Need help with LEDE configuration

Hello!
I'm currently trying to set up OpenWrt on my router (Xiaomi Mi 3G), but I am stuck on a weird problem: no traffic gets in or out except TCP on ports 80 and 443, even after I configured the firewall rules I thought were required.

I'm running OpenWrt SNAPSHOT r6744-751746c

The router is connected directly to the ISP, and the IP is provided via DHCP

cat /etc/config/network

# /etc/config/network as posted (Xiaomi Mi 3G, OpenWrt snapshot).
# Physical layout, from the switch sections at the bottom: switch port 6 is the
# CPU port (tagged in both VLANs); VLAN 1 (ports 2,3) becomes eth0.1 = LAN and
# VLAN 2 (port 1) becomes eth0.2 = WAN.

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# IPv6 ULA prefix; 'ip6assign' on the lan interface carves a /60 out of it
# (br-lan shows fd44:7226:d41c::1/60 in the ifconfig output below).
config globals 'globals'
        option ula_prefix 'fd44:7226:d41c::/48'

# LAN: bridge (br-lan) over VLAN 1, static 192.168.1.1/24 plus a ULA /60.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# Pins the LAN-side MAC (...:28) on eth0.1. The WAN side (eth0.2) inherits the
# parent eth0 MAC (...:27) instead -- compare the ifconfig output. The ISP only
# ever sees the WAN MAC, so if it whitelists by MAC (as turned out to be the case
# in this thread) it is the :27 address that has to be registered, or
# 'option macaddr' has to be set on the wan interface to present the old one.
# NOTE(review): confirm which MAC the stock firmware used on its WAN port before
# changing anything here.
config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '78:11:dc:4d:31:28'

# WAN: DHCP client on VLAN 2; 'metric' is the route metric for routes learned
# on this interface.
config interface 'wan'
        option ifname 'eth0.2'
        option metric '10'
        option proto 'dhcp'

# IPv6 on the same VLAN (DHCPv6 client). No global IPv6 prefix is visible on
# br-lan in the ifconfig output, so the ISP may not be delegating one.
config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

# Switch: VLAN filtering enabled; 'reset' re-initialises the switch before the
# VLAN table below is applied.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1 = LAN ports 2 and 3, CPU port 6 tagged.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 6t'

# VLAN 2 = WAN port 1, CPU port 6 tagged.
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'
cat /etc/config/firewall

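# /etc/config/firewall as posted. Net effect: LAN is open, WAN rejects anything
# not explicitly allowed below, LAN->WAN is forwarded with NAT.

# Global policies. The zones below set their own input/output/forward for
# traffic on their interfaces, so 'input ACCEPT' here is not what governs the
# ISP-facing side -- the wan zone rejects input.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# WAN zone covers both the IPv4 (wan) and IPv6 (wan6) interfaces: inbound is
# rejected, outbound allowed, masquerade (NAT) plus MSS clamping (mtu_fix).
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# The only zone-to-zone forwarding allowed: LAN -> WAN.
config forwarding
        option src 'lan'
        option dest 'wan'

# Replies from the ISP's DHCP server to the router's DHCP client (UDP/68).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# ICMP echo from the WAN to the router (IPv4).
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# IGMP from the WAN (IPv4 multicast membership).
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# DHCPv6 client traffic from the ISP (fc00::/6 sources only, UDP/546).
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# MLD (IPv6 multicast listener discovery) from link-local sources.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 the router itself must accept (errors, echo, neighbour/router
# discovery), rate limited.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 errors and echo forwarded from the WAN into any zone, rate limited.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# IPsec (ESP, and IKE on UDP/500) forwarded from the WAN into the LAN zone.
# NOTE(review): nothing in the thread says a LAN host terminates IPsec; if
# none does, these two rules can be removed.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Custom iptables rules from /etc/firewall.user are applied as well. That file
# is not shown in the thread, so check it too when chasing the "only 80/443"
# symptom.
config include
        option path '/etc/firewall.user'

# NOTE(review): the rule as originally posted was
#     option src_port '1194'  /  src '*'  /  dest '*'  /  proto 'tcp udp'
# i.e. a forwarding rule between any two zones, for both IP families (no
# 'family' set), that accepts any packet whose SENDER chose source port 1194.
# That does not open a listening port for a service, and it punches a hole:
# an outside host can reach any LAN host (in practice over IPv6, should the
# ISP ever delegate a global prefix) simply by sending from port 1194.
# Rewritten below to match the DESTINATION port on the WAN input path, which is
# what a UDP/1194 service running on the router itself needs. If the service
# runs on a LAN host instead, a DNAT port-forward to that host is what is
# needed, not an input rule.
config rule
        option name 'Allow-UDP-1194'
        option src 'wan'
        option proto 'udp'
        option dest_port '1194'
        option target 'ACCEPT'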

Please post the output of `ifconfig -a` (run over SSH on the router). Are you sure the WAN interface is connected to the ISP correctly?

ifconfig -a
br-lan    Link encap:Ethernet  HWaddr 78:11:DC:4D:31:28
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fd44:7226:d41c::1/60 Scope:Global
          inet6 addr: fe80::7a11:dcff:fe4d:3128/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:44862 errors:0 dropped:0 overruns:0 frame:0
          TX packets:51985 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9147676 (8.7 MiB)  TX bytes:39971351 (38.1 MiB)

eth0      Link encap:Ethernet  HWaddr 78:11:DC:4D:31:27
          inet6 addr: fe80::7a11:dcff:fe4d:3127/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:715551 errors:1481 dropped:26 overruns:0 frame:0
          TX packets:95764 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:100248444 (95.6 MiB)  TX bytes:49236065 (46.9 MiB)
          Interrupt:20

eth0.1    Link encap:Ethernet  HWaddr 78:11:DC:4D:31:28
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:45050 errors:0 dropped:0 overruns:0 frame:0
          TX packets:51985 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9158622 (8.7 MiB)  TX bytes:39971351 (38.1 MiB)

eth0.2    Link encap:Ethernet  HWaddr 78:11:DC:4D:31:27
          inet addr:10.251.255.34  Bcast:10.251.255.255  Mask:255.255.0.0
          inet6 addr: fe80::7a11:dcff:fe4d:3127/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:658330 errors:0 dropped:19530 overruns:0 frame:0
          TX packets:32584 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:77661176 (74.0 MiB)  TX bytes:7827049 (7.4 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1361 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1361 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:196918 (192.3 KiB)  TX bytes:196918 (192.3 KiB)

wlan0     Link encap:Ethernet  HWaddr 78:11:DC:4D:31:29
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan1     Link encap:Ethernet  HWaddr 78:11:DC:4D:31:2A
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Yes, it does connect, because I can download opkg packages and open sites in the browser.

Your WAN address (10.251.255.34/16 in the ifconfig output) is a private 10.x.x.x address, so the ISP is putting you behind some kind of carrier-side NAT or proxy. My guess is that the ISP blocks everything except ports 80 and 443 on that path.

That might be it. However, everything was working properly on the stock firmware. Can the ISP somehow detect non-stock firmware and block based on that?

I don't think so; the stock Xiaomi firmware is itself based on OpenWrt.
I do see that eth0 has MAC address 78:11:DC:4D:31:27, while eth0.1 (br-lan) has :28 — why the difference?
Maybe your ISP filters on MAC address. It only sees the MAC of the WAN interface (eth0.2, currently :27), so try presenting :28 on eth0.2 instead (an `option macaddr` on the wan interface section), or revert to the stock firmware to confirm which MAC its WAN port actually used.

The WAN port is eth0.2
My provider is indeed filtering by MAC address; that's why I called them when I updated, because I got a no-access redirect with the :28 MAC that was used on the stock firmware.

Can you please link to a guide on how to revert back to stock?

cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00080000 00020000 "Bootloader"
mtd1: 00040000 00020000 "Config"
mtd2: 00040000 00020000 "Bdata"
mtd3: 00040000 00020000 "Factory"
mtd4: 00040000 00020000 "crash"
mtd5: 00040000 00020000 "crash_syslog"
mtd6: 00040000 00020000 "reserved0"
mtd7: 00400000 00020000 "kernel_stock"
mtd8: 00400000 00020000 "kernel"
mtd9: 07580000 00020000 "ubi"

You can also force the old MAC on the WAN side by editing your config: add `option macaddr '78:11:dc:4d:31:28'` to the `config interface 'wan'` section of /etc/config/network (the same option the `lan_dev` section already uses for eth0.1). Only the WAN MAC is visible to the ISP; the LAN bridge MAC makes no difference to them.


From the wiki:
Recovery to stock

Assuming you used the above installation instructions, you will have a stock kernel image in system 1. If it can be booted, it may be used to perform a stock firmware recovery, which erases LEDE/OpenWrt completely — so back up anything you want to keep (e.g. /etc/config) first. Start from a 'working' LEDE state (even failsafe):

Failsafe only:

run: mount_root
run: sh /etc/uci-defaults/30_uboot-envtools
Then do the steps for 'All'

All:

run: fw_setenv flag_try_sys2_failed 1   (marks system 2 as failed in the U-Boot environment, so the bootloader boots system 1 — the stock kernel — on the next boot)
run: reboot

The board will reboot into system 1 (stock basic kernel) and wait with system red light slowly blinking for a FAT formatted usb stick with a recovery image to be inserted. Press and hold the reset button for around 1 second. Status LED will turn yellow during recovery and blue when recovery complete.


Recovery Image is just a regular Firmware file, or something more specific?

Please mind that this page on the old wiki is only for archival purposes. It will not be updated in the future.
The new link is almost the same, just the leading "wiki" is missing:

Yep, just using regular .bin file.

@tmomas
Thanks, I just googled it. But I don't see the new link on the OpenWrt supported devices page.


I've tested it with another router, and it's definitely not an ISP issue, because connection is working properly.
I'm gonna revert back to stock. What config files should i look at and back up to find out what's wrong?

After i just returned back home, everything works properly.
Maybe it was an ISP issue from the beginning.
My question still stands:

I’m gonna revert back to stock. What config files should i look at and back up to find out what’s wrong?

I do not have a xiaomi router so I'm not sure what they changed.
But their router is based on OpenWrt, so you can look at the following files: /etc/config/network, /etc/config/wireless, /etc/config/firewall, /etc/config/dhcp and /etc/config/system.

Cheers.


Thank you for your help. It was indeed just an ISP issue.

If your issue is solved, please consider marking the topic as [Solved].