OpenWrt Forum Archive

Topic: Connection refused or Forbidden errors

The content of this topic has been archived on 22 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello!

I want to access my router's GUI via the internet (DDNS works well). But I have tried several methods and searched everywhere, but nothing. I have forwarded ports (80 but also others) and redirected them, but there are two results: CONNECTION ERROR or Forbidden Rejected request from RFC1918 IP to public server address.

I have a NAS. I can reach it with DDNS service and a specific port - works well.

Is there something that I can do for it?

Thanks for any help!

(I tried to insert my settings in this message but always got a message from the forum: too many links, but there were no links. Strange...)

G

(Last edited by Georgie9117 on 31 Dec 2017, 14:14)

Port 80 can be blocked by your ISP, and keep in mind it is unencrypted, so I'd not recommend administering your router via port 80. You should administer your router via SSH or at least HTTPS.

If you want to do this, ssh to your router, run vi /etc/config/firewall, press a and add a rule like this:

config rule
        option name 'web-on-wan'
        option src 'wan'
        option proto 'tcp'
        option dest_port '80'
        option target 'ACCEPT'

If port 80 is blocked by your ISP, you can make a redirect like this:

config redirect
        option name 'web-on-wan'
        option src 'wan'
        option src_dport '8080'
        option dest 'lan'
        option dest_port '80'
        option proto 'tcp'

Then you can admin your router with http://router_public_ip:8080.

(Last edited by nozombian on 31 Dec 2017, 16:21)

Thank you for your reply nozombian!

I added both scripts to my firewall. Result: ERR_CONNECTION_REFUSED. I use port 8080 for my NAS, so I modified it to 8088, but no luck.

I don't want to use just port 80, but no other port works either if I try to access the router's webGUI. But it is very important for me because I like to use WOL and sometimes I have to modify some settings, mostly opening/closing ports for LAN IPs.

I don't think my ISP blocked it. I have another router with DD-WRT and that works fine. Only OpenWrt doesn't work.

Are you using a separate Internet service to try to log in?   When you try to test remote login by using your public IP address on your own LAN, strange things can happen.

mk24 wrote:

Are you using a separate Internet service to try to log in?   When you try to test remote login by using your public IP address on your own LAN, strange things can happen.

You saved my life! :) Yes, another service (on my mobile, GSM data network) is working. I didn't think about this because with DD-WRT it doesn't matter and it worked on the same internet service.

Thank you for your help!

Georgie9117 wrote:

there are two results: CONNECTION ERROR or Forbidden Rejected request from RFC1918 IP to public server address.

You are talking about connection to LuCI with a browser, right?

Two things come to mind:

* Forbidden Rejected request from RFC1918 IP to public server address.
   - mentioned e.g. in https://forum.openwrt.org/viewtopic.php?id=71130
   - remove the "RFC1918 protection" from LuCI web server config (= /etc/config/uhttpd )
     There is rfc1918_filter '1' by default. Change that to 0 and restart the uhttpd service (or reboot)

root@LEDE:~# cat /etc/config/uhttpd

config uhttpd 'main'
...
        option rfc1918_filter '1'

* ERR_CONNECTION_REFUSED
  That sounds like your browser (Chrome?) not liking a private HTTPS certificate or something like that. You might test with another browser (like Firefox) that allows setting certificate exceptions for selected sites.

EDIT:

Yes, another service (on my mobile, GSM data network) is working.

That makes me think that the reason is likely the uhttpd rfc1918 option.

(Last edited by hnyman on 31 Dec 2017, 18:45)
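As an added example (not from the thread or from uhttpd's own code), the script below reimplements the decision that uhttpd's rfc1918_filter option is documented to make: reject a request when the client address is RFC1918 and the router address the connection arrived on is not. The option is uhttpd's DNS rebinding countermeasure, and the scenarios at the bottom use constructed addresses (documentation ranges for the public side) to reproduce why a LAN client testing through the public address gets the Forbidden message while a phone on mobile data does not; IPv4 only.

```shell
#!/bin/sh
# Added example: model of the rfc1918_filter decision (from its documented rule).
# Not uhttpd's code; IPv4 only.

is_rfc1918() {  # true for 10/8, 172.16/12, 192.168/16
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    case "$1" in
        10) return 0 ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
        192) [ "$2" -eq 168 ] && return 0 ;;
    esac
    return 1
}

# $1 client address, $2 the router address the connection arrived on,
# $3 rfc1918_filter value; unset means 1, the value in the config shown above.
# Prints the verdict (same message text as the thread's error).
rfc1918_verdict() {
    if [ "${3:-1}" = 1 ] && is_rfc1918 "$1" && ! is_rfc1918 "$2"; then
        echo "403 Forbidden: Rejected request from RFC1918 IP to public server address"
    else
        echo "allowed"
    fi
}

# Constructed scenarios: router public side 203.0.113.5, LAN side 192.168.1.1,
# LAN client 192.168.1.10, phone on mobile data 198.51.100.7.
# LAN client browsing the DDNS name lands on the public side: rejected.
rfc1918_verdict 192.168.1.10 203.0.113.5
# Same client browsing the LAN address: allowed (both private).
rfc1918_verdict 192.168.1.10 192.168.1.1
# Phone on mobile data: allowed, the client is not an RFC1918 address.
rfc1918_verdict 198.51.100.7 203.0.113.5
# Filter switched to 0 as the post suggests: the LAN test passes as well.
rfc1918_verdict 192.168.1.10 203.0.113.5 0
```

Only the Forbidden result comes from this option; an ERR_CONNECTION_REFUSED means no listener answered on that port at all.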

Yes, you're right, I'm using Chrome (on my mobile as well). Yes, I want to connect to the LuCI webGUI via the DDNS service (the port doesn't matter; if I can't use 80 I use 8088, or any other). The DDNS is working well, I reach my NAS with it (the NAS port is 8080 and it is okay). I read that topic about rfc1918_filter '1' but it did not help. Same result with Firefox. Yes, later I will play with certs.

For now the only way to access the LuCI webGUI is to use a completely different network, if I want remote access.

Thank you for your help!

Btw... Why do I get an error in this forum saying there is a link in my message? There is no link anywhere.

Putting LuCI on the Internet really isn't considered secure.  In particular don't use port 80, your router will get hammered by bots and scripts from all over the world.

I use a SSH tunnel to LuCI.  This is quite secure and also doesn't require any extra software on the router.

mk24 wrote:

Putting LuCI on the Internet really isn't considered secure.  In particular don't use port 80, your router will get hammered by bots and scripts from all over the world.

I use a SSH tunnel to LuCI.  This is quite secure and also doesn't require any extra software on the router.

Yes, I will use another port than 80.

Does SSH have a graphical user interface? Or is it reduced to commands in a terminal? For example, is it easy to set/open/close ports or do wake-on-LAN?

You can open an SSH connection that makes a secure tunnel to local port 80 on the router, as if you are accessing from the LAN.  Then you have remote full access to LuCI, but everything that goes over the Internet is encrypted.

On your remote computer do ssh root@routerhostname -L 8080:localhost:80. When the connection opens, port 8080 on your PC is a tunnel to port 80 on the router.  So leave the SSH session open and go to your web browser localhost:8080.
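As an added example (not from the thread), the script below builds the -L argument in the order ssh expects (local_port:host:port, with host:port resolved on the router side), opens the tunnel with -N so no remote shell is started, and probes the local port before you open a browser. The hostname routerhostname, local port 8080 and the router's port 80 follow the post; the optional SSH port argument and the LuCI path /cgi-bin/luci/ used for the probe are assumptions.

```shell
#!/bin/sh
# Added example: build, open and check an SSH tunnel to LuCI. Not the thread's code.

# -L takes local_port:host:port, where host:port is resolved on the router side.
tunnel_spec() {  # local_port target_host target_port
    printf '%s:%s:%s' "$1" "$2" "$3"
}

# Prints what a -L spec does, to spot a reversed port order before connecting.
explain_spec() {
    oldifs=$IFS; IFS=:; set -- $1; IFS=$oldifs
    [ $# -eq 3 ] || { echo "invalid -L spec"; return 0; }
    printf 'local port %s -> %s:%s as seen from the router\n' "$1" "$2" "$3"
}

# The command a user would type: -N opens no remote shell, -p is the SSH port
# (22 if omitted; assumed argument).
luci_tunnel_cmd() {  # router_host local_port [ssh_port]
    printf 'ssh -N -p %s -L %s root@%s' "${3:-22}" "$(tunnel_spec "$2" localhost 80)" "$1"
}

# Starts the tunnel in the background and waits until something answers on the
# local port. curl reports code 000 while nothing listens there yet.
open_and_check() {  # router_host local_port [ssh_port]
    ssh -N -p "${3:-22}" -L "$(tunnel_spec "$2" localhost 80)" "root@$1" &
    pid=$!
    for attempt in 1 2 3 4 5 6 7 8 9 10; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "http://localhost:$2/cgi-bin/luci/")
        if [ -n "$code" ] && [ "$code" != "000" ]; then
            echo "tunnel up (ssh pid $pid); open http://localhost:$2/ in the browser"
            return 0
        fi
        sleep 1
    done
    kill "$pid" 2>/dev/null
    echo "no answer on localhost:$2 after 10 s; tunnel not established"
    return 1
}

# With the post's names: open_and_check routerhostname 8080
explain_spec "$(tunnel_spec 8080 localhost 80)"
```

Running explain_spec on a spec written the other way round, 80:localhost:8080, shows it would bind local port 80 and point at the router's port 8080 instead.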

mk24 wrote:

You can open an SSH connection that makes a secure tunnel to local port 80 on the router, as if you are accessing from the LAN.  Then you have remote full access to LuCI, but everything that goes over the Internet is encrypted.

On your remote computer do ssh root@routerhostname -L 8080:localhost:80. When the connection opens, port 8080 on your PC is a tunnel to port 80 on the router.  So leave the SSH session open and go to your web browser localhost:8080.

Thank you for your advice! Can I do this on my mobile too?

Georgie9117 wrote:

Thank you for your advice! Can I do this on my mobile too?

Yes. I just tested it with Termius on an Android phone.  The free version of Termius supports port forwards.  It is a paid option on most other SSH client apps.

The discussion might have continued from here.