OpenWrt can ping internet but clients cannot

Hi OpenWrt-Experts out there,

[Sorry for the long text, but I hope this helps to better understand my lack of knowledge and the current technical situation...]

I'm a newbie in OpenWrt and obviously so far do not understand core concepts of networking configuration.

My goal is to implement an OpenWrt-based solution for parental control at home. OpenWrt (Fritzbox 3370) is placed behind the ISP router (Fritzbox 7390, connected via VDSL). Then I want to limit internet access on MAC level together with time limitations... I found some high-level articles about that and think that this target can be reached...

I already flashed the FB3370 with "OpenWrt 19.07.3 r11063-85e04e9f46 / LuCI openwrt-19.07 branch git-20.136.49537-fb2f363" and am able to access the web frontend and SSH.

OpenWrt: 192.168.0.96
ISP router FritzBox 7390: 192.168.0.97 (and fallback IP 169.254.1.1)
Port 1 of OpenWrt is connected to ISP router
Ports 2-4 of OpenWrt are connected to local clients (192.168.0.*)

Then I created 2 VLANs as FB3370 does not seem to have a dedicated UPLINK port.
#1 for lan
#2 for wan (--> FB7390)

So far OpenWrt can access LAN devices and vice versa. Local routing works.
Then I found out that I need a static route to enable OpenWrt to access the internet.
route: WAN/0.0.0.0/0.0.0.0/169.254.1.1

If I understood correctly, the ISP router is usually in a different subnet than the OpenWrt router. This is why I use the fallback IP 169.254.1.1 of the ISP router for the moment.
I try to leave the configuration of the ISP router unchanged as long as possible, until I know enough about OpenWrt to finish the implementation soon.

Current problem:
Client devices cannot access internet.

I played around with further static routes but nothing worked so far. Several times I had to access OpenWrt via failsafe mode and revert changes in /etc/config/network by hand... :frowning:

Could you please help me to better understand the relevant background I need to achieve the target?
(please point me to articles I can understand with my current limited knowledge)

Very helpful so far were those links:

Thanks a lot in advance
Eva

@eva.luation, welcome to the community!

What does this mean???

You do realize that isn't a routable IP address, correct?

This depends on what you mean. If you made a WAN port and connected to the Fritz, they would be on the same subnet. You would be addressing LAN differently.

Since I believe I do have a somewhat similar setup I like to clarify your topology:
ISP <--> 7390 <--> 3370 <--> client
If so, your ISP gives the 7390 an external IP and it itself is the DHCP server for the internal network (default 192.168.178.1?). Then you split the switch on the 3370 so you have a "pseudo WAN port" and do the same thing again. The WAN interface on the 3370 gets an "external IP" from the 7390 and creates an internal subnet where it is the DHCP server? Clients get IPs from the 3370.

If so it should mostly be firewall rules and not necessarily routing config in /etc/config/network.

Anyway, you should avoid having, from OpenWrt's perspective, the same subnet on the WAN side and on the LAN side. That might confuse the routing.

Hi,

thanks for the quick answers and further questions.
I did several more tests and changed some confusing points of my scenario above (i.e. fallback IP no longer used)

@Nocte: yes, my topology is ISP<->7390<->3370<->client
@lleachii: replaced IP 169.254.1.1 with the manually configured static IP 192.168.2.1 to avoid unusual special cases

I started with this confusing situation (7390 and 3370 in the same subnet), changed then to 2 separate subnets 169.254.1 and 192.168.0, and now to 192.168.2 and 192.168.0.
AFAIK this should now be the "normal use case", right?

7390 gets external IP from ISP dynamically
7390 itself has IP 192.168.2.1
3370 has 4 ports split into 2 VLANs
VLAN1 for clients: OpenWrt has static IP 192.168.0.96, clients get IPs via DHCP with /etc/hosts and /etc/ethers
VLAN2 for uplink to 7390: OpenWrt has static IP 192.168.2.2

Firewall should allow everything:
general setting: accept/accept/reject
LAN->WAN: accept/accept/accept
WAN->LAN: accept/accept/accept

From the SSH console of OpenWrt:
I can

  • ping own LAN IP address 192.168.0.96
  • ping own WAN IP address 192.168.2.2
  • ping 7390 IP address 192.168.2.1
  • ping local NAS server on 192.168.0.31
  • nslookup www.openwrt.org works
  • ping www.openwrt.org works
    -- ping to internet initially did not work; I had to create static route WAN/0.0.0.0/0.0.0.0/192.168.2.1

From client (windows 10 laptop with IP 192.168.0.67)

  • ping 192.168.0.96 (OpenWrt LAN VLAN) works
  • ping 192.168.2.2 (OpenWrt WAN VLAN) works
  • nslookup www.openwrt.org works
    BUT
  • no ping to internet
  • no ping to IP 192.168.2.1 of 7390

Played around with several additional static routes like

  • LAN/192.168.2.0/255.255.255.0/192.168.2.2
  • LAN/192.168.2.1/255.255.255.255/192.168.2.2
    No changes.

@Nocte: Could you help me to check this? What information should I provide?
Just had a look at the traffic rules but don't understand much of that.
Beside this I have no port forwards, NAT rules or custom rules. Should I have some?

Thanks a lot for your help!!
Greetings
Eva

P.S.:
When looking at Network->Interfaces
LAN is green while WAN is red. Does this matter?
From SSH WAN is working as I can nslookup and ping openwrt.org

@Nocte: It was the missing NAT in the firewall configuration!

Just created this rule "protocol ANY, outbound WAN, source ANY, destination ANY, ACCEPT"
and now I can reach the 7390 and the internet!

Thanks a lot!!!

Now the challenge of "parental control rules" can begin :slight_smile:

Glad you got it working.

(I'm wondering why some of these default configs were missing in the first place.) The original zone rules should have done this.

s**t - wanted to get rid of some unnecessary test configuration and it is broken again

Still have the NAT rule active
Deleted the static routes as I thought they are now unnecessary - big mistake
Recreated rule WAN/0.0.0.0/0.0.0.0/192.168.2.1 => internet on OpenWrt works again
But no luck with LAN clients.

Do you have a similar configuration and could help me? Do you also need static routes?

Greetings
Eva

is this a valid static route to enable LAN to route internet requests via 192.168.2.1 to ISP?

LAN/192.168.2.0/255.255.255.0/192.168.2.2
also tried with 192.168.2.1/255.255.255.255 and replaced the gateway with 192.168.2.1 and 192.168.0.96
nothing works... getting crazy. I am very convinced that it already worked with one of those rules...

@eva.luation
First of all, sorry for my messed-up syntax and semantics that you cited before. It was probably too late yesterday evening.

To get this out of the way: the color of a firewall zone is a hash of its name. So the color changes if you start the zone name with an upper-case letter compared to a lower-case letter. Apart from the configuration of the zones it only depends on what color you like. I was wondering about that in the past myself :slight_smile:

Coming to your setup.
It surely worked with one configuration, but it is always everything together that needs to work, and that breaks a lot :sweat_smile:. So let the debugging begin.

First of all, we assume the 7390 is working as expected and routing all its clients' traffic via its default route into the internet. And we assume the 3370 is such a client. (You do have a non-standard configuration on your 7390, so please try to verify this if possible.) If that is given, your 3370 only needs to consider the 7390 as its WAN uplink. That should work by using your "special WAN port on the 3370" and configuring the respective virtual interface with protocol DHCP client and putting it in the wan firewall zone. That is supposed to work with a fresh OpenWrt default install.

As soon as you establish a LAN link between the 3370 and the 7390, your 3370 should request an IP from the 7390 and behave like every other client in the 7390's LAN. But crucially, the 3370 should have set the 7390 as its default gateway. Verify by SSHing into the 3370 and running ip route, which should show the default route at the top and should display the 7390's IP and the interface you have configured on the 3370 for WAN. Sorry for these confusing numbers.

If you still have issues, please do a minimal setup as described here and provide /etc/config/network and /etc/config/firewall. Remember to hide MAC and IP addresses and use "formatted text" here in the post.

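A check for the two things this post asks to verify (the default route in the output of ip route, and the wan zone settings in the output of uci show firewall), as an added example that is not part of the thread. It is plain POSIX sh working on the text output of those two commands, so it can be dry-run on a workstation with the constructed sample output below before being run on the 3370 itself. The gateway 192.168.2.1 and the device eth0.2 are taken from Eva's description of her uplink VLAN; the sample output is made up to match that addressing and was not captured from her router.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for the two things that
# broke Eva's setup, run on the *text* output of `ip route` and
# `uci show firewall`. Nothing OpenWrt-specific is executed here, so the
# functions can be dry-run anywhere with captured output.
#
# On the router:
#   check_default_route "$(ip route)" 192.168.2.1 eth0.2
#   check_wan_masq      "$(uci show firewall)"
#   check_lan_to_wan    "$(uci show firewall)"

# Exactly one default route, via the expected gateway, leaving on the expected
# device. Prints a reason on stderr and returns 1 otherwise.
check_default_route() {
    routes=$1 want_gw=$2 want_dev=$3
    n=$(printf '%s\n' "$routes" | grep -c '^default ' || true)
    [ "$n" -eq 1 ] || { echo "expected 1 default route, found $n" >&2; return 1; }
    line=$(printf '%s\n' "$routes" | grep '^default ')
    gw=$(printf '%s\n' "$line" | awk '{for (i = 1; i <= NF; i++) if ($i == "via") print $(i+1)}')
    dev=$(printf '%s\n' "$line" | awk '{for (i = 1; i <= NF; i++) if ($i == "dev") print $(i+1)}')
    [ "$gw" = "$want_gw" ] || { echo "default gateway is '$gw', expected $want_gw" >&2; return 1; }
    [ "$dev" = "$want_dev" ] || { echo "default route leaves via '$dev', expected $want_dev" >&2; return 1; }
}

# Index N of the firewall.@zone[N] whose name is $2 (empty if there is none).
zone_index() {
    printf '%s\n' "$1" | sed -n "s/^firewall\.@zone\[\([0-9]*\)]\.name='$2'$/\1/p" | head -n 1
}

# The zone named "wan" exists and has masq='1' (the LuCI "Masquerading" box).
# An ACCEPT traffic rule, as tried in the thread, does not satisfy this.
check_wan_masq() {
    idx=$(zone_index "$1" wan)
    [ -n "$idx" ] || { echo "no firewall zone named wan" >&2; return 1; }
    printf '%s\n' "$1" | grep -q "^firewall\.@zone\[$idx]\.masq='1'$" \
        || { echo "zone wan (index $idx) has masquerading off" >&2; return 1; }
}

# Some forwarding section has src='lan' and dest='wan'.
check_lan_to_wan() {
    for i in $(printf '%s\n' "$1" | sed -n "s/^firewall\.@forwarding\[\([0-9]*\)]\.src='lan'$/\1/p"); do
        printf '%s\n' "$1" | grep -q "^firewall\.@forwarding\[$i]\.dest='wan'$" && return 0
    done
    echo "no forwarding from zone lan to zone wan" >&2
    return 1
}

# Constructed sample output, modelled on the addressing in this thread
# (192.168.2.x uplink on eth0.2, 192.168.0.x LAN on br-lan); not captured
# from Eva's router.
SAMPLE_ROUTES_OK='default via 192.168.2.1 dev eth0.2 proto static src 192.168.2.2
192.168.0.0/24 dev br-lan proto kernel scope link src 192.168.0.96
192.168.2.0/24 dev eth0.2 proto kernel scope link src 192.168.2.2'

# The same table without the default route: what Eva saw before adding the
# static route, and again after deleting it.
SAMPLE_ROUTES_NO_DEFAULT=$(printf '%s\n' "$SAMPLE_ROUTES_OK" | grep -v '^default ')

SAMPLE_FW_OK="firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'"

# Same zones with the masquerading box un-ticked.
SAMPLE_FW_NO_MASQ=$(printf '%s\n' "$SAMPLE_FW_OK" | grep -v "\.masq=")

# Dry run on the constructed samples.
if check_default_route "$SAMPLE_ROUTES_OK" 192.168.2.1 eth0.2; then echo "routes OK sample: pass"; fi
if ! check_default_route "$SAMPLE_ROUTES_NO_DEFAULT" 192.168.2.1 eth0.2; then echo "routes no-default sample: fails as expected"; fi
if check_wan_masq "$SAMPLE_FW_OK"; then echo "firewall OK sample: masq on"; fi
if ! check_wan_masq "$SAMPLE_FW_NO_MASQ"; then echo "firewall no-masq sample: fails as expected"; fi
```

One caveat when using this on the router: a default route that only exists because of a hand-made static route passes check_default_route just the same as one installed by the DHCP client on the wan interface. The reason to prefer proto dhcp on that interface is that netifd installs and renews the route on its own; this check cannot tell the two apart, so also look at the interface protocol in /etc/config/network.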

@Nocte
Thanks a lot for helping!

ok, will ignore the coloring as GREEN/RED has nothing to do with WORKING/NOT WORKING...

SUCCESS!

Made those changes and now it works:

  • found some inconsistent names in /etc/config/network ("wan" vs. "WAN")
  • changed NAT rule to "protocol ANY, wan, source ANY, target ANY, MASQUERADE" (formerly ACCEPT)
  • removed all static routes except "wan/0.0.0.0/0.0.0.0/192.168.2.1"
  • rebooted OpenWrt

Many many thanks for the help!

Great ! I am happy that helped.

But some word of caution here.

Ideally that route should be put in place by OpenWrt and not manually as "default".

You are talking about NAT rules a lot. Maybe that is necessary for you, but I don't have any. Only tick the masquerading box in LuCI's firewall tab for the wan zone.

The naming here for interfaces / devices / labels is really something else and gets me all the time. Try to only change the things you need to get something working and then ideally according to documentation.

All in all I enjoy your enthusiastic way of tackling issues by trying something out. That is really good. But if you "go to production", keep changes to a minimum and try to understand them well. Otherwise I assure you that you will encounter undesired side effects in the future. Or even worse, you don't encounter them but they are there anyway...

If you're happy with your solution, consider marking it as solved and maybe change the title to include SOLVED as well, so references show this state too.

perhaps I deleted it by accident in early phases of "get to know OpenWrt"...

I read a lot about NAT, Double NAT and how to avoid. I also played around with this and perhaps changed this checkbox.
I would like to get rid of this internal NAT to be able to reach local devices from the ISP router and OpenWrt at the same time, and to have the possibility of using VPN, but wanted to address this at a later time...

Clear. Thanks for the warning.

Again, thanks a lot!

Could not find out how to edit the title to include "SOLVED". Have to search later for it.

Okay. I thought there would be some meaning to the second network / NATing. Just read up on dumb access points and work your way through. You don't want OpenWrt to handle anything, you just want to use it as some kind of layer 2 "switch extender". Apart from that... get rid of NATing completely by using IPv6 :man_shrugging:
So what you probably do is delete your pseudo WAN port and just use one of the default switch ports, set the lan interface protocol from static to DHCP and disable DHCP serving. Caution! If you do this without thinking, your router loses its IP and will not be reachable anymore without getting one from somewhere else (your main router, for example). If you mess anything up you will need to go into failsafe mode.
But in the end that should be pretty much what you want.

I personally use a statically configured backup port, similar to what you have done with the WAN port:

# Management interface on its own VLAN; reachable even if the main
# LAN configuration is broken.
config interface 'backup'
        # eth0.2 = tagged VLAN ID 2 on the switch CPU port (see vid below)
        option ifname 'eth0.2'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option ip6hint '4'

config switch_vlan
        option device 'switch0'
        # 'vlan' is only the UCI section index, 'vid' is the real VLAN ID
        option vlan '3'
        # switch port 4 untagged, CPU port 6 tagged
        option ports '4 6t'
        option vid '2'

Then you can configure a static address on your device and connect to that ip on your configured wan port

And for that you should be able to find some kind of pencil symbol next to the name of the post where you can change it.

Not sure if the "dumb access point" is really my solution.

The bigger scenario why I want to introduce OpenWrt into my home network is

  • assign static IPs via DHCP to every one of my own devices in LAN/WLAN
  • control outbound network traffic for every device based on MAC
  • limit online times
  • introduce WHITE/BLACK lists, individually for groups of MAC addresses
  • ideally filter non-childsafe content (but with SSL I don't see a realistic chance to achieve this)
  • still able to use VPN with my smartphone and access devices on internal network

So far I used the built-in child protection functions and black list of the FritzBox 7390 for this, but it is far too easy to bypass.
I've read that many of those points can be achieved with OpenWrt.
I think an IPv6-only solution will not fit into my home network. Not sure if every device is able to deal with it, e.g. Tasmota wifi plugs, surveillance cameras and similar stuff.

Did I misunderstand your suggestion?

good idea.

no pencil there. I also cannot edit this first post anymore. Perhaps my "grade" is still too low...

Alright. So what you actually really want is having your whole network managed by OpenWrt with your custom config. But sure you need to start somewhere. So I think you are doing kind of good so far.
Regarding IPv6: unfortunately the internet as a whole is not yet at the point where using IPv6 only is sufficient. But I suggest you have a look into it and try to at least set up a dual-stack config at home, so that your devices get a global IPv6 address and are able to use the internet (might be difficult behind an ISP router though...).

Have a look at this. If you can't do this it might be due to you being new in the forum.

Thank you very much for the many tips. That helps me a lot!

I have not yet understood the concepts behind IPv6 and will probably start without IPv6, so as not to open security holes in the children's internet blocks. I still have to find out how to switch off IPv6 towards the WAN.

Blocking the internet for individual devices based on the time of day I currently do via traffic rules. But there are probably also packages that handle this more elegantly.

I still have a lot to learn and am curious how far I will get.

Thanks again for your valuable time! Maybe we will meet again soon in another help-seeking forum post of mine...
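The time-based blocking via traffic rules mentioned in this last post, as an added example that is not part of the thread: a small POSIX sh helper that emits the uci batch commands for one lan-to-wan REJECT rule matched on a client's source MAC and a daily time window. The firewall3 rule options it sets (src_mac, start_time, stop_time, weekdays, proto, family, target) are the ones shipped with OpenWrt 19.07; the rule name, the MAC 02:11:22:33:44:55 and the times are made-up values.

```shell
#!/bin/sh
# Added example, not from the thread: print a `uci batch` script that adds one
# time-limited, MAC-based block rule (zone lan -> zone wan) to
# /etc/config/firewall. Inputs are validated first so a typo does not end up
# as a rule that silently matches nothing. The MAC, name and times used below
# are constructed values.
#
# On the router:
#   parental_block_rule kid-laptop-night 02:11:22:33:44:55 21:00:00 06:30:00 "Sun Mon Tue Wed Thu" \
#     | uci batch && uci commit firewall && /etc/init.d/firewall reload

# Six colon-separated hex pairs.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# hh:mm:ss, 24-hour clock, as fw3 expects for start_time / stop_time.
valid_time() {
    printf '%s' "$1" | grep -Eq '^([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]$'
}

# parental_block_rule NAME MAC START STOP "WEEKDAYS"
# Prints the uci batch commands on stdout; prints nothing and returns 1 on bad input.
parental_block_rule() {
    name=$1 mac=$2 start=$3 stop=$4 days=$5
    valid_mac "$mac" || { echo "bad MAC address: $mac" >&2; return 1; }
    valid_time "$start" && valid_time "$stop" || { echo "bad time, want hh:mm:ss" >&2; return 1; }
    for d in $days; do
        case $d in
            Mon|Tue|Wed|Thu|Fri|Sat|Sun) ;;
            *) echo "bad weekday: $d" >&2; return 1 ;;
        esac
    done
    # proto 'all' (fw3's default is tcp+udp only) and family 'any' so the rule
    # also covers ICMP and, if IPv6 ever reaches the WAN, IPv6 traffic.
    cat <<EOF
add firewall rule
set firewall.@rule[-1].name='$name'
set firewall.@rule[-1].src='lan'
set firewall.@rule[-1].dest='wan'
set firewall.@rule[-1].src_mac='$mac'
set firewall.@rule[-1].proto='all'
set firewall.@rule[-1].family='any'
set firewall.@rule[-1].start_time='$start'
set firewall.@rule[-1].stop_time='$stop'
set firewall.@rule[-1].weekdays='$days'
set firewall.@rule[-1].target='REJECT'
EOF
}

# Dry run with a constructed, locally administered MAC; nothing is applied.
parental_block_rule kid-laptop-night 02:11:22:33:44:55 21:00:00 06:30:00 "Sun Mon Tue Wed Thu"
```

Two caveats a practitioner would want. The kernel time match wraps past midnight, but the weekday match is evaluated against the day the packet arrives, so a 21:00:00 to 06:30:00 window on "Sun Mon Tue Wed Thu" leaves Friday 00:00 to 06:30 open unless Fri is listed as well (or the window is split into an evening rule and a morning rule). And, as this thread already notes about the FritzBox filters, anything keyed on a MAC address is defeated by a device that changes its MAC, so a rule like this enforces a house rule rather than stopping a determined child.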
