I'm running openwrt on raspberry pi 3. I've been trawling google trying to get openwrt to connect to the internet but no luck. I installed openwrt using:
openwrt-19.07.7-brcm2708-bcm2710-rpi-3-ext4-factory.img.gz
I can ping www.google.co.uk and it replies fine but if I run opkg update or opkg install it fails with: opkg_download: Check your network settings and connectivity
can anybody tell me what my network files should contain? my lan is on 172.16.1.x / 255.255.0.0.
here is my /etc/config/network:
Apart from the unusual size of your subnet (do you really need space for 65534 devices in a single subnet?) I can't see anything untoward about that configuration; prima facie, it ought to work. But it's not the full story. Other components could be getting in the way.
What's the output of ip route ?
What are the contents of /etc/config/firewall ?
What is the complete output of opkg update?
If you run a traceroute to an external host, does it take the path you expect?
If possible, try to download the installation packages for tcpdump and its dependencies on a separate computer and copy them across to the Pi for local installation. tcpdump can be a useful tool to observe network activity to help determine what may - or may not - be going on.
I can ssh into the pi3 and I can ping google but can't download anything
root@OpenWrt:~# ip route
default via 172.16.1.60 dev eth0 src 172.16.1.216
172.16.0.0/16 dev eth0 scope link src 172.16.1.216
root@OpenWrt:~# vim /etc/config/firewall
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option src_ip fc00::/6
option dest_ip fc00::/6
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
# include a file with users custom iptables rules
config include
option path /etc/firewall.user
### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
# option src lan
# option src_ip 192.168.45.2
# option dest wan
# option proto tcp
# option target REJECT
# block a specific mac on wan
#config rule
# option dest wan
# option src_mac 00:11:22:33:44:66
# option target REJECT
# block incoming ICMP traffic on a zone
#config rule
# option src lan
# option proto ICMP
# option target DROP
# port redirect port coming in on wan to lan
#config redirect
# option src wan
# option src_dport 80
# option dest lan
# option dest_ip 192.168.16.235
# option dest_port 80
# option proto tcp
# port redirect of remapped ssh port (22001) on wan
#config redirect
# option src wan
# option src_dport 22001
# option dest lan
# option dest_port 22
# option proto tcp
### FULL CONFIG SECTIONS
#config rule
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 80
# option dest wan
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
# option target REJECT
#config redirect
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 1024
# option src_dport 80
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
- /etc/config/firewall 195/195 100%
root@OpenWrt:~# opkg update
Downloading http://downloads.openwrt.org/releases/19.07.7/targets/brcm2708/bcm2710/packages/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.7/targets/brcm2708/bcm2710/packages/Packages.gz
Downloading http://downloads.openwrt.org/releases/19.07.7/targets/brcm2708/bcm2710/kmods/4.14.221-1-ae418ed2395263358bbe7536d318ae28/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.7/targets/brcm2708/bcm2710/kmods/4.14.221-1-ae418ed2395263358bbe7536d318ae28/Packages.gz
Downloading http://downloads.openwrt.org/releases/19.07.7/packages/aarch64_cortex-a53/base/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.7/packages/aarch64_cortex-a53/base/Packages.gz
Downloading http://downloads.openwrt.org/releases/19.07.7/packages/aarch64_cortex-a53/freifunk/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.7/packages/aarch64_cortex-a53/freifunk/Packages.gz
Downloading http://downloads.openwrt.org/releases/19.07.7/packages/aarch64_cortex-a53/luci/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.7/packages/aarch64_cortex-a53/luci/Packages.gz
Downloading http://downloads.openwrt.org/releases/19.07.7/packages/aarch64_cortex-a53/packages/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.7/packages/aarch64_cortex-a53/packages/Packages.gz
Downloading http://downloads.openwrt.org/releases/19.07.7/packages/aarch64_cortex-a53/routing/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.7/packages/aarch64_cortex-a53/routing/Packages.gz
Downloading http://downloads.openwrt.org/releases/19.07.7/packages/aarch64_cortex-a53/telephony/Packages.gz
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.7/packages/aarch64_cortex-a53/telephony/Packages.gz
Collected errors:
* opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.7/targets/brcm2708/bcm2710/packages/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.
* opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.7/targets/brcm2708/bcm2710/kmods/4.14.221-1-ae418ed2395263358bbe7536d318ae28/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.
* opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.7/packages/aarch64_cortex-a53/base/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.
* opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.7/packages/aarch64_cortex-a53/freifunk/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.
* opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.7/packages/aarch64_cortex-a53/luci/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.
* opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.7/packages/aarch64_cortex-a53/packages/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.
* opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.7/packages/aarch64_cortex-a53/routing/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.
* opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.7/packages/aarch64_cortex-a53/telephony/Packages.gz, wget returned 4.
* opkg_download: Check your network settings and connectivity.
root@OpenWrt:~# traceroute google.com
traceroute to google.com (142.250.185.238), 30 hops max, 46 byte packets
1 172.16.1.60 (172.16.1.60) 0.499 ms 0.421 ms 0.398 ms
2 10.8.0.1 (10.8.0.1) 21.897 ms 21.883 ms 21.515 ms
3 * * *
4 10.80.71.15 (10.80.71.15) 23.096 ms 10.80.71.7 (10.80.71.7) 22.154 ms 10.80.71.15 (10.80.71.15) 22.059 ms
5 138.197.249.102 (138.197.249.102) 22.677 ms 138.197.249.126 (138.197.249.126) 24.821 ms 138.197.249.100 (138.197.249.100) 22.491 ms
6 138.197.251.142 (138.197.251.142) 22.306 ms 138.197.251.138 (138.197.251.138) 22.024 ms 138.197.251.142 (138.197.251.142) 22.901 ms
7 74.125.49.86 (74.125.49.86) 22.529 ms * 22.684 ms
8 * 74.125.242.115 (74.125.242.115) 23.512 ms *
9 216.239.58.133 (216.239.58.133) 24.529 ms 216.239.59.77 (216.239.59.77) 90.773 ms 216.239.57.207 (216.239.57.207) 23.699 ms
10 209.85.142.166 (209.85.142.166) 29.207 ms 74.125.242.114 (74.125.242.114) 22.447 ms 108.170.246.143 (108.170.246.143) 24.487 ms
11 209.85.244.159 (209.85.244.159) 35.996 ms 34.257 ms 216.239.57.207 (216.239.57.207) 23.823 ms
12 209.85.240.112 (209.85.240.112) 37.002 ms 108.170.226.2 (108.170.226.2) 50.188 ms 209.85.241.230 (209.85.241.230) 36.206 ms
13 108.170.252.65 (108.170.252.65) 34.983 ms 209.85.142.97 (209.85.142.97) 36.307 ms *
14 209.85.241.230 (209.85.241.230) 36.326 ms 35.679 ms 209.85.252.215 (209.85.252.215) 34.188 ms
15 108.170.251.193 (108.170.251.193) 36.548 ms 108.170.252.65 (108.170.252.65) 34.668 ms 108.170.251.193 (108.170.251.193) 35.976 ms
16 172.253.50.151 (172.253.50.151) 36.471 ms fra16s53-in-f14.1e100.net (142.250.185.238) 37.079 ms 142.250.236.57 (142.250.236.57) 36.402 ms
looks ok to me.
thanks if you can shed any further light
The first public address in your traceroute is 138.197.249.102, which assigned to Digital Ocean. DO is a well-known host for virtual machines. Many people use the company's services (me included).
If your traffic is going via Digital Ocean, does your firewall at DO permit HTTP traffic?
sorry don't know anything about DO or its firewall. I just don't understand why a brand new install of openwrt can ping the internet and yet won't download anything, everything else on my lan is connected and works fine. have I used the wrong install file?
Well, something's sending your traffic via Digital Ocean. If you can ping an external host that means that ICMP ECHO REQUEST and the associated replies are permitted. But ICMP is a different protocol from HTTP. Just because one protocol is permitted doesn't mean that all protocols are permitted. As a test, try pinging downloads.openwrt.org and see what response - if any - you get.
Possibly. Which install file did you use, and where did you get it?
hang on, just had a breakthrough. I put /etc/config/network back the way it was but changed the gateway to 172.16.1.30 which is a normal internet gateway and its downloading. 172.16.1.60 is my vpn gateway. this is the first device I've ever encountered that won't work through my vpn gateway. weird..
ps: I've also got the web interface up now too.
thankyou for your help on this however I don't see where the http block comes in. I have other linux machines here and they all download stuff fine through the vpn
As for other machines being able to use the VPN, there's a quick test you can carry out: temporarily take one of those machines offline and give its IP address details to the Raspberry Pi. Then attempt the same activities as before.