New requests from LAN appear to be blocked

Hello and thanks for taking the time to read. I have a problem that I haven't been able to find the solution for yet. I have configured a GL-X750 router with LTE connection and one connection to my LAN router. It's a simple enough setup and the double-NAT doesn't concern me. What's odd is that I can ping from the LTE IP to Google and I can ping from the LAN IP of the OpenWRT router (GL-X750) to Google or any other IP. If I try to ping a different IP address from the WAN interface of my LAN router connected to the OpenWRT router, it times out. However, if I ping the IP that was successful from the OpenWRT router, it succeeds from the router. Example below.

Ping from OpenWRT router LTE interface:

root@GL-X750:~# ping www.google.com
PING www.google.com (172.217.9.68): 56 data bytes
64 bytes from 172.217.9.68: seq=0 ttl=112 time=40.126 ms
64 bytes from 172.217.9.68: seq=1 ttl=112 time=68.515 ms
64 bytes from 172.217.9.68: seq=2 ttl=112 time=50.057 ms
64 bytes from 172.217.9.68: seq=3 ttl=112 time=89.736 ms
64 bytes from 172.217.9.68: seq=4 ttl=112 time=77.524 ms
64 bytes from 172.217.9.68: seq=5 ttl=112 time=56.013 ms

Ping from OpenWRT router LAN interface:

root@GL-X750:~# ping -I 192.168.8.1 www.google.com
PING www.google.com (172.217.4.228) from 192.168.8.1: 56 data bytes
64 bytes from 172.217.4.228: seq=0 ttl=113 time=50.585 ms
64 bytes from 172.217.4.228: seq=1 ttl=113 time=137.361 ms
64 bytes from 172.217.4.228: seq=2 ttl=113 time=81.299 ms

Ping from LAN router to a new IP:

 sudo ping -I eth0 www.google.com
PING www.google.com (172.217.4.68) from 192.168.8.198 eth0: 56(84) bytes of data.
^C
--- www.google.com ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3001ms

Ping from LAN router to the IP that was successful from the OpenWRT router:

sudo ping -I eth0 172.217.4.228
PING 172.217.4.228 (172.217.4.228) from 192.168.8.198 eth0: 56(84) bytes of data.
64 bytes from 172.217.4.228: icmp_req=1 ttl=112 time=164 ms
64 bytes from 172.217.4.228: icmp_req=2 ttl=112 time=84.9 ms
64 bytes from 172.217.4.228: icmp_req=3 ttl=112 time=77.8 ms
64 bytes from 172.217.4.228: icmp_req=4 ttl=112 time=134 ms
^C
--- 172.217.4.228 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 77.897/115.658/164.878/35.937 ms

This leads me to believe that I'm missing something on the firewall side and new connections aren't being allowed but I can't figure it out. As you'll see from the output below, I've tried to open the firewall completely. I've also had this happen with the default firewall rules.

root@GL-X750:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config include
        option path '/etc/firewall.user'
        option reload '1'

config include 'gls2s'
        option type 'script'
        option path '/var/etc/gls2s.include'
        option reload '1'

config include 'glfw'
        option type 'script'
        option path '/usr/bin/glfw.sh'
        option reload '1'

config include 'glqos'
        option type 'script'
        option path '/usr/sbin/glqos.sh'
        option reload '1'

config include 'mwan3'
        option type 'script'
        option path '/var/etc/mwan3.include'
        option reload '1'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'LAN'
        option network 'lan'
        option forward 'ACCEPT'

config zone
        option output 'ACCEPT'
        option name 'WAN'
        option masq '1'
        option network 'modem_1_1_2'
        option forward 'ACCEPT'
        option input 'ACCEPT'

config forwarding
        option dest 'LAN'
        option src 'WAN'

config forwarding
        option dest 'WAN'
        option src 'LAN'

config rule
        option target 'ACCEPT'
        option src 'LAN'
        option name 'any'
        option family 'ipv4'
        option proto 'all'
        option dest 'WAN'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option src 'WAN'
        option name 'any wan'
        option family 'ipv4'
        option proto 'all'
        option dest 'LAN'

root@GL-X750:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdde:6d6e:22e7::/48'

config interface 'lan'
        option ifname 'eth1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option hostname 'GL-X750-6fc'
        option ipaddr '192.168.8.1'
        option type 'bridge'

config interface 'guest'
        option ifname 'guest'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'modem_1_1_2'
        option ifname '3g-modem'
        option service 'umts'
        option apn 'VZWINTERNET'
        option proto '3g'
        option device '/dev/ttyUSB3'
        option metric '40'
        option disabled '0'

What version of OpenWrt are you using? If you are using the firmware directly from GLI-NET, you should ask in their support forums since they may have customized elements of OpenWrt that would be relevant to your question (things that differ from pure/official OpenWrt can make the help here less useful since we don't know the nuances of their changes, and some of the advice from here might even break things on their custom version).

Assuming you're using official OpenWrt: You have a few things going on that you should look at:
What are all those scripts doing? (gls2s, glfw, glqos)? Also, you have mwan3 installed -- is that intentional?

You absolutely do not want your WAN to be accepting on input or forward. Those should be reject.
You do not want forwarding from WAN to LAN.

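The reply's points about the WAN zone can be checked mechanically against /etc/config/firewall. The following is an added example, not part of the original thread: `parse_uci` and `audit` are hypothetical helper names, the sample is constructed by trimming the posted config, and treating a zone as WAN-side when it has `masq '1'` or is named `wan` is an assumption. It goes one step beyond the reply by also flagging an accept-all rule from WAN, since such a rule still forwards traffic after the forwarding section is removed.

```python
# Constructed sample: zone, forwarding and rule sections trimmed from the posted config.
SAMPLE = """
config zone
        option name 'LAN'
        option input 'ACCEPT'
        option forward 'ACCEPT'
config zone
        option name 'WAN'
        option masq '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'
config forwarding
        option src 'WAN'
        option dest 'LAN'
config forwarding
        option src 'LAN'
        option dest 'WAN'
config rule
        option name 'any wan'
        option target 'ACCEPT'
        option src 'WAN'
        option proto 'all'
        option dest 'LAN'
"""

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {option: value}) pairs."""
    sections = []
    for line in text.splitlines():
        words = line.replace("'", "").split()
        if words[:1] == ["config"] and len(words) >= 2:
            sections.append((words[1], {}))
        elif words[:1] == ["option"] and len(words) >= 3 and sections:
            sections[-1][1][words[1]] = " ".join(words[2:])
    return sections

def audit(text):
    """Flag WAN-side exposure. Assumption: WAN-side means masq '1' or zone name 'wan'."""
    sections = parse_uci(text)
    wan = {o["name"] for t, o in sections if t == "zone" and "name" in o
           and (o.get("masq") == "1" or o["name"].lower() == "wan")}
    findings = []
    for t, o in sections:
        if t == "zone" and o.get("name") in wan:
            findings += [f"zone {o['name']}: {c} ACCEPT, set REJECT"
                         for c in ("input", "forward") if o.get(c, "").upper() == "ACCEPT"]
        elif t == "forwarding" and o.get("src") in wan and o.get("dest") not in wan:
            findings.append(f"forwarding {o['src']} -> {o['dest']}: remove")
        elif t == "rule" and o.get("src") in wan and o.get("target") == "ACCEPT" and o.get("proto") == "all":
            findings.append(f"rule '{o.get('name')}': accepts all protocols from {o['src']}")
    return findings
```

On the router, `audit(open("/etc/config/firewall").read())` runs the same checks against the live file; an empty list means none of the three conditions were found.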