MF286D: No LAN to WAN access

Hi,
After installation - router has access to WAN (tested LTE and WiFi client), but if I connect my laptop to LAN port - I can only access router itself, but can't access internet.
I did search the internet for that issue and even have done some changes, but it didn't help.
If someone could look into my configs and check what's wrong - would be great. My head will explode soon if I don't find the solution.

Here is my config:

cat /etc/config/firewall

# /etc/config/firewall as pasted by the poster.
# Global policy: input REJECT, forward REJECT, output ACCEPT.
# NOTE(review): no 'config forwarding' section appears anywhere in this file;
# the replies below identify the missing lan -> wan forwarding as the reason
# LAN clients can reach the router but not the internet.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# lan zone: input ACCEPT from LAN hosts (matches the poster's observation that
# the router itself is reachable); forward policy DROP.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'lan'

# wan zone: covers the ethernet 'wan'/'wan6' interfaces and the 'Lebara'
# QMI/LTE interface. Input and forward from the internet side are DROP;
# masq '1' enables NAT for traffic leaving this zone. mtu_fix presumably
# adjusts TCP MSS for the uplink -- confirm against the firewall docs.
config zone
	option name 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option mtu_fix '1'
	option masq '1'
	list network 'Lebara'
	list network 'wan'
	list network 'wan6'

# Accept UDP to port 68 from wan (IPv4) so the router's own DHCP client can renew.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Accept IPv4 echo-request from wan (router answers ping from the internet side).
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# Accept IGMP from wan (IPv4 only).
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# Accept UDP to port 546 from wan (IPv6) for the DHCPv6 client.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept MLD (ICMPv6 types 130-132, 143) from wan, restricted to link-local sources.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept essential ICMPv6 to the router itself from wan, rate-limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Same ICMPv6 set, but forwarded from wan to any zone (dest '*'), rate-limited.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forwards ESP from the wan zone into the lan zone. NOTE(review): only needed
# if a LAN host terminates IPsec; otherwise it is an exception to the
# wan -> lan DROP policy that can be removed.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# Forwards UDP/500 (IKE) from the wan zone into the lan zone; same caveat as
# Allow-IPSec-ESP above.
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

cat /etc/config/dhcp

# /etc/config/dhcp as pasted by the poster.
# dnsmasq settings: rebind_protection and rebind_localhost are enabled,
# local domain is 'lan', DNS cache size 1000, upstream resolvers come from
# /tmp/resolv.conf.d/resolv.conf.auto. localservice '1' presumably limits
# DNS answers to local subnets -- confirm against the dnsmasq docs.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

# DHCPv4/DHCPv6 server plus router advertisements on the lan interface;
# pool starts at offset 100 with 150 addresses, 12h leases.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

# No DHCP service on the wan interface.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# odhcpd: maindhcp '0' leaves dnsmasq as the DHCPv4 server.
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
cat /etc/config/network

# /etc/config/network as pasted by the poster.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# IPv6 ULA prefix used for ip6assign on lan below.
config globals 'globals'
	option ula_prefix 'fdb0:c9d6:d535::/48'

# LAN bridge over ports lan2-lan4. NOTE(review): the remaining ethernet port
# is not in this bridge; the poster says the port marked LAN/WAN is named
# 'wan' by default -- presumably that one.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# lan: static 192.168.2.1/24 on br-lan, /60 delegated from the ULA prefix.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option force_link '0'

# Ethernet uplink: DHCP (v4) and DHCPv6 clients on device 'wan'.
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

# LTE uplink via QMI on /dev/cdc-wdm0, IPv4 only (pdptype).
# NOTE(review): the APN username/password are stored here in clear text and
# were pasted unredacted; redact credentials before sharing config files.
config interface 'Lebara'
	option proto 'qmi'
	option device '/dev/cdc-wdm0'
	option apn 'uk.lebara.mobi'
	option auth 'both'
	option username 'wap'
	option password 'wap'
	option pdptype 'ipv4'

# Bridges the ethernet port 'wan' with 'wwan0' (the poster's intended
# "modem/bridge mode"). NOTE(review): device 'wan' is also the device of
# interfaces 'wan' and 'wan6' above, so the same port is claimed twice;
# the reply below questions this section.
config device
	option type 'bridge'
	option name 'br-wan'
	list ports 'wan'
	list ports 'wwan0'
	option mtu '1500'

# NOTE(review): a network 'rule' section with only in/out and no lookup
# target has no obvious effect; the reply below asks why it is here. A
# lan -> wan *firewall* forwarding belongs in /etc/config/firewall, not here.
config rule
	option in 'lan'
	option out 'wan'

Thanks :slight_smile:

This doesn't look right... why is this here and how did it get there?

you are missing a forwarding rule from lan > wan on the firewall...

config forwarding
	option src 'lan'
	option dest 'wan'


Thanks for quick reply.

In terms of my "br-wan" device first - I want to bridge the LTE wan interface to one of the ethernet ports - the one marked as LAN/WAN. In OpenWRT it's by default configured as "wan" - that's why the bridge is between "wan" and "wwan0" (which is LTE).
Why do I want this? I want to achieve the effect of modem/bridge mode. With stock firmware I had a simple switch in config for that, but here it seems to be much more complicated.

In terms of forwarding rule - where in luci can it be set ?

Thanks :slight_smile:

You have marked my earlier response as the solution -- does this mean you already found the location in LuCI?

If not...

Network > Firewall > Zones > "Edit" button on the lan zone > "Allow forward to destination zones" > add wan

I've marked it as the solution because I guess I can change it in the file or with uci; I asked for luci because I was looking for that earlier, and I thought I had already done it with luci, but actually I had set something else instead.

Anyway, solution works :slight_smile:
Thanks

PS.
OpenWRT has a very specific way of setup; its logic doesn't mesh with my brain cells as well as, let's say, OpenSense. Also the manuals are very complicated - every single guide refers to other manuals and those refer to others.
As a result, to do simple things, I had to read not only the simple list of actions I would expect, but I had to spend hours digging in documentation, because whoever wrote the list of actions, instead of mentioning the command, wrote only "do it as mentioned in that manual". And the manual says, to do that you have to do one more thing, but it is mentioned in another manual.

A few thoughts...

Routers and firewalls are a bit like languages or other things that become solidified knowledge in that there are other options that require you to re-learn/change perspective. For example, I am a Canon camera shooter... I think Nikon makes excellent cameras, too, but everything is reversed relative to what I'm used to so it requires a lot of mental energy for me to use a Nikon (focus, zoom, aperture, shutter speed, and ISO controls all spin the other direction for the same effect as on Canon). The same may be true here where you're just used to the pfsense way of doing things. I remember when I was learning how to use Ubiquiti EdgeMax routers -- a big difference between OpenWrt and EdgeMax is that the firewall will allow routing (unrestricted in both directions) if you set up a new network until you specify rules otherwise, whereas OpenWrt does not allow routing until you set up firewall rules to allow it. Neither is right or wrong; they are just examples of changing perspective based on different approaches. In time, the OpenWrt methods will make sense if you continue to use this system.

I find that, in general, the documentation is quite good. But, keep in mind that this is an open source project that is purely based on volunteer efforts. Nobody is paid to write or maintain documentation, so it is a best effort and sometimes things become stale or have references that require the user to read more than "just do these three things."

But, the good news is that this is a community effort and you can certainly jump in to help. You can write wiki articles, or correct ones that have errors or are unclear. Your efforts would certainly be appreciated.


I don't complain about OpenWRT - I just don't feel as confident when I'm setting it up as I do with Tomato, AsusWRT, OpenSense, or even DD-WRT (which is a big mess in general).

In terms of cameras, I'm using Pentax, and never had even experience with Canon or Nikon - maybe once I held some older Canon at CEX, but finally the sensitivity won - Pentax had at that time much better sensors - less noise at higher ISO. And because I was in the astrophotography at that time, I decided Pentax. Pentax had also interesting feature to use image stabilising system in conjunction with GPS module to track the Sky for longer exposure.

In terms of documentation - I don't say the documentation is bad. It is just overwhelming, and if someone is not playing with OpenWRT every day, he may get lost.

Well, the default configuration of OpenWrt is the standard routing mode config, complete with the forward rule that was missing when you shared your config. So, in most situations, the standard getting started documentation is all that is necessary for a user to be up and running in a few mins. But openwrt does allow you to do very advanced things, too, so you may have changed a few things relative to the defaults without directly understanding the way that those configs work within openwrt specifically.

Thanks for link, but in my case it would be waste of time - I assume this device will serve me maybe just month maybe two :slight_smile:

I've installed it as it is - double NAT is not that bad - I'm behind CG-NAT anyway, so no DDNS can be done anyway.
