Network Issue - devices not reachable

Hello All,
I am curious to know a few things. Below is my network diagram.

  1. I have divided the network into 2 parts. One is 5G and the second is 2G. This is achieved using 2 OpenWrt routers. Recently I upgraded both to the latest version and I guess I am missing some setting, hence asking this question. The right side (192.) is the main network, and the second router is connected by LAN cable, so it has 2 addresses: 192.168.1.225 and the router home page 10.0.0.1. On both IP addresses I can reach the OpenWrt home page of the second router from the 192 network. If I move my laptop to the 10* network I can still reach it using the 10.0.0.1 IP. The idea here is that from the 10* network one should not see what is in the 192* network, but from 192 everything should be visible. Basically the second network is limited on speed etc.

  2. On the main router, there is an entry on the router to reach devices on the 10* network.

  3. On the 10* router a firewall rule is set to block traffic.

  4. This was working until I updated my firmware; somehow a few devices are not reachable from the 192 network, and sometimes it works, but I have no idea why. Here is the trace output


Question 1) So I wanted to know how this is possible. One device can be reached and the second device cannot be reached.

Question 2) The second network has a dual-network Windows server machine. On LAN it is connected and reachable via IP address but not via machine name; sometimes it is not reachable via machine name. What could be the issue? I have given static addresses to all devices.

Any hint will be helpful.

Before I ask detail questions about the current configuration, I'll ask this:

Why do you have two routers performing routing?

Since both are running OpenWrt, the generally preferred method is to use a single device as the main router, and then use the other as a simple bridged AP (i.e. no routing). Most devices can run multiple SSIDs such that you can have independent wifi for each network, all on the same devices.

The second router is dedicated to media traffic. It has 6 4K IP cameras; all of these are risky (China), and this makes it easy to control bandwidth. Yes, this can be achieved with multiple SSIDs, but let's have a dedicated processor to handle local traffic.

It is still more efficient to have one router handling all the routing. Proper firewall rules will isolate the networks as desired, and you can keep all of the cameras on a single AP if you want (I assume they're wifi connected?).
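As an added example of the single-router layout described above (this is not a config from the thread or from OpenWrt's documentation), the fragments below put the cameras on their own routed network on the main OpenWrt router instead of behind a second router. The interface name `cams`, the bridge `br-cams`, the SSID and the key placeholder are my choices; `radio0` is assumed to be the 2.4 GHz radio (it is disabled in the main router's posted config, so it would need `option disabled '0'`). The camera zone gets `input REJECT` and `forward REJECT`, only DHCP and DNS are allowed towards the router, and a single `forwarding` entry lets the trusted lan initiate connections to the cameras while the cameras cannot initiate anything back. Cameras get no Internet access unless you add a `cams` to `wan` forwarding.

```uci
# /etc/config/network : a second, routed network for the cameras
config device
        option name 'br-cams'
        option type 'bridge'

config interface 'cams'
        option device 'br-cams'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'

# /etc/config/wireless : a second SSID on the 2.4 GHz radio
# (radio0 is disabled in the posted config; set option disabled '0' on it)
config wifi-iface 'cams_radio0'
        option device 'radio0'
        option network 'cams'
        option mode 'ap'
        option ssid 'CAMERAS'
        option encryption 'psk2'
        option key 'REDACTED'
        option isolate '1'

# /etc/config/dhcp : lease pool for the camera network
config dhcp 'cams'
        option interface 'cams'
        option start '100'
        option limit '150'
        option leasetime '12h'

# /etc/config/firewall : cameras may not reach the router or the lan;
# the lan may initiate connections to the cameras (replies are stateful).
config zone
        option name 'cams'
        list network 'cams'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config rule
        option name 'cams-DHCP-DNS'
        option src 'cams'
        option proto 'udp'
        option dest_port '53 67'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'cams'
```

`option isolate '1'` keeps the cameras from talking to each other at layer 2; drop it if an NVR on the same SSID needs to reach them. Bandwidth limits for the camera network would be a separate SQM/tc configuration and are not shown.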

Yes, all are wifi. But I am curious: it was working properly until last month. For another camera from the same manufacturer, it works. I feel this is strange...

Well, we can look at your configs to understand what might be happening. But I would recommend rearchitecting the design of the network.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Here is the output of the second router (10* network). I am assuming my traceroute output shows that the main router reaches as far as the gateway 192.168.1.225.

ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "AlexaXXXXXX",
        "system": "MediaTek MT7628AN ver:1 eco:2",
        "model": "Xiaomi Mi Router 4C",
        "board_name": "xiaomi,mi-router-4c",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ramips/mt76x8",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

cat /etc/config/network


config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.0.0.1'
        option ip6table 'default'
        list ip6class 'local'
        option ipv6 '0'
        option delegate '0'

config device
        option name 'eth0.2'
        option macaddr 'XXXXXXXXXXXXXXX'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option type 'bridge'
        option ipv6 '0'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '4 2 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

cat /etc/config/wireless

 
config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/10300000.wmac'
        option cell_density '0'
        option country 'US'
        option htmode 'HT40'
        option channel '9'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk2'
        option disassoc_low_ack '0'
        option ssid 'XXXXXXXXXXXXX'
        option key 'XXXXXXXXXXX'

cat /etc/config/dhcp

I have so many devices, so I removed the unwanted ones. Here one device is reachable and the second is not reachable.

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option logqueries '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

 
config domain
        option ip '10.0.0.163'
        option name 'Camera2K'

config host
        option ip '10.0.0.213'
        option mac 'XXXXXXXXXXXXXXXX'

config domain
        option name 'Camera4KF2'
        option ip '10.0.0.213'

config host
        option ip '10.0.0.163'
        option mac 'XXXXXXXXXXX'

cat /etc/config/firewall


config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '0'
        option mtu_fix '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config rule
        option name 'BlockMaster'
        option target 'DROP'
        option src 'lan'
        list proto 'all'
        list src_ip '10.0.0.0/24'
        list dest_ip '192.168.1.0/24'
        option dest 'wan'

config forwarding
        option src 'wan'
        option dest 'lan'

 

Please see the rule BlockMaster; it is for restricting entry from the 10 network into the 192 network.

Remove the bridge line from here -- it doesn't belong there:

Remove the masq line:

Notably, the lan of this device (which you suggest is untrusted) has access to the router itself. Untrusted networks should usually not have that ability. This is one advantage of using the method I'm recommending where the main router handles all the routing and the second device is just a simple bridged AP.

Reboot the router after you make these changes and test to see if it works. If not, post the config from the main router.

After these changes and a restart, nothing changed.

Below is Configuration from main router.

network -

Please pay attention to the route ...


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'XXXXXXXXXXXXX::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config route
	option interface 'lan'
	option target '10.0.0.0/24'
	option gateway '192.168.1.225'

config rule
	option in 'lan'
	option src '192.168.1.1/24'
	option out 'lan'
	option dest '10.0.0.1/24'
	option lookup 'local'


Wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option channel 'auto'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'XXXXXXXXXXXXXXXXX'
	option encryption 'sae-mixed'
	option key 'XXXXXXXXXXXXX'

dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	option logqueries '1'
	option logdhcp '1'
	option logfacility 'USER'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'disabled'
	option ra 'disabled'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'XXXXXXXXXXXXXX'
	option ip '192.168.1.205'
	option mac '00:93:37:02:92:A7'

config domain
	option name 'XXXXXXXXXXX'
	option ip '192.168.1.205'

config host
	option name 'SecondRouter'
	option ip '192.168.1.225'
	option mac 'XXXXXXXXXXXXXXXXXXX'

Firewall


config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option network 'lan wan 10.0.0.0/24'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-Ports-8081-8090'
	option src 'lan'
	list src_ip '192.168.1.1/24'
	option dest 'lan'
	list dest_ip '10.0.0.104'
	option dest_port '8080-8090'
	option target 'ACCEPT'


Remove this rule:

The network here is wrong... remove that line:

and replace it with:

	list network 'wan'

And then remove this rule:

Also verify that the second router is indeed at 192.168.1.205.
From the second router, let's see the output of:

ifstatus wan | grep address
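Two of the firewall problems pointed out in this thread are easy to miss by eye: a zone whose `input` is `ACCEPT` for a network that is supposed to be untrusted (the second router's lan, which lets the cameras reach ssh, LuCI and DNS on the router itself), and a zone `network` option that carries a subnet instead of interface names (the main router's `option network 'lan wan 10.0.0.0/24'`). The script below is an added example, not OpenWrt tooling and not code from this thread: it parses UCI text and flags both conditions. The three sample configs are constructed; the first two are trimmed from the configs posted above, and `SECOND_ROUTER_HARDENED` is my suggested rewrite of the second router's zones (lan and wan both `REJECT` on input, with explicit allow rules for DHCP/DNS from the cameras and for management from 192.168.1.0/24), not something posted in the thread.

```python
"""Audit an OpenWrt /etc/config/firewall for zones that expose the router
and for malformed zone network lists. Added example; not OpenWrt tooling."""
import re
import shlex

IFACE_NAME = re.compile(r"^[A-Za-z0-9_]+$")  # what a zone's network list may hold


def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'opts'}]. opts[key] is always a
    list of strings, whether it came from `option key v` or repeated `list key v`."""
    sections = []
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)
        if not tok:
            continue
        if tok[0] == "config":
            sections.append({"type": tok[1], "name": tok[2] if len(tok) > 2 else None, "opts": {}})
        elif tok[0] in ("option", "list") and sections:
            opts, key = sections[-1]["opts"], tok[1]
            val = tok[2] if len(tok) > 2 else ""
            if tok[0] == "option":
                opts[key] = [val]
            else:
                opts.setdefault(key, []).append(val)
    return sections


def first(sec, key, default=""):
    return sec["opts"].get(key, [default])[0]


def audit_firewall(text, untrusted=("lan",)):
    """Return (zone, message) findings. `untrusted` names zones whose hosts must
    not reach the router's own services; the 'wan' zone is always treated so."""
    findings = []
    for z in (s for s in parse_uci(text) if s["type"] == "zone"):
        name = first(z, "name", "?")
        # UCI also accepts `option network 'a b'` as a space-separated list.
        for net in " ".join(z["opts"].get("network", [])).split():
            if not IFACE_NAME.match(net):
                findings.append((name, f"network entry {net!r} is not an interface "
                                       "name; match a subnet with a rule's src_ip instead"))
        if first(z, "input") == "ACCEPT" and (name in untrusted or name == "wan"):
            findings.append((name, "input ACCEPT: hosts in this zone can reach router "
                                   "services (ssh, LuCI, DNS); use REJECT plus explicit allow rules"))
    return findings


# Constructed samples: the first two are trimmed from the configs posted in this
# thread, the third is my suggested rewrite of the second router's zones.
SECOND_ROUTER_AS_POSTED = """
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
config zone
        option name 'wan'
        list network 'wan'
        option input 'ACCEPT'
"""

MAIN_ROUTER_WAN_ZONE = """
config zone
        option name 'wan'
        option network 'lan wan 10.0.0.0/24'
        option input 'REJECT'
"""

SECOND_ROUTER_HARDENED = """
config zone
        option name 'lan'
        list network 'lan'
        option input 'REJECT'
        option forward 'REJECT'
config zone
        option name 'wan'
        list network 'wan'
        option input 'REJECT'
        option forward 'REJECT'
config rule
        option name 'Allow-lan-DHCP-DNS'
        option src 'lan'
        option proto 'udp'
        option dest_port '53 67'
        option target 'ACCEPT'
config rule
        option name 'Allow-mgmt-from-main'
        option src 'wan'
        list src_ip '192.168.1.0/24'
        option proto 'tcp'
        option dest_port '22 80 443'
        option target 'ACCEPT'
"""

if __name__ == "__main__":
    for cfg in (SECOND_ROUTER_AS_POSTED, MAIN_ROUTER_WAN_ZONE, SECOND_ROUTER_HARDENED):
        print(audit_firewall(cfg) or "no findings")
```

Run it against the output of `cat /etc/config/firewall` copied from a router; the posted second-router config yields findings for both `lan` and `wan`, the main router's wan zone yields one for `10.0.0.0/24`, and the hardened zones yield none. The hardened variant keeps the trusted 192.168.1.0/24 side able to manage the second router while the camera side can only obtain a lease and resolve names.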

In your reply, point-wise: 1) Done.
2) "The network here is wrong... remove that line" - which line?

3) "and replace it with:
	list network 'wan'"

Is this for point #2?

4) Removed the rule.

In the firewall wan zone.

Address for second router is 192.168.1.225, and 205 is windows server as mentioned in first post.

With the change below, nothing happened.

 config zone
	option name 'wan'	
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

Try disabling the Windows firewall on that host, then try again. You can re-enable it after the experiment.

I tried that, no change. If the firewall is the issue, then how come the other device is able to respond to tracert?

Here is the gateway address mentioned in the first post. I am sorry, I was not able to make that clear earlier.



Let's take a look at the latest complete configs from both devices.


Looking at this image... is there any way for us to check the log or generate a log of what's happening in both routers and what the difference is? Does OpenWrt have debug settings etc.?

You can use tcpdump/wireshark to do this, but let's look at those configs.

BTW, the traceroute results highly suggest that the problem is on the 10.0.0.213 host since you are able to reach another host on the same subnet.


Yes, you are right. But within the 10.* network it works perfectly.