Could use some help, OpenWrt on x86. Main Fuse tripped

Network came back up as normal. The router can receive a WAN IP from the fiber modem and seems alright. From the main router I go to an 8-port gigabit PoE switch (HP), then from there to the UniFi WAP and other assorted machines.

However, after this all clients cannot connect to the internet; weirdly, they receive DHCP addresses fine but cannot connect to or communicate with the router (192.168.1.1). I suspect something wonky with the br-lan interface, but everything SEEMS normal and nothing is out of place.

Strangely, if I connect externally via the WireGuard VPN I CAN access the LuCI web interface normally; not sure what is broken here, tbh.

Any obvious things I'm missing to check would be greatly appreciated

The main router is a Fitlet1 x86 fanless SFF machine with OpenWrt 21.02.01
Switch is an HP OfficeConnect 1920S with PoE
WAP is a UniFi 6 Lite reflashed with OpenWrt

Not much to go on here. How about some configs? A topology diagram? Test methods? Does the problem exist on WiFi and Ethernet? What about if you plug a device directly into the router (bypassing the switch)?

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Hey @psherman thanks for the rapid response.

/etc/config/network
followed by dhcp and firewall; I'll leave out wireless for now as I'm not as concerned about getting that back online yet (and suspect it's working fine; it's an external WAP).

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth1'
	list ports 'eth2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth3'
	option peerdns '0'

config interface 'wg0'
	option proto 'wireguard'
	option listen_port '51820'
	list addresses '192.168.2.1/24'
	option private_key 'BLANKED'

config wireguard_wg0
	option public_key 'BLANKED'
	option persistent_keepalive '25'
	list allowed_ips '192.168.2.2/32'
	option description 'a20e'
	option route_allowed_ips '1'

config wireguard_wg0
	option description 'X1'
	option public_key 'BLANKED'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	list allowed_ips '192.168.1.0/24'
	list allowed_ips '192.168.2.3/32'

First check would be trying to connect to the router via ssh (maybe over WireGuard) to get a look at dmesg / logread, as well as checking the overlay for config corruption (/overlay/upper/).

Then debug your issue methodically: can the router (over ssh) ping (e.g.) google by name, by IP; can you get website contents (wget -O- http://google.com)?

Next step: disconnect switch / AP and put a computer directly on your router's LAN port. Do you get a DHCP lease, are IP, gateway & DNS correct, can you ping the router and google and get site contents?

Check the AP (directly on your router's LAN port) and the switch individually (directly on your router's LAN port) and check again how a computer connected to either of those behaves.

Rinse and repeat, until you know what exactly is misbehaving - and debug that further.


/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list local_dns_server '8.8.8.8'
	list server '9.9.9.9'
	list server '9.9.9.10'
	list server '1.1.1.1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'win7'
	option dns '1'
	option mac 'BLANKED'
	option ip '192.168.1.152'
	option leasetime 'infinite'

config host
	option name 'bilbo'
	option dns '1'
	option mac 'BLANKED'
	option ip '192.168.1.125'
	option leasetime 'infinite'

config host
	option dns '1'
	option mac 'BLANKED'
	option ip '192.168.1.3'
	option leasetime 'infinite'
	option name 'HP-1920s'

config host
	option name 'bilbo'
	option duid 'BLANKED'
	option mac 'BLANKED'

config host
	option name 'box'
	option duid 'BLANKED'
	option mac 'BLANKED'
	option ip '192.168.1.226'
	option leasetime 'infinite'

config domain
	option name 'box'
	option ip '192.168.1.226'

config domain
	option name 'win7'
	option ip '192.168.1.152'

config domain
	option name 'bilbo'
	option ip '192.168.1.125'

config host
	option ip '192.168.1.235'
	option mac 'BLANKED'
	option name 'Voxel'
	option dns '1'
	option leasetime 'infinite'

config domain
	option name 'Voxel'
	option ip '192.168.1.235'

config dhcp 'wg0'
	option interface 'wg0'
	list ra_flags 'none'

> list allowed_ips '192.168.1.0/24'

This is wrong and should be removed. Restart the router when that is done.

Is it possible to comment out those lines with # instead?

Why comment it out? It doesn’t belong, best to delete. Easy to add back (one line) if you actually want to later.

Yes.*

*- I think they'll disappear anyway when commented out. As @psherman noted, not sure why keep something not needed.

It's in more than one place, and I believe it was added for the WireGuard configuration.

What's in more than one place?

I only see it in one place. Did you not give complete configs?


I think I misunderstood; you mean all occurrences of list allowed_ips.

Commented out the one line now and am rebooting.

Okay, internet on clients is now back. That's progress.

And... LuCI access restored as well!

So was it that one line then?

Could you explain to me what that was causing to happen?

Allowed IPs has to do with the traffic that should go through the tunnel, basically the destination addresses. By setting that on this side, you created a routing conflict where the traffic that should have gone to the actual LAN devices couldn't be properly routed because of a conflict about where the traffic should go (local or through the tunnel).

You should delete the line so that it can’t be accidentally uncommented and cause problems in the future.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

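A check for exactly this mistake, added here as an example; it is not code from the thread or from OpenWrt. OpenWrt's route_allowed_ips '1' makes netifd install a kernel route for every allowed_ips prefix of that peer, so a peer entry of 192.168.1.0/24 puts a route for the LAN prefix on wg0 next to the connected route on br-lan, and the router's replies to LAN hosts can be sent into the tunnel while broadcast DHCP still works, which is the symptom described at the top of the thread. The script below covers the "find out what exactly is misbehaving" step of the methodical debugging post and the allowed_ips explanation above: it reads a UCI network config and reports any peer with route_allowed_ips '1' whose IPv4 allowed_ips entry is as specific as, or more specific than, the LAN prefix (a less specific entry such as 0.0.0.0/0 loses to the connected route and is not flagged). It assumes standard UCI syntax as posted in the thread, busybox ash and busybox awk (the OpenWrt defaults); the sample config embedded in it is constructed from the relevant parts of the posted /etc/config/network, and IPv6 allowed_ips entries are skipped.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenWrt. Flags WireGuard peers whose
# allowed_ips would shadow the LAN prefix once route_allowed_ips '1' turns them
# into kernel routes. Assumes UCI syntax as in /etc/config/network, busybox ash
# and busybox awk; also runs under bash with gawk or mawk.

# wg_route_conflicts [FILE] [LAN_IFACE]
# FILE defaults to stdin ("-"), LAN_IFACE to "lan". Prints one line per offending
# allowed_ips entry; returns 1 if any was found, 0 otherwise, 2 if no LAN ipaddr.
wg_route_conflicts() {
    awk -v q="'" -v lan="${2:-lan}" '
    function ip2n(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    # prefix length of a contiguous dotted netmask, e.g. 255.255.255.0 -> 24
    function masklen(n,  len, b) {
        for (len = 0; len < 32; len++) { b = 2^(31 - len); if (n < b) break; n -= b }
        return len
    }
    # do two prefixes share any address? compare the network bits of the shorter one
    function overlap(n1, l1, n2, l2,  d) {
        d = 2^(32 - (l1 < l2 ? l1 : l2)); return int(n1 / d) == int(n2 / d)
    }
    $1 ~ /^#/ { next }                    # UCI comment line
    { gsub(q, "") }                       # strip UCI quoting; assigning $0 re-splits fields
    $1 == "config" {
        sect = $2; name = $3; cur = 0
        if (sect ~ /^wireguard_/) { cur = ++np; pdesc[np] = ""; proute[np] = "0"; pallow[np] = "" }
        next
    }
    sect == "interface" && name == lan && $1 == "option" && $2 == "ipaddr"  { lanaddr = $3 }
    sect == "interface" && name == lan && $1 == "option" && $2 == "netmask" { lanmask = $3 }
    cur && $1 == "option" && $2 == "description" {
        d = $3; for (k = 4; k <= NF; k++) d = d " " $k; pdesc[cur] = d
    }
    cur && $1 == "option" && $2 == "route_allowed_ips" { proute[cur] = $3 }
    cur && $1 == "list"   && $2 == "allowed_ips"       { pallow[cur] = pallow[cur] " " $3 }
    END {
        if (lanaddr == "") { print "no ipaddr found for interface " lan > "/dev/stderr"; exit 2 }
        if (lanaddr ~ /\//) { split(lanaddr, t, "/"); lanip = t[1]; llen = t[2] + 0 }
        else { lanip = lanaddr; llen = (lanmask == "" ? 32 : masklen(ip2n(lanmask))) }
        lnet = ip2n(lanip); bad = 0
        for (i = 1; i <= np; i++) {
            if (proute[i] != "1") continue            # no kernel route is installed, nothing to shadow
            n = split(pallow[i], al, " ")
            for (j = 1; j <= n; j++) {
                if (al[j] ~ /:/) continue             # IPv4 only in this example
                split(al[j], t, "/"); pn = ip2n(t[1]); pl = (t[2] == "" ? 32 : t[2] + 0)
                # a less specific prefix (e.g. 0.0.0.0/0) loses to the connected LAN route and is fine
                if (pl >= llen && overlap(lnet, llen, pn, pl)) {
                    bad++
                    printf "peer %s: allowed_ips %s shadows %s %s/%d\n", \
                        (pdesc[i] == "" ? "#" i : pdesc[i]), al[j], lan, lanip, llen
                }
            }
        }
        exit (bad > 0)
    }' "${1:--}"
}

# Constructed sample: the relevant parts of the /etc/config/network posted above.
sample_network_config() {
    cat <<'EOF'
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'wg0'
	option proto 'wireguard'
	list addresses '192.168.2.1/24'

config wireguard_wg0
	option description 'a20e'
	option route_allowed_ips '1'
	list allowed_ips '192.168.2.2/32'

config wireguard_wg0
	option description 'X1'
	option route_allowed_ips '1'
	list allowed_ips '192.168.1.0/24'
	list allowed_ips '192.168.2.3/32'
EOF
}

# On the router: wg_route_conflicts /etc/config/network
sample_network_config | wg_route_conflicts || echo "conflicts found, exit status $?"
```

Against the sample it prints `peer X1: allowed_ips 192.168.1.0/24 shadows lan 192.168.1.1/24`; with that one line removed it prints nothing and returns 0. After the fix and a reboot, `ip -4 route show 192.168.1.0/24` on the router should list the prefix on br-lan only; if the LAN should still be reachable from the remote side of the tunnel, that belongs in the allowed_ips of the peer's configuration on the remote end, not on the router that owns the LAN.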

That makes perfect sense upon further explanation.

I sincerely thank you for the help, I was feeling really frustrated by this time and wasn't making any progress fixing it all last night, I definitely should have asked for help sooner. I'll delete the line now that I understand better what it does.

