Can you please help me check my configuration? I have some issues

Hi,

I'm trying to set up a network as in my scheme:

But I'm facing some issues:

  1. I had to set "Network" => "Interfaces" => "WAN_BOX" => "Advanced settings" => "Use custom DNS server" => "192.168.1.1" to be able to reach the internet from the router itself or from its clients since I added the static routes and restarted the ISP ADSL box.
  2. The internet connection has been completely unstable since I added the static routes and restarted the ISP ADSL box.
  3. I can't ping client 192.168.11.3 or 192.168.11.12 from client 192.168.12.3 or 192.168.12.12. Same issue in reverse.
  4. When I traceroute client 192.168.11.3 or 192.168.11.12 from client 192.168.12.3 or 192.168.12.12, it stops at router 192.168.1.52. Same issue in reverse: it stops at router 192.168.1.51.
  5. I can't use the services of server 192.168.11.5 from client 192.168.12.3 or 192.168.12.12 without port forwarding on router 1 (maybe that's normal?).
  6. My DDNS configuration ends with an "XHR request timed out" error (but seems to work). (I have a curl script that gets the internet IP from the ISP ADSL box API.)
  7. I have a lot of "daemon.err odhcpd[1276]: Failed to send to ff02::1%lan@br-lan (Network unreachable)" errors in the system log. I bet it comes from IPv6, but I don't want to use IPv6 for now.

Could you please help me check my configuration and identify what I'm doing wrong?

uci show wireless

wireless.radio0=wifi-device
wireless.radio0.type='mac80211'
wireless.radio0.hwmode='11g'
wireless.radio0.path='platform/10300000.wmac'
wireless.radio0.htmode='HT20'
wireless.radio0.channel='auto'
wireless.radio0.cell_density='0'
wireless.wifinet0=wifi-iface
wireless.wifinet0.device='radio0'
wireless.wifinet0.mode='sta'
wireless.wifinet0.network='wwan_BOX'
wireless.wifinet0.ssid='BOX'
wireless.wifinet0.encryption='psk'
wireless.wifinet0.key='xxxxxxxxxxxxxxxxxxxx'
wireless.wifinet1=wifi-iface
wireless.wifinet1.device='radio0'
wireless.wifinet1.mode='ap'
wireless.wifinet1.ssid='internal'
wireless.wifinet1.encryption='psk2'
wireless.wifinet1.key='xxxxxxxxxxxxxxxx'
wireless.wifinet1.network='lan wan'

uci show network

network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='xxxx:xxxx:xxxx::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth0.1'
network.@device[0].ipv6='0'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.11.1'
network.lan.netmask='255.255.255.0'
network.@device[1]=device
network.@device[1].name='eth0.2'
network.@device[1].macaddr='xx:xx:xx:xx:xx:xx'
network.@device[1].ipv6='0'
network.wan=interface
network.wan.device='eth0.2'
network.wan.proto='dhcp'
network.wan.type='bridge'
network.wan6=interface
network.wan6.device='eth0.2'
network.wan6.proto='dhcpv6'
network.wan6.auto='0'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='4 2 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 6t'
network.@device[2]=device
network.@device[2].name='eth0'
network.@device[2].ipv6='0'
network.@device[3]=device
network.@device[3].name='eth0.1'
network.@device[3].type='8021q'
network.@device[3].ifname='eth0'
network.@device[3].vid='1'
network.@device[3].ipv6='0'
network.@device[4]=device
network.@device[4].name='wlan0'
network.@device[4].ipv6='0'
network.wwan_BOX=interface
network.wwan_BOX.device='wlan0'
network.wwan_BOX.proto='static'
network.wwan_BOX.gateway='192.168.1.1'
network.wwan_BOX.ipaddr='192.168.1.51'
network.wwan_BOX.netmask='255.255.255.0'
network.wwan_BOX.dns='192.168.1.1'
network.@route[0]=route
network.@route[0].gateway='192.168.1.52'
network.@route[0].target='192.168.12.0/24'
network.@route[0].disabled='0'
network.@route[1]=route
network.@route[1].gateway='192.168.1.53'
network.@route[1].target='192.168.13.0/24'
network.@route[1].disabled='0'

uci show firewall

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan' 'wan6' 'wwan_BOX'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].src='wan'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='0'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='messagerie'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='xxxx'
firewall.@redirect[0].dest_ip='192.168.11.5'
firewall.@redirect[0].dest_port='xxxx'
firewall.@redirect[0].dest='lan'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].src_dport='xxxx'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].dest_ip='192.168.11.5'
firewall.@redirect[1].dest_port='xxxx'
firewall.@redirect[2]=redirect
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].name='coturn'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].src_dport='xxxx'
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].dest_port='xxxx'
firewall.@redirect[2].dest_ip='192.168.11.5'
firewall.@redirect[3]=redirect
firewall.@redirect[3].target='DNAT'
firewall.@redirect[3].name='coturn1'
firewall.@redirect[3].src='wan'
firewall.@redirect[3].src_dport='xxxx'
firewall.@redirect[3].dest='lan'
firewall.@redirect[3].dest_ip='192.168.11.5'
firewall.@redirect[3].dest_port='xxxx'
firewall.@redirect[4]=redirect
firewall.@redirect[4].target='DNAT'
firewall.@redirect[4].name='coturn2'
firewall.@redirect[4].src='wan'
firewall.@redirect[4].src_dport='xxxx'
firewall.@redirect[4].dest='lan'
firewall.@redirect[4].dest_ip='192.168.11.5'
firewall.@redirect[4].dest_port='xxxx'
firewall.@redirect[5]=redirect
firewall.@redirect[5].target='DNAT'
firewall.@redirect[5].name='coturnports'
firewall.@redirect[5].proto='udp'
firewall.@redirect[5].src='wan'
firewall.@redirect[5].src_dport='xxxxx-xxxxx'
firewall.@redirect[5].dest='lan'
firewall.@redirect[5].dest_ip='192.168.11.5'
firewall.@redirect[5].dest_port='xxxxx-xxxxx'
firewall.@redirect[6]=redirect
firewall.@redirect[6].target='DNAT'
firewall.@redirect[6].name='matrix2'
firewall.@redirect[6].src='wan'
firewall.@redirect[6].src_dport='xxxx'
firewall.@redirect[6].dest='lan'
firewall.@redirect[6].dest_ip='192.168.11.5'
firewall.@redirect[6].dest_port='xxxx'
firewall.@redirect[7]=redirect
firewall.@redirect[7].target='DNAT'
firewall.@redirect[7].name='matrix2ssl'
firewall.@redirect[7].src='wan'
firewall.@redirect[7].src_dport='xxxx'
firewall.@redirect[7].dest='lan'
firewall.@redirect[7].dest_ip='192.168.11.5'
firewall.@redirect[7].dest_port='xxxx'
firewall.@redirect[8]=redirect
firewall.@redirect[8].target='DNAT'
firewall.@redirect[8].name='testmessagerie'
firewall.@redirect[8].src='wan'
firewall.@redirect[8].src_dport='xxxx'
firewall.@redirect[8].dest='lan'
firewall.@redirect[8].dest_ip='192.168.11.5'
firewall.@redirect[8].dest_port='xxxx'
firewall.@redirect[9]=redirect
firewall.@redirect[9].target='DNAT'
firewall.@redirect[9].name='testmessageriessl'
firewall.@redirect[9].src='wan'
firewall.@redirect[9].src_dport='xxxx'
firewall.@redirect[9].dest='lan'
firewall.@redirect[9].dest_ip='192.168.11.5'
firewall.@redirect[9].dest_port='xxxx'
firewall.@redirect[10]=redirect
firewall.@redirect[10].target='DNAT'
firewall.@redirect[10].name='ctestmatrix'
firewall.@redirect[10].proto='tcp'
firewall.@redirect[10].src='wan'
firewall.@redirect[10].src_dport='xxxx'
firewall.@redirect[10].dest='lan'
firewall.@redirect[10].dest_ip='192.168.11.5'
firewall.@redirect[10].dest_port='xxxx'
firewall.@redirect[11]=redirect
firewall.@redirect[11].target='DNAT'
firewall.@redirect[11].name='cmatrix2'
firewall.@redirect[11].proto='tcp'
firewall.@redirect[11].src='wan'
firewall.@redirect[11].src_dport='xxxx'
firewall.@redirect[11].dest='lan'
firewall.@redirect[11].dest_ip='192.168.11.5'
firewall.@redirect[11].dest_port='xxxx'
firewall.@redirect[12]=redirect
firewall.@redirect[12].target='DNAT'
firewall.@redirect[12].name='cmatrix'
firewall.@redirect[12].proto='tcp'
firewall.@redirect[12].src='wan'
firewall.@redirect[12].src_dport='xxxx'
firewall.@redirect[12].dest='lan'
firewall.@redirect[12].dest_ip='192.168.11.5'
firewall.@redirect[12].dest_port='xxxx'
firewall.@redirect[13]=redirect
firewall.@redirect[13].target='DNAT'
firewall.@redirect[13].name='ccoturn'
firewall.@redirect[13].proto='tcp'
firewall.@redirect[13].src='wan'
firewall.@redirect[13].src_dport='xxxx'
firewall.@redirect[13].dest='lan'
firewall.@redirect[13].dest_ip='192.168.11.5'
firewall.@redirect[13].dest_port='xxxx'
firewall.@redirect[14]=redirect
firewall.@redirect[14].target='DNAT'
firewall.@redirect[14].name='certif'
firewall.@redirect[14].proto='tcp'
firewall.@redirect[14].src='wan'
firewall.@redirect[14].src_dport='xxxx'
firewall.@redirect[14].dest='lan'
firewall.@redirect[14].dest_port='xxxx'
firewall.@redirect[14].dest_ip='192.168.11.5'
firewall.@redirect[15]=redirect
firewall.@redirect[15].target='DNAT'
firewall.@redirect[15].name='apt-cache'
firewall.@redirect[15].proto='tcp'
firewall.@redirect[15].src='wan'
firewall.@redirect[15].src_dport='3142'
firewall.@redirect[15].dest='lan'
firewall.@redirect[15].dest_ip='192.168.11.5'
firewall.@redirect[15].dest_port='3142'

uci show dhcp

dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].ednspacket_max='1232'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv4='server'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_flags='managed-config' 'other-config'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'

ip -4 addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.11.1/24 brd 192.168.11.255 scope global br-lan
       valid_lft forever preferred_lft forever
8: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.51/24 brd 192.168.1.255 scope global wlan0
       valid_lft forever preferred_lft forever

ip -4 ro

default via 192.168.1.1 dev wlan0 
192.168.1.0/24 dev wlan0 scope link  src 192.168.1.51 
192.168.11.0/24 dev br-lan scope link  src 192.168.11.1

ip -4 ru

0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default

I hid (xxxx) some parameters for security reasons and changed the IPs to match my scheme.

Thank you very much.
Sorry for my poor English :confused: I hope you understood me.

  • With symmetric routing, turn off masquerade on the wan.
  • Install DHCP reservations for the sub routers in the main router.
  • The wan network cannot be a bridge if you want to use wifi AP-STA as the wan link. Remove the eth port from the wan network; wan will then have no device called out in /etc/config/network. The wireless attaches to it via the /etc/config/wireless config.
  • Disable DHCPv6 server in a v4 only network. In /etc/config/dhcp, remove the option dhcpv6 server line and the lines below it.

Hi, thank you very much for your answers.

=> Is it possible to keep the masquerade for the ISP ADSL box but deactivate it only for the OpenWrt routers?
=> Does this explain all the issues, or only the ping/traceroute ones?
=> Before I set the static routes and rebooted, I think I didn't have issues with DNS.

The IPs of the 3 OpenWrt routers are set manually in their configuration. Is it still necessary to reserve IPs for them in the ISP ADSL box?

I'm sorry, I don't understand this. Can you explain a little more?
Is it possible to do this modification through LuCI?

Is it possible to do this modification through LuCI?

Yes, that is what to do. In IPv4, the main router must masquerade to the Internet since your whole site has one IP from the ISP. Within your site, the sub routers do not masquerade, since they all have unique IP subnets and the main router has routes to them.

I did not notice that the wan network appeared to be a DHCP client. That is how I would do it: have the sub routers be DHCP clients, with their 192.168.1.X (X = 51, 52, etc.) reserved in the main router.

If you give the wan networks in the sub routers static IPs, make sure to specify the main router as the gateway and (usually) the DNS server. That is automatic if you use DHCP.

Your drawing seems to show that the links from the main router to the sub routers are WiFi. If that is the case, the wan network interface must attach only the wifi STA. Choose "unspecified" as the device in the network interface settings. In the wifi configuration, choose wan as the Network.
For testing, you could plug in Ethernet from the main router to a sub router's wan port in the same room, leaving the wan configuration at its default where it uses the Ethernet port. That will confirm that routes, Internet access, etc. work before switching over to a wireless link.

1 Like
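The points in the reply above (no masquerade on a routed sub-router, a wan that is not a bridge when the uplink is a wifi STA, no DHCPv6/RA on a v4-only LAN) as a check run over a `uci show` dump, written as an added example that is not part of the thread and not OpenWrt's own tooling. It also flags something visible in the posted firewall config but not discussed in the reply: the only forwarding section is lan => wan and the wan zone's forward policy is REJECT, so traffic arriving from the other sub-routers' subnets (the targets of the static routes) is rejected at the destination router. The Allow-sister-subnets rule it prints for that is this example's assumption, as is the SAMPLE dump, which is constructed from the posted configuration and cut down to the relevant lines. The functions return the findings and the `uci` commands rather than only printing them, so the same checks can be run against a full `uci show` capture.

```python
"""Added example (not from the thread or OpenWrt): lint a sub-router's `uci show` dump
for the reply's points.  SAMPLE is constructed from the posted config; fix 4 is assumed."""
import shlex
from collections import defaultdict

SAMPLE = """\
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].ipv6='0'
network.lan=interface
network.lan.device='br-lan'
network.wan=interface
network.wan.device='eth0.2'
network.wan.type='bridge'
network.@route[0]=route
network.@route[0].target='192.168.12.0/24'
wireless.wifinet0=wifi-iface
wireless.wifinet0.mode='sta'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].masq='1'
firewall.@zone[1].network='wan' 'wan6' 'wwan_BOX'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
"""

def parse_uci_show(text):
    """{package: {section: {option: value}}}; section type under '.type', quoted lists -> lists."""
    cfg = defaultdict(dict)
    for line in text.splitlines():
        key, sep, raw = line.strip().partition("=")
        if not sep:
            continue
        pkg, _, rest = key.partition(".")
        sec, _, opt = rest.partition(".")
        entry = cfg[pkg].setdefault(sec, {})
        if not opt:                      # "pkg.section=type"
            entry[".type"] = raw
        else:                            # "pkg.section.option='v1' 'v2'"
            vals = shlex.split(raw)
            entry[opt] = vals[0] if len(vals) == 1 else vals
    return cfg

def _of_type(cfg, pkg, typ):
    return [(n, s) for n, s in cfg.get(pkg, {}).items() if s.get(".type") == typ]

def _aslist(v):
    return v if isinstance(v, list) else [] if v is None else [v]

def lint_sub_router(cfg):
    """Return [(finding, [uci commands])] for a sub-router that is routed, not NATed."""
    out, net = [], cfg.get("network", {})
    wan_zones = [(n, z) for n, z in _of_type(cfg, "firewall", "zone") if z.get("name") == "wan"]
    wan_ifaces = {i for _, z in wan_zones for i in _aslist(z.get("network"))}
    # 1. Symmetric routing: the main router NATs to the ISP and holds routes to each subnet.
    for n, z in wan_zones:
        if z.get("masq") == "1":
            out.append((f"firewall.{n} (wan) masquerades; a routed sub-router should not",
                        [f"uci set firewall.{n}.masq='0'"]))
    # 2. A wifi STA cannot join a bridge: the wan it attaches to must be a plain interface.
    if any(w.get("mode") == "sta" for _, w in _of_type(cfg, "wireless", "wifi-iface")):
        for n in sorted(wan_ifaces):
            if net.get(n, {}).get("type") == "bridge":
                out.append((f"network.{n} is a bridge; an AP-STA uplink needs a plain wan",
                            [f"uci delete network.{n}.type", f"uci delete network.{n}.device"]))
    # 3. v4-only LAN: RAs to ff02::1 on a device with ipv6='0' fail with 'Network unreachable'.
    for n, d in _of_type(cfg, "dhcp", "dhcp"):
        dev = net.get(d.get("interface"), {}).get("device")
        v6_off = any(x.get("name") == dev and x.get("ipv6") == "0"
                     for _, x in _of_type(cfg, "network", "device"))
        if v6_off and "server" in (d.get("dhcpv6"), d.get("ra")):
            out.append((f"dhcp.{n} serves DHCPv6/RA on {dev}, which has ipv6='0'",
                        [f"uci delete dhcp.{n}.{k}" for k in ("dhcpv6", "ra", "ra_flags") if k in d]))
    # 4. Routes to sister subnets leave via wan, but nothing forwards wan->lan (assumed fix).
    sister = [r["target"] for _, r in _of_type(cfg, "network", "route") if "target" in r]
    wan_to_lan = any(f.get("src") == "wan" and f.get("dest") == "lan"
                     for _, f in _of_type(cfg, "firewall", "forwarding"))
    if sister and not wan_to_lan and all(z.get("forward") != "ACCEPT" for _, z in wan_zones):
        cmds = ["uci add firewall rule", "uci set firewall.@rule[-1].name='Allow-sister-subnets'",
                "uci set firewall.@rule[-1].src='wan'", "uci set firewall.@rule[-1].dest='lan'",
                "uci set firewall.@rule[-1].target='ACCEPT'"]
        cmds += [f"uci add_list firewall.@rule[-1].src_ip='{s}'" for s in sister]
        out.append((f"no wan->lan forwarding for routed subnets {', '.join(sister)}", cmds))
    return out

def fix_commands(findings):
    """Flatten findings into the command list to paste on the sub-router, ending in commit."""
    cmds = [c for _, fix in findings for c in fix]
    return cmds + ["uci commit"] if cmds else []

if __name__ == "__main__":
    findings = lint_sub_router(parse_uci_show(SAMPLE))
    print("\n".join(f"- {m}" for m, _ in findings) + "\n\n" + "\n".join(fix_commands(findings)))
```

Run it on a sub-router with `uci show > /tmp/dump.txt` and pass that text to `parse_uci_show` instead of SAMPLE; review the printed commands before pasting them, since `uci commit` is included and the sister-subnet rule opens the wan zone to those source prefixes only.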

=> Nice :), I don't want my ISP ADSL box router to know all the clients behind the 3 OpenWrt routers. It only has to know these 3 routers and pass all requests destined for 192.168.11.x, 192.168.12.x and 192.168.13.x to them.
=> But how can I set this up?

=> My ISP ADSL box DHCP server range is configured between 1 and 50. So on the first OpenWrt router I set "Network" => "Interfaces" => "WWAN_BOX" (wlan0) => "Edit" => "General settings" => "IPv4 address" => "192.168.1.51" (and likewise on the other two with 192.168.1.52 and 192.168.1.53).
Is it still better to set it inside the ISP ADSL box?

=> Correct (no special wifi like mesh or whatever, only "classic" wifi).

=> I'm trying to understand: should I go to "Network" => "Wireless" => "internal" (the wifi AP provided by the OpenWrt router) => "Edit" => "General setup" => "Network" and uncheck lan, leaving only wan checked?
=> Will the OpenWrt router's wifi clients still be able to see the same router's RJ45 clients?