Can't ping OpenWrt router from WAN

As far as I know, OpenWrt allows ping from WAN, and it seems it should work according to this rule:

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

but it is not working in my setup. RTN-14U running OpenWrt 22.03.2 r19803-9a599fee93.
I can't ping OpenWrt from either client1 or upstream_router.

upstream_router 192.168.1.1(Internet)
              /           \
  client1_machine          openwrt_router
  192.168.1.166           wan_IP: 192.168.1.20

The OpenWrt router gets its IP and internet connection from upstream_router via a LAN cable plugged into the WAN port. I also added a rule for SSH and web connections from WAN, but there is no access either.

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	option input 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-Admin'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22 80 443'
	option target 'ACCEPT'

Did you renumber the OpenWrt's LAN to something other than 192.168.1.0/24 - to prevent conflict with the same numbering on its WAN side?

I only changed the router's default LAN address for the internal network: 192.168.1.110

Well, that's your problem - that needs to be fixed. You can't use the same numbering on WAN and LAN. The router doesn't know how to route. OpenWrt thinks 192.168.1.0/24 is on LAN - so it'll never try to reach 192.168.1.1, nor any other 192.168.1.x IP on WAN.

Try changing LAN to e.g.: 192.186.2.1/24

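Added example, not part of any post in this thread: a POSIX shell check for the LAN/WAN subnet overlap diagnosed above. The function names are hypothetical, the /24 prefix lengths are assumed, and the addresses are sample values taken from the thread.

```shell
#!/bin/sh
# Pre-flight check: do the LAN and WAN prefixes overlap?
# Illustrative helper names; inputs are "address/prefixlen" strings.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
# The subshell body keeps the IFS and noglob changes local.
ip2int() (
    set -f
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Return 0 when the two CIDR blocks overlap, 1 otherwise.
# Two prefixes overlap exactly when they agree under the shorter mask.
cidr_overlap() (
    a_ip=${1%/*}; a_len=${1#*/}
    b_ip=${2%/*}; b_len=${2#*/}
    len=$a_len
    if [ "$b_len" -lt "$len" ]; then len=$b_len; fi
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    a_net=$(( $(ip2int "$a_ip") & mask ))
    b_net=$(( $(ip2int "$b_ip") & mask ))
    [ "$a_net" -eq "$b_net" ]
)

# Print a verdict for one LAN/WAN pair; non-zero status means conflict.
check_lan_wan() {
    if cidr_overlap "$1" "$2"; then
        echo "CONFLICT: LAN $1 overlaps WAN $2"
        return 1
    fi
    echo "ok: LAN $1 and WAN $2 are distinct"
}

# Constructed sample input based on the thread (prefix lengths assumed /24):
WAN=192.168.1.20/24
check_lan_wan 192.168.1.110/24 "$WAN" || true   # original setup
check_lan_wan 192.186.2.1/24 "$WAN" || true     # after renumbering the LAN
```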

Yes, that's right.
Both your LAN and WAN networks have the same IP range, i.e. 192.168.1.x/24. The router can't perform its work.

If you choose to keep the upstream router at 192.168.1.1/24, then connect the clients to the OpenWrt router.

Furthermore, to be able to ping from WAN, you also need a rule to the upstream router. Also consider that allowing such ping is not secure.


The OP has masquerade enabled, no rule is needed except to enable WAN ping.


I didn't notice.
You have looked very carefully at the picture :wink:

You're right, I have changed the OpenWrt LAN IP to 192.186.2.1 and now I can ping and get web access from the 192.168.1.0 network.

P.S. Hmm, before, I had assumed it might work as part of the same network.

Then you want a dumb AP or switch. There are threads and a Wiki for doing that.
