OpenWrt Forum Archive

Topic: Access home server from the Internet

The content of this topic has been archived on 1 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,

I am trying to install a server at home to be accessible from the Internet and from a second LAN I have (configured with VLANs). Long ago I managed to have the firewall rules working ok so users in the second VLAN cannot enter into the first one. That is ok.

Now the problem is that I do not know how to make the server on the LAN visible from the Internet. The server has its DDNS configured, and I have configured redirects and rules. But I can only access the server from the local LAN using its local IP address or its local hostname. I cannot access it through the Internet with its DDNS name.

I do not properly understand priorities on zones, redirects and rules. Once redirects are matched, are they immediately connected or do they have to go through every firewall rule too?

When configuring redirects, do I always need to specify the LAN port and the WAN port?

Are zones just a default rule that can be overridden by rules?

Anyway, I think I have opened everything I had to open but the server is not accessible from the Internet.

In order to check if the problem was the firewall, I disabled it, but then I completely lost Internet connectivity. Why?

I think I need a plan to troubleshoot all this.

How would you proceed (tests, commands to get info, how and where to check logs, how to debug...)?

Thank you!!

If you have everything else working, just go to the firewall section in LuCI and add a "port forward", and fill in the form.

I did so. Those are the 'redirects' I meant.

Post your config files here, please.

To see a connection coming in, your router has to be connected to the Internet in a way that its WAN interface has a public IP. If your cable or DSL modem is also acting as a router, it will block incoming traffic. This situation can be recognized by the OpenWrt router's WAN having obtained a private IP such as 192.168.x.x from the modem/router. You need to either put the modem/router box into a bridge mode, or open the port on it to forward from the Internet to your router.

Hey, I'm back. Sorry, I disappeared for some months.

I keep having the problem, and I keep having the doubts explained in the original post : (

I can access my home server from the LAN, but not from the Internet. It is not a DNS problem.

As asked by @eduperez:

network file:
https://share.riseup.net/#cavc8QDy9F08ihGZ4V1tWg
firewall file:
https://share.riseup.net/#PuB_iWoKwu509TjLfewZ1w

Please let me know if you would need any other file or data.

Thank you very much!!

I think you should start debugging this issue using a packet sniffer... do you receive the traffic on the WAN interface of the router? does it leave the LAN interface? does it reach the server? ...

Hey thanks!

Does that mean you think the configuration is ok?

How do I do that packet sniffing thing?

And your server is what? Linux (which one - Ubuntu Server has no firewall by default, but CentOS has a very tough one) or Windows? Have you allowed all zones on the server, not only LAN? Since port forwarding is very easy, I'd be looking there. Have you tried to disable the firewall on the server? You cannot disable the firewall on the router, because it is responsible for doing NAT.

Thanks nozombian.

The server is ok, it comes with the ports opened by default.

What else should I look on port forwarding? Did you see my config files?

By the way I use 2 different user VLANs (home network and community network). It works ok, just mentioning to clarify my config.

Thank you for the firewall explanation on OpenWRT, did not know that!

But, how is the filtering done?
I don't understand everything in the firewall file; there are rules, redirects, defaults, zones, forwarding...

Is there an order to apply those different things?

Or are things applied as soon as there is a match reading from the top to the bottom of the file?

Do you have a fixed IP?

The public IP address of the WAN interface of my home router is dynamically assigned by the ISP.
The private IP address of my server is reserved to its MAC address (configured in the DHCP server of my home router).
The server uses DDNS to be reached from the Internet.

You have to test using a different Internet connection such as a hotspotted smartphone, so you truly are coming in to the network from the Internet. Trying to access your public IP from inside your LAN usually does not work.

I think my tests were ok. They were done from the Internet, out of my LAN. I did some tests from Tor and some others with remote online tools from the clear web: port checkers, ping, etc.

Problem solved.

By chance I discovered my ISP was implementing Carrier-Grade NAT [0]. That's why port forwarding was not working. I asked to disable it for me, they did it, I was assigned a normal dynamic address and everything works now!

Thank you very much to everyone for your help!

[0] https://en.wikipedia.org/wiki/Carrier-grade_NAT
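
Added example, not part of the original thread: a shell check for the two situations the replies describe, a WAN interface holding a private address from a modem/router and a WAN address inside the carrier-grade NAT range 100.64.0.0/10 (RFC 6598). The function names, verdict strings and sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample addresses at the bottom are constructed.

# Print the class of an IPv4 address: cgnat, private, public or invalid.
classify_wan_ip() {
    case $1 in *[!0-9.]*|*..*|.*|*.) echo invalid; return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the dotted quad into $1..$4
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo invalid; return 1; }
    for octet in "$@"; do
        case $octet in ????*|0?*) echo invalid; return 1 ;; esac
        [ "$octet" -le 255 ] || { echo invalid; return 1; }
    done
    if [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then
        echo cgnat                 # 100.64.0.0/10, RFC 6598 shared space
    elif [ "$1" -eq 10 ] ||
         { [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; } ||
         { [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; }; then
        echo private               # RFC 1918: 10/8, 172.16/12, 192.168/16
    else
        echo public
    fi
}

# $1 = address on the router's WAN interface
# $2 = address remote hosts see (e.g. what the DDNS name resolves to)
diagnose() {
    kind=$(classify_wan_ip "$1") || { echo invalid; return 1; }
    case $kind in
        cgnat)   echo isp-cgnat ;;    # forwards on the router cannot work
        private) echo double-nat ;;   # modem/router in front is doing NAT
        public)
            if [ "$1" = "$2" ]; then echo reachable  # check redirects next
            else echo upstream-nat; fi ;;
    esac
}

# On OpenWrt the WAN address can be read with:
#   . /lib/functions/network.sh; network_get_ipaddr WAN_IP wan
for pair in "100.72.13.5 198.51.100.7" "192.168.1.2 198.51.100.7" \
            "203.0.113.10 203.0.113.10"; do
    set -- $pair
    printf '%-13s seen as %-13s -> %s\n' "$1" "$2" "$(diagnose "$1" "$2")"
done
```

Only a `reachable` verdict makes the router's own redirects and rules worth debugging; the other verdicts mean the inbound connection is stopped before it reaches the WAN interface.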

The discussion might have continued from here.