Hi all,
I'm hoping to use a Raspberry Pi 4 to improve WAN speeds with SQM now that I have gigabit fiber. I can't really take my internet down for long periods, so I'm trying to do the basic configuration by attaching it to my existing network - basically a double-NAT scenario. Also, I'm running OpenWrt virtually - an RPi 4 running 32-bit Buster uses nspawn to host the 32-bit RPi 2 image of OpenWrt 19.07.
The basic topology is: Internet<->ONT<->OpenWRT router 1 (TP-1043nd)<->OpenWRT switch (TP-1043nd again - just used as a switch)<->Raspberry Pi<->back into the OpenWRT switch
I'm using 2 VLANs for this. The TP-1043nd router connects VLAN 11 (eth0.11 on the Pi) to the internet; this is the Pi's WAN. The Pi should route it onto VLAN 16 (eth0.16) and send it back out the same cable to the router, which is also running a static interface on VLAN 16 that is bridged to a wifi station.
In general most things seem to work - I was quite happy to see luci on my laptop's browser - first via a crossover cable and later via wifi on vlan16 once I had the topology described above.
The problem is that my laptop connected to VLAN 16 can't see the IPv4 internet (the IPv6 internet, DHCP, and the local VLAN 16 subnet work, but not the VLAN 11 subnet, except for devices with interfaces in both). On my laptop, ping 8.8.8.8 fails. If I ssh into the Pi's OpenWrt, then everything works: ping 8.8.8.8, ping test-ipv6.com, as well as all the intranet devices I would expect.
I've been struggling with this for quite a few hours - comparing configuration files on the Pi with those of my working router. About the only thing I can still think of is that Raspberry Pi OS uses nftables while OpenWrt uses iptables. I'm not sure whether that can cause problems with firewall or NAT operation when running virtually - but it would still be odd that IPv4 works directly from within OpenWrt.
Thanks for any suggestions!
My network, dhcp, and firewall config files are:
cat network
# /etc/config/network as posted (UCI syntax; '#' lines are review notes).
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd14:37d8:915e::/48'
# 'lan': a bridge holding the VLAN 16 sub-interface, static 192.168.16.1/24;
# ip6assign 60 hands a /60 of the delegated prefix to this interface.
config interface 'lan'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ifname 'eth0.16'
option ipaddr '192.168.16.1'
# NOTE(review): this section is named 'WAN' (uppercase), but the firewall zone
# (list network 'wan') and the dhcp section (config dhcp 'wan') refer to 'wan'.
# UCI section names are case-sensitive, so confirm that the wan zone actually
# resolves eth0.11 (e.g. `ifstatus wan` and `fw3 zone wan`). If it does not,
# masquerading is never applied on eth0.11 and the upstream router sees packets
# from 192.168.16.0/24 it has no route back to - consistent with IPv4 failing
# only for LAN clients while the Pi itself can reach 8.8.8.8. Presumably the
# same applies to 'WAN6' vs 'wan6' below; verify.
config interface 'WAN'
option proto 'dhcp'
option ifname 'eth0.11'
config interface 'WAN6'
option ifname 'eth0.11'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
cat dhcp
# /etc/config/dhcp as posted ('#' lines are review notes).
# dnsmasq: rebind_protection/rebind_localhost keep DNS rebinding answers out,
# localservice limits DNS to local subnets, nonwildcard binds only to the
# interfaces it is told to serve.
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
# 'lan': IPv4 leases 192.168.16.25-.99 (start 25, limit 75), 12h lease time,
# plus stateful DHCPv6 and RA served by odhcpd.
config dhcp 'lan'
option interface 'lan'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
option start '25'
option limit '75'
# NOTE(review): 'ignore 1' is attached to an interface called 'wan', while the
# network config names the upstream interface 'WAN'. Verify the name matches so
# that the Pi does not hand out leases on the VLAN 11 side (eth0.11), where the
# upstream router is the DHCP server.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
cat firewall
# /etc/config/firewall as posted ('#' lines are review notes).
# Defaults: input/output ACCEPT with forward REJECT is the stock OpenWrt
# setting; the zones below override input for the wan side.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# NOTE(review): masq and mtu_fix only take effect on devices this zone resolves
# from the listed network names. The network config defines 'WAN'/'WAN6'
# (uppercase), and UCI names are case-sensitive, so check that 'wan'/'wan6'
# here really map to eth0.11 (`fw3 zone wan` should list it). An empty zone
# would leave LAN IPv4 traffic un-NATed on eth0.11.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# lan -> wan forwarding: the normal outbound path for LAN clients.
config forwarding
option src 'lan'
option dest 'wan'
# The rules below match the stock 19.07 defaults: DHCP renewals, ping, IGMP,
# DHCPv6/MLD/ICMPv6 on the wan side, and ESP/ISAKMP into lan.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# /etc/firewall.user is not shown here; anything in it also shapes the result.
config include
option path '/etc/firewall.user'
# NOTE(review): this wan -> lan forwarding accepts any new connection started
# on the wan side into the lan zone, which makes the wan zone's forward REJECT
# and the targeted rules above moot for lan hosts. In this double-NAT layout
# the wan side is only the upstream router's LAN, so the exposure is that
# subnet rather than the internet, but it is still broader than the setup
# needs: the lan -> wan path with masq does not depend on it. If it was added
# while troubleshooting, remove it once LAN IPv4 works.
config forwarding
option dest 'lan'
option src 'wan'