040-1 router (192.168.200.0/24 network) from my 4040-2 (192.168.202.0/24). Without firewall rules allowing this traffic, I got the same result: I could ping and use trace route to show there was traffic possible but I couldn't ssh nor use luci to access the 4040-1 router. And, without additional firewall rules allowing this, this behaviour is what you want (ie by default no ssh/http(s) access over the WAN interface, in particular when it is exposed to the outside world).
I'm going to test the 4040-2 router (OpenWrt 23.05) over the weekend as my exposed host replacing the 4040-1 router (OpenWrt 22.03).
Many thanks and I'll get back when I have another question.
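The point made in the question above and confirmed by the test in the follow-up (ping works, but ssh/LuCI through the wan port are refused until the wan zone admits them) can be checked against the posted firewall text. This is an added example, not code from the thread or from OpenWrt: a small UCI parser plus a simplified INPUT-chain evaluator, run over the 4040-2 wan zone as posted and then again with an assumed extra rule that admits tcp/22, 80 and 443 on the wan zone only from RFC1918 sources.

```python
import ipaddress
import re
# wan zone of 4040-2 as posted (constructed fixture): INPUT is rejected, so
# ssh and LuCI reached through the wan port are refused.
PAGE_FW = """
config zone
	option name 'wan'
	option input 'REJECT'
"""
# Added rule (assumed): allow ssh/http/https on wan, but only from RFC1918 sources.
ADMIN_RULE = """
config rule
	option src 'wan'
	option proto 'tcp'
	option dest_port '22 80 443'
	list src_ip '10.0.0.0/8'
	list src_ip '172.16.0.0/12'
	list src_ip '192.168.0.0/16'
	option target 'ACCEPT'
"""

def parse_uci(text):
    """Parse UCI text into [(section_type, {key: value or [values]})]."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", line)
        if not m:
            continue
        kind, key, value = m.groups()
        if kind == "config":
            sections.append((key, {}))
        elif kind == "option":
            sections[-1][1][key] = value
        else:
            sections[-1][1].setdefault(key, []).append(value)
    return sections

def tcp_input_verdict(sections, zone, src_ip, dport):
    """INPUT verdict for a TCP packet to the router itself: first matching rule
    (src=zone, no dest) wins, else the zone's input policy. Simplified model."""
    ip = ipaddress.ip_address(src_ip)
    for kind, s in sections:
        ports = s.get("dest_port", "").split()
        nets = s.get("src_ip", [])
        if (kind != "rule" or s.get("src") != zone or "dest" in s
                or s.get("proto", "tcpudp") not in ("tcp", "tcpudp", "all")
                or (ports and str(dport) not in ports)
                or (nets and not any(ip in ipaddress.ip_network(n) for n in nets))):
            continue
        return s["target"]
    policy = next(s for k, s in sections if k == "zone" and s.get("name") == zone)
    return policy.get("input", "REJECT")
```

With the posted zone alone, a desktop on 192.168.200.0/24 gets REJECT for port 22; with the rule added it gets ACCEPT, while a public source address or a port outside 22/80/443 still gets REJECT.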
I am not sure what you are trying to do here. Typically you have one router and any AP/switch etc on the same subnet. In that case you can connect from anywhere on your LAN to anywhere on your LAN. Alternatively you can make different subnets, but then you either have double NAT or need static routes, complicating things unnecessarily. (Note that by using the modem on a different subnet you already have double NAT; place the 4040-1 into the DMZ of the modem, then double NAT should not be much of an issue.)
So I am not sure if that is what you want exactly. I would suggest connecting the 4040-2 via one of its LAN ports to a LAN port on the 4040-1, then changing the IP address of the 2nd router to 192.168.200.2.
Once I'm satisfied the second modem is up to its task and network traffic flows as expected, I will promote it to my main router running 23.05 and retire the first router (running 22.03).
What's the IP address of the client (computer) you are trying to access the Fritzbox 4040-2 with? Have you attempted the following? Set the IP address of your client manually to 192.168.202.x (where 1 < x < 255). Then try connecting to 192.168.202.1 again.