d0nkey
October 15, 2024, 11:41am
1
I may be missing a checkbox somewhere; the router itself has internet (pings fine) but there is no internet over LAN.
network:
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd00:57a5:4d64::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.1.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option type '8021q'
	option ifname 'wan'
	option vid '2'
	option name 'wan.2'

config interface 'wan'
	option proto 'pppoe'
	option device 'wan.2'
	option username 'xyz'
	option password 'xyz'
	option ipv6 'auto'

route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.20.25.235    0.0.0.0         UG    0      0        0 pppoe-wan
10.1.1.0        *               255.255.255.0   U     0      0        0 br-lan
10.20.25.235    *               255.255.255.255 UH    0      0        0 pppoe-wan

firewall is turned off
brada4
October 15, 2024, 11:47am
2
d0nkey:
firewall is turned off
That is the reason no NAT is working?
1 Like
d0nkey
October 15, 2024, 12:39pm
3
OK, restarted the router, which starts the firewall I assume; here are its settings:
config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

d0nkey
October 15, 2024, 12:51pm
4
Actually, I may have found the problem: I deleted the original wan interface and created a new one, which seems to have affected the firewall zones and, as a result, NAT. I went to zones and re-selected wan in the wan zone, and traffic started to flow.
Thanks for pointing me in this direction.
1 Like
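
The condition described in the post above (a firewall zone that no longer lists the recreated wan interface) can be checked by cross-referencing the two UCI files. This is an added example, not part of the original thread; the `audit_zones` function name, its output labels and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. On a router the two arguments would be
# /etc/config/network and /etc/config/firewall.
audit_zones() {  # $1 = network config, $2 = firewall config
    awk -v q="'" '
    function unq(s) { gsub("[\"" q "]", "", s); return s }
    # First file: remember every logical interface as "not yet zoned".
    FNR == NR { if ($1 == "config" && $2 == "interface") zoned[unq($3)] = 0; next }
    $1 == "config" { z = ($2 == "zone") ? ++n : 0; next }
    z && $2 == "name" { name[z] = unq($3) }
    z && $2 == "masq" { masq[z] = unq($3) }
    z && $2 == "network" {               # handles "list" and "option" forms
        for (i = 3; i <= NF; i++) {
            net = unq($i); nets[z]++
            if (net in zoned) zoned[net] = 1
            else { dz[++d] = z; dn[d] = net }
        }
    }
    END {
        for (k = 1; k <= d; k++) print "DANGLING " name[dz[k]] " -> " dn[k]
        for (i in zoned) if (i != "loopback" && !zoned[i]) print "UNZONED " i
        for (k = 1; k <= n; k++) if (!nets[k]) {
            note = (masq[k] == "1") ? " (masq matches nothing)" : ""
            print "EMPTY " name[k] note
        }
    }' "$1" "$2" | sort
}

# Constructed sample: the thread's layout with the wan zone left without a
# network entry after the wan interface was deleted and recreated.
d=$(mktemp -d)
cat > "$d/network" <<'EOF'
config interface 'loopback'
config interface 'lan'
config interface 'wan'
	option proto 'pppoe'
EOF
cat > "$d/firewall" <<'EOF'
config zone
	option name 'lan'
	list network 'lan'
config zone
	option name 'wan'
	option masq '1'
config forwarding
	option src 'lan'
	option dest 'wan'
EOF
audit_zones "$d/network" "$d/firewall"
```

An empty result means every interface other than loopback is covered by a zone and every zone entry points at an existing interface.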
brada4
October 15, 2024, 1:03pm
5
I would suggest resetting the device to defaults, just because of the fact of ever disabling the firewall.
1 Like
brada4
October 15, 2024, 4:53pm
6
Or if you want to restore wan - go to firewall zone WAN and add wwwan network.