OpenWrt behind FritzBox suddenly stopped working

Hi there,

Inspired by an article in a German computer magazine, I installed OpenWRT on a FritzBox 4040 as a cascaded router in my network. Worked quite well.

Setup:
WAN <-> FritzBox 6490 (fritz os 07.10) <-> FritzBox 4040 (OpenWRT) <-> Internal LAN/Wifi
Static route for the internal LAN IP range via the DHCP-reserved OpenWRT WAN IP on the FritzBox

Suddenly, after a firmware upgrade to the latest fritzos version on the external router, the Internet connection stopped working for all devices in the internal network. Connected to the 6490, internet access still works.
Because it wouldn't be the first time that some weird configuration of mine broke the connection, I also updated OpenWRT on the 4040 from 18.06.02 to 18.06.04 without keeping the configuration.

Afterwards, I set all firewall settings for General and Wan Zone to accept and disabled Masq and MSS.

As a basic setup this usually worked before.

But still clients connected to the OpenWRT router can't get access to the Internet.

Some tests I made:

  • OpenWRT can ping 8.8.8.8
  • OpenWRT can resolve domains (External router as NS)
  • OpenWRT can update package list and install packages using opkg
  • Client on FritzBox 6490 can access Internet
  • Client on OpenWRT can resolve domains (OpenWRT as NS)
  • Client on OpenWRT cannot ping 8.8.8.8
  • Tracepath for clients on OpenWRT stops on the OpenWRT Router
    $ tracepath 8.8.8.8
    1?: [LOCALHOST] pmtu 1500
    1: OpenWrt.lan 1.662ms
    1: OpenWrt.lan 0.608ms
    2: no reply
    3: no reply

Do you have any idea on further diagnosis or tips to solve this problem?

Check from OpenWrt:

uci show network; uci show firewall; uci show dhcp
ip a; ip r; ip ru; iptables-save

In the meantime I added my previous DHCP host config and my second wifi for IoT devices.
No changes for the internet connectivity.

root@OpenWrt:~# uci show network; uci show firewall; uci show dhcp
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd47:82bf:4b2d::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.10.1'
network.wan=interface
network.wan.ifname='eth1'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.ifname='eth1'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='1 2 3 4 0'
network.iot=interface
network.iot.type='bridge'
network.iot.proto='static'
network.iot.netmask='255.255.252.0'
network.iot.ipaddr='192.168.252.1'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='ACCEPT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
firewall.@zone[1].network='wan wan6'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='iot'
firewall.@zone[2].network='iot'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[0].src='lan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[1].src='iot'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].dest='wan'
firewall.@forwarding[2].src='iot'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].dest='iot'
firewall.@forwarding[3].src='lan'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].domain='fdb.fuermann.net'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_management='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.@host[0]=host
dhcp.@host[0].name='sw01'
dhcp.@host[0].dns='1'
dhcp.@host[0].mac='78:d2:94:b3:a1:67'
dhcp.@host[0].ip='192.168.10.11'
dhcp.iot=dhcp
dhcp.iot.interface='iot'
dhcp.iot.start='50'
dhcp.iot.limit='400'
dhcp.iot.leasetime='48h'
dhcp.@host[1]=host
dhcp.@host[1].name='sw02'
dhcp.@host[1].dns='1'
dhcp.@host[1].mac='78:d2:94:2e:1f:18'
dhcp.@host[1].ip='192.168.10.12'
dhcp.@host[2]=host
dhcp.@host[2].name='sw03'
dhcp.@host[2].dns='1'
dhcp.@host[2].mac='78:d2:94:b3:a1:67'
dhcp.@host[2].ip='192.168.10.13'
dhcp.@host[3]=host
dhcp.@host[3].name='receiver'
dhcp.@host[3].dns='1'
dhcp.@host[3].mac='00:E0:36:E4:36:B0'
dhcp.@host[3].ip='192.168.251.34'
dhcp.@host[4]=host
dhcp.@host[4].dns='1'
dhcp.@host[4].mac='00:04:4B:86:D7:0B'
dhcp.@host[4].ip='192.168.251.49'
dhcp.@host[4].name='shield-lan'
dhcp.@host[5]=host
dhcp.@host[5].name='steam'
dhcp.@host[5].dns='1'
dhcp.@host[5].mac='E0:31:9E:2B:68:6C'
dhcp.@host[5].ip='192.168.251.50'
dhcp.@host[6]=host
dhcp.@host[6].name='store'
dhcp.@host[6].dns='1'
dhcp.@host[6].mac='24:5e:be:21:83:54'
dhcp.@host[6].ip='192.168.10.65'
dhcp.@host[7]=host
dhcp.@host[7].name='store'
dhcp.@host[7].dns='1'
dhcp.@host[7].mac='00:08:9B:C7:2D:D1'
dhcp.@host[7].ip='192.168.10.66'
dhcp.@host[8]=host
dhcp.@host[8].name='pi01'
dhcp.@host[8].dns='1'
dhcp.@host[8].mac='B8:27:EB:E7:65:A7'
dhcp.@host[8].ip='192.168.10.97'
dhcp.@host[9]=host
dhcp.@host[9].name='pi02'
dhcp.@host[9].dns='1'
dhcp.@host[9].mac='B8:27:EB:C7:2C:EC'
dhcp.@host[9].ip='192.168.10.98'
dhcp.@host[10]=host
dhcp.@host[10].name='pi03'
dhcp.@host[10].dns='1'
dhcp.@host[10].mac='B8:27:EB:3C:D0:68'
dhcp.@host[10].ip='192.168.10.99'
dhcp.@host[11]=host
dhcp.@host[11].name='pi04'
dhcp.@host[11].dns='1'
dhcp.@host[11].mac='b8:27:eb:18:d6:8c'
dhcp.@host[11].ip='192.168.10.100'
dhcp.@host[12]=host
dhcp.@host[12].name='leonard'
dhcp.@host[12].dns='1'
dhcp.@host[12].mac='8C:89:A5:D9:DB:D6'
dhcp.@host[12].ip='192.168.10.129'
dhcp.@host[13]=host
dhcp.@host[13].name='sheldon'
dhcp.@host[13].dns='1'
dhcp.@host[13].mac='54:04:A6:66:2A:0D'
dhcp.@host[13].ip='192.168.10.130'
dhcp.@host[14]=host
dhcp.@host[14].name='blackbook'
dhcp.@host[14].dns='1'
dhcp.@host[14].ip='192.168.10.137'
dhcp.@host[14].mac='F8:59:71:A7:C0:88'
dhcp.@host[15]=host
dhcp.@host[15].name='blackbook-lan'
dhcp.@host[15].dns='1'
dhcp.@host[15].mac='54:E1:AD:36:AA:CA'
dhcp.@host[15].ip='192.168.10.138'
dhcp.@host[16]=host
dhcp.@host[16].name='blackbook-tb'
dhcp.@host[16].dns='1'
dhcp.@host[16].mac='00:50:B6:8C:B8:B5'
dhcp.@host[16].ip='192.168.10.139'
dhcp.@host[17]=host
dhcp.@host[17].name='redbook'
dhcp.@host[17].dns='1'
dhcp.@host[17].mac='00:28:F8:A0:EF:B5'
dhcp.@host[17].ip='192.168.10.141'
dhcp.@host[18]=host
dhcp.@host[18].name='s7quest'
dhcp.@host[18].dns='1'
dhcp.@host[18].mac='AC:5F:3E:5E:D4:DD'
dhcp.@host[18].ip='192.168.10.193'
dhcp.@host[19]=host
dhcp.@host[19].name='s7maggy'
dhcp.@host[19].dns='1'
dhcp.@host[19].mac='8C:F5:A3:6D:D4:CC'
dhcp.@host[19].ip='192.168.10.194'
dhcp.@host[20]=host
dhcp.@host[20].name='schlupp'
dhcp.@host[20].dns='1'
dhcp.@host[20].ip='192.168.255.209'
dhcp.@host[20].mac='7C:49:EB:9F:A4:2C'
dhcp.@domain[0]=domain
dhcp.@domain[0].name='mqtt'
dhcp.@domain[0].ip='192.168.10.65'
dhcp.media=dhcp
dhcp.media.interface='media'
dhcp.media.start='10'
dhcp.media.limit='200'
dhcp.media.leasetime='24h'
dhcp.media.ra='server'
dhcp.media.dhcpv6='server'
dhcp.media.ra_management='1'
dhcp.media.force='1'
dhcp.@host[21]=host
dhcp.@host[21].name='print-hp'
dhcp.@host[21].dns='1'
dhcp.@host[21].mac='40:A8:F0:B4:90:92'
dhcp.@host[21].ip='192.168.10.209'
dhcp.@host[22]=host
dhcp.@host[22].name='redbook-lan'
dhcp.@host[22].dns='1'
dhcp.@host[22].mac='54:E1:AD:05:FB:C7'
dhcp.@host[22].ip='192.168.10.142'
dhcp.@domain[1]=domain
dhcp.@domain[1].name='store'
dhcp.@domain[1].ip='192.168.10.65'
root@OpenWrt:~# ip a; ip r; ip ru; iptables-save
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether f0:b0:14:77:4e:c0 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether f0:b0:14:77:4e:c1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.2/24 brd 192.168.0.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 2a02:810d:340:7d80:f2b0:14ff:fe77:4ec1/64 scope global dynamic 
       valid_lft 7058sec preferred_lft 1787sec
    inet6 fe80::f2b0:14ff:fe77:4ec1/64 scope link 
       valid_lft forever preferred_lft forever
21: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether f0:b0:14:77:4e:c0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.1/24 brd 192.168.10.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd47:82bf:4b2d::1/60 scope global 
       valid_lft forever preferred_lft forever
    inet6 2a02:810d:340:7d9c::1/62 scope global dynamic 
       valid_lft 7068sec preferred_lft 3468sec
    inet6 fe80::f2b0:14ff:fe77:4ec0/64 scope link 
       valid_lft forever preferred_lft forever
31: br-iot: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether f2:b0:14:77:4e:c2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.252.1/22 brd 192.168.255.255 scope global br-iot
       valid_lft forever preferred_lft forever
    inet6 fe80::f0b0:14ff:fe77:4ec2/64 scope link 
       valid_lft forever preferred_lft forever
32: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether f0:b0:14:77:4e:c2 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::f2b0:14ff:fe77:4ec2/64 scope link 
       valid_lft forever preferred_lft forever
33: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-iot state UP qlen 1000
    link/ether f2:b0:14:77:4e:c2 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::f0b0:14ff:fe77:4ec2/64 scope link 
       valid_lft forever preferred_lft forever
34: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether f0:b0:14:77:4e:c3 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::f2b0:14ff:fe77:4ec3/64 scope link 
       valid_lft forever preferred_lft forever
35: wlan1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-iot state UP qlen 1000
    link/ether f2:b0:14:77:4e:c3 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::f0b0:14ff:fe77:4ec3/64 scope link 
       valid_lft forever preferred_lft forever
default via 192.168.0.1 dev eth1  src 192.168.0.2 
192.168.0.0/24 dev eth1 scope link  src 192.168.0.2 
192.168.10.0/24 dev br-lan scope link  src 192.168.10.1 
192.168.252.0/22 dev br-iot scope link  src 192.168.252.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
# Generated by iptables-save v1.6.2 on Sat Aug 17 14:08:42 2019
*nat
:PREROUTING ACCEPT [5494:603528]
:INPUT ACCEPT [1231:81116]
:OUTPUT ACCEPT [1744:123757]
:POSTROUTING ACCEPT [5379:512206]
:postrouting_iot_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_iot_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_iot_postrouting - [0:0]
:zone_iot_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i br-iot -m comment --comment "!fw3" -j zone_iot_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o br-iot -m comment --comment "!fw3" -j zone_iot_postrouting
-A zone_iot_postrouting -m comment --comment "!fw3: Custom iot postrouting rule chain" -j postrouting_iot_rule
-A zone_iot_prerouting -m comment --comment "!fw3: Custom iot prerouting rule chain" -j prerouting_iot_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sat Aug 17 14:08:42 2019
# Generated by iptables-save v1.6.2 on Sat Aug 17 14:08:42 2019
*mangle
:PREROUTING ACCEPT [237391:32273241]
:INPUT ACCEPT [184427:16368809]
:FORWARD ACCEPT [51813:15655527]
:OUTPUT ACCEPT [175236:25854567]
:POSTROUTING ACCEPT [227050:41510422]
COMMIT
# Completed on Sat Aug 17 14:08:42 2019
# Generated by iptables-save v1.6.2 on Sat Aug 17 14:08:42 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [248:16517]
:OUTPUT ACCEPT [0:0]
:forwarding_iot_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_iot_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_iot_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_iot_dest_ACCEPT - [0:0]
:zone_iot_forward - [0:0]
:zone_iot_input - [0:0]
:zone_iot_output - [0:0]
:zone_iot_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i br-iot -m comment --comment "!fw3" -j zone_iot_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i br-iot -m comment --comment "!fw3" -j zone_iot_forward
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o br-iot -m comment --comment "!fw3" -j zone_iot_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_iot_dest_ACCEPT -o br-iot -m comment --comment "!fw3" -j ACCEPT
-A zone_iot_forward -m comment --comment "!fw3: Custom iot forwarding rule chain" -j forwarding_iot_rule
-A zone_iot_forward -m comment --comment "!fw3: Zone iot to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_iot_forward -m comment --comment "!fw3: Zone iot to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_iot_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_iot_forward -m comment --comment "!fw3" -j zone_iot_dest_ACCEPT
-A zone_iot_input -m comment --comment "!fw3: Custom iot input rule chain" -j input_iot_rule
-A zone_iot_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_iot_input -m comment --comment "!fw3" -j zone_iot_src_ACCEPT
-A zone_iot_output -m comment --comment "!fw3: Custom iot output rule chain" -j output_iot_rule
-A zone_iot_output -m comment --comment "!fw3" -j zone_iot_dest_ACCEPT
-A zone_iot_src_ACCEPT -i br-iot -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to iot forwarding policy" -j zone_iot_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_ACCEPT -i eth1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Sat Aug 17 14:08:42 2019
root@OpenWrt:~# 

To avoid double NAT, set up FritzBox 6490:

  • Create a static DHCP lease for the MAC address of the OpenWrt WAN interface or configure the WAN interface statically.
  • Add a static route to 192.168.10.0/24 via the IP address of the OpenWrt WAN interface.

Otherwise, you can just enable masquerading for the WAN firewall zone on OpenWrt.
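An added check for the two options above (example script written for this thread, not code from the OpenWrt project or from any poster): it reads `uci show firewall` and `ip r` text and reports, for every LAN-side subnet on the router (the setup here has two, lan and iot), whether the subnet is masqueraded behind the WAN address or whether the upstream FritzBox needs a static route for it via the OpenWrt WAN IP. The inputs are constructed from the values posted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: decide, per LAN-side subnet of an
# OpenWrt router, whether the upstream router needs a static return route
# (WAN zone without masquerading) or whether the subnet is hidden behind
# the WAN address (masq enabled). Inputs are constructed from the
# `uci show firewall` and `ip r` output shown in the thread.

# Constructed excerpt of `uci show firewall` with masq off (as posted).
UCI_FW_NOMASQ=$(cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan wan6'
firewall.@zone[2]=zone
firewall.@zone[2].name='iot'
firewall.@zone[2].network='iot'
EOF
)

# Same zones, but with the "enable masquerading" alternative applied.
UCI_FW_MASQ=$(printf '%s\n%s\n' "$UCI_FW_NOMASQ" "firewall.@zone[1].masq='1'")

# Constructed `ip r` output matching the router in the thread.
IP_R=$(cat <<'EOF'
default via 192.168.0.1 dev eth1  src 192.168.0.2
192.168.0.0/24 dev eth1 scope link  src 192.168.0.2
192.168.10.0/24 dev br-lan scope link  src 192.168.10.1
192.168.252.0/22 dev br-iot scope link  src 192.168.252.1
EOF
)

# zone_masq UCIDUMP ZONENAME -> prints 1 (masq on), 0 (off) or "nozone".
zone_masq() {
    sec=$(printf '%s\n' "$1" \
        | sed -n "s/^\(firewall\.@zone\[[0-9]*]\)\.name='$2'\$/\1/p" | head -n 1)
    [ -n "$sec" ] || { echo nozone; return 0; }
    # -x -F: match the whole line literally, so "[1]" is not a regex class.
    if printf '%s\n' "$1" | grep -qxF "$sec.masq='1'"; then echo 1; else echo 0; fi
}

# wan_dev IPROUTE -> interface carrying the default route.
wan_dev() {
    printf '%s\n' "$1" | awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") print $(i+1) }'
}

# wan_src IPROUTE -> preferred source address of the default route; this is
# the next hop the upstream router's static route must point at.
wan_src() {
    printf '%s\n' "$1" | awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "src") print $(i+1) }'
}

# lan_subnets IPROUTE -> directly connected subnets on interfaces other than
# the WAN interface, one per line.
lan_subnets() {
    wan=$(wan_dev "$1")
    printf '%s\n' "$1" | awk -v wan="$wan" '
        $1 != "default" && /scope link/ {
            for (i = 1; i < NF; i++) if ($i == "dev" && $(i+1) != wan) print $1
        }'
}

# route_plan UCIDUMP IPROUTE -> one verdict line per LAN-side subnet.
route_plan() {
    masq=$(zone_masq "$1" wan)
    via=$(wan_src "$2")
    lan_subnets "$2" | while read -r net; do
        if [ "$masq" = "1" ]; then
            echo "$net masqueraded behind $via"
        else
            echo "$net needs upstream static route via $via"
        fi
    done
}

echo "== WAN zone without masq (as posted) =="
route_plan "$UCI_FW_NOMASQ" "$IP_R"
echo "== WAN zone with masq enabled =="
route_plan "$UCI_FW_MASQ" "$IP_R"
```

On a live router, pass the real `uci show firewall` and `ip r` output to `route_plan` instead of the constructed strings; every subnet it lists as needing a route must have one on the upstream box, or return traffic for that subnet is dropped there.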

I already have a static DHCP lease and static routes configured on my 6490.
My hope was that I could get it working again without double NAT, as it worked before.

In the meantime I tried to get a firmware downgrade for the 6490 back to the version with which it worked before.
But for cable routers AVM still has no service downloads for end users that run their own routers.
So I requested assistance from AVM customer service.

We'll see ...


Just spotted something else that might be of interest.

My laptop is the only device that is able to access the internet from behind the OpenWRT router.
But only when using the network connection of the connected Lenovo USB-C dock.
Not via wifi and not by direct network connection to the router (as all other devices in the network).

Checking the outputs of ip a and route, the only difference I could spot on the client side is a way lower route metric on the USB-C connection.

USB-C DOCK
quest@blackbook:~ $ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: wlp4s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether ba:2d:23:05:22:99 brd ff:ff:ff:ff:ff:ff
4: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 54:e1:ad:36:aa:ca brd ff:ff:ff:ff:ff:ff
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 9a:ad:01:09:ff:e8 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
6: enp12s0u1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:b6:8c:b8:b5 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.139/24 brd 192.168.10.255 scope global dynamic noprefixroute enp12s0u1
       valid_lft 43188sec preferred_lft 43188sec
    inet6 2a02:810d:340:7d9c::7e6/128 scope global dynamic noprefixroute 
       valid_lft 5505sec preferred_lft 1905sec
    inet6 fd47:82bf:4b2d::7e6/128 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fd47:82bf:4b2d:0:d817:42fc:7ff3:5cbb/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 2a02:810d:340:7d9c:b4c9:27a5:aa88:3ab2/64 scope global dynamic noprefixroute 
       valid_lft 5504sec preferred_lft 1904sec
    inet6 fe80::ecf9:6a2d:ae4:647f/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
quest@blackbook:~ $ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         OpenWrt.fdb.fue 0.0.0.0         UG    100    0        0 enp12s0u1
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.10.0    0.0.0.0         255.255.255.0   U     100    0        0 enp12s0u1

DIRECT CABLE
quest@blackbook:~ $ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: wlp4s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether b6:0b:62:a1:73:7b brd ff:ff:ff:ff:ff:ff
4: enp0s31f6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 54:e1:ad:36:aa:ca brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.138/24 brd 192.168.10.255 scope global dynamic noprefixroute enp0s31f6
       valid_lft 43077sec preferred_lft 43077sec
    inet6 2a02:810d:340:7d9c::67e/128 scope global dynamic noprefixroute 
       valid_lft 6863sec preferred_lft 3263sec
    inet6 fd47:82bf:4b2d::67e/128 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fd47:82bf:4b2d:0:9c54:9d3c:bdec:b664/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 2a02:810d:340:7d9c:44be:cf3f:51e0:b6d3/64 scope global dynamic noprefixroute 
       valid_lft 6863sec preferred_lft 3263sec
    inet6 fe80::44e1:6291:8849:44fd/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 9a:ad:01:09:ff:e8 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
6: enp12s0u1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:b6:8c:b8:b5 brd ff:ff:ff:ff:ff:ff
quest@blackbook:~ $ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         OpenWrt.fdb.fue 0.0.0.0         UG    20100  0        0 enp0s31f6
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.10.0    0.0.0.0         255.255.255.0   U     100    0        0 enp0s31f6

WIFI
quest@blackbook:~/Projekte/misc/owrt config/etc/config $ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: wlp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether f8:59:71:a7:c0:88 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.137/24 brd 192.168.10.255 scope global dynamic noprefixroute wlp4s0
       valid_lft 43193sec preferred_lft 43193sec
    inet6 2a02:810d:340:7d9c::166/128 scope global dynamic noprefixroute 
       valid_lft 5443sec preferred_lft 1843sec
    inet6 fd47:82bf:4b2d::166/128 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fd47:82bf:4b2d:0:fac5:e9ab:b43b:3079/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 2a02:810d:340:7d9c:48e1:2628:abc1:1e94/64 scope global dynamic noprefixroute 
       valid_lft 5443sec preferred_lft 1843sec
    inet6 fe80::3e38:fdde:e7a2:ba95/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
4: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 54:e1:ad:36:aa:ca brd ff:ff:ff:ff:ff:ff
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 9a:ad:01:09:ff:e8 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
6: enp12s0u1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:b6:8c:b8:b5 brd ff:ff:ff:ff:ff:ff
quest@blackbook:~/Projekte/misc/owrt config/etc/config $ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         OpenWrt.fdb.fue 0.0.0.0         UG    20600  0        0 wlp4s0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.10.0    0.0.0.0         255.255.255.0   U     600    0        0 wlp4s0

Verify that the IP address of the configured static lease, as well as the route gateway, is 192.168.0.2.

Check from the laptop:

tracepath -4 -n example.org
tracepath -6 -n example.org

It likely uses IPv6 by default:
https://ipv6-test.com/

Try enabling masq.