OpenVPN (NordVPN) set up and seemingly working on TP-Link C2600, but clients not connecting and not getting the VPN IP

Okay awesome. Thanks! Fingers crossed.

Sorry to be back with another question, but I just came up with a concern: when I had the Ethernet cable from my main router plugged into the WAN port, the OpenWrt router was wholly inaccessible.

What steps do I need to take in order to access the router when I connect to the WAN port?

As well, what should I specify for the gateway on the LAN? The only gateway I know of is the main router's, 192.168.1.254, but I can't suss out how that works when going through a different subnet.

Thanks again!

** Another edit: I modified the network config file, changed the LAN address to 192.168.2.1 (a new subnet) and rebooted; now I have no access to the interface. Connected the cable to the WAN port, still no dice =/

When I connect to the wireless I end up with no internet connection; I'm being served a "169" (self-assigned) IP address.

Everything worked prior to that. I just wasn't getting served under a VPN.

I don't know what else to do.

Updates.

I was able to regain access by manually assigning an IP address. So that's something.

The router can access the internet (going into Diagnostics and pinging openwrt.org works), but anything connected to the wireless just doesn't.

Tried adjusting the gateway to just be the OpenWRT router, no dice. Tried specifying Google DNS servers, no dice.

It seems I'm not getting a DHCP lease, and even manually specifying the IP address and DNS settings per device does me no good, unfortunately.

So with all this going on I can't fully test whether the VPN portion is working. It SEEMS like it is, based on the traceroute, but if I can't connect and get internet that doesn't help a ton unfortunately :frowning:

Even tested pinging devices on the primary subnet 192.168.1.XXX and that works great. Just CANNOT figure out why I'm not able to serve an IP address to connected wireless clients, and even with a static IP still no access to the internet.

You need to allow incoming connections from the WAN firewall zone to the device; by default everything is blocked.

Nothing; OpenWrt gets its default gateway via DHCP on the WAN interface.

Please post here the output of the following command, all in one line
# Dumps the network, firewall, wireless and dhcp UCI configs, then the IPv4 addresses, routes and policy rules.
# NOTE(review): /etc/config/wireless includes the WPA pre-shared key ('option key') - redact it before posting publicly.
cat /etc/config/network; cat /etc/config/firewall; cat /etc/config/wireless ; cat /etc/config/dhcp ; ip -4 addr ; ip -4 ro ; ip -4 ru


Results:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7d:3874:5a29::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        # NOTE(review): 8.8.8.1 is not one of Google's public resolvers (8.8.8.8 / 8.8.4.4) - likely a typo.
        # This list is removed later in the thread anyway.
        option dns '192.168.1.254 8.8.8.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

# NOTE(review): 'ifname eth0' is the raw WAN parent port (eth0.2 above is the wan VLAN on it), not the
# OpenVPN tunnel device tun0 shown in the 'ip addr' output below. The firewall 'vpn' zone bound to this
# network therefore never sees tunnel traffic. This interface is deleted later in the thread.
config interface 'openvpn'
        option proto 'none'
        option ifname 'eth0'
        option auto '1'
        option type 'bridge'


config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'lan'
        option forward 'DROP'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option network 'wan wan6'
        option input 'DROP'
        option forward 'DROP'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

# NOTE(review): this zone is bound to network 'openvpn', which in /etc/config/network above is a bridge on
# raw eth0 rather than the tun0 tunnel device, so no tunnel traffic actually matches it. Once that interface
# is deleted later in the thread, the zone covers nothing at all.
config zone
        option name 'vpn'
        option output 'ACCEPT'
        option network 'openvpn'
        option input 'DROP'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'

# The only forwarding out of lan is lan -> vpn; there is no lan -> wan forwarding. With the vpn zone
# matching nothing, clients have no path out, which is why this is re-pointed at 'wan' later in the thread.
config forwarding
        option dest 'vpn'
        option src 'lan'


config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option htmode 'VHT80'
        option country 'US'
        option legacy_rates '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk2'
        # NOTE(review): WPA2 pre-shared key posted in cleartext in a public thread, and the same 10-digit
        # numeric key is reused on the second radio below - rotate it to a longer, non-numeric passphrase.
        option key '6047256846'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
        option htmode 'HT20'
        option country 'US'
        option legacy_rates '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'serenity'
        option encryption 'psk2'
        # Same pre-shared key as radio0 (see the note there).
        option key '6047256846'
        option network 'lan'


config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option nonwildcard '1'
        option localservice '1'
        # NOTE(review): with noresolv set and no 'list server' entries in this section, dnsmasq has no
        # upstream to forward to. The "Query refused" answers the Windows client gets below disappear once
        # this option is deleted later in the thread.
        option noresolv '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        # DHCP option 6 (DNS servers): hands clients these two external resolvers directly instead of the
        # router's own dnsmasq at 192.168.2.1. Removed later in the thread.
        list dhcp_option '6,103.86.96.100,103.86.99.100'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
10: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.69/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    inet 10.8.2.7/24 brd 10.8.2.255 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.8.2.1 dev tun0 
default via 192.168.1.254 dev eth0.2  src 192.168.1.69 
10.8.2.0/24 dev tun0 scope link  src 10.8.2.7 
104.200.132.172 via 192.168.1.254 dev eth0.2 
128.0.0.0/1 via 10.8.2.1 dev tun0 
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.69 
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1 
0:      from all lookup local 
32766:  from all lookup main 
32767:  from all lookup default 

Also from my other thread, traceroute from the Diagnostics section on the router:

traceroute to openwrt.org (139.59.209.225), 30 hops max, 38 byte packets
 1  10.8.2.1  3.027 ms
 2  104.200.132.190  3.400 ms
 3  104.200.132.142  2.673 ms
 4  173.205.42.93  2.810 ms
 5  154.24.61.69  3.453 ms
 6  154.54.27.161  8.374 ms
 7  64.86.123.93  160.234 ms
 8  62.115.117.49  56.031 ms
 9  *
10  62.115.112.245  146.032 ms
11  80.231.130.105  160.773 ms
12  80.231.154.142  175.105 ms
13  62.115.120.6  155.850 ms
14  195.219.87.13  167.036 ms
15  195.219.87.18  173.663 ms
16  139.59.209.225  163.435 ms

From my Windows 10 machine connected via either Wifi radio

tracert openwrt.org
Unable to resolve target system name openwrt.org.

https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#upstream_dns_provider

# OpenWrt
# Drop the static upstream resolvers configured on the lan interface ('option dns' in /etc/config/network).
uci -q delete network.lan.dns
uci commit network
/etc/init.d/network reload
# Stop pushing DHCP option 6 (the two external resolvers in /etc/config/dhcp) so clients use the router
# itself, 192.168.2.1, for DNS.
uci -q delete dhcp.lan.dhcp_option
uci commit dhcp
/etc/init.d/dnsmasq restart

# PC
REM Release and re-acquire the DHCP lease so the new DNS settings are picked up, then test by IP and by name.
ipconfig /release
ipconfig /renew
tracert 8.8.8.8
tracert example.org

Okay, so I did that and this was the reply after the dnsmasq restart command:

udhcpc: started, v1.28.4
udhcpc: sending discover
udhcpc: no lease, failing

And after that still no internet access

Trace route:

Invalid host name or IP address. Please check your Server Name.

On the router, traceroute still works as before.

This error message is confusing.

REM Collect the full adapter configuration and the routing table, then test reachability by IP and by name.
ipconfig /all & route print
tracert 8.8.4.4
tracert google.com

Sorry that last one was taken from my phone.

Here's the results:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-GK4S7NB
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : lan

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : C4-54-44-E8-05-11
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 1:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : 12-10-B3-71-81-CC
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 16:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #7
   Physical Address. . . . . . . . . : 22-10-B3-71-81-CC
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-86-07-91-A5
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Kaspersky Security Data Escort Adapter
   Physical Address. . . . . . . . . : 00-FF-9C-4A-9F-1D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : lan
   Description . . . . . . . . . . . : Qualcomm Atheros AR956x Wireless Network Adapter
   Physical Address. . . . . . . . . : 30-10-B3-71-81-CC
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : fd7d:3874:5a29::91b(Preferred)
   Lease Obtained. . . . . . . . . . : Sunday, May 5, 2019 9:31:03 PM
   Lease Expires . . . . . . . . . . : Thursday, June 12, 2155 3:59:41 AM
   IPv6 Address. . . . . . . . . . . : fd7d:3874:5a29:0:3843:d161:bd7:4a30(Preferred)
   Temporary IPv6 Address. . . . . . : fd7d:3874:5a29:0:554a:f91:37e5:7f77(Preferred)
   Link-local IPv6 Address . . . . . : fe80::3843:d161:bd7:4a30%21(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.2.137(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Sunday, May 5, 2019 9:31:02 PM
   Lease Expires . . . . . . . . . . : Monday, May 6, 2019 9:31:01 AM
   Default Gateway . . . . . . . . . : 192.168.2.1
   DHCP Server . . . . . . . . . . . : 192.168.2.1
   DHCPv6 IAID . . . . . . . . . . . : 120590515
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-D5-6C-6D-C4-54-44-E8-05-11
   DNS Servers . . . . . . . . . . . : fd7d:3874:5a29::1
                                       192.168.2.1
                                       fd7d:3874:5a29::1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : 30-10-B3-71-BE-3A
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
===========================================================================
Interface List
 25...c4 54 44 e8 05 11 ......Realtek PCIe GBE Family Controller
 27...12 10 b3 71 81 cc ......Microsoft Wi-Fi Direct Virtual Adapter
 51...22 10 b3 71 81 cc ......Microsoft Wi-Fi Direct Virtual Adapter #7
 13...00 ff 86 07 91 a5 ......TAP-Windows Adapter V9
 17...00 ff 9c 4a 9f 1d ......Kaspersky Security Data Escort Adapter
 21...30 10 b3 71 81 cc ......Qualcomm Atheros AR956x Wireless Network Adapter
 15...30 10 b3 71 be 3a ......Bluetooth Device (Personal Area Network)
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1    192.168.2.137     55
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      192.168.2.0    255.255.255.0         On-link     192.168.2.137    311
    192.168.2.137  255.255.255.255         On-link     192.168.2.137    311
    192.168.2.255  255.255.255.255         On-link     192.168.2.137    311
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.2.137    311
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.2.137    311
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
 21    311 fd7d:3874:5a29::/48      fe80::ee08:6bff:feba:fd40
 21    311 fd7d:3874:5a29::/64      On-link
 21    311 fd7d:3874:5a29::91b/128  On-link
 21    311 fd7d:3874:5a29:0:3843:d161:bd7:4a30/128
                                    On-link
 21    311 fd7d:3874:5a29:0:554a:f91:37e5:7f77/128
                                    On-link
 21    311 fe80::/64                On-link
 21    311 fe80::3843:d161:bd7:4a30/128
                                    On-link
  1    331 ff00::/8                 On-link
 21    311 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

tracert 8.8.4.4

Tracing route to 8.8.4.4 over a maximum of 30 hops

  1     2 ms     3 ms     1 ms  OpenWrt.lan [192.168.2.1]
  2  OpenWrt.lan [192.168.2.1]  reports: Destination protocol unreachable.

tracert google.com
Unable to resolve target system name google.com.

# @zone[1] is the second zone in /etc/config/firewall, i.e. 'wan' (lan is [0], vpn is [2]): this puts tun0
# into the wan zone, which the later iptables-save confirms ('-i tun0 ... -j zone_wan_*').
uci set firewall.@zone[1].device="tun0"
uci commit firewall
service firewall restart
# Remove the 'openvpn' interface that bridged raw eth0 (the WAN VLAN parent) instead of the tunnel. The
# 'vpn' zone still names network 'openvpn', so after this it matches nothing and the lan -> vpn forwarding
# has no effect.
uci -q delete network.openvpn
uci commit network
service network restart

No change. I had to reboot the router to get internet access back there after that last command, and there was no change on my connected devices - well, not entirely true; here's the tracert output from Windows now:

tracert 8.8.4.4

Tracing route to 8.8.4.4 over a maximum of 30 hops

  1     1 ms     *        *     OpenWrt.lan [192.168.2.1]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *     OpenWrt.lan [192.168.2.1]  reports: Destination protocol unreachable.

Trace complete.

The tracert to google is the same:

tracert google.com
Unable to resolve target system name google.com.
# PC
REM Query the router's resolver explicitly, then whichever resolver the adapter was handed by DHCP.
nslookup example.org 192.168.2.1
nslookup example.org
nslookup openwrt.org 192.168.2.1
Server:  OpenWrt.lan
Address:  192.168.2.1

*** OpenWrt.lan can't find openwrt.org: Query refused

nslookup openwrt.org
Server:  OpenWrt.lan
Address:  fd7d:3874:5a29::1

*** OpenWrt.lan can't find openwrt.org: Query refused

Windows Tracert:

tracert 8.8.4.4

Tracing route to 8.8.4.4 over a maximum of 30 hops

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5  OpenWrt.lan [192.168.2.1]  reports: Destination protocol unreachable.

Windows also still shows "no internet connectivity" when connected via Wi-Fi.

# OpenWrt
# 'noresolv 1' with no 'list server' entries left dnsmasq without an upstream (hence the "Query refused"
# answers above); deleting it gives it an upstream again - the Windows nslookup below then resolves openwrt.org.
uci -q delete dhcp.@dnsmasq[0].noresolv
uci commit dhcp
service dnsmasq restart

# PC
REM Re-test name resolution through the adapter's configured resolver after the dnsmasq change.
nslookup example.org

Okay, so I'm seeing some positive changes!

Still no connectivity BUT:

tracert 8.8.4.4

Tracing route to google-public-dns-b.google.com [8.8.4.4]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *     OpenWrt.lan [192.168.2.1]  reports: Destination protocol unreachable.

Trace complete.

tracert google.com

Tracing route to google.com [172.217.6.46]
over a maximum of 30 hops:

  1    <1 ms     *        *     OpenWrt.lan [192.168.2.1]
  2     *     OpenWrt.lan [192.168.2.1]  reports: Destination protocol unreachable.

Trace complete.

nslookup openwrt.org
Server:  OpenWrt.lan
Address:  fd7d:3874:5a29::1

Non-authoritative answer:
Name:    openwrt.org
Addresses:  2a03:b0c0:3:d0::1af1:1
          139.59.209.225

Let's see the updated diagnostics:

# OpenWrt
# Dump addresses, routes, policy rules, the live iptables ruleset and the IPv4 forwarding sysctls.
ip a; ip r; ip ru; iptables-save; sysctl net.ipv4 | grep -e forward
# @zone[1] is 'wan', which now holds tun0 as well as eth0.2: masquerade lan traffic leaving either device
# and clamp TCP MSS to the path MTU (visible afterwards as MASQUERADE in zone_wan_postrouting and the
# TCPMSS rules in the mangle table).
uci set firewall.@zone[1].masq="1"
uci set firewall.@zone[1].mtu_fix="1"
uci commit firewall
service firewall restart

done, rebooting and refreshing my connection now

ip a; ip r; ip ru; iptables-save; sysctl net.ipv4 | grep -e forward
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether ec:08:6b:ba:fd:41 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ee08:6bff:feba:fd41/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether ec:08:6b:ba:fd:40 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ee08:6bff:feba:fd40/64 scope link 
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether ec:08:6b:ba:fd:40 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd7d:3874:5a29::1/60 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::ee08:6bff:feba:fd40/64 scope link 
       valid_lft forever preferred_lft forever
8: eth1.1@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether ec:08:6b:ba:fd:40 brd ff:ff:ff:ff:ff:ff
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether ec:08:6b:ba:fd:41 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.69/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
    inet6 fe80::ee08:6bff:feba:fd41/64 scope link 
       valid_lft forever preferred_lft forever
10: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether ec:08:6b:ba:fd:40 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ee08:6bff:feba:fd40/64 scope link 
       valid_lft forever preferred_lft forever
11: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether ec:08:6b:ba:fd:3f brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ee08:6bff:feba:fd3f/64 scope link 
       valid_lft forever preferred_lft forever
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    link/[65534] 
    inet 10.8.3.17/24 brd 10.8.3.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::172a:8539:b6fb:9882/64 scope link 
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.8.3.1 dev tun0 
default via 192.168.1.254 dev eth0.2  src 192.168.1.69 
10.8.3.0/24 dev tun0 scope link  src 10.8.3.17 
104.200.132.172 via 192.168.1.254 dev eth0.2 
128.0.0.0/1 via 10.8.3.1 dev tun0 
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.69 
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1 
0:      from all lookup local 
32766:  from all lookup main 
32767:  from all lookup default 
# Generated by iptables-save v1.6.2 on Sun May  5 23:54:11 2019
*nat
:PREROUTING ACCEPT [2114:161566]
:INPUT ACCEPT [35:2866]
:OUTPUT ACCEPT [168:12958]
:POSTROUTING ACCEPT [1135:47117]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_vpn_postrouting -m comment --comment "!fw3: Custom vpn postrouting rule chain" -j postrouting_vpn_rule
-A zone_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_vpn_prerouting -m comment --comment "!fw3: Custom vpn prerouting rule chain" -j prerouting_vpn_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sun May  5 23:54:11 2019
# Generated by iptables-save v1.6.2 on Sun May  5 23:54:11 2019
*mangle
:PREROUTING ACCEPT [3178:358085]
:INPUT ACCEPT [1105:200041]
:FORWARD ACCEPT [1673:97824]
:OUTPUT ACCEPT [2144:308366]
:POSTROUTING ACCEPT [2146:309022]
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun May  5 23:54:11 2019
# Generated by iptables-save v1.6.2 on Sun May  5 23:54:11 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_DROP - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_dest_DROP - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_DROP - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_DROP - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_DROP -o br-lan -m comment --comment "!fw3" -j DROP
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpn forwarding policy" -j zone_vpn_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_DROP
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule
-A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_DROP
-A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule
-A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_DROP
-A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule
-A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_wan_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_DROP -o tun0 -m comment --comment "!fw3" -j DROP
-A zone_wan_dest_DROP -o eth0.2 -m comment --comment "!fw3" -j DROP
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_DROP
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_DROP
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_DROP -i tun0 -m comment --comment "!fw3" -j DROP
-A zone_wan_src_DROP -i eth0.2 -m comment --comment "!fw3" -j DROP
COMMIT
# Completed on Sun May  5 23:54:11 2019
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.br-lan.forwarding = 1
net.ipv4.conf.br-lan.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.2.forwarding = 1
net.ipv4.conf.eth0.2.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.1.forwarding = 1
net.ipv4.conf.eth1.1.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.conf.wlan0.forwarding = 1
net.ipv4.conf.wlan0.mc_forwarding = 0
net.ipv4.conf.wlan1.forwarding = 1
net.ipv4.conf.wlan1.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
tracert 8.8.4.4

Tracing route to google-public-dns-b.google.com [8.8.4.4]
over a maximum of 30 hops:

  1     1 ms     *        *     OpenWrt.lan [192.168.2.1]
  2  OpenWrt.lan [192.168.2.1]  reports: Destination protocol unreachable.

Trace complete.

nslookup openwrt.org 192.168.2.1
Server:  OpenWrt.lan
Address:  192.168.2.1

Non-authoritative answer:
Name:    openwrt.org
Addresses:  2a03:b0c0:3:d0::1af1:1
          139.59.209.225
# Re-point the only lan forwarding (previously dest 'vpn', whose network no longer exists) at 'wan', the
# zone tun0 now belongs to.
# NOTE(review): 'wan' also contains eth0.2, and the routing table above still has 'default via
# 192.168.1.254 dev eth0.2' next to the 0.0.0.0/1 and 128.0.0.0/1 tunnel routes. If tun0 goes down, lan
# traffic is forwarded and masqueraded out the physical WAN unencrypted - there is no kill switch. Confirm
# that is acceptable, or restrict lan forwarding to the tunnel device only.
uci set firewall.@forwarding[0].dest="wan"
uci commit firewall
/etc/init.d/firewall restart