Internet working from the router, but not from LAN devices (Asus RT-AX53u)

I've previously successfully installed and used OpenWRT on one of the old TP-LINKs, but decided it's time to upgrade the router. After careful research, I settled on Asus RT-AX53u. The installation was very simple (as compared to my old TP-LINK), however I'm having issues with setting up proper connectivity.

My desired network topology & configuration is very simple (and it's the one which my old TP-LINK with OpenWRT happens to be able to create and run as expected):

  1. I have a non-OpenWRT router which is connected to my ISP.

  2. Asus RT-AX53u (or TP-LINK) with OpenWRT is connected to it.

  3. The rest of my machines are connected to Asus (or TP-LINK) via Ethernet (we'll forget WiFi for the moment to make it simple).

Here's a quick diagram:

            ISP
             |
      non-OpenWRT router
             |
            / \
        Asus   TP-LINK     <-- both run OpenWRT 23.05
        /   |  |   \
     PC1  PC2  PC3  PC4

Note that PC3 and PC4 are actually the very same PCs as PC1 and PC2; also, Asus and TP-LINK are not connected to the non-OpenWRT router at the same time -- the diagram is just for illustration purposes.

As mentioned above, PC1 & PC2 don't have internet access, but it is possible to connect to the Asus router from them. PC3 & PC4 do have internet access.

Below are screenshots from Asus's luci's pages showing current configuration in detail:

Please forgive my ignorance of not knowing much about switches or VLANs. I know some networking and I've also read that the switch configuration may be different on modern routers (they have a built-in driver?), but it turned out not quite so simple to figure out how to properly set it up in OpenWRT. It seems like it should not be difficult, so I tried to experiment and created VLANs in the "br-lan" device so that it looks much like my working TP-LINK. Sadly, the moment I add "wan" to "br-lan" and save it, the router's connectivity with the internet disappears (before that, only LAN wasn't getting internet, but Asus was able to connect). When I try to add various VLANs, connectivity to the Asus router itself disappears and I end up waiting for a rollback.

Perhaps I'm missing a simple thing here. All I want is a LAN that gets internet from the upstream non-OpenWRT -- and I know it works exactly like that on the older TP-LINK with OpenWRT. The only difference between TP-LINK and Asus OpenWRT's, it seems, is (as I mentioned above) that "Interface -> Switch" menu item is not present on the latter.

I would also prefer to configure everything through luci. Reading this forum left me with the impression that there's quite a bit of discrepancy between what luci shows and what's in config files edited manually, and I'm not sure why this is so. I'm also not sure how one "commits" changes once files in /etc/config have been changed and, again, from what I've read, I couldn't quite say with certainty which command would do it in which case. I therefore think it's best to try and configure things in one place - luci. Having said this, feel free to request the contents of my config files; I'll post them in case the screenshots don't provide enough information.

To sum it up: I need advice on how to make internet work for LAN members. Thank you.

Does your provider router provide you with a public IP address?

Yes it does. Also, I tried removing the non-OpenWRT router, replacing the MAC-address on the Asus and connecting directly to the ISP with it -- all works, in the sense that I was able to ping the internet from the Asus router if I connected to Asus via SSH (or via luci's "Diagnostics" page), but, once again, LAN devices end up not having internet access.

You set the firewall to accept any input from the internet. Most likely your routers and whole network have been permanently, automatically compromised since.
Flash and reset both routers and check all connected devices for signs of compromise.

I wouldn't worry about that now -- it's a separate issue and I have a pretty good firewall configuration on my PCs. Besides, LAN devices aren't even getting any internet, so it's hard for them to get compromised: the only device on the 192.168.1.0/24 network able to talk to the internet is the Asus router itself, residing at 192.168.1.1. That's what I'd like to understand first -- how to fix internet connectivity for LAN -- before moving on. I would happily reset the router once I figured out the more important question of LAN <-> Internet connectivity.

Did you set the gateway and DNS on the wan interface?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
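The request above asks for the config files with passwords, MAC addresses and public IPs redacted. The following is an added helper, not part of this thread or of OpenWrt, that does that redaction mechanically before the output is pasted: it blanks `option key`/`password`/`username` values, replaces MAC addresses, and replaces any IPv4 address that is not a private (RFC 1918, loopback or link-local) address, so LAN addresses such as 192.168.1.1 stay visible for troubleshooting. The sample input is constructed; the addresses in it are made up.

```python
import ipaddress
import re
import sys

# Constructed sample of the kind of output the commands above produce.
# None of these values come from the thread; the MAC and the 51.x address
# are made up stand-ins for what a real device would print.
SAMPLE = """\
config interface 'wan'
    option device 'wan'
    option proto 'dhcp'
    option macaddr 'a4:12:34:ab:cd:ef'
config interface 'lan'
    option ipaddr '192.168.1.1'
config wifi-iface 'default_radio0'
    option key 'hunter2secret'
inet 51.15.20.30/24 brd 51.15.20.255
"""

MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# UCI options whose values are credentials (wireless PSK, PPPoE login, ...).
SECRET_RE = re.compile(r"^(\s*option\s+(?:key|password|username)\s+)'[^']*'", re.M)


def keep_ipv4(text):
    """True for addresses safe to leave in a public post (private/loopback/link-local)."""
    try:
        ip = ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return True  # not a valid address at all, e.g. 999.1.1.1: nothing to hide
    return ip.is_private or ip.is_loopback or ip.is_link_local


def redact(text):
    """Return text with credentials, MAC addresses and public IPv4 addresses replaced."""
    text = SECRET_RE.sub(r"\1'[REDACTED]'", text)
    text = MAC_RE.sub("[MAC]", text)
    text = IPV4_RE.sub(lambda m: m.group() if keep_ipv4(m.group()) else "[PUBLIC-IP]", text)
    return text


if __name__ == "__main__":
    # Usage: collect the outputs into a file and run: python3 redact.py < output.txt
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    sys.stdout.write(redact(src))
```

Run it on the combined output of the commands listed above and paste the result; IPv6 prefixes (such as the `ula_prefix` and any public delegated prefix) are not covered by the IPv4 pattern and still need a manual check.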

It appears that gateway and DNS are not set explicitly, no (screenshot provided below), but it also isn't set on the old TP-LINK router running OpenWRT where internet for LAN members works just fine.

Also, I'm not exactly sure, but had something been wrong with settings on the "wan" interface wouldn't that mean that Asus router itself wouldn't be able to ping anything on the internet? Just to be sure that detail isn't left unnoticed, I'll repeat: Asus router running OpenWRT is able to access internet (I was able, for instance, to download additional OpenWRT packages). However LAN members connected to the router cannot access internet.

Now the output of ubus and the contents of the files you requested:

~# ubus call system board
{
	"kernel": "5.15.150",
	"hostname": "[REDACTED]",
	"system": "MediaTek MT7621 ver:1 eco:4",
	"model": "ASUS RT-AX53U",
	"board_name": "asus,rt-ax53u",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
	}
}
~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '[REDACTED]'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	option acceptlocal '1'
	option arp_accept '1'
	option macaddr '[REDACTED]'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option delegate '0'

config device
	option name 'lan1'
	option acceptlocal '1'
~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '10'
	option limit '10'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'wan'
	option interface 'wan'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'MYPC'
	list mac '[REDACTED]'
	option ip '192.168.1.2'
	option leasetime 'infinite'
~# cat /etc/config/firewall 

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'lan'

config zone
	option name 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option mtu_fix '1'
	list network 'wan'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

Notice I did change option input to 'DROP' in the wan firewall settings according to the advice posted above.

Just reset this device. By default NAT works.
Some frantic clicking in the firewall's first page did the damage.


I actually did reset it a few times and none of the times it worked -- by default LAN ends up having no access to the internet, while the router itself does have it. I'll try and do it again, of course, unless anyone else has better ideas?

Update: I can confirm with 100% certainty that after resetting OpenWRT installation on the Asus router -- the internet is still not available for LAN devices. I haven't changed any of the settings. The difference from the settings I posted above was wan6 interface, but it did not appear to have an associated IPv6 address anyway, because IPv6 is disabled upstream. Thus, the issue remains.

What is the address of the isp router? Do you have a subnet overlap? Try changing the lan ip of the openwrt router to 192.168.5.1 and try again. Make sure the computers connected to the openwrt device get new dhcp leases.

https://openwrt.org/faq/change_lan_ip

The address of the ISP router is 192.168.0.1 while Asus OpenWrt address is 192.168.1.1 -- they don't have any network overlap. You can see that on the screenshots I posted with the first message. As I mentioned previously, I had also experimented and removed the ISP router, replacing it with Asus OpenWrt (changed MAC to the ISP router, of course) -- same issue: Asus OpenWrt was able to access the internet, but connected devices were not.

Connected devices do show up in DHCP lease. In fact I don't know how they would not show up there, because how else would I be able to access the Asus router via luci or SSH?

If you cannot set the provider router into pass-through mode then you can still use OpenWRT, albeit without NAT, to extend your wifi network.

https://openwrt.org/docs/guide-user/network/wifi/dumbap

This happens when you disable lan to wan forwarding.

@brada4 - You've highlighted the lan zone forward rule, and above it you mentioned disabling the lan > wan forwarding. Are you saying that the zone forward rule is responsible for the issue? (it isn't)


Glad you know so well; for me, if forward_lan drops packets it is KO.

To be clear, the zone forward policy affects only the default forwarding between two or more networks that exist in the same zone (i.e. intra-zone forwarding).

It does not affect inter-zone forwarding (for example, lan > wan).
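The distinction just made (a zone's own `forward` option governs intra-zone traffic, while lan > wan depends on a `config forwarding` section plus `masq` on the wan zone) and the earlier warning about `option input 'ACCEPT'` on the wan zone can both be checked mechanically against a pasted `/etc/config/firewall`. The following is an added example, not part of this thread and not OpenWrt's own tooling: a small UCI parser and an audit function. The sample config is constructed, modelled on the OpenWrt defaults except that the wan zone's input policy is deliberately ACCEPT so that the check has something to flag.

```python
import re

# Constructed /etc/config/firewall, modelled on the OpenWrt defaults but with
# the wan zone's input policy set to ACCEPT on purpose (the weak setting).
SAMPLE = """\
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'DROP'
    list network 'lan'

config zone
    option name 'wan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'wan'

config forwarding
    option src 'lan'
    option dest 'wan'
"""

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^'\s]+)'?)?\s*$")
OPTION_RE = re.compile(r"^\s*(option|list)\s+(\S+)\s+'([^']*)'\s*$")


def parse_uci(text):
    """Parse UCI text into a list of (section_type, section_name, options).

    'option' keys map to a string, 'list' keys to a list of strings.
    """
    sections = []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), m.group(2), {}))
            continue
        m = OPTION_RE.match(line)
        if m and sections:
            kind, key, val = m.groups()
            opts = sections[-1][2]
            if kind == "list":
                opts.setdefault(key, []).append(val)
            else:
                opts[key] = val
    return sections


def audit_firewall(text):
    """Return (findings, info): findings are conditions that block or expose,
    info describes the lan zone's intra-zone policy, which is not on the
    lan -> wan path."""
    sections = parse_uci(text)
    zones = {s[2].get("name"): s[2] for s in sections if s[0] == "zone"}
    forwardings = {(s[2].get("src"), s[2].get("dest")) for s in sections if s[0] == "forwarding"}
    findings = []
    wan = zones.get("wan", {})
    if wan.get("input", "").upper() == "ACCEPT":
        findings.append("wan zone input policy is ACCEPT: router services reachable from upstream")
    if wan.get("masq") != "1":
        findings.append("wan zone has no masq: LAN clients will not be NATed")
    if ("lan", "wan") not in forwardings:
        findings.append("no 'config forwarding' lan -> wan: inter-zone forwarding is absent")
    lan_forward = zones.get("lan", {}).get("forward", "")
    info = f"lan zone intra-zone forward policy is {lan_forward or 'unset'} (does not affect lan -> wan)"
    return findings, info


if __name__ == "__main__":
    findings, info = audit_firewall(SAMPLE)
    print(info)
    for f in findings:
        print("FINDING:", f)
```

Applied to the config posted earlier in this thread (after the input policy was changed to DROP), the audit reports nothing for the wan zone and notes that the lan zone's `forward 'DROP'` only affects traffic between networks within the lan zone; that matches the explanation above and is why the forward rule highlighted earlier is not the cause of the problem.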

If you insist, OK, it works as intended; no idea what the OP is complaining about.

@qounterclock - please try resetting to defaults and then trying again.

If it doesn't work, don't make any changes and then please post all the config files as requested (I want to make sure that the defaults are correct). And I'll have some additional tests for you to run if it's not working.

I must admit this had nothing to do with OpenWrt. I had /etc/resolv.conf file on my OS which pointed to the wrong ip-address. As soon as I set it to the ip address of the Asus OpenWrt router, everything worked just fine. Marking this thread as SOLVED.
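The resolution above is a client-side resolver pointing at the wrong address, which presents exactly like "no internet" even though IP forwarding and NAT on the router are fine. The following is an added example, not part of this thread, of the check a client can run before touching the router: it reads the nameserver lines of a resolv.conf-style file and compares each against the LAN prefix and the router address. The file contents, the LAN prefix 192.168.1.0/24 and the router address 192.168.1.1 are assumptions for illustration.

```python
import ipaddress

# Constructed resolv.conf for a client on the 192.168.1.0/24 LAN whose
# resolver points at an address outside that LAN (hypothetical values).
SAMPLE_RESOLV = """\
# Generated by NetworkManager
search lan
nameserver 192.168.0.1
"""


def nameservers(text):
    """Return the valid IP addresses listed on 'nameserver' lines."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                out.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                pass  # malformed entry: the resolver library would skip it too
    return out


def check_resolvers(text, lan_cidr, gateway):
    """Explain why each configured resolver may fail on this LAN.

    Returns an empty list when every resolver is the router itself, which is
    the default OpenWrt setup (dnsmasq on the LAN address).
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    gw = ipaddress.ip_address(gateway)
    servers = nameservers(text)
    if not servers:
        return ["no nameserver entries: every hostname lookup will fail"]
    notes = []
    for ns in servers:
        if ns == gw:
            continue
        if ns in lan:
            notes.append(f"{ns} is on the LAN but is not the router; check it actually runs DNS")
        else:
            notes.append(f"{ns} is outside {lan}; reachable only if the router forwards and NATs it")
    return notes


if __name__ == "__main__":
    # Usage on a real client: python3 check_resolv.py, with the file read in
    # place of SAMPLE_RESOLV, e.g. open("/etc/resolv.conf").read().
    for note in check_resolvers(SAMPLE_RESOLV, "192.168.1.0/24", "192.168.1.1"):
        print("NOTE:", note)
```

A quick manual equivalent is to ping a known IP address and then a hostname from the client: when the first succeeds and the second fails, the problem is name resolution, not forwarding or NAT.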