How to disable WAN-->LAN forwarding?

Hello.
I'm almost a new user of OpenWrt. I have a custom device with two ports: WAN (eth0) and LAN (eth1). I have a separate device that is permanently connected to the LAN port and communicates with the platform using a custom protocol. When I plug the cable from the external router into the WAN port, I am able to get Internet access, but the local separate device goes into the wrong mode, because the LAN port cannot receive any data from it.

While trying to fix this, I found the following:
When the LAN port (eth0) is empty and I plug a cable only into WAN, my console says:

[ 1595.243771] fsl-gianfar soc:ethernet@2d10000 eth0: Link is Up - 100Mbps/Full - flow control off
[ 1595.252506] br-lan: port 1(eth0) entered blocking state
[ 1595.257754] br-lan: port 1(eth0) entered forwarding state
[ 1595.643713] fsl-gianfar soc:ethernet@2d50000 eth1: Link is Up - 100Mbps/Full - flow control off
[ 1595.652416] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready

But eth1 is empty! Why does the WAN (eth0) take 'eth1' along and bring it to "Link Up"??? (Also, both go "Link Down" when the WAN cable is unplugged.) I don't need this behaviour.
I need WAN and LAN to be separated from each other. I have read some topics about network settings, rules and configurations, but I still haven't found a solution. How can I disable this WAN-->LAN pairing?
Thanks.

Let's see your config...

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Chances are high that you have an el-cheapo plastic router with only a single Ethernet controller but multiple ports. So technically the WAN and LAN ports are the same device, only separated (internally) by VLAN IDs.

Furthermore, the "blocking state" and "forwarding state" messages are a Layer-2 protocol thing and have nothing to do with Layer-3, i.e. routing; see https://en.wikipedia.org/wiki/Spanning_Tree_Protocol for details.

ubus call system board

{
        "kernel": "5.4.168",
        "hostname": "mender-ls1021a-cscan-openwrt",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "LS1021A CSCAN Board",
        "board_name": "cscan,ls1021a",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02-SNAPSHOT",
                "revision": "1.2.2-wa.-local",
                "target": "layerscape/armv7",
                "description": "OpenWrt 21.02-SNAPSHOT 1.2.2-webapp.-local"
        }
}

cat /etc/config/network

# Loopback interface; stock definition.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# LAN: a bridge whose only wired member is eth1 (the scanner port). The AP
# 'default_radio0' in the wireless config also joins this network, so wireless
# clients share the scanner's L2 segment.
config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.81.1'
        option netmask '255.255.255.0'
        option dns '8.8.8.8 8.8.4.4'
        # NOTE(review): gateway is this interface's own address, so it is not
        # a usable default route; replies later in the thread suggest removing it.
        option gateway '192.168.81.1'
        option ifname 'eth1'
        option disabled '0'

# 'wan' has no ifname, so it is bound to no device; it is also disabled.
# A reply in the thread suggests deleting it together with 'wan3'.
config interface 'wan'
        option proto 'dhcp'
        option disabled '1'

# 'wan2' is the Ethernet uplink on eth0 (disabled here). The firewall's 'wan'
# zone lists it, so enabling it places eth0 in that zone.
config interface 'wan2'
        option proto 'dhcp'
        option ifname 'eth0'
        option disabled '1'

# 'wan3' reuses wwan0 with proto 'none', alongside the 'wwan' interface below.
config interface 'wan3'
        option ifname 'wwan0'
        option proto 'none'
        option dns '8.8.8.8 8.8.4.4'
        option disabled '1'

# Cellular (QMI) uplink; disabled.
# NOTE(review): the APN username/password are stored in cleartext in this
# file, as UCI requires; keep the file's permissions restrictive.
config interface 'wwan'
        option proto 'qmi'
        option device '/dev/cdc-wdm0'
        option modes 'umts'
        option username 'gdata'
        option password 'gdata'
        option ifname 'wwan0'
        option disabled '1'

cat /etc/config/wireless

# 5 GHz radio (channel 36, VHT80) with legacy rates enabled.
config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'soc/3500000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0'
        option htmode 'VHT80'
        option log_level '1'
        # hostapd pass-through options: 802.11ac on, 802.11h/d off,
        # auth_algs=1 selects open-system authentication only.
        list hostapd_options 'ieee80211ac=1'
        list hostapd_options 'ieee80211h=0'
        list hostapd_options 'ieee80211d=0'
        list hostapd_options 'auth_algs=1'
        option cell_density '0'
        option legacy_rates '1'
        option disabled '0'

# Access point attached to the 'lan' network (same bridge as the scanner port).
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        # NOTE(review): encryption 'none' makes this an open AP bridged into
        # the scanner's LAN segment; the key below is presumably not applied
        # while encryption is disabled — confirm this is intended.
        option encryption 'none'
        option key '12345678'
        option disabled '0'
        option ssid 'weBBoat_0A6E'

# Station (client) interface that would feed the 'wan' network; disabled.
config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'sta'
        option network 'wan'
        option disabled '1'

cat /etc/config/dhcp

# dnsmasq (DNS forwarder + DHCPv4) global settings.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        # DNS rebind protection: upstream answers pointing into private ranges
        # are discarded; rebind_localhost still permits loopback answers.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        # localservice limits DNS answers to clients on local subnets.
        option localservice '1'
        option ednspacket_max '1232'
        option dhcpleasemax '150'
        #option logqueries '1'

# DHCPv4/DHCPv6 server and router advertisements on 'lan'.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# No DHCP service is offered on 'wan'.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# odhcpd handles DHCPv6/RA; maindhcp '0' leaves DHCPv4 to dnsmasq.
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

cat /etc/config/firewall

# Global policy: forwarding between zones is rejected unless a 'config
# forwarding' section or a rule allows it; input/output default to ACCEPT.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# Trusted side: the 'lan' network (eth1 bridge plus the AP).
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# Upstream side.
# NOTE(review): input ACCEPT exposes every service listening on the router to
# the upstream network, and forward ACCEPT permits traffic between the networks
# of this zone; stock OpenWrt ships both as REJECT (see the default config
# posted later in the thread). In stock OpenWrt the zone-level forward policy
# does not by itself allow wan->lan traffic — that needs a 'config forwarding'
# with src 'wan', which is absent here (confirm against this firmware's
# firewall implementation). 'wan6' is listed, but no such interface appears in
# the posted network config.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        list network 'wan2'
        list network 'wan3'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'

# Only lan->wan forwarding is declared; there is no wan->lan counterpart.
config forwarding
        option src 'lan'
        option dest 'wan'

# The rules below match the stock OpenWrt defaults for the wan zone; without
# a dest they apply to traffic addressed to the router itself.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# dest '*': these ICMPv6 types may be forwarded from wan to any zone.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# The two IPsec rules are forwarded from wan into lan (dest 'lan'), i.e. they
# reach hosts behind the router, not only the router itself.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# NOTE(review): /etc/firewall.user is not shown in the thread; any rules it
# contains change the effective policy described above.
config include
        option path '/etc/firewall.user'

Maybe this will clarify the situation.
Thanks.

This firmware is not provided by the official OpenWrt project. It is some heavily modified version of OpenWrt and therefore must be supported by the vendor/maintainer (likely the device vendor).

That said, your wan firewall rules are likely wrong -- typically input and forward are set to REJECT.

If that doesn't fix your issue, though, you'll need to contact the people who provided that firmware to you.

Thanks for reply.
I am not sure that they are the same. One fact is that I see two real Ethernet devices in
/sys/bus/platform/devices location

soc:ethernet@2d10000
soc:ethernet@2d50000

And when I plug/unplug only LAN (WAN is empty), I observe only eth1 going 'Link Up'/'Link Down', not both as in the case of the WAN port.

Gateway (aka default route) is something outside your router, it is the next router on the way to the Internet. How is this network designed to reach the Internet? Is the next router to the Internet on the lan or is it on another interface?


Thanks for the hint. I have full access to the source code. We only found this issue today, and I will keep trying to find something over the weekend.
If I understood you right, I need to experiment with changing 'option input' and 'option forward' from 'ACCEPT' to 'REJECT' below. Right?

# The 'wan' zone as currently configured. NOTE(review): 'input' and 'forward'
# are the two options the replies suggest changing to REJECT; stock OpenWrt
# ships both as REJECT for the wan zone.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        list network 'wan2'
        list network 'wan3'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'

I have the following connection diagram:

1. WiFi (from provider) ---> Home Router --->(cable) OpenWrt-Device(WAN port - eth0)
2.  SmartCard Scanner ----> (cable) OpenWrt-Device(LAN port - eth1)

As I mentioned above, this stack should work separately. But when the WAN is connected to the Internet, our Scanner goes into undefined states. I see that the RX counter on eth1 doesn't change. My OpenWrt device is not able to receive data from the Scanner. I'm sure this issue is exactly related to the WAN-->LAN pairing. When the WAN is disconnected, all works fine.
Thanks.

I see. After re-reading your first post, I see they are two interfaces/devices. However, the blocking and forwarding states are still related to STP. Why the other port gets triggered I don't know, but it's still rooted in what a bridge does if STP is enabled. If you know for sure you will never accidentally create a physical cable loop, feel free to just disable STP, run your test again and see what happens / how the devices behave.

If the upstream network is not trusted, these should absolutely be REJECT. REJECT is the default state (for OpenWrt).

As @mk24 said, remove the gateway from your lan interface definition.

But I'll state again that this is something heavily modified compared to the official OpenWrt... so all bets are off as to our ability to help you solve the problem, given that it is so significantly different (even the configs you share have major syntax differences relative to what is allowed in recent OpenWrt versions).


There is also quite a bit in the config that is just plain wrong. wan2 is the proper way to connect by Ethernet to an upstream network, wan and wan3 should be deleted.

If the wan IP subnet overlaps the lan, routing will not work. The wan needs to be something outside 192.168.81.0/24.

Does the Scanner "call home" to some cloud service which then configures it improperly for your use case?

Yes... but it's so much more than that...

For example, in the interface definitions, the use of ifname and bridge has been deprecated for a long time, but is still present here. There is no disabled option in pure OpenWrt either [EDIT: see below].... these are just a few indications that whatever is running here is not even remotely the same as OpenWrt. So while there is likely a lot of opportunity for misconfiguration by the OP, we're also looking at a black box.

https://openwrt.org/docs/guide-user/network/network_configuration?s=disabled#common_options


ah... cool. Thanks. I don't think I've ever seen it in use, but good to know it is actually valid to use the disabled option.


Yes. This image is modified, but I switched off all addons, deleted everything from the 'files' section, deleted all added scripts, and rebuilt OpenWrt as a clean image. Now I see different network and firewall configs in /etc/config that are used by default. My OpenWrt version is "OpenWrt 21.02-SNAPSHOT". And in the firewall config I now see:

# Stock OpenWrt firewall defaults after the rebuild: inter-zone forwarding
# rejected unless explicitly allowed.
config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

# Trusted side.
config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

# Upstream side: unlike the earlier vendor config, input and forward are
# REJECT here, so only the explicit Allow-* rules reach the router from wan.
config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

But the problem still occurs. In the ifconfig output 'wan' has disappeared, but plugging a cable into eth0 still causes the pairing of eth1. Thanks

Just in case, I repeat myself: what you see in the log is related to STP. It has nothing to do with WiFi, the firewall, or DHCP. On OpenWrt STP is disabled by default, so if you now use a plain OpenWrt you should at least not see the blocking and forwarding state changes.
And from your last posted network config we can see that eth0 and eth1 are not attached to the same bridge.
But still, depending on your hardware, there may be a reason why one port gets an event trigger when the other port is unplugged or plugged in.

STP is switched off. At the current state I'm not sure, but I looked at the DTS and have some doubts that it's a valid configuration. Now I'll try to figure out whether my DTS is valid.

/* MDIO bus 0: two SGMII PHYs (addresses 0 and 2) plus the TBI PCS for enet0.
 * NOTE(review): no ethernet-phy node is declared under mdio1 below, so if
 * enet1's PHY is sgmii_phy2 it is reached over this bus; check the
 * phy-handle properties of the enet nodes (not shown here) — TODO confirm. */
&mdio0 {
	sgmii_phy0: ethernet-phy@0 {
		reg = <0x0>;
	};
	sgmii_phy2: ethernet-phy@2 {
		reg = <0x2>;
	};
	/* SGMII PCS for enet0 */
	tbi0: tbi-phy@1f {
		reg = <0x1f>;
		device_type = "tbi-phy";
	};
};

/* MDIO bus 1: only the TBI PCS for enet1; no external PHY is declared here. */
&mdio1 {
	/* SGMII PCS for enet1 */
	tbi1: tbi-phy@1f {
		reg = <0x1f>;
		device_type = "tbi-phy";
	};
};

Did you use source code downloaded directly from openwrt.org? Or did it come from some other source?