No internet on lan ports side when wifi is on wan side and acts as gw

nass · April 3, 2022, 8:32pm

Hi all,
I have an old and failthful linksys wrt54gl . I currently need to share internet in my home network over my mobile phone's hotspot.
The plan is use the wrt54gl wifi in client mode; connect (as dhcp client) to my mobile phone and then share the internet from wrt54gl lan ports (the WAN is not used in this setup).
I have no luci installed - just telnet , uci and config files . In my configuration - which I attach below I can ping from within wrt54gl anything on the internet side. Any attached computer will also receive an ip from the lan-side dhcp server running on wrt54gl. But from the laptop I cannot ping or access anything on the internet. And I can no longer wrap my head around what I have done wrong. Is it the intranet/extranet names I've used in terms of lan/(w)wan? Is it the masquerading (I believe it is necessary in my setup because no one on the mobile phone's side knows the subnet behind wrt54gl) ? Is it something else?

Thank you in advance for your help!

# cat firewall
config forwarding
        option src "lan"
        option dest "wwan"
config forwarding
        option src "wwan"
        option dest "lan"
config forwarding
        option src "lan"
        option dest "lan"
config zone
        option name "wwan"
        option network "extranet"
        option input "ACCEPT"
        option output "ACCEPT"
        option forward "ACCEPT"
        option masq "1"
        option mtu_fix "1"
config zone
        option name "lan"
        option network "intranet"
        option input "ACCEPT"
        option output "ACCEPT"
        option forward "ACCEPT"

# cat network

config 'switch' 'eth0'

config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' '127.0.0.1'
        option 'netmask' '255.0.0.0'

config 'interface' 'intranet'
        option 'ifname' 'eth0.0'
        option 'type' 'bridge'
        option 'proto' 'static'
        option 'netmask' '255.255.255.0'
        option 'ipaddr' '192.168.231.117'

config 'interface' 'extranet'
#       option 'ifname' 'eth0.2'
        option 'proto' 'dhcp'

config 'switch_vlan' 'eth0_0'
        option 'device' 'eth0'
        option 'vlan' '0'
        option 'ports' '0 1 2 3 5'

config 'switch_vlan' 'eth0_2'
        option 'device' 'eth0'
        option 'vlan' '2'
        option 'ports' '4 5'

# cat dhcp

config 'dnsmasq'
        option 'domainneeded' '1'
        option 'boguspriv' '1'
        option 'localise_queries' '1'
        option 'nonegcache' '0'
        option 'authoritative' '1'
        option 'readethers' '1'
        option 'leasefile' '/tmp/dhcp.leases'
        option 'resolvfile' '/tmp/resolv.conf.auto'
        option 'local' '/lan/'
        option 'expandhosts' '1'
        option 'localservice' '1'
        option 'nowildcard' '1'
        option 'domain' 'intranet'

config 'dhcp'
        option 'interface' 'intranet'
        option 'limit' '32'
        option 'leasetime' '60m'
        option 'ra' 'server'
        option 'ra_management' '1'
        list 'dhcp_option' '3,192.168.231.117'
        list 'dhcp_option' '6,192.168.231.117'
        option 'start' '160'

config 'dhcp'
        option 'interface' 'extranet'
        option 'ignore' '1'
        option 'ra' 'disabled'

# cat wireless

config 'wifi-device' 'wl0'
        option 'type' 'broadcom'

config 'wifi-iface'
        option 'device' 'wl0'
        option 'hidden' '0'
        option 'encryption' 'none'
        option 'disabled' '0'
        option 'ssid' 'my mobile hotspot'
        option 'network' 'extranet'
        option 'mode' 'sta'
        option 'bssid' 'EE:D0:9F:FF:1D:9A'

# ifconfig
br-lan    Link encap:Ethernet  HWaddr 00:21:29:A1:E7:CD
          inet addr:192.168.231.117  Bcast:192.168.231.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:523 errors:0 dropped:0 overruns:0 frame:0
          TX packets:97 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:44285 (43.2 KiB)  TX bytes:14093 (13.7 KiB)

eth0      Link encap:Ethernet  HWaddr 00:21:29:A1:E7:CD
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:526 errors:0 dropped:0 overruns:0 frame:0
          TX packets:102 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:56011 (54.6 KiB)  TX bytes:20526 (20.0 KiB)
          Interrupt:4

eth0.0    Link encap:Ethernet  HWaddr 00:21:29:A1:E7:CD
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:523 errors:0 dropped:0 overruns:0 frame:0
          TX packets:97 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:46377 (45.2 KiB)  TX bytes:14481 (14.1 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:516 (516.0 B)  TX bytes:516 (516.0 B)

wl0       Link encap:Ethernet  HWaddr 00:21:29:A1:E7:CF
          inet addr:192.168.43.149  Bcast:192.168.43.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:254 errors:0 dropped:0 overruns:0 frame:4602
          TX packets:393 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:19119 (18.6 KiB)  TX bytes:44943 (43.8 KiB)
          Interrupt:2 Base address:0x5000

with the above setup I can "nslookup" and get a response on my laptop from the internet side, but ping will fail. So I added "tcpdump" to see what was going on at the packet level.


# tcpdump -vvni wl0 icmp
tcpdump: listening on wl0, link-type EN10MB (Ethernet), capture size 65535 bytes
00:05:01.278414 IP (tos 0x0, ttl 127, id 63104, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.231.182 > 142.250.187.142: ICMP echo request, id 1, seq 243, length 40
00:05:06.237187 IP (tos 0x0, ttl 127, id 63105, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.231.182 > 142.250.187.142: ICMP echo request, id 1, seq 244, length 40
00:05:11.236072 IP (tos 0x0, ttl 127, id 63106, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.231.182 > 142.250.187.142: ICMP echo request, id 1, seq 245, length 40

looks like the icmp packets leave my lan and properly get forwarded to the mobile hotspot - but there is no response - not sure why that is. I also do not see the masquerading done in these packets even though the option is enabled (maybe it is done after the packet sniffing stage?) . If you have any idea where my setup is misconfigured, please let me know.

trendy · April 3, 2022, 8:56pm

Masquerade is not working, try a service firewall restart and post here the output as well as iptables-save -c -t nat

nass · April 3, 2022, 9:01pm

oh this is interesting now, I have no "service" executable, nor "iptables-save" or "iptables" for that matter.
I am running

Backfire (10.03.1, r29592)

Is there some packet that I am missing from the openwrt ?

# opkg list-installed
base-files - 43.32-r29592
busybox - 1.15.3-3.4
dnsmasq - 2.55-6.1
kernel - 2.4.37.9-1
kmod-brcm-wl - 2.4.37.9+4.150.10.5.3-9
kmod-diag - 2.4.37.9-7.1
kmod-switch - 2.4.37.9-4
kmod-wlcompat - 2.4.37.9+4.150.10.5.3-9
libc - 0.9.30.1-43.32
libgcc - 3.4.6-43.32
libncurses - 5.7-2
libopenssl - 0.9.8r-1
libpcap - 1.0.0-2
libpcre - 8.11-2
libpthread - 0.9.30.1-43.32
librt - 0.9.30.1-43.32
libuci - 12012009.7-4
lighttpd - 1.4.28-2
lighttpd-mod-fastcgi - 1.4.28-2
mtd - 13
nano - 2.2.6-1
netcat - 0.7.1-2
nvram - 7
opkg - 576-2
perl - 5.10.0-5
tcpdump - 4.1.1-2
uci - 12012009.7-4
wget - 1.13.4-1
wireless-tools - 29-4
wlc - 4.150.10.5.3-9
zlib - 1.2.3-5

EDIT:
i managed to install iptables (still no service executable):
opkg upgrade iptables
but now iptables-save -c -t nat returns :

# iptables-save -c -t nat
iptables-save v1.4.6: Cannot initialize: Table does not exist (do you need to insmod?)

not sure which module to insert though

EDIT2:
I installed iptables-mod-nat and so the iptables-save command now shows:

# iptables-save -c -t nat
# Generated by iptables-save v1.4.6 on Sat Jan  1 00:10:09 2000
*nat
:PREROUTING ACCEPT [345:59235]
:POSTROUTING ACCEPT [229:30125]
:OUTPUT ACCEPT [56:4013]
COMMIT
# Completed on Sat Jan  1 00:10:09 2000

also it may be of interest to state that I have no /etc/init.d/firewall file.

trendy · April 3, 2022, 9:34pm

Sorry but this is ancient version and cannot help you. Key components seem to be missing, like the iptables. You can try to do a /etc/init.d/firewall restart instead of the service but I doubt it will run without iptables properly setup.

nass · April 3, 2022, 9:52pm

makes sense. how would I install the /etc/init.d/firewall script ?

could you paste its contents here?

nass · April 3, 2022, 10:34pm

ok so I found some iptables firewall script and applied it manually. It was key that you mentioned that masquerading wasn't working. Thanks @trendy .
This is by no means a secure firewall. It allows everything through, but the masquerading works

#!/bin/sh

/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -P FORWARD ACCEPT
/usr/sbin/iptables -P OUTPUT ACCEPT

/usr/sbin/iptables -t nat -P PREROUTING ACCEPT
/usr/sbin/iptables -t nat -P POSTROUTING ACCEPT
/usr/sbin/iptables -t nat -P OUTPUT ACCEPT
/usr/sbin/iptables -t mangle -P PREROUTING ACCEPT
/usr/sbin/iptables -t mangle -P OUTPUT ACCEPT

/usr/sbin/iptables -F
/usr/sbin/iptables -t nat -F
/usr/sbin/iptables -t mangle -F

/usr/sbin/iptables -X
/usr/sbin/iptables -t nat -X
/usr/sbin/iptables -t mangle -X

#/usr/sbin/iptables -P INPUT DROP
#/usr/sbin/iptables -P OUTPUT DROP
#/usr/sbin/iptables -P FORWARD DROP

/usr/sbin/iptables -A INPUT -i lo -j ACCEPT

/usr/sbin/iptables -A INPUT --fragment -p ICMP -j DROP
/usr/sbin/iptables -A INPUT -p ICMP -s 0/0 --icmp-type 8 -j DROP
/usr/sbin/iptables -A INPUT -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

/usr/sbin/iptables -A INPUT -p ALL -d 244.0.0.1 -j DROP

/usr/sbin/iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP
/usr/sbin/iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -p ALL -o lo -j ACCEPT
#/usr/sbin/iptables -A OUTPUT -p ALL -s <lan server ip> -j ACCEPT
/usr/sbin/iptables -A OUTPUT -p ALL -o br0 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -p ALL -o vlan1 -j ACCEPT

/usr/sbin/iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
/usr/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
/usr/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
/usr/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
/usr/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
/usr/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL SYN,RST,SYN,RST -j DROP
/usr/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL SYN,FIN,SYN,FIN -j DROP

/usr/sbin/iptables -I FORWARD -i vlan1 -s 10.0.0.0/8 -j DROP
/usr/sbin/iptables -I FORWARD -i vlan1 -s 172.16.0.0/12 -j DROP
#/usr/sbin/iptables -I FORWARD -i vlan1 -s 192.168.0.0/16 -j DROP
/usr/sbin/iptables -I FORWARD -i vlan1 -s 127.0.0.0/8 -j DROP

/usr/sbin/iptables -A FORWARD -p tcp -i br0 -j ACCEPT
/usr/sbin/iptables -A FORWARD -i vlan1 -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/iptables -A FORWARD -i vlan2 -m state --state ESTABLISHED,RELATED -j ACCEPT

/usr/sbin/iptables -A INPUT -p udp -s 0/0 --dport 137 -j DROP
/usr/sbin/iptables -A INPUT -p udp -s 0/0 --dport 138 -j DROP

/usr/sbin/iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp -s 0/0 --dport 23 -j ACCEPT

/usr/sbin/iptables -I INPUT -i vlan1 -s 10.0.0.0/8 -j DROP
/usr/sbin/iptables -I INPUT -i vlan1 -s 172.16.0.0/12 -j DROP
/usr/sbin/iptables -I INPUT -i vlan1 -s 192.168.0.0/16 -j DROP
/usr/sbin/iptables -I INPUT -i vlan1 -s 127.0.0.0/8 -j DROP

#/usr/sbin/iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 80 -j DNAT --to <web server ip>:80
#/usr/sbin/iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -d <internet ip> -j DNAT --to <web server ip>:80
#/usr/sbin/iptables -t nat -A POSTROUTING -s <web server ip> -p tcp --dport 80 -o vlan1 -j SNAT --to <internet ip>:80
#/usr/sbin/iptables -t nat -A POSTROUTING -s <web server ip> -p tcp --dport 80 -o br0 -j SNAT --to <internet ip>:80
#/usr/sbin/iptables -A FORWARD -i vlan1 -p tcp --dport 80 -d <web server ip> -j ACCEPT

/usr/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
/usr/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE

lleachii · April 5, 2022, 12:21pm

Why don't you upgrade to a newer version - with an image without LuCI?

tmomas · April 5, 2022, 12:29pm

16MB Ram and 4MB flash are not really encouraging to update to a newer OpenWrt release.

lleachii · April 5, 2022, 12:34pm

I agree: