I had a working setup. Don't know what happened, suspect a power cut messed up settings somehow.
I'm struggling to get the setup right again. I'll briefly explain my goal first, then paste the network and firewall config — I reckon that, with the config in front of you, explaining my issues in words is pointless.
I have a router with OpenWrt and two Raspberry Pis.
Router needs static IP on WAN.
LAN on router needs to be with static IP
WLAN needs to run DHCP
One Rpi is connected via lan port, the other is connected via wlan.
Rpi connected via WLAN needs to have static IP.
ssh (dropbear) needs to run on both LAN and WLAN.
I need to be able to ssh from one rpi to the other.
Now, about my current, non-working setup:
When I ssh to the router, I can ping the outside world. But not from the connected device, either via LAN or WAN.
/etc/config/network:
# /etc/config/network as first posted (before the gateway cleanup suggested
# later in the thread). Reviewer notes are marked NOTE(review).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fdad:ab4e:cd8b::/48'
# Wired side: the three switch ports are bridged; the wired RPi (and the
# powerline adapter mentioned later) hang off this bridge.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
# NOTE(review): 192.168.88.1 is not inside 192.168.1.0/24, so it is not directly
# reachable from br-lan; a gateway on a LAN-side interface also competes with the
# default route of 'wan'. The later 'uci export network' output no longer
# carries this option.
option gateway '192.168.88.1'
option broadcast '192.168.1.255'
# NOTE(review): OpenWrt attaches wireless interfaces to a network through
# 'option network' in /etc/config/wireless (the wireless export later in the
# thread puts both radios on 'lan'); listing wlan0/wlan1 as bridge ports here is
# not expected to achieve that — confirm.
config device
option name 'br-wlan'
option type 'bridge'
list ports 'wlan0'
list ports 'wlan1'
config interface 'wlan'
option device 'br-wlan'
option proto 'static'
option ipaddr '192.168.0.1'
# NOTE(review): no 'option netmask' on this static interface, unlike the other
# static interfaces in this file.
option ip6assign '60'
# NOTE(review): same out-of-subnet gateway as on 'lan'.
option gateway '192.168.88.1'
option broadcast '192.168.0.255'
# Upstream side: static 192.168.88.177/24 behind 192.168.88.1. 192.168.88.0/24 is
# a private range, so this "WAN" sits behind another router.
# NOTE(review): proto 'static' does not learn upstream DNS servers and no
# 'option dns' is set here; that matches the empty
# /tmp/resolv.conf.d/resolv.conf.auto shown later in the thread.
config interface 'wan'
option device 'wan'
option proto 'static'
option ipaddr '192.168.88.177'
option netmask '255.255.255.0'
option gateway '192.168.88.1'
option broadcast '192.168.88.255'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
/etc/config/firewall:
# /etc/config/firewall as first posted. Reviewer notes are marked NOTE(review).
# These policies apply to traffic that matches no zone; the 'wan' zone below
# tightens input to REJECT, so dropbear is not reachable from the WAN side
# (goal: ssh on LAN/WLAN only).
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# 'lan' and 'wlan' share one zone, so traffic between them is forwarded by the
# zone's own forward policy — the firewall is not what would block ssh between
# the two RPis.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'wlan'
# 'forward' here governs forwarding between this zone's own networks ('wan',
# 'wan6'); lan->wan egress is granted by the forwarding section below.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option forward 'ACCEPT'
list network 'wan'
list network 'wan6'
# Clients on lan/wlan may reach wan and are NATed (masq above) to 192.168.88.177.
# A client without a default route to the router still cannot use this, which
# matches the later report that some devices only work after a manual route.
config forwarding
option src 'lan'
option dest 'wan'
# Stock OpenWrt WAN input rules follow (DHCP renew, ping, IGMP, DHCPv6, MLD,
# ICMPv6).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
# NOTE(review): two options appear collapsed onto one line in this paste (the
# later 'uci export firewall' shows them on separate lines); UCI expects one
# option per line.
option src 'wan' option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Stock rules that forward IPsec (ESP, IKE on UDP 500) from wan into lan; they
# only matter if a LAN host runs an IPsec endpoint.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Port forwards: whatever reaches the WAN address on 80/8080/443/33333 is DNATed
# to 192.168.1.189 (the 'pie' host in the dhcp config later in the thread).
# Anything on the 192.168.88.0/24 side — and beyond it, if the upstream router
# forwards — can reach these services, so keep only the ones still needed.
config redirect
option dest 'lan'
option target 'DNAT'
list proto 'tcp'
option src 'wan'
option src_dport '80'
option dest_ip '192.168.1.189'
option dest_port '80'
option name 'http'
config redirect
option dest 'lan'
option target 'DNAT'
list proto 'tcp'
option src 'wan'
option src_dport '8080'
option dest_ip '192.168.1.189'
option dest_port '8080'
option name 'http_alt'
config redirect
option dest 'lan'
option target 'DNAT'
list proto 'tcp'
option src 'wan'
option src_dport '443'
option dest_ip '192.168.1.189'
option dest_port '443'
option name 'https'
# NOTE(review): the port is kept (33333 -> 33333), so sshd on 192.168.1.189 has
# to listen on 33333 for this redirect to work — confirm.
config redirect
option dest 'lan'
option target 'DNAT'
option name 'ssh'
list proto 'tcp'
option src 'wan'
option src_dport '33333'
option dest_ip '192.168.1.189'
option dest_port '33333'
@trendy: thanks for tips.
The thing is, when I remove those, nothing changes. Connected devices still get no internet connection, and I cannot ssh from one RPi to the other.
Looking at the diagram, how are you separating the LAN and WLAN wired interfaces? Is there a managed switch separating the VLANs? There is no VLAN tagging on the OpenWrt side, so both networks will be in the same broadcast domain.
Powerline adapters are usually bridges, so both interfaces will be on the same broadcast domain, so it doesn't seem trivial to separate lan and wlan on it.
One possible way is to keep the wlan part only on the OpenWrt router wifi, and everything else, including the powerline adapter will be on the same broadcast domain.
I'm not sure I follow. What I did now is set the powerline adapter to the same subnet (192.168.1.x). I'm not sure that's by the book, but solves one problem: devices are on the same subnet and so are able to communicate between themselves. Is there a better way?
What remains unsolved is routing or DNS: connected devices can't ping the outside, and from the outside I can't ping devices on the network.
But router itself has connection to the outside.
I am missing something about OpenWrt DNS. When I leave it unset in Luci I can't ping the outside, when I set it to 8.8.8.8 I can ping from the router. But /etc/resolv.conf contains only:
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have
# Diagnostic bundle: board identity, the exported network/wireless/dhcp/firewall
# UCI packages, IPv4 addresses, every routing table, the policy rules, and the
# resolver files (listing and contents). Meant to be pasted back into the thread
# with passwords, MAC addresses and public IPs redacted.
ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
Right. I don't think it's solved, but I could ping the outside, without intervention, from one of the RPis. From the other, and from the laptop, I can only if I manually set a route to 192.168.1.1.
As for the output of those commands:
root@OpenWrt:~# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /
tmp/resolv.* /tmp/resolv.*/*
{
"kernel": "5.10.146",
"hostname": "OpenWrt",
"system": "MediaTek MT7621 ver:1 eco:3",
"model": "ASUS RT-AX53U",
"board_name": "asus,rt-ax53u",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "22.03.2",
"revision": "r19803-9a599fee93",
"target": "ramips/mt7621",
"description": "OpenWrt 22.03.2 r19803-9a599fee93"
}
}
package network
# 'uci export network' after the out-of-subnet gateway options were removed.
# Reviewer notes are marked NOTE(review).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fdad:ab4e:cd8b::/48'
# Wired side: the three switch ports are bridged; the wired RPi and the
# powerline adapter hang off this bridge.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option broadcast '192.168.1.255'
# NOTE(review): 'wlan' is named as the device, but the 'ip -4 addr' output below
# lists only lo, wan and br-lan, and both wifi-ifaces in the wireless export are
# on network 'lan'. This interface therefore appears to have no backing device,
# which would explain why no 192.168.2.0/24 network exists on the router.
config interface 'wlan'
option device 'wlan'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option ip6assign '60'
option broadcast '192.168.2.255'
# Upstream side: static 192.168.88.177/24 behind 192.168.88.1 (a private range,
# so this "WAN" sits behind another router).
# NOTE(review): proto 'static' does not learn upstream DNS and no 'option dns' is
# set; /tmp/resolv.conf.d/resolv.conf.auto is 0 bytes in the 'ls' output below,
# which leaves dnsmasq's 'list server 8.8.8.8' as the only upstream resolver.
config interface 'wan'
option device 'wan'
option proto 'static'
option ipaddr '192.168.88.177'
option netmask '255.255.255.0'
option gateway '192.168.88.1'
option broadcast '192.168.88.255'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
package wireless
# 2.4 GHz radio: channel 1, HE20.
config wifi-device 'radio0'
option type 'mac80211'
option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
option channel '1'
option band '2g'
option htmode 'HE20'
option cell_density '0'
# Both access points attach to network 'lan', so wireless clients land in
# 192.168.1.0/24 and use the 'lan' DHCP pool; the separate 'wlan' interface in
# package network receives no wireless clients from this config.
# 'sae-mixed' is WPA2-PSK/WPA3-SAE transition mode; 'secret_key' is the
# redacted passphrase.
config wifi-iface 'default_radio0'
option device 'radio0'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'sae-mixed'
option key 'secret_key'
option network 'lan'
# 5 GHz radio: channel 36, HE80; same SSID, key and network as radio0.
config wifi-device 'radio1'
option type 'mac80211'
option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
option channel '36'
option band '5g'
option htmode 'HE80'
option cell_density '0'
config wifi-iface 'default_radio1'
option device 'radio1'
option mode 'ap'
option ssid 'OpenWrt'
option key 'secret_key'
option encryption 'sae-mixed'
option network 'lan'
package dhcp
# dnsmasq serves DHCP and DNS for 'lan'. rebind_protection discards upstream
# answers that point at private ranges; localservice limits DNS service to
# directly attached subnets.
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
# netifd writes interface-learned upstream resolvers here; the 'ls' output
# later in the thread shows this file is 0 bytes (static wan, no 'option dns'),
# so the explicit server below is the only upstream.
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
list server '8.8.8.8'
# IPv4 pool 192.168.1.100-249 on 'lan', plus DHCPv6/RA.
# NOTE(review): there is no 'config dhcp' section for the 'wlan' interface, so
# nothing would be served on 192.168.2.0/24 even if that interface came up.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
# No DHCP is offered on the upstream port.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
option start '100'
option limit '150'
option leasetime '12h'
# dnsmasq stays the main DHCPv4 server; odhcpd handles the IPv6 side.
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# Static reservations by MAC; dns '1' also registers the name in local DNS.
# NOTE(review): the thread asked for MAC addresses to be redacted before posting.
# 192.168.1.189 ('pie') is the DNAT target of every firewall redirect.
config host
option name 'pie'
option dns '1'
option mac 'B8:27:EB:6B:53:14'
option ip '192.168.1.189'
option leasetime '3600'
config host
option name 'rpi'
option dns '1'
option mac 'B8:27:EB:83:AB:D2'
option ip '192.168.1.177'
option leasetime '3600'
# .106 lies outside the 100-249 pool; the two entries above are inside it and
# are pinned by the reservation.
config host
option name 'hole'
option dns '1'
option mac '98:22:EF:E0:1A:FF'
option ip '192.168.1.106'
package firewall
# 'uci export firewall'. Reviewer notes are marked NOTE(review).
# These policies apply to traffic that matches no zone; the 'wan' zone below
# tightens input to REJECT, so dropbear is not reachable from the WAN side
# (goal: ssh on LAN/WLAN only).
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# 'lan' and 'wlan' share one zone, so traffic between them is forwarded by the
# zone's own forward policy — the firewall is not what would block ssh between
# the two RPis.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'wlan'
# 'forward' here governs forwarding between this zone's own networks ('wan',
# 'wan6'); lan->wan egress is granted by the forwarding section below.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option forward 'ACCEPT'
list network 'wan'
list network 'wan6'
# Clients on lan/wlan may reach wan and are NATed (masq above) to 192.168.88.177.
# The router itself has a default route via 192.168.88.1 (see 'ip -4 ro' below);
# a client without a default route to the router still cannot use this, which
# matches the report that some devices only work after a manual route is set.
config forwarding
option src 'lan'
option dest 'wan'
# Stock OpenWrt WAN input rules follow (DHCP renew, ping, IGMP, DHCPv6, MLD,
# ICMPv6).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Stock rules that forward IPsec (ESP, IKE on UDP 500) from wan into lan; they
# only matter if a LAN host runs an IPsec endpoint.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Port forwards: whatever reaches the WAN address on 80/8080/443/666 is DNATed to
# 192.168.1.189 (the 'pie' reservation in package dhcp). Anything on the
# 192.168.88.0/24 side — and beyond it, if the upstream router forwards — can
# reach these services, so keep only the ones still needed.
config redirect
option dest 'lan'
option target 'DNAT'
list proto 'tcp'
option src 'wan'
option src_dport '80'
option dest_ip '192.168.1.189'
option dest_port '80'
option name 'http'
config redirect
option dest 'lan'
option target 'DNAT'
list proto 'tcp'
option src 'wan'
option src_dport '8080'
option dest_ip '192.168.1.189'
option dest_port '8080'
option name 'http_alt'
config redirect
option dest 'lan'
option target 'DNAT'
list proto 'tcp'
option src 'wan'
option src_dport '443'
option dest_ip '192.168.1.189'
option dest_port '443'
option name 'https'
# NOTE(review): the ssh forward moved from 33333 in the first paste to 666 here,
# and the port is kept (666 -> 666), so sshd on 192.168.1.189 has to listen on
# 666 for this redirect to work — confirm.
config redirect
option dest 'lan'
option target 'DNAT'
option name 'ssh'
list proto 'tcp'
option src 'wan'
option src_dport '666'
option dest_ip '192.168.1.189'
option dest_port '666'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.88.177/24 brd 192.168.88.255 scope global wan
valid_lft forever preferred_lft forever
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
default via 192.168.88.1 dev wan
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
192.168.88.0/24 dev wan scope link src 192.168.88.177
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link src 192.168.1.1
broadcast 192.168.88.0 dev wan table local scope link src 192.168.88.177
local 192.168.88.177 dev wan table local scope host src 192.168.88.177
broadcast 192.168.88.255 dev wan table local scope link src 192.168.88.177
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
lrwxrwxrwx 1 root root 16 Oct 14 22:44 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r-- 1 root root 47 Mar 21 10:50 /tmp/resolv.conf
-rw-r--r-- 1 root root 0 Mar 21 07:08 /tmp/resolv.conf.d/resolv.conf.auto
/tmp/resolv.conf.d:
-rw-r--r-- 1 root root 0 Mar 21 07:08 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1
==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1
==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error
==> /tmp/resolv.conf.d/resolv.conf.auto <==