No routing in x86 machine

Hello Everyone!

Last time I found for very Good price pico-itx computer board in x86/x64 architecture with 2xGigabit Ethernet interfaces, so natural choice was to put Openwrt on it.

Surprisingly I faced no single issue during image restore to itx disk, and no issues during first startup.

The problem begins when I try to configure it, because I am super noob to Openwrt (former ddwrt user here) and probably I need some advices from more experienced users. So my problem is probably with routing between WAN and LAN interface.

Openwrt by default sets eth0 to be LAN interface and create bridge for it (it works with no issue I guess), WAN interface is attached to eth1. LAN interface is ststic, dhcp server for client works (So my computer connected to lan gets ipv4 with no issues), WAN also can get ipv4 and even ipv6 from dhcp server with no issues.

Temporarry I connect my itx board WAN to existing Network (Asus RT-AC1200G+, but I thing it's not problrmatic right now) LAN port. WAN gets IP with correct pool, I also changed LAN pool because it's the same like my current Network (So moved from 192.168.1.1 to 192.168.2.1). By my experience with any other router instead of ITX in current situation, there should be Network routed from my Network to Network behind ITX but it's not. Completed isolation.

After several attempts with routing tables and rules, I was able to see my LAN devices but still no internet connection was estabilished.

So here starts my noob question: what should be configured (routing table/routing rules etc) in clean x86 distr to make it routing?

Regards!

this should work out of the box, even after you moved the lan subnet.

1 does your clients know about the lan subnet change ?
2 are you sure your lan and wan ports haven't been swapped, this can happen if the ports get detected in the reverse order, during (re)boot.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

Hi! Thanks for answer!

I tried for the last time, set fresh disk with out-of-box openWRT with one upgrade... The WAN cable.. Previously I used one srap-cable which allows me only 100mbps (4wires out of 8), and now I used full cable, seriously no idea why it wasn't working... Nevermind, First problem is now solved - ITX works with my current router (and works surprisingly well), now next step:

The next problem is when I am sure that my ITX works with my current network, I wish to remove my current router and place that ITX instead of it. When my ITX is connected to router LAN - everything works fine, but when I connect ITX directly to modem (arris tg2482 set in BRIDGE mode - because I don't need another subnetwork and port forwarding is problematic...) it works not so good (actually it does not work). There is my broker name recieved (check last line in output), there is autoconf ipv4. In conditions with different router - right now it should work! First think in my mind - to low TTL... what do You think?

/tmp/resolv.* /tmp/resolv.*/*
{
        "kernel": "5.10.161",
        "hostname": "OpenWrt",
        "system": "Intel(R) Atom(TM) CPU  E3827  @ 1.74GHz",
        "model": "X983",
        "board_name": "Atom",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.3",
                "revision": "r20028-43d71ad93e",
                "target": "x86/64",
                "description": "OpenWrt 22.03.3 r20028-43d71ad93e"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd84:061e:a780::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option hostname '*'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    inet XX.XXX.XX.XXX/21 brd XX.XXX.XX.XXX scope global eth1
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
default via XX.XXX.XX.XXX dev eth1  src XX.XXX.XX.XXX
XX.XXX.XX.XXX/21 dev eth1 scope link  src XX.XXX.XX.XXX
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1
broadcast XX.XXX.XX.XXX dev eth1 table local scope link  src XX.XXX.XX.XXX
local XX.XXX.XX.XXX dev eth1 table local scope host  src XX.XXX.XX.XXX
broadcast XX.XXX.XX.XXX dev eth1 table local scope link  src XX.XXX.XX.XXX
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.2.0 dev br-lan table local scope link  src 192.168.2.1
local 192.168.2.1 dev br-lan table local scope host  src 192.168.2.1
broadcast 192.168.2.255 dev br-lan table local scope link  src 192.168.2.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
lrwxrwxrwx    1 root     root            16 Jan  3 00:24 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Feb 13 15:24 /tmp/resolv.conf
-rw-r--r--    1 root     root           118 Jan  1  2014 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root           118 Jan  1  2014 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 192.168.198.250
nameserver 192.168.200.250
nameserver 192.168.197.250
search telpol.net.pl
root@OpenWrt:~#

The gigabit Ethernet specification requires 8-wire cable. There is nothing in the specification requiring detection of 4-wire cable and fallback to 100 Mb. Connecting two gigabit devices with a 4-wire cable often results in no link.

When you replace your router on cable Internet (in bridge mode), the cable company will see a different MAC address from your router and may refuse to serve it. Generally this can be resolved by unplugging the cable modem for 30 minutes to clear the old MAC out of their system.

Correct, modem reboot is required and I allways do it. I changed Network device connected to it i think maybe 5 Times this year (new devices, no switching few several times) and it allways works....

Right now when I use ping command via SSH, 96% of packages are lost So there is WAN communication with internet but not stable...

Still no idea how to convince openwrt to work with my modem... Something is missing... Any ideas how to find that?

Have you tried to ask your ISP if they see anything weird from their side?

Yes - They say that everything is OK, and also did not block anything - full possibility to extend your network....

First you should log into the modem and check your signal levels and error counts.

Remember that 8.8.8.8 is intended to be a DNS server, it will drop pings when it is loaded. A better place on the Internet to ping is the cable company's first router on their end of the cable, which you can discover with a traceroute.

If pinging to the modem (192.168.100.1) is inconsistent, there is likely still a problem with the Ethernet hardware.

Some Intel e1000e chips have a bug which causes a periodic drop of all data for several seconds every few minutes. There is a workaround for this bug.

So, I think modem creates vlan, because normally ITX recieves WAN address 82.XX.XX.XXX which is normal for that kind of connection (that's my output IP from ISP), and same time, modem should be reachable at 192.168.100.1:5540. The problem is that from different router or directly connected to it I can reach modem but with openwrt NO. Very strange

My network interface in ITX is: 2 x Intel® I210-IT Gigabit Ethernet Controller

Ordinarily the default route will properly send attempts to access 192.168.100.1 via the wan port, and the modem will pick them up, but sometimes you need a specific route and network for the modem. Try adding this:

config interface 'modem'
   option proto 'static'
   option device '@wan'
   option ipaddr '192.168.100.2/24'

First thing I would do would be

tcpdump -v -i eth1

and watch what exactly is going across the WAN interface. I'd look specifically for DHCP packets...

So after executing tcpdump for eth1 i got:

15:14:36.417740 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:c0:xx:xx:xx:cf (oui Unknown), length 300,                                                                                    xid 0x5d7ed745, Flags [none]
          Client-Ethernet-Address 00:c0:xx:xx:xx:cf (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Request
            Requested-IP Option 50, length 4: xx.xxx.xx.xxx
            Server-ID Option 54, length 4: xx.xxx.xxx.xxx
            MSZ Option 57, length 2: 576
            Parameter-Request Option 55, length 8:
              Subnet-Mask, Default-Gateway, Domain-Name-Server, Hostname
              Domain-Name, BR, NTP, Classless-Static-Route
            Hostname Option 12, length 7: "OpenWrt"
            Vendor-Class Option 60, length 12: "udhcp 1.35.0"
15:14:36.521855 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 328)
    XX.XXX.80.1.67 > XX.XXX.84.238.68: BOOTP/DHCP, Reply, length 300, hops 2, xid 0x5d7ed745, Flags [none]
          Your-IP XX.XXX.XX.XX
          Server-IP 87.99.XX.XX
          Gateway-IP XX.XXX.XX.X
          Client-Ethernet-Address 00:xx:0x:xx:xx:xx (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: ACK
            Server-ID Option 54, length 4: xx.xx.xxx.xx
            Lease-Time Option 51, length 4: 43200
            Subnet-Mask Option 1, length 4: 255.255.248.0
            Default-Gateway Option 3, length 4: 83.xxx.xx.1
            Domain-Name-Server Option 6, length 12: 192.168.198.250,192.168.200.250,192.168.197.250
            Domain-Name Option 15, length 13: "telpol.net.pl"
15:14:36.713617 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has xx.xx.80.1 tell xx.xx.84.238, lengt                                                                                   h 28
15:14:36.724895 ARP, Ethernet (len 6), IPv4 (len 4), Reply xx.xxx.80.1 is-at 00:01:5c:b7:fa:46 (oui Unknow                                                                                   n), length 46
15:14:36.724929 IP (tos 0x0, ttl 127, id 43906, offset 0, flags [DF], proto TCP (6), length 52)
    xx.xxx.84.238.57419 > 4.28.136.54.80: Flags [S], cksum 0xcd1d (correct), seq 1579561741, win 64240, op                                                                                   tions [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:14:36.776302 IP6 (flowlabel 0xd37da, hlim 1, next-header UDP (17) payload length: 110) fe80::2c0:8ff:fe                                                                                   94:2ecf.546 > ff02::1:2.547: [bad udp cksum 0x3729 -> 0x4b4d!] dhcp6 solicit (xid=f4bb11 (elapsed-time 0)                                                                                    (option-request SIP-servers-domain SIP-servers-address DNS-server DNS-search-list SNTP-servers NTP-server                                                                                    AFTR-Name opt_67 opt_94 opt_95 opt_96 opt_82) (client-ID hwaddr type 1 00c008942ecf) (reconfigure-accept)                                                                                    (Client-FQDN) (IA_NA IAID:1 T1:0 T2:0) (IA_PD IAID:1 T1:0 T2:0))
15:14:36.859601 IP (tos 0x0, ttl 55, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    4.28.136.54.80 > XX.XXX.84.238.57419: Flags [S.], cksum 0xc890 (correct), seq 883280842, ack 157956174                                                                                   2, win 65535, options [mss 1460,nop,wscale 6,sackOK,eol], length 0
15:14:36.860838 IP (tos 0x0, ttl 127, id 43907, offset 0, flags [DF], proto TCP (6), length 40)
    XX.XXX.84.238.57419 > 4.28.136.54.80: Flags [.], cksum 0x045f (correct), ack 1, win 1026, length 0
15:14:36.860863 IP (tos 0x0, ttl 127, id 43908, offset 0, flags [DF], proto TCP (6), length 40)
    XX.XXX.84.238.57419 > 4.28.136.54.80: Flags [F.], cksum 0x045e (correct), seq 1, ack 1, win 1026, leng                                                                                   th 0
15:14:36.866359 IP (tos 0x0, ttl 64, id 2129, offset 0, flags [DF], proto UDP (17), length 67)
    XX.XXX.84.238.38432 > 192.168.198.250.53: 54495+ A? s07.upd.kaspersky.com. (39)
15:14:36.866416 IP (tos 0x0, ttl 64, id 31197, offset 0, flags [DF], proto UDP (17), length 67)
    XX.XXX.84.238.38432 > 192.168.200.250.53: 54495+ A? s07.upd.kaspersky.com. (39)
15:14:36.866445 IP (tos 0x0, ttl 64, id 12403, offset 0, flags [DF], proto UDP (17), length 67)
    XX.XXX.84.238.38432 > 192.168.197.250.53: 54495+ A? s07.upd.kaspersky.com. (39)
15:14:36.866576 IP (tos 0x0, ttl 64, id 2130, offset 0, flags [DF], proto UDP (17), length 67)
    XX.XXX.84.238.60988 > 192.168.198.250.53: 30422+ AAAA? s07.upd.kaspersky.com. (39)
15:14:36.866620 IP (tos 0x0, ttl 64, id 31198, offset 0, flags [DF], proto UDP (17), length 67)
    XX.XXX.84.238.60988 > 192.168.200.250.53: 30422+ AAAA? s07.upd.kaspersky.com. (39)
15:14:36.866661 IP (tos 0x0, ttl 64, id 12404, offset 0, flags [DF], proto UDP (17), length 67)
    XX.XXX.84.238.60988 > 192.168.197.250.53: 30422+ AAAA? s07.upd.kaspersky.com. (39)
15:14:36.882087 IP (tos 0x0, ttl 59, id 54067, offset 0, flags [none], proto UDP (17), length 139)
    192.168.198.250.53 > XX.XXX.84.238.60988: 30422 0/1/0 (111)
15:14:36.882848 IP (tos 0x0, ttl 60, id 8986, offset 0, flags [none], proto UDP (17), length 139)
    192.168.197.250.53 > XX.XXX.84.238.60988: 30422 0/1/0 (111)
15:14:36.883037 IP (tos 0xc0, ttl 64, id 58335, offset 0, flags [none], proto ICMP (1), length 167)
    XX.XXX.84.238 > 192.168.197.250: ICMP XX.XXX.84.238 udp port 60988 unreachable, length 147
        IP (tos 0x0, ttl 60, id 8986, offset 0, flags [none], proto UDP (17), length 139)
    192.168.197.250.53 > XX.XXX.84.238.60988: 30422 0/1/0 (111)
15:14:36.883464 IP (tos 0x0, ttl 62, id 50430, offset 0, flags [none], proto UDP (17), length 139)
    192.168.200.250.53 > XX.XXX.84.238.60988: 30422 0/1/0 (111)
15:14:36.883594 IP (tos 0xc0, ttl 64, id 39078, offset 0, flags [none], proto ICMP (1), length 167)
    XX.XXX.84.238 > 192.168.200.250: ICMP XX.XXX.84.238 udp port 60988 unreachable, length 147
        IP (tos 0x0, ttl 62, id 50430, offset 0, flags [none], proto UDP (17), length 139)
    192.168.200.250.53 > XX.XXX.84.238.60988: 30422 0/1/0 (111)
15:14:36.901714 IP (tos 0x0, ttl 60, id 8991, offset 0, flags [none], proto UDP (17), length 83)
    192.168.197.250.53 > XX.XXX.84.238.38432: 54495 1/0/0 s07.upd.kaspersky.com. A 80.239.170.187 (55)
15:14:36.909714 IP (tos 0x0, ttl 62, id 50435, offset 0, flags [none], proto UDP (17), length 83)
    192.168.200.250.53 > XX.XXX.84.238.38432: 54495 1/0/0 s07.upd.kaspersky.com. A 80.239.174.62 (55)
15:14:36.909793 IP (tos 0xc0, ttl 64, id 39080, offset 0, flags [none], proto ICMP (1), length 111)
    XX.XXX.84.238 > 192.168.200.250: ICMP XX.XXX.84.238 udp port 38432 unreachable, length 91
        IP (tos 0x0, ttl 62, id 50435, offset 0, flags [none], proto UDP (17), length 83)
    192.168.200.250.53 > XX.XXX.84.238.38432: 54495 1/0/0 s07.upd.kaspersky.com. A 80.239.174.62 (55)
15:14:40.866859 IP (tos 0x0, ttl 64, id 31460, offset 0, flags [DF], proto UDP (17), length 70)
    XX.XXX.84.238.60200 > 192.168.200.250.53: 16046+ PTR? 54.136.28.4.in-addr.arpa. (42)
15:14:41.203199 IP (tos 0x0, ttl 127, id 11073, offset 0, flags [DF], proto TCP (6), length 52)
    XX.XXX.84.238.57425 > 80.239.197.106.80: Flags [S], cksum 0x164e (correct), seq 339126719, win 64240,                                                                                    options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:14:41.264033 IP (tos 0x0, ttl 127, id 60066, offset 0, flags [DF], proto TCP (6), length 52)
    XX.XXX.84.238.57430 > 40.115.3.253.443: Flags [S], cksum 0x0800 (correct), seq 3135568344, win 64240,                                                                                    options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:14:41.369794 IP (tos 0x0, ttl 127, id 53664, offset 0, flags [DF], proto TCP (6), length 52)
    XX.XXX.84.238.57431 > 195.122.177.184.443: Flags [S], cksum 0xb6d5 (correct), seq 1978222394, win 6424                                                                                   0, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:14:41.445690 IP (tos 0x0, ttl 127, id 9981, offset 0, flags [none], proto TCP (6), length 576)
    XX.XXX.84.238.57423 > 185.136.68.153.443: Flags [P.], cksum 0xbb3d (correct), seq 3287765292:328776582                                                                                   8, ack 1718621330, win 64400, length 536
15:14:41.600010 IP (tos 0x0, ttl 127, id 9982, offset 0, flags [DF], proto TCP (6), length 52)
    XX.XXX.84.238.57432 > 185.136.68.153.443: Flags [S], cksum 0x6c4b (correct), seq 619796941, win 64240,                                                                                    options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:14:41.829373 IP (tos 0x0, ttl 127, id 41285, offset 0, flags [none], proto TCP (6), length 254)
    XX.XXX.84.238.57424 > 20.42.73.24.443: Flags [P.], cksum 0x1a75 (correct), seq 1940800362:1940800576,                                                                                    ack 1420965381, win 1029, length 214
15:14:42.047699 58:60:d8:ed:db:1f (oui Unknown) > Broadcast, RRCP-0x23 query
15:14:42.366107 IP (tos 0x0, ttl 127, id 43326, offset 0, flags [DF], proto TCP (6), length 52)
    XX.XXX.84.238.57427 > 130.117.190.213.443: Flags [S], cksum 0x0f6b (correct), seq 2106727144, win 6424                                                                                   0, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:14:42.366445 IP (tos 0x0, ttl 127, id 26427, offset 0, flags [DF], proto TCP (6), length 52)
    XX.XXX.84.238.57428 > 20.42.65.92.443: Flags [S], cksum 0x0ece (correct), seq 388786711, win 65160, op                                                                                   tions [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:14:42.531965 IP (tos 0x0, ttl 127, id 17531, offset 0, flags [DF], proto TCP (6), length 52)
^C    XX.XXX.84.238.57418 > 94.75.236.122.80: Flags [S], cksum 0x17a9 (correct), seq 414281604, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

206 packets captured
1284 packets received by filter
1047 packets dropped by kernel
root@OpenWrt:~#

I skip few minutes before my modem booted up and catch only moment when ITX gets WAN address, before that moment actually nothing changed

I can't create interface via SSH...

A cable modem that is bridging will pass your router's DHCP request to a server at the cable company (not inside the modem), which will return a reply to (usually) assign a public IP address. That all seems to be working. I thought the issue here was there is some Internet connection but it is slow and drops a lot.

Use a text editor on /etc/config/network and add the block of 4 lines that I posted. Then from a computer on the LAN try to open the cable modem's webgui.

From what I can see, it is working. For example:
Response from ISP DNS:

15:14:36.901714 IP (tos 0x0, ttl 60, id 8991, offset 0, flags [none], proto UDP (17), length 83)
    192.168.197.250.53 > XX.XXX.84.238.38432: 54495 1/0/0 s07.upd.kaspersky.com. A 80.239.170.187 (55)

Response from a web server:

15:14:36.859601 IP (tos 0x0, ttl 55, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    4.28.136.54.80 > XX.XXX.84.238.57419: Flags [S.], cksum 0xc890 (correct), seq 883280842, ack 1579561742, win 65535, options [mss 1460,nop,wscale 6,sackOK,eol], length 0

There are a lot of queries though which go answered. But this is not something we can help. Your ISP should investigate as well what is going on.

Yeah, that's what I see, too.

In the first couple of verbose lines, the DHCPv4 request goes out and is responded to, followed by the ARP "whois" for the gateway.

Then the router initiates connection to HTTP on a Level 3 host in Denver, CO USA (4.28.136.54).

A DHCPv6 request goes out from some Seco Srl device (phone, IoT?), it gets no reply in this trace, so I assume IPv6 is not implemented by the ISP (but Level 3 has a full dual-stack, so it must be the local ISP).

The next three packets look like the ACK sequence for the Level 3 website.

A whole bunch of DNS requests go out, basically a dig s07.upd.kaspersky.com @192.168.198.250 (weird that ISP is supplying RFC 1918 address for their DNS server). The replies start coming back, just as @trendy notes.

But intermixed are some ICMP packets that I don't recognize, router -> DNS host, but appear to be blocked on the router end.*

15:14:36.883594 IP (tos 0xc0, ttl 64, id 39078, offset 0, flags [none], proto ICMP (1), length 167)
    XX.XXX.84.238 > 192.168.200.250: ICMP XX.XXX.84.238 udp port 60988 unreachable, length 147
        IP (tos 0x0, ttl 62, id 50430, offset 0, flags [none], proto UDP (17), length 139)
    192.168.200.250.53 > XX.XXX.84.238.60988: 30422 0/1/0 (111)

In any case, this is followed by 8 or 9 HTTP/HTTPS connections being initiated by the router and the trace cuts off before we see any replies.

In the middle of those is that Broadcast, RRCP-0x23 query, which is probably a switch loop-back detection packet or something along those lines (the MAC is for an Arris device, and the message is typical of Realtek switch messages).

Edit: * - Oh, I see, it's just the DNS server refusing ICMP...

The default DNS (192.168.200.XXX) cames from my modem, I ask about it why they look weird but there was nothing wrong for my ISP broker in that...

The funny thing is that I switched off preffered DNS in modem settings but it still appears

Private IP address for DNS is not an issue.

These are also fine, router got an answer from one DNS and stopped waiting for the answers from the other two DNSes. When the answer came, the port was closed and the ICMP was returned.