From LEDE.lan (192.168.0.1) icmp_seq=3 Destination Port Unreachable

LEDE/LuCI (now, I guess, OpenWRT) IP is 192.168.0.1

Cable is plugged into WAN port to Internet (via unmanaged switch).

Cable from LEDE router LAN port plugged into computer (Linux Ubuntu).

FWIW, LEDE/LuCI is configged for non-Luci OpenVPN by following post written for/to me from board admin with superior FU at https://cryptostorm.org/viewtopic.php?f=37&t=4480. Second to last post. Elsewhere on the 'net the problem lies in the firewall not forwarding, but what solution there is uses Windows commands.

I made an ethernetwork (named: Ethernet connection 1) for the Luci router with

IP: 192.168.1.11
B'cast 192.168.1.255
Subnet 255.255.255.0

Using that allows me to ssh into the Luci router, but there is no Internet.

SSH in to the router and run the following...

cat /etc/config/network

cat /etc/config/firewall

Post the results.

jwoods said:

cat /etc/config/network

cat /etc/config/firewall

mark@Lexington:~$ ssh root@192.168.0.1
root@192.168.0.1's password: 


BusyBox v1.25.1 () built-in shell (ash)

     _________
    /        /\      _    ___ ___  ___
   /  LE    /  \    | |  | __|   \| __|
  /    DE  /    \   | |__| _|| |) | _|
 /________/  LE  \  |____|___|___/|___|                      lede-project.org
 \        \   DE /
  \    LE  \    /  -----------------------------------------------------------
   \  DE    \  /    Reboot (17.01.2, r3435-65eec8bd5f)
    \________\/    -----------------------------------------------------------

root@LEDE:~# cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd12:7b17:b457::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.1'

config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config interface 'wan6'
	option ifname 'eth0'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6'

config interface 'csvpntun'
	option proto 'none'
	option ifname 'tun0'

.

root@LEDE:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'csvpntun'

config forwarding
	option src 'lan'
	option dest 'vpnfirewall'

Should be -

option dns '8.8.8.8 8.8.4.4'

I think this should be -

option dest 'wan'

I don't use IPv6 so can't verify.

Please post code and log output within code boxes

First does it work without a VPN? It is important that your Internet connection is through an address outside any address ranges used in the LAN. If you plug the WAN cable into a cable or DSL modem/router that is still routing, it may give you a 192.168.0.x address or 192.168.1.x and that will not work.

I'm not sure how the VPN is supposed to work with only one network. Usually you would set up something like "vpnusers" with a DHCP server and two firewall zones to forward and NAT into the VPN tunnel, completely isolated from the LAN and WAN. Users who connect to a particular wifi AP or Ethernet port (set up with VLANs) would be directed into the VPN with zero configuration on their machine.

Check logs and ifconfig to see what addresses are in use. Again, kill OpenVPN and make sure you can route ordinarily to the Internet through 192.168.0.1. Then start up OpenVPN and make sure it logs in to the server and connects, this should give the tun0 interface an IP address.

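Added example, not part of any post in this thread: a POSIX sh check for the condition described in the reply above, where the address the WAN port receives falls inside the LAN's range. The LAN values are the ones from the posted /etc/config/network; the WAN leases are constructed samples, and the function names are made up for this illustration.

```shell
#!/bin/sh
# Added illustration: does the WAN lease collide with the LAN subnet?
# On the router the LAN side can be read with `uci get network.lan.ipaddr`
# and `uci get network.lan.netmask`; the WAN side with `ifconfig eth0`.

# Convert a dotted-quad IPv4 address or netmask to an integer.
# The body runs in a subshell so the IFS change does not leak out.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Exit status 0 when the two networks share any address.
# Arguments: addr1 mask1 addr2 mask2
nets_overlap() {
    a=$(ip2int "$1"); ma=$(ip2int "$2")
    b=$(ip2int "$3"); mb=$(ip2int "$4")
    m=$(( ma & mb ))    # the shorter (less specific) of the two masks
    [ $(( a & m )) -eq $(( b & m )) ]
}

# Arguments: lan_ip lan_mask wan_ip wan_mask. Prints CONFLICT or OK.
check_wan() {
    if nets_overlap "$@"; then
        echo "CONFLICT"   # router cannot tell LAN-bound from WAN-bound traffic
    else
        echo "OK"
    fi
}

# LAN values from the posted /etc/config/network.
LAN_IP=192.168.0.1
LAN_MASK=255.255.255.0

# Constructed WAN leases (address netmask), not taken from the thread.
for lease in "192.168.0.23 255.255.255.0" \
             "192.168.5.9 255.255.0.0" \
             "10.20.30.40 255.255.255.0"; do
    set -- $lease
    printf '%-14s %-15s %s\n' "$1" "$2" \
        "$(check_wan "$LAN_IP" "$LAN_MASK" "$1" "$2")"
done
```

The second sample shows that an upstream router handing out a wider /16 still collides with the /24 LAN even though the third octet differs.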

For JW0914

According to the VPN service, Cryptostorm, they do not offer IPv6 service.

For mk24

I'm inexperienced in this. Please give me a day or two to work with what you have given me today. I tried changing the openwrt router's IP to: 192.168.11.1 per

but it's not working. And that's most odd, as this is how I got the router to work to install LEDE/LuCI. I've not changed any of the modem/router/wifi settings.