Help with Fastweb FTTH (Italy)

Hallo everyone,

I'm new to this forum and, well, new to OpenWrt.
As you can "bet" from the object my provider is Fastweb; I have an FTTH 1000/200 and I was lucky enough to not have an sfp embedded into the router sent to me by the provider. I got rid of their router almost immediately in favour of a Fritz!Box and a media converter: i was able to configure it with the FBeditor in order to clone the MAC address of the original modem and setting the vendor class identifer to "askey_HW_ES1_SW_0.00.47/dslforum.org".

After several years I have decided to try OpenWrt, mostly for study purpose: I did install the Damian Perera build OpenWrt for RPi 4 on my raspberry, added a (working)USB to ETH adapter with the goal to use it as a small and (hopefully) powerful router.

Currently i have eth0 serving the WAN interface: everything has default value but the WAN vendorid option and the eth0 MAC, cloned from the Fastweb router.
Doing so i was able to receive the address from my provider: the openWRT webgui also shows my public IP; some traffic is happening but i'm not able to connect to internet.
I didn't try to connect any device, i tried opkg to list updates from the repositories receiving a connection error message. I suspect it could be a DNS problem, but I'm able to configure them just for the LAN interface (eth1); I don't know if and where to specify the DNS for the WAN.

Find below my network config:

cat /etc/config/network

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd1a:a335:b0cf::/48'
option packet_steering '1'

config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'

config interface 'wan'
option proto 'dhcp'
option peerdns '0'
option device 'eth0'
option hostname '*'
option vendorid 'askey_HW_ES1_SW_0.00.47/dslforum.org'
option defaultroute '0'

config interface 'lan'
option proto 'static'
option device 'eth1'
list ipaddr '10.0.0.252/24'
list dns '1.1.1.1'

config device
option name 'eth1'

config device
option name 'wlan0'

config device
option name 'eth0'
option macaddr 'cloned MAC'

Do you have any suggestion?
Thanks in advance :slight_smile:
kaneda79

yes ,if you have option peerdns '0' specify that on wan interface like you did on lan interface, also you can delete that on lan interface

Thank you bricco, I did as you say but no joy.

System log confirm that the submitted vendor ID and MAC are correct. I receive the static public ip; openwrt reads the custome nameservers from /tmp/resolv.conf.d/resolv.conf.auto, but then i see ADDRCHANGE EVENT:bound IP:my-public-IP DNS:62.101.93.101 83.103.25.250 SERVER:10.254.3.250 DURATION:28800.
DNS are being changed with the ones used by Fastweb during the IP request.
Finally the request ends with: daemon.warn dnsmasq[1]: no servers found in /tmp/resolv.conf.d/resolv.conf.auto, will retry

This is the system log with the useful events:

Fri Sep 23 14:31:20 2022 daemon.notice netifd: Interface 'wan' is enabled
Fri Sep 23 14:31:20 2022 daemon.notice netifd: Interface 'wan' is setting up now
Fri Sep 23 14:31:20 2022 kern.info kernel: [ 1588.218096] bcmgenet fd580000.ethernet: configuring instance for external RGMII (RX delay)
Fri Sep 23 14:31:20 2022 kern.info kernel: [ 1588.226670] bcmgenet fd580000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx
Fri Sep 23 14:31:20 2022 kern.info kernel: [ 1588.235088] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
Fri Sep 23 14:31:20 2022 daemon.notice netifd: wan (19566): udhcpc: started, v1.35.0
Fri Sep 23 14:31:20 2022 daemon.notice netifd: wan (19566): udhcpc: broadcasting discover
Fri Sep 23 14:31:20 2022 daemon.notice netifd: wan (19566): udhcpc: broadcasting select for my-public-IP, server 10.254.3.250
Fri Sep 23 14:31:21 2022 daemon.notice netifd: wan (19566): udhcpc: lease of my-public-IP obtained from 10.254.3.250, lease time 28800
Fri Sep 23 14:31:21 2022 daemon.notice netifd: Interface 'wan' is now up
Fri Sep 23 14:31:21 2022 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
Fri Sep 23 14:31:21 2022 daemon.info dnsmasq[1]: using nameserver 8.8.8.8#53
Fri Sep 23 14:31:21 2022 daemon.info dnsmasq[1]: using nameserver 8.8.4.4#53
Fri Sep 23 14:31:21 2022 daemon.info dnsmasq[1]: using only locally-known addresses for test
Fri Sep 23 14:31:21 2022 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Fri Sep 23 14:31:21 2022 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Fri Sep 23 14:31:21 2022 daemon.info dnsmasq[1]: using only locally-known addresses for local
Fri Sep 23 14:31:21 2022 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Fri Sep 23 14:31:21 2022 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Fri Sep 23 14:31:21 2022 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Fri Sep 23 14:31:21 2022 user.notice UDHCPC.USER: ADDRCHANGE EVENT:bound IP:my-public-IP DNS:62.101.93.101 83.103.25.250 SERVER:10.254.3.250 DURATION:28800
Fri Sep 23 14:31:21 2022 user.notice firewall: Reloading firewall due to ifup of wan (eth0)
Fri Sep 23 14:31:21 2022 user.notice nlbwmon: Reloading nlbwmon due to ifup of wan (eth0)
Fri Sep 23 14:33:13 2022 daemon.warn dnsmasq[1]: no servers found in /tmp/resolv.conf.d/resolv.conf.auto, will retry.

I noticed that trying to access the public IP from another network i reach the Openwrt login page (http).
I can't ping domains or plain IPs on the network, but ping works with other public ips in the same subnet of mine (that is really strange: i thought it was a /31 or /29, not a /24).

I Keep thinking the problem is connected to DNS

The DHCP server which you don't control will continue to advertise the ISP's DNS, but OpenWrt ignores it if you have peerdns set to 0. You must then configure alternative DNS in the wan section, if you want the dnsmasq system to work (LAN devices are always free to submit DNS directly to any external server) Don't set any DNS in the lan section.

The external DNS that dnsmasq is ultimately going to use can be found in the file /tmp/resolv.conf.d/resolv.conf.auto.

Exactly what is the network problem? Can you ping well known sites by numeric IP (e.g. 8.8.8.8)? Can you ping them by name (e.g. dns.google)

1 Like

hi mk24,

thanks for your answer.
The problem is I cannot navigate on internet. what i mean that even an opkg update from my openwrt fails for a lack of connection.
I had to configure the vendorid and clone the mac address of the router supplied by my provider in order to obtain my static public IP. This part is successful, but navigation is not happening.

As you see in my network config output custom DNS are set on the WAN. LAN has no DNS declared

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd1a:a335:b0cf::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0'
        option defaultroute '0'
        option vendorid 'askey_HW_ES1_SW_0.00.47/dslforum.org'
        option hostname '*'
        option peerdns '0'
        list dns '9.9.9.9'
        list dns '1.1.1.1'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option device 'eth1'
        option ipaddr '10.0.0.252'

config device
        option name 'eth1'

config device
        option name 'eth0'
        option macaddr '<cloned-MAC>'

resolv.conf.auto shows (only) the correct DNS

cat  /tmp/resolv.conf.d/resolv.conf.auto

# Interface wan
nameserver 9.9.9.9
nameserver 1.1.1.1

Ping by numeric IP fails with the message: ping: sendto: Network unreachable

Ping by name fails with: ping: bad address

But pinging an external IP in the same subnet of my public static IP works.

Using the numeric IP for pings etc completely bypasses DNS.

DHCP should have installed a default route to one of the ISP's routers. Check this with the route command. Usually that router will return pings. If you run a traceroute to 8.8.8.8 (or any IP) see how far it progresses.

If you can ping things on the ISP's end of the fiber but can't reach the Internet that means the ISP has not authorized you.

1 Like

@mk24 you were right, the problem is connected to the
routes.

I know nothing about routing and I have started using openwrt in order to study basic routing.

route command says:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric     Ref    Use Iface
<my-public-IP>     *               255.255.255.0   U     0      0        0      eth0
10.0.0.0                *               255.255.255.0   U     0      0        0      eth1

I have added the following options to /etc/config/network

config route
        option interface 'wan'
        option target '0.0.0.0/0'
        option gateway '0.0.0.0

now route command says:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric     Ref    Use Iface
default                  *                0.0.0.0              U     0      0        0      eth0
<my-public-IP>     *               255.255.255.0   U     0      0        0      eth0
10.0.0.0                *               255.255.255.0   U     0      0        0      eth1

Those options have solved the internet navigation problem, but as I am a newby when it comes to routing, I am concerned about security. Should I use a more restrictive route? Or the route is correct and I have to configure restrictive rules firewall side?

The default route 0.0.0.0 means that every IP that isn't one of the router's LANs goes out the WAN port for the ISP to deal with. Usually it is targeted at the ISP's router, which you would receive by DHCP. But that isn't always necessary depending on how the ISP works.

There isn't a security issue since these are outgoing requests. Unsolicited incoming packets are going to be blocked by the firewall.

1 Like

That's nice!

Well, this conclude this topic so, @mk24 and @bricco1981 thank you very much for your help :slight_smile: