Internet working on clients but not router itself and dns

Hi, all my local subnets have internet but the router itself doesn't.

Updating the package list gives me this in LuCI:

Downloading https://downloads.openwrt.org/releases/24.10.1/targets/ramips/mt7621/packages/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.1/targets/ramips/mt7621/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/24.10.1/packages/mipsel_24kc/base/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.1/packages/mipsel_24kc/base/Packages.gz

Downloading https://downloads.openwrt.org/releases/24.10.1/targets/ramips/mt7621/kmods/6.6.86-1-2a6d68f3ded425efc0850296e7f62d53/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.1/targets/ramips/mt7621/kmods/6.6.86-1-2a6d68f3ded425efc0850296e7f62d53/Packages.gz

Downloading https://downloads.openwrt.org/releases/24.10.1/packages/mipsel_24kc/luci/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.1/packages/mipsel_24kc/luci/Packages.gz

Downloading https://downloads.openwrt.org/releases/24.10.1/packages/mipsel_24kc/packages/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.1/packages/mipsel_24kc/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/24.10.1/packages/mipsel_24kc/routing/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.1/packages/mipsel_24kc/routing/Packages.gz

Downloading https://downloads.openwrt.org/releases/24.10.1/packages/mipsel_24kc/telephony/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.1/packages/mipsel_24kc/telephony/Packages.gz

Failed to send request: Operation not permitted
Failed to send request: Operation not permitted
Failed to send request: Operation not permitted
Failed to send request: Operation not permitted
Failed to send request: Operation not permitted
Failed to send request: Operation not permitted
Failed to send request: Operation not permitted
Collected errors:
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.1/targets/ramips/mt7621/packages/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.1/packages/mipsel_24kc/base/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.1/targets/ramips/mt7621/kmods/6.6.86-1-2a6d68f3ded425efc0850296e7f62d53/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.1/packages/mipsel_24kc/luci/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.1/packages/mipsel_24kc/packages/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.1/packages/mipsel_24kc/routing/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.1/packages/mipsel_24kc/telephony/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

In the diagnostics tab:

PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=121 time=3.803 ms
64 bytes from 8.8.8.8: seq=1 ttl=121 time=3.609 ms
64 bytes from 8.8.8.8: seq=2 ttl=121 time=3.257 ms
64 bytes from 8.8.8.8: seq=3 ttl=121 time=3.201 ms
64 bytes from 8.8.8.8: seq=4 ttl=121 time=3.636 ms

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 3.201/3.501/3.803 ms

ping: bad address 'openwrt.org'

traceroute: bad address 'openwrt.org'
;; connection timed out; no servers could be reached

nslookup: write to '127.0.0.1': Connection refused
nslookup: write to '::1': Connection refused

But openwrt.org works on clients. It seems like dnsmasq isn't even trying to resolve downloads.openwrt.org. I can't see it in the logs, but if the connection is refused it seems logical.


Here's my config:

/etc/config/network


config globals 'globals'
	option packet_steering '1'

config device
	option name 'eth0'
	option ipv6 '0'

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config device
	option name 'lan1'
	option ipv6 '0'

config device
	option name 'lan2'
	option ipv6 '0'

config device
	option name 'lan3'
	option ipv6 '0'

config device
	option name 'lan4'
	option ipv6 '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'
	option igmp_snooping '1'
	option igmpversion '3'
	option multicast '1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.0.0.1'
	option netmask '255.255.255.0'
	option ipv6 '0'
	option delegate '0'
	option dns_metric '0'
	option broadcast '10.0.0.255'
	list dns_search 'lan'

config device
	option name 'br-lan.1'
	option type '8021q'
	option ifname 'br-lan'
	option vid '1'
	option ipv6 '0'
	option multicast '1'
	option igmpversion '3'

config device
	option name 'br-lan.2'
	option type '8021q'
	option ifname 'br-lan'
	option vid '2'
	option ipv6 '0'
	option multicast '1'
	option igmpversion '3'

config device
	option name 'br-lan.3'
	option type '8021q'
	option ifname 'br-lan'
	option vid '3'
	option ipv6 '0'
	option multicast '1'
	option igmpversion '3'

config device
	option name 'br-lan.4'
	option type '8021q'
	option ifname 'br-lan'
	option vid '4'
	option ipv6 '0'
	option multicast '1'
	option igmpversion '3'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	option ipv6 '0'
	list ports 'lan1:t'
	list ports 'lan2:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	option ipv6 '0'
	list ports 'lan1:t'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	option ipv6 '0'

config interface 'vlan1'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '10.0.1.1'
	option netmask '255.255.255.0'
	option igmp_snooping '1'
	option ipv6 '0'
	option delegate '0'
	list dns_search 'vlan'
	option dns_metric '0'
	option broadcast '10.0.1.255'

config interface 'vlan2'
	option device 'br-lan.2'
	option proto 'static'
	option ipaddr '10.0.2.1'
	option netmask '255.255.255.0'
	option igmp_snooping '1'
	option ipv6 '0'
	option delegate '0'
	list dns_search 'vlan2'
	list dns_search 'vlan'
	option broadcast '10.0.2.255'

config interface 'vlan3'
	option device 'br-lan.3'
	option proto 'static'
	option ipaddr '10.0.3.1'
	option netmask '255.255.255.0'
	option igmp_snooping '1'
	option ipv6 '0'
	option delegate '0'
	list dns_search 'vlan3'
	option dns_metric '0'
	option broadcast '10.0.3.255'

config interface 'vlan4'
	option device 'br-lan.4'
	option proto 'static'
	option ipaddr '10.0.4.1'
	option netmask '255.255.255.0'
	option ipv6 '0'
	option delegate '0'
	option broadcast '10.0.4.255'
	option dns_metric '0'

config device
	option name 'phy0-ap0'
	option ipv6 '0'
	option multicast '1'
	option multicast_router '1'

config device
	option name 'phy0-ap1'
	option ipv6 '0'
	option multicast '1'
	option multicast_router '1'

config device
	option name 'phy0-ap2'
	option ipv6 '0'
	option multicast '1'
	option multicast_router '1'

config device
	option name 'phy0-ap3'
	option ipv6 '0'
	option multicast '1'
	option multicast_router '1'

config device
	option name 'phy1-ap0'
	option ipv6 '0'
	option multicast '1'
	option multicast_fast_leave '1'

config device
	option name 'phy1-ap1'
	option ipv6 '0'
	option multicast '1'
	option multicast_router '1'

config device
	option name 'phy1-ap2'
	option ipv6 '0'
	option multicast '1'
	option multicast_router '1'

config device
	option name 'phy1-ap3'
	option ipv6 '0'
	option multicast '1'
	option multicast_router '1'

config device
	option name 'wan'
	option ipv6 '0'
	option multicast '1'

config device
	option name 'wan.40'
	option type '8021q'
	option ifname 'wan'
	option vid '40'
	option mtu '1500'
	option ipv6 '0'

config device
	option name 'pppoe-ebox'
	option mtu '1492'
	option ipv6 '0'

config interface 'vlan40'
	option proto 'none'
	option device 'wan.40'
	option ipv6 '0'
	option dns_metric '0'
	option metric '1'
	option delegate '0'

config interface 'ebox'
	option device 'wan.40'
	option proto 'pppoe'
	option force_link '1'
	option username 'lb531@pppoe.ebox.net'
	option password 'YHJxrZhHhF'
	option pppd_options 'mtu 1492'
	option ipv6 'auto'
	option mtu '1492'
	option delegate '0'
	option sourcefilter '0'
	option peerdns '0'
	list dns '9.9.9.9'
	list dns '149.112.112.10'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option dns_metric '0'
	option metric '1'

/etc/config/dhcp

config dnsmasq
	option authoritative '1'
	option domainneeded '1'
	option localservice '1'
	option expandhosts '1'
	option readethers '1'
	option filterwin2k '1'
	option filter_aaaa '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option rebind_protection '0'
	option nocache '1'
	option ednspacket_max '1232'
	option logqueries '1'
	option local '/lan/vlan/vlan2/vlan3/'
	option nonegcache '1'
	option allservers '1'
	list notinterface 'ebox'
	list notinterface 'loopback'
	list notinterface 'vlan40'
	list interface 'lan'
	list interface 'vlan1'
	list interface 'vlan2'
	list interface 'vlan3'
	list interface 'vlan4'
	option logdhcp '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'vlan1'
	option interface 'vlan1'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list dhcp_option '15,vlan1'

config dhcp 'vlan2'
	option interface 'vlan2'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list dhcp_option '15,vlan2'

config dhcp 'vlan3'
	option interface 'vlan3'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list dhcp_option '15,vlan3'

config dhcp 'vlan4'
	option interface 'vlan4'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config dhcp 'ebox'
	option interface 'ebox'
	option ignore '1'

config dhcp 'vlan40'
	option interface 'vlan40'
	option ignore '1'

/etc/config/firewall


config default
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'
	option log '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option family 'ipv4'
	option log '1'
	option mtu_fix '1'
	list network 'lan'
	list device 'br-lan'

config zone
	option name 'vlan1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option log '1'
	option masq_allow_invalid '1'
	option mtu_fix '1'
	list network 'vlan1'
	list device 'br-lan.1'

config zone
	option name 'vlan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option log '1'
	option family 'ipv4'
	option masq_allow_invalid '1'
	option mtu_fix '1'
	list network 'vlan2'
	list device 'br-lan.2'

config zone
	option name 'vlan3'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option log '1'
	option family 'ipv4'
	list network 'vlan3'
	list device 'br-lan.3'

config zone
	option name 'vlan4'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option log '1'
	option family 'ipv4'
	list network 'vlan4'
	list device 'br-lan.4'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option family 'ipv4'
	option mtu_fix '1'
	list network 'ebox'
	list network 'vlan40'
	option masq_allow_invalid '1'
	list device 'wan'
	list device 'wan.40'
	list device 'pppoe-ebox'
	option log '1'

config rule
	option dest 'wan'
	option name 'allow-router-ro-wan'
	option family 'ipv4'
	list proto 'all'
	option target 'ACCEPT'

config rule
	option name 'allow-vlan1-to-router'
	option src 'vlan1'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'all'

config rule
	option name 'allow-router-to-vlan1'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'all'
	option dest 'vlan1'

config rule
	option name 'allow-vlan2-to-router'
	option src 'vlan2'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'all'

config rule
	option name 'allow-router-to-vlan2'
	option target 'ACCEPT'
	option dest 'vlan2'
	option family 'ipv4'
	list proto 'all'

config defaults
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	option synflood_protect '1'

config forwarding
	option src 'lan'
	option dest 'vlan2'

config forwarding
	option src 'vlan3'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'vlan3'

config rule
	option src 'vlan2'
	option dest 'vlan1'
	option name 'allow-vlan2-to-vlan1'
	option family 'ipv4'
	option target 'ACCEPT'
	list proto 'all'

config rule
	option src 'vlan1'
	option dest 'vlan2'
	option name 'allow-vlan1-to-vlan2'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'all'

config rule
	option src 'wan'
	option name 'allow-wan-multicast'
	option family 'ipv4'
	list dest_ip '224.0.0.0/4'
	option target 'ACCEPT'
	list proto 'udp'
	list proto 'icmp'

config rule
	option src 'wan'
	option family 'ipv4'
	list dest_ip '239.255.255.250/32'
	option target 'DROP'
	option name 'drop-wan-side-services'
	list proto 'all'

config forwarding
	option src 'lan'
	option dest 'vlan1'

config forwarding
	option src 'lan'
	option dest 'vlan4'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'vlan2'
	option dest 'lan'

config forwarding
	option src 'vlan2'
	option dest 'vlan1'

config forwarding
	option src 'vlan1'
	option dest 'lan'

config forwarding
	option src 'vlan1'
	option dest 'vlan2'

config forwarding
	option src 'vlan1'
	option dest 'wan'

config forwarding
	option src 'vlan2'
	option dest 'wan'

config forwarding
	option src 'vlan3'
	option dest 'wan'

config forwarding
	option src 'vlan4'
	option dest 'lan'

config forwarding
	option src 'vlan4'
	option dest 'wan'

config forwarding
	option src 'wan'
	option dest 'lan'

There may be a number of issues here... certainly some things that are not normally found in the configs.

What is the output of:

ubus call system board

It looks like two config/firewall concatenated.

Do you by any chance use AGH?
In that case read "AdGuard Home, opkg and ping on router not working - #7 by frollic".

You disabled 127.1/::1 listeners.

3 Likes
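
The diagnosis in the reply above can be checked mechanically. As an added example that is not part of the original thread, this shell function scans a UCI dhcp config for the `list notinterface 'loopback'` entry that stops dnsmasq answering on 127.0.0.1 and ::1, the addresses the nslookup output shows the router querying. The function names and the trimmed sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag dnsmasq sections in a UCI dhcp
# config that exclude the loopback interface, which leaves nothing listening
# on 127.0.0.1/::1 for the router's own lookups.

# Reads UCI text on stdin; prints one finding per line, nothing when clean.
find_loopback_exclusions() {
    awk -v q="'" '
        # Strip one leading and one trailing quote character from a UCI token.
        function unquote(s) { gsub("^[\"" q "]|[\"" q "]$", "", s); return s }

        # Track whether we are inside a "config dnsmasq" section.
        $1 == "config" {
            in_dnsmasq = (unquote($2) == "dnsmasq")
            if (in_dnsmasq) idx++
            next
        }

        in_dnsmasq && $1 == "list" && $2 == "notinterface" {
            v = unquote($3)
            # Assumption: "loopback" (logical name) and "lo" (device name)
            # are the two spellings that refer to the loopback interface.
            if (v == "loopback" || v == "lo")
                print "dnsmasq[" (idx - 1) "] notinterface=" v
        }
    '
}

# Sample input: the relevant lines of the dnsmasq section posted above.
sample_dhcp_config() {
    cat <<'EOF'
config dnsmasq
	option localservice '1'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	list notinterface 'ebox'
	list notinterface 'loopback'
	list notinterface 'vlan40'
	list interface 'lan'
	list interface 'vlan1'

config dhcp 'lan'
	option interface 'lan'
EOF
}

sample_dhcp_config | find_loopback_exclusions
```

On the router the same function can be fed the live file with `find_loopback_exclusions < /etc/config/dhcp`. An empty result means no dnsmasq section excludes loopback.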

Damn it! And I had looked at that before! Thanks!

1 Like

Sounds like you may have a solution. But I want to call out that you've got a lot of stuff in here that may be wrong and even dangerous. For example, this:

The above rule is absolutely not default and not normal. When the upstream network is the internet, this should never be set this way.

This is one of many issues I see in your config.

2 Likes

Masquerade on all interfaces kind of begs for a full reset too.

2 Likes