No internet acces on lan devices, only router

Hello everyone.

First thing to say, i'm new to OpenWRT. I can manage ssh into it, linux cmmds etc, i'm okay.
This is my setup:
ZTE G5TS (5g modem in bridge mode, no dhcp, no wifi) ----->
Xiaomi Mi AIot AX3600 (openwrt installed, acting as main router).

OpenWRT router have stock config file (almost).

What happens right now:

• Router:

* have functioning ipv6
* can ping on ipv6
* doesn't have functioning ipv4
* can't ping on ipv4

• LAN Devices:

* doesn't have any connection at all, no ipv6 no ipv4 (ip's are assigned, but no internet connection)
* can't ping anything, no ipv6, no ipv4

I read on an LTE forum that changing subnet of the gateway should fix this issue. I changed subnet of ZTE, no luck. Reverted back. Changed subnet of Xiaomi, no luck. Tried default, no luck.

ZTE subnet - 192.168.0.x (router ip 192.168.0.1)
Xiaomi subnet - 192.168.1.x (router ip 192.168.1.1)

I added the function "modem" to be able to access the ZTE modem according to this tutorial https://openwrt.org/docs/guide-user/network/wan/access.modem.through.nat but it's not working. LuCI web ui says

Error: Network device is not present.

Pinging from LuCI ui to openwrt.org on ipv4 results this:

PING openwrt.org (64.226.122.113): 56 data bytes
ping: sendto: Network unreachable

On the overview page of LuCI, under network, i can see only an IPv6 Upstream.

Network config: https://pastebin.com/NwkhNC4Y
DHCP config: https://pastebin.com/w7MGeQ33
Firewall config: https://pastebin.com/15QLnjGa

ZTE ui config → https://imgur.com/a/Glr8ruc

The only way this setup works, is if I set Xiaomi WAN port to static and give it the 192.168.0.2 ip (zte uses 192.168.0.1). This is double NAT. I don't want double NAT.

Please post your configs directly into the forum:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Forget about OpenWrt for a while, connect your computer directly to ZTE G5TS and make sure you can access the Internet over IPv4 and/or IPv6.

If i connect the PC directly to the ZTE thru the port which ZTE is passing the bridging data, with default settings on ethernet adapter happens this:

no internet connection ipv4
can't ping ipv4
internet acces ipv6
can ping ipv6

If i do the same settings like on the openwrt route (static ip 192.168.0.2 / subnet 255.255.255.0 / gateway 192.168.0.1) ipv4 and ipv6 both work, can ping both type of ips.
So, seems like the problem is somewher on the ZTE part or ISP part. Am i right?

ubus call system board

{
        "kernel": "6.6.110",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Xiaomi AX3600",
        "board_name": "xiaomi,ax3600",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.4",
                "revision": "r28959-29397011cc",
                "target": "qualcommax/ipq807x",
                "description": "OpenWrt 24.10.4 r28959-29397011cc",
                "builddate": "1760891865"
        }
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'modem'
	option proto 'static'
	option device '@wan'
	option ipaddr '192.168.0.2'
	option netmask '255.255.255.0'

config interface 'wan6'
	option proto 'dhcpv6'
	option device 'wan'
	option reqaddress 'try'
	option reqprefix 'auto'
	option extendprefix '1'
	option norelease '0'
	option peerdns '0'

cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc@0/20000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '5g'
	option channel '36'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc@0/c000000.wifi'
	option band '5g'
	option channel '48'
	option htmode 'HE40'
	option country 'DE'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'Milky Way-5GHz'
	option encryption 'sae-mixed'
	option key '3bimmer21'
	option ocv '0'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc@0/c000000.wifi+1'
	option band '2g'
	option channel '1'
	option htmode 'HE20'
	option disabled '1'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra_mininterval '10'
	option ra_maxinterval '300'
	option ra_reachabletime '600000'
	option ra_lifetime '600'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
	option piofolder '/tmp/odhcpd-piofolder'

cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'modem'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

Who is your carrier if you don't mind?

Please check on the PC (while it still connected to G5TS) and copy/paste the results here. Make sure you don't have your own DNS servers configured.

nslookup ipv4only.arpa.
ping openwrt.de
ping 64:ff9b::40be:3fde

This suggests that either your zte device is not proving ipv4 at all, or more likely that it requires a different configuration on the zte device itself and/or your client device (the computer at the moment, longer term your openwrt router).

My internet provider is O2 Germany. They also provide DSL. You may be right. Without anny ip/dns settings, dnsleaktest.com shows 2 servers:

O2 Deutschland
O2 Deutschland

So, I assumed that you want me to do this in the same state i wrote what you quotted me, which is with PC's ethernet adapter settings on auto.

nslookup ipv4only.arpa.

Server:  UnKnown
Address:  2a02:3018:0:40ff::aaaa

Non-authoritative answer:
Name:    ipv4only.arpa
Addresses:  192.0.0.170
          192.0.0.171

ping openwrt.de

Ping request could not find host openwrt.de. Please check the name and try again.

ping 64:ff9b::40be:3fde

Pinging 64:ff9b::40be:3fde with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 64:ff9b::40be:3fde:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

LTE ISPs generally don't provide a conventional routed prefix like landlines (should) do. To make v6 work within that limitation, set up IPv6 relay mode so the LAN devices get a v6 GUA (within the single /64 that the ISP routes to your line) and then they will be able to reach the v6 Internet.

You will need to find out the standard your ISP uses to provide access to the legacy v4 Internet on what appears to be a v6 only connection. It does not appear to be 464. Check the modem settings for any v4 compatibilty modes, and try setting the LTE connection itself to dual stack if it is on v6 only now.

It looks like the service you have is IPv6 only but the test results shows no support for 464xlat, etc.
As already mentioned you need to figure out what technique they use to provide IPv4 connectivity.

The only setting the router have, regarding ipv4 or v6, is in the APN, on the top post is a gallery with images from ZTE ui.

APN -> PDP Type: set to IPv4v6. Beside IPv4v6 i have another 2 options, which are IPv4 alone and IPv6 alone.

Regardin the standard of delivering ipv4, how can i find that? I need to ask them? Or is there anyway to find thru some cmds or something?

Their press release suggests that they initially provided dual-stack connectivity:
https://www.telefonica.de/news/corporate/2021/04/mehr-ip-adressen-und-endgeraete-im-netz-o2-kunden-nutzen-internet-protokolle-ipv4-und-ipv6-im-parallelbetrieb.htm

I would probably switch ZTE box back to router mode and check the status page for any mention of IPv4.

Didn’t need to switch it to router mode…

Basic Information

SIM Card Number
+49176******
IMEI
86933******
IMSI
262*********
Gateway IP Address
192.168.0.1
WAN IP Address
10.242.x.x
WAN IPv6 Address
2a02:3030:**********
Software Version
BD_MEDDEG5TSV1.0.0B07
Hardware Version
G5TSHW_1.0.0
CE-RED Version
EU20.001

That is dual-stack.
Not sure why IPv4 address was not passed to LAN in bridge mode.
Perhaps you need to keep DHCP server enabled on ZTE?

The zte device seems to be in router mode. If it is not providing a dhcp server, you need to set the client via static ip. Try 192.168.0.2/24 with gateway 192.168.0.1 and dns 192.168.0.1

I did't say from the first post, but I think you knew already that I'm behind CGNAT if it matters.

@AndrewZ
I pulled that data with ZTE box in bridge mode...
It have a DHCP option but was deactivated.

!!YOU WERE RIGHT!!
I just activated the DHCP on ZTE box. Now the WAN IP that ZTE shows, is the same ip in OpenWRT WAN interface, which is a "public" one 10.250..
I still have double NAT.
IPv6 doesn't work at all on lan devices, the ip addresses (I think) are alocated correct.
The router itself can ping an ipv6.

The IPv6 settings on DHCP interface LAN are in server mode.
RA Flags: managed config (M) | other config (O)

lan interface:

IPv4: 192.168.1.1/24
IPv6: 2a02:3038:2ee:*::1/64

wan6 interface:

IPv6: 2a02:3038:2ee:*:*:*:*:*/128
IPv6: 2a02:3038:2ee:*:*:*:*:*/64
IPv6-PD: 2a02:3038:2ee:*::/64

test-ipv6.com on lan devices shows:

No IPv6 address detected

traceroute shows:

Tracing route to google.com [142.251.36.238]
over a maximum of 30 hops:

  1     3 ms     2 ms     2 ms  OpenWrt.lan [192.168.1.1]
  2     6 ms     6 ms     2 ms  192.168.0.1
  3    74 ms    32 ms    31 ms  10.0.*.*

I configured the DNS manually because i don't like to see O2 in my DNS-es.
As you can see, there is not interogation for ipv6 DNS, even though there are 2 DNS servers from Cisco/OpenDNS configured in OpenWRT in the same way like ipv4 DNS.
dnsleaktest.com shows:

@psherman
Yeah, I said from the beggining, this is (was actually) the only way that worked.

Questions:

1. Can i get rid of the double NAT?
2. Can IPv6 work on this setup/config?

No.

See IPv6 doesn't work for connected devices - #4 by AndrewZ
If there is no real Prefix Delegation in place and you have exactly the same prefix mentioned several times on wan6, then you need to perform some extra configuration steps:
How to enable ipv6 in Openwrt - #129 by foxtokyo

@AndrewZ
I tried both, the last link works but it's unstable.

ping -6 google.c

Pinging google.c [2a00:1450:4005:800::200e] with 32 bytes of data:
Reply from 2a00:1450:4005:800::200e: time=94ms
Reply from 2a00:1450:4005:800::200e: time=43ms
Reply from 2a00:1450:4005:800::200e: time=33ms
Request timed out.

Ping statistics for 2a00:1450:4005:800::200e:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 33ms, Maximum = 94ms, Average = 56ms

Test ipv6 shows ok 10/10 but no website (only ipv6) works.

nslookup ipv6.google.c

DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 2a02:3030:e4:1b73::1

DNS request timed out.
timeout was 2 seconds.
Non-authoritative answer:
Name: ipv6.l.google.c
Address: 2a00:1450:4005:804::200e
Aliases: ipv6.google.c

I think it's something about DNS-es. If i put a custom DNS like Google or Cloudflare, ipv6 won't work. With the option 'dns advertised by peer' checked (which is O2 deutschland) works but it's instable. You can see above the nslookup, at first it hanged.

Another thing, my pc have this ipv6 local
fe80::a072:18db:f506:8aad%14
and if i ping it from router doesn't work. The ping from router only works if instead of 14 i put br-lan.

ip addr show

shows that it's id 43 actually, with id 43 the ping works

Look what’s happening.

The ZTE box “receive” a reboot every night at a random hour from O2. It’s not their device, they probably disconnect me from network. Idk

After over 24h of working the Openwrt gives me too many ipv6 ip’s. I think this it’s not right.

Lan:

Protocol: Static address
Uptime: 1d 0h 39m 27s
MAC: 28:D1:27:4D:83:DD
RX: 514.65 MB (3896909 Pkts.)
TX: 31.65 GB (22060026 Pkts.)
IPv4: 192.168.1.1/24
IPv6: 2a02:3038:*:74a9::1/64
IPv6: 2a02:3030:*:d019::1/64
IPv6: 2a02:3037:*:9b01::1/64

Wan6

Protocol: DHCPv6 client
Uptime: 1h 12m 12s
MAC: 28:D1:27:70:96:AF
RX: 78.42 GB (55025308 Pkts.)
TX: 1.81 GB (9875619 Pkts.)
IPv6: 2a02:3037:*:*:*:*:*:82/128
IPv6: 2a02:3037:*:*:*:*:*:96af/64
IPv6: 2a02:3030:*:*:*:*:*:96af/64
IPv6: 2a02:3038:*:*:*:*:*:96af/64
IPv6-PD: 2a02:3030:*:d019::/64
IPv6-PD: 2a02:3037:*:9b01::/64
IPv6-PD: 2a02:3038:*:74a9::/64