I am having an issue where the LAN side of the box is passing DHCP requests up the WAN side instead of processing it itself. I'm sure there is a config somewhere I'm missing, but I can't figure out what it is. Below are the settings I'm using. Thanks!
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd18:0640:804c::/48'
network.globals.packet_steering='1'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth1 eth2'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.force_link='1'
network.lan.ipaddr='10.10.10.10'
network.wan=interface
network.wan.ifname='eth0'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.ifname='eth0'
network.wan6.proto='dhcpv6'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].server='1.1.1.1'
dhcp.@dnsmasq[0].confdir='/tmp/dnsmasq.d'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_slaac='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
Did you want dhcprelay? Or your seeing dhcprelay behavior and don't want to? The latter sounds like a switch issue...
The only unusual thing is the packet steering in this configuration. Which router is that and which OpenWrt version is it running?
This is a Itus Network's Octeon III SoC (mips64). It isn't out the realm that I'm missing packages (I had to compile bridge-utils into the image, for example). It is running a self-compiled OpenWrt 4.19.115 mips64 GNU/Linux. I use the packet_steering because it's a multi-core CPU
eth0 is WAN
Network layout:
DLink's network is 192.168.5.0/24
The laptop connects to one of the br-lan ports (eth1/eth2) and sends DHCP a request from the Shield. Instead, it appears to be relaying the request to the Dlink's network (the laptop is being assigned a 192.168.5.0/24 IP.
Aside from the network collision zone, everything works fine. I have full access to the Internet through the shield, but I can't access luCi because the network isn't part of the 10.10.10.0/24.
Here is the complete uci show listing:
root@OpenWrt:/# uci show
adblock.global=adblock
adblock.global.adb_enabled='1'
adblock.global.adb_forcedns='0'
adblock.global.adb_safesearch='0'
adblock.global.adb_mail='0'
adblock.global.adb_backup='1'
adblock.global.adb_maxqueue='4'
adblock.global.adb_sources='adaway' 'adguard' 'disconnect' 'yoyo' 'oisd_nl' 'youtube'
adblock.global.adb_dns='dnsmasq'
adblock.global.adb_trigger='wan'
adblock.global.adb_report='1'
adblock.global.adb_repiface='br-lan'
adblock.global.adb_dnsfilereset='1'
adblock.global.adb_dnsflush='1'
adblock.global.adb_fetchutil='uclient-fetch'
adblock.global.adb_debug='1'
adblock.global.adb_backupdir='/etc/adblock'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].server='1.1.1.1'
dhcp.@dnsmasq[0].confdir='/tmp/dnsmasq.d'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_slaac='1'
dhcp.lan.dhcpv4='server'
dhcp.lan.dynamicdhcp='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth='on'
dropbear.@dropbear[0].RootPasswordAuth='on'
dropbear.@dropbear[0].Port='22'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-so'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
fstab.@global[0]=global
fstab.@global[0].anon_swap='0'
fstab.@global[0].anon_mount='0'
fstab.@global[0].auto_swap='1'
fstab.@global[0].auto_mount='1'
fstab.@global[0].delay_root='5'
fstab.@global[0].check_fs='0'
fstab.@mount[0]=mount
fstab.@mount[0].target='/mnt/mmcblk1p1'
fstab.@mount[0].uuid='0043-53BE'
fstab.@mount[0].enabled='0'
fstab.@mount[1]=mount
fstab.@mount[1].target='/'
fstab.@mount[1].uuid='b40188e3-4cae-43be-a339-6e2d0b4a8c92'
fstab.@mount[1].enabled='0'
fstab.@mount[2]=mount
fstab.@mount[2].target='/mnt/mmcblk1p3'
fstab.@mount[2].uuid='65e8b550-2a1a-4882-b290-6d3081eda2a8'
fstab.@mount[2].enabled='0'
fstab.@mount[3]=mount
fstab.@mount[3].target='/mnt/mmcblk1p4'
fstab.@mount[3].uuid='483fc6fb-3825-4b0f-97b8-810d65f5146d'
fstab.@mount[3].enabled='0'
luci.main=core
luci.main.lang='auto'
luci.main.resourcebase='/luci-static/resources'
luci.main.ubuspath='/ubus/'
luci.main.mediaurlbase='/luci-static/openwrt2020'
luci.flash_keep=extern
luci.flash_keep.uci='/etc/config/'
luci.flash_keep.dropbear='/etc/dropbear/'
luci.flash_keep.openvpn='/etc/openvpn/'
luci.flash_keep.passwd='/etc/passwd'
luci.flash_keep.opkg='/etc/opkg.conf'
luci.flash_keep.firewall='/etc/firewall.user'
luci.flash_keep.uploads='/lib/uci/upload/'
luci.languages=internal
luci.sauth=internal
luci.sauth.sessionpath='/tmp/luci-sessions'
luci.sauth.sessiontime='3600'
luci.ccache=internal
luci.ccache.enable='1'
luci.themes=internal
luci.themes.Bootstrap='/luci-static/bootstrap'
luci.themes.OpenWrt2020='/luci-static/openwrt2020'
luci.apply=internal
luci.apply.rollback='90'
luci.apply.holdoff='4'
luci.apply.timeout='5'
luci.apply.display='1.5'
luci.diag=internal
luci.diag.dns='openwrt.org'
luci.diag.ping='openwrt.org'
luci.diag.route='openwrt.org'
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd18:0640:804c::/48'
network.globals.packet_steering='1'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth1 eth2'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.force_link='1'
network.lan.ipaddr='10.10.10.10'
network.wan=interface
network.wan.ifname='eth0'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.ifname='eth0'
network.wan6.proto='dhcpv6'
rpcd.@rpcd[0]=rpcd
rpcd.@rpcd[0].socket='/var/run/ubus.sock'
rpcd.@rpcd[0].timeout='30'
rpcd.@login[0]=login
rpcd.@login[0].username='root'
rpcd.@login[0].password='$p$root'
rpcd.@login[0].read='*'
rpcd.@login[0].write='*'
snort.snort=snort
snort.snort.interface='eth0:br-lan'
snort.snort.alert_module='alert_full'
snort.snort.config_dir='/etc/snort'
system.@system[0]=system
system.@system[0].hostname='OpenWrt'
system.@system[0].ttylogin='0'
system.@system[0].log_size='64'
system.@system[0].urandom_seed='0'
system.@system[0].zonename='America/New York'
system.@system[0].timezone='EST5EDT,M3.2.0,M11.1.0'
system.ntp=timeserver
system.ntp.enabled='1'
system.ntp.enable_server='0'
system.ntp.server='0.openwrt.pool.ntp.org' '1.openwrt.pool.ntp.org' '2.openwrt.pool.ntp.org' '3.openwrt.pool.ntp.org'
ucitrack.@network[0]=network
ucitrack.@network[0].init='network'
ucitrack.@network[0].affects='dhcp' 'radvd'
ucitrack.@wireless[0]=wireless
ucitrack.@wireless[0].affects='network'
ucitrack.@firewall[0]=firewall
ucitrack.@firewall[0].init='firewall'
ucitrack.@firewall[0].affects='luci-splash' 'qos' 'miniupnpd'
ucitrack.@olsr[0]=olsr
ucitrack.@olsr[0].init='olsrd'
ucitrack.@dhcp[0]=dhcp
ucitrack.@dhcp[0].init='dnsmasq'
ucitrack.@dhcp[0].affects='odhcpd'
ucitrack.@odhcpd[0]=odhcpd
ucitrack.@odhcpd[0].init='odhcpd'
ucitrack.@dropbear[0]=dropbear
ucitrack.@dropbear[0].init='dropbear'
ucitrack.@httpd[0]=httpd
ucitrack.@httpd[0].init='httpd'
ucitrack.@fstab[0]=fstab
ucitrack.@fstab[0].exec='/sbin/block mount'
ucitrack.@qos[0]=qos
ucitrack.@qos[0].init='qos'
ucitrack.@system[0]=system
ucitrack.@system[0].init='led'
ucitrack.@system[0].exec='/etc/init.d/log reload'
ucitrack.@system[0].affects='luci_statistics' 'dhcp'
ucitrack.@luci_splash[0]=luci_splash
ucitrack.@luci_splash[0].init='luci_splash'
ucitrack.@upnpd[0]=upnpd
ucitrack.@upnpd[0].init='miniupnpd'
ucitrack.@ntpclient[0]=ntpclient
ucitrack.@ntpclient[0].init='ntpclient'
ucitrack.@samba[0]=samba
ucitrack.@samba[0].init='samba'
ucitrack.@tinyproxy[0]=tinyproxy
ucitrack.@tinyproxy[0].init='tinyproxy'
uhttpd.main=uhttpd
uhttpd.main.redirect_https='1'
uhttpd.main.home='/www'
uhttpd.main.rfc1918_filter='1'
uhttpd.main.max_requests='3'
uhttpd.main.max_connections='100'
uhttpd.main.cert='/etc/uhttpd.crt'
uhttpd.main.key='/etc/uhttpd.key'
uhttpd.main.cgi_prefix='/cgi-bin'
uhttpd.main.script_timeout='60'
uhttpd.main.network_timeout='30'
uhttpd.main.http_keepalive='20'
uhttpd.main.tcp_keepalive='1'
uhttpd.main.ubus_prefix='/ubus'
uhttpd.main.listen_http='10.10.10.10:80'
uhttpd.main.listen_https='10.10.10.10:443'
uhttpd.main.lua_prefix='/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
uhttpd.defaults=cert
uhttpd.defaults.days='730'
uhttpd.defaults.bits='2048'
uhttpd.defaults.country='ZZ'
uhttpd.defaults.state='Somewhere'
uhttpd.defaults.location='Unknown'
uhttpd.defaults.commonname='OpenWrt'
You could assign a secondary IP to your laptop NIC on 10.10.10.0/24. This might edit you access LuCI. If it does, then this could indicate that your laptop is in fact connected to the LAN but the DHCP is passing through somehow. But if you can't access the router from 10.10.10.0/24 then somehow you are connected to the WAN not the LAN!
I can manually assign the 10.10.10.0/24 network and then access luCi, but I then lose access to the WAN. It's like it's in a transparent gateway mode, but nothing I can find tells me why it's like that in the settings.
1 Like
What does brctl show give?
bridge name bridge id STP enabled interfaces
br-lan 7fff.2c265f8004a5 no eth1
eth2
I'm sure I'm missing something simple and critical, but I can't figure it out
Interesting.
If I disable snort and reboot, it seems to work as intended..
This is a snort issue..
Thanks all! I appreciate the help.
Grommish:
This is a snort issue..
Make sensehttps://wiki.archlinux.org/index.php/Snort
Snort will bridge the two interfaces for you, you will not need to configure this.
2 Likes
Well, before I post a new topic, I'll try here so I don't have to go over the background
The snort issue I'll have to look into, but I suspect the snort issue is a consequence of a deeper issue.
If I have snort disabled, the downstream machine picks up the proper DHCP address, but the DNS is inaccessible (set properly in the DHCP), but either is refusing the connection or blocking it in some other way).
From the downstream laptop, if I ping the IP it's fine, but any DNS resolution is no go.
system
May 15, 2020, 11:37pm
14
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.
Thanks for all the help everyone!