Ping from LAN to WAN fails - why?

Hi, thanks for reading.

From my OpenWRT router's WAN interface (wan, 192.168.178.72) I can ping my default gateway (192.168.178.1), but not from the OpenWRT LAN interface (lan, 10.55.1.3).
I have searched through the firewall rules and the routing and can't find the solution.


> root@R-B01:~# uci show network
> network.loopback=interface
> network.loopback.device='lo'
> network.loopback.proto='static'
> network.loopback.ipaddr='127.0.0.1'
> network.loopback.netmask='255.0.0.0'
> network.globals=globals
> network.globals.ula_prefix='fd5e:ed65:61a2::/48'
> network.@device[0]=device
> network.@device[0].name='br-lan'
> network.@device[0].type='bridge'
> network.@device[0].ports='eth0'
> network.mgmt=interface
> network.mgmt.device='br-lan'
> network.mgmt.proto='static'
> network.mgmt.ipaddr='10.88.1.3'
> network.mgmt.ip6assign='60'
> network.mgmt.broadcast='10.88.1.255'
> network.mgmt.netmask='255.255.255.0'
> network.wan=interface
> network.wan.proto='dhcp'
> network.wan.device='eth1'
> network.wan.delegate='0'
> network.@device[1]=device
> network.@device[1].name='eth1'
> network.@device[1].ipv6='0'
> network.lan=interface
> network.lan.proto='static'
> network.lan.device='eth2'
> network.lan.ipaddr='10.55.1.3'
> network.lan.netmask='255.255.255.0'
> network.lan.broadcast='10.55.1.255'
> network.lan.delegate='0'
> network.@device[2]=device
> network.@device[2].name='eth2'
> network.@route[0]=route
> network.@route[0].interface='lan'
> network.@route[0].target='192.168.178.72'
> network.@route[0].onlink='1'
> network.@route[0].table='local'
> network.@route[1]=route
> network.@route[1].interface='wan'
> network.@route[1].target='10.55.1.3'
> network.@route[1].type='local'
> network.@route[1].onlink='1'
> root@R-B01:~# ip route show table all
> default via 192.168.178.1 dev eth1  src 192.168.178.72
> 10.55.1.0/24 dev eth2 scope link  src 10.55.1.3
> 10.88.1.0/24 dev br-lan scope link  src 10.88.1.3
> 192.168.178.0/24 dev eth1 scope link  src 192.168.178.72
> broadcast 10.55.1.0 dev eth2 table local scope link  src 10.55.1.3
> local 10.55.1.3 dev eth1 table local scope host onlink
> broadcast 10.55.1.255 dev eth2 table local scope link  src 10.55.1.3
> broadcast 10.88.1.0 dev br-lan table local scope link  src 10.88.1.3
> local 10.88.1.3 dev br-lan table local scope host  src 10.88.1.3
> broadcast 10.88.1.255 dev br-lan table local scope link  src 10.88.1.3
> broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
> local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
> local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
> broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
> broadcast 192.168.178.0 dev eth1 table local scope link  src 192.168.178.72
> local 192.168.178.72 dev eth1 table local scope host  src 192.168.178.72
> broadcast 192.168.178.255 dev eth1 table local scope link  src 192.168.178.72
> fd5e:ed65:61a2::/64 dev br-lan  metric 1024
> fd5e:ed65:61a2::/60 dev br-lan  metric 256  expires 0sec
> unreachable fd5e:ed65:61a2::/48 dev lo  metric 2147483647
> fe80::/64 dev eth2  metric 256
> fe80::/64 dev br-lan  metric 256
> local ::1 dev lo table local  metric 0
> anycast fd5e:ed65:61a2:: dev br-lan table local  metric 0
> local fd5e:ed65:61a2::1 dev br-lan table local  metric 0
> anycast fe80:: dev eth2 table local  metric 0
> anycast fe80:: dev br-lan table local  metric 0
> local fe80::2e0:4cff:fe68:49 dev eth2 table local  metric 0
> local fe80::e65f:1ff:fe57:3fad dev br-lan table local  metric 0
> multicast ff00::/8 dev eth2 table local  metric 256
> multicast ff00::/8 dev br-lan table local  metric 256
> root@R-B01:~#

firewall***********

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd5e:ed65:61a2::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'mgmt'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.88.1.3'
        option ip6assign '60'
        option broadcast '10.88.1.255'
        option netmask '255.255.255.0'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth1'
        option delegate '0'

config device
        option name 'eth1'
        option ipv6 '0'

config interface 'lan'
        option proto 'static'
        option device 'eth2'
        option ipaddr '10.55.1.3'
        option netmask '255.255.255.0'
        option broadcast '10.55.1.255'
        option delegate '0'

config device
        option name 'eth2'

config route
        option interface 'lan'

        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'mgmt'
        list network 'mgmt'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'lan'
        list network 'lan'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option dest 'wan'
        option src 'mgmt'

config forwarding
        option dest 'wan'
        option src 'lan'


config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

..standard config...

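Try removing the static routes. They are not needed, since you are masquerading on the wan zone. (The second one also shows up in your routing output as `local 10.55.1.3 dev eth1`, i.e. the local-table entry for the LAN address sits on the WAN device.)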


Thank you for your help! Yes, the static routes are not necessary.
My mistake was setting the default route of my client to 10.88.1.1 instead of 10.88.1.3. Later on I will have a gateway at 10.88.1.1, which is not yet installed.
Now it works. It was too late yesterday 🙂

