I use an openWRT router (Fritzbox 4040) for parental control behind my provider router. Computers of the parents, printer, NAS and so on are in the network behind the provider router. Tablets and smartphones of the children are in the network of the openWRT router. The children were able to access the internet, and the printer and the NAS in the WAN network of the openWRT router.
During the update of openWRT from 21.x to 23.05 I had to reset my configuration, because of an incompatible configuration version. I made screenshots and so on of the old configuration and tried to restore everything. But there is one problem I can't resolve. No device in the parent network is accessible, e.g. the NAS or the printer, but the children can surf the internet.
Overview:
Internet <---> Provider Router <- 192.168.4.0-> openWRT <-192.168.41.0-> Children LAN
The openWRT has a static IP in 192.168.4.0 network.
I tried to allow traffic from the WAN zone in the firewall settings and static routes for the 192.168.4.0 network.
Can anyone help me? Which further information and configurations are necessary for help?
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have
ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
uci export network;
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd99:e1a7:aa1b::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.4.98'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'wan'
option proto 'static'
option ipaddr '192.168.4.99'
option netmask '255.255.255.0'
option gateway '192.168.4.1'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config interface 'IF_FXXX'
option proto 'static'
option device 'br-if_fXXX'
option ipaddr '192.168.41.1'
option netmask '255.255.255.0'
config device
option type 'bridge'
option name 'br-if_fXXX'
list ports 'eth0'
list ports 'lan1'
config interface 'IF_LXXX'
option proto 'static'
option device 'br-if_lXXX'
option ipaddr '192.168.42.1'
option netmask '255.255.255.0'
config device
option type 'bridge'
option name 'br-if_lXXX'
list ports 'eth0'
uci export dhcp; uci export firewall
uci: Parse error (invalid character in name field) at line 17, byte 18
package firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'ACCEPT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option masq '1'
list network 'wan6'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'zone_fXXX'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'IF_FXXX'
config forwarding
option src 'zone_fXXX'
option dest 'wan'
config zone
option name 'zone_lXXX'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'IF_LXXX'
config forwarding
option src 'zone_lXXX'
option dest 'wan'
config rule
option name 'Allow-LuCI-on-WAN'
option src 'wan'
option dest_port '80'
option target 'ACCEPT'
list proto 'tcp'
list proto 'icmp'
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.4.99/24 brd 192.168.4.255 scope global wan
valid_lft forever preferred_lft forever
10: br-if_fXXX: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.41.1/24 brd 192.168.41.255 scope global br-if_fXXX
valid_lft forever preferred_lft forever
13: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.4.98/24 brd 192.168.4.255 scope global br-lan
valid_lft forever preferred_lft forever
18: br-if_lXXX: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.42.1/24 brd 192.168.42.255 scope global br-if_lXXX
valid_lft forever preferred_lft forever
default via 192.168.4.1 dev wan
192.168.4.0/24 dev br-lan scope link src 192.168.4.98
192.168.4.0/24 dev wan scope link src 192.168.4.99
192.168.41.0/24 dev br-if_fXXX scope link src 192.168.41.1
192.168.42.0/24 dev br-if_lXXX scope link src 192.168.42.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
local 192.168.4.98 dev br-lan table local scope host src 192.168.4.98
local 192.168.4.99 dev wan table local scope host src 192.168.4.99
broadcast 192.168.4.255 dev br-lan table local scope link src 192.168.4.98
broadcast 192.168.4.255 dev wan table local scope link src 192.168.4.99
local 192.168.41.1 dev br-if_fXXX table local scope host src 192.168.41.1
broadcast 192.168.41.255 dev br-if_fXXX table local scope link src 192.168.41.1
local 192.168.42.1 dev br-if_lXXX table local scope host src 192.168.42.1
broadcast 192.168.42.255 dev br-if_lXXX table local scope link src 192.168.42.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Ah, damn, these are remnants of the initial configuration, I don't need them anymore. If I set it to DHCP, of course I also get an IP from the 192.168.4.0 network. What do I have to set so that there is no IP there?
If there's no IP on the wan, there would be no connectivity upstream.
If the purpose of this device is to route (i.e. a distinct network on the lan of this device compared to the wan), you need to change the lan network address to something in a different subnet. Anything other than the 192.168.4.x address range would be fine -- you could do 192.168.5.1/24 if you wanted, as an example.
Thanks to psherman and egc.
I changed the IP to something different and the children can access the NAS again.
I tried DHCP, too, but then the interface gets an IP from the parent network, but why?
First, why would you do that? The device needs to have an address on its lan (assuming you are running it in routing mode).
Second, that doesn't make sense on the surface, but as I look, it seems that you have multiple bridges, some of them are re-using the same port. This is not valid.
Above you've got all 4 lan ports. That's fine.
But below, you have a bridge using lan1 again -- that's not okay. A port can only be in a single bridge.
Similarly, above you use eth0, then you have another bridge below that is also using eth0. Again, this is not valid.
It would probably be best if you reset your router to defaults and start over.
What is it that you are hoping to achieve with each of these bridges?
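Both problems raised in this thread (the lan and wan interfaces sharing 192.168.4.0/24, and lan1 and eth0 each appearing in two bridges) are visible in the `uci export network` dump itself. The following is an added example, not code from the thread or from OpenWrt: a small parser for `uci export` output plus three checks, run over a sample trimmed from the first dump above. The "known port" list (lan1-lan4 and wan) is taken from the default config posted later in the thread; treating anything else as suspect is an assumption of this example.

```python
"""Sanity-check an OpenWrt `uci export network` dump for two mistakes seen in
this thread: a port placed in more than one bridge (or a port that is not one
of the device's real ports), and two interfaces on overlapping IPv4 subnets."""
import ipaddress
from collections import defaultdict

# Constructed sample: the bridge and interface stanzas from the first dump
# in the thread, trimmed to what the checks need.
SAMPLE_EXPORT = """package network

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.4.98'
	option netmask '255.255.255.0'

config interface 'wan'
	option device 'wan'
	option proto 'static'
	option ipaddr '192.168.4.99'
	option netmask '255.255.255.0'
	option gateway '192.168.4.1'

config device
	option type 'bridge'
	option name 'br-if_fXXX'
	list ports 'eth0'
	list ports 'lan1'

config interface 'IF_FXXX'
	option proto 'static'
	option device 'br-if_fXXX'
	option ipaddr '192.168.41.1'
	option netmask '255.255.255.0'

config device
	option type 'bridge'
	option name 'br-if_lXXX'
	list ports 'eth0'
"""

# Assumption: the ports a Fritzbox 4040 exposes, per the default config in the thread.
KNOWN_PORTS = ("lan1", "lan2", "lan3", "lan4", "wan")


def parse_uci(text):
    """Parse `uci export` text into (section_type, section_name, {key: [values]})."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("package"):
            continue
        parts = line.split(None, 2)  # keyword, key, quoted value
        if parts[0] == "config":
            name = parts[2].strip("'") if len(parts) > 2 else None
            current = (parts[1], name, defaultdict(list))
            sections.append(current)
        elif parts[0] in ("option", "list") and current is not None:
            current[2][parts[1]].append(parts[2].strip("'"))  # list keys collect several values
    return sections


def bridge_port_owners(sections):
    """Map each port to the list of bridges that claim it."""
    owners = defaultdict(list)
    for stype, _, opts in sections:
        if stype == "device" and opts.get("type") == ["bridge"]:
            for port in opts.get("ports", []):
                owners[port].append(opts.get("name", ["<unnamed>"])[0])
    return owners


def duplicate_bridge_ports(sections):
    """Ports that appear in more than one bridge (a port may belong to only one)."""
    return {p: b for p, b in bridge_port_owners(sections).items() if len(b) > 1}


def unknown_ports(sections, known=KNOWN_PORTS):
    """Bridge ports that are not real ports of this device (e.g. a stray eth0)."""
    return sorted(set(bridge_port_owners(sections)) - set(known))


def overlapping_subnets(sections):
    """Pairs of static interfaces whose IPv4 subnets overlap (e.g. lan and wan both /24 of 192.168.4.0)."""
    nets = []
    for stype, name, opts in sections:
        if stype == "interface" and opts.get("proto") == ["static"] and "ipaddr" in opts:
            addr = opts["ipaddr"][0]
            mask = opts.get("netmask", ["255.255.255.255"])[0]
            cidr = addr if "/" in addr else f"{addr}/{mask}"
            nets.append((name, ipaddress.ip_interface(cidr).network))
    return [(a, b, str(na), str(nb))
            for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


if __name__ == "__main__":
    cfg = parse_uci(SAMPLE_EXPORT)
    print("ports in several bridges:", duplicate_bridge_ports(cfg))
    print("ports not on this device: ", unknown_ports(cfg))
    print("overlapping subnets:      ", overlapping_subnets(cfg))
```

On a router the same checks can be fed the live dump with `parse_uci(subprocess.check_output(["uci", "export", "network"], text=True))`; on the sample they report lan1 and eth0 as double-booked, eth0 as not a real port, and lan/wan as the overlapping pair, which is exactly what the replies above point out by eye.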
Yes, I agree it makes no sense. But I tried it and got an IP from the WAN network and wondered about it. And then I asked for the reason.
As I wrote, I configured a completely different static IP on the LAN bridge.
That's a mistake, yes. I removed lan1 from br-lan and left lan1 in br-if_fXXX.
I seem to remember that the eth0 port is for the connection to the CPU. Well, I removed eth0 from the bridge device br-if_fXXX, but then no device in the connected WLAN was able to communicate, and I had to reset the configuration.
At the moment I need two different WLANs, one of them with a LAN port. These networks must be separated from the parent network, which is connected to the WAN port.
A network that is wireless-only and doesn't use ethernet doesn't need any ports in the bridge. One that is connecting to ethernet obviously does need a port in the bridge.
In the pre-DSA days, yes, this was true. However, most DSA devices don't have eth0 or eth1 exposed in the configs (it is abstracted so the user doesn't see it anymore). There are some devices that do have ethX in their configs, but it shouldn't be added if it's not there in the default configuration.
Therefore, I would recommend that you reset to defaults and then post that default configuration. Then we'll have a reference for what should actually be present in your router's config (it varies depending on the specific model). That will allow us to make the exact edits that are required.
uci export network;
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd11:c2a9:b9f5::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
uci export dhcp; uci export firewall;
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
package firewall
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.4.163/24 brd 192.168.4.255 scope global wan
valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
default via 192.168.4.1 dev wan src 192.168.4.163
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
192.168.4.0/24 dev wan scope link src 192.168.4.163
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
local 192.168.1.1 dev br-lan table local scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link src 192.168.1.1
local 192.168.4.163 dev wan table local scope host src 192.168.4.163
broadcast 192.168.4.255 dev wan table local scope link src 192.168.4.163
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
As I said before, one network needs a LAN port. But to be prepared for the future, each network should have two LAN ports.
Thanks for the default config. As expected, eth0 doesn't exist in the default config, so it should not be added. We'll just work with the lan1-lan4 ethernet ports and the wan port.
I don't want to rely on the old config to infer your goals because it could possibly lead us down the wrong path. With that in mind, please describe:
The name of each network
The subnet for each of those networks
The VLAN ID for each network (if relevant; we will be using VLANs, but you only need to worry about the specific IDs if you'll be using tagged networks over ethernet and thus need to have consistency with downstream equipment)
The ethernet port(s) in use for each network, or if it will be wifi only (also, for wifi only -- describe if it is one band or dual-band)
If relevant, the tagged/untagged status of each network on each port
So for example (just making this up):
Main lan (192.168.10.0/24): ports 1 and 2 untagged, port 4 tagged, VLAN ID 10
Guest network (192.168.20.0/24): port 3 untagged, port 4 tagged, VLAN ID 20
child1 network (192.168.41.0/24): ports 1 and 2 untagged, VLAN ID 41, wifi dual band
child2 network (192.168.42.0/24): ports 3 and 4 untagged, VLAN ID 42, wifi dual band
Add the networks vlan41 and vlan42 to the lan firewall zone (at least for now... you can change this later if desired, but this is the best way to ensure that everything works as expected):
config zone
option name 'lan'
list network 'lan'
list network 'vlan41'
list network 'vlan42'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
You'll probably want to set up a DHCP server for the two VLANs -- you can edit the lan dhcp server to be vlan41, and then duplicate that and change to vlan42 for the name/network.
Finally, you can set up your SSIDs and link them against the appropriate networks (vlan41 or vlan42).
Restart your router and you should be good to go. We can tighten down the firewall -- if desired -- after this is known to work.
EDIT: added the untagged port status in the bridge-vlans.
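The steps in the post above (bridge-vlans on br-lan, a vlan41 and vlan42 interface, both in the lan zone, a DHCP pool for each) can be applied in one go with `uci batch`. The following is an added example, not the poster's own configuration or OpenWrt project code: it generates the batch script for the child1/child2 layout described earlier (lan1/lan2 untagged for VLAN 41, lan3/lan4 untagged for VLAN 42). The port assignment, the 192.168.41.1 and 192.168.42.1 addresses, the 100/150/12h DHCP values copied from the default lan pool, and the lan zone being `firewall.@zone[0]` (true of the default config posted in this thread) are all assumptions of this example; the existing lan interface and the wifi SSIDs are left to be configured as the post describes.

```python
"""Generate a `uci batch` script for two child VLANs (vlan41, vlan42) as DSA
bridge-vlans on br-lan, each with two untagged ports, each in the lan firewall
zone with its own DHCP pool.  Run on the router to apply, elsewhere to preview."""
import shutil
import subprocess

# Constructed plan following the example layout in the thread (assumption).
PLAN = {
    41: {"ipaddr": "192.168.41.1", "ports": ["lan1", "lan2"]},
    42: {"ipaddr": "192.168.42.1", "ports": ["lan3", "lan4"]},
}
LAN_ZONE = "firewall.@zone[0]"   # assumption: lan is the first zone, as in the default config


def vlan_commands(vid, ipaddr, ports, netmask="255.255.255.0"):
    """uci commands for one VLAN: bridge-vlan, interface, zone membership, DHCP pool."""
    name = f"vlan{vid}"
    cmds = [
        f"set network.{name}_bv=bridge-vlan",
        f"set network.{name}_bv.device='br-lan'",
        f"set network.{name}_bv.vlan='{vid}'",
    ]
    # 'u*' = untagged member and PVID: a plain client plugged into the port lands in this VLAN
    cmds += [f"add_list network.{name}_bv.ports='{p}:u*'" for p in ports]
    cmds += [
        f"set network.{name}=interface",
        f"set network.{name}.device='br-lan.{vid}'",   # the VLAN sub-device of the bridge
        f"set network.{name}.proto='static'",
        f"set network.{name}.ipaddr='{ipaddr}'",
        f"set network.{name}.netmask='{netmask}'",
        f"add_list {LAN_ZONE}.network='{name}'",       # same zone as lan, as the post suggests
        f"set dhcp.{name}=dhcp",
        f"set dhcp.{name}.interface='{name}'",
        f"set dhcp.{name}.start='100'",
        f"set dhcp.{name}.limit='150'",
        f"set dhcp.{name}.leasetime='12h'",
        f"set dhcp.{name}.dhcpv4='server'",
    ]
    return cmds


def port_conflicts(plan):
    """A port can carry only one PVID, so it may be ':u*' in at most one VLAN."""
    seen, conflicts = {}, []
    for vid, spec in plan.items():
        for port in spec["ports"]:
            if port in seen:
                conflicts.append((port, seen[port], vid))
            seen[port] = vid
    return conflicts


def build_batch(plan):
    """Full batch script text, refusing plans that give a port two PVIDs."""
    conflicts = port_conflicts(plan)
    if conflicts:
        raise ValueError(f"port untagged in more than one VLAN: {conflicts}")
    cmds = []
    for vid, spec in sorted(plan.items()):
        cmds += vlan_commands(vid, spec["ipaddr"], spec["ports"])
    cmds += ["commit network", "commit firewall", "commit dhcp"]
    return "\n".join(cmds) + "\n"


if __name__ == "__main__":
    script = build_batch(PLAN)
    if shutil.which("uci"):
        # on the router: apply, then `reload_config` (or reboot) to bring the VLANs up
        subprocess.run(["uci", "batch"], input=script, text=True, check=True)
    else:
        print(script, end="")   # preview on a workstation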
Sounds good. I suspect that the changes should only take around 10 minutes to implement, but obviously if you have any issues, you'll want some time to debug.
Report back when you have success and/or if you run into issues.