Can't connect to the internet from LAN

I'm pulling what little hair I have left as I think I'm missing something dumb. But, I can't get devices on the LAN to connect to the Internet. From Luci diagnostics I can ping, traceroute and nslookup just fine. From the computer on the LAN, I get a correctly DHCP assigned IP and it correctly lists the OpenWRT router as the DNS. However, I cannot ping, traceroute or nslookup anything including the OpenWRT router itself. I also cannot load Luci from the computer on the LAN. Bizarrely though, DNS queries are being reported in the System Log (I enabled that option). I don't know what I've done wrong!

It is a double NAT setup on purpose and the external subnet is 10.100.100.1/24.

uci export network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'eth0'
	option macaddr '5a:11:b5:cc:6f:cf'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option ipv6 '0'
	option delegate '0'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'
	option auto '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	option ipv6 '0'

config device
	option name 'eth1'
	option macaddr '5a:11:b5:cc:6f:d0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	option delegate '0'
	option ipv6 '0'
	list ipaddr '10.72.238.1/24'

config interface 'docker'
	option device 'docker0'
	option proto 'none'
	option auto '0'

config device
	option type 'bridge'
	option name 'docker0'

config interface 'vpn'
	option proto 'none'
	option device 'tun0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option delegate '0'

config device
	option name 'tun0'
	option ipv6 '0'

uci export dhcp

package dhcp

# dnsmasq (DNS forwarder + DHCPv4 server) settings for the router.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	# Answer only DNS queries that arrive from directly attached subnets.
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	# Names under .vpn are resolved locally and never forwarded upstream.
	option local '/vpn/'
	option domain 'vpn'
	# DNS rebind protection is switched OFF here: upstream answers that resolve
	# to private addresses are no longer discarded. Re-enable it ('1') unless a
	# public name must deliberately resolve to a LAN address - in that case
	# whitelist that name with 'list rebind_domain' instead of disabling the check.
	option rebind_protection '0'
	# Writes every DNS query to the system log (enabled by the OP for debugging,
	# which is why queries show up in the log). Noisy and records all client
	# lookups - turn off again once the troubleshooting is done.
	option logqueries '1'

# DHCPv4 pool for the LAN: 10.72.238.100 - .249 (start 100, limit 150).
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

# No DHCP service on the upstream-facing interface.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# odhcpd handles only DHCPv6/RA; maindhcp '0' leaves DHCPv4 to dnsmasq.
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Static host entry: the router's own LAN address under the local domain.
config domain
	option name 'rscwealthstream.vpn'
	option ip '10.72.238.1'

uci export firewall

package firewall

# Fallback policies for traffic on interfaces that are not assigned to any
# zone. Every interface in this config belongs to a zone, so the zone sections
# below are what actually decides; ACCEPT here is nevertheless looser than it
# needs to be.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	# fullcone NAT is not a stock OpenWrt firewall option (it comes from patched
	# third-party builds). The thread advises removing every fullcone line.
	option fullcone '1'
	option forward 'ACCEPT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	# 'forward' is the intra-zone policy (traffic between the networks listed in
	# this zone). Traffic to other zones is governed by the 'forwarding' sections.
	option forward 'ACCEPT'
	list network 'lan'
	# 'vpn' is also the network of the dedicated vpn zone further down. A network
	# should be assigned to exactly one zone; the thread removes it from lan.
	list network 'vpn'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	# REJECT for input/forward is the correct policy for the upstream side even
	# behind another NAT (the upstream network is not necessarily trusted). The
	# individual wan rules below open exactly what is needed.
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# Not stock options, see 'defaults' above; the thread advises removing them.
	option fullcone4 '1'
	option fullcone6 '1'
	option masq '1'
	option mtu_fix '1'

# LAN clients may initiate connections toward the upstream network (NAT path).
config forwarding
	option src 'lan'
	option dest 'wan'

# Allow-DHCP-Renew through Allow-ISAKMP are the stock OpenWrt default rules.
# The IPv6 ones are disabled ('enabled 0'), consistent with ipv6 '0' in network.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

# Stock rules: IPsec ESP and IKE (udp/500) from wan into lan. No family is set,
# so they match both IPv4 and IPv6. Remove if no IPsec endpoint lives on the LAN.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# UPnP: lets hosts behind the router open inbound ports on wan on demand.
# Worth a conscious decision when the upstream network is not under your control.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'

# Rejects all IPv6 from wan regardless of destination. Rules are applied in
# order, so the SSH/LuCI rules listed after this one effectively apply to IPv4 only.
config rule
	option name 'Reject-IPv6'
	option family 'ipv6'
	option src 'wan'
	option dest '*'
	option target 'REJECT'

# Fully permissive zone for the docker0 bridge. No 'forwarding' section
# references it, so it is not wired to lan, vpn or wan here.
config zone 'docker'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'docker'
	list network 'docker'

# Management exposure toward the upstream network: SSH (22) and the LuCI web UI
# (80/443) are reachable from wan. The thread itself notes that a double-NAT
# upstream (hotel/cafe wifi) is not necessarily trusted - restrict these with
# 'option src_ip' to the admin host(s), or drop them and manage via LAN/VPN.
config rule
	option name 'Allow-SSH'
	list proto 'tcp'
	option src 'wan'
	option dest_port '22'
	option target 'ACCEPT'

# The one wan input rule the VPN server needs; matches 'port 7314' / 'proto udp'
# in VPNServer.ovpn.
config rule
	option name 'Allow-OpenVPN'
	list proto 'udp'
	option src 'wan'
	option dest_port '7314'
	option target 'ACCEPT'

config rule
	option name 'Allow-LuCI'
	list proto 'tcp'
	option src 'wan'
	option dest_port '80'
	option target 'ACCEPT'

config rule
	option name 'Allow-LuCI-https'
	list proto 'tcp'
	option src 'wan'
	option dest_port '443'
	option target 'ACCEPT'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'vpn'
	# Hides VPN clients (10.72.237.x) behind the router's address on the
	# destination zone, which also hides them from LAN-side logs. The thread
	# advises turning this off; presumably LAN hosts already use this router as
	# their gateway, so return traffic to the tunnel subnet finds its way back.
	option masq '1'

# VPN clients <-> LAN in both directions, and VPN clients out to the internet.
config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'vpn'
	option dest 'wan'

# A rule with 'src' but no 'dest' is an INPUT rule (traffic to the router
# itself). The lan zone already has input ACCEPT, so this adds nothing; the
# thread says to remove it entirely.
config rule
	option name 'Allow LAN to Router'
	option src 'lan'
	option target 'ACCEPT'

Try changing the firewall wan forward and/or input to ACCEPT and see what happens then.
Sometimes toggling promiscuous mode on the bridge device helps too.

You've got a bunch of stuff going on here...

Let's start here:

  • is the VPN configuration running on the OpenWrt router a server or client?

No, please don't do this (as a general thing), as it will not help. It is actually dangerous to do this as it exposes the router directly to the internet.

In the specific case of this thread, it will not likely be a problem since the OP mentioned that the router in question is behind another router. But the general idea is that the wan zone input rule should be set to reject in most scenarios. And changing this will not fix an internet connectivity issue, ever.

he/she mentioned double NAT
and I didn't say to do it permanently
but ok

The zone forward rule will also not change anything here, and should almost always be reject for the wan zone.

While that does mean that the zone input rule doesn't likely present a security issue in most double-nat cases, we don't know for sure that the upstream network is indeed trusted (consider a public/hotel/cafe wifi -- that would be nat'd and would not be trusted).

Further, the input and forward rules do not affect internet connectivity in any way whatsoever.

Thank you for taking a look!

I'm running an OpenVPN server on the OpenWRT router. I can successfully connect to the VPN getting a 10.72.237.x IP and can ping the OpenWRT router at 10.72.238.1 and 10.72.237.1 as well as load Luci on both of those addresses as well. I cannot ping the computer connected to the OpenWRT LAN though.

uci export openvpn

package openvpn

config openvpn 'VPNServer'
	option config '/etc/openvpn/VPNServer.ovpn'
	option enabled '1'

VPNServer.ovpn

# OpenVPN server instance referenced from /etc/config/openvpn ('VPNServer').
mode server
# Tunnel address pool; the server itself takes 10.72.237.1 (see ifconfig tun0).
server 10.72.237.0 255.255.255.0
# ROOT CAUSE of the thread. This installs a kernel route for the router's OWN
# LAN subnet through tun0 (the 'route' output shows 10.72.238.0 via 10.72.237.2
# dev tun0), so traffic for the LAN is sent into the tunnel instead of out
# br-lan. The LAN is directly connected and needs no server-side route; only the
# 'push "route ..."' further down is required. Removing this line fixed the issue.
route 10.72.238.0 255.255.255.0
# Must match the Allow-OpenVPN firewall rule (udp/7314).
port 7314
proto udp
dev tun0
topology subnet
verb 4
mute 10
log '/tmp/openvpn.log'
status '/var/log/openvpn.log'
# Keep key material and the tun device across restarts; needed because the
# daemon drops to the unprivileged user/group below and could not re-read them.
persist-key
persist-tun
user openvpn
group openvpn
ca '/etc/easy-rsa/pki/ca.crt'
cert '/etc/easy-rsa/pki/issued/server.crt'
dh '/etc/easy-rsa/pki/dh.pem'
key '/etc/easy-rsa/pki/private/server.key'
# Level 2 is the minimum for the external auth script below; it also permits
# any other script named in this file, so keep this config file write-protected.
script-security 2
tmp-dir /dev/shm
# Username/password (OTP) check: credentials are handed to the script via a
# temporary file under tmp-dir. The script runs on every client connect, so its
# permissions deserve the same care as the private key.
auth-user-pass-verify /etc/config/ovpnauth/openvpn_otp_auth.py via-file
# After a successful password check the server hands the client a token valid
# for 43200 s (12 h), so renegotiations (reneg-sec 3600) do not re-prompt for OTP.
auth-gen-token 43200
reneg-sec 3600
keepalive 10 60
# Client-to-client traffic is routed inside OpenVPN and never reaches the
# kernel, so the firewall's vpn zone rules do not apply to it.
client-to-client
# Several clients may share one certificate; with username-as-common-name the
# login name, not the cert CN, identifies a session in logs and status output.
duplicate-cn
username-as-common-name
push "persist-key"
push "persist-tun"
push "topology subnet"
# Tells clients how to reach the LAN - this is the route that belongs here,
# and the thread confirms it should stay.
push "route 10.72.238.0 255.255.255.0"
# Clients use the router (dnsmasq) for DNS and the local 'vpn' search domain.
push "dhcp-option DNS 10.72.238.1"
push "dhcp-option DOMAIN-SEARCH vpn"

remove the vpn network from the lan zone.

remove the fullcone lines from the wan zone.

Turn off masquerading on the vpn zone.

remove this rule entirely.

Reboot the router and try again.

Made the listed changes and rebooted the router. Unfortunately no change in functionality.

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option fullcone '1'
	option forward 'ACCEPT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'

config rule
	option name 'Reject-IPv6'
	option family 'ipv6'
	option src 'wan'
	option dest '*'
	option target 'REJECT'

config zone 'docker'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'docker'
	list network 'docker'

config rule
	option name 'Allow-SSH'
	list proto 'tcp'
	option src 'wan'
	option dest_port '22'
	option target 'ACCEPT'

config rule
	option name 'Allow-OpenVPN'
	list proto 'udp'
	option src 'wan'
	option dest_port '7314'
	option target 'ACCEPT'

config rule
	option name 'Allow-LuCI'
	list proto 'tcp'
	option src 'wan'
	option dest_port '80'
	option target 'ACCEPT'

config rule
	option name 'Allow-LuCI-https'
	list proto 'tcp'
	option src 'wan'
	option dest_port '443'
	option target 'ACCEPT'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'vpn'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'vpn'
	option dest 'wan'

remove fullcone from here too

What is the output of the following:

ubus call system board
ifconfig
route

Just noticed this:
remove delegate from here.

and here...

and here:

No change. But looking at `route`, I suspect the issue is that 10.72.237.2 is the gateway for 10.72.238.0 and/or that the interface is tun0. Dunno how that happened or how to fix it, though.

ubus call system board

{
	"kernel": "5.10.110",
	"hostname": "RSCWealthStreamVPN",
	"system": "ARMv8 Processor rev 0",
	"model": "FriendlyElec NanoPi R5C",
	"board_name": "friendlyelec,nanopi-r5c",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.4",
		"revision": "r20123-38ccc47687",
		"target": "rockchip/armv8",
		"description": "OpenWrt 22.03.4 r20123-38ccc47687"
	}
}

ifconfig

br-lan    Link encap:Ethernet  HWaddr 5A:11:B5:CC:6F:D0
          inet addr:10.72.238.1  Bcast:10.72.238.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1164 errors:0 dropped:0 overruns:0 frame:0
          TX packets:44 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:144461 (141.0 KiB)  TX bytes:7270 (7.0 KiB)

docker0   Link encap:Ethernet  HWaddr 02:42:45:67:89:6A
          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth0      Link encap:Ethernet  HWaddr 5A:11:B5:CC:6F:CF
          inet addr:10.100.100.10  Bcast:10.100.100.255  Mask:255.255.255.0
          inet6 addr: fe80::5811:b5ff:fecc:6fcf/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3280 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1766 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:73135625 (69.7 MiB)  TX bytes:825927 (806.5 KiB)
          Interrupt:126

eth1      Link encap:Ethernet  HWaddr 5A:11:B5:CC:6F:D0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1164 errors:0 dropped:0 overruns:0 frame:0
          TX packets:44 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:144473 (141.0 KiB)  TX bytes:7270 (7.0 KiB)
          Interrupt:158

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:644 errors:0 dropped:0 overruns:0 frame:0
          TX packets:644 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:52130 (50.9 KiB)  TX bytes:52130 (50.9 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.72.237.1  P-t-P:10.72.237.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:906 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:164576 (160.7 KiB)

route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.100.100.1    0.0.0.0         UG    0      0        0 eth0
10.72.237.0     *               255.255.255.0   U     0      0        0 tun0
10.72.238.0     10.72.237.2     255.255.255.0   UG    0      0        0 tun0
10.100.100.0    *               255.255.255.0   U     0      0        0 eth0
172.17.0.0      *               255.255.0.0     U     0      0        0 docker0

uci export network

package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'eth0'
	option macaddr '5a:11:b5:cc:6f:cf'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option ipv6 '0'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'
	option auto '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	option ipv6 '0'

config device
	option name 'eth1'
	option macaddr '5a:11:b5:cc:6f:d0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	option ipv6 '0'
	list ipaddr '10.72.238.1/24'

config interface 'docker'
	option device 'docker0'
	option proto 'none'
	option auto '0'

config device
	option type 'bridge'
	option name 'docker0'

config interface 'vpn'
	option proto 'none'
	option device 'tun0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config device
	option name 'tun0'
	option ipv6 '0'

uci export firewall

package firewall

# State after the thread's fixes: 'vpn' removed from the lan zone, all fullcone
# lines gone, masquerading off on the vpn zone, 'Allow LAN to Router' removed.
# The connectivity fault itself was the extra 'route' line in VPNServer.ovpn,
# not anything in this file.

# Fallback policies for interfaces not assigned to any zone. Still ACCEPT for
# input and forward; a fresh install ships with REJECT for both (compare with a
# stock /etc/config/firewall), so tightening these costs nothing.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	# Correct upstream policy; the wan rules below open only what is needed.
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

# Allow-DHCP-Renew through Allow-ISAKMP are the stock OpenWrt default rules;
# the IPv6 ones are disabled ('enabled 0').
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

# IPsec ESP/IKE from wan into lan (no family set, so both IPv4 and IPv6).
# Remove if there is no IPsec endpoint on the LAN.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# UPnP: hosts behind the router can open inbound wan ports on demand. Decide
# consciously whether that is wanted on an upstream network you do not control.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'

# Rejects all IPv6 from wan. Rules apply in order, so the SSH/LuCI rules below
# effectively open IPv4 only.
config rule
	option name 'Reject-IPv6'
	option family 'ipv6'
	option src 'wan'
	option dest '*'
	option target 'REJECT'

# Fully permissive zone for docker0; no 'forwarding' section references it.
config zone 'docker'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'docker'
	list network 'docker'

# Remaining exposure toward the upstream network: SSH (22) and LuCI (80/443)
# accept from wan. As noted in the thread, a double-NAT upstream is not
# automatically trusted - restrict these with 'option src_ip' to the admin
# host(s), or drop them and manage the router via LAN or the VPN.
config rule
	option name 'Allow-SSH'
	list proto 'tcp'
	option src 'wan'
	option dest_port '22'
	option target 'ACCEPT'

# Required for the VPN server; matches 'port 7314' / 'proto udp' in VPNServer.ovpn.
config rule
	option name 'Allow-OpenVPN'
	list proto 'udp'
	option src 'wan'
	option dest_port '7314'
	option target 'ACCEPT'

config rule
	option name 'Allow-LuCI'
	list proto 'tcp'
	option src 'wan'
	option dest_port '80'
	option target 'ACCEPT'

config rule
	option name 'Allow-LuCI-https'
	list proto 'tcp'
	option src 'wan'
	option dest_port '443'
	option target 'ACCEPT'

# VPN clients form their own zone; masquerading was removed per the thread.
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'vpn'

# VPN clients <-> LAN in both directions, and VPN clients out to the internet.
config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'vpn'
	option dest 'wan'

Remove this from the OpenVPN configuration

Yep, that did it! Thank you, thank you, thank you.

I kept push "route 10.72.238.0 255.255.255.0" in the OpenVPN Config and everything seems to be working. Should that push line remain or not?

Also, would you recommend I keep all of the other changes you noted above in place as well?

Awesome. I had glossed over it before (because I saw the push one), but that additional route didn’t belong - I should have caught that earlier.

Yes. The push statement is correct. Keep it.

Yes. I would.

