1/2 LAN no Internet Access 1/2 LAN yes Internet Access

Hello all.

I have a strange situation. I have 2 internal interfaces: lan (br-lan) (192.168.0.0/23) and dmz (br-Robots) (192.168.3.0/24). From dmz I can surf the internet. From lan, I cannot. eth0.2 is the wan interface.

Doing a little tcpdump, this is what I see when I try to ping 1.1.1.1 from lan:

root@router:~# tcpdump -i eth0.2 -ln host 1.1.1.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.2, link-type EN10MB (Ethernet), capture size 262144 bytes
10:05:05.400148 ARP, Request who-has 1.1.1.1 tell 73.13.64.28, length 28
10:05:06.442204 ARP, Request who-has 1.1.1.1 tell 73.13.64.28, length 28
10:05:07.480392 ARP, Request who-has 1.1.1.1 tell 73.13.64.28, length 28
10:05:08.519720 ARP, Request who-has 1.1.1.1 tell 73.13.64.28, length 28
10:05:09.562206 ARP, Request who-has 1.1.1.1 tell 73.13.64.28, length 28
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel

When I ping from dmz:

root@router:~# tcpdump -i eth0.2 -ln host 1.1.1.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.2, link-type EN10MB (Ethernet), capture size 262144 bytes
10:10:45.495466 IP 73.13.64.28 > 1.1.1.1: ICMP echo request, id 145, seq 1, length 72
10:10:45.507457 IP 1.1.1.1 > 73.13.64.28: ICMP echo reply, id 145, seq 1, length 72
10:10:45.622743 IP 73.13.64.28 > 1.1.1.1: ICMP echo request, id 146, seq 1, length 72
10:10:45.638059 IP 1.1.1.1 > 73.13.64.28: ICMP echo reply, id 146, seq 1, length 72
10:10:45.754193 IP 73.13.64.28 > 1.1.1.1: ICMP echo request, id 147, seq 1, length 72
10:10:45.766631 IP 1.1.1.1 > 73.13.64.28: ICMP echo reply, id 147, seq 1, length 72
10:10:45.880227 IP 73.13.64.28 > 1.1.1.1: ICMP echo request, id 148, seq 1, length 72
10:10:45.891240 IP 1.1.1.1 > 73.13.64.28: ICMP echo reply, id 148, seq 1, length 72
10:10:46.008000 IP 73.13.64.28 > 1.1.1.1: ICMP echo request, id 149, seq 1, length 72
10:10:46.019035 IP 1.1.1.1 > 73.13.64.28: ICMP echo reply, id 149, seq 1, length 72
10:10:46.213394 IP 73.13.64.28 > 1.1.1.1: ICMP echo request, id 150, seq 1, length 72
10:10:46.225518 IP 1.1.1.1 > 73.13.64.28: ICMP echo reply, id 150, seq 1, length 72
10:10:46.341000 IP 73.13.64.28 > 1.1.1.1: ICMP echo request, id 151, seq 1, length 72
10:10:46.352219 IP 1.1.1.1 > 73.13.64.28: ICMP echo reply, id 151, seq 1, length 72
10:10:46.465160 IP 73.13.64.28 > 1.1.1.1: ICMP echo request, id 152, seq 1, length 72
10:10:46.480399 IP 1.1.1.1 > 73.13.64.28: ICMP echo reply, id 152, seq 1, length 72
10:10:46.595465 IP 73.13.64.28 > 1.1.1.1: ICMP echo request, id 153, seq 1, length 72
10:10:46.606533 IP 1.1.1.1 > 73.13.64.28: ICMP echo reply, id 153, seq 1, length 72
10:10:46.723217 IP 73.13.64.28 > 1.1.1.1: ICMP echo request, id 154, seq 1, length 72
10:10:46.734608 IP 1.1.1.1 > 73.13.64.28: ICMP echo reply, id 154, seq 1, length 72

I have wracked my brain trying to find a solution, but I can't figure it out. My lan hosts cannot get to the internet for some reason. I humbly request help with this, please.

Version Info (I know it's old, but each upgrade attempt has failed and costs me a day to get it back to working order so I am waiting on a new device to upgrade and [hopefully] restore my config to):

root@router:/etc# cat openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='19.07.4'
DISTRIB_REVISION='r11208-ce6496d796'
DISTRIB_TARGET='ipq806x/generic'
DISTRIB_ARCH='arm_cortex-a15_neon-vfpv4'
DISTRIB_DESCRIPTION='OpenWrt 19.07.4 r11208-ce6496d796'
DISTRIB_TAINTS=''
root@router:/etc# cat openwrt_version
r11208-ce6496d796
root@router:/etc#

ip r:

root@router:~# ip r
default via 73.13.64.1 dev eth0.2  src 73.13.64.28
73.13.64.0/21 dev eth0.2 scope link  src 73.13.64.28
192.168.0.0/23 dev br-lan scope link  src 192.168.0.1
192.168.3.0/24 dev br-Robots scope link  src 192.168.3.1
192.168.5.0/24 dev br-Spy scope link  src 192.168.5.1
192.168.7.0/24 dev eth1.7 scope link  src 192.168.7.1
192.168.254.0/24 dev br-Management scope link  src 192.168.254.1

ip a:

root@router:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 38:94:ed:b6:6c:50 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::3a94:edff:feb6:6c50/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 38:94:ed:b6:6c:4f brd ff:ff:ff:ff:ff:ff
    inet6 fe80::3a94:edff:feb6:6c4f/64 scope link
       valid_lft forever preferred_lft forever
7: br-Management: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 38:94:ed:b6:6c:4f brd ff:ff:ff:ff:ff:ff
    inet 192.168.254.1/24 brd 192.168.254.255 scope global br-Management
       valid_lft forever preferred_lft forever
    inet6 fe80::3a94:edff:feb6:6c4f/64 scope link
       valid_lft forever preferred_lft forever
8: eth1.254@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-Management state UP qlen 1000
    link/ether 38:94:ed:b6:6c:4f brd ff:ff:ff:ff:ff:ff
9: br-Robots: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 38:94:ed:b6:6c:4f brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.1/24 brd 192.168.3.255 scope global br-Robots
       valid_lft forever preferred_lft forever
    inet6 fe80::3a94:edff:feb6:6c4f/64 scope link
       valid_lft forever preferred_lft forever
10: eth1.3@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-Robots state UP qlen 1000
    link/ether 38:94:ed:b6:6c:4f brd ff:ff:ff:ff:ff:ff
11: br-Spy: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 38:94:ed:b6:6c:4f brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.1/24 brd 192.168.5.255 scope global br-Spy
       valid_lft forever preferred_lft forever
    inet6 fe80::3a94:edff:feb6:6c4f/64 scope link
       valid_lft forever preferred_lft forever
12: eth1.5@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-Spy state UP qlen 1000
    link/ether 38:94:ed:b6:6c:4f brd ff:ff:ff:ff:ff:ff
15: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 38:94:ed:b6:6c:4f brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/23 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet 192.168.1.1/23 brd 192.168.1.255 scope global secondary br-lan
       valid_lft forever preferred_lft forever
    inet6 fe80::3a94:edff:feb6:6c4f/64 scope link
       valid_lft forever preferred_lft forever
17: eth1.7@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 38:94:ed:b6:6c:4f brd ff:ff:ff:ff:ff:ff
    inet 192.168.7.1/24 brd 192.168.7.255 scope global eth1.7
       valid_lft forever preferred_lft forever
    inet6 fe80::3a94:edff:feb6:6c4f/64 scope link
       valid_lft forever preferred_lft forever
18: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 38:94:ed:b6:6c:50 brd ff:ff:ff:ff:ff:ff
    inet 73.13.64.28/21 brd 73.13.71.255 scope global eth0.2
       valid_lft forever preferred_lft forever
    inet6 2001:558:6027:3e:d4f:3c4a:2726:85b0/128 scope global dynamic
       valid_lft 289386sec preferred_lft 289386sec
    inet6 fe80::3a94:edff:feb6:6c50/64 scope link
       valid_lft forever preferred_lft forever
39: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 38:94:ed:b6:6c:52 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::3a94:edff:feb6:6c52/64 scope link
       valid_lft forever preferred_lft forever
40: wlan1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-Robots state UP qlen 1000
    link/ether 3a:94:ed:b6:6c:52 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::3894:edff:feb6:6c52/64 scope link
       valid_lft forever preferred_lft forever
48: eth1.10@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 38:94:ed:b6:6c:4f brd ff:ff:ff:ff:ff:ff
49: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 38:94:ed:b6:6c:51 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::3a94:edff:feb6:6c51/64 scope link
       valid_lft forever preferred_lft forever
50: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-Robots state UP qlen 1000
    link/ether 3a:94:ed:b6:6c:51 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::3894:edff:feb6:6c51/64 scope link
       valid_lft forever preferred_lft forever
51: wlan0-2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-Management state UP qlen 1000
    link/ether 3e:94:ed:b6:6c:51 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::3c94:edff:feb6:6c51/64 scope link
       valid_lft forever preferred_lft forever
root@router:~#

cat /etc/config/network:

root@router:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdff:fd26:db4b::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option igmp_snooping '1'
        option delegate '0'
        list ipaddr '192.168.0.1/23'
        list ipaddr '192.168.1.1/23'
        option ifname 'eth1.10'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '2a10:50c0::ad1:ff'
        list dns '2a10:50c0::ad2:ff'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '0t 5'

config switch_vlan
        option device 'switch0'
        option vlan '8'
        option vid '3'
        option ports '6t 2 1t'

config interface 'Robots'
        option proto 'static'
        option type 'bridge'
        option igmp_snooping '1'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option ifname 'eth1.3'
        list dns '94.140.14.14'
        list dns '94.140.15.15'

config switch_vlan
        option device 'switch0'
        option vlan '9'
        option vid '10'
        option ports '6t 4 3 1t'

config interface 'Spy'
        option proto 'static'
        option netmask '255.255.255.0'
        option delegate '0'
        option ipaddr '192.168.5.1'
        option ifname 'eth1.5'
        option type 'bridge'

config switch_vlan
        option device 'switch0'
        option vlan '12'
        option vid '1'
        option ports '6t 1'

config switch_vlan
        option device 'switch0'
        option vlan '13'
        option vid '5'
        option ports '6t 1t'

config switch_vlan
        option device 'switch0'
        option vlan '14'
        option vid '9'
        option ports '6t 1t'

config switch_vlan
        option device 'switch0'
        option vlan '15'
        option vid '7'
        option ports '6t 1t'

config interface 'FBI'
        option proto 'static'
        option ifname 'eth1.7'
        option ipaddr '192.168.7.1'
        option netmask '255.255.255.0'

config interface 'Management'
        option proto 'static'
        option netmask '255.255.255.0'
        option type 'bridge'
        option ifname 'eth1.254'
        option ipaddr '192.168.254.1'

config rule
        option in 'lan'
        option lookup '100'

config route
        option interface 'wan'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option metric '200'
        option table '100'

root@router:~#

cat /etc/config/firewall:

root@router:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'
        option flow_offloading_hw '1'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option family 'ipv4'
        option log '1'
        option log_limit '100/minute'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        option forward 'REJECT'

config rule
        option dest_port '7345 9000'
        list dest_ip '192.168.1.135'
        option target 'ACCEPT'
        option name 'Hubitat-Vizio'
        option dest '*'
        option src '*'
        list src_ip '192.168.3.27'
        list src_ip '192.168.3.109'
        list proto 'tcp'
        list proto 'icmp'

config rule
        option dest 'wan'
        option target 'REJECT'
        list src_ip '192.168.1.128/25'
        option name 'INetBlocked'
        list proto 'all'
        option src '*'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option dest_port '443'
        option src '*'
        option name 'OpenVPNServer'
        option family 'ipv4'
        option target 'ACCEPT'
        list proto 'udp'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config include 'bcp38'
        option type 'script'
        option path '/usr/lib/bcp38/run.sh'
        option family 'IPv4'
        option reload '1'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config zone
        option name 'dmz'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option log '1'
        option family 'ipv4'
        list device 'br-Robots'
        option log_limit '100/minute'
        list network 'Robots'
        list network 'droids'

config forwarding
        option dest 'wan'
        option src 'dmz'

config forwarding
        option dest 'dmz'
        option src 'lan'

config rule
        option dest_port '123'
        option src '*'
        option name 'NTPAllowed'
        option dest '*'
        option target 'ACCEPT'
        list proto 'udp'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Spy'
        list network 'FBI'
        option name 'Inetblocked'

config zone
        option name 'management'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Management'

config rule
        option name 'RemoteAccess'
        list proto 'tcp'
        option src 'wan'
        option dest_port '80'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'RemoteAccess443'
        list proto 'tcp'
        option src 'wan'
        option dest_port '443'
        option target 'ACCEPT'
        option enabled '0'

config forwarding
        option src 'lan'
        option dest 'management'

config forwarding
        option src 'lan'
        option dest 'wan'

root@router:~#

What device and version?

ubus call system board

Apologies for neglecting that information.

root@router:~# ubus call system board
{
        "kernel": "4.14.275",
        "hostname": "router",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "Netgear Nighthawk X4S R7800",
        "board_name": "netgear,r7800",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.4",
                "revision": "r11208-ce6496d796",
                "target": "ipq806x/generic",
                "description": "OpenWrt 19.07.4 r11208-ce6496d796"
        }
}
root@router:~#

How I got into this position:

I attempted to set up wireguard yesterday but could not (handshake worked, but could not get to the internet after connecting) so I backed out and uninstalled wireguard. Later that evening I noticed that br-lan could not get to the internet (similar to what was happening with wireguard). After attempting to fix the issue, I chose to restore to a good known backup (Nov 19th, 2023). This, after 8 hours of struggling with the restore, did not fix the issue. Hopefully this helps, and thank you again for taking a look.

If the lan device has a 192.168.0.0/24 (not /23) IP address, it will not work. This is because LAN broadcasts go to 192.168.1.255, which is outside that scope.

It is /23. All lan devices are unable to get out to the internet and nearly all of them are DHCP.

Hi

it is wrong
they are overlapping

calculation for 192.168.0.1/23

IP Address:	192.168.0.1
Network Address:	192.168.0.0
Usable Host IP Range:	192.168.0.1 - 192.168.1.254
Broadcast Address:	192.168.1.255
Total Number of Hosts:	512
Number of Usable Hosts:	510
Subnet Mask:	255.255.254.0

Thank you. This is another ip assignment for the lan interface. This has been in place for years without issue. Just in case, since I'm at the end of my rope, I've removed it and restarted the interface. Sadly, this did not have any effect on this strange issue. Thank you for the keen eye.

please post your current config/network file

It's posted in the first post, second to last block, just before /etc/config/firewall.

Copied here for ease of reference.

root@router:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdff:fd26:db4b::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option igmp_snooping '1'
        option delegate '0'
        list ipaddr '192.168.0.1/23'
        list ipaddr '192.168.1.1/23'
        option ifname 'eth1.10'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '2a10:50c0::ad1:ff'
        list dns '2a10:50c0::ad2:ff'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '0t 5'

config switch_vlan
        option device 'switch0'
        option vlan '8'
        option vid '3'
        option ports '6t 2 1t'

config interface 'Robots'
        option proto 'static'
        option type 'bridge'
        option igmp_snooping '1'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option ifname 'eth1.3'
        list dns '94.140.14.14'
        list dns '94.140.15.15'

config switch_vlan
        option device 'switch0'
        option vlan '9'
        option vid '10'
        option ports '6t 4 3 1t'

config interface 'Spy'
        option proto 'static'
        option netmask '255.255.255.0'
        option delegate '0'
        option ipaddr '192.168.5.1'
        option ifname 'eth1.5'
        option type 'bridge'

config switch_vlan
        option device 'switch0'
        option vlan '12'
        option vid '1'
        option ports '6t 1'

config switch_vlan
        option device 'switch0'
        option vlan '13'
        option vid '5'
        option ports '6t 1t'

config switch_vlan
        option device 'switch0'
        option vlan '14'
        option vid '9'
        option ports '6t 1t'

config switch_vlan
        option device 'switch0'
        option vlan '15'
        option vid '7'
        option ports '6t 1t'

config interface 'FBI'
        option proto 'static'
        option ifname 'eth1.7'
        option ipaddr '192.168.7.1'
        option netmask '255.255.255.0'

config interface 'Management'
        option proto 'static'
        option netmask '255.255.255.0'
        option type 'bridge'
        option ifname 'eth1.254'
        option ipaddr '192.168.254.1'

config rule
        option in 'lan'
        option lookup '100'

config route
        option interface 'wan'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option metric '200'
        option table '100'

root@router:~#

so, please, your current network config after removing overlapped IPs

OMG, I'm so sorry. It's the sleep deprivation kicking in. I was up till 3am attempting to fix this router.

Here's the new /etc/config/network:

root@router:~# date
Sat Nov 25 11:50:19 EST 2023
root@router:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdff:fd26:db4b::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option igmp_snooping '1'
        option delegate '0'
        option ifname 'eth1.10'
        list ipaddr '192.168.0.1/23'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '2a10:50c0::ad1:ff'
        list dns '2a10:50c0::ad2:ff'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '0t 5'

config switch_vlan
        option device 'switch0'
        option vlan '8'
        option vid '3'
        option ports '6t 2 1t'

config interface 'Robots'
        option proto 'static'
        option type 'bridge'
        option igmp_snooping '1'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option ifname 'eth1.3'
        list dns '94.140.14.14'
        list dns '94.140.15.15'

config switch_vlan
        option device 'switch0'
        option vlan '9'
        option vid '10'
        option ports '6t 4 3 1t'

config interface 'Spy'
        option proto 'static'
        option netmask '255.255.255.0'
        option delegate '0'
        option ipaddr '192.168.5.1'
        option ifname 'eth1.5'
        option type 'bridge'

config switch_vlan
        option device 'switch0'
        option vlan '12'
        option vid '1'
        option ports '6t 1'

config switch_vlan
        option device 'switch0'
        option vlan '13'
        option vid '5'
        option ports '6t 1t'

config switch_vlan
        option device 'switch0'
        option vlan '14'
        option vid '9'
        option ports '6t 1t'

config switch_vlan
        option device 'switch0'
        option vlan '15'
        option vid '7'
        option ports '6t 1t'

config interface 'FBI'
        option proto 'static'
        option ifname 'eth1.7'
        option ipaddr '192.168.7.1'
        option netmask '255.255.255.0'

config interface 'Management'
        option proto 'static'
        option netmask '255.255.255.0'
        option type 'bridge'
        option ifname 'eth1.254'
        option ipaddr '192.168.254.1'

config rule
        option in 'lan'
        option lookup '100'

config route
        option interface 'wan'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option metric '200'
        option table '100'

root@router:~#

OK

please try to remove these 2 blocks and restart network

Sir. I can't begin to express my appreciation for your help in fixing this!!! Please send me a private message with your venmo or paypal or money service of choice. I will be sending you a small token of my appreciation.

Thank you so much!!!!!!!!!! I am so grateful!!

Thank you!!! Thank you!!!

no need for this, I am glad that we sorted out your problem

It's the sleep deprivation kicking in

and now, go to sleep :slight_smile: :slight_smile:

have a nice weekend. Bye

You should really upgrade to the latest openwrt. The version you are using is eol and unsupported. It contains many known security vulnerabilities.

https://firmware-selector.openwrt.org/?version=23.05.2&target=ipq806x%2Fgeneric&id=netgear_r7800

Furthermore, the r7800 really has no problems running 23.05.x either, as it has plenty of performance and flash/RAM, so you really should.

I was in a rush yesterday (holidays), but I'd like to understand what those blocks were doing. I'm guessing that they were a by-product of implementing wireguard.

Is there a reference for what those blocks mean, if you know of one, please?

Hi Peter.
I absolutely want to do this, but it failed last time I tried (last weekend). I spent about 8 hours getting the router back to working order. I will try again and probably come back here with hat in hand to figure out why the attended upgrade fails.

Fortunately, I have my r7800 jtagged so I have console access to help.

I attempted to go to 21.02, as that stated I could restore my backup.

Anyway, yes, you're right. That was my intent. I'll try again next weekend, and thank you again.

Agreed. Next weekend, I'll try again to upgrade.

Hi
you could start with these
and then, google, and google, and learn about routing and multiple routing tables inside linux kernel

but, for starters, there is no need to use these unless you really really need it, or want to complicate things
if you wanted some routing decisions with WG to say, ahaaaa, host X will be routed to WG, but host Y won't, then maybe PBR package is your friend. It is more user-friendly and does not require deep knowledge.
But please let this topic be closed as [solved]
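
An added example, not code from the thread or from OpenWrt: the `config rule` / `config route` pair in the posted /etc/config/network sends everything arriving from lan to table 100, whose only route is a default with no `option gateway`, which is consistent with the router sending ARP requests for 1.1.1.1 on eth0.2 in the first capture. The script parses a UCI network file and reports that pattern; `POSTED_CONFIG` is a trimmed, constructed copy of the posted file and the function names are hypothetical.

```python
import ipaddress
import shlex

# Constructed input: the policy-routing sections of the /etc/config/network
# posted in the thread, trimmed to the interfaces they reference.
POSTED_CONFIG = """
config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ifname 'eth1.10'
        list ipaddr '192.168.0.1/23'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config rule
        option in 'lan'
        option lookup '100'

config route
        option interface 'wan'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option metric '200'
        option table '100'
"""


def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'opts': {key: [values]}}, ...]."""
    sections = []
    for raw in text.splitlines():
        words = shlex.split(raw)  # handles the single-quoted values
        if not words:
            continue
        if words[0] == "config" and len(words) >= 2:
            name = words[2] if len(words) > 2 else None
            sections.append({"type": words[1], "name": name, "opts": {}})
        elif words[0] in ("option", "list") and len(words) >= 3 and sections:
            sections[-1]["opts"].setdefault(words[1], []).append(words[2])
    return sections


def opt(section, key, default=None):
    """Return the first value of an option, or a default when it is absent."""
    return section["opts"].get(key, [default])[0]


def is_default_route(route):
    """True when target/netmask describe 0.0.0.0/0."""
    target = opt(route, "target", "")
    if "/" not in target:
        # A missing netmask means a host route (/32) in OpenWrt's route syntax
        target = f"{target}/{opt(route, 'netmask', '255.255.255.255')}"
    try:
        return ipaddress.ip_network(target, strict=False).prefixlen == 0
    except ValueError:
        return False


def find_onlink_defaults(text):
    """Report ip rules that select a table whose default route has no gateway."""
    sections = parse_uci(text)
    routes = [s for s in sections if s["type"] == "route"]
    findings = []
    for rule in (s for s in sections if s["type"] == "rule"):
        table = opt(rule, "lookup")
        for route in routes:
            if opt(route, "table", "main") != table:
                continue
            if is_default_route(route) and opt(route, "gateway") is None:
                findings.append({
                    "from": opt(rule, "in"),
                    "table": table,
                    "via_interface": opt(route, "interface"),
                })
    return findings


if __name__ == "__main__":
    for f in find_onlink_defaults(POSTED_CONFIG):
        print(f"traffic from '{f['from']}' uses table {f['table']}: default route "
              f"on '{f['via_interface']}' has no gateway, so every destination "
              f"is treated as on-link and resolved with ARP")
```

On the router itself, `ip rule show` and `ip route show table 100` display the same rule and route as the kernel sees them.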