Destination Host Unreachable to Access Modem in Bridge mode

Installing and Using OpenWrt Network and Wireless Configuration
1

Hey guys.

I am unable to access the administration panel of my ISP modem (FGA2232TIB) which is configured in bridge mode. I receive a message: Destination Host Unreachable when trying to ping from a local host connected to the router via wifi.

The TX/RX of the modem interface seems ok, but I still can't reach it. Would anyone have any idea what might be going on?

Modem: 192.168.1.1
Router: 100.0.0.100

config and test
config and test1920×1624 179 KB

$ cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd6:3b72:cc75::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr 'c4:41:1e:d0:09:f4'

config device
	option name 'lan2'
	option macaddr 'c4:41:1e:d0:09:f4'

config device
	option name 'lan3'
	option macaddr 'c4:41:1e:d0:09:f4'

config device
	option name 'lan4'
	option macaddr 'c4:41:1e:d0:09:f4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '100.0.0.100'
	option netmask '255.255.255.0'
	option delegate '0'

config device
	option name 'wan'
	option macaddr 'c4:41:1e:d0:09:f4'

config interface 'bridge'
	option proto 'pppoe'
	option device 'wan'
	option username 'changeme'
	option password 'changeme'
	option ipv6 '0'
	option sourcefilter '0'
	option delegate '0'

config interface 'modem'
	option proto 'static'
	option device 'wan'
	option ipaddr '192.168.1.100'
	option netmask '255.255.255.0'
	option delegate '0'

config device
	option type '8021q'
	option ifname 'wan'
	option vid '100'
	option name 'wan.100'
	option ipv6 '0'
	option mtu '1500'

$ cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option family 'ipv4'
	list network 'modem'
	list network 'bridge'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv4'
	option target 'ACCEPT'
	list icmp_type 'echo-request'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option target 'DNAT'
	option name 'Intercept-DNS'
	option src 'lan'
	option src_dport '53

$ cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'slvs.lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	list server '100.0.0.100#5353'
	option noresolv '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4

$ ip route show

default via xxx.xxx.xxx.xxx dev pppoe-bridge
100.0.0.0/24 dev br-lan scope link  src 100.0.0.100
xxx.xxx.xxx.xxx dev pppoe-bridge scope link  src xxx.xxx.xxx.xxx
192.168.1.0/24 dev wan scope link  src 192.168.1.100

$ tcpdump -evni any host 192.168.1.1

tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
09:39:50.728508 phy1-ap0 P   ifindex 39 a4:83:e7:9f:88:ae ethertype IPv4 (0x0800), length 104: (tos 0x0, ttl 64, id 42444, offset 0, flags [none], proto ICMP (1), length 84)
    100.0.0.160 > 192.168.1.1: ICMP echo request, id 47664, seq 0, length 64
09:39:50.728508 br-lan In  ifindex 38 a4:83:e7:9f:88:ae ethertype IPv4 (0x0800), length 104: (tos 0x0, ttl 64, id 42444, offset 0, flags [none], proto ICMP (1), length 84)
    100.0.0.160 > 192.168.1.1: ICMP echo request, id 47664, seq 0, length 64
09:39:50.728838 wan   Out ifindex 3 c4:41:1e:d0:09:f4 ethertype ARP (0x0806), length 48: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.1 tell 192.168.1.100, length 28
09:39:51.579878 phy1-ap0 P   ifindex 39 a4:83:e7:9f:88:ae ethertype IPv4 (0x0800), length 104: (tos 0x0, ttl 64, id 33926, offset 0, flags [none], proto ICMP (1), length 84)
    100.0.0.160 > 192.168.1.1: ICMP echo request, id 47664, seq 1, length 64
09:39:51.579878 br-lan In  ifindex 38 a4:83:e7:9f:88:ae ethertype IPv4 (0x0800), length 104: (tos 0x0, ttl 64, id 33926, offset 0, flags [none], proto ICMP (1), length 84)
    100.0.0.160 > 192.168.1.1: ICMP echo request, id 47664, seq 1, length 64
09:39:51.800912 wan   Out ifindex 3 c4:41:1e:d0:09:f4 ethertype ARP (0x0806), length 48: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.1 tell 192.168.1.100, length 28
09:39:52.630897 phy1-ap0 P   ifindex 39 a4:83:e7:9f:88:ae ethertype IPv4 (0x0800), length 104: (tos 0x0, ttl 64, id 31218, offset 0, flags [none], proto ICMP (1), length 84)
    100.0.0.160 > 192.168.1.1: ICMP echo request, id 47664, seq 2, length 64
09:39:52.630897 br-lan In  ifindex 38 a4:83:e7:9f:88:ae ethertype IPv4 (0x0800), length 104: (tos 0x0, ttl 64, id 31218, offset 0, flags [none], proto ICMP (1), length 84)
    100.0.0.160 > 192.168.1.1: ICMP echo request, id 47664, seq 2, length 64
09:39:52.840876 wan   Out ifindex 3 c4:41:1e:d0:09:f4 ethertype ARP (0x0806), length 48: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.1 tell 192.168.1.100, length 28
09:39:53.444356 phy1-ap0 P   ifindex 39 a4:83:e7:9f:88:ae ethertype IPv4 (0x0800), length 104: (tos 0x0, ttl 64, id 319, offset 0, flags [none], proto ICMP (1), length 84)
    100.0.0.160 > 192.168.1.1: ICMP echo request, id 47664, seq 3, length 64
09:39:53.444356 br-lan In  ifindex 38 a4:83:e7:9f:88:ae ethertype IPv4 (0x0800), length 104: (tos 0x0, ttl 64, id 319, offset 0, flags [none], proto ICMP (1), length 84)
    100.0.0.160 > 192.168.1.1: ICMP echo request, id 47664, seq 3, length 64
09:39:54.447054 phy1-ap0 P   ifindex 39 a4:83:e7:9f:88:ae ethertype IPv4 (0x0800), length 104: (tos 0x0, ttl 64, id 4852, offset 0, flags [none], proto ICMP (1), length 84)
    100.0.0.160 > 192.168.1.1: ICMP echo request, id 47664, seq 4, length 64
09:39:54.447054 br-lan In  ifindex 38 a4:83:e7:9f:88:ae ethertype IPv4 (0x0800), length 104: (tos 0x0, ttl 64, id 4852, offset 0, flags [none], proto ICMP (1), length 84)
    100.0.0.160 > 192.168.1.1: ICMP echo request, id 47664, seq 4, length 64
09:39:54.447300 wan   Out ifindex 3 c4:41:1e:d0:09:f4 ethertype ARP (0x0806), length 48: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.1 tell 192.168.1.100, length 28
09:39:55.480884 wan   Out ifindex 3 c4:41:1e:d0:09:f4 ethertype ARP (0x0806), length 48: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.1 tell 192.168.1.100, length 28
09:39:56.520891 wan   Out ifindex 3 c4:41:1e:d0:09:f4 ethertype ARP (0x0806), length 48: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.1 tell 192.168.1.100, length 28
2

100.0.0.0/12 is not an RFC1918 namespace and mustn't be used for your lan.

3

I changed the network to 10.0.0.0/24 but the previous error scenario still persists.
Ping from router(10.0.0.10)/client(10.0.0.159) does not reach the modem address: 192.168.1.1 even with the adjusted route: 10.0.0.0/24 dev br-lan scope link src 10.0.0.10

Router

PING 192.168.1.1 (192.168.1.1): 56 data bytes
^C
--- 192.168.1.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

* Failed to connect to 192.168.1.1 port 80 after 3152 ms: Error
curl: (7) Failed to connect to 192.168.1.1 port 80 after 3152 ms: Error

Client

PING 192.168.1.1 (192.168.1.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
92 bytes from 192.168.1.100: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 6efc   0 0000  3f  01 4065 10.0.0.159  192.168.1.1

92 bytes from 192.168.1.100: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 faef   0 0000  3f  01 b471 10.0.0.159  192.168.1.1

92 bytes from 192.168.1.100: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 0083   0 0000  3f  01 aede 10.0.0.159  192.168.1.1

Request timeout for icmp_seq 2
92 bytes from 192.168.1.100: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 300c   0 0000  3f  01 7f55 10.0.0.159  192.168.1.1


--- 192.168.1.1 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss

*   Trying 192.168.1.1:80...
* connect to 192.168.1.1 port 80 from 10.0.0.159 port 52826 failed: Network is unreachable
* Failed to connect to 192.168.1.1 port 80 after 4301 ms: Couldn't connect to server
* Closing connection
curl: (7) Failed to connect to 192.168.1.1 port 80 after 4301 ms: Couldn't connect to server
4

I've tried taking this approach with NAT, but nothing seems to work for able to access the modem page.