Cannot access every webpage and destination port unreachable

Hello,
I am using a server as an OpenWrt router with an external modem. I establish the connection via DS-Lite. I am able to access openwrt.org and google. However, for several pages (e.g. web.de or stackexchange) I get the error that the address could not be found. When I ping web.de from a LAN device I get the following response from the OpenWrt router: Destination Port Unreachable. However, if I ping directly from the OpenWrt router it works flawlessly. Furthermore, if I turn off the firewall I am able to access the websites. Any ideas what the problem is?

Thank you in advance.


Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thank you for your answer. I do not have a wireless adapter, so I can only share the other three configurations. This is my network configuration:

# /etc/config/network as posted by the thread author.
# Loopback interface, static 127.0.0.1/8.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# IPv6 ULA prefix (fd00::/8 space) used for local addressing.
config globals 'globals'
	option ula_prefix 'fd52:d943:cf77::/48'

# LAN: a bridge over eth1 with a static 192.168.1.1/24 address;
# ip6assign '60' requests a /60 of the delegated prefix for this interface.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# WAN: PPPoE on eth0.40 (presumably VLAN 40 on eth0 towards the modem) with IPv6 enabled.
# NOTE(review): the credentials below are the values as posted; the thread asked for
# passwords to be redacted, so treat them as placeholders and never publish real PPPoE secrets.
config interface 'wan'
	option ifname 'eth0.40'
	option proto 'pppoe'
	option password '123456'
	option ipv6 '1'
	option username 'user123'

# WAN6: DHCPv6 on the PPPoE link ('@wan' is an alias of the wan interface);
# tries to obtain an address and a delegated prefix automatically.
config interface 'wan6'
	option proto 'dhcpv6'
	option ifname '@wan'
	option reqaddress 'try'
	option reqprefix 'auto'

# WAN4: DS-Lite tunnel carrying IPv4 over the wan6 IPv6 link to the provider's AFTR.
# NOTE(review): this is the interface that actually carries LAN IPv4 traffic to the
# internet, yet it is not a member of any zone in the posted /etc/config/firewall
# (the 'wan' zone lists only 'wan' and 'wan6').
config interface 'wan4'
	option proto 'dslite'
	option peeraddr 'aftr.prod.m-online.net'
	option encaplimit 'ignore'
	option tunlink 'wan6'
	option ifname 'wan'

This is my dhcp configuration:

# /etc/config/dhcp as posted by the thread author.
# dnsmasq (DNS forwarder / DHCPv4): local zone 'lan', upstream resolvers from
# /tmp/resolv.conf.auto, DNS rebind protection enabled, and localservice '1' so
# queries are only answered for local subnets.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'
	option rebind_protection '1'

# DHCPv4 pool on the LAN (hosts .100 to .249, 12h leases);
# DHCPv6 and router advertisements are served on the LAN as well.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

# No DHCP service on the WAN side.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# odhcpd handles DHCPv6/RA; maindhcp '0' leaves DHCPv4 to dnsmasq.
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

This is my firewall configuration:

# /etc/config/firewall as posted by the thread author.
# Policy for traffic that matches no zone: input and output are accepted,
# forwarding is REJECTed. REJECT answers with an ICMP error (iptables' default is
# port-unreachable), which is consistent with the "Destination Port unreachable"
# that LAN clients reported in this thread.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# LAN zone: everything allowed, with logging of rejected/dropped packets enabled.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option log '1'

# WAN zone: unsolicited input and forwarding rejected, NAT (masq) and MSS clamping on.
# NOTE(review): only 'wan' and 'wan6' are members. The DS-Lite interface 'wan4' from
# /etc/config/network is in no zone, so LAN IPv4 traffic leaving through the tunnel is
# not covered by the lan->wan forwarding below and falls through to the default
# forward 'REJECT' above. Adding 'wan4' to this zone is what resolved the thread.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option log '1'

# Allow LAN hosts to reach the WAN zone (only interfaces that are members of 'wan').
config forwarding
	option src 'lan'
	option dest 'wan'

# The rules below are the stock OpenWrt defaults: the minimum inbound traffic the
# router itself needs (DHCP renew, ICMP/ICMPv6, IGMP/MLD) and IPsec pass-through.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# IPv4 echo requests from the WAN are answered (the router is pingable from outside).
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# DHCPv6 only from/to link-local/ULA-range sources (fc00::/6).
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# MLD (multicast listener) messages from link-local sources only.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 needed for IPv6 to function (errors, PMTU, ND/RA), rate-limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Same ICMPv6 error/echo types forwarded to any zone (dest '*'), rate-limited.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# IPsec pass-through from the WAN into the LAN: ESP and IKE (UDP/500).
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Additional hand-written rules are sourced from this script, if present.
config include
	option path '/etc/firewall.user'

Thank you for your help.

I'm not sure if this is the issue, but under your WAN and LAN firewall zones you may want to remove

list network 'wan'
list network 'wan6'

and replace it with

option network 'wan wan6'

Also, what IP address do you see on the WAN? If it is 192.168.1.x, the issue is an overlapping subnet between WAN and LAN, and changing your LAN IP to some other subnet will fix it.

@psherman, that part looks fine:

@ashold7, try to add the wan4 interface to the wan firewall zone. Your wan zone only lists wan and wan6, so the IPv4 traffic that goes through the DS-Lite tunnel (wan4) is not covered by the lan → wan forwarding and ends up at the default forward REJECT, which is what produces the "Destination Port unreachable" on the LAN client.


@vgaetera I will give your suggestion a try, thank you for your help.

@psherman What do you mean by the WAN IP? The public IP from the provider, or which IP? And how can I check the WAN IP?

When you look at the main web interface "Status" page, you will see "IPv4 upstream" (you can also look at the Network > Interfaces screen and see the WAN IPv4 address; or use the command `ip address` when ssh'd into the device and look at the interface that maps to your WAN).
If you have a public IP address, you do not need to worry about subnet overlap. However, if you are behind another router (often home routers, but even that of small ISPs/WISPs) and the upstream router provides an address in the 192.168.1.0/24 network to your WAN, you will have a conflict.


@psherman I do not have another router in between. It is just the modem and then OpenWrt.

Ok... as long as the WAN is not in the 192.168.1.0/24 network, subnet overlap is not the issue.


@vgaetera It worked. Thank you very much.

