BT HH5A and 18.06.0 - Network and firewall configuration

Hi, I have installed 18.06.0 on a BT HH5A, which was moderately painless. However, I cannot make it connect to the VDSL. I have BT's "professional" broadband, and a block of 8 (or 5) static IPs.

BT's Professional broadband means you have a dedicated name and password for the PPP.

With 17.04, I had to create ptm0.101 and configure that. It worked - it is still working, but I accidentally locked out my ssh access with the firewall. (It is a different HH5A).

With 18.06.0, I get "USER_ERROR" (sometimes; often nothing). If I don't configure the ptm0.101, then it does not work.

Also, I find it very hard to understand the firewall. I can follow the instructions if they do what I want, but they mostly don't. Without understanding, I can't make reasonable guesses. I have a DMZ with my servers on the yellow sockets (labelled LAN to confuse) and all my LAN on the red socket labelled "WAN" or wireless. I want stuff from the WAN (i.e. DSL) to go straight to the servers (DMZ) if they are in my static IP block, unmolested, and stuff from LAN to go to the WAN or DMZ as appropriate, but NATted. Stuff from the servers goes out to DSL, but not to the LAN (unless it is a reply to a request via NAT).

There appear to be various places where you set INPUT, OUTPUT or FORWARD, but I am not sure how they are handled, nor where I should tick the NAT box, and where not.

OpenWRT 18.06 uses a different ifname, i.e. change ptm0.101 to dsl0.101 and it should hopefully solve your VDSL connectivity problem.

Thanks. Yes, this fixed the WAN issue on my BT HH5A. I now have a different problem:
I have a DMZ with servers on it (using some of the GBE ports). The servers sit in a block of public IP addresses. I have configured the firewall to the best of my understanding.

  • The outside world can access my servers.

  • AFAICT, the servers can access the outside world (which is needed)

  • The LAN can access the outside world.

  • To my enormous embarrassment, the LAN can't access the servers.

I am using LuCI to configure. I have input, output and forwarding all accept, everywhere,
and masking and MSS clamping enabled on LAN to (WAN and DMZ).

Please help me!

Incidentally, I have three HH5As and two HH5Bs. All of them flake out if the ambient temperature reaches 30C, and some of them if it reaches 25C. I believe this does not happen if you disable the wirelesses, but have not done proper scientific tests.

I originally thought this was BT's flaky firmware. There is no evidence that their firmware is not flaky, but the hardware is definitely best kept in a cool place, not a cupboard full of servers.

Masquerade and MSS clamping on WAN only.
Allow forwarding from LAN to DMZ to fix the problem.

But surely the servers need masquerading to see the LAN as having the spoofed (Router's) address, and not their LAN addresses?

Not necessary. It can work with native routing, with or without SNAT.

So I use the firewall on the HH5A to block input on 192.168/16 to all, and allow input on 192.168/16 on the servers? (I would not normally do that).

Is that how you handle it?

Why does the SNAT not work as I expect? (I think it did on 17.xx)

Please post here the output of the following command, all in one line, to have an idea what is the situation:
cat /etc/config/network; cat /etc/config/firewall; cat /etc/config/wireless ; cat /etc/config/dhcp ; ip -4 addr ; ip -4 ro ; ip -4 ru

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fde6:b263:f18c::/48'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'b'
	option tone 'a'
	option xfer_mode 'ptm'
	option ds_snr_offset '0'
	option line_mode 'vdsl'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.254'
	option gateway '81.143.240.110'
	option broadcast '192.168.2.255'
	option stp '1'
	option igmp_snooping '1'
	option dns '192.168.2.100'
	option ifname 'eth0.1 eth0.3'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr '18:62:2c:71:8a:ec'

config interface 'wan'
	option proto 'pppoe'
	option username 'xxxxxxx@hg70.btclick.com'
	option password 'xxxxxxx'
	option delegate '0'
	option ipv6 '0'
	option ifname 'dsl0.101'

config device 'wan_dev'
	option name 'dsl0'
	option macaddr '18:62:2c:71:8a:ed'

config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '5 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '0 1 2 6t'

config interface 'DMZ'
	option proto 'static'
	option ifname 'eth0.2'
	option ipaddr '81.143.240.110'
	option netmask '255.255.255.248'
	option broadcast '81.143.240.111'
	option delegate '0'

config route
	option interface 'wan'
	option target '0.0.0.0'
	option netmask '255.255.255.255'

config route
	option interface 'DMZ'
	option target '81.143.240.104'
	option netmask '255.255.255.248'

config route
	option interface 'lan'
	option target '192.168.2.0'
	option netmask '255.255.255.0'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '4 6t'


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'lan'
	option masq '1'
	option mtu_fix '1'
	option forward 'ACCEPT'
	option family 'ipv4'
	option conntrack '1'

config zone
	option name 'wan'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option network 'wan wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option src '*'
	option dest '*'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'DMZ'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'DMZ'
	option forward 'ACCEPT'

config redirect
	option target 'SNAT'
	option src 'lan'
	option dest 'wan'
	option proto 'all'
	option src_dip '81.143.240.110'
	option name 'NATting'

config redirect
	option target 'SNAT'
	option src 'lan'
	option dest 'DMZ'
	option proto 'all'
	option src_dip '81.143.240.110'
	option name 'NAT-DMZ'

config forwarding
	option dest 'DMZ'
	option src 'wan'

config forwarding
	option dest 'wan'
	option src 'DMZ'

config forwarding
	option dest 'DMZ'
	option src 'lan'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'DMZ'


config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:01/0000:01:00.0/0000:02:00.0'
	option htmode 'VHT80'
	option country 'GB'
	option legacy_rates '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Grill-Net'
	option encryption 'psk2'
	option key 'xxxxxxxx'
	option network 'lan'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'pci0000:00/0000:00:0e.0'
	option htmode 'HT20'
	option country 'GB'
	option legacy_rates '1'
	option channel '9'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option encryption 'psk2'
	option key 'xxxxxxxx'
	option ssid 'Grill-Net'
	option network 'lan'


config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option local 'grillet.home'
	option domain 'home'
	list server '9.9.9.9 8.8.8.8 '
	option allservers '1'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option start '64'
	option limit '98'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'DMZ'
	option interface 'DMZ'
	option ignore '1'

config dhcp 'Nett'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'Nett'
	option force '1'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.254/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 81.143.240.110/29 brd 81.143.240.111 scope global eth0.2
       valid_lft forever preferred_lft forever
13: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN qlen 3
    inet 81.139.163.161 peer 81.139.160.1/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
0.0.0.0 dev pppoe-wan scope link 
default via 81.139.160.1 dev pppoe-wan 
81.139.160.1 dev pppoe-wan scope link  src 81.139.163.161 
81.143.240.104/29 dev eth0.2 scope link 
192.168.2.0/24 dev br-lan scope link

Remove this from LAN interface.

These are wrong. You have the default gateway from the PPPoE (which by the way is 0.0.0.0/0.0.0.0) and the other two are unnecessary as you have the interfaces directly connected.

config route
option interface 'wan'
option target '0.0.0.0'
option netmask '255.255.255.255'

config route
option interface 'DMZ'
option target '81.143.240.104'
option netmask '255.255.255.248'

config route
option interface 'lan'
option target '192.168.2.0'
option netmask '255.255.255.0'

In Firewall zone LAN remove: masq and mtu_fix. Are you sure you need conntrack?

In firewall zone WAN add masq and mtu_fix and exclude the public addresses of the DMZ from NAT. Also you had better change INPUT and FORWARD to DROP/REJECT.

SNAT for LAN to DMZ is pointless. Native routing works fine here and you have forwarding enabled. You only need to allow forwarding from WAN to the IP/ports of the servers in DMZ.

This looks like it is some leftover:

config dhcp 'Nett'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'Nett'
option force '1'

Thanks.

I do not really understand the firewall configuration at all - probably obvious. I used LuCI to set this up. (I am quite happy using the command line).

I don't really get what INPUT, FORWARD and OUTPUT actually do on a device like this. I don't know what conntrack does either. How do I exclude the DMZ addresses from the forwarding?

Another thing that may be an issue is that I have my own nameservers for the LAN - one to cache the public internet, and another to serve my internal hosts (there are about 40 IPs, some with more than six domains on). I would like the DHCP to give their IPs out with leases. I would also like to give the router's IP (.254) out as a DNS server, and have the router query .100 (the caching server) rather than use a hosts file.

The Nett business is that I am planning a subnet 192.168.1.0/24 at the end of a wire in one of the switch ports. However, I need to get the basics working before I try to get clever! I realise the sensible thing would be to have a 192.168.2.0 address on the router at the other end of the wire, but it is a BT HH3, not yet running OpenWRT, and very inflexible indeed. I have deleted it for now.

Thanks very much for your help!

INPUT and OUTPUT is the policy applied to the interfaces bound to the zone. Generally OUTPUT can be ACCEPT for every zone. INPUT should be ACCEPT for zones that you trust, e.g. LAN, but DROP/REJECT for untrusted zones, like WAN, GUEST, IoT. If the policy is DROP, then packets are discarded silently. Else with REJECT the router sends an ICMP message to inform of the discard (better for troubleshooting).
FORWARDING is for traffic traversing different interfaces of the same zone through the firewall. You only have one interface per zone, so not applicable in your case.
When you have DROP/REJECT policy, you need to manually open any ports or flows.

Forces connection tracking when NAT is disabled, in order to have a stateful firewall. You could use it on the WAN interface for DMZ. Definitely not on the LAN zone.

Basically you can exclude them by not including them in the addresses that will be NATed.
Add list masq_src '192.168.2.0/24' under the WAN zone in the firewall (or the Advanced Settings tab of the WAN edit zone in LuCI).

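The zone layout the replies above describe, written out as an added example (not the poster's configuration and not a reply from the thread): masq and mtu_fix on the wan zone only, masq_src limited to the private LAN so the DMZ's public /29 is routed without NAT, REJECT on wan input/forward, native routing instead of the two SNAT redirects, and one explicit rule for inbound server traffic. The server address 81.143.240.105, the ports 80/443 and the REJECT policy on the DMZ zone are assumptions.

```uci
# /etc/config/firewall, zones and forwardings only: added example applying the
# advice above, not the poster's config. Server IP/ports below are assumed.
config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option network 'wan wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	# only the private LAN is SNATed; the DMZ's public /29 is left routed as-is
	list masq_src '192.168.2.0/24'

config zone
	option name 'DMZ'
	option network 'DMZ'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# native routing between zones; the two SNAT redirects are dropped entirely
config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'DMZ'

config forwarding
	option src 'DMZ'
	option dest 'wan'

# inbound from WAN: only the server's public IP and ports (assumed values)
config rule
	option name 'Allow-WAN-to-DMZ-web'
	option src 'wan'
	option dest 'DMZ'
	option dest_ip '81.143.240.105'
	option proto 'tcp'
	option dest_port '80 443'
	option target 'ACCEPT'
```

There is deliberately no DMZ-to-lan forwarding, matching the requirement in the first post that the servers only reach the LAN as replies to NATed requests.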

Thanks for your help, but I am in trouble - my WAN will not connect. I spent about 2 hours on the phone to BT getting the correct settings (I have VDSL FTTC). I cannot get it to connect. I have a HH5B unflashed, obviously, and that connects fine (but is no use cos the configuration options are too limited).

I have a second HH5A, which I also flashed with 18.06.2, and it also does not connect to the VDSL.

I tried to do a "sysupgrade" restore to 17.04, and it says the file is not a compatible format.

(Also, I tried to restore settings I saved, and it saves a tar.gz file, but restore wants gzip!)

Where do I go from here?

Any ideas?

I tried to do a "sysupgrade" restore to 17.04, and it says the file is not a compatible format.

Download the installation guide for hh5a
https://openwrt.ebilan.co.uk/viewtopic.php?f=7&t=266

section 4.4 covers downgrading to 17.01.4.

eg. use
sysupgrade -n -F /tmp/lede-lantiq-xrx200-BTHOMEHUBV5A-squashfs-sysupgrade.bin

For readers unfamiliar with the BT Business broadband block of 5 or 8 static IP addresses, here is a link to their hub configuration.
https://btbusiness.custhelp.com/app/answers/detail/a_id/19138/c/5099/

HOWTO: Setting up multiple static IP's on NON BT Hardware.
https://business.forums.bt.com/t5/Archive/HOWTO-Setting-up-multiple-static-IP-s-on-NON-BT-Hardware/td-p/13670

https://openwrt.org/docs/guide-user/network/wan/isp-configurations#united_kingdom

Today everything is back to working fine on one of my HH5As with 18.06.2.

I suspect BT of foul play, but after another "no fault found" call last night, it's staying up.

The lessons learned are:

you can't trust LuCI to configure the firewall - you need to know how to do it (or know someone who does) and do it yourself.

BT VDSL is G993.2 and Annex B where I am (East London); however, it is Annex A in some parts of the country. The VPI and VCI are 0 and 35 (not 38 or 32).

FYI, the VPI and VCI settings are for ADSL connections, i.e. the default ATM bridge section can be optionally deleted for VDSL connections.

You can, but still you need to have an idea what you want to accomplish. Defaults will work fine and securely for the majority of the users. Therefore, each time you change some default setting you have to clearly understand why you would want to do that.