Bad network configuration

Hi,
I have a D-Link DIR-842 C3 with OpenWrt SNAPSHOT and I want to update it.
That router has 4 LAN ports (black) and 1 WAN port (yellow), but I'm using it as an access point, not as a firewall. My thought was to use all the ports (LAN + WAN) as a switch, even if the uplink port (connected to my home network) is the WAN one.
For now, my config is working but the router can't connect to the internet or resolve hostnames.

root@OpenWrt:~# uci export network
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda0:f644:0493::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.0.5'
        option gateway '192.168.0.254'
        option ifname 'eth0 eth0.1 eth0.2'
        option force_link '0'
        option dns '192.168.0.10'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '00:ad:24:4a:ba:28'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr '00:ad:24:4a:ba:2a'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config switch
        option name 'switch0'
        option reset '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 4 3 2 1'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 5'
        option vid '2'

  • Delete (or disable) wan and wan6 interfaces.
  • Set lan interface ifname to eth0.1 only
  • Edit vlan 1 to include port 5
  • Delete vlan 2
  • Disable DHCP Server on lan interface.
  • Make sure LAN IP is on main router's subnet.
4 Likes
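As an added example (not code from the thread or from OpenWrt), the list above written out as reviewable `uci` commands, with the subnet check from the last step performed before anything is applied. It assumes the section order of the posted `uci export network` (VLAN 1 is the first switch_vlan section, VLAN 2 the second), defaults to the addresses used in this thread, and lets you override LAN_IP, LAN_MASK, LAN_GW and LAN_DNS from the environment.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt: the dumb-AP steps
# listed above as reviewable `uci` commands, plus the subnet check.
# Assumptions: section order as in the posted `uci export network`
# (VLAN 1 is switch_vlan[0], VLAN 2 is switch_vlan[1]); addresses default to
# the ones in the thread and can be overridden from the environment.

LAN_IP="${LAN_IP:-192.168.0.5}"
LAN_MASK="${LAN_MASK:-255.255.255.0}"
LAN_GW="${LAN_GW:-192.168.0.254}"
LAN_DNS="${LAN_DNS:-192.168.0.10}"

# Dotted quad -> 32-bit integer, POSIX shell arithmetic only.
# Runs in a subshell so the IFS change does not leak.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# True when both addresses fall in the same subnet under the given mask.
same_subnet() {
    [ $(( $(ip_to_int "$1") & $(ip_to_int "$3") )) -eq \
      $(( $(ip_to_int "$2") & $(ip_to_int "$3") )) ]
}

# The plan: one uci command per line; nothing changes until it is executed.
# `uci -q delete` stays quiet when a section is already gone, so the plan is
# safe to run twice. dhcp.wan is removed as well (not in the list above)
# because it refers to the interface being deleted.
dumb_ap_plan() {
    cat <<EOF
uci -q delete network.wan
uci -q delete network.wan6
uci -q delete dhcp.wan
uci set network.lan.ifname='eth0.1'
uci set network.@switch_vlan[0].ports='0t 4 3 2 1 5'
uci -q delete network.@switch_vlan[1]
uci set dhcp.lan.ignore='1'
uci set network.lan.ipaddr='$LAN_IP'
uci set network.lan.netmask='$LAN_MASK'
uci set network.lan.gateway='$LAN_GW'
uci -q delete network.lan.dns
uci add_list network.lan.dns='$LAN_DNS'
EOF
}

# Refuse to touch the config when the LAN address is not on the main
# router's subnet (the last step in the list), then apply, commit, restart.
apply_dumb_ap() {
    if ! same_subnet "$LAN_IP" "$LAN_GW" "$LAN_MASK"; then
        echo "refusing: $LAN_IP is not in the gateway's subnet ($LAN_GW/$LAN_MASK)" >&2
        return 1
    fi
    dumb_ap_plan | sh -e || return 1
    uci commit network && uci commit dhcp &&
        /etc/init.d/network restart && /etc/init.d/dnsmasq restart
}

# No argument prints the plan for review; "apply" runs it on the router.
if [ "${1:-plan}" = apply ]; then apply_dumb_ap; else dumb_ap_plan; fi
```

Run it without arguments first and read the printed commands; only `apply` changes the router. Deleting the `wan` interface also takes the firewall's `wan` zone out of play, which is what a dumb AP wants: the uplink port joins the LAN bridge and no masquerading or forwarding happens on the device.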

You also need to specify the DNS server(s) for normal internet access (without DNS, the internet can work, but only by IP address).
Edit - looks like you already have it. Is that DNS working properly? I'm guessing a Pi-hole or similar?

1 Like

Hmm, but I should modify my /etc/resolv.conf to point to my internal DNS to have addresses resolved. I don't understand why the setting in the UI doesn't work.

root@OpenWrt:/etc# uci export network
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda0:f644:0493::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.0.5'
        option gateway '192.168.0.254'
        option force_link '0'
        option ifname 'eth0.1'
        list dns '192.168.0.10'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '00:ad:24:4a:ba:28'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr '00:ad:24:4a:ba:2a'

config switch
        option name 'switch0'
        option reset '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 4 3 2 1 5'

What is the output of:

ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
root@OpenWrt:~# ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
lrwxrwxrwx    1 root     root            16 Jun  6  2020 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            42 Jun  5 22:10 /tmp/resolv.conf

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            40 Jun  5 22:03 resolv.conf.auto
==> /etc/resolv.conf <==
search domain.lan
nameserver 192.168.0.10

==> /tmp/resolv.conf <==
search domain.lan
nameserver 192.168.0.10

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

Pihole is configured for the OpenWrt as nameserver.
Better post more configurations to see where the mistake might be, after you have made the corrections pointed out by @Hegabo:

uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
head -n -0 /tmp/resolv.conf.d/*

In the top block of /etc/config/dhcp, change option rebind_protection to 0 and comment out option local '/lan/'. This will allow resolving names on the LAN. Though without that it should still resolve Internet names. From the CLI, can you ping Internet sites by IP? Can you ping 192.168.0.10?

Yes, I can ping 192.168.0.10 from OpenWRT (my DNS, not a Pi-hole but an Ubuntu server running DNS+DHCP)

@trendy : when I reboot the router, the nameserver is back to 127.0.0.1. I need to force it to 192.168.0.10
About @Hegabo's changes, I've done them, rebooted and... some changes were automatically made. I'm trying to understand why.

Not really. That is the default and works fine if you have not messed with dnsmasq configuration.

root@OpenWrt:~# uci export network
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda0:f644:0493::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.0.5'
        option gateway '192.168.0.254'
        option force_link '0'
        list dns '192.168.0.10'
        option ifname 'eth0'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '00:ad:24:4a:ba:28'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr '00:ad:24:4a:ba:2a'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 4 3 2 1 5'
root@OpenWrt:~# uci export wireless
package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'VHT80'
        option country 'FR'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'DOMO_5Ghz'
        option encryption 'psk2'
        option key 'xxxxxxxxxxx'
        option wpa_disable_eapol_key_retries '1'
        option wmm '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '5'
        option hwmode '11g'
        option path 'platform/ahb/18100000.wmac'
        option country 'FR'
        option htmode 'HT20'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'DOMO'
        option encryption 'none'
        option wmm '0'
        option macfilter 'allow'
        list maclist 'xx:x:xx:xx:xx:xx'
        list maclist 'xx:xx:xx:xx:xx:xx'
root@OpenWrt:~# uci export dhcp
package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option expandhosts '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option domain 'domain.lan'
        list server 'tech02.domain.lan'
        option localservice '0'

config dhcp 'lan'
        option interface 'lan'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

tech02.domain.lan is 192.168.0.10 (DNS server)

root@OpenWrt:~# uci export firewall
package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'
root@OpenWrt:~# head -n -0 /etc/firewall.user;
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
root@OpenWrt:~# iptables-save -c
# Generated by iptables-save v1.8.4 on Sat Jun  6 22:44:59 2020
*nat
:PREROUTING ACCEPT [3819:822219]
:INPUT ACCEPT [211:50405]
:OUTPUT ACCEPT [307:22522]
:POSTROUTING ACCEPT [307:22522]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[3819:822219] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[3816:821777] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[307:22522] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[281:20757] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[281:20757] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[3816:821777] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sat Jun  6 22:44:59 2020
# Generated by iptables-save v1.8.4 on Sat Jun  6 22:44:59 2020
*mangle
:PREROUTING ACCEPT [10968:2368985]
:INPUT ACCEPT [7359:1597118]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8200:8385748]
:POSTROUTING ACCEPT [8200:8385748]
COMMIT
# Completed on Sat Jun  6 22:44:59 2020
# Generated by iptables-save v1.8.4 on Sat Jun  6 22:44:59 2020
*filter
:INPUT ACCEPT [84:26904]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[212:17360] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[7144:1579470] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[6730:1458222] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[25:1200] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[330:94344] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[212:17360] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[7986:8368460] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[7591:8335636] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[395:32824] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[25:1200] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[395:32824] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[330:94344] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[330:94344] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[395:32824] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[395:32824] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[330:94344] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
COMMIT
# Completed on Sat Jun  6 22:44:59 2020
root@OpenWrt:~# ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.0.5/24 brd 192.168.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
root@OpenWrt:~# ip -4 ro li tab all
default via 192.168.0.254 dev br-lan
192.168.0.0/24 dev br-lan scope link  src 192.168.0.5
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.0.0 dev br-lan table local scope link  src 192.168.0.5
local 192.168.0.5 dev br-lan table local scope host  src 192.168.0.5
broadcast 192.168.0.255 dev br-lan table local scope link  src 192.168.0.5
root@OpenWrt:~# ip -4 ru
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
root@OpenWrt:~# head -n -0 /tmp/resolv.conf.d/*
# Interface lan
nameserver 192.168.0.10

And I've added my wireless interfaces to LAN :slight_smile:

This is wrong in all aspects. You cannot define a nameserver with its name, only IP. But it is not needed, you have already configured it under lan interface.

You may want to switch that back to 'lan' or change option local '/domain.lan/'

Finally, define where to find the nameserver:
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
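Added example, not from the thread or from OpenWrt: a small lint for the dnsmasq section of `uci export dhcp` that flags the three problems raised in this thread: an upstream `server` given as a hostname instead of an IP, `option local` not matching `option domain`, and rebind protection left on while the upstream is a private address (answers in private ranges then get dropped unless `rebind_domain` covers the domain). The sample configs are constructed to mirror the posted one; the lint only understands the `option`/`list` lines that `uci export` emits.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt: lint the dnsmasq
# section of `uci export dhcp` text read on stdin for the mistakes discussed
# in this thread. The samples below are constructed, not captured.

is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Prints one finding per line; returns 1 if anything was found.
lint_dnsmasq() {
    section="" domain="" local_dom="" rebind="" private_upstream="" found=0
    while read -r kind key val; do
        case "$kind" in
            config) section="$key"; continue ;;
            option|list) [ "$section" = dnsmasq ] || continue ;;
            *) continue ;;
        esac
        val=${val#\'}; val=${val%\'}          # strip uci's single quotes
        case "$key" in
            domain) domain="$val" ;;
            local) local_dom=${val#/}; local_dom=${local_dom%/} ;;
            rebind_protection) rebind="$val" ;;
            server)
                # dnsmasq accepts /domain/ip, ip@iface and ip#port forms;
                # pull out the address part before checking it
                addr=${val##*/}; addr=${addr%%@*}; addr=${addr%%#*}
                case "$addr" in *:*) continue ;; esac   # IPv6 upstream, not checked
                if ! is_ipv4 "$addr"; then
                    echo "server '$val': upstream must be an IP address, not a hostname"
                    found=1
                elif is_private_ipv4 "$addr"; then
                    private_upstream="$addr"
                fi ;;
        esac
    done
    if [ -n "$local_dom" ] && [ -n "$domain" ] && [ "$local_dom" != "$domain" ]; then
        echo "local '/$local_dom/' does not match domain '$domain': names under $domain are forwarded, not answered locally"
        found=1
    fi
    if [ "$rebind" = 1 ] && [ -n "$private_upstream" ]; then
        echo "rebind_protection '1' with private upstream $private_upstream: private-range answers are dropped unless rebind_domain covers them"
        found=1
    fi
    return $found
}

# Constructed sample mirroring the posted config: hostname as server, local '/lan/'.
sample_posted() {
    cat <<'EOF'
package dhcp

config dnsmasq
        option domainneeded '1'
        option rebind_protection '1'
        option local '/lan/'
        option domain 'domain.lan'
        list server 'tech02.domain.lan'

config dhcp 'lan'
        option interface 'lan'
        option ignore '1'
EOF
}

# Constructed sample after the fixes suggested above, rebind protection still on.
sample_fixed() {
    cat <<'EOF'
config dnsmasq
        option rebind_protection '1'
        option local '/domain.lan/'
        option domain 'domain.lan'
        list server '192.168.0.10'
EOF
}

# Constructed sample with nothing to report.
sample_clean() {
    cat <<'EOF'
config dnsmasq
        option rebind_protection '0'
        option local '/domain.lan/'
        option domain 'domain.lan'
        list server '192.168.0.10'
EOF
}

# On a router: uci export dhcp | lint_dnsmasq
sample_posted | lint_dnsmasq
```

On the posted config this reports the hostname in `list server` and the `/lan/` versus `domain.lan` mismatch; after those two fixes only the rebind-protection note remains, which the thread resolves by setting `rebind_protection` to 0 (listing the domain under `rebind_domain` is the narrower alternative).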

I think you might be best served by resetting to defaults (firstboot && reboot) and then implementing your dumb AP again using this guide. You don't need to change all that much to get the device to be just a simple dumb AP.

Don't forget that since you are running a snapshot, resetting to defaults will erase your installation of LuCI and any other packages, so you'll need to reinstall them. Fortunately, your main router appears to be setting up a network in the 192.168.0.0/24 range, so you can actually just connect from your main LAN to the WAN port of the OpenWrt router (and then connect via an ethernet cable between your OpenWrt router and your computer for ssh access). You can run opkg update and then install any packages such as LuCI that you want/need, and then proceed to the dumb ap configuration process.

It was my starting point a few months ago, but it evolved to add a VPN and two VLANs for temporary access. I think I will clean everything because now my AP is not working all the time; I get many, many disconnections every minute.
The only problem is to find a recent snapshot for my device...