No internet from clients, but works fine from OpenWrt

I am installing OpenWrt on a Linksys WRT1200AC as a router, i.e. it sits behind my ISP router (192.168.1.x) and I am using it to route traffic to another network (192.168.0.x). There is a static route on my ISP router to send traffic to the OpenWrt device. There are no firewall rules and the firewall is disabled.

I can ping the internet from OpenWrt, but not from clients on the 192.168.0.x network. From the clients on the 192.168.0.x network, I can ping the ISP router (192.168.1.1) and any device on the 192.168.1.x network.

Any idea what I did wrong?

/etc/config/network

root@OpenWrt:/etc/config# cat network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb2:4672:7ab8::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.1'
        option igmp_snooping '1'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.2'
        option gateway '192.168.1.1'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

/etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config include
        option path '/etc/firewall.user'

It seems that your ISP router has a rule to masquerade only traffic coming from network 192.168.1.0/24. When you ping a public IP address from the OpenWrt router, the request comes from 192.168.1.2. When you ping from a client PC, the request comes from network 192.168.0.0/24 and the masquerading rule in the ISP router doesn’t work.

If you have access to the ISP router, you could edit the masquerading rule, changing the source network to 192.168.0.0/23.
Otherwise, you could masquerade the traffic coming from 192.168.0.0/24 behind 192.168.1.2 in your OpenWrt router.

If you need transparent routing between 192.168.0.0/24 and 192.168.1.0/24, you should play with the firewall rules.

3 Likes
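
A sketch of the second option from the answer above (masquerading 192.168.0.0/24 behind 192.168.1.2 on the OpenWrt side), written as an added example that is not part of the original posts. It assumes firewall zones named 'lan' and 'wan' bound to the interfaces of the same names in the posted /etc/config/network, and uses the zone options `masq`, `masq_src` and `masq_dest` so that only internet-bound client traffic is rewritten while traffic between the two local subnets stays routed.

```conf
# /etc/config/firewall (added example; zone names are assumptions)

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'      # kept as in the posted config

config zone
        option name 'lan'
        list network 'lan'           # 192.168.0.1/24 on eth0.1
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'           # 192.168.1.2/24 on eth1.2
        list network 'wan6'
        option input 'ACCEPT'        # matches the poster's open setup; tighten as needed
        option output 'ACCEPT'
        option forward 'ACCEPT'
        # Source NAT for packets leaving through wan, so the ISP router
        # sees them as coming from 192.168.1.2.
        option masq '1'
        # Only rewrite traffic that originates from the client subnet...
        list masq_src '192.168.0.0/24'
        # ...and leave traffic to the ISP-side LAN un-NATed, so hosts on
        # 192.168.1.0/24 still see the real 192.168.0.x client addresses.
        list masq_dest '!192.168.1.0/24'

# Clients behind OpenWrt may reach the ISP LAN and the internet.
config forwarding
        option src 'lan'
        option dest 'wan'

# Lets hosts on 192.168.1.0/24 reach 192.168.0.0/24 through the static
# route on the ISP router; drop this section if that is not wanted.
config forwarding
        option src 'wan'
        option dest 'lan'

config include
        option path '/etc/firewall.user'
```

These rules only take effect while the firewall service is running, which the original post says is currently disabled.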