jposo
January 26, 2022, 11:38pm
1
Hi, I'm new to OpenWrt. I installed OpenWrt on my old TP-Link TL-WR941N/ND v5 successfully. Everything works fine, except my main router (ISP) devices can't access the devices under the OpenWrt router, but my devices from OpenWrt can access devices from the main router.
R1 ip: 192.168.254.254
R2 ip: 192.168.1.1
R1 LAN port1 => R2 WAN port
The IP of my OpenWrt from R1 is 192.168.254.143. I can ping and remote the devices from R2 to R1, but can't ping and remote devices from R1 to R2.
What I want to achieve is both router devices should be able to communicate.
You don't have a route to the R2 network in your R1 routing table. You need a static route:
192.168.1.0/24 via 192.168.254.143
You also need to make sure the R2 firewall allows wan > lan forwarding and that masquerading is disabled on the wan zone.
jposo
January 27, 2022, 12:49am
3
Thanks for the reply. I followed what you said: added a static route in R1, allowed forwarding from WAN to LAN and disabled masquerading. However, I still don't get a ping reply from R1 to R2.
R1 route
br0 192.168.1.0 192.168.254.143 255.255.255.0
R2 firewall
Check the local firewalls on your hosts. Windows, for example, does not allow connections from other subnets unless explicitly allowed.
jposo
January 27, 2022, 10:57am
5
I tried disabling the firewall on the R2 workstation but still no ping reply. Is there a firewall that I need to turn off in OpenWrt?
Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/firewall
jposo
January 27, 2022, 9:07pm
7
Here's the output. Also, disabling masquerading in WAN makes my R2 workstation unable to communicate to R1.
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd33:ae50:4347::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth1.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option ifname 'eth0'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth0'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 0t'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option output 'ACCEPT'
option mtu_fix '1'
option forward 'ACCEPT'
option network 'wan wan6'
option input 'ACCEPT'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config forwarding
option dest 'lan'
option src 'wan'
config forwarding
option dest 'wan'
option src 'lan'
This suggests that there is an issue in the routing table of R1. Let's take another look at that.
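As an added example (not part of any post in this thread, and not OpenWrt project code): a small Python audit of a UCI firewall config like the one posted above, reporting what the upstream (wan) zone is allowed to reach and whether masquerading is on. `SAMPLE` is constructed from the posted config, and the function names `parse_uci`, `audit` and `findings` are hypothetical.

```python
import re
# Constructed sample, trimmed from the firewall config posted in this thread.
SAMPLE = """
config zone
    option name 'wan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option network 'wan wan6'
config forwarding
    option dest 'lan'
    option src 'wan'
config forwarding
    option dest 'wan'
    option src 'lan'
"""

def parse_uci(text):
    """Parse UCI text into [(section_type, {option: value}), ...]; a repeated key keeps its last value."""
    sections = []
    pattern = r"^[ \t]*(config|option|list)[ \t]+(\S+)[ \t]*(.*)$"
    for kind, key, val in re.findall(pattern, text, re.M):
        if kind == "config":
            sections.append((key, {}))  # key is the section type, e.g. 'zone'
        elif sections:
            sections[-1][1][key] = val.strip().strip("'\"")
    return sections

def audit(text, upstream="wan"):
    """Summarise what the upstream zone may reach; unset options stay None."""
    report = {"input": None, "forward": None, "masq": False, "forward_to": []}
    for typ, opts in parse_uci(text):
        if typ == "zone" and opts.get("name") == upstream:
            report.update(input=opts.get("input"), forward=opts.get("forward"),
                          masq=opts.get("masq") in {"1", "yes", "on", "true", "enabled"})
        elif typ == "forwarding" and opts.get("src") == upstream:
            report["forward_to"].append(opts.get("dest", "*"))
    return report

def findings(report):
    out = []
    if report["input"] == "ACCEPT":
        out.append("router's own services are reachable from upstream")
    if report["forward_to"]:
        out.append("upstream may open connections into: " + ", ".join(report["forward_to"]))
    if not report["masq"]:
        out.append("masquerading off: upstream needs a route back to the LAN subnet")
    return out

print("\n".join(findings(audit(SAMPLE))))
```

Options missing from a zone are reported as unset rather than resolved to the firewall's defaults, so read a `None` as "check the `defaults` section".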
jposo
January 27, 2022, 9:33pm
9
here's the routing table for R1
1  0.0.0.0         0.0.0.0          0.0.0.0          1_TR069_INTERNET_R_VID_3125  Static route
2  10.205.249.146  255.255.255.255  0.0.0.0          1_TR069_INTERNET_R_VID_3125  System
3  100.88.96.0     255.255.224.0    0.0.0.0          2_VOIP_R_VID_3781            System
4  192.168.1.0     255.255.255.0    192.168.254.143  br0                          Static route
5  192.168.254.0   255.255.255.0    0.0.0.0          br0                          System
That static route looks fine.
On R2 (the OpenWrt device), what is the output of
ifconfig
jposo
January 27, 2022, 9:46pm
11
here's the ifconfig
br-lan Link encap:Ethernet HWaddr
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::c6e9:84ff:fe32:fca/64 Scope:Link
inet6 addr: fd33:ae50:4347::1/60 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:899533 errors:0 dropped:0 overruns:0 frame:0
TX packets:1610639 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:52488783 (50.0 MiB) TX bytes:1912524645 (1.7 GiB)
eth0 Link encap:Ethernet HWaddr
inet addr:192.168.254.143 Bcast:192.168.254.255 Mask:255.255.255.0
inet6 addr: fe80::c6e9:84ff:fe32:fc9/64 Scope:Link
inet6 addr: fe80::c6e9:84ff:fe32:fc9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1610400 errors:0 dropped:0 overruns:0 frame:0
TX packets:894016 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1912441601 (1.7 GiB) TX bytes:59366724 (56.6 MiB)
Interrupt:4
eth1 Link encap:Ethernet HWaddr
inet6 addr: fe80::c6e9:84ff:fe32:fca/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:899542 errors:0 dropped:0 overruns:0 frame:0
TX packets:1610647 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:68680955 (65.4 MiB) TX bytes:1918968089 (1.7 GiB)
Interrupt:5
eth1.1 Link encap:Ethernet HWaddr
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:899542 errors:0 dropped:6 overruns:0 frame:0
TX packets:1610639 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:52489199 (50.0 MiB) TX bytes:1912524645 (1.7 GiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:257 errors:0 dropped:0 overruns:0 frame:0
TX packets:257 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:20824 (20.3 KiB) TX bytes:20824 (20.3 KiB)
That all looks good.
Check the firewall of R1 to ensure it doesn't have any rules that would drop packets destined for the 192.186.1.0/24 network. And check the firewalls on the local hosts to make sure they are either disabled or allow packets from other subnets.
Hegabo
January 27, 2022, 10:32pm
13
Well, if you are going to allow access from WAN side, bypassing firewall, then do you really need the router to do routing? Why not just connect to a LAN port instead?
That depends on the OP's intent. Yes, the network could be simplified by connecting via the LAN and making this device a dumb AP + switch, but if the OP wishes to have multiple subnets, the routing features are still necessary.
jposo
January 27, 2022, 11:29pm
15
Correct. Well, I just want to use all of the ports on my R2; that is why I connected the R1 LAN port to the R2 WAN port, so that I still have 4 LAN ports available on my R2. I have 4 workstations (thin clients) in my room, for idle games. Both routers are in different rooms.
What is your goal, though? Do you want to have one contiguous network (essentially making R2 a dumb switch)? Or do you want to have different subnets?
jposo
January 27, 2022, 11:35pm
17
I forgot to mention that R2 is connected to an AP (DHCP disabled), just for my Wifi.
R1 (192.168.254.254) => R1.1 (DHCP disabled) => R2 (192.168.1.1)
This may be material to your problem. Is that device acting as a dumb AP?
jposo
January 27, 2022, 11:41pm
19
Yes, R1.1 is just a dumb AP, but for some reason I can't access the web page of that router.
My goal is to have the R1 workstation access my R2 workstation because I have a PLEX Server connected in R2.
The easiest way to do this is, as @Hegabo alluded to, to simply make R2 into a dumb AP/switch. This will remove all routing and firewall features and make your network one monolithic subnet. Is that your goal? Or do you want to have different subnets for different systems?