Hey there,
I have an upstream router on the 192.168.1.0/24 subnet that has connectivity to the internet. I have a fresh install of OpenWrt, and I changed the LAN bridge to use the 192.168.2.0/24 subnet, which successfully issues DHCP leases to clients on the correct subnet. Further, I left the WAN interface in its default configuration (DHCP client), and it successfully receives a valid DHCP lease from the upstream router. To confirm this, I SSH'd into the router via the LAN interface and tested ping/nslookup/etc. to the public internet, which works with no issues at all. I also left the default firewall rules, which allow forwarding from the LAN zone to the WAN zone, with no configuration changes. However, I am unable to reach any devices connected to the WAN subnet, including the WAN IP address that I received from the upstream router via DHCP. I hope I provided enough details/context, as I barely changed any configuration settings, but if there are any further details you need in order to help, please let me know. Thanks in advance, I appreciate your help.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
Please see below:
root@OpenWrt:~# ubus call system board
{
"kernel": "5.10.138",
"hostname": "OpenWrt",
"system": "Qualcomm Atheros QCA550X ver 1 rev 0",
"model": "TP-Link Archer A9 v6",
"board_name": "tplink,archer-a9-v6",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "22.03.0",
"revision": "r19685-512e76967f",
"target": "ath79/generic",
"description": "OpenWrt 22.03.0 r19685-512e76967f"
}
}
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd19:d68a:b764::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.2.1'
config device
option name 'eth0.2'
option macaddr 'x'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'pci0000:00/0000:00:00.0'
option channel '36'
option band '5g'
option htmode 'VHT80'
option disabled '1'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option masq '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
b3ckyblu3:
"version": "22.03.0",
You should update. The version you are using is end-of-life (EOL) and no longer supported.
https://firmware-selector.openwrt.org/?version=23.05.4&target=ath79%2Fgeneric&id=tplink_archer-a9-v6
Meanwhile, what is the output of:
ifstatus wan | grep address
Ok will do, thanks.
Please note that the WAN interface works just fine locally from the OpenWRT shell, but doesn't work from LAN > WAN.
Please find the output below:
root@OpenWrt:~# ifstatus wan | grep address
"addresses",
"ipv4-address": [
"address": "192.168.1.70",
"ipv6-address": [
"ipv4-address": [
"ipv6-address": [
It should theoretically work. How are you testing and what are the errors you see?
Have you restarted your openwrt router and forced the clients to get a new dhcp lease?
Sorry, I'm stupid and did my tests from the OpenWRT shell again lol (where everything works). I still am experiencing the same issues from the LAN.
From your computer, run the following:
ping 192.168.2.1
ping 192.168.1.1
ping 8.8.8.8
ping openwrt.org
Show the results.
Please see below:
becky@ubuntu:~$ ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=0.341 ms
64 bytes from 192.168.2.1: icmp_seq=2 ttl=64 time=0.227 ms
64 bytes from 192.168.2.1: icmp_seq=3 ttl=64 time=0.310 ms
64 bytes from 192.168.2.1: icmp_seq=4 ttl=64 time=0.291 ms
^C
--- 192.168.2.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3098ms
rtt min/avg/max/mdev = 0.227/0.292/0.341/0.041 ms
becky@ubuntu:~$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
^C
--- 192.168.1.1 ping statistics ---
14 packets transmitted, 0 received, 100% packet loss, time 13335ms
becky@ubuntu:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
11 packets transmitted, 0 received, 100% packet loss, time 10227ms
becky@ubuntu:~$ ping openwrt.org
ping: openwrt.org: Temporary failure in name resolution
becky@ubuntu:~$ nslookup google.ca
;; Got SERVFAIL reply from 127.0.0.53
Server: 127.0.0.53
Address: 127.0.0.53#53
** server can't find google.ca: SERVFAIL
Also worth noting I cannot reach 192.168.1.70 (WAN IP) either from the LAN.
What is the full output of ifstatus wan
Please see below:
root@OpenWrt:~# ifstatus wan
{
"up": true,
"pending": false,
"available": true,
"autostart": true,
"dynamic": false,
"uptime": 2945,
"l3_device": "eth0.2",
"proto": "dhcp",
"device": "eth0.2",
"updated": [
"addresses",
"routes",
"data"
],
"metric": 0,
"dns_metric": 0,
"delegation": true,
"ipv4-address": [
{
"address": "192.168.1.70",
"mask": 24
}
],
"ipv6-address": [
],
"ipv6-prefix": [
],
"ipv6-prefix-assignment": [
],
"route": [
{
"target": "0.0.0.0",
"mask": 0,
"nexthop": "192.168.1.254",
"source": "192.168.1.70/32"
}
],
"dns-server": [
"1.1.1.1",
"1.0.0.1",
"192.168.1.254"
],
"dns-search": [
],
"neighbors": [
],
"inactive": {
"ipv4-address": [
],
"ipv6-address": [
],
"route": [
],
"dns-server": [
],
"dns-search": [
],
"neighbors": [
]
},
"data": {
"dhcpserver": "192.168.1.254",
"leasetime": 86400
}
}
Looks like the gateway is actually 192.168.1.254.
Can you ping that from your computer?
Nope, same issue, I cannot ping any devices on the 192.168.1.0/24 network including the OpenWRT WAN interface (192.168.1.70), nor the upstream gateway interface (192.168.1.254) as seen below:
becky@ubuntu:~$ ping 192.168.1.254
PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data.
^C
--- 192.168.1.254 ping statistics ---
70 packets transmitted, 0 received, 100% packet loss, time 70656ms
becky@ubuntu:~$ ping 192.168.1.70
PING 192.168.1.70 (192.168.1.70) 56(84) bytes of data.
^C
--- 192.168.1.70 ping statistics ---
21 packets transmitted, 0 received, 100% packet loss, time 20464ms
Have you verified that the upstream router is working right now? Plug a computer directly into the main router.
Yes, I am writing to you from another machine connected directly into my upstream router working with no issues, among other devices directly connected to it again with no issues. The only problems are with OpenWRT LAN bridge.
The best course of action is to upgrade to the latest OpenWrt release (linked earlier). Do not keep settings. When it is done, change the LAN IP and try again.
Ok, I'll give that a try and report back. Thanks for such prompt help, I really appreciate it!
Just FYI, I experienced the exact same problem. However, when I manually obtained a new DHCP lease from the LAN interface, everything worked, which is extremely strange; I'm not sure why that's the case. Prior to this, I was just unplugging and replugging my ethernet cable, but it must have been using a cached lease. I am very confused about why this would have solved the problem, but I just wanted to let you (and other users) know what solved it. Thanks again for all your help!