Cannot forward packets from WiFi to USB Modem

aobs · July 1, 2018, 1:27pm

Computer: Onion Omega2S
OS: LEDE 17.01

I am setting up the Omega2S as a hotspot router and have connected a ME906s-158 modem to the USB port.

I can connect to the computer by running ssh root@omega-39FF.local on my MAC. "omega-39FF" is the SSID.

I can access the internet by ping 8.8.8.8.

But when I connect my mobile phone to the omega-39FF WiFi network & open a browser, I cannot connect to the internet.

I am not too familiar with LEDE. On Debian, I set up forwarding using iptables. So, I tried setting up using iptables, but it did not work.

iptables -t nat -A POSTROUTING -o usb0 -j MASQUERADE
iptables -A FORWARD -i wlan -o usb0 -j ACCEPT

Running ip addr shows

4: usb0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether 02:1e:10:1f:00:00 brd ff:ff:ff:ff:ff:ff
    inet 100.xxx.96.3/29 brd 100.xxx.96.7 scope global usb0
       valid_lft forever preferred_lft forever
    inet6 fe80::1e:10ff:fe1f:0/64 scope link 
       valid_lft forever preferred_lft forever
6: apcli0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 1000
    link/ether 40:a3:6b:c0:39:00 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::42a3:6bff:fec0:3900/64 scope link 
       valid_lft forever preferred_lft forever
7: br-wlan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 40:a3:6b:c0:39:ff brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.1/24 brd 192.168.3.255 scope global br-wlan
       valid_lft forever preferred_lft forever
    inet6 fd1d:48c4:7633::1/60 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::42a3:6bff:fec0:39ff/64 scope link 
       valid_lft forever preferred_lft forever

I tried configuring a usb zone in /etc/config/firewall, but I still could not access the internet from my mobile phone.

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option disable_ipv6 '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'wlan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wwan'
	option input 'ACCEPT'

config zone
	option name 'usb'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'usb'
	list network 'wlan'
	option input 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'usb'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

I believe FORWARDING is not set up properly. Any help is appreciated.

mk24 · July 1, 2018, 7:57pm

The most straightforward way to do this is to start from a default configuration of the networks and firewall. Install the USB drivers. Detach the wan network from the Ethernet port and attach it to the USB device instead.

In your config, the usb zone should contain only the usb device. There should be a forwarding rule from lan to usb, and not one from lan to wan. The wan network and firewall zone is going to be unused.

aobs · July 5, 2018, 12:22pm

Thanks for the advice. I have modified the /etc/config/firewall, but still cannot get internet access on my mobile's phone browser after connecting the WiFi to the Omega's access point.

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option disable_ipv6 '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wlan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wwan'
        option input 'ACCEPT'

config zone
        option name 'usb'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'usb'
        option input 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'usb'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule                            
        option name 'Allow-DHCPv6'     
        option src 'wan'               
        option proto 'udp'             
        option src_ip 'fc00::/6'       
        option dest_ip 'fc00::/6'      
        option dest_port '546'         
        option family 'ipv6'           
        option target 'ACCEPT'         
                                       
config rule                            
        option name 'Allow-MLD'        
        option src 'wan'               
        option proto 'icmp'            
        option src_ip 'fe80::/10'      
        list icmp_type '130/0'         
        list icmp_type '131/0'         
        list icmp_type '132/0'         
        list icmp_type '143/0'         
        option family 'ipv6'           
        option target 'ACCEPT'         
                                       
config rule                            
        option name 'Allow-ICMPv6-Input'
        option src 'wan'                
        option proto 'icmp'             
        list icmp_type 'echo-request'   
        list icmp_type 'echo-reply'     
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'         
        list icmp_type 'time-exceeded'          
        list icmp_type 'bad-header'             
        list icmp_type 'unknown-header-type'    
        list icmp_type 'router-solicitation'    
        list icmp_type 'neighbour-solicitation' 
        list icmp_type 'router-advertisement'   
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'                 
        option family 'ipv6'                    
        option target 'ACCEPT'                  
                                                
config rule                                     
        option name 'Allow-ICMPv6-Forward'      
        option src 'wan'                        
        option dest '*'                         
        option proto 'icmp'                     
        list icmp_type 'echo-request'           
        list icmp_type 'echo-reply'             
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'         
        list icmp_type 'time-exceeded'          
        list icmp_type 'bad-header'             
        list icmp_type 'unknown-header-type'    
        option limit '1000/sec'                 
        option family 'ipv6'                    
        option target 'ACCEPT'          

        config include                                  
        option path '/etc/firewall.user'        
                                                
config rule                                     
        option src 'wan'                        
        option dest 'lan'                       
        option proto 'esp'                      
        option target 'ACCEPT'                  
                                                
config rule                                     
        option src 'wan'                        
        option dest 'lan'                       
        option dest_port '500'                  
        option proto 'udp'                      
        option target 'ACCEPT'