2nd Openwrt router connected to 1st can't ping ipv4 addresses

Hi all, to get straight to it this is the setup I have:

Google Fiber to Openwrt Router 1 (Connected to Wan port)
Openwrt Router 1 to Openwrt Router 2 (Connected from Lan1 to Wan Respectively)

I created the route table for both routers, I can ping devices on either router fine, even with them being on different subnets (Router 1 uses x.x.4.0, Router 2 uses x.x.3.0)

Now for whatever reason, no matter how many different things I ticked on and off in DHCP, Router 2 cannot access hostnames on router 1, AND it cannot ping websites via ipv4. So I can visit websites fine on router 2, I can ping openwrt.org from router 2 using ipv6, but I cannot ping ipv4 websites (And am trying to confirm if I can visit http websites, hard to find one that doesn't default you to their https version automatically). So I'm thinking maybe something to do with DNS. Gateway and DNS are defaulted to Router 1.

Both Openwrt routers are freshly installed, only customization I did was their respective hostnames and subnets on the lan interface.

Let's get some information on the two routers...

Please make it clear which is OpenWrt Router 1 and which is router 2.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
cat /etc/config/dhcp

As requested:

Router 1 (Named V-Matrix 3)

***********************
*ubus call system board*
***********************

root@V-Matrix3:~# ubus call system board
{
        "kernel": "6.1.79",
        "hostname": "V-Matrix3",
        "system": "ARMv8 Processor rev 4",
        "model": "Dynalink DL-WRX36",
        "board_name": "dynalink,dl-wrx36",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r25389-fe0081eecf",
                "target": "qualcommax/ipq807x",
                "description": "OpenWrt SNAPSHOT r25389-fe0081eecf"
        }
}

*************************
*cat /etc/config/network*
*************************

root@V-Matrix3:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd1d:47a8:9295::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config route
        option interface 'lan'
        option target '192.168.3.0/24'
        option gateway '192.168.4.252'

**************************
*cat /etc/config/firewall*
**************************

root@V-Matrix3:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'V-Frame Website (HTTP)'
        list proto 'tcp'
        option src 'wan'
        option src_dport '*Redacted*'
        option dest_ip '*Redacted*'
        option dest_port '*Redacted*'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'V-Frame Website (HTTPs)'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_ip '*Redacted*'
        option dest_port '*Redacted*'

**********************
*cat /etc/config/dhcp*
**********************

root@V-Matrix3:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option boguspriv '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name '*Redacted*'
        option ip '*Redacted*'
        list mac '*Redacted*'

config host
        option ip '*Redacted*'
        list mac '*Redacted*'

config host
        option name '*Redacted*'
        option ip '*Redacted*'
        list mac '*Redacted*'

config host
        option name '*Redacted*'
        option ip '*Redacted*'
        list mac '*Redacted*'

config host
        option name '*Redacted*'
        option duid *Redacted*
        list mac '*Redacted*'
        option ip '*Redacted*'

Router 2 (Named V-Matrix 2)

************************
*ubus call system board*
************************

root@V-Matrix2:~# ubus call system board
{
        "kernel": "6.1.80",
        "hostname": "V-Matrix2",
        "system": "ARMv8 Processor rev 4",
        "model": "Dynalink DL-WRX36",
        "board_name": "dynalink,dl-wrx36",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r25398-d40d64fc62",
                "target": "qualcommax/ipq807x",
                "description": "OpenWrt SNAPSHOT r25398-d40d64fc62"
        }
}

*************************
*cat /etc/config/network*
*************************

root@V-Matrix2:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd74:2c31:edd4::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config route
        option interface 'wan'
        option target '192.168.4.0/24'
        option gateway '192.168.4.1'

**************************
*cat /etc/config/firewall*
**************************

root@V-Matrix2:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'CVAT Collab'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.3.4'
        option dest_port '8080'

**********************
*cat /etc/config/dhcp*
**********************
root@V-Matrix2:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option local '/lan/'
        option localise_queries '1'
        option authoritative '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name '*Redacted*'
        option duid *Redacted*
        list mac '*Redacted*'
        option ip '*Redacted*'

Remove this from router 2 -- it's not necessary.

Remove the last 2 lines from this in router 2 (masquerading and mtu_fix)

Add a forwarding rule from wan > lan like this (in router 2):

config forwarding
        option src 'wan'
        option dest 'lan'

Then reboot router 2 and test again.

EDIT: I wanted to add that you could entirely eliminate the need for the second router and run both subnets on the main router. Your second router could then be a dumb AP and managed switch... the advantage is that then all the actual routing and firewall functions are handled by the main router -- easier to maintain and such. This is just an option, though.... depends on your goals and topology.

EDIT 2: fixed some problems in the recommended changes... things got out of order and that wouldn't have worked properly. Fixed now.

1 Like
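A check for the change suggested above, as an added example that is not part of the original posts: with wan > lan forwarding allowed and masquerading off, any host on router 1's LAN can open connections to hosts behind router 2, so it is worth confirming which state the firewall file is actually in. The function name `audit_firewall` and the sample configs are assumptions made for this example; the samples are constructed from the zone layout router 2 posted.

```shell
#!/bin/sh
# Added example, not from the thread. On the router itself run:
#   audit_firewall /etc/config/firewall

# audit_firewall [FILE]: summarise zones and forwardings of a UCI firewall
# config (reads stdin when no FILE is given). The last line states whether
# the wan zone may forward into lan and whether wan masquerading is on.
audit_firewall() {
    awk -v q="'" '
    function unq(s) { gsub(q, "", s); return s }    # strip UCI quotes
    function emit() {                               # report finished section
        if (sect == "zone") {
            printf "zone %s input=%s forward=%s masq=%s\n", o["name"],
                   o["input"], o["forward"], (o["masq"] == "1" ? "on" : "off")
            if (o["name"] == "wan" && o["masq"] == "1") nat = 1
        }
        if (sect == "forwarding") {
            printf "forwarding %s->%s\n", o["src"], o["dest"]
            if (o["src"] == "wan" && o["dest"] == "lan") w2l = 1
        }
        split("", o)                                # clear option table
    }
    $1 == "config" { emit(); sect = $2; next }
    $1 == "option" { o[$2] = unq($3) }
    END {
        emit()
        printf "summary wan_to_lan=%s masq=%s\n",
               (w2l ? "allowed" : "blocked"), (nat ? "on" : "off")
    }' "$@"
}

# Constructed sample input: $1 = before (zones as posted for router 2)
# or after (masq and mtu_fix removed, wan > lan forwarding added).
sample_config() {
    cat <<'EOF'
config zone
        option name 'lan'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option forward 'REJECT'
EOF
    [ "$1" = before ] && printf "        option masq '1'\n        option mtu_fix '1'\n"
    cat <<'EOF'

config forwarding
        option src 'lan'
        option dest 'wan'
EOF
    [ "$1" = after ] && printf "\nconfig forwarding\n        option src 'wan'\n        option dest 'lan'\n"
    return 0
}

for state in before after; do
    echo "== router 2, $state =="
    sample_config "$state" | audit_firewall
done
```
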

Sorry for the delay, I have the following questions, some for the sake of learning:

Remove this from router 2 -- it's not necessary.

That leaves just the lan -> rejected zone, why is this not necessary? When I did preliminary testing, as soon as I remove that zone, the router appears to lose the ability to communicate through the wan port. Interested in how this eventually works with the other configurations.

Remove the last 2 lines from this in router 2 (masquerading and mtu_fix)

So I could go and use vi to remove the last two lines, but then that just leaves the "option interface 'wan' " line. Is this correct and how does this work? If I go to the pertaining luci entry to try and make this change, it would complain saying that such an entry is invalid if I just try to use interface wan and no additional data.

Add a forwarding rule from wan > lan like this (in router 2):

config forwarding
        option src 'wan'
        option dest 'lan'

This one I would need help with understanding where exactly I'm inserting this in, it seems to me pretty self explanatory about what it is doing (forwarding wan traffic to lan), I was also, like the previous, trying to find what would have been the related luci interface just to try and understand things better.

btw, when I also edited the wan zone to accept input and intra zone traffic, I could now ipv4 ping all websites and go to sites I couldn't access that were http. Would I be correct in understanding that:

  1. input pertains to request from the source
  2. output pertains to the destination the traffic is trying to go to with regard to the interface listed on the zone
  3. intrazone pertains to traffic that is only destined between the two interfaces themselves? So not the actual end devices, but in this example, router to router?

Thanks again for the help and trying to learn. Soon as I know where to put that forwarding info into via vi and confirm to indeed remove the last two lines from route (also by vi since luci will complain), I'll go ahead and go with the full requested changes and update you accordingly.

gah....I think I may have messed up in what I was suggesting... Don't do anything quite yet. Sorry for any confusion.

let me re-read this and get back to you.

Thanks a ton and appreciate your time on the matter. So much to learn and it's hard to know where to start. I'm familiar with networking, but by no means am I advanced nor familiar with how openwrt may do things. Plus I am highly susceptible to atrophy, so when I go a sufficient amount of time without doing some technical stuff, I forget it all and need a refresher lol

Ok... figured out what happened... some stuff ended up getting out of order with my recommendations. I've fixed it now. Take a look and let me know if you have questions.

Thanks, everything just about works as far as I can tell, only one more thing now.

Regarding hostnames, how do I get it so that when I enter a hostname that is established by router 1, on router 2, that it is able to find it?

So for example, I could enter the hostname of router 2 in the browser, and be navigated to the openwrt luci page, but if I tried to enter the hostname for router 1, it can't find it. But if I enter the ip address, I can get to it no problem. Is this possible from an automation standpoint or do I need to manually create these associations on router 2?

Why don't you create a new thread for this question -- then we can explore a few different aspects of what you want and how to achieve it.

Awesome. Sorry for the confusion earlier.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :)

1 Like

Thanks a ton, thumbs up and marked your edited post as the solution. For those who come to this thread in the future, the follow-on thread created for the hostnames is here: Sharing Hostnames between Openwrt Routers

1 Like
