To summarize, I have a Mercusys AC12G as my main router, and I'm testing a TL-WR842N v3 that I installed zerotier to be able to manage some IP Cameras (in a rural area with a different ISP) from my home, but no matter what I do, I can't get the LAN and WLAN to have access, but when I ping from the ssh, it has connection (I even installed packages), I already changed the LAN IP to 192.168.100.1/24 (main router 192.168.2.1/24), did anyone had this problem or can help me troubleshoot this? Note: I tested another router with stock firmware and it has internet connection on LAN and WLAN.
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
/etc/config/network:
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdf9:9c7d:c5d0::/48'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth1'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.100.1'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 0t'
config interface 'ZeroTier'
option ifname 'zt6ov2itqg'
option proto 'none'
/etc/config/wireless:
config wifi-device 'radio0'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'platform/ahb/ahb:apb/18100000.wmac'
option htmode 'HT20'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
/etc/config/dhcp:
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
/etc/config/firewall:
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config rule
option name 'Allow-ZeroTier-Inbound'
option src '*'
option target 'ACCEPT'
option proto 'udp'
option dest_port '9993'
config zone
option name 'vpn'
option network 'vpn ZeroTier'
option input 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option output 'ACCEPT'
config forwarding
option dest 'lan'
option src 'vpn'
config forwarding
option dest 'wan'
option src 'vpn'
config forwarding
option dest 'vpn'
option src 'lan'
This is an old method of defining a bridge, and is no longer valid.
It should look like this:
config device
option name 'br-lan'
option type 'bridge'
option device 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.100.1'
Try that, and let me know if that resolves things.
weird, I reinstalled openwrt, it came with the bridge like you posted, but when I use the OEM firmware, the internet works fine, I'll try some things, and post here any updates.
Update: yeah, seems it's really something to do with openwrt, as soon I installed the stock firmware, it worked fine, but when I changed to openwrt, internet on lan and wlan stopped working...
How are you connecting the devices together? Please post the current (default?) configs.
Well, my main router is connected to the wan port, and all the configs rn are the default configs of openwrt, except for the lan ip address (192.168.1.1 to 192.168.100.1)
I'll post the configs that you asked me below:
/etc/config/network:
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd7a:e40e:8456::/48'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth1'
option proto 'dhcpv6'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.100.1'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 0t'
/etc/config/wireless:
config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11g'
option path 'platform/ahb/ahb:apb/18100000.wmac'
option htmode 'HT20'
option channel 'auto'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option encryption 'none'
option ssid 'OPW'
/etc/config/dhcp:
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
/etc/config/firewall:
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option src_ip fc00::/6
option dest_ip fc00::/6
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
# include a file with users custom iptables rules
config include
option path /etc/firewall.user
### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
# option src lan
# option src_ip 192.168.45.2
# option dest wan
# option proto tcp
# option target REJECT
# block a specific mac on wan
#config rule
# option dest wan
# option src_mac 00:11:22:33:44:66
# option target REJECT
# block incoming ICMP traffic on a zone
#config rule
# option src lan
# option proto ICMP
# option target DROP
# port redirect port coming in on wan to lan
#config redirect
# option src wan
# option src_dport 80
# option dest lan
# option dest_ip 192.168.16.235
# option dest_port 80
# option proto tcp
# port redirect of remapped ssh port (22001) on wan
#config redirect
# option src wan
# option src_dport 22001
# option dest lan
# option dest_port 22
# option proto tcp
### FULL CONFIG SECTIONS
#config rule
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 80
# option dest wan
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
# option target REJECT
#config redirect
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 1024
# option src_dport 80
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
Those are my current settings, only changes were that I changed LAN IP and WiFi Name
Everything looks fine...
- What is the output of
ifconfig? - if you ssh into the OpenWrt router, what do you get when you ping the following:
- 192.168.2.1 (I'm assuming this is the upstream gateway address, if not, modify accordingly)
- 8.8.8.8
- google.com
- from a computer connected to the OpenWrt router, repeat those ping tests and report those, too.
1 Like
Update: apparently, from my pc, I can´t ping google or 8.8.8.8, but I can ping my gateway (192.168.2.1)
ifconfig:
br-lan Link encap:Ethernet HWaddr 98:DE:D0:DF:D5:92
inet addr:192.168.100.1 Bcast:192.168.100.255 Mask:255.255.255.0
inet6 addr: fe80::9ade:d0ff:fedf:d592/64 Scope:Link
inet6 addr: fd7a:e40e:8456::1/60 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:38343 errors:0 dropped:0 overruns:0 frame:0
TX packets:13730 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4894493 (4.6 MiB) TX bytes:2156270 (2.0 MiB)
eth0 Link encap:Ethernet HWaddr 98:DE:D0:DF:D5:92
inet6 addr: fe80::9ade:d0ff:fedf:d592/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:38403 errors:0 dropped:0 overruns:0 frame:0
TX packets:13750 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5591649 (5.3 MiB) TX bytes:2213162 (2.1 MiB)
Interrupt:5
eth0.1 Link encap:Ethernet HWaddr 98:DE:D0:DF:D5:92
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:38354 errors:0 dropped:11 overruns:0 frame:0
TX packets:13730 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4894999 (4.6 MiB) TX bytes:2156270 (2.0 MiB)
eth1 Link encap:Ethernet HWaddr 98:DE:D0:DF:D5:93
inet addr:192.168.2.110 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::9ade:d0ff:fedf:d593/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:34730 errors:0 dropped:0 overruns:0 frame:0
TX packets:29312 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5501904 (5.2 MiB) TX bytes:4984643 (4.7 MiB)
Interrupt:4
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:66 errors:0 dropped:0 overruns:0 frame:0
TX packets:66 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5346 (5.2 KiB) TX bytes:5346 (5.2 KiB)
wlan0 Link encap:Ethernet HWaddr 98:DE:D0:DF:D5:92
inet6 addr: fe80::9ade:d0ff:fedf:d592/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:1924 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:268952 (262.6 KiB)
pings:
PING 192.168.2.1 (192.168.2.1): 56 data bytes
64 bytes from 192.168.2.1: seq=3 ttl=64 time=0.525 ms
64 bytes from 192.168.2.1: seq=6 ttl=64 time=0.545 ms
64 bytes from 192.168.2.1: seq=7 ttl=64 time=0.431 ms
64 bytes from 192.168.2.1: seq=8 ttl=64 time=0.423 ms
64 bytes from 192.168.2.1: seq=9 ttl=64 time=0.412 ms
64 bytes from 192.168.2.1: seq=10 ttl=64 time=0.470 ms
64 bytes from 192.168.2.1: seq=11 ttl=64 time=0.413 ms
64 bytes from 192.168.2.1: seq=12 ttl=64 time=0.421 ms
64 bytes from 192.168.2.1: seq=13 ttl=64 time=0.439 ms
^C
--- 192.168.2.1 ping statistics ---
14 packets transmitted, 9 packets received, 35% packet loss
round-trip min/avg/max = 0.412/0.453/0.545 ms
-----------------------------------------------------------------------------------
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=1 time=19.391 ms
64 bytes from 8.8.8.8: seq=2 ttl=1 time=21.719 ms
64 bytes from 8.8.8.8: seq=3 ttl=1 time=19.637 ms
64 bytes from 8.8.8.8: seq=4 ttl=1 time=21.973 ms
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 4 packets received, 20% packet loss
round-trip min/avg/max = 19.391/20.680/21.973 ms
-------------------------------------------------------------------------------
PING google.com (142.251.132.14): 56 data bytes
64 bytes from 142.251.132.14: seq=0 ttl=1 time=21.166 ms
64 bytes from 142.251.132.14: seq=1 ttl=1 time=21.188 ms
64 bytes from 142.251.132.14: seq=2 ttl=1 time=18.571 ms
64 bytes from 142.251.132.14: seq=3 ttl=1 time=21.130 ms
^C
--- google.com ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 18.571/20.513/21.188 ms
Something is seriously wrong. This likely means some reply traffic is dying before it reaches your client.
This is commonly due to a routing loop.
3 Likes
The above ping tests suggest that the network is operating properly. Were these from the OpenWrt router or from a computer behind it?
EDIT: I didn't notice the TTL -- good catch @lleachii ! This will make it that much more critical to understand if this is the OpenWrt router or a computer that is a client of the router.
From the router. I posted an update on the above post, and ping to 8.8.8.8 cannot work on my pc, but ping to the gateway does.
What do you get when you do the same pings from a computer connected directly to the upstream router?
Ummm...in that pic...where's your default route to the gateway at 192.168.2.1???
BTW, you are on the wrong page, browse to Status > Rouites, not Network > Static Routes
IIRC, 192.168.2.1 is the router upstream of the OpenWrt router (which is connected via the WAN port to the 192.168.2.1's LAN port).
This latest result is from the upstream router? (not connected to the OpenWrt router at all)?
If so, your problem is not related to OpenWrt -- something is wrong with your upstream device.
**ping 192.168.2.1**
Firing 192.168.2.1 with 32 bytes of data:
Response from 192.168.2.1: bytes=32 time<1ms TTL=64
Response from 192.168.2.1: bytes=32 time<1ms TTL=64
Response from 192.168.2.1: bytes=32 time<1ms TTL=64
Response from 192.168.2.1: bytes=32 time<1ms TTL=64
Ping statistics for 192.168.2.1:
Packets: sent = 4, received = 4, lost = 0 (0% loss
loss),
Approximate a round number of times in milliseconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
**ping google.com**
Firing google.com [142.251.128.46] with 32 bytes of data:
Response from 142.251.128.46: bytes=32 time=20ms TTL=1
Response from 142.251.128.46: bytes=32 time=22ms TTL=1
Response of 142.251.128.46: bytes=32 time=22ms TTL=1
Response from 142.251.128.46: bytes=32 time=22ms TTL=1
Ping statistics for 142.251.128.46:
Packets: sent = 4, received = 4, lost = 0 (0% loss
loss),
Approximate a round number of times in milliseconds:
Minimum = 20ms, Maximum = 22ms, Average = 21ms
**ping 8.8.8.8**
Firing 8.8.8.8 with 32 bytes of data:
Response of 8.8.8.8: bytes=32 time=21ms TTL=1
Response of 8.8.8.8: bytes=32 time=19ms TTL=1
Response of 8.8.8.8: bytes=32 time=20ms TTL=1
Response of 8.8.8.8: bytes=32 time=21ms TTL=1
Ping statistics for 8.8.8.8:
Packets: sent = 4, received = 4, lost = 0 (0% loss
loss),
Approximate a round number of times in milliseconds:
Minimum = 19ms, Maximum = 21ms, Average = 20ms
Based on the fact that a direct connection to your main router (192.168.2.0/24 network) is showing a TTL of 1 for your pings to Google, something is seriously wrong at that layer.
1 Like
Maybe... resetting my main router can help?