DS-Lite working, except that over IPv4 only ICMP is possible

Hello,
I'm having some trouble with my DS-Lite setup.
IPv6 is working fine, as I'm currently (and luckily) using this forum :)
But I don't know why, for IPv4, only ICMP is working. HTTP, SSH etc. simply do not work, and every connection seems to time out.
Perhaps it's just a bad firewall setting, or am I missing something else?

Here is what I have tried so far:

  • reset my router with firstboot
  • configured my WAN connection with PPPoE
  • uci set network.wan.ipv6=1 && uci set network.wan6.ifname=@wan

My setup:

  • Firmware: OpenWrt 18.06.4 r7808-ef686b7292
  • Hardware: TP-Link Archer C5 v1
  • Modem: Draytek Vigor 165 (VLAN 7 configured on the modem)

Thanks in advance,
Thomas

Some configs:
/etc/config/network:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd4d:29fd:233c::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'

# Upstream link: a PPPoE session on eth0 (per the post, VLAN 7 is handled by the modem).
config interface 'wan'
        option proto 'pppoe'
        # Credentials were masked by the poster before the config was published.
        option username '***********'
        option password '************'
        option ifname 'eth0'
        # Set by the poster with `uci set network.wan.ipv6=1`; presumably turns on
        # IPv6 negotiation on the PPP link so that 'wan6' can run on top of it - confirm.
        option ipv6 '1'

# DHCPv6 client interface. The `ip -4 addr` output later in the post shows a
# DS-Lite tunnel device named ds-wan6_4 on top of pppoe-wan, so the IPv4 path
# appears to be derived from this section.
# The fix reported at the end of the thread is one extra option in this section:
#   option encaplimit_dslite 'ignore'
config interface 'wan6'
        option proto 'dhcpv6'
        # '@wan' is an alias: use whatever device interface 'wan' brings up.
        option ifname '@wan'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch                                  
        option name 'switch0'    
        option reset '1'         
        option enable_vlan '1'   
                                 
config switch_vlan               
        option device 'switch0'       
        option vlan '1'          
        option ports '0t 2 3 4 5'  
        option vid '1'         
                               
config switch_vlan             
        option device 'switch0'                   
        option vlan '2'         
        option ports '1 6'  
        option vid '2'

/etc/config/firewall

# Global fallback policies: traffic to and from the router itself is accepted,
# forwarding is rejected unless a zone, forwarding or rule section permits it.
config defaults
        # SYN-flood protection is switched on.
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# LAN zone: hosts on network 'lan' may reach the router (input) and traffic
# within the zone is forwarded.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'
        # NOTE(review): masq on the lan zone applies NAT to traffic leaving towards
        # the LAN. Stock OpenWrt configs set masq on the wan zone instead; a reply
        # in the thread flags the same thing.
        option masq '1'

# WAN zone: unsolicited traffic addressed to the router is rejected. Both the
# PPPoE interface and the DHCPv6 interface are members.
# NOTE(review): the stock OpenWrt wan zone also carries `option masq '1'` and
# `option mtu_fix '1'`; neither is present here. The ip output in the post shows
# the DS-Lite tunnel at mtu 1280, so missing MSS clamping is worth ruling out
# when TCP stalls while ICMP works.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        # NOTE(review): the tunnel appears as ds-wan6_4 in the ip output; confirm
        # that this dynamically created interface is actually assigned to this zone.
        option network 'wan6 wan'
        option forward 'REJECT'

# The only inter-zone forwarding permitted wholesale: lan -> wan.
# There is no matching section for wan -> lan, so inbound forwarding falls back
# to the default forward policy (REJECT) except where an explicit rule accepts it.
config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule                           
        option name 'Allow-Ping'       
        option src 'wan'               
        option proto 'icmp'            
        option icmp_type 'echo-request'
        option family 'ipv4'           
        option target 'ACCEPT'         
                                       
config rule                            
        option name 'Allow-IGMP'       
        option src 'wan'               
        option proto 'igmp'            
        option family 'ipv4'           
        option target 'ACCEPT'         
                                       
config rule                            
        option name 'Allow-DHCPv6'     
        option src 'wan'               
        option proto 'udp'             
        option src_ip 'fc00::/6'       
        option dest_ip 'fc00::/6'      
        option dest_port '546'         
        option family 'ipv6'           
        option target 'ACCEPT'         
                                       
config rule                            
        option name 'Allow-MLD'        
        option src 'wan'               
        option proto 'icmp'            
        option src_ip 'fe80::/10'      
        list icmp_type '130/0'         
        list icmp_type '131/0'         
        list icmp_type '132/0'         
        list icmp_type '143/0'         
        option family 'ipv6'           
        option target 'ACCEPT'

config rule                            
        option name 'Allow-ICMPv6-Input'
        option src 'wan'                
        option proto 'icmp'             
        list icmp_type 'echo-request'   
        list icmp_type 'echo-reply'     
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'         
        list icmp_type 'time-exceeded'          
        list icmp_type 'bad-header'             
        list icmp_type 'unknown-header-type'    
        list icmp_type 'router-solicitation'    
        list icmp_type 'neighbour-solicitation' 
        list icmp_type 'router-advertisement'   
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'                 
        option family 'ipv6'                    
        option target 'ACCEPT'                  
                                                
config rule                                     
        option name 'Allow-ICMPv6-Forward'      
        option src 'wan'                        
        option dest '*'                         
        option proto 'icmp'                     
        list icmp_type 'echo-request'           
        list icmp_type 'echo-reply'             
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'         
        list icmp_type 'time-exceeded'          
        list icmp_type 'bad-header'             
        list icmp_type 'unknown-header-type'    
        option limit '1000/sec'                 
        option family 'ipv6'                    
        option target 'ACCEPT'

# Forward rule: ESP (IPsec payload) from the wan zone to any host in the lan zone.
# No 'family' option is set, so the rule is not limited to one IP family.
# NOTE(review): if no LAN host terminates IPsec, this rule only widens what the
# wan side can reach and can be disabled.
config rule                                     
        option name 'Allow-IPSec-ESP'           
        option src 'wan'                        
        option dest 'lan'                       
        option proto 'esp'                      
        option target 'ACCEPT'                  
                                                
# Forward rule: UDP port 500 (IKE/ISAKMP key exchange) from the wan zone to any
# host in the lan zone. No 'family' option is set, so it is not limited to one
# IP family.
# NOTE(review): pairs with Allow-IPSec-ESP; if no LAN host runs an IPsec
# endpoint, both rules can be disabled together.
config rule                                     
        option name 'Allow-ISAKMP'              
        option src 'wan'                        
        option dest 'lan'                       
        option dest_port '500'                  
        option proto 'udp'                      
        option target 'ACCEPT'                  
                                                
config include                                  
        option path '/etc/firewall.user'

Some realtime troubleshooting?
ip -4 addr; ip -4 ro; ip -4 ru; nslookup www.google.com

root@OpenWrt:~# ip -4 addr; ip -4 ro; ip -4 ru; nslookup www.google.com
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
12: ds-wan6_4@pppoe-wan: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN qlen 1
    inet 192.0.0.2 peer 192.0.0.1/32 brd 255.255.255.255 scope global ds-wan6_4
       valid_lft forever preferred_lft forever
default dev ds-wan6_4 scope link 
192.0.0.1 dev ds-wan6_4 scope link  src 192.0.0.2 
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:      www.google.com
Address 1: 172.217.18.100
Address 2: 2a00:1450:4001:81b::2004

Just let me know if you need more information.

I didn't see this earlier:
In the firewall config you have masquerading enabled on the lan zone instead of on wan.

I enabled masquerading for wan and disabled it for lan: no success.

# Revised lan zone from the follow-up: same policies as before, with the masq
# option no longer set on this zone.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

# Revised wan zone from the follow-up: masquerading now sits here, which matches
# the stock OpenWrt layout. Input and forward from the wan side stay REJECT.
# NOTE(review): `option mtu_fix '1'` from the stock wan zone is still absent;
# with the DS-Lite tunnel at mtu 1280 (see the ip output) that is worth checking.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option network 'wan6 wan'
        option masq '1'
        option forward 'REJECT'
traceroute -4 google.com
traceroute to google.com (216.58.207.46), 30 hops max, 60 byte packets
 1  OpenWrt.lan (192.168.2.1)  0.756 ms  0.899 ms  1.334 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
ping -4 -n -c 3 google.com
PING google.com (216.58.207.46) 56(84) bytes of data.
64 bytes from 216.58.207.46: icmp_seq=1 ttl=56 time=10.5 ms
64 bytes from 216.58.207.46: icmp_seq=2 ttl=56 time=10.0 ms
64 bytes from 216.58.207.46: icmp_seq=3 ttl=56 time=10.3 ms

It seems that your configuration is not correct.
Check here.

Sorry for the late response. I'm still renovating my new flat and didn't have the time to test further.
But now it seems to work. The trick was to set the following option: network.wan6.encaplimit_dslite='ignore'
Thanks for your help.

