No internet connection / no traffic to laptop

Hi there

I am trying to set up my Fritzbox4040 (FB4040) as a firewall. I have installed OpenWRT and three interfaces on the FB4040: WAN, LAN and WIFI.

My problem: My laptop (Linux OS) can't connect to websites and it cannot ping the Internet router (same problem with another laptop (Windows 10)).

The FB4040 itself is connected to the Internet: On LuCI → Network → Diagnostics, the FB4040 itself can ping, traceroute and nslookup "openwrt.org" without a problem.

WAN is connected to my Internet router, LAN is connected to my laptop via cable.

I can't seem to find where the problem is. Does it lie somewhere in the LAN to WAN forwarding settings?

My configuration settings for the firewall and network are below.

Any help would be appreciated.

WIFI: With the laptop I can connect to the wireless of the FB4040, but not to the Internet (same problem as on LAN): I can ping the WAN, LAN and WIFI interfaces, but not the Internet router or IP addresses on the Internet.

In the Firewall – Traffic Rules, I have put the rules "LAN Block all" and "WIFI Block all", so they should block all traffic that is not allowed by the rules in the Traffic Rules list.

If I deactivate these Block all rules and I ping my Internet router or a website, there is no ping response. All packets are lost. If I activate these Block all rules, the response is (from my LAN interface): "destination port unreachable". If I deactivate these Block all rules, I cannot visit websites in the browser.

Ping output from laptop to Internet router with the firewall block all rule activated:

$ ping 192.168.178.1
PING 192.168.178.1 (192.168.178.1) 56(84) bytes of data.
From 192.168.200.1 icmp_seq=1 Destination Port Unreachable
From 192.168.200.1 icmp_seq=2 Destination Port Unreachable
From 192.168.200.1 icmp_seq=3 Destination Port Unreachable
From 192.168.200.1 icmp_seq=4 Destination Port Unreachable
^C
--- 192.168.178.1 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 7ms

Ping output from laptop to Internet router with the block all rule deactivated:

$ ping 192.168.178.1
PING 192.168.178.1 (192.168.178.1) 56(84) bytes of data.
^C
--- 192.168.178.1 ping statistics ---
13 packets transmitted, 0 received, 100% packet loss, time 247ms


My System:
Hostname: OpenWrt
Model: AVM FRITZ!Box 4040
Architecture: ARMv7 Processor rev 5 (v7l)
Firmware Version: OpenWrt 19.07.1 r10911-c155900f66 / LuCI openwrt-19.07 branch git-20.029.45734-adbbd5c
Kernel Version: 4.14.167

Internet router IP: 192.168.178.1

FB4040 WAN: 192.168.178.6
FB4040 LAN: 192.168.200.1
FB4040 WIFI: 192.168.150.1

My DNS Server (pihole): 192.168.178.7

My network config:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7f:443d:f98b::/48'

config interface 'lan'
	option ifname 'eth0'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '192.168.200.1/24'
	option netmask '255.255.255.0'
	option gateway '192.168.178.1'

config interface 'wan'
	option ifname 'eth1'
	option proto 'static'
	option netmask '255.255.255.0'
	option gateway '192.168.178.1'
	list ipaddr '192.168.178.6/24'
	list dns '192.168.178.7'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

config interface 'WIFI'
	option proto 'static'
	option gateway '192.168.178.1'
	option ip6assign '60'
	list ipaddr '192.168.150.1/24'
	option netmask '255.255.255.0'

My firewall config:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option log '1'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'wan'
	option log '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'wifi'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option network 'WIFI'

config forwarding
	option dest 'wan'
	option src 'wifi'

config rule
	option dest_port '53'
	option src 'lan'
	option name 'LAN DNS'
	option target 'ACCEPT'
	option proto 'tcp udp'

config rule
	option dest_port '53'
	option src 'wifi'
	option name 'WIFI DNS'
	option target 'ACCEPT'
	option proto 'tcp udp'

config rule
	option dest_port '67-68'
	option src 'lan'
	option name 'LAN DHCP'
	option target 'ACCEPT'
	option proto 'udp'

config rule
	option dest_port '67-68'
	option src 'wifi'
	option name 'WIFI DHCP'
	option target 'ACCEPT'
	option proto 'udp'

config rule
	option dest_port '80 443'
	option src 'lan'
	option name 'LAN HTTP,  HTTPS'
	option dest 'wan'
	option target 'ACCEPT'
	option proto 'tcp'

config rule
	option dest_port '80 443'
	option src 'wifi'
	option name 'WIFI HTTP, HTTPS'
	option dest 'wan'
	option target 'ACCEPT'
	option proto 'tcp'

config rule
	option dest_port '25 465 993 4190'
	option src 'lan'
	option name 'LAN SMTPS, IMAPS, Sivie'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'

config rule
	option dest_port '25 465 993 4190'
	option src 'wifi'
	option name 'WIFI SMTPS, IMAPS, Sivie'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'

config rule
	option dest_port '22 7777'
	option src 'lan'
	option name 'LAN SSH'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'

config rule
	option dest_port '22 7777'
	option src 'wifi'
	option name 'WIFI SSH'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'

config rule
	option dest_port '123'
	option name 'LAN NTP'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'udp'
	option src 'lan'

config rule
	option dest_port '123'
	option src 'wifi'
	option name 'WIFI NTP'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option dest_port '1194'
	option src 'lan'
	option name 'LAN OpenVPN'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option dest_port '1194'
	option src 'wifi'
	option name 'WIFI OpenVPN'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option dest_port '51820'
	option src 'lan'
	option name 'LAN Wirequard'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option dest_port '51820'
	option src 'wifi'
	option name 'WIFI Wireguard'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option dest_port '5222'
	option src 'lan'
	option name 'LAN XMPP'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'

config rule
	option dest_port '5222'
	option src 'wifi'
	option name 'WIFI XMPP'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'

config rule
	option dest_port '11371'
	option src 'lan'
	option name 'LAN OpenPGP-Schlüsselserver'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'

config rule
	option dest_port '11371'
	option src 'wifi'
	option name 'WIFI OpenPGP-Schlüsselserver'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'

config rule
	option src 'lan'
	option name 'LAN Samba-Share KANN PORT NICHT EINSTELLEN'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'all'
	list dest_ip '192.168.178.1'
	option enabled '0'

config rule
	option src 'wifi'
	option name 'WIFI Samba-Share KANN PORT NICHT EINSTELLEN'
	option dest 'wan'
	list dest_ip '192.168.178.1'
	option target 'ACCEPT'
	list proto 'all'
	option enabled '0'

config rule
	option name 'LAN allow ping versuch 11.4.2020'
	option limit '1000/second'
	option family 'ipv4'
	option target 'ACCEPT'
	option dest 'wan'
	option proto 'icmp'
	option src 'lan'

config rule
	option src 'wifi'
	option name 'WIFI allow ping versuch 11.4.2020'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'icmp'
	option family 'ipv4'

config rule
	option src 'lan'
	option name 'LAN Block all'
	option dest 'wan'
	option target 'REJECT'
	list proto 'all'

config rule
	option src 'wifi'
	option name 'WIFI Block all'
	option dest 'wan'
	option target 'REJECT'
	list proto 'all'

When you paste console output always use preformatted text (the </> button). Otherwise the text is hard to read.
Remove this from lan and WIFI interfaces.

You already have a lan->wan forwarding so all those firewall rules to allow traffic from lan are pointless. Same for the extra wifi->wan forwardings.
There is no wifi<->lan forwarding, but this might be intentional.


Hi trendy

Thanks a lot for your advice.

I removed the option gateway from the lan and WIFI interfaces. Unfortunately the result is the same as before. I can't open websites and I can't ping the Internet router.

$ ping 192.168.178.1
PING 192.168.178.1 (192.168.178.1) 56(84) bytes of data.
From 192.168.200.1 icmp_seq=1 Destination Port Unreachable
From 192.168.200.1 icmp_seq=2 Destination Port Unreachable
From 192.168.200.1 icmp_seq=3 Destination Port Unreachable
^C
--- 192.168.178.1 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 5ms

Do you have any other ideas?

Your networks are all defined incorrectly. This field should not have the CIDR notation, just an address (the netmask field is used, instead). So it should be list ipaddr '192.168.200.1' for your LAN, and you need to make similar adjustments for the Wifi and WAN networks.

You said you removed the gateway from the LAN and Wifi networks, so that is good. The DNS is not an issue for your ping test to the main router, but are you using another host such as a PiHole for your DNS? If so, this should be fine (as long as the address is correct), but otherwise remove it or change it to the correct DNS.

You need to remove all of your firewall rules below the wifi > wan forwarding, as @trendy suggested. In particular, there are two rules that are going to actively block everything -- remove these or you'll never have a working configuration:

config rule
	option src 'lan'
	option name 'LAN Block all'
	option dest 'wan'
	option target 'REJECT'
	list proto 'all'

config rule
	option src 'wifi'
	option name 'WIFI Block all'
	option dest 'wan'
	option target 'REJECT'
	list proto 'all'

If I understand the firewall rules you've set up, it appears that you may be setting this router up for controlled access out to the WAN (essentially whitelisting certain things, blocking all else). If this is the case, these rules may make sense to have, but you should start with a 'clean' configuration and then build from there. Describe your goals in terms of firewall rules/allowances/blocks and we can help you set those up properly.


The order of rules in /etc/config/firewall is important -- if you're going to selectively allow things, those rules need to be first, then a "block all" at the end to catch what is not allowed. Or just set the default as "REJECT" in the zone, which ends up compiled to a "block all" at the end.

And yes what @psherman said, start with the defaults then add stuff a little at a time until you break it. A basic (not real secure) guest network is just to add a "guest" zone and a forwarding from guest to wan. You don't have to define extra routes or gateways at all.
CIDR notation instead of ipaddr + netmask is legal in /etc/config/network.


Hi guys

Thank you very much for all the replies and the help.

I just removed all firewall rules I implemented myself. Then I removed the "/24" in LuCI → Network → Interface Settings from the LAN, WIFI and WAN interfaces. The IP addresses are the same as before (LAN 192.168.200.1, WIFI 192.168.150.1, WAN 192.168.178.6).

But now I have another problem. I cannot connect to the FB4040 anymore. Even after rebooting the FB4040 (several times) I cannot connect to the LuCI portal at IP 192.168.200.1.

Also via terminal "ssh root@192.168.200.1" I cannot reach it.

When the IPv4 settings of the connection on my laptop are set to "automatic DHCP", the laptop doesn't seem to find the network (it doesn't stop searching).

When I set the IPv4 settings of the connection on my laptop to the method "manual" with address "192.168.200.5", netmask "255.255.255.0" and gateway "192.168.200.1", the laptop finds the network. But I cannot connect to the router via LuCI (web browser, 192.168.200.1) or via ssh.
The same happens if I put "32" in the netmask.

If I remember correctly, after deleting the "/24" in the interface settings of LAN, WIFI and WAN, in the main "Interfaces" window (where you see these three interfaces), instead of the IP with /24 at the end there was a "/32". Example for the WIFI interface: 192.168.150.1/32.

What am I doing wrong? How can I connect to the router now?

Sorry for the newb questions. I feel a little bit like a beetle that fell on its back and cannot turn over any more ;-). And thank you in advance for your help.

It is hard to say what went wrong, but the best route would likely be failsafe recovery. From there, you can view the config files (you can post them here) and edit them to correct any errors, or you can simply reset to defaults by issuing the command firstboot and then rebooting the router.

Well, since he removed the /24 mask, the interface assigned automatically the /32 and cannot be reached anymore from ipv4.
@ische luckily for you there is ipv6 which should not be affected. You can verify that your PC has an IP fd7f:443d:f98b:.... and most likely the router is fd7f:443d:f98b::1

Hi guys

Thanks a lot for your help. I used failsafe and was able to change the network settings, so now I am again able to connect to the router via LuCI.

@psherman: You are right, I use a Pihole that handles my DNS (192.168.178.7).
@psherman and mk24: Concerning the firewall rules I added: My goal is to build a firewall like the one described here: https://www.kuketz-blog.de/firewall-kontrolle-ausgehender-datenverkehr-openwrt-teil6/
In my opinion a very good blog, written in German.

As you advised, in the network config I deleted the gateway line in the LAN and WIFI interfaces and I deleted the "/24" CIDR from all interfaces (see network config file below).

As you advised, in the firewall config I disabled all the traffic rules I had written myself, and I will try to re-enable them one by one once I am able to connect to the Internet via my laptops (see firewall config file below).

I still can't ping my Internet router (192.168.178.1) and can't open websites via my laptop (not on WLAN and not on LAN).

See the ping "responses" here:
Connected via LAN:

$ ping 192.168.178.1
PING 192.168.178.1 (192.168.178.1) 56(84) bytes of data.
From 192.168.1.89 icmp_seq=1 Destination Host Unreachable
From 192.168.1.89 icmp_seq=2 Destination Host Unreachable
From 192.168.1.89 icmp_seq=3 Destination Host Unreachable
From 192.168.1.89 icmp_seq=4 Destination Host Unreachable
From 192.168.1.89 icmp_seq=5 Destination Host Unreachable
^C
--- 192.168.178.1 ping statistics ---
7 packets transmitted, 0 received, +5 errors, 100% packet loss, time 119ms
pipe 4

ping "response" connected via WLAN:

PING 192.168.178.1 (192.168.178.1) 56(84) bytes of data.
^C
--- 192.168.178.1 ping statistics ---
11 packets transmitted, 0 received, 100% packet loss, time 230ms

The LAN and WIFI interfaces I can ping without any problem (from the laptop). Also I can ping my Internet router from my OpenWRT router.

Do you have an idea what I need to change?

My Network config:


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7f:443d:f98b::/48'

config interface 'lan'
	option ifname 'eth0'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '192.168.200.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option ifname 'eth1'
	option proto 'static'
	option gateway '192.168.178.1'
	list dns '192.168.178.7'
	list ipaddr '192.168.178.6'
	option netmask '255.255.255.0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

config interface 'WIFI'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '192.168.150.1'
	option netmask '255.255.255.0'

My Firewall config:


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option log '1'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'wan'
	option log '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'wifi'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option network 'WIFI'

config forwarding
	option dest 'wan'
	option src 'wifi'

config rule
	option dest_port '53'
	option src 'lan'
	option name 'LAN DNS'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option enabled '0'

config rule
	option dest_port '53'
	option src 'wifi'
	option name 'WIFI DNS'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option enabled '0'

config rule
	option dest_port '67-68'
	option src 'lan'
	option name 'LAN DHCP'
	option target 'ACCEPT'
	option proto 'udp'
	option enabled '0'

config rule
	option dest_port '67-68'
	option src 'wifi'
	option name 'WIFI DHCP'
	option target 'ACCEPT'
	option proto 'udp'
	option enabled '0'

config rule
	option dest_port '80 443'
	option src 'lan'
	option name 'LAN HTTP,  HTTPS'
	option dest 'wan'
	option target 'ACCEPT'
	option proto 'tcp'
	option enabled '0'

config rule
	option dest_port '80 443'
	option src 'wifi'
	option name 'WIFI HTTP, HTTPS'
	option dest 'wan'
	option target 'ACCEPT'
	option proto 'tcp'
	option enabled '0'

config rule
	option dest_port '25 465 993 4190'
	option src 'lan'
	option name 'LAN SMTPS, IMAPS, Sivie'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'
	option enabled '0'

config rule
	option dest_port '25 465 993 4190'
	option src 'wifi'
	option name 'WIFI SMTPS, IMAPS, Sivie'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'
	option enabled '0'

config rule
	option dest_port '22 7777'
	option src 'lan'
	option name 'LAN SSH'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'
	option enabled '0'

config rule
	option dest_port '22 7777'
	option src 'wifi'
	option name 'WIFI SSH'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'
	option enabled '0'

config rule
	option dest_port '123'
	option name 'LAN NTP'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'udp'
	option src 'lan'
	option enabled '0'

config rule
	option dest_port '123'
	option src 'wifi'
	option name 'WIFI NTP'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'udp'
	option enabled '0'

config rule
	option dest_port '1194'
	option src 'lan'
	option name 'LAN OpenVPN'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'udp'
	option enabled '0'

config rule
	option dest_port '1194'
	option src 'wifi'
	option name 'WIFI OpenVPN'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'udp'
	option enabled '0'

config rule
	option dest_port '51820'
	option src 'lan'
	option name 'LAN Wirequard'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'udp'
	option enabled '0'

config rule
	option dest_port '51820'
	option src 'wifi'
	option name 'WIFI Wireguard'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'udp'
	option enabled '0'

config rule
	option dest_port '5222'
	option src 'lan'
	option name 'LAN XMPP'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'
	option enabled '0'

config rule
	option dest_port '5222'
	option src 'wifi'
	option name 'WIFI XMPP'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'
	option enabled '0'

config rule
	option dest_port '11371'
	option src 'lan'
	option name 'LAN OpenPGP-Schlüsselserver'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'
	option enabled '0'

config rule
	option dest_port '11371'
	option src 'wifi'
	option name 'WIFI OpenPGP-Schlüsselserver'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'
	option enabled '0'

config rule
	option src 'lan'
	option name 'LAN Samba-Share KANN PORT NICHT EINSTELLEN'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'all'
	list dest_ip '192.168.178.1'
	option enabled '0'

config rule
	option src 'wifi'
	option name 'WIFI Samba-Share KANN PORT NICHT EINSTELLEN'
	option dest 'wan'
	list dest_ip '192.168.178.1'
	option target 'ACCEPT'
	list proto 'all'
	option enabled '0'

config rule
	option name 'LAN allow ping versuch 11.4.2020'
	option limit '1000/second'
	option family 'ipv4'
	option target 'ACCEPT'
	option dest 'wan'
	option proto 'icmp'
	option src 'lan'
	option enabled '0'

config rule
	option src 'wifi'
	option name 'WIFI allow ping versuch 11.4.2020'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'icmp'
	option family 'ipv4'
	option enabled '0'

config rule
	option src 'lan'
	option name 'LAN Block all'
	option dest 'wan'
	option target 'REJECT'
	list proto 'all'
	option enabled '0'

config rule
	option src 'wifi'
	option name 'WIFI Block all'
	option dest 'wan'
	option target 'REJECT'
	list proto 'all'
	option enabled '0'


Thank you all for your patience and help.

You've removed masquerading from wan. That will break the network unless you have configured a route in 192.168.178.1 so it knows to get back to the 192.168.200.0/24 network via 192.168.178.6. Most home setups do not do it that way, NAT is used instead.

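The three points the replies above make (a wan zone without masquerading, a catch-all REJECT that cancels the lan->wan forwarding, and allow rules ordered after the block-all) can be checked mechanically. The following lint is an added example, not code from the thread or from the OpenWrt project; its SAMPLE is a constructed excerpt modelled on the poster's /etc/config/firewall, and the assumption that an unspecified proto means tcp+udp follows the fw3 default.

```python
"""Added lint for an OpenWrt /etc/config/firewall (example code, not from
the thread or the OpenWrt project): parses the UCI text format and reports
the problems the replies in the thread identify."""
import re

# Constructed excerpt modelled on the thread's firewall config, not the full file.
SAMPLE = """
config zone
	option name 'wan'
	option input 'REJECT'
	option forward 'REJECT'
	option network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option src 'lan'
	option name 'LAN Block all'
	option dest 'wan'
	option target 'REJECT'
	list proto 'all'

config rule
	option src 'lan'
	option name 'LAN HTTP, HTTPS'
	option dest 'wan'
	option dest_port '80 443'
	option target 'ACCEPT'
	option proto 'tcp'
"""

# config <type> ['name'] / option <key> 'value' / list <key> 'value'
UCI_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")


def parse_uci(text):
    """Return sections as {'type': ..., 'opt': {...}}; 'list' keys collect into lists."""
    sections = []
    for raw in text.splitlines():
        m = UCI_LINE.match(raw)
        if not m:
            continue  # blank or unrecognised line
        kind, key, val = m.groups()
        if kind == "config":
            sections.append({"type": key, "opt": {}})
        elif kind == "option":
            sections[-1]["opt"][key] = val
        else:
            sections[-1]["opt"].setdefault(key, []).append(val)
    return sections


def lint(sections):
    """Report the problems the thread turns on, in config order."""
    findings = []
    fwds = {(s["opt"].get("src"), s["opt"].get("dest"))
            for s in sections if s["type"] == "forwarding"}
    # 1. wan zone without masq: the upstream router has no route back to the LAN subnet
    for s in sections:
        if s["type"] == "zone" and s["opt"].get("name") == "wan" and s["opt"].get("masq") != "1":
            findings.append("zone 'wan' lacks option masq '1' (or the upstream router needs a return route)")
    blocked = set()  # (src, dest) pairs already covered by a catch-all REJECT/DROP
    for s in sections:
        r = s["opt"]
        if s["type"] != "rule" or r.get("enabled", "1") == "0":
            continue  # disabled rules are not compiled into the ruleset
        pair, name = (r.get("src"), r.get("dest")), r.get("name")
        proto = r.get("proto", "tcpudp")  # assumption: fw3 default when proto is unset
        proto = proto if isinstance(proto, list) else [proto]
        catch_all = "all" in proto and not (r.get("dest_port") or r.get("dest_ip"))
        # 2. rules are evaluated before the forwarding, so a catch-all REJECT wins over it
        if r.get("target") in ("REJECT", "DROP") and catch_all:
            if pair in fwds:
                findings.append(f"rule '{name}' rejects all {pair[0]}->{pair[1]} traffic despite the forwarding")
            blocked.add(pair)
        # 3. allow rules must come before the block-all, otherwise they never match
        elif r.get("target") == "ACCEPT" and pair in blocked:
            findings.append(f"rule '{name}' comes after a block-all for {pair[0]}->{pair[1]} and never matches")
    return findings
```

Running lint(parse_uci(SAMPLE)) yields three findings, one per problem; feed it the real file contents instead of SAMPLE to check a live config.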

Thanks.

But that route is set on my Internet router, or at least it should be (see screenshot, the two routes to 192.168.178.6).

Why do you have 2 routes there per network? There should only be 1 each - from your configuration, it should be gateway 192.168.178.6.


As psherman mentioned, the 2 routes were the problem in the end. When I changed the configuration, it worked.

Thanks very much, guys, for the great help and all your hints.
