OpenWrt with Raspberry Pi 4 and USB 3.0 Ethernet dongle. PPPoE connected but no Internet in LAN

watz · June 18, 2021, 9:38am

Hey guys, i guess im somewhat close to success but need help getting there.

I configured OpenWRT on my Raspi 4 so that LAN is serving DHCP and using eth0, the internal NIC of the Pi.
For WAN i used the USB 3.0 Dongle and set it up with PPPoE.

Now im getting a PPPoE connection, both wan and wan_6 are connected and using the gui i can ping sites just fine.
The DHCP is working too, but the LAN devices dont get Internet access.

This is my network config:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde3:ab45:0bb8::/48'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.2.2'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan'

config interface 'wan'
        option proto 'pppoe'
        option username 'XXX'
        option password 'XXX'
        option ipv6 'auto'
        option device 'eth1.7'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

How do i get Internet connectivity bridged to my LAN?

trendy · June 18, 2021, 10:04am

Did you delete the lan->wan forwarding in the firewall by any chance?
uci export firewall

kpoman · June 18, 2021, 10:05am

I'd say verify the rpi4 does ping internet, then verify you have firewall rules from zone LAN to WAN allowing input, output and forward ?

watz · June 18, 2021, 10:09am

Could it be something with the VLAN tagging of the WAN connection?

this is the content of "uci export firewall":

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

trendy · June 18, 2021, 10:13am

Interfaces wan and wan_6 are missing from the wan firewall zone.

watz · June 18, 2021, 10:17am

mh, thats odd. i thought i assigned wan to the firewall. i added them now and will try it when i get home. thanks a lot, ill keep this updated if it works or i need more help
thanks!