Half-bridged modem access works until restart

I have a Huawei E5186 configured in its bridge mode (really, a half-bridge) and connected to the WAN interface of OpenWRT on my TP-Link Archer D7.
OpenWRT version: OpenWrt SNAPSHOT r15109-c71500fd45 / LuCI Master git-20.332.74200-03c77da
(support for the Archer D7 is not in a stable release yet)

It happily grants a DHCP lease for its WAN IP address to OpenWRT and works fine.

I want to be able to access the modem configuration page at 192.168.8.1 (to view signal data). I've followed the instructions on the forum and here: https://openwrt.org/docs/guide-user/network/wan/access.modem.through.nat
And created the interface "modemaccess":

config interface 'modemaccess'
        option proto 'static'
        option ifname 'eth0.2'
        option ipaddr '192.168.8.2'
        option netmask '255.255.255.0'
        option metric '500'
        option force_link '0'
        option auto '0'

Which works initially... (but note that if I follow its advice to disable masquerading on the modemaccess interface, it doesn't work, so I left that out).

However, if I reboot the router, or disconnect the wan cable and reconnect it, it can no longer use the internet, but CAN still access the modem interface at 192.168.8.1. If I disable the modemaccess interface, the internet returns. If I then re-enable the modemaccess interface, I can use both. It seems that the modemaccess interface must always be restarted after the wan interface.

I've tried giving the modemaccess interface a huge metric as you see above but this doesn't help.

Please note I am no longer physically located where the OpenWRT installation is; I am accessing it through a WireGuard tunnel.

uci export network

package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf8:5c78:c118::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.10.1'
        list dns '192.168.10.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.0.0.1'
        list dns '1.1.1.1'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '2 1 6t'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'REDACTED'
        list addresses '192.168.9.250/24'

config wireguard_wg0
        option description 'albia'
        option public_key 'REDACTED'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host 'REDACTED'
        option endpoint_port 'REDACTED'
        option preshared_key 'REDACTED'
        list allowed_ips '192.168.9.0/24'

config interface 'modemaccess'
        option proto 'static'
        option ifname 'eth0.2'
        option ipaddr '192.168.8.2'
        option netmask '255.255.255.0'
        option metric '500'
        option force_link '0'
        option auto '0'

uci export firewall

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan wg0'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'modemaccess wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'


Better stick with the wiki instructions and remove these options

Tried that, makes no difference. (auto '0' just means don't start it on boot, if I start it on boot I have no internet until I restart the interface)

I'd be more inclined to think this is a problem with the VPN.

When the WAN is dhcp / IP (and there's not a general VPN override) you really don't need to define a modemaccess network, since the default route to any network the router doesn't know about is via the WAN port. Simply going to 192.168.8.1 will be routed through like any Internet access, and since the modem listens to that IP a page will be served by the modem. The concept of a modemaccess network is most useful with a pppoe wan because otherwise plain IP packets won't appear at the WAN port.

What does your routing table look like, both when Internet works and when it does not?


The VPN is just for remote access to the router- it's not set up to tunnel all internet traffic through it. So yes, I agree, I shouldn't need the modemaccess interface at all, because the default route pushes things over the WAN interface anyway. But I tried that first, and without the modemaccess interface, I cannot access the modem at 192.168.8.1.

It was a tricky ask seeing I only have remote access at the moment. If it has no internet access how would I get back in? So I made it start the modemaccess interface on boot- i.e. the no internet situation. Then in the startup script I slept a bit, recorded the route, and stopped the modemaccess interface, and recorded the route again. Thankfully it worked and I got back in.

It's a 4G modem and doesn't get a real public IP, because of carrier grade NAT, but that shouldn't matter.

Here's a snip from the syslog showing it renewing its WAN IP from the modem:

Fri Dec 11 09:21:46 2020 daemon.notice netifd: wan (2212): udhcpc: sending renew to 192.168.8.1
Fri Dec 11 09:21:46 2020 daemon.notice netifd: wan (2212): udhcpc: lease of 10.222.177.112 obtained, lease time 300
  1. Routes with modemaccess starting on boot- i.e. no internet:
default via 10.64.64.1 dev eth0.2  src 10.222.177.112 
10.64.64.1 dev eth0.2 scope link  src 10.222.177.112 
192.168.8.0/24 dev eth0.2 scope link  src 192.168.8.2 
192.168.10.0/24 dev br-lan scope link  src 192.168.10.1
  2. Routes after modemaccess interface taken down, no access to modem at 192.168.8.1, internet comes back, as you can see it's found the VPN endpoint IP from the dyndns name I have set up, and the wireguard interface has come up:
default via 10.64.64.1 dev eth0.2  src 10.222.177.112 
10.64.64.1 dev eth0.2 scope link  src 10.222.177.112 
VPN_ENDPOINT_IP_REDACTED via 10.64.64.1 dev eth0.2 
192.168.9.0/24 dev wg0 scope link 
192.168.10.0/24 dev br-lan scope link  src 192.168.10.1 
  3. Routes after modemaccess interface brought back up again, internet still working, access to the modem at 192.168.8.1 also working:
default via 10.64.64.1 dev eth0.2  src 10.222.177.112 
10.64.64.1 dev eth0.2 scope link  src 10.222.177.112 
VPN_ENDPOINT_IP_REDACTED via 10.64.64.1 dev eth0.2 
192.168.8.0/24 dev eth0.2 scope link  src 192.168.8.2 
192.168.9.0/24 dev wg0 scope link 
192.168.10.0/24 dev br-lan scope link  src 192.168.10.1

Probably a workaround (I haven't tried yet) would be to make an ifup script for the wan interface that restarts the modemaccess interface.

From routing perspective there doesn't seem to be anything wrong, in all cases you have the default route via the ISP. Let's see the whole picture here:

Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; \
ping -c 3 1.1.1.1; ping -c 3 one.one.one.one

Run this with modemaccess starting on boot.

## ubus call system board
{
	"kernel": "5.4.80",
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
	"model": "TP-Link Archer D7 v1",
	"board_name": "tplink,archer-d7-v1",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r15109-c71500fd45",
		"target": "ath79/generic",
		"description": "OpenWrt SNAPSHOT r15109-c71500fd45"
	}
}

## uci export network
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf8:5c78:c118::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.10.1'
	list dns '192.168.10.1'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.0.0.1'
	list dns '1.1.1.1'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '2 1 6t'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'REDACTED'
	list addresses '192.168.9.250/24'

config wireguard_wg0
	option description 'REDACTED'
	option public_key 'REDACTED'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option endpoint_host 'REDACTED'
	option endpoint_port 'REDACTED'
	option preshared_key 'REDACTED'
	list allowed_ips '192.168.9.0/24'

config interface 'modemaccess'
	option proto 'static'
	option ifname 'eth0.2'
	option ipaddr '192.168.8.2'
	option netmask '255.255.255.0'
	option force_link '0'


## uci export wireless
package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option htmode 'VHT80'
	option country 'AU'
	option channel '56'
	option noscan '1'
	option legacy_rates '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'REDACTED'
	option encryption 'psk2+ccmp'
	option key 'REDACTED'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/ahb/18100000.wmac'
	option country 'AU'
	option htmode 'HT40'
	option noscan '1'
	option legacy_rates '0'
	option channel '5'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'REDACTED'
	option encryption 'psk2+ccmp'
	option key 'REDACTED'


## uci export dhcp
package dhcp

config dnsmasq
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option domainneeded '1'

config dhcp 'lan'
	option interface 'lan'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'


## uci export firewall
package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wg0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'modemaccess wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'


## head -n -0 /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

## ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.10.1/24 brd 192.168.10.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.8.2/24 brd 192.168.8.255 scope global eth0.2
       valid_lft forever preferred_lft forever
    inet 10.123.207.26/32 brd 255.255.255.255 scope global eth0.2
       valid_lft forever preferred_lft forever

## ip -4 ro li tab all
default via 10.64.64.1 dev eth0.2  src 10.123.207.26 
10.64.64.1 dev eth0.2 scope link  src 10.123.207.26 
192.168.8.0/24 dev eth0.2 scope link  src 192.168.8.2 
192.168.10.0/24 dev br-lan scope link  src 192.168.10.1 
local 10.123.207.26 dev eth0.2 table local scope host  src 10.123.207.26 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.8.0 dev eth0.2 table local scope link  src 192.168.8.2 
local 192.168.8.2 dev eth0.2 table local scope host  src 192.168.8.2 
broadcast 192.168.8.255 dev eth0.2 table local scope link  src 192.168.8.2 
broadcast 192.168.10.0 dev br-lan table local scope link  src 192.168.10.1 
local 192.168.10.1 dev br-lan table local scope host  src 192.168.10.1 
broadcast 192.168.10.255 dev br-lan table local scope link  src 192.168.10.1 

## ip -4 ru
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 

## ls -l /etc/resolv.conf /tmp/resolv.conf /tmp/resolv.conf.d /tmp/resolv.conf.d/resolv.conf.auto
lrwxrwxrwx    1 root     root            16 Nov 30 21:39 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Dec 12 09:43 /tmp/resolv.conf
-rw-r--r--    1 root     root            94 Dec 12 09:43 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            94 Dec 12 09:43 resolv.conf.auto

## head -n -0 /etc/resolv.conf /tmp/resolv.conf /tmp/resolv.conf.d /tmp/resolv.conf.d/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface lan
nameserver 192.168.10.1
# Interface wan
nameserver 1.0.0.1
nameserver 1.1.1.1

## ping -c 3 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

## ping -c 3 one.one.one.one


Just for fun I did the exact same commands after restarting modemaccess. The only changes were pings working, and the first two ip commands:

# ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.10.1/24 brd 192.168.10.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.123.207.26/32 brd 255.255.255.255 scope global eth0.2
       valid_lft forever preferred_lft forever
    inet 192.168.8.2/24 brd 192.168.8.255 scope global eth0.2
       valid_lft forever preferred_lft forever
10: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 192.168.9.250/24 brd 192.168.9.255 scope global wg0
       valid_lft forever preferred_lft forever

# ip -4 ro li tab all
default via 10.64.64.1 dev eth0.2  src 10.123.207.26 
10.64.64.1 dev eth0.2 scope link  src 10.123.207.26 
WG.ENDPOINT.IP.REDACTED via 10.64.64.1 dev eth0.2 
192.168.8.0/24 dev eth0.2 scope link  src 192.168.8.2 
192.168.9.0/24 dev wg0 scope link 
192.168.10.0/24 dev br-lan scope link  src 192.168.10.1 
local 10.123.207.26 dev eth0.2 table local scope host  src 10.123.207.26 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.8.0 dev eth0.2 table local scope link  src 192.168.8.2 
local 192.168.8.2 dev eth0.2 table local scope host  src 192.168.8.2 
broadcast 192.168.8.255 dev eth0.2 table local scope link  src 192.168.8.2 
broadcast 192.168.9.0 dev wg0 table local scope link  src 192.168.9.250 
local 192.168.9.250 dev wg0 table local scope host  src 192.168.9.250 
broadcast 192.168.9.255 dev wg0 table local scope link  src 192.168.9.250 
broadcast 192.168.10.0 dev br-lan table local scope link  src 192.168.10.1 
local 192.168.10.1 dev br-lan table local scope host  src 192.168.10.1 
broadcast 192.168.10.255 dev br-lan table local scope link  src 192.168.10.1 

I think the only relevant thing here is the different order of the multihomed ip addresses on eth0.2- when it's not working 192.168.8.2 is first, when it is working it's second.

So on a hunch I tried to rename modemaccess to zzmodemaccess so it's initialised last during boot. But I messed it up and broke remote access. So now I have to wait till at least Monday before I can restore remote access.

Remove this.

One thing you can try is to use option ifname '@wan' in modemaccess interface.


Ok thanks, will try both once I have remote access again.

Using the alias name option ifname '@wan' worked a dream! Thank you!

