OpenWrt pings internet and LAN clients but LAN clients cannot ping internet

Hello, please, I am having issues getting clients on the LAN network access to the internet. I am really new to OpenWrt but have tried reading and applying a lot of similar issues on this site to no avail, so please bear with me.

My Setup
I have installed OpenWrt on a hp thin client t530. I am using a USB3-RJ45 adapter for the WAN which connects to a LAN port on the ISP gateway router under DHCP. The gateway router when last checked had assigned an ip of 192.168.100.2 to the thin client.

The thin client is able to ping both internet and lan without issue. I have been able to execute opkg update etc... The devices on the Lan can ping themselves.

The Issue
The problem is that devices on the LAN cannot access the internet. OpenWrt is able to ping the internet and the LAN, but clients on the LAN cannot ping the internet, either by website name or by IP address. The details of my setup are as follows:

Below are the results from running the following commands:

ifconfig
ip a
ip r
ip ru
/etc/config/network
/etc/config/firewall

ifconfig

br-lan    Link encap:Ethernet  HWaddr F4:39:09:2E:1E:9B  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fd7f:5588:a2af::1/60 Scope:Global
          inet6 addr: fe80::f639:9ff:fe2e:1e9b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1853 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1575 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:209026 (204.1 KiB)  TX bytes:395763 (386.4 KiB)

eth0      Link encap:Ethernet  HWaddr F4:39:09:2E:1E:9B  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1866 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1575 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:235826 (230.2 KiB)  TX bytes:395763 (386.4 KiB)

eth1      Link encap:Ethernet  HWaddr 00:23:54:7C:19:81  
          inet addr:192.168.100.2  Bcast:192.168.100.255  Mask:255.255.255.0
          inet6 addr: fe80::223:54ff:fe7c:1981/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:238 errors:0 dropped:0 overruns:0 frame:0
          TX packets:268 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:39318 (38.3 KiB)  TX bytes:28755 (28.0 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:180 errors:0 dropped:0 overruns:0 frame:0
          TX packets:180 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:19439 (18.9 KiB)  TX bytes:19439 (18.9 KiB)

ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP qlen 1000
    link/ether f4:39:09:2e:1e:9b brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether 00:23:54:7c:19:81 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.2/24 brd 192.168.100.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::223:54ff:fe7c:1981/64 scope link 
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether f4:39:09:2e:1e:9b brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd7f:5588:a2af::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::f639:9ff:fe2e:1e9b/64 scope link 
       valid_lft forever preferred_lft forever

ip r

default via 192.168.100.1 dev eth1  src 192.168.100.2 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
192.168.100.0/24 dev eth1 scope link  src 192.168.100.2 

ip ru

0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 

network

network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd7f:5588:a2af::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth0'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.dns='1.1.1.1' '8.8.8.8' '8.8.4.4'
network.lan.gateway='192.168.100.2'
network.Wan=interface
network.Wan.proto='dhcp'
network.Wan.device='eth1'

firewall

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='false'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'

Thanks for having a look and hope the issue may be solved. Grateful for all the help I can get.

I notice you have a bridge for LAN, but only one device attached to it. eth0 should be OK.

Is the name of your WAN interface wan or Wan?

1 Like

You are mixing subnets...
The LAN has an IP address from 192.168.1.x, while you claim that the gateway is from 192.168.100.x, although the netmask is /24, leaving only the last byte for local addressing.

(Gateway should have address from the same subnet as the interface itself. Something in the addressing has confused you.)

2 Likes

Should be ACCEPT

Thanks a lot. I have changed to eth0 for the LAN network. The issue, however, persists after rebooting.

To be honest, I have forgotten how I spelt it but it shows as 'WAN' in Luci and as 'wan' in the network configuration files. Thanks

Hello thanks for your interest. I don't remember exactly how I typed it but I used Luci to set it up and in Luci, it shows as 'WAN' while in the network config file, it is 'Wan'. I did not manually make the network config entries.

Thanks a lot for your advice. I am confused TBH, but I really need to understand this. Please, am I to understand that 'network.lan.ipaddr' should be 192.168.100.x?

Thanks a lot for the advice. Sorry it took me a while to get back. I assumed zone 1 was the 'wan' zone and have changed the 'option forward' to ACCEPT.

Unfortunately the problem persists even after restarting the network.

Based on your previous config above, it is wan and setting it to accept means to allow everything from wan to lan. Sounds wrong in principle...

Thanks for pointing that out. Yes, I am confused actually. Please, what do you think is the correct gateway? Using LuCI, I see that Wan has a gateway of 192.168.100.1, but in this case we are talking of Lan and I do not know, but when I tried 192.168.1.1, LuCI informed me 'The address must not be a local IP address'. This added to my uncertainty.

If the OpenWrt device gets its wan side via DHCP (from the main router), you do not need to specify any gateway in OpenWrt lan.

The confusion is added by you apparently having a double NAT situation. The outer router (ISP gateway router) provides the "first LAN", which is then the WAN for the OpenWrt router, and then the OpenWrt router creates a second LAN for the clients connected to it.

At least that is how I read the first message...

So, when talking about LAN, please be clear whether you mean inside the OpenWrt router, or between the ISP router and the OpenWrt router... Both are LAN from a certain perspective...

1 Like
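The two points above (a gateway must sit inside the interface's own subnet, and a lan interface behind a DHCP wan needs no gateway at all) can be checked mechanically. This is an added example, not code from the thread or from OpenWrt: it runs the lan section exactly as posted above through POSIX shell arithmetic; the function names and the inline config excerpt are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): test whether a UCI 'gateway' option
# lies inside the subnet formed by the interface's own ipaddr/netmask.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip4_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Usage: gateway_in_subnet IPADDR NETMASK GATEWAY -> prints "yes" or "no".
gateway_in_subnet() {
    ip=$(ip4_to_int "$1"); mask=$(ip4_to_int "$2"); gw=$(ip4_to_int "$3")
    if [ $(( ip & mask )) -eq $(( gw & mask )) ]; then echo yes; else echo no; fi
}

# Inspect 'uci show network' style output for one interface section.
# Prints "ok", "no-gateway" (correct for a lan interface when the router's
# wan is DHCP), or "gateway-outside-subnet <gw> not in <ipaddr>/<netmask>".
check_lan_gateway() {
    dump=$1; ifname=$2
    ipaddr=$(printf '%s\n' "$dump" | sed -n "s/^network\.$ifname\.ipaddr='\(.*\)'\$/\1/p")
    netmask=$(printf '%s\n' "$dump" | sed -n "s/^network\.$ifname\.netmask='\(.*\)'\$/\1/p")
    gateway=$(printf '%s\n' "$dump" | sed -n "s/^network\.$ifname\.gateway='\(.*\)'\$/\1/p")
    [ -n "$gateway" ] || { echo no-gateway; return 0; }
    if [ "$(gateway_in_subnet "$ipaddr" "$netmask" "$gateway")" = yes ]; then
        echo ok
    else
        echo "gateway-outside-subnet $gateway not in $ipaddr/$netmask"
    fi
}

# Constructed excerpt: the lan section as posted earlier in the thread.
LAN_DUMP="network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.gateway='192.168.100.2'"

check_lan_gateway "$LAN_DUMP" lan
```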

In iptables....

FORWARD = LAN / WAN to speak to each other.

Blocking on the input (WAN) side prevents an intrusion unless it originated from the LAN for the session.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:PERMIT-FWD - [0:0]
:PERMIT-IN - [0:0]
:PERMIT-OUT - [0:0]
-A INPUT -j PERMIT-IN
-A FORWARD -j PERMIT-FWD
-A OUTPUT -j PERMIT-OUT
-A PERMIT-FWD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-FWD -m conntrack --ctstate NEW -j ACCEPT
-A PERMIT-FWD -j DROP
-A PERMIT-IN -i lo -j ACCEPT
-A PERMIT-IN -i br0 -j ACCEPT
-A PERMIT-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-IN -j DROP
-A PERMIT-OUT -o lo -j ACCEPT
-A PERMIT-OUT -o br0 -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate NEW -j ACCEPT
-A PERMIT-OUT -j DROP

*nat
-A POSTROUTING -o bo0 -j MASQUERADE

So, this is how I'm running rules for the FW.

I'm permitting loopback / bridge and then related / established traffic and by default DROP for the policy and explicitly dropping.

Forward is where inside / outside talk to each other and makes the thing a "router".

Output is letting packets out to the internet with the same rules.

Masquerade ties the session to the IP so the packets know where to send them on return.

Just as a test, if you run /etc/init.d/firewall restart, can your LAN hosts access the internet? I assume that you did not change much of the configuration but really are trying to use a pretty run-of-the-mill OpenWrt installation.

Hello. Yes, I am trying to run a vanilla OpenWrt before building on it. Thanks for your suggestion, but it did not work.

Yes it appears to be a double Nat situation as you describe it. I have removed the gateway property of the inner lan but still not getting through after rebooting. Thanks though for looking at the problem.

Thanks for the insight. I will be studying this a bit to know how to compare it to what I have in my system, as I am not so conversant with how to make the necessary changes where the firewall is concerned.

It is zone, not forwarding. Setting it to allow doesn't make much difference as it allows intrazone traffic.

This is fw3, not iptables though.

Make sure you change it back to lower case characters, as it is declared in wan firewall zone. That and the wrong gateway in lan interface were blocking your lan clients.

In fact this is a scenario where the default configuration of OpenWrt will work without any modifications. So if in doubt, you can always reset the device.
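A check for exactly this failure, added here as an example (not code from the thread or from OpenWrt): it reads `uci show`-style dumps and reports every zone member with no matching interface section, flagging the `Wan`/`wan` case mismatch separately from a member that is simply undefined. The dumps are constructed, trimmed excerpts of the configs posted above, and `check_zone_members` is a name chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check every 'network' member of
# each firewall zone against the interface sections that actually exist in
# /etc/config/network. UCI section names are case-sensitive, so a zone that
# lists 'wan' does not match an interface section named 'Wan'.

# Constructed excerpts, trimmed from the 'uci show' output posted in the thread.
NETWORK_DUMP="network.loopback=interface
network.lan=interface
network.lan.device='br-lan'
network.Wan=interface
network.Wan.proto='dhcp'
network.Wan.device='eth1'"

FIREWALL_DUMP="firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].masq='1'"

# Usage: check_zone_members NETWORK_DUMP FIREWALL_DUMP
# Prints one line "<zone> <member> <verdict>" per zone member that has no
# exactly matching interface section: "case-mismatch:<Section>" when a
# section differs only in letter case, otherwise "missing".
check_zone_members() {
    net_dump=$1; fw_dump=$2
    ifaces=$(printf '%s\n' "$net_dump" | sed -n 's/^network\.\([A-Za-z0-9_]*\)=interface$/\1/p')
    printf '%s\n' "$fw_dump" |
    sed -n 's/^firewall\.@zone\[\([0-9]*\)]\.network=\(.*\)$/\1 \2/p' |
    while read -r idx members; do
        zone=$(printf '%s\n' "$fw_dump" | sed -n "s/^firewall\.@zone\[$idx]\.name='\(.*\)'\$/\1/p")
        for m in $members; do
            m=${m#\'}; m=${m%\'}          # strip the quotes that uci show adds
            verdict=missing
            for i in $ifaces; do
                [ "$i" = "$m" ] && { verdict=ok; break; }
                if [ "$(printf '%s' "$i" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$m" | tr 'A-Z' 'a-z')" ]; then
                    verdict="case-mismatch:$i"
                fi
            done
            [ "$verdict" = ok ] || printf '%s %s %s\n' "$zone" "$m" "$verdict"
        done
    done
}

check_zone_members "$NETWORK_DUMP" "$FIREWALL_DUMP"
```

On the posted config this also flags `wan6`, which the default firewall zone lists but the posted network config never defines.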

So very grateful. It is working now. With your advice I just opened /etc/config/network and changed config interface 'Wan' to config interface 'wan'. I restarted the network using 'service network restart', then, not satisfied, rebooted the server, and upon restarting I noticed I now had a network icon. This had not been so previously. Next I pointed the browser at Google and without any issue the page opened up.

I have been a bit elaborate so other noobs like myself may benefit.

Actually emotional, as to be honest I had spent the last two weeks on this. Thanks a million to you and also to all who made suggestions, providing greater insight into how the problem could be resolved. Thanks

1 Like