No Internet from behind the router

Hello,
I am new at this forum. A few weeks ago I flashed a Fritzbox 4040 with the newest OpenWrt-Firmware.
All looks fine but my clients aren't able to reach the internet.
My setting

My network config

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd4c:c988:6198::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option proto 'static'
        option ip6assign '60'
        option ipaddr '192.168.200.1'
        option device 'eth0'
        option netmask '255.255.255.0'
        option gateway '192.168.150.1'
        list dns '192.168.150.1'

config interface 'wan'
        option device 'eth1'
        option proto 'static'
        option ipaddr '192.168.150.5'
        option netmask '255.255.255.0'
        list dns '192.168.150.1'
        option gateway '192.168.150.1'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0'

My firewall config

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'lan'
        option log '1'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option output 'ACCEPT'
        list network 'wan'
        list network 'wan6'
        option log '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'HTTP, HTTPS'
        list proto 'tcp'
        option src 'lan'
        option dest_port '80 443'
        option target 'ACCEPT'
        option dest 'wan'

config rule
        option name 'SMTPS, IMAPS, Sieve'
        list proto 'tcp'
        option src 'lan'
        option dest 'wan'
        option dest_port '25 465 993 4190'
        option target 'ACCEPT'

config rule
        option name 'SSH'
        list proto 'tcp'
        option src 'lan'
        option dest 'wan'
        option dest_port '22 7777'
        option target 'ACCEPT'

config rule
        option name 'NTP'
        list proto 'udp'
        option src 'lan'
        option dest 'wan'
        option dest_port '123'
        option target 'ACCEPT'

config rule
        option name 'OpenVPN'
        list proto 'udp'
        option src 'lan'
        option dest 'wan'
        option dest_port '1194'
        option target 'ACCEPT'

config rule
        option name 'Wireguard'
        list proto 'udp'
        option src 'lan'
        option dest 'wan'
        option dest_port '51820'
        option target 'ACCEPT'

config rule
        option name 'XMPP'
        list proto 'tcp'
        option src 'lan'
        option dest 'wan'
        option dest_port '5222'
        option target 'ACCEPT'

config rule
        option name 'OpenPGP-Schlüsselserver'
        list proto 'tcp'
        option src 'lan'
        option dest 'wan'
        option dest_port '11371'
        option target 'ACCEPT'

config rule
        option name 'Block all'
        option src 'lan'
        option dest 'wan'
        list proto 'all'
        option target 'REJECT'

From the OpenWrt-Router I can get to the internet.
But from the clients behind the OpenWrt-Router I get this:

ping -c 6 139.59.209.225
PING 139.59.209.225 (139.59.209.225) 56(84) bytes of data.
From 192.168.200.1 icmp_seq=1 Destination Port Unreachable

I guess I have to define static routes under "Routing" ... but I don't know how.

Who can give me a hint?

Greetings from Hamburg
Thomas

please post your /etc/config/firewall


It looks like there is no forwarding rule lan->wan.
See section

config forwarding
        option src              lan
        option dest             wan

in /etc/config/firewall, as @maurer has written.


Remove gateway and dns from lan interface.

In the firewall configuration, these two contradict each other.

If you don't want to allow forwarding from lan to wan, you could leave the default

and delete the forwarding from lan to wan. Then allow the flows you want.


Thanks for your comments.

I removed the gateway and dns from lan interface. The result is the same.

Is the reason for not reaching the internet in the traffic rules? Or is the hint from trendy only about a cleaner configuration?

What is necessary? Config forwarding or config static routes?

This is basic lan->wan operation except for the symmetric routing.

You can use entirely default configuration in the 4040 except remove masquerade from the wan zone. Also the 4040 should have a static WAN address or a DHCP reservation in the 7590.

Then as you have done, configure a static route in the 7590 to reach 192.168.200.0/24 via the 4040's 192.168.150.X IP.

A final tweak would be to add wan->lan forwarding to the 4040 so .200 machines can be reached from the .150 side, and open ports 22 and / or 80 so the 4040 can be logged into from the .150 network.

After that is all working then you may want to add some deny rules to prevent certain traffic.

Ok. So far:

  • the static addresses of the 4040 are ok
  • the static route on the 7590 is ok

Is a port forwarding or a static route necessary on the 4040?

No additional routes are needed there since configuring 192.168.150.0 as the WAN installs a route to that network. But the 7590 does not know about the .200 network unless you set a route in it.

It looks like the problem may be that you've added a block rule to the firewall. After removing masquerade, an otherwise completely default firewall will work here for 192.168.200.0 to have access to the Internet.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

There is no masquerading for the wan zone; set masq to 1.

Thanks.
On the 7590 is a static route, so the .200-network is known.

Masquerading is deactivated for LAN and WAN.

Here is the pasted output

{
	"kernel": "5.10.146",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "AVM FRITZ!Box 4040",
	"board_name": "avm,fritzbox-4040",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.2",
		"revision": "r19803-9a599fee93",
		"target": "ipq40xx/generic",
		"description": "OpenWrt 22.03.2 r19803-9a599fee93"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd4c:c988:6198::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option proto 'static'
	option ip6assign '60'
	option ipaddr '192.168.200.1'
	option device 'eth0'
	option netmask '255.255.255.0'

config interface 'wan'
	option device 'eth1'
	option proto 'static'
	option ipaddr '192.168.150.5'
	option netmask '255.255.255.0'
	list dns '192.168.150.1'
	option gateway '192.168.150.1'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option start '200'
	option limit '55'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'XXXXX'
	option dns '1'
	option mac '00:E0:4C:C8:BD:D3'
	option ip '192.168.200.50'

config host
	option name 'XXXXX'
	option dns '1'
	option mac '18:03:73:89:1e:22'
	option ip '192.168.200.51'

config host
	option name 'XXXXX'
	option dns '1'
	option mac '18:03:73:a3:fc:c1'
	option ip '192.168.200.52'

config host
	option name 'XXXXX'
	option dns '1'
	option mac 'A0:CE:C8:CA:96:8E'
	option ip '192.168.200.53'

config host
	option name 'XXXXX'
	option dns '1'
	option mac 'A0:CE:C8:CA:95:61'
	option ip '192.168.200.54'

config host
	option name 'XXXXX'
	option dns '1'
	option mac '34:E6:D7:3C:72:9D'
	option ip '192.168.200.55'

config host
	option name 'XXXXX'
	option dns '1'
	option mac 'A0:36:BC:2D:1B:56'
	option ip '192.168.200.56'

config host
	option name 'XXXXX'
	option dns '1'
	option mac '84:1B:77:69:77:F6'
	option ip '192.168.200.60'

config host
	option name 'XXXXX'
	option dns '1'
	option mac 'ac:72:89:a0:fe:ce'
	option ip '192.168.200.61'

config host
	option name 'XXXXX'
	option dns '1'
	option mac '5C:E4:2A:48:B1:CE'
	option ip '192.168.200.62'

config host
	option name 'XXXXX'
	option dns '1'
	option mac 'A4:C3:F0:9B:44:F7'
	option ip '192.168.200.63'

config host
	option name 'XXXXX'
	option dns '1'
	option mac 'A4:C3:F0:9B:13:8D'
	option ip '192.168.200.64'

config host
	option name 'XXXXX'
	option dns '1'
	option mac '60:57:18:71:47:D8'
	option ip '192.168.200.65'

config host
	option name 'XXXXX'
	option dns '1'
	option mac 'F8:1A:2B:3E:53:CE'
	option ip '192.168.200.70'

config host
	option name 'XXXXX'
	option dns '1'
	option mac '3c:dc:bc:7b:26:8b'
	option ip '192.168.200.71'

config host
	option name 'XXXXX'
	option dns '1'
	option mac '44:78:3e:5c:f0:10'
	option ip '192.168.200.72'

config host
	option name 'XXXXX'
	option dns '1'
	option mac 'D4:11:A3:9B:90:C1'
	option ip '192.168.200.73'

config host
	option name 'XXXXX'
	option dns '1'
	option mac 'B0:6F:E0:73:9E:42'
	option ip '192.168.200.74'

config host
	option name 'XXXXX'
	option dns '1'
	option mac '6C:DD:BC:87:57:7B'
	option ip '192.168.200.75'

config host
	option name 'XXXXX'
	option dns '1'
	option mac '40:40:a7:b6:62:09'
	option ip '192.168.200.80'

config host
	option name 'XXXXX'
	option dns '1'
	option mac '90:21:81:30:48:34'
	option ip '192.168.200.82'

config host
	option name 'XXXXX'
	option dns '1'
	option mac 'E8:6D:CB:09:02:52'
	option ip '192.168.200.83'

config host
	option name 'XXXXX'
	option dns '1'
	option mac 'c0:3f:d5:66:67:ca'
	option ip '192.168.200.100'

config host
	option name 'XXXXX'
	option dns '1'
	option mac '00:09:34:40:43:31'
	option ip '192.168.200.120'

config host
	option name 'XXXXX'
	option dns '1'
	option mac '00:09:34:40:7B:79'
	option ip '192.168.200.121'

config host
	option name 'XXXXX'
	option dns '1'
	option mac '00:22:61:d2:fd:1c'
	option ip '192.168.200.132'

config host
	option name 'XXXXX'
	option dns '1'
	option mac 'f8:46:1c:bf:fa:02'
	option ip '192.168.200.140'

config host
	option name 'XXXXX'
	option dns '1'
	option mac '5c:84:3c:47:c0:7b'
	option ip '192.168.200.141'

config host
	option name 'XXXXX'
	option dns '1'
	option mac '54:84:7b:00:1a:8e'
	option ip '192.168.200.31'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'lan'
	option log '1'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option output 'ACCEPT'
	list network 'wan'
	list network 'wan6'
	option log '1'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'HTTP, HTTPS'
	list proto 'tcp'
	option src 'lan'
	option dest_port '80 443'
	option target 'ACCEPT'
	option dest 'wan'

config rule
	option name 'SMTPS, IMAPS, Sieve'
	list proto 'tcp'
	option src 'lan'
	option dest 'wan'
	option dest_port '25 465 993 4190'
	option target 'ACCEPT'

config rule
	option name 'SSH'
	list proto 'tcp'
	option src 'lan'
	option dest 'wan'
	option dest_port '22 7777'
	option target 'ACCEPT'

config rule
	option name 'NTP'
	list proto 'udp'
	option src 'lan'
	option dest 'wan'
	option dest_port '123'
	option target 'ACCEPT'

config rule
	option name 'OpenVPN'
	list proto 'udp'
	option src 'lan'
	option dest 'wan'
	option dest_port '1194'
	option target 'ACCEPT'

config rule
	option name 'Wireguard'
	list proto 'udp'
	option src 'lan'
	option dest 'wan'
	option dest_port '51820'
	option target 'ACCEPT'

config rule
	option name 'XMPP'
	list proto 'tcp'
	option src 'lan'
	option dest 'wan'
	option dest_port '5222'
	option target 'ACCEPT'

config rule
	option name 'OpenPGP-Schlüsselserver'
	list proto 'tcp'
	option src 'lan'
	option dest 'wan'
	option dest_port '11371'
	option target 'ACCEPT'

config rule
	option name 'Block all'
	option src 'lan'
	option dest 'wan'
	list proto 'all'
	option target 'REJECT'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    inet 192.168.200.1/24 brd 192.168.200.255 scope global eth0
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    inet 192.168.150.5/24 brd 192.168.150.255 scope global eth1
       valid_lft forever preferred_lft forever
default via 192.168.150.1 dev eth1 
192.168.200.0/24 dev eth0 scope link  src 192.168.200.1 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.150.0 dev eth1 table local scope link  src 192.168.150.5 
local 192.168.150.5 dev eth1 table local scope host  src 192.168.150.5 
broadcast 192.168.150.255 dev eth1 table local scope link  src 192.168.150.5 
broadcast 192.168.200.0 dev eth0 table local scope link  src 192.168.200.1 
local 192.168.200.1 dev eth0 table local scope host  src 192.168.200.1 
broadcast 192.168.200.255 dev eth0 table local scope link  src 192.168.200.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default

Greetings
Thomas

The 'Block all' rule (src lan, dest wan, target REJECT) will prevent any devices on the lan from connecting upstream (via the OpenWrt wan). The rule should probably be removed unless this is actually the goal.

There are a bunch of additional rules that are probably unnecessary if this rule is indeed removed.


Thanks, that's right.
I will check it tomorrow.
The last traffic rule is the last bastion.
The packets are blocked and logged.
That's the problem with reaching the internet.

The problem is that you are testing with ping, which uses ICMP, but you have not allowed ICMP in the rules from lan to wan. Eventually the 'Block all' rule will block the ping; because its target is REJECT, the router answers with an ICMP unreachable from its own address, 192.168.200.1, which is exactly the "Destination Port Unreachable" message that you see. The rest should be working, like browsing.

Is there a special reason why your lan IP and gateway are not in the same subnet?

In this case, it's actually not a problem... the gateway specified in the lan interface is actually the gateway on the wan interface. When left unspecified, the lan will actually use the default route, which will be (in the absence of other gateways or VPNs) the one on the wan.

However, I would suggest that the OP removes the gateway from the lan interface definition because it is not necessary and may actually cause issues down the line.

OP already removed that.
