LAN interface not working

Greetings folks. Am a novice here, and have done extensive research on my problems but I'm just lost. This is pretty painful, but I think I've made progress, I'm hoping you guys can get me over the finish line.

My current config is as follows:

ATT BG210 Gateway, which cannot be removed. I have put it in passthrough mode, removed packet filtering rules and firewall from the gateway, and set the passthrough to hand off the IP to my OpenWRT NUC's MACID. Currently, the NUC is plugged into one of the 4 ethernet ports on the gateway, and is running OpenWRT ext4 combined eft v 23.05.2.

My NUC has 2 NIC ports. eth0, which is connected to gateway, is working and connected to the internet. Pings are successful with 0% packet loss. That's where my success ends. The second NIC eth1 does not work. No routing. I can't even connect to LUCI through that port connected directly to my PC. I can connect to LUCI through eth0 (and my gateway) though. When plugged in to eth1, LUCI says 'no link.'

These were the settings used to achieve internet access for eth0

br-lan
static address
ipv4 192.168.1.1
netmask 255.255.255.0
gateway 192.168.1.254
custom dns 192.168.1.254

This is how my status page looks

There, my PC does have a DHCP lease, so it is partially working? I have my PC plugged into the gateway right now... it's the only way I can talk to the NUC and the internet at the same time.

Obviously there's an issue with eth1, right? It's an integrated NIC so I'm not sure why it knows there's a NIC there but it doesn't work. What have I done wrong?

After I sort this out, I want to bypass the gateway entirely using this EAP proxy trick but I'd like to at least just get the LAN side working first...

I have read about issues when the subnets overlap (gateway/modem and router), so I want to avoid any issues there - hoping to bypass the gateway entirely so I don't have to worry about that. Can you help me? I need very specific instructions as I am very new to this (but not afraid to put the work in).

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall


I can't even seem to do that. It's not accepting my password for some reason. Windows ssh. I don't have Linux.


try:

ssh root@192.168.1.1

Also, I seem to have partially got it working. What I did was go to Network > Interfaces > Devices and eth1 was not configured. So I configured it with default values. Then, I went into br-lan and added eth1 to the bridge ports so both eth0 and eth1. That seemed to work.

But I'm not entirely sure that it's working properly because for a while there I couldn't access most websites, nor could OpenWRT ping. I reset the NUC and PC and now websites are working.

Alas, here is the info you requested:

"kernel": "5.15.137",
        "hostname": "OpenWrt",
        "system": "Intel(R) N100",
        "model": "GMKtec NucBox G2",
        "board_name": "gmktec-nucbox-g2",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "x86/64",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"

Network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd8e:eb55:342f::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option ip6assign '60'
        option gateway '192.168.1.254'
        option dns '192.168.1.254'
        option netmask '255.255.255.0'

config interface 'WAN'
        option proto 'dhcp'
        option device 'eth0'

config interface 'WAN6'
        option proto 'dhcpv6'
        option device 'eth0'
        option reqaddress 'try'
        option reqprefix 'auto'

config device
        option name 'eth0'

config device
        option name 'eth1'

DHCP:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

Firewall:

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

This looks like you're using it as a dumb AP (or some other device behind another router). As such, you must disable the DHCP server on the lan interface.

Add this line to the lan dhcp server:

        option ignore '1'

Otherwise, basically eth0 and eth1 will both be on the lan interface, as you have already figured.

What is the purpose of this device?

What do you mean by dumb ap?

I want the NUC to handle all routing, firewall, sqm/qos. I can't just remove the gateway though because it handshakes with the ONT. So I put the gateway/modem in passthrough mode so the NUC can handle router features. Did I do it wrong?

I turned off DHCP on the modem. Set IP passthrough/bridge to the NUC's MAC. So it should just be handing off a single IP address.

I should note, I now have everything, including my computer and smart switch on the NUC now, and all have internet access and DHCP leases.

So my topology is: ONT > BG210 (bridge mode) > NUC > Smart Switch > all my stuff plugged in.

By bridging eth0 and eth1, your device is not routing -- it is literally just going to pass the upstream connection through transparently.

What is upstream of this device? You have configured your lan interface with a gateway and dns that seems to reference an upstream router... is that the intent?

If you want to route behind another router, you need to have a different subnet on your lan relative to the upstream, but it is not clear exactly what your topology is and what is upstream of this device.

Yes, the upstream "router" is the gateway (which is configured to bridge mode). These gateway/dns settings were the only way I could get the NUC to have any internet access at all (on the wan side, eth0 to be specific, otherwise it would not ping). Also, if I were to try to plug in the NUC directly to my ONT, the handshake would fail. So the gateway must be upstream.

How can I change the subnet to achieve what you're describing? Appreciate the help, this is really helpful.

Well the gateway must be upstream until I figure out how to enable that EAP Proxy bypass, then I can plug the router directly into ONT and have nothing upstream but the NUC.

This doesn't appear to be in bridge mode -- if it was in bridge mode, it would not be working on a 192.168.1.0/24 network. Instead, it should just pass the IP address from AT&T directly to your next device.

Check the settings on that device again.

I believe it is on but I can't be too confident in any of this. The MAC is my NUC.


What are the options in the allocation mode and passthrough mode dropdowns?

Off, Passthrough, or Default Server (I believe this is a DMZ).

Here are the descriptions in case it helps:

Allocation Mode:
Off: The default server and IP Passthrough features are both disabled.
Default Server: Allows the device to forward all externally initiated IP traffic (TCP and UDP protocols only) to a default host on the LAN. You might need this if you cannot anticipate what port number or packet protocol an in-bound application might use. For example, some network games select arbitrary port numbers when a connection is opened. Or you might want all unsolicited traffic to go to a specific LAN host.
Passthrough: Allows the device's public IP address to be assigned to a single LAN client. There may be situations where Passthrough is not allowed.
Default Server Internal Address: The IP Address of the device to receive the unexpected or unknown traffic. Format must be nnn.nnn.nnn.nnn.

Passthrough Mode: The method in which the WAN IP address will be assigned to the selected LAN client.
DHCPS-dynamic: The WAN IP address will be handed out by the device's DHCP server to the first LAN client that requests a DHCP lease. It may be helpful, after the device has obtained a WAN IP address, to cycle the desired LAN client's interface or reboot it. On disabling this feature, you should reboot the LAN client.
DHCPS-fixed: The WAN IP address will be handed out by the device's DHCP server to the LAN client whose MAC address has been specified. It may be helpful, after the device has obtained a WAN IP address, to cycle the LAN client's interface or reboot it. On disabling this feature, you should reboot the LAN client.
Manual: A LAN client must be manually configured with the device's assigned WAN IP address and gateway information.
Passthrough Fixed MAC Address: When Passthrough Mode is DHCPS-fixed, this is the MAC of the selected LAN client. The Manual Entry must be in xx:xx:xx:xx:xx:xx (hexadecimal) format.

Passthrough DHCP Lease: When Passthrough Mode is DHCPS, this is the duration of the lease that will be handed out by the device to the LAN client.

Wanted to share this as well. I had manually disabled DHCP on the BG210, even though I set up passthrough mode, I wanted to be sure. It was on before, so I set the NUC to be outside of the DHCP range. Unsure if this is correct. I've been doing a lot of trial and error.

You need to engage this in the pass-through mode.

And your configuration on your router should look like this:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option ip6assign '60'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0'

(EDIT: note that the wan must be lowercase in order to be consistent with the default firewall rules.)
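
An added example, not part of the original posts: a small Python check, meant to be run on a workstation against copied `/etc/config/network` and `/etc/config/firewall` text, that flags the two problems discussed above: an interface name that appears in no firewall zone (`'WAN'` versus the zone's `'wan'`) and an uplink port that is also a member of the LAN bridge. The sample configs are constructed by trimming the ones posted in this thread; `parse_uci` and `audit` are hypothetical helper names.

```python
import re

# Constructed samples, trimmed from the configs posted earlier in this thread.
NETWORK_BEFORE = """
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'
config interface 'lan'
        option device 'br-lan'
config interface 'WAN'
        option device 'eth0'
"""
# The suggested layout: eth0 leaves the bridge and the interface is named 'wan'.
NETWORK_AFTER = NETWORK_BEFORE.replace("list ports 'eth0'", "").replace("'WAN'", "'wan'")
FIREWALL = """
config zone
        option name 'lan'
        list network 'lan'
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
"""

def parse_uci(text):
    """Parse UCI text into sections; every option/list value is kept as a list."""
    sections = []
    for line in text.splitlines():
        tok = [q or b for q, b in re.findall(r"'([^']*)'|(\S+)", line)]
        if len(tok) >= 2 and tok[0] == "config":
            sections.append({"type": tok[1], "name": (tok + [None])[2], "opts": {}})
        elif len(tok) == 3 and tok[0] in ("option", "list") and sections:
            sections[-1]["opts"].setdefault(tok[1], []).append(tok[2])
    return sections

def audit(network, firewall):
    """Return findings: interfaces outside every zone, and bridged uplink ports."""
    net, findings = parse_uci(network), []
    zoned = {n for s in parse_uci(firewall) if s["type"] == "zone"
             for v in s["opts"].get("network", []) for n in v.split()}
    ports = {p: s["opts"].get("name", ["?"])[0] for s in net if s["type"] == "device"
             and s["opts"].get("type") == ["bridge"] for p in s["opts"].get("ports", [])}
    for s in (s for s in net if s["type"] == "interface" and s["name"] != "loopback"):
        dev = s["opts"].get("device", [""])[0]
        if s["name"] not in zoned:  # zone membership is matched case-sensitively
            findings.append(f"interface '{s['name']}' is in no firewall zone")
        if dev in ports:
            findings.append(f"{dev} is both a port of {ports[dev]} and the device of '{s['name']}'")
    return findings

if __name__ == "__main__":
    print(audit(NETWORK_BEFORE, FIREWALL), audit(NETWORK_AFTER, FIREWALL))
```
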

Hey thanks. That might've worked, but I will admit I am a bit confused on why the DHCP server needs to be on (in dynamic) in the gateway instead of fixed ip passthrough. Serious question. Don't I want the NUC handling all of that? Forgive my ignorance.

Also, after enabling the settings you provided, I can no longer access my gateway's GUI from the NUC's eth1. How can I fix that?

This is why I'm confused per some ATT bg210 threads:

"Note that if there is more than one device connected to your Gateway, setting the Passthrough Mode to "DHCPS-Dynamic" means that any device that makes a DHCP request of your gateway may find itself in IP Passthrough mode. Using "DHCPS-Fixed" allows you to control what device gets IP Passthrough mode so that you can be sure it's your computer, router, whatever."

And in order to enable that feature, I had to plug my PC directly into the gateway, alongside the NUC. So my concern there is that passthrough could get messed up.

Depending on the ISP and the services offered, ISPs will provide IPs to the customers in one of 3 ways:

  • DHCP - the ISP issues an IP address to your equipment via an upstream DHCP server (that the ISP controls). The customer router's WAN connection is automatically configured. This is very common in residential services.
  • Static IP - the ISP provides the customer with a static (non-changing) IP address. The user must specifically enter the information provided by the ISP (IP, subnet mask, gateway, dns) into the wan interface of the router. This is very uncommon for residential ISPs (even those that do give static IPs often do this using a DHCP reservation on their end and then they have the customer use DHCP client for their router).
  • PPPoE - this is a different type of connection protocol with authentication (username and password) -- the pppoe server will then provide the addresses automatically. This used to be common with DSL in the US, but much less so now. It is still common in other parts of the world.

In your case, AT&T gives you a DHCP assigned address. By setting the DHCPS mode, you're allowing the AT&T headend to provide your router an address via DHCP. If you set manual, you'd have to be issued specific information directly from AT&T (uncommon, you'd know it if you had a static IP).

We may have forgotten to re-enable the DHCP server on the lan.
I assume you have a keyboard and display connected to your NUC?
Edit the /etc/config/dhcp file -- remove the line from the lan DHCP server that says:

        option ignore '1'

I apologize if I'm off here, but I suspect we might be talking about two totally different things. Basically everyone suggests DHCP fixed for this as it is the only way to ensure the right device gets the passthrough. It really should have nothing to do with your address only getting 1 IP address as long as that 1 IP address is getting handed off to the router to handle LAN IPs for the rest of the network? Correct me if I'm wrong here.

Here's a thread for reference: https://forums.att.com/conversations/att-fiber-equipment/ip-passthrough-options-more-details-please/5f6f8210917fbb38adbb888b

ATT Rep: The IP Passthrough feature allows a single PC on the LAN to have the Router’s public address assigned to it. It also provides Port Address Translation (PAT)–Network Address Port Translation (NAPT) via the same public IP address for all other hosts on the private LAN subnet.