Cannot access Internet with Linksys WRT3200ACM (Solved)

Hello,

I have a WRT3200ACM and I would like to set up 2.4GHz and 5GHz Wi-Fi. The Wi-Fi network shows up, but I cannot access the Internet, either over Wi-Fi or over LAN. Here are my config files:

cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd4:95fb:2e8f::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option proto 'dhcp'
	option ifname 'eth1.2'

config interface 'wan6'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option ifname 'eth1.2'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	# NOTE(review): port 5 is listed here untagged while VLAN 1 above also carries
	# it tagged ('5t'), so the same switch port is a member of both the LAN-side and
	# the WAN-side VLAN. Verify against the device's default port map before relying
	# on the VLANs to keep LAN and WAN traffic separate.
	option ports '4 5 6t'

cat /etc/config/firewall

# Global firewall defaults; the zone sections below set their own per-zone policies.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	# NOTE(review): the default forward policy is ACCEPT here. The stock OpenWrt
	# firewall config is believed to ship REJECT for this option (confirm); with
	# ACCEPT, forwarded traffic that no zone policy or rule decides is let through.
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	# NOTE(review): 'wan6' is the DHCPv6 interface on eth1.2, the same device as
	# 'wan' in /etc/config/network. Listing it here puts the upstream-facing IPv6
	# interface in the zone whose input policy is ACCEPT, so services on the router
	# are likely reachable from upstream over IPv6. The wan zone lists only 'wan';
	# 'wan6' normally belongs there as well.
	option network 'lan wan6'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	option forward 'DROP'
	option network 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

# Runs miniupnpd's firewall script when the firewall is loaded and, because of
# reload '1', on every reload.
# NOTE(review): miniupnpd answers UPnP/NAT-PMP port-mapping requests; which
# clients and ports are allowed is decided in its own config, not here — review it
# if inbound exposure matters.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

# Runs /usr/lib/bcp38/run.sh when the firewall is loaded and, because of
# reload '1', on every reload. The include is declared for IPv4 only.
# NOTE(review): the networks it blocks come from /etc/config/bcp38, which is not
# shown. With the WAN address 192.168.1.37 behind another router, check that the
# upstream 192.168.1.0/24 network is excepted (a nomatch entry or detect_upstream),
# otherwise traffic to the upstream gateway itself may be rejected.
config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'
	option family 'IPv4'
	option reload '1'

config forwarding
	option dest 'wan'
	option src 'lan'

How could I resolve this issue ?

Thanks a lot for your help,
DeenOub

One would imagine that listing related information would help...

WAN --> Any IP address(?)
Is it behind another router or does your provider use CGNAT? If so does it use the same /24 network range?

Thank you for your answer.

My router is behind another one. Internet works perfectly when I am connected to that one, and its IP address is not the same as my Linksys router's.

The WAN IP address is 192.168.1.37

Why does port 5 appear on both VLAN 1 and VLAN 2? Is your set-up different to the default configuration?

I don't remember changing it :thinking:. Should I go back to the default configuration?

The modification I made to the default configuration was assigning the WAN interface to the LAN firewall zone.

Edit : I also changed IP Address of the LAN from 192.168.1.1 to 192.168.2.1.
Now I changed my configuration to get back to firewall-zone assigned to WAN (instead of LAN), and I disabled the 2.4GHz WAN connection.

Here are the results of my Ethernet connection :
image

Even with that, I can't access the Internet through the LAN cable.

@DeenOub, welcome to the community!

  • What does this mean?
  • Why?
  • Speaking of, why did you place the WAN6 interface under LAN firewall zone - and have you fixed that too?

Doesn't this config exist by default?

What's in this script?

To be clear, this is after:

  • resetting back to defaults
  • changing LAN IP to 192.168.2.1
  • enabling 2.4 and 5.4 GHz wireless

correct?

Hello lleachii, thanks a lot for your time !

  • In Network > Interfaces, I edited WAN to be under the LAN firewall zone to check whether that was the cause. I thought this was needed to get Internet access. But even without it (with the default configuration), I couldn't access the Internet.
    Then I put it back to the default configuration.

Indeed, there are two radios by default and I had to enable the Wi-Fi network on both of them.

#!/bin/sh
# BCP38 filtering implementation for CeroWrt.
#
# This program is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
# Foundation; either version 3 of the License, or (at your option) any later
# version.
#
# Author: Toke Høiland-Jørgensen <toke@toke.dk>

# First positional argument. run() only installs rules while this is empty, so
# any non-empty argument leaves the script doing teardown only.
STOP=$1
# Name of the ipset that holds the networks to filter.
IPSET_NAME=bcp38-ipv4
# Name of the iptables chain that holds the filtering rules.
IPTABLES_CHAIN=BCP38

# Shell helper library; presumably provides the config_* helpers used below — confirm.
. /lib/functions.sh

# Load the 'bcp38' configuration so the config_* calls can read it.
config_load bcp38

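# Add one network to the BCP38 ipset.
# Globals:   IPSET_NAME (read)
# Arguments: $1 - address or CIDR network to add
#            $2 - "nomatch" adds the entry as an exception to the set; any
#                 other value (including none) adds a normal entry
# Returns:   exit status of the ipset call
add_bcp38_rule()
{
	local subnet="$1"
	local action="$2"

	# POSIX test(1) only defines '=' for string equality; '==' is an extension
	# that not every /bin/sh accepts, and this script runs under #!/bin/sh.
	if [ "$action" = "nomatch" ]; then
		ipset add "$IPSET_NAME" "$subnet" nomatch
	else
		ipset add "$IPSET_NAME" "$subnet"
	fi
}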

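# Except directly connected upstream networks from the BCP38 filter.
#
# For every "scope link" route on the given interface, the network address is
# tested against the ipset; on a hit the whole prefix is added as a nomatch
# exception. This deliberately relaxes the filter for that prefix, so the
# interface passed in should be the upstream one and nothing else.
#
# Globals:   IPSET_NAME (read)
# Arguments: $1 - interface whose link-scope routes are inspected
detect_upstream()
{
	local interface="$1"
	# Keep the working variables out of the global scope.
	local subnets subnet addr

	subnets=$(ip route show dev "$interface" | awk '/scope link/ {print $1}')
	# Word splitting is intended here: one route prefix per word.
	for subnet in $subnets; do
		# ipset test doesn't work for subnets, so strip the /prefix-length
		# part and test the bare address instead.
		addr=${subnet%/*}
		ipset test "$IPSET_NAME" "$addr" 2>/dev/null && add_bcp38_rule "$subnet" nomatch
	done
}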

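# Set up BCP38 filtering for one configuration section.
#
# Rules are installed only when the section is enabled, names an interface,
# and the script was started without an argument (STOP empty).
#
# Globals:   STOP (read)
# Arguments: $1 - name of the configuration section to process
# Returns:   does not return; always ends the script with status 0
run() {
	local section="$1"
	local enabled
	local interface
	local detect_upstream

	config_get_bool enabled "$section" enabled 0
	config_get interface "$section" interface
	# Read as a boolean with default 0, like 'enabled'. A raw config_get leaves
	# the value empty when the option is unset (or as text such as 'true'),
	# which makes the numeric test below fail with an error.
	config_get_bool detect_upstream "$section" detect_upstream 0

	if [ "$enabled" -eq 1 ] && [ -n "$interface" ] && [ -z "$STOP" ]; then
		setup_ipset
		setup_iptables "$interface"
		config_list_foreach "$section" match add_bcp38_rule match
		config_list_foreach "$section" nomatch add_bcp38_rule nomatch
		if [ "$detect_upstream" -eq 1 ]; then
			detect_upstream "$interface"
		fi
	fi
	# exit, not return: the script ends here, so a caller that iterates over
	# several sections never reaches the second one.
	# NOTE(review): confirm that single-section handling is intended.
	exit 0
}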

# Create the BCP38 ipset (hash:net, IPv4 only) and empty it.
# Globals: IPSET_NAME (read)
setup_ipset()
{
	local set_name="$IPSET_NAME"

	# Both commands always run; the flush does not depend on the create
	# having succeeded.
	ipset create "$set_name" hash:net family ipv4
	ipset flush "$set_name"
}

# Create the BCP38 chain, hook it into the firewall and fill it.
#
# Only iptables is used here, so the filter covers IPv4 traffic only.
#
# Globals:   IPTABLES_CHAIN, IPSET_NAME (read)
# Arguments: $1 - interface the set is matched against
setup_iptables()
{
	local wan_if="$1"
	local hook

	# Create the chain, or empty it if it is already there; errors are silenced.
	iptables -N "$IPTABLES_CHAIN" 2>/dev/null
	iptables -F "$IPTABLES_CHAIN" 2>/dev/null

	# Send every NEW connection seen in these three chains through BCP38.
	for hook in output_rule input_rule forwarding_rule; do
		iptables -I "$hook" -m conntrack --ctstate NEW -j "$IPTABLES_CHAIN"
	done

	# DHCP is let through first, before either set match is evaluated.
	iptables -A "$IPTABLES_CHAIN" -p udp --dport 67:68 --sport 67:68 -j RETURN
	# Leaving via the interface towards an address in the set: reject.
	iptables -A "$IPTABLES_CHAIN" -o "$wan_if" -m set --match-set "$IPSET_NAME" dst -j REJECT --reject-with icmp-net-unreachable
	# Arriving on the interface from an address in the set: drop silently.
	iptables -A "$IPTABLES_CHAIN" -i "$wan_if" -m set --match-set "$IPSET_NAME" src -j DROP
}

# Empty and remove the BCP38 ipset; errors (such as a missing set) are silenced.
# Globals: IPSET_NAME (read)
destroy_ipset()
{
	local verb

	# Flush first, then destroy.
	for verb in flush destroy; do
		ipset "$verb" "$IPSET_NAME" 2>/dev/null
	done
}

# Unhook the BCP38 chain from the firewall, then empty and delete it.
# Errors (for example when nothing was installed yet) are silenced.
# Globals: IPTABLES_CHAIN (read)
destroy_iptables()
{
	local hook

	# Remove the jump from each chain it was inserted into.
	for hook in output_rule input_rule forwarding_rule; do
		iptables -D "$hook" -m conntrack --ctstate NEW -j "$IPTABLES_CHAIN" 2>/dev/null
	done

	# The chain has to be flushed before -X is issued.
	iptables -F "$IPTABLES_CHAIN" 2>/dev/null
	iptables -X "$IPTABLES_CHAIN" 2>/dev/null
}

# Always tear down whatever an earlier invocation installed, so that a reload
# starts from a clean state and a non-empty first argument just stops filtering.
destroy_iptables
destroy_ipset
# Hand the 'bcp38' sections to run(); presumably config_foreach calls it once
# per section — confirm. run() itself ends the script with exit 0.
config_foreach run bcp38

exit 0

Correct. 2.4GHz and 5.2GHz to be precise.

Thank you for your help.

Do you know what this script does?

It seems to work now: I reset everything to defaults once again, changed only my IP address to 192.168.2.1 (over SSH), and enabled the two Wi-Fi networks. I must have done something wrong when modifying the interface and the rest. Thank you all!
