I have installed 24.10.1 on my edgerouterX up from 21.2. I had to go through the process of changing the flash layout but the wiki page was informative and all went well.
Major update so did not keep settings and started over.
step 1: Set lan ip range to 10.0.0.0/24. FAIL: dhcp works, routing works, no access to luci or ssh, not even ping. Spent a day troubleshooting with chatgpt. Nothing works.
could only login via the lan port but to the wan ip.
Is not DSA layout nor firewall or network config, uhttp config and dropbear also not bound to single interface.
Could not get it to work.
Tried to add a second ip range to lan, same issue.
Ok, thought i dont really need 10.0.0.0/24 i can make do with the standard range.
step 2: tailscale. installed fine. tailscale up: authentification url. login. all ok.
on the control pane everything seems ok. device is online.
checked in luci and in /etc/config/ no new interface created, no changes to the firewall, nothing.
tried to reboot. Nothing
It seems to me 24.10.x is not working on the edgerouterX.
Anyone with ideas on how to proceed?
Thinking of downgrading back to 21.x to have my functionality back.
This will lead you further astray. Avoid AI for this.
There are no widespread reported issues. Typically this is purely a config issue.
Let's look at the configs. If ssh doesn't work, you'll need serial. But it sounds like you can connect via the network...
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:
I have just setup a asus RTAC85P in a different location and done the exact same things. It worked flawlessly from the start.
Here are 2 versions of the files you requested. The first set is running on the standard lan ip 192.168.1.1, the second freshly changed ip range via luci to 10.0.0.1. As described, i cannot reach the router anymore on 10.0.0.1 after the change (from various clients, after reboot of computers and after a browser cache clear).
Tailscale is installed an authenticated in both instances, but does not allow connections on the tailscale address. Tailscale is not automatically added to the firewall as it was on my ASUS.
192.168.1.1:
root@OpenWrt:~# ubus call system board
{
"kernel": "6.6.86",
"hostname": "OpenWrt",
"system": "MediaTek MT7621 ver:1 eco:3",
"model": "Ubiquiti EdgeRouter X",
"board_name": "ubnt,edgerouter-x",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.1",
"revision": "r28597-0425664679",
"target": "ramips/mt7621",
"description": "OpenWrt 24.10.1 r28597-0425664679",
"builddate": "1744562312"
}
}
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd14:4014:4c61::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
list ports 'eth2'
list ports 'eth3'
list ports 'eth4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'eth0'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0'
option proto 'dhcpv6'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '1'
option limit '200'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option syn_flood 1
option input REJECT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
10.0.0.1:
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd14:4014:4c61::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
list ports 'eth2'
list ports 'eth3'
list ports 'eth4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '10.0.0.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'eth0'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0'
option proto 'dhcpv6'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '1'
option limit '200'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option syn_flood 1
option input REJECT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
DHCP and routing work just fine in the latter. ping, ssh and luci to the router do not except to the external wan ip from an internal lan port.
The start value of 1 means that it overlaps the router's address. This is not allowed. Chance it to 2 or really anything higher (also pay attention to the limit if you set start to >55).
I suspect the problem is with tailscale and its addressing/routes. Try disabling tailscale (or removing it entirely, temporarily). If you have a conflict via an overlapping address or route, it will cause problems.
OpenWrt doesn't 'automatically' add networks to the firewall. You need to specify that yourself based on the trust level and intent of that network.
I have exactly the same symptoms directly after a fresh hard reset. So dhcp start 100 limit 150 and the tailscale package not even installed.
I can generate those config files also if you like, I'll just hard reset the thing for the 7th time.
If no-one else has this can it be I flashed a faulty image? I downloaded it directly using the upgrade procedure to 24.10 (to change the flash layout). I have reflashed with the latest stable sysupgrade from the openwrt site to no avail.
I have tried also to add a second ip range and leave the default in tact. That worked in that ssh and luci remained reachable on 192.168.1.1 but never on 10.0.0.1.
I have checked /etc/config/uhttp and /etc/config/dropbear, they are not bound to an address but listen on all.
yes i did put the plug in the socket and i do know where the on button is
I get that there are quite a lot of people asking stupid questions here. I have had that issue of course, but this goes a lot deeper than that i'm afraid.
we're not able read minds or guess as to what you've done (or possibly not done), so even if it seems silly, it's important to ask.
We have users of all skill levels here, and thus we cannot know where any individual is in their journey of network administration knowledge.
Even for the most experienced users (in the OpenWrt context or really any other), sometimes it's the most obvious/silly things that are forgotten/overlooked. So when these things are brought up, it shouldn't be assumed to be an insult to your knowledge or abilities.
And to clarify (this is so that I can understand the specific experiments/symptoms, please confirm or correct):
you are able to connect to the ER-X at 192.168.1.1 in the default configuration?
after you change the lan IP address to 10.0.0.1/24 (all else default, no tailscale, no other changes), you can no longer connect to the ER-X using the 10.0.0.1 address? Instead, you can only reach it at 192.168.178.10?
Your computer (from which you are attempting access) is connected to the lan side of the ER-X
Your computer has obtained an address in the 10.0.0.0/24 subnet when you attempt to access the ER-X (after changing the lan IP of OpenWrt)
Your computer has no other network connections -- wifi is off, no other ethernet.
There are no other connections to the ER-X except the upstream 192.168.178.0/24 network
Is all of that correct?
Some followups:
What OS is your computer?
Have you tried another ethernet connected computer or have you tried booting a different OS on the one you've been using for the test (for example, a live USB stick of Ubuntu)?
Have you tried disconnecting the upstream (ER-X) wan such that the only connection to the ER-X is the computer?
Have you confirmed that the ER-X's address change was successful (depending on the method, there is an auto-rollback function that could be getting in the way).
In the meantime...
you're currently using 24.10.1, but 24.10.4 is now available. I'd recommend that you perform an upgrade and reset the device to defaults during the upgrade (i.e. uncheck the "keep settings" box or use the -n parameter when upgrading). Then...
with only the single connection between your computer and your ER-X (i.e. no upstream or other downstream connections on the ER-X, no wifi or other connections on the computer)...
verify that you're able to get access to 192.168.1.1 as expected from the lan side
login and change only the lan IP (nothing else)
apply the changes and make sure your computer gets a new lease on the new subnet.
I have just:
Updated to 24.10.4. Do not keep the settings.
Disconnected everything from the router except for 1 cable connecting my laptop lan to eth1 (eth0 on the routers is configured as WAN).
connected to 192.168.1.1 and changed the lan ip via luci to 10.0.0.1 and applied.
My laptop got new dhcp lease: 10.0.0.185.
I have no connectivity to the router on 10.0.0.1 or on 192.168.1.1. Ping, ssh luci all time out.
With no upstream the router has no wan ip, so i don't know how to test if that loophole still works.
The problem you are experiencing just doesn't seem to make sense...
Don't get me wrong, I do believe you are seeing this strange behavior, but I just can't explain it -- in large part because if this was a common issue we would have seen numerous reports of this.
Go ahead and plug in the upstream and then see if you can reach it via the wan address (accessing from the lan side).
Ok, I get connectivity back on the wan 192.168.178.10.
Agreed this defies logic.
In getting the latest firmware I had to go through the firmware selector. That gives the possibility to script changes at first boot.
Would it make sense to change the ip-range in a script there?
That doesn't solve the issue I had with tailscale not correctly ibtegrati g but maybe I can do that manually.
I was thinking of downgrading back to 21.x but that involves going back to edgeOS because of the flash layout. And I don't know if my bootloader checks for tftp. That might mean using a serial connection. I probably could pull that of if I can find my usb-serial adapter.
I have just tried with a custom build via https://firmware-selector.openwrt.org modifying the first-boot script to change the ip to 10.0.0.1.
The firmware flashes and boots, no issues there. The router comes up and servers me a 10.0.0.0/24 ip, but is unreachable on 10.0.0.1, same as before. I can again reach it on the wan address....
I have tried to TFPT edgeOS firmware to the device. I put the device in recovery mode by pressing the reset button during power on. The TFTP functions just fine (bootloader is 1.1.3)
But: with the changed flash layout no EdgeOS firmware is accepted by the TFTP flash process.
So i'm currently stuck on 24.x with no way of going back unless i start mucking arround with serial access. I might try that.
Try setting a different LAN address, for example, 192.168.2.1. See if it's available. I'm asking because I use the ER-X as a router with a different LAN address pool then 192.168.1.1, and it works perfectly for me.
