Hi there
I am trying to set up my Fritzbox4040 (FB4040) as a Firewall. I have installed OpenWRT and three Interfaces on the FB4040: WAN, LAN and WIFI.
My problem: My laptop (Linux OS) can't connect to websites and it cannot ping the Internet router (same problem with another laptop running Windows 10).
The FB4040 itself is connected to the Internet: in LuCI → Network → Diagnostics, the FB4040 itself can ping, traceroute and nslookup "openwrt.org" without a problem.
WAN is connected to my Internet router, LAN is connected to my laptop via cable.
I can't seem to find where the problem is. Does it lie somewhere in the LAN to WAN forwarding settings?
My firewall and network configuration settings are below.
Any help would be appreciated.
WIFI: With the laptop I can connect to the wireless of the FB4040, but not to the Internet (same problem as on LAN): I can ping the WAN, LAN and WIFI interfaces, but not the Internet router or IP addresses on the Internet.
In Firewall – Traffic Rules, I have put the rules "LAN Block all" and "WIFI Block all", so it should block all traffic that is not allowed by the rules in the Traffic Rules list.
If I deactivate these Block all rules and ping my Internet router or a website, there is no ping response; all packets are lost. If I activate these Block all rules, the response (from my LAN interface) is "destination port unreachable". If I deactivate these Block all rules, I cannot visit websites in the browser.
Ping from laptop to Internet router, output with the firewall Block all rule activated:
$ ping 192.168.178.1
PING 192.168.178.1 (192.168.178.1) 56(84) bytes of data.
From 192.168.200.1 icmp_seq=1 Destination Port Unreachable
From 192.168.200.1 icmp_seq=2 Destination Port Unreachable
From 192.168.200.1 icmp_seq=3 Destination Port Unreachable
From 192.168.200.1 icmp_seq=4 Destination Port Unreachable
^C
--- 192.168.178.1 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 7ms
Ping from laptop to Internet router, output on the laptop with the Block all rule deactivated:
$ ping 192.168.178.1
PING 192.168.178.1 (192.168.178.1) 56(84) bytes of data.
^C
--- 192.168.178.1 ping statistics ---
13 packets transmitted, 0 received, 100% packet loss, time 247ms
My system:
Hostname: OpenWrt
Model: AVM FRITZ!Box 4040
Architecture: ARMv7 Processor rev 5 (v7l)
Firmware Version: OpenWrt 19.07.1 r10911-c155900f66 / LuCI openwrt-19.07 branch git-20.029.45734-adbbd5c
Kernel Version: 4.14.167
Internet-Router IP: 192.168.178.1
FB4040 WAN: 192.168.178.6
FB4040 LAN: 192.168.200.1
FB4040 WIFI: 192.168.150.1
My DNS Server (pihole): 192.168.178.7
My network config:
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'
config globals 'globals'
    option ula_prefix 'fd7f:443d:f98b::/48'
config interface 'lan'
    option ifname 'eth0'
    option proto 'static'
    option ip6assign '60'
    list ipaddr '192.168.200.1/24'
    option netmask '255.255.255.0'
    option gateway '192.168.178.1'
config interface 'wan'
    option ifname 'eth1'
    option proto 'static'
    option netmask '255.255.255.0'
    option gateway '192.168.178.1'
    list ipaddr '192.168.178.6/24'
    list dns '192.168.178.7'
config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'
config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '1 2 3 4 0'
config interface 'WIFI'
    option proto 'static'
    option gateway '192.168.178.1'
    option ip6assign '60'
    list ipaddr '192.168.150.1/24'
    option netmask '255.255.255.0'
My firewall config:
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option log '1'
    option network 'lan'
config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option network 'wan'
    option log '1'
config forwarding
    option src 'lan'
    option dest 'wan'
config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'
config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'
config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'
config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'
config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'
config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'
config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'
config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'
config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'
config include
    option path '/etc/firewall.user'
config zone
    option name 'wifi'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option output 'ACCEPT'
    option network 'WIFI'
config forwarding
    option dest 'wan'
    option src 'wifi'
config rule
    option dest_port '53'
    option src 'lan'
    option name 'LAN DNS'
    option target 'ACCEPT'
    option proto 'tcp udp'
config rule
    option dest_port '53'
    option src 'wifi'
    option name 'WIFI DNS'
    option target 'ACCEPT'
    option proto 'tcp udp'
config rule
    option dest_port '67-68'
    option src 'lan'
    option name 'LAN DHCP'
    option target 'ACCEPT'
    option proto 'udp'
config rule
    option dest_port '67-68'
    option src 'wifi'
    option name 'WIFI DHCP'
    option target 'ACCEPT'
    option proto 'udp'
config rule
    option dest_port '80 443'
    option src 'lan'
    option name 'LAN HTTP, HTTPS'
    option dest 'wan'
    option target 'ACCEPT'
    option proto 'tcp'
config rule
    option dest_port '80 443'
    option src 'wifi'
    option name 'WIFI HTTP, HTTPS'
    option dest 'wan'
    option target 'ACCEPT'
    option proto 'tcp'
config rule
    option dest_port '25 465 993 4190'
    option src 'lan'
    option name 'LAN SMTPS, IMAPS, Sivie'
    option dest 'wan'
    option target 'ACCEPT'
    list proto 'tcp'
config rule
    option dest_port '25 465 993 4190'
    option src 'wifi'
    option name 'WIFI SMTPS, IMAPS, Sivie'
    option dest 'wan'
    option target 'ACCEPT'
    list proto 'tcp'
config rule
    option dest_port '22 7777'
    option src 'lan'
    option name 'LAN SSH'
    option dest 'wan'
    option target 'ACCEPT'
    list proto 'tcp'
config rule
    option dest_port '22 7777'
    option src 'wifi'
    option name 'WIFI SSH'
    option dest 'wan'
    option target 'ACCEPT'
    list proto 'tcp'
config rule
    option dest_port '123'
    option name 'LAN NTP'
    option dest 'wan'
    option target 'ACCEPT'
    list proto 'udp'
    option src 'lan'
config rule
    option dest_port '123'
    option src 'wifi'
    option name 'WIFI NTP'
    option dest 'wan'
    option target 'ACCEPT'
    list proto 'udp'
config rule
    option dest_port '1194'
    option src 'lan'
    option name 'LAN OpenVPN'
    option dest 'wan'
    option target 'ACCEPT'
    list proto 'udp'
config rule
    option dest_port '1194'
    option src 'wifi'
    option name 'WIFI OpenVPN'
    option dest 'wan'
    option target 'ACCEPT'
    list proto 'udp'
config rule
    option dest_port '51820'
    option src 'lan'
    option name 'LAN Wirequard'
    option dest 'wan'
    option target 'ACCEPT'
    list proto 'udp'
config rule
    option dest_port '51820'
    option src 'wifi'
    option name 'WIFI Wireguard'
    option dest 'wan'
    option target 'ACCEPT'
    list proto 'udp'
config rule
    option dest_port '5222'
    option src 'lan'
    option name 'LAN XMPP'
    option dest 'wan'
    option target 'ACCEPT'
    list proto 'tcp'
config rule
    option dest_port '5222'
    option src 'wifi'
    option name 'WIFI XMPP'
    option dest 'wan'
    option target 'ACCEPT'
    list proto 'tcp'
config rule
    option dest_port '11371'
    option src 'lan'
    option name 'LAN OpenPGP-Schlüsselserver'
    option dest 'wan'
    option target 'ACCEPT'
    list proto 'tcp'
config rule
    option dest_port '11371'
    option src 'wifi'
    option name 'WIFI OpenPGP-Schlüsselserver'
    option dest 'wan'
    option target 'ACCEPT'
    list proto 'tcp'
config rule
    option src 'lan'
    option name 'LAN Samba-Share KANN PORT NICHT EINSTELLEN'
    option dest 'wan'
    option target 'ACCEPT'
    list proto 'all'
    list dest_ip '192.168.178.1'
    option enabled '0'
config rule
    option src 'wifi'
    option name 'WIFI Samba-Share KANN PORT NICHT EINSTELLEN'
    option dest 'wan'
    list dest_ip '192.168.178.1'
    option target 'ACCEPT'
    list proto 'all'
    option enabled '0'
config rule
    option name 'LAN allow ping versuch 11.4.2020'
    option limit '1000/second'
    option family 'ipv4'
    option target 'ACCEPT'
    option dest 'wan'
    option proto 'icmp'
    option src 'lan'
config rule
    option src 'wifi'
    option name 'WIFI allow ping versuch 11.4.2020'
    option dest 'wan'
    option target 'ACCEPT'
    list proto 'icmp'
    option family 'ipv4'
config rule
    option src 'lan'
    option name 'LAN Block all'
    option dest 'wan'
    option target 'REJECT'
    list proto 'all'
config rule
    option src 'wifi'
    option name 'WIFI Block all'
    option dest 'wan'
    option target 'REJECT'
    list proto 'all'
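As an added example (not code from the post above or from OpenWrt), a small Python auditor for UCI network and firewall configs that checks three things worth verifying on a setup like this one: an interface whose gateway is not on-link for any of its own addresses (the lan and WIFI interfaces above carry the wan gateway), a wan zone without `option masq '1'` (the wan zone above has none, so private source addresses would leave un-NATed), and traffic rules listed after a catch-all REJECT/DROP rule for the same src/dest pair, which fw3 never reaches because it installs rules in file order. The input is a constructed excerpt of the post's configs plus one invented "LAN late rule" to exercise the third check.

```python
import ipaddress
import re

# Constructed excerpt of the configs in the post; "LAN late rule" is invented.
SAMPLE = """
config interface 'lan'
    list ipaddr '192.168.200.1/24'
    option gateway '192.168.178.1'
config zone
    option name 'wan'
config rule
    option name 'LAN Block all'
    option src 'lan'
    option dest 'wan'
    option target 'REJECT'
config rule
    option name 'LAN late rule'
    option src 'lan'
    option dest 'wan'
    option target 'ACCEPT'
"""

def parse_uci(text):
    sections = []  # (section_type, section_name, {key: [values]})
    for line in text.splitlines():
        w = [t.strip("'") for t in re.findall(r"'[^']*'|\S+", line)]
        if w and w[0] == "config":
            sections.append((w[1], w[2] if len(w) > 2 else None, {}))
        elif w and w[0] in ("option", "list") and sections:
            sections[-1][2].setdefault(w[1], []).append(" ".join(w[2:]))
    return sections

def audit(text):
    findings, catch_all = [], set()  # catch_all: (src, dest) pairs already blocked
    for kind, name, o in parse_uci(text):
        if kind == "interface" and "gateway" in o:
            gw = ipaddress.ip_address(o["gateway"][0])
            nets = [ipaddress.ip_interface(a).network for a in o.get("ipaddr", [])]
            if nets and not any(gw in n for n in nets):  # gateway is not on-link
                findings.append(("gateway-off-link", name))
        elif kind == "zone" and o.get("name") == ["wan"] and o.get("masq") != ["1"]:
            findings.append(("no-masq", "wan"))  # private source addresses leave un-NATed
        elif kind == "rule":  # fw3 installs rules in file order: first match wins
            pair = (o.get("src", ["*"])[0], o.get("dest", ["*"])[0])
            if pair in catch_all:
                findings.append(("shadowed-rule", o["name"][0]))
            elif (o.get("target", [""])[0] in ("REJECT", "DROP")
                  and o.get("proto", ["all"])[0] == "all" and "dest_port" not in o):
                catch_all.add(pair)
    return findings
```

Running `audit(open("/etc/config/firewall").read())` on the router itself works the same way, since the parser only needs the UCI text.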