No internet when using DHCP client for WAN port (BT Home Hub 5a > Virgin Hub 3.0 Modem mode)

I am using a BT Home Hub 5A with OpenWrt 21.02.0 r16279-5cc0535800.

I have set up my Virgin Hub 3.0 in modem mode. I connected port 1 of the hub to the WAN port of the BT Home Hub 5A.

I read the steps in the PDF installation manual, section 9.3 regarding usage of the red WAN port via eth0.2 for the BT Home Hub 5a, "Quick DHCP client setup for WAN port", and I selected eth0.2 as the device for the WAN interface.

The Virgin Hub 3.0 seems to be sending me back a public IP, but I can't connect to any websites.

What might be causing this problem? Is there anything I need to change in LAN, to make sure requests to external IPs are sent to WAN correctly?

Thanks

SSH in to the router and run the following...

cat /etc/config/network

cat /etc/config/dhcp

cat /etc/config/firewall

Post the results using preformatted text...


Hi, I posted the results below.

Thanks

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf2:1411:4b96::/48'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'a'
	option tone 'av'
	option ds_snr_offset '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config device
	option name 'eth0.1'
	option macaddr '8c:10:d4:09:85:78'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'dsl0'
	option macaddr '8c:10:d4:09:85:79'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth0.2'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0 1 2 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '5 6t'

config interface 'SMART_24'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option device 'wlan1'
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'SMART_ETH'
	option interface 'SMART_ETH'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config dhcp 'SMART_24'
	option interface 'SMART_24'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config dhcp 'LAN_wifi'
	option interface 'LAN_wifi'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config dhcp 'SMART_5'
	option interface 'SMART_5'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config host
	option name 'C100_70CAA4'
	option ip '192.168.3.127'
	option mac 'C0:06:C3:70:CA:A4'

config host
	option name 'IPCAM'
	option ip '192.168.3.183'
	option mac 'E0:09:BF:76:18:58'
root@OpenWrt:~# cat /etc/config/firewall

# Global firewall defaults, as posted.
# NOTE(review): input and forward are both ACCEPT here. A stock OpenWrt
# firewall config ships 'forward' as REJECT; confirm this change is
# intentional, because traffic that no zone rule or forwarding section
# handles ends up governed by these defaults.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# WAN zone: rejects unsolicited input and forwarding, allows router output.
# NOTE(review): as posted, this section has no 'option masq' line, so LAN
# source addresses are not rewritten to the WAN address (no NAT) on egress.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option mtu_fix '1'
	list network 'wan'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

# Zone for the SMART_24 network (the only network listed in this zone).
# NOTE(review): input is ACCEPT, so access from this zone to the router
# itself is limited only by the separate 'smart no router' DROP rule in
# this file, not by the zone policy.
config zone
	option name 'SMART'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'SMART_24'

config rule
	option name 'lan to smart port 8000'
	option src 'lan'
	option dest 'SMART'
	option dest_port '8000'
	option target 'ACCEPT'

config rule
	option name 'smart no wan'
	option src 'SMART'
	option dest 'wan'
	option target 'DROP'

config rule
	option name 'smart router dhcp'
	option src 'SMART'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'smart no router'
	option src 'SMART'
	option target 'DROP'

config rule
	option name 'smart no outgoing'
	option src 'SMART'
	option dest '*'
	option target 'DROP'

config rule
	option name 'lan to smart port 80'
	option src 'lan'
	option dest 'SMART'
	option dest_port '80'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'dhcp incoming smart'
	option dest 'SMART'
	option target 'ACCEPT'
	option dest_port '80'
	option enabled '0'

config rule
	option name 'smart no incoming'
	option dest 'SMART'
	option target 'DROP'
	option src '*'
	option enabled '0'

# Port forward: WAN port 80 -> 192.168.1.224 port 80 in the lan zone.
# NOTE(review): there is no 'src_ip' restriction, so the forward is open to
# any source on the WAN side, and port 80 is normally unencrypted HTTP.
# Confirm this exposure is still required.
config redirect
	option target 'DNAT'
	option name 'zm'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_ip '192.168.1.224'
	option dest_port '80'

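A quick check reveals that masquerading is not enabled on your wan zone (firewall). Masquerading is the NAT step that rewrites the private source address of LAN traffic to the router's WAN address; without it, packets leave with their 192.168.1.x source address and the replies never find their way back. This would cause the problem you are seeing. I didn't check everything, but this should be fixed and tested first.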

EDIT: I am seeing other issues that I'd recommend fixing, but they aren't related to your main issue.... I'll make those recommendations in another comment.


Success! Thank you.

I disabled masquerading earlier today as I saw somewhere that it might fix the problem, but perhaps they meant the opposite (I am not sure what it does in all honesty)

I have re-enabled it, and it seems to have solved the problem, even though oddly I did have it enabled earlier and had the same issue - perhaps something I changed after, or a reboot, fixed it, but I wouldn't have noticed as I had this setting disabled.

In your dhcp config, you have several dhcp scopes that don't have associated networks... SMART_ETH is one of them.

The others are SMART_5 and LAN_wifi.

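In your firewall, it appears that you are trying to limit what the SMART network zone can do, especially with respect to accessing the router itself. As such, set the zone's input to reject or drop (currently it is set to accept). Then you can remove the firewall rule "smart no router". Keep the "smart router dhcp" rule, so that devices on that network can still obtain a DHCP lease from the router once input is no longer accepted by default.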

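You don't need the following rules, provided the global default in `config defaults` is `option forward 'REJECT'`. The posted config has `option forward 'ACCEPT'` there, which can let forwarded traffic that matches no rule or forwarding section fall through to an accepting default, so set it back to REJECT before removing them: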

  • smart no wan (you have not enabled forwarding from smart > wan, so it is not allowed anyway, this rule is not necessary)
  • smart no outgoing (this is actually broader than the above rule, but again, you have not allowed forwarding from smart to any other zones, so again, this is already not allowed)
  • smart no incoming (similarly, you have not enabled forwarding from any zones to smart, so this is not necessary because it is not enabled in the first place)
  • dhcp incoming smart (this one is actually wrong -- port 80 is for http, but it is not enabled so it is not relevant)

Finally, on the redirect "zm" rule -- be careful about exposing port 80 to the internet on any devices... if the host at 192.168.1.224 isn't properly hardened, it will get compromised. A VPN is a preferred method of access and far more secure. This obviously depends on what is being hosted on that web server, why it is being exposed to the wan, and if VPN or other options are possible for the remote clients.

Great. Glad to see you're up and running again.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

Thanks very much.

I'll go through your post in detail tomorrow and fix the issues, as it's late here - I shall sleep better knowing the WAN issue is resolved though. Thanks for being so helpful!
