Luci added static route not working

ip route add 100.64.0.0/32 via 172.20.0.100
this works, but in luci


It does not work. Why can't I do it in LuCI so that the route survives reboots?

After you chose Save, did you also choose Save & Apply?

Yes I did. I also ran /etc/init.d/network reload and even rebooted the router, but ip route did not show the route I added in LuCI. It only works when I add it with ip route add.

Got me then; please provide these outputs:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
user@OpenWrt:~$ ubus call system board
Command failed: Not found
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6d:9dda:a8a8::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option delegate '0'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option peerdns '0'
        list dns '2001:4860:4860::8888'
        list dns '2001:4860:4860::8844'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4:t*'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1'

config interface 'mgmt'
        option proto 'static'
        option device 'br-lan.10'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '11'
        list ports 'lan4:t'

config interface 'iot'
        option proto 'static'
        option device 'br-lan.11'
        option ipaddr '192.168.11.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '12'
        list ports 'lan4:t'

config interface 'kid'
        option proto 'static'
        option device 'br-lan.12'
        option ipaddr '192.168.12.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '21'
        list ports 'lan4:t'

config interface 'guest'
        option proto 'static'
        option device 'br-lan.21'
        option ipaddr '192.168.21.1'
        option netmask '255.255.255.0'

config device
        option type 'bridge'
        option name 'br-tailnet'

config interface 'tailnet'
        option proto 'none'
        option device 'br-tailnet'

config interface 'wwan'
        option proto 'dhcp'
        option hostname '*'

config interface 'docker'
        option device 'docker0'
        option proto 'none'
        option auto '0'

config device
        option type 'bridge'
        option name 'docker0'

I used LuCI to delete the route, but what LuCI generated was the same as the OpenWrt example route config.

config defaults
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding 'lan_iot'
        option src 'lan'
        option dest 'iot'

config forwarding 'lan_tailnet'
        option src 'lan'
        option dest 'tailnet'

config zone 'mgmt'
        option name 'mgmt'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'mgmt'

config rule 'mgmt_all'
        option name 'Allow-Mgmt-All'
        option src 'mgmt'
        option dest '*'
        option proto 'all'
        option target 'ACCEPT'

config zone 'iot'
        option name 'iot'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'DROP'
        list network 'iot'

config forwarding 'iot_wan'
        option src 'iot'
        option dest 'wan'

config zone 'kid'
        option name 'kid'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'kid'

config forwarding 'kid_wan'
        option src 'kid'
        option dest 'wan'

config forwarding 'kid_iot'
        option src 'kid'
        option dest 'iot'

config forwarding 'kid_tailnet'
        option src 'kid'
        option dest 'tailnet'

config zone 'guest'
        option name 'guest'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        list network 'guest'

config forwarding 'guest_wan'
        option src 'guest'
        option dest 'wan'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option dest_ip '192.168.21.1'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'
        option dest_ip '192.168.21.1'

config zone 'tailnet'
        option name 'tailnet'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'tailnet'

config forwarding 'tailnet_wan'
        option src 'tailnet'
        option dest 'wan'

config zone 'docker'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option name 'docker'
        list network 'docker'

config forwarding
        option src 'docker'
        option dest 'wan'

I don't think the other outputs are relevant.

I've also checked dmesg and logread -f while disabling and enabling the route; nothing out of the ordinary and no errors.

This is the platform and hardware I'm on.

All I, really, wanted was the board call.
The rest were standard calls in case anyone else wanted them.

Your ubus failure tells me you are not running official OpenWrt.

I'm using the official build, just the image builder so I can add some software and some uci-defaults.

List them.
Let's see if they are affecting write privileges.

If you don't see how they may, don't bother to reply why you don't think it will help.
Just don't reply.

There are two things here that are really odd.

First, as already noted is the fact that the ubus call failed -- that's not normal.
Second, the user@openwrt prompt -- that's also not standard (the expected user is root). Did you change that for the purposes of posting, and/or did you make changes to the system to use additional users?


The route type should be unicast, not local. A local-type route tells the kernel the destination is an address of the router itself, so the traffic is delivered locally instead of being forwarded via the gateway.


It looks like legitimate OpenWrt to me, from the version shown in his screenshot.

git log 6637af95aa
commit 6637af95aa9085c8367ce8184b0fe6917365c3d3
Author: Hauke Mehrtens <hauke@hauke-m.de>
Date:   Sat Oct 7 21:07:20 2023 +0200

    bsdiff: Add patches for CVEs
    
    Add two patches from Debian fixing CVEs in the bsdiff application.
    CVE-2014-9862: Heap vulnerability in bspatch
    CVE-2020-14315: Memory Corruption Vulnerability in bspatch

I'm not questioning the legitimacy of this build, but rather trying to understand why those particular things are as they are. It might help to gain some context on the config itself.

Silly question: why are you using /32 here and /24 in LuCI? Does ip route add 100.64.0.0/24 via 172.20.0.100
work in LuCI?
And is your WAN IPv4 address from the 100.x.x.x range as well, by chance?

It's /24; I must have made a typo. The WAN is not in CGNAT.


Well, I did create another user with uci-defaults the first time; normally it would be root. But in LuCI the config changes are written with root permissions.

So the reason I'm setting the static route is that I'm running Tailscale in a Docker container. The container subnet is 172.20.0.0/24, and there is an AdGuard Home container at 172.20.0.3 in which I would like to see the real client IP instead of everything coming from the Tailscale container IP 172.20.0.100. So I disabled Tailscale's SNAT, which in turn needs a return route for this to work. Adding it with ip route add did work, and AdGuard Home does get the real client IP, but since I added the route from the command line it is gone after a reboot. This follows the Tailscale article on site-to-site networking.

The image was build with

make image PROFILE="linksys_e8450-ubi" PACKAGES="-wpad-basic-mbedtls wpad-openssl -luci-ssl-nginx luci kmod-usb-storage block-mount kmod-fs-ext4 e2fsprogs shadow sudo kmod-tun kmod-nft-bridge" FILES="files"

There are some uci-defaults scripts there to set up the Wi-Fi, create a user, and apply some other custom settings.

And I do use extroot to expand storage.

Sorry, as I quoted you it appeared you were in agreement with @LilRedDog.
I put the failed ubus call down to a privilege issue and used getver.sh to verify the build from the commit.

Are you saying you have or had two users with different write permissions, or any divergent permissions?