Main router can't access OpenWrt network

Hi, I'm new to OpenWrt. I installed OpenWrt on my old TP-Link TL-WR941N/ND v5 successfully. Everything works fine, except that devices on my main router (ISP) can't access the devices under the OpenWrt router, but my devices on OpenWrt can access devices on the main router.

R1 ip: 192.168.254.254
R2 ip: 192.168.1.1

R1 LAN port1 => R2 WAN port


The IP of my openwrt from R1 is 192.168.254.143, I can ping and remote the devices from R2 to R1, but can't ping and remote devices from R1 to R2.

What I want to achieve is both router devices should be able to communicate.

You don't have a route to the R2 network in your R1 routing table. You need a static route:
192.168.1.0/24 via 192.168.254.143

You also need to make sure the R2 firewall allows wan > lan forwarding and that masquerading is disabled on the wan zone.
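The two R2-side settings named in the reply above can be read straight out of `/etc/config/firewall`. This added example (not from the thread or from the OpenWrt project) parses the file and also reports the wan zone's input and forward policies, which decide how much of R2 is reachable from R1's network; `audit_fw` and `sample_fw` are hypothetical names and the sample config is constructed.

```sh
#!/bin/sh
# Added example (not from the thread): summarise the R2 firewall settings the
# reply names. audit_fw and sample_fw are hypothetical helper names.

# Reads UCI firewall config on stdin and prints one summary line.
# Only single-word option values are needed here (name, src, dest, masq, ...).
audit_fw() {
    awk -v q="'" '
    function endsect() {
        if (sect == "zone" && o["name"] == "wan") {
            masq = (o["masq"] == "1") ? "on" : "off"   # masq defaults to off
            if ("input" in o)   input = o["input"]
            if ("forward" in o) fwd = o["forward"]
        }
        if (sect == "forwarding" && o["src"] == "wan" && o["dest"] == "lan") {
            w2l = "yes"
        }
        split("", o)                                   # clear per-section options
    }
    BEGIN { masq = "off"; w2l = "no"; input = "unset"; fwd = "unset" }
    $1 == "config" { endsect(); sect = $2; next }
    $1 == "option" { v = $3; gsub(q, "", v); o[$2] = v }
    END {
        endsect()
        printf "masq=%s wan_to_lan=%s wan_input=%s wan_forward=%s\n", masq, w2l, input, fwd
    }'
}

# Constructed sample: masquerading still on, no wan -> lan forwarding.
sample_fw() {
    cat <<'EOF'
config zone
        option name 'wan'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'
EOF
}

sample_fw | audit_fw
```

On the router itself, run `audit_fw < /etc/config/firewall`. A result showing `wan_input=ACCEPT` and `wan_forward=ACCEPT` means every host on R1's network can reach R2 and everything behind it, not only the one service that was meant to be shared.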

Thanks for the reply. I followed what you said: I added a static route in R1, allowed forwarding from WAN to LAN and disabled masquerading; however, I still don't get a ping reply from R1 to R2.

R1 route
br0 192.168.1.0 192.168.254.143 255.255.255.0

R2 firewall

Check the local firewalls on your hosts. Windows, for example, does not allow connections from other subnets unless explicitly allowed.

I tried disabling the firewall on R2 workstation but still no ping reply, is there a firewall that I need to turn off in OpenWrt?

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

here's the output, also disabling masquerading in WAN makes my R2 workstation unable to communicate to R1.


root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd33:ae50:4347::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0t'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option mtu_fix '1'
        option forward 'ACCEPT'
        option network 'wan wan6'
        option input 'ACCEPT'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config forwarding
        option dest 'lan'
        option src 'wan'

config forwarding
        option dest 'wan'
        option src 'lan'

This suggests that there is an issue in the routing table of R1. Let's take another look at that.

here's the routing table for R1

1 0.0.0.0 0.0.0.0 0.0.0.0 1_TR069_INTERNET_R_VID_3125 Static route
2 10.205.249.146 255.255.255.255 0.0.0.0 1_TR069_INTERNET_R_VID_3125 System
3 100.88.96.0 255.255.224.0 0.0.0.0 2_VOIP_R_VID_3781 System
4 192.168.1.0 255.255.255.0 192.168.254.143 br0 Static route
5 192.168.254.0 255.255.255.0 0.0.0.0 br0 System

That static route looks fine.

On R2 (the OpenWrt device), what is the output of
ifconfig

here's the ifconfig

br-lan    Link encap:Ethernet  HWaddr 
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::c6e9:84ff:fe32:fca/64 Scope:Link
          inet6 addr: fd33:ae50:4347::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:899533 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1610639 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:52488783 (50.0 MiB)  TX bytes:1912524645 (1.7 GiB)

eth0      Link encap:Ethernet  HWaddr 
          inet addr:192.168.254.143  Bcast:192.168.254.255  Mask:255.255.255.0
          inet6 addr: fe80::c6e9:84ff:fe32:fc9/64 Scope:Link
          inet6 addr: fe80::c6e9:84ff:fe32:fc9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1610400 errors:0 dropped:0 overruns:0 frame:0
          TX packets:894016 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1912441601 (1.7 GiB)  TX bytes:59366724 (56.6 MiB)
          Interrupt:4

eth1      Link encap:Ethernet  HWaddr 
          inet6 addr: fe80::c6e9:84ff:fe32:fca/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:899542 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1610647 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:68680955 (65.4 MiB)  TX bytes:1918968089 (1.7 GiB)
          Interrupt:5

eth1.1    Link encap:Ethernet  HWaddr 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:899542 errors:0 dropped:6 overruns:0 frame:0
          TX packets:1610639 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:52489199 (50.0 MiB)  TX bytes:1912524645 (1.7 GiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:257 errors:0 dropped:0 overruns:0 frame:0
          TX packets:257 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:20824 (20.3 KiB)  TX bytes:20824 (20.3 KiB)

That all looks good.

Check the firewall of R1 to ensure it doesn't have any rules that would drop packets destined for the 192.186.1.0/24 network. And check the firewalls on the local hosts to make sure they are either disabled or allow packets from other subnets.

Well, if you are going to allow access from WAN side, bypassing firewall, then do you really need the router to do routing? Why not just connect to a LAN port instead?

That depends on the OP's intent. Yes, the network could be simplified by connecting via the LAN and making this device a dumb AP + switch, but if the OP wishes to have multiple subnets, the routing features are still necessary.


Correct. Well, I just want to use all of the ports on my R2; that is why I connected the R1 LAN port to the R2 WAN port, so that I still have 4 LAN ports available on my R2. I have 4 workstations (thin clients) in my room, for idle games. The two routers are in different rooms.

What is your goal, though? Do you want to have one contiguous network (essentially making R2 a dumb switch)? Or do you want to have different subnets?

I forgot to mention that R2 is connected to an AP (DHCP disabled), just for my Wifi.

R1 (192.168.254.254) => R1.1 (DHCP disabled) => R2 (192.168.1.1)

This may be material to your problem. Is that device acting as a dumb AP?

Yes, R1.1 is just a dumb AP, but for some reason I can't access the web page of that router.

My goal is to have the R1 workstation access my R2 workstation because I have a PLEX Server connected in R2.

The easiest way to do this is, as @Hegabo alluded to, to simply make R2 into a dumb AP/switch. This will remove all routing and firewall features and make your network one monolithic subnet. Is that your goal? Or do you want to have different subnets for different systems?