OpenWrt - PI4 with cable modem as a bridge. No internet

H,
I am trying to do a very simple basic OpenWRT on PI4, and can't get it working.
PI4 build is "openwrt-bcm27xx-bcm2711-rpi-4-ext4-factory".

I added USB3 adapter to create a "multi-homed" PI4, added UPNP package and Lucy, created two interfaces - "lan/eth0" with static IP, and "wan/eth1" with DHCP client.

DNSMask is turned off (I don't think it matters).
Ethernet port of PI ("lan") is connected to the unmanaged switch, USB3 adapter ("wan") is connected to the port 1 of Arris TG162S cable modem.
Modem is set to bridge mode.

If I connect my laptop to the same port on Arris, it gets its IP, DNS and gateway settings, and I get internet connectivity.

After I modified OpenWRT interface setting for wan interface (turned "broadcast" on and made it use cable modem MAC) it gets IP from the internet provider, but that's all. I can't ping any IP address (i.e. 8.8.8.8) from Web "Diagnostics", or from ssh terminal, obviously dns queries fail as well.

Route returns

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default        AAA.BBB.49.1    0.0.0.0         UG    0      0        0 eth1
AAA.BBB.49.0    *               255.255.255.0   U     0      0        0 eth1
192.168.XXX.0    *               255.255.255.0   U     0      0        0 br-lan

when both interfaces are connected to the bridge, "wan" gets its address from my local DHCP server, and I can ping it via either "lan" or "wan" ip address, so USB3 adapter seems to work.

It is my first OpenWRT installation, and probably it is something very simple and stupid

Any ideas ?

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

192.168 and FDXX IPs are private, no need to hide them.

Aside from the necessary configuration files mentioned by trendy, I'd start small and from scratch again.

• flash the current OpenWrt again, don't retain settings or anything else
• make sure that the WAN USB ethernet card is working and has all necessary drivers installed
• don't install any optional packages (no UPnP, nothing aside from the necessary ethernet drivers)
• keep the configuration at its defaults as much as possible (dhcp client on WAN)
• leave dnsmasq/ odhcpd enabled (for LAN)
• switch the cable modem off for 15 minutes, then switch it on again - let it fully boot up and sync with the line (~3-5 minutes)
• only now physically connect your RPi's WAN with the cable modem

Test it, provide the debugging info mentioned above.

Hi,
I can't have a whole household disconnected from internet, so I reverted to previous setup (Arris as a router), and those commands were run then PI4 is connected to my network via "lan"/eth0 interface, and its wan port is disconnected.
If it is not good enough, I'll rerun them when PI4 is connected to the Arris in modem mode, as in my initial try.

root@OpenWrt:~# ubus call system board; \
> uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.*
/tmp/resolv.* /tmp/resolv.*/*
{
        "kernel": "5.4.97",
        "hostname": "OpenWrt",
        "model": "Raspberry Pi 4 Model B Rev 1.2",
        "board_name": "raspberrypi,4-model-b",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r15734-6934d30cf8",
                "target": "bcm27xx/bcm2711",
                "description": "OpenWrt SNAPSHOT r15734-6934d30cf8"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd74:a7bd:d427::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '192.168.10.254'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option peerdns '0'
        list dns '192.168.10.244'

config interface 'wan'
        option proto 'dhcp'
        option delegate '0'
        option ifname 'eth1'
        option hostname '*'
        option macaddr 'F8:A0:97:E6:40:2E'
        option broadcast '1'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ignore '1'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.10.254/24 brd 192.168.10.255 scope global br-lan
       valid_lft forever preferred_lft forever
192.168.10.0/24 dev br-lan scope link  src 192.168.10.254
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.10.0 dev br-lan table local scope link  src 192.168.10.254
local 192.168.10.254 dev br-lan table local scope host  src 192.168.10.254
broadcast 192.168.10.255 dev br-lan table local scope link  src 192.168.10.254
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd74:a7bd:d427::1/60 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::dea6:32ff:fe9f:7e16/64 scope link
       valid_lft forever preferred_lft forever
fd74:a7bd:d427::/64 dev br-lan  metric 1024
unreachable fd74:a7bd:d427::/48 dev lo  metric 2147483647
fe80::/64 dev br-lan  metric 256
local ::1 dev lo table local  metric 0
anycast fd74:a7bd:d427:: dev br-lan table local  metric 0
local fd74:a7bd:d427::1 dev br-lan table local  metric 0
anycast fe80:: dev br-lan table local  metric 0
local fe80::dea6:32ff:fe9f:7e16 dev br-lan table local  metric 0
multicast ff00::/8 dev br-lan table local  metric 256
0:      from all lookup local
32766:  from all lookup main
4200000001:     from all iif lo lookup unspec 12
4200000005:     from all iif br-lan lookup unspec 12
lrwxrwxrwx    1 root     root            16 Feb 11 22:58 /etc/resolv.conf -> /tmp/resolv.conf
lrwxrwxrwx    1 root     root            35 Feb 13 10:33 /tmp/resolv.conf -> /tmp/resolv.conf.d/resolv.conf.auto
-rw-r--r--    1 root     root             0 Feb 13 10:47 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root             0 Feb 13 10:47 resolv.conf.auto
==> /etc/resolv.conf <==

==> /tmp/resolv.conf <==

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
root@OpenWrt:~#

I posted configuration output in my previous reply. If nothing helps I'll start from fresh tonight (can't play with internet when the whole family is at home).
I don't think the problem is with the modem, as my laptop can connect through it to internet when it is in bridge mode, and PI4 gets correct IP/gateway settings on its WAN interface.
The problem is "inside" OpenWRT configuration.

Meanwhile I did some experiment with alternative configuration (I hoped the problem would reproduce itself, but instead I get another problem).
I created a separate network (192.168.11.0), connected PI4 lan port to it with static IP, and connected its WAN port to my home network, with hope that either it won't work at all, or will work flawlessly.

The reality was more complicated
Computer connected to the lan (both as static IP and with DHCP - when I enable DHCP on OpenWRT) connects and can ping everything (my home network, and internet).
Internet pings are frequently timed out, pings to my home network are very fast (<1ms).
DNS queries work.
Same behavior is observed when doing "diagnostic" from Lucy web interface.
When I try to open any site on the computer connected to the lan, it times out or opens very slow.
Changes relative to my original setup - upnp disabled, dnsmask and odhcpd started (or stopped, it doesn't matter).
Tried to put "wan" IP of PI4 into DMZ of my router - didn't change anything.

All connectivity is over wired network
This "test" configuration serves no practical purposes, but enables me to conduct experiments without taking internet down. I post "debug info" for this configuration, but honestly I am not sure it is worth to explore, as behavior is different compared to PI4-bridge combination.

root@OpenWrt:~# ubus call system board; \
> uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.*
/t
{
        "kernel": "5.4.97",
        "hostname": "OpenWrt",
        "model": "Raspberry Pi 4 Model B Rev 1.2",
        "board_name": "raspberrypi,4-model-b",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r15734-6934d30cf8",
                "target": "bcm27xx/bcm2711",
                "description": "OpenWrt SNAPSHOT r15734-6934d30cf8"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd74:a7bd:d427::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option peerdns '0'
        list dns '192.168.10.244'
        option ipaddr '192.168.11.254'

config interface 'wan'
        option proto 'dhcp'
        option delegate '0'
        option ifname 'eth1'
        option hostname '*'
        option macaddr 'F8:A0:97:E6:40:2E'
        option broadcast '1'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ra_management '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    inet 192.168.10.238/24 brd 192.168.10.255 scope global eth1
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.11.254/24 brd 192.168.11.255 scope global br-lan
       valid_lft forever preferred_lft forever
default via 192.168.10.250 dev eth1  src 192.168.10.238
192.168.10.0/24 dev eth1 scope link  src 192.168.10.238
192.168.11.0/24 dev br-lan scope link  src 192.168.11.254
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.10.0 dev eth1 table local scope link  src 192.168.10.238
local 192.168.10.238 dev eth1 table local scope host  src 192.168.10.238
broadcast 192.168.10.255 dev eth1 table local scope link  src 192.168.10.238
broadcast 192.168.11.0 dev br-lan table local scope link  src 192.168.11.254
local 192.168.11.254 dev br-lan table local scope host  src 192.168.11.254
broadcast 192.168.11.255 dev br-lan table local scope link  src 192.168.11.254
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::faa0:97ff:fee6:402e/64 scope link
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd74:a7bd:d427::1/60 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::dea6:32ff:fe9f:7e16/64 scope link
       valid_lft forever preferred_lft forever
fd74:a7bd:d427::/64 dev br-lan  metric 1024
unreachable fd74:a7bd:d427::/48 dev lo  metric 2147483647
fe80::/64 dev br-lan  metric 256
fe80::/64 dev eth1  metric 256
local ::1 dev lo table local  metric 0
anycast fd74:a7bd:d427:: dev br-lan table local  metric 0
local fd74:a7bd:d427::1 dev br-lan table local  metric 0
anycast fe80:: dev br-lan table local  metric 0
anycast fe80:: dev eth1 table local  metric 0
local fe80::dea6:32ff:fe9f:7e16 dev br-lan table local  metric 0
local fe80::faa0:97ff:fee6:402e dev eth1 table local  metric 0
multicast ff00::/8 dev br-lan table local  metric 256
multicast ff00::/8 dev eth1 table local  metric 256
0:      from all lookup local
32766:  from all lookup main
4200000001:     from all iif lo lookup unspec 12
4200000003:     from all iif eth1 lookup unspec 12
4200000006:     from all iif br-lan lookup unspec 12
lrwxrwxrwx    1 root     root            16 Feb 11 22:58 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Feb 13 11:35 /tmp/resolv.conf
-rw-r--r--    1 root     root            96 Feb 13 11:35 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            96 Feb 13 11:35 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1
head: /t: No such file or directory
root@OpenWrt:~# mp/resolv.* /tmp/resolv.*/*
-ash: mp/resolv.*: not found

Remove this from LAN. It belongs in WAN if you wanted to override the DHCP-supplied DNS server IP, but when testing you should not override.

I'm not sure if that's even a legal setting. A few cable companies do not like when you send a hostname.

Also remove the IPv6 related configs from dhcp/lan.

Re DNS - I tried to remove them, but it doesn't change anything (I am talking about a test setup). The IP is of my DNS server, and is the same that is handed to "wan" interface as part of DHCP.

Re hostname '*' - I think it is automatically entered by Lucy interface. I set "do not set hostname" option. Anyway, in test setup it doesn't matter, as wan interface gets all correct settings from my main DHCP server.

Now, I see very strange behavior of traacert:

From desktop, connected to the main lan:

Tracing route to www.google.com [216.58.212.196]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  gtw.home [192.168.10.250]
  2    24 ms    13 ms    15 ms  10.24.2.1
  3     *        *        *     Request timed out.
  4    15 ms    15 ms    16 ms  172.17.4.222
  5     *        *        *     Request timed out.
  6    16 ms    28 ms    13 ms  bras-mrk02-core-inter-ctx.012.net.il [212.199.139.77]
  7    13 ms    23 ms    14 ms  82.102.132.77
  8    20 ms    13 ms    23 ms  82.102.132.78
  9    80 ms    86 ms   102 ms  edge-fra-01-so-2-1-0-2-0.ip4.012.net.il [80.179.166.25]
 10    73 ms    81 ms    71 ms  72.14.212.234
 11    87 ms    80 ms    78 ms  108.170.251.209
 12    95 ms    80 ms    80 ms  209.85.252.214
 13    81 ms    79 ms    79 ms  209.85.142.96
 14    84 ms    81 ms    85 ms  209.85.142.167
 15    80 ms    77 ms   102 ms  216.239.58.2
 16    79 ms    81 ms    88 ms  108.170.246.129
 17    73 ms    71 ms    70 ms  209.85.248.241
 18    77 ms    82 ms    75 ms  ams16s21-in-f4.1e100.net [216.58.212.196]

Trace complete.

from laptop, connected (wired) to the PI4, which has its "wan" interface on my lan

Tracing route to www.google.com [216.58.212.196]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  OpenWrt.lan [192.168.11.254]
  2     2 ms     2 ms     2 ms  192.168.10.250
  3    35 ms    18 ms    18 ms  10.24.2.1
  4     *        *        *     Request timed out.
  5    15 ms    14 ms    11 ms  172.17.4.222
  6     *        *        *     Request timed out.
  7    40 ms    16 ms    36 ms  bras-mrk02-core-inter-ctx.012.net.il [212.199.139.77]
  8    13 ms    15 ms    23 ms  82.102.132.77
  9    16 ms    14 ms    14 ms  82.102.132.78
 10    81 ms    84 ms    81 ms  edge-fra-01-so-2-1-0-2-0.ip4.012.net.il [80.179.166.25]
 11    75 ms    65 ms    68 ms  72.14.212.234
 12    92 ms    84 ms    84 ms  108.170.251.209
 13    90 ms    89 ms    81 ms  209.85.252.214
 14   107 ms    96 ms    85 ms  209.85.142.96
 15    85 ms    84 ms    81 ms  209.85.142.167
 16   128 ms    79 ms   100 ms  216.239.58.2
 17    81 ms    82 ms    81 ms  108.170.246.129
 18    73 ms    77 ms    77 ms  209.85.248.241
 19    81 ms    80 ms     *     lhr25s27-in-f4.1e100.net [216.58.212.196]
 20    81 ms    79 ms     *     lhr25s27-in-f4.1e100.net [216.58.212.196]
 21    82 ms    80 ms     *     lhr25s27-in-f4.1e100.net [216.58.212.196]
 22    81 ms    78 ms     *     lhr25s27-in-f4.1e100.net [216.58.212.196]
 23    84 ms    82 ms     *     lhr25s27-in-f4.1e100.net [216.58.212.196]
 24    85 ms    97 ms     *     lhr25s27-in-f4.1e100.net [216.58.212.196]
 25    83 ms    83 ms     *     lhr25s27-in-f4.1e100.net [216.58.212.196]
 26    81 ms    82 ms     *     lhr25s27-in-f4.1e100.net [216.58.212.196]
 27    86 ms    82 ms     *     lhr25s27-in-f4.1e100.net [216.58.212.196]
 28    80 ms    81 ms     *     lhr25s27-in-f4.1e100.net [216.58.212.196]
 29    82 ms    84 ms     *     lhr25s27-in-f4.1e100.net [216.58.212.196]
 30    88 ms    84 ms     *     lhr25s27-in-f4.1e100.net [216.58.212.196]

note that it is cut-off by 30 hops limit.

More info:
If I remove custom DNS from lan interface, I can't get any name resolution from openwrt ssh terminal (that's expected).
If I set it to my DNS server which is on home lan (accessible via "wan" interface of PI4) - everything works.
If I set it to external DNS (8.8.8.8) - I can't get any name resolution again.

In all 3 scenarios external name queries (from computer connected to "lan" interface of PI4) work as expected (dnsmask on PI4 is enabled in all 3 cases).
I can ping 8.8.8.8 from openwrt ssh even if I don't have a name resolution.
Ping loss and browsing timeouts are not affected by all those experiments.

I haven't read the whole thing but chiming in here to say that most modems lock to the first MAC address they hear. It's no good to connect your laptop and make sure everything is working because that will lock your PI out of the modem. You have to do the cable modem dance... Turn off cable modem for at least 30 seconds... Unplug anything from it's ethernet port.... Plug cable modem power back in.... Wait 1 minute or so... Then plug PI ethernet in to cable modem. Cable modem will now lock to PI MAC address and you can proceed... Whenever you change which device is directly connected to cable modem you have to do this dance

Why did you set it up at such low value? The default is 4096.

Why did you set this in wan?

It was set by Lucy (or something else) or it is default in this build.
I have no idea what those values are and never modified them manually. Maybe it is result of some setting in Lucy that I did (unintentionally).

If you think it would help - tell me correct settings and I'll edit those files from ssh and then reboot.

Hi, thanks for the suggestion, will try it again, but honestly - I am sceptical. I connected laptop after trying to understand what is wrong with PI4 for ~15 minutes. PI4 sends Wan Mac of the modem, and gets Dhcp result. But thanks nevertheless.

Wiki needs to be updated then, it still shows the 4096 as default.

@alexarl for a start remove the delegate 0 option.

Enable logging of dns in dnsmasq settings and check if there is anything interesting in the logs.
Install and run tcpdump to check the packets tcpdump -i any -evn host 8.8.8.8 and udp port 53 then run nslookup openwrt.org 8.8.8.8

If this means you set your PI WAN to have the same MAC as the modem uses then that is definitely an incorrect configuration. Do not alter the MAC of the PI. Just leave the mac as default then do the powering off dance

Will try, but I think it was my initial attempt. Then PI4 didn't get any dhcp response. When I added "force broadcast" and copied modem MAC it started to get a response with correct values. Tomorrow I will reset everything and start with "zeroed" fresh Openwrt on another SD card.

I succeed to reproduce (kind of) a problem in a test environment.
PI4 routing works for a very short time after reboot, then wan interface stops receiving packets (TX counter increases, but RX is not). Restart of the interface doesn't help, only reboot. It succeeds to receive DHCP response (as in case with modem in bridge mode), but in test environment, if I am fast enough, I can load a start page of some site (i.e. cnet).
The "catch" is that now I connected my "test computer" to PI4 using WiFi, and not wired, so it is not an identical setup, but anyway - it shouldn't happen.

The suspect is the USB3 adapter. The physical card is OK as it usually used by Android TV box and works perfectly, so the problem is either with its driver, or with its configuration.

USB3 that I use is kmod-usb-net-asix-ax88179.
I can't see anything suspicious in logs (system or kernel).

Any ideas ?

If you are cloning the MAC of the modem then you have two devices connected to each other which have the same MAC address, this is expected to break. Make sure you get rid of this MAC clone... reboot the cable modem, then try.