Network unreachable without WAN bridge

I recently set up OpenWrt on a brand new NBG6817. Unfortunately, with the default config it shipped with there was no internet access, so I had to update the config, and this is what I came up with in the end.

/etc/config/network

# Loopback: the standard static 127.0.0.1/8 on 'lo'.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# IPv6 ULA prefix for the router (value redacted by the poster).
config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx::/48'

# LAN: a bridge over VLAN 1 (eth1.1) with a static 192.168.1.1/24.
# delegate '0' disables IPv6 prefix delegation to this interface.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option delegate '0'

# MAC override for the LAN VLAN device (value redacted).
config device 'lan_eth1_1_dev'
        option name 'eth1.1'
        option macaddr 'xx:xx:xx:xx:xx:xx'

# WAN: DHCP client on VLAN 2 (eth0.2).
# peerdns '0' ignores the resolvers the ISP pushes via DHCP; the two
# 'list dns' entries below are used instead (the reply notes these are
# optional). Queries to them still leave as plain DNS, so they remain
# visible on the ISP path.
# macaddr and hostname are both sent to the ISP's DHCP server. Note that
# a macaddr is ALSO set on the 'wan_eth0_2_dev' device stanza below; the
# reply identifies this double definition as the reason the bridge was
# needed at all.
# type 'bridge' with a single member (eth0.2) is the workaround the
# poster arrived at; the reply's proposed stanza drops it.
config interface 'wan'
        option proto 'dhcp'
        option peerdns '0'
        option macaddr 'xx:xx:xx:xx:xx:xx'
        option hostname 'Router'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option delegate '0'
        option ifname 'eth0.2'
        option type 'bridge'

# MAC override for the WAN VLAN device (value redacted). Per the reply,
# this is the one place the WAN MAC override should be defined.
config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'xx:xx:xx:xx:xx:xx'

# Switch: VLAN-aware, reset on configuration load.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1 (LAN): port 6 tagged (presumably the CPU port behind eth1, per
# the poster's description), ports 1-4 untagged.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '6t 1 2 3 4'

# VLAN 2 (WAN): port 0 tagged (presumably the CPU port behind eth0),
# port 5 untagged.
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 5'
        option vid '2'

/etc/config/firewall

# Zone-independent defaults. Router input/output default to ACCEPT, so any
# interface not assigned to a zone below would fall under that ACCEPT
# policy; forwarding between zones is REJECTed unless a 'forwarding'
# stanza or a rule allows it. synflood_protect and drop_invalid are the
# stock OpenWrt hardening options.
config defaults
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'
        option output 'ACCEPT'
        option input 'ACCEPT'

# LAN zone: fully open (input/output/forward ACCEPT) for the 'lan' interface.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'lan'
        option forward 'ACCEPT'

# WAN zone: unsolicited inbound and forwarded traffic from 'wan' is
# REJECTed; masq '1' enables NAT for traffic leaving via WAN and mtu_fix
# clamps TCP MSS to the path MTU.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan'

# Allow LAN -> WAN forwarding. No reverse forwarding is defined; return
# traffic is handled by connection tracking.
config forwarding
        option src 'lan'
        option dest 'wan'

# Accept DHCP renewals from the ISP to the router (UDP/68); needed
# because the WAN zone rejects input by default.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Ping from WAN is disabled here (enabled '0'); the stock OpenWrt config
# leaves this rule enabled.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

# Accept IGMP from WAN (IPv4 multicast membership signalling).
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# IPv6-related WAN rules: every one of these is set to enabled '0'.
# Consistent with that, no IPv6 WAN interface (e.g. 'wan6') exists in
# the network config above. If IPv6 is later enabled on WAN, the
# ICMPv6 input rule in particular must be re-enabled, as neighbour
# discovery and path MTU discovery depend on it.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

# IPsec passthrough (ESP, and ISAKMP on UDP/500) from WAN into the LAN
# zone: both rules are present but disabled.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option enabled '0'

# Include for hand-written rules in /etc/firewall.user (that file is not
# shown in this thread, so its contents are not covered by this review).
config include
        option path '/etc/firewall.user'

ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet6 xxxx::xxxx:xxxx:xxxx:xxxx/64 scope link 
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 xxxx::xxxx:xxxx:xxxx:xxxx/64 scope link 
       valid_lft forever preferred_lft forever
8: eth1.1@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
12: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet6 xxxx::xxxx:xxxx:xxxx:xxxx/64 scope link 
       valid_lft forever preferred_lft forever
29: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet6 xxxx::xxxx:xxxx:xxxx:xxxx/64 scope link 
       valid_lft forever preferred_lft forever
32: br-wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet xx.xx.xx.xx/20 brd xx.xx.xx.255 scope global br-wan
       valid_lft forever preferred_lft forever
    inet6 xxxx::xxxx:xxxx:xxxx:xxxx/64 scope link 
       valid_lft forever preferred_lft forever
33: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-wan state UP qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff

There was no connection to the internet from the router itself until I set the WAN interface to 'bridge' mode, even though there's only one device chosen, which is VLAN 2 (eth0.2). In all the other guides and videos there's no bridge on this interface, so I'm not sure whether I'm doing everything right. I even thought that the reason for this might be that my router has two CPU ports on the Switch page (eth0 and eth1), and all the LAN ports are connected to eth1 while the WAN port is connected to eth0 only.

It would be great if anyone could provide me with good guides/literature to start with, for a better understanding of how this should work and of the correct way to configure my router. Thanks!

I assume that the two list dns entries are optional, following your personal preferences and not actually required.

macaddr and hostname suggest to me that you're using a cable ISP, which locks onto the MAC address of your router for (weak) authentication and to prevent multiple logins. hostname is rarely required to be reported to the ISP (I'd even call this a bug), but some ISPs still insist on it, and trying to teach them sanity is rather futile (I'd still try to re-confirm whether it's really necessary, as it's just pointless).

If you look further down, at the wan_eth0_2_dev configuration stanza, this would be the place to define the MAC address of your WAN interface - I assume that the MAC address added there differs from the one you're trying to set via macaddr in the wan interface stanza directly above. Assuming my hunch above is correct, this would actually explain what is happening here: you would be trying to set a MAC address for your wan interface in two different places, competing against each other, with wan_eth0_2_dev finally winning. What you then get by creating a bridge (with only a single bridge member, the wan interface) is a virtual interface added on top of the physical one - and you can now successfully define the MAC address expected by your ISP for this upper, virtual interface (the bridge, not the physical bridge member below).

In other words, I expect the following to work:

# The reply's proposed 'wan' stanza: plain DHCP on eth0.2, no bridge, and
# no macaddr/hostname set on the interface itself. peerdns/list dns are
# omitted here as optional (see the reply above).
config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option delegate '0'

# The MAC override lives only on the device stanza; defining it on the
# interface as well is what competed with this setting.
config device 'wan_dev'
        option name 'eth0.2'
        option macaddr '60:31:97:XX:XX:XX'   # <-- insert the MAC address here, only here

…and you probably don't really need to set any MAC address override at all: if you take both the modem and the router offline (powering off hard) and wait ~15 minutes before powering them on again, most cable ISPs should release the DHCP lease that way and accept your router's real MAC address from there on.

Disclaimer: I've only glanced over your firewall configuration and expect (hope!) that there weren't any fundamental, potentially problematic changes.


Yes, you were absolutely right! Thank you very much.

I assume that the two list dns entries are optional, following your personal preferences and not actually required.

Yes, my ISP pushes a DNS server via DHCP with some sites blocked based on the local government restrictions, so it's a simple countermeasure.

and you probably don't really need to set any MAC address override, if you take both the modem and the router offline (powering off hard) and wait ~15 minutes

Correct, I'm sure this would work, but I haven't changed it in a long time, so I'm kind of used to overriding it on each piece of new equipment I bring into the house (:

Also thank you for the detailed explanation of how and why it was working with the bridge, I really appreciate this.
