My ISP has placed their modem in bridge mode and I use my Linksys WRT1200AC for all the needs of managing my home network. It is connected to the modem through its WAN port. However, I am not able to get through to the Internet. OpenWRT installation on my router (version 21.02.3) is pretty much in its default state with just a few interventions on my part. I have installed DDNS and uHTTPd, set up my WiFi, defined a few static LAN addresses in the DHCP server part of the LAN interface and that's it. The WAN interface is set as a DHCP client and correctly receives the ISP's public IP address. All seems to work well but I cannot reach anything on the Internet, not even through pinging the known public IP addresses. The identical router running DD-WRT does not have the same problem and provides expected access to the Internet. What am I missing or doing wrong in my settings of the OpenWRT?
What's the error you're getting on the WRT1200AC when you try to ping 8.8.8.8 or any other IP?
It times out.
Post your
/etc/config/network
/etc/config/firewall
Use the </> tag (top of post window) for C&Ped CLI output.
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have
ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; \
ping -c 3 1.1.1.1 ; nslookup openwrt.org
/etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd60:ab44:67ef::/48'
config device
option name 'br-lan'
option type 'bridge'
option acceptlocal '1'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ip6assign '60'
list dns '1.1.1.1'
list dns '1.0.0.1'
list dns '2606:4700:4700::1111'
list dns '2606:4700:4700::1001'
option force_link '0'
list ipaddr '10.0.0.2/24'
option gateway '0.0.0.0'
config device
option name 'wan'
option macaddr '-----------'
config interface 'wan'
option proto 'dhcp'
option hostname '*'
option broadcast '1'
option peerdns '0'
list dns '1.1.1.1'
list dns '1.0.0.1'
option device 'wan'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
===================================================================================
/etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
Look at your default gateway, which is on the main status page and in the routing table (CLI command route or ip route show). This should be an IP address that is off site-- it is the ISP's first router on the other end of your cable or fiber. Attempt to ping that IP. If that works the ISP is probably blocking you from the Internet because your router has a different MAC address than the last one.
{
"kernel": "5.4.188",
"hostname": "OpenWRT",
"system": "ARMv7 Processor rev 1 (v7l)",
"model": "Linksys WRT1200AC",
"board_name": "linksys,wrt1200ac",
"release": {
"distribution": "OpenWrt",
"version": "21.02.3",
"revision": "r16554-1d4dea6d4f",
"target": "mvebu/cortexa9",
"description": "OpenWrt 21.02.3 r16554-1d4dea6d4f"
}
}
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option expandhosts '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
option authoritative '1'
config dhcp 'lan'
option interface 'lan'
option dhcpv4 'server'
option leasetime '24h'
option ra 'server'
option dhcpv6 'server'
list dns '2606:4700:4700::1111'
list dns '2606:4700:4700::1001'
option limit '50'
option start '10'
option ndp 'hybrid'
list ra_flags 'none'
config dhcp 'wan'
option interface 'wan'
option leasetime '12h'
option start '10'
option limit '50'
option dynamicdhcp '0'
option ignore '1'
list ra_flags 'none'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config host
option name 'Printer-Wired'
option dns '1'
option mac '*******'
option ip '10.0.0.35'
config host
option name 'NAS'
option dns '1'
option mac '*******'
option ip '10.0.0.11'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet ****************/22 brd ************scope global wan
valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 10.0.0.2/24 brd 10.0.0.255 scope global br-lan
valid_lft forever preferred_lft forever
default via **************** dev wan src ******************
10.0.0.0/24 dev br-lan scope link src 10.0.0.2
88.207.56.0/22 dev wan scope link src 88.207.57.114
broadcast 10.0.0.0 dev br-lan table local scope link src 10.0.0.2
local 10.0.0.2 dev br-lan table local scope host src 10.0.0.2
broadcast 10.0.0.255 dev br-lan table local scope link src 10.0.0.2
broadcast **************** dev wan table local scope link src *******************
local ************* dev wan table local scope host src ***************
broadcast ****************** dev wan table local scope link src ***********************
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
lrwxrwxrwx 1 root root 16 Apr 16 14:59 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r-- 1 root root 36 Apr 26 19:13 /tmp/resolv.conf
-rw-r--r-- 1 root root 172 Apr 26 19:13 /tmp/resolv.conf.d/resolv.conf.auto
/tmp/resolv.conf.d:
-rw-r--r-- 1 root root 172 Apr 26 19:13 resolv.conf.auto
==> /etc/resolv.conf <==
nameserver 127.0.0.1
nameserver ::1
==> /tmp/resolv.conf <==
nameserver 127.0.0.1
nameserver ::1
==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error
==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface lan
nameserver 1.1.1.1
nameserver 1.0.0.1
nameserver 2606:4700:4700::1111
nameserver 2606:4700:4700::1001
# Interface wan
nameserver 1.1.1.1
nameserver 1.0.0.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
;; connection timed out; no servers could be reached
Remove from lan interface:
list dns '1.1.1.1'
list dns '1.0.0.1'
list dns '2606:4700:4700::1111'
list dns '2606:4700:4700::1001'
option gateway '0.0.0.0'
Yes that will break things. option gateway 0.0.0.0 is completely wrong. option gateway is never needed on a main router that is configured by DHCP from the ISP.
If you want to use custom DNS servers, that goes in the wan section. But only set those after confirming the Internet is accessible with the ISP default DNS servers.
Thanks guys, but that did not help. I also tried with leaving the default gateway empty, that did not help either.
I'd also remove the broadcast and hostname from wan interface.
Or just reset the whole thing, see if it works then, and start applying your customizing afterwards.
Thanks again! Resetting the whole thing and starting from scratch is one of the first things I did. Unfortunately didn't help. Strangely, if I plug in the cable into one of the modem's unbridged ports I do get out to the Internet. Not so with the DD-WRT version - that has to go to the bridged port. I have checked my main network settings between OpenWRT and DD-WRT and they seem to be the same.
Check if the WAN port MAC is the same running OpenWrt as in DD-WRT.
It isn't. I have two identical routers. Both are Linksys WRT1200AC. One has DD-WRT and the other has OpenWRT. In my testing I have always used only one at a time.
Ah, I thought it was the same device, and you reflashed it.
In that case, copy the WAN MAC of the working DD-WRT router, and assign it (MAC override) to the WAN port of the OpenWrt unit.
Now THAT WORKED!! Now all works as it should. Thanks a million!
Could you please explain what is behind this situation?
When you use the bridged port, the MAC address of your router is transmitted all the way to the cable company DHCP and AAA servers. The company remembers the MAC and sort of locks to it. As it was locked to that of the dd-wrt router you needed to clone the MAC into the other router so that the cable company will serve it.
In most cases if you take the modem completely off-line by cutting the power for 30 minutes, the MAC lock will reset. In other cases you need to call the company and ask them to register a new MAC.
Great! Thanks a lot for your kind help.
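The MAC override that resolved this thread, as an added example that is not part of the original posts: a POSIX shell helper that validates the address and prints the uci commands for review before they are run. It assumes the OpenWrt 21.02 layout shown in the posted config (a `config device` section with `option name 'wan'`); the function names and the sample MAC are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Return 0 if $1 is six colon-separated hex octets with the multicast bit
# (lowest bit of the first octet) clear; a multicast MAC cannot be a source.
is_unicast_mac() {
    echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || return 1
    [ $(( 0x${1%%:*} & 1 )) -eq 0 ]
}

# Read `uci show network` lines on stdin and print the index of the
# anonymous device section named 'wan'; print nothing if there is none.
wan_device_index() {
    sed -n "s/^network\.@device\[\([0-9]*\)\]\.name='wan'\$/\1/p" | head -n 1
}

# Print the commands that apply the override.
# $1 = MAC copied from the router the ISP already knows
# $2 = index from wan_device_index, or empty to create the section
override_commands() {
    is_unicast_mac "$1" || { echo "invalid MAC: $1" >&2; return 1; }
    mac=$(echo "$1" | tr 'a-f' 'A-F')
    if [ -n "$2" ]; then
        sec="network.@device[$2]"
    else
        echo "uci add network device"
        echo "uci set network.@device[-1].name='wan'"
        sec="network.@device[-1]"
    fi
    echo "uci set $sec.macaddr='$mac'"
    echo "uci commit network"
    echo "/etc/init.d/network restart"
}

# Constructed demo input; on the router use: uci show network | wan_device_index
SAMPLE="network.@device[0].name='br-lan'
network.@device[1].name='wan'"
# 02:00:5e:10:00:01 is a constructed, locally administered placeholder MAC.
override_commands "02:00:5e:10:00:01" "$(echo "$SAMPLE" | wan_device_index)"
```

After applying the printed commands, `ip link show wan` on the router should report the cloned address before the WAN lease is retested.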