OpenWrt router has internet access but not LAN side

Hi !

I've installed OpenWrt from a snapshot, so it could be a bug or something else.

My problem is that the entire LAN side of my network lacks internet access.
I've added a base network and a total of 7 VLANs. Everything works fine when it comes to addressing the networks, and I can ping all of the networks on the LAN side. But I can't ping out to external DNS/IP addresses.

Using LuCI's diagnostics I can ping and reach external addresses and DNS domains. I would think it's a firewall issue, but every condition on the firewall is in accept mode. I also managed to have internet access until adding the VLANs.

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'lan11'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vlan11'

config zone
        option name 'lan12'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vlan12'

config zone
        option name 'lan13'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vlan13'

config zone
        option name 'lan14'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vlan14'

config zone
        option name 'lan15'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vlan15'

config zone
        option name 'lan16'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vlan16'

config zone
        option name 'lan17'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vlan17'

One obvious issue is that you have the lan network in every local zone.

  • Multiple networks may exist in a single zone.
  • But any individual network may only exist in one zone.

Try removing the lan network from all but the lan firewall zone, then restart and test again.

If that doesn't fix the issue, we need to see the rest of the config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

EDIT: Upon further evaluation, it appears that you don't even have a lan zone anymore. As stated above, remove the lan network from all zones. Then create this zone:

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

Hi,

Thanks for that heads-up. I've added what you told me and I got the internet working. My question is now just whether input, output and forward are recommended to be ACCEPT, or should I limit them like the WAN-to-LAN rules? Are these the factory settings when installing OpenWrt?

Accept on all three zone policies on the lan zone is the typical and recommended configuration.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

Ok thanks,

Well, I noted my VLANs are without internet and the ordinary LAN is working perfectly, so I seem to have only solved the non-VLAN network.

I added a lan network to the firewall rules; that gave me access to the internet for the non-VLAN network.

Removing the list network 'lan' from the VLANs seems not to be enough.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdaa:70a6:35a0::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.8.8.32'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'

config interface 'vlan11'
	option device 'eth1.11'
	option proto 'static'
	option ipaddr '10.128.64.64'
	option netmask '255.255.255.240'
	option ip6assign '60'

config interface 'vlan12'
	option device 'eth1.12'
	option proto 'static'
	option ipaddr '10.13.129.32'
	option netmask '255.255.255.224'
	option ip6assign '60'

config interface 'vlan13'
	option device 'eth1.13'
	option proto 'static'
	option ipaddr '10.13.129.64'
	option netmask '255.255.255.224'
	option ip6assign '60'

config interface 'vlan14'
	option device 'eth1.14'
	option proto 'static'
	option ipaddr '10.5.15.96'
	option netmask '255.255.255.224'
	option ip6assign '60'

config interface 'vlan15'
	option device 'eth1.15'
	option proto 'static'
	option ipaddr '10.200.145.32'
	option netmask '255.255.255.224'
	option ip6assign '60'

config interface 'vlan16'
	option device 'eth1.16'
	option proto 'static'
	option ipaddr '10.225.45.192'
	option netmask '255.255.255.192'
	option ip6assign '60'

config interface 'vlan17'
	option device 'eth1.17'
	option proto 'static'
	option ipaddr '10.100.10.1'
	option netmask '255.255.255.192'
	option ip6assign '60'

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '40'
	option limit '20'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'vlan11'
	option interface 'vlan11'
	option start '66'
	option limit '7'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'vlan12'
	option interface 'vlan12'
	option start '35'
	option limit '11'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'vlan13'
	option interface 'vlan13'
	option start '65'
	option limit '11'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'vlan14'
	option interface 'vlan14'
	option start '98'
	option limit '11'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'vlan15'
	option interface 'vlan15'
	option start '35'
	option limit '20'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'vlan16'
	option interface 'vlan16'
	option start '195'
	option limit '40'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'vlan17'
	option interface 'vlan17'
	option start '11'
	option limit '40'
	option leasetime '12h'
	option dhcpv4 'server'


Is there a reason you're not just using /24 network sizes for each of the vlans? It makes things a lot easier. Critically (and I haven't done this yet), the DHCP servers need to be reviewed to ensure that they have valid parameters, which requires just a bit more thinking when it is not a /24 to ensure the calculation is correct.

For all of your vlans, you set up individual zones and none of them have forwarding to the wan or to any other zones. Therefore, they would not be expected to be able to route anywhere.

If your VLANs will all have similar broad firewall policies (as they do, currently), you can actually put them all into a single firewall zone, which makes things much easier to handle.
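As an added example (not code from the thread), here is a small Python checker for the two zone problems raised in this thread: a network listed in more than one zone, and local zones with no forwarding to wan. It runs over a constructed, shortened copy of the poster's firewall config; the parser assumes plain UCI `config`/`option`/`list` syntax.

```python
import shlex
from collections import defaultdict

# Constructed, shortened copy of the poster's /etc/config/firewall (sample input).
SAMPLE_FIREWALL = """
config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'lan11'
        list network 'lan'
        list network 'vlan11'

config zone
        option name 'lan12'
        list network 'lan'
        list network 'vlan12'
"""

def parse_uci(text):
    """Return [(section_type, {key: value or [values]})] from UCI config text."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)   # strips quotes around values
        if not parts:
            continue
        if parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts[0] == "option" and sections:
            sections[-1][1][parts[1]] = parts[2]
        elif parts[0] == "list" and sections:
            sections[-1][1].setdefault(parts[1], []).append(parts[2])
    return sections

def check_zones(text):
    """Return (networks listed in >1 zone, local zones with no forwarding to wan)."""
    zones_of = defaultdict(list)   # network name -> zones that list it
    forwardings = set()            # (src zone, dest zone) pairs
    for stype, opts in parse_uci(text):
        if stype == "zone":
            for net in opts.get("network", []):
                zones_of[net].append(opts["name"])
        elif stype == "forwarding":
            forwardings.add((opts.get("src"), opts.get("dest")))
    duplicated = {n: z for n, z in zones_of.items() if len(z) > 1}
    local = {z for zs in zones_of.values() for z in zs} - {"wan"}
    no_wan = sorted(z for z in local if (z, "wan") not in forwardings)
    return duplicated, no_wan
```

On the sample it reports `lan` in both lan11 and lan12, and neither zone forwarding to wan, which are exactly the two findings in this thread.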

The reason for not using /24 is only security: using something more unique and limiting the number of hosts on the network. The IP calculations are correct, since I've been tinkering with this in binary. The DHCP and the assigned IPs all work, getting correct IP addresses in the right IP span, so this should be considered a non-issue. But as best practice I can change to /24 until it works and then go back to my original setup once it is working correctly.

Do I need to add, in the config forwarding section, the line option src 'vlanxxx' to give them access, or do I need to make more changes?

The VLANs all have similar policies for simplicity of setting up the network. This will change once the base configuration is done :slight_smile:

This does not improve your security posture. The size of a subnet has nothing to do with security.

It will look like this (just one example):

config forwarding
        option src 'vlan11'
        option dest 'wan'

...

That is incorrect. You have assigned the router the zeroth IP within its subnet, which is a reserved and unusable IP.

Considering the size of the 10 space, using blocks smaller than /24 does not make a lot of sense.


Thank you for the reply. This is correct: this is not valid and I've been missing this. So I will rearrange it accordingly and do a recheck of the other subnets. :slight_smile:

Or ... just use /24 mask :wink:

This is one reason that /24's are easier... just a lot less 'thinking' to do when you don't have to calculate addresses (i.e. the .0 address is always the subnet address, .255 is always broadcast).

Also, your DHCP servers do appear to be incorrect, too (but, to be fair, I'm actually getting mixed results here, as I'll explain in a moment).

Let's take, for example, this one:

Even once you fix the address to be 10.128.64.65, that subnet has usable host range of .65-.78 for a total of 14 usable addresses.

Your DHCP server for VLAN 11 is this:

While you do have the limit set correctly, the start is wrong... the start value is the offset from the base address per the DHCP documentation.

Specifies the offset from the network address of the underlying interface to calculate the minimum address that may be leased to clients. It may be greater than 255 to span subnets.

Therefore, your start value already puts the DHCP server out of range.

However, as noted above, this is oddly contradicted by the ipcalc.sh script in OpenWrt, which seems to calculate the start as a direct value rather than an offset.

root@OpenWrt:~# ipcalc.sh 10.128.64.65 255.255.255.240 66 7
IP=10.128.64.65
NETMASK=255.255.255.240
BROADCAST=10.128.64.79
NETWORK=10.128.64.64
PREFIX=28
START=10.128.64.66
END=10.128.64.73

However, I believe that this may be a bug in ipcalc.sh, since the DHCP documentation has been proven to be correct.
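To make the offset arithmetic in the quoted documentation concrete, here is an added Python check (not from the thread and not OpenWrt's ipcalc.sh) that treats `start` as an offset from the network address, as the documentation says, and also flags a router address that is the network or broadcast address. The inputs are the poster's vlan11 and lan values from the posted config, plus a corrected vlan11 constructed for comparison.

```python
import ipaddress

def pool_range(ipaddr, netmask, start, limit):
    """DHCP pool bounds with 'start' as an offset from the network address."""
    net = ipaddress.ip_interface(f"{ipaddr}/{netmask}").network
    first = net.network_address + start
    return first, first + limit - 1        # 'limit' is a count of addresses

def check_dhcp(ipaddr, netmask, start, limit):
    """Return a list of problems (empty means router address and pool are valid)."""
    iface = ipaddress.ip_interface(f"{ipaddr}/{netmask}")
    net, router = iface.network, iface.ip
    first_host = net.network_address + 1
    last_host = net.broadcast_address - 1
    problems = []
    # Zeroth (network) and last (broadcast) addresses cannot be assigned to hosts.
    if router in (net.network_address, net.broadcast_address):
        problems.append(f"router address {router} is the network or broadcast address")
    lo, hi = pool_range(ipaddr, netmask, start, limit)
    if lo < first_host or hi > last_host:
        problems.append(f"pool {lo}-{hi} outside usable range {first_host}-{last_host}")
    elif lo <= router <= hi:
        problems.append(f"router address {router} lies inside pool {lo}-{hi}")
    return problems

# Constructed inputs: the poster's vlan11 and lan values, plus a corrected vlan11.
CASES = {
    "vlan11 as posted": ("10.128.64.64", "255.255.255.240", 66, 7),
    "vlan11 corrected": ("10.128.64.65", "255.255.255.240", 2, 7),
    "lan as posted": ("10.8.8.32", "255.255.255.0", 40, 20),
}

if __name__ == "__main__":
    for label, args in CASES.items():
        print(label, check_dhcp(*args) or "ok")
```

With offset semantics, start 66 on a /28 lands at 10.128.64.130, well past the usable .65-.78 range; the corrected case (start 2, limit 7) yields .66-.72 inside it.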


I would like to thank everyone for their input and the great feedback. I can now say everything works as expected with internet connectivity; config forwarding solved the missing piece.

As far as DHCP goes, I cannot say, but I will check the findings you got. I can say it's assigning IPs and does not cause any networking issue.
