Internet access from second router, but not from ISP router

Here is my current setup:

FiberHome HG6245D (192.168.1.0/24)
   |  192.168.1.1
   | 
   |  192.168.1.2
Asus AC68U (192.168.2.0/24)

I have an EdgeRouter-X with OpenWRT 21.02. I set its LAN network to 192.168.10.0/24; the ER-X itself has an address of 192.168.10.1. Connecting it to the HG6245D (ISP router), here is what happens:

  • Getting an address via DHCP on the 192.168.1.0/24 network/using static IP is ok. Pinging 192.168.1.1 using the LuCI network utilities works.
  • A device connected to the ER-X is able to get an address via DHCP from the 192.168.10.0/24 network. Using static IP is ok as well. From the same device, pinging 192.168.10.1 and 192.168.1.1 both work.
  • The same device is not able to ping google.com. Pinging google.com using the LuCI network utilities does not work either. The device has no access to the internet.

However, connecting the ER-X to the AC68U (and getting an address from the 192.168.2.0/24), internet works.

Any ideas on what could be wrong/how I can debug this?

It's not clear if you've used DHCP or static IP on the ER-X WAN... your statement is a bit confusing/contradictory. If you set up with a static IP, you also need to assign the gateway (192.168.1.1) and DNS (192.168.1.1 or a public DNS).

If that isn't the issue, we need to see your ER-X configuration to know for sure.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Hi @psherman, sorry for the confusion. What I meant is I tried with both DHCP and static IP. I'm currently using DHCP now.

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fdef:fa2d:f159::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.10.1'

config interface 'wan'
        option device 'eth3'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth3'
        option proto 'dhcpv6'

config interface 'tailscale'
        option device 'tailscale0'
        option proto 'none'

config interface 'zerotier'
        option proto 'none'
        option device <redacted>

/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option noresolv '1'
        option cachesize '1000'
        option rebind_protection '0'
        option port '5353'
        list server '192.168.10.1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,192.168.10.1'
        list dhcp_option '3,192.168.10.1'
        list dns 'fdef:fa2d:f159::1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config domain
        option name 'ap0'
        option ip '192.168.10.100'

config domain
        option name 'ap1'
        option ip '192.168.10.101'

config host
        option name 'ap0'
        option dns '1'
        option mac <redacted>
        option ip '192.168.10.100'

config host
        option name 'ap1'
        option dns '1'
        option mac <redacted>
        option ip '192.168.10.101'

config host
        option dns '1'
        option mac <redacted>
        option name 'ap2'
        option ip '192.168.10.102'

config domain
        option name 'ap2'
        option ip '192.168.10.102'

/etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config rule
        option name 'Allow-ZeroTier-Inbound'
        list proto 'udp'
        option src '*'
        option dest_port '9993'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'zerotier'
        list network 'tailscale'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'vpn'
        option dest 'wan'

As you can see, I have both Tailscale and Zerotier set up. Both of these also work when the ER-X is connected behind the AC68U.

New info. I am able to ping IPv6 addresses using the LuCI network utilities when it is behind the ISP router. I tested it with Google's DNS servers 8.8.8.8 and 2001:4860:4860::8888.

What about the computers that sit behind the ER-X?

If they don't work, you might try disabling the VPNs and restoring a lan > wan forwarding rule. At that point, you'll be able to determine if it is a VPN routing issue or if it is something lower down. You can also take a backup and reset the device to defaults, test again, and then selectively restore the various settings from the backup.

What about the computers that sit behind the ER-X?

Doesn't work for devices behind the ER-X.

If they don't work, you might try disabling the VPNs and restoring a lan > wan forwarding rule. At that point, you'll be able to determine if it is a VPN routing issue or if it is something lower down. You can also take a backup and reset the device to defaults, test again, and then selectively restore the various settings from the backup.

I've reset the ER-X using the soft factory reset method, and it still shows the same behavior - internet ok when behind the AC68U, not ok when behind the ISP router. I have not changed anything except the LAN network address.

Let's see the config from the ER-X in the near-default state.

Also, does the ER-X itself have a connection to the internet, or is it also not working?
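
An added example, not part of the thread and not code from any poster: a layered check to run on the ER-X itself that separates "no default gateway", "gateway reachable but nothing beyond it" and "IP works but DNS does not". The function names and the `--live` switch are made up for this sketch; 192.168.1.1, 8.8.8.8 and google.com are the addresses and test targets quoted in the posts above.

```shell
#!/bin/sh
# Layered WAN check for an OpenWrt router sitting behind another router.

# Constructed sample of `ip -4 route show default` output (lease address is made up).
SAMPLE_ROUTE='default via 192.168.1.1 dev eth3 proto static src 192.168.1.50'

# Print the IPv4 default gateway found in `ip -4 route show default` output on stdin.
# Prints nothing when there is no default route.
default_gw() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Map three probe results (0 = ok, non-zero = failed) to the layer to look at.
#   $1 default gateway present and answering ping
#   $2 ping to a public IP address
#   $3 DNS lookup of a public name
classify() {
    if [ "$1" -ne 0 ]; then
        echo "no-gateway"     # no DHCP lease, or static WAN without a gateway set
    elif [ "$2" -ne 0 ]; then
        echo "no-route-out"   # gateway answers, traffic does not get past it
    elif [ "$3" -ne 0 ]; then
        echo "dns-only"       # addresses work, names do not: check resolver settings
    else
        echo "ok"
    fi
}

# Live probes; only run when the script is started with --live on the router.
run_checks() {
    gw=$(ip -4 route show default | default_gw)
    gw_rc=1; ip_rc=1; dns_rc=1
    [ -n "$gw" ] && ping -c 2 -W 2 "$gw" >/dev/null 2>&1 && gw_rc=0
    ping -c 2 -W 2 8.8.8.8 >/dev/null 2>&1 && ip_rc=0
    nslookup google.com >/dev/null 2>&1 && dns_rc=0
    echo "gateway=${gw:-none} result=$(classify "$gw_rc" "$ip_rc" "$dns_rc")"
}

if [ "${1:-}" = "--live" ]; then
    run_checks
fi
```

Running it once behind the HG6245D and once behind the AC68U and comparing the two `result=` lines shows at which layer the two uplinks differ.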