Hi all,
Here the setup of my linksys wrt3200acm (openwrt 19.07):
What I want to do is to be able to access all the devices on vlan3 from vlan1.
When I try to ping a device on vlan3 from vlan1 most of the requests are successful but I get some "request timed out".
Also I can't access the web interface of the devices on vlan3.
I tried to scan the ports with nmap and I see them all open.
What could be the problem?
Thanks.
I do not think you need to mark the FRITZLAN as masqueraded, unless you have specific requirements.
If there is no masquerade, OP must add static routes and will also have to troubleshoot possible packets dropped due to route asymmetry. So for this purpose it is fine.
Config looks fine, but we cannot see everything from the photos.
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
A explanation of the setup would also be useful.
uci export network
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd52:8cdf:c8c4::/48'
config interface 'lan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option ifname 'eth0.1'
config interface 'wan'
option ifname 'eth1.2'
option proto 'dhcp'
option peerdns '0'
list dns '192.168.20.1'
config interface 'wan6'
option ifname 'eth1.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '2 3 5t'
config switch_vlan
option device 'switch0'
option vlan '2'
option vid '2'
option ports '4 6t'
config route
option target '192.168.178.0/24'
option gateway '192.168.178.1'
option netmask '255.255.255.0'
option interface 'lan'
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '3'
option ports '1 5t'
config interface 'fritzlan'
option ifname 'eth0.3'
option proto 'static'
option netmask '255.255.255.0'
option broadcast '192.168.178.255'
option ipaddr '192.168.178.52'
option gateway '192.168.178.1'
uci export wireless
package wireless
config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11a'
option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
option htmode 'VHT80'
option channel 'auto'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option key 'XXX'
option encryption 'psk2'
option ssid 'YYY'
config wifi-device 'radio1'
option type 'mac80211'
option hwmode '11g'
option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
option channel 'auto'
option htmode 'HT40'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option key 'XXX'
option encryption 'psk2'
option ssid 'YYY'
config wifi-device 'radio2'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
option htmode 'VHT80'
option disabled '1'
config wifi-iface 'default_radio2'
option device 'radio2'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
uci export dhcp
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
uci export firewall
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
list device 'eth0.1'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list device 'tun0'
list device 'wlan0'
list device 'wlan1'
option network 'wan wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config forwarding
option src 'lan'
config forwarding
option dest 'fritz'
option src 'lan'
config zone
option name 'fritz'
option network 'fritz fritzlan'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
list device 'eth0.3'
option masq '1'
head -n -0 /etc/firewall.user
nothing
iptables-save -c
*nat
:PREROUTING ACCEPT [7364:1845589]
:INPUT ACCEPT [700:55825]
:OUTPUT ACCEPT [1213:85228]
:POSTROUTING ACCEPT [1:74]
:postrouting_fritz_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_fritz_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_fritz_postrouting - [0:0]
:zone_fritz_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[7364:1845589] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[0:0] -A PREROUTING -i eth0.1 -m comment --comment "!fw3" -j zone_lan_prerouting
[1893:482293] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i wlan0 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i wlan1 -m comment --comment "!fw3" -j zone_wan_prerouting
[101:21289] -A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[5370:1342007] -A PREROUTING -i eth0.3 -m comment --comment "!fw3" -j zone_fritz_prerouting
[2190:336811] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o eth0.1 -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[1115:262071] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o wlan0 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o wlan1 -m comment --comment "!fw3" -j zone_wan_postrouting
[1074:74666] -A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth0.3 -m comment --comment "!fw3" -j zone_fritz_postrouting
[0:0] -A zone_fritz_postrouting -m comment --comment "!fw3: Custom fritz postrouting rule chain" -j postrouting_fritz_rule
[0:0] -A zone_fritz_postrouting -m comment --comment "!fw3" -j MASQUERADE
[5370:1342007] -A zone_fritz_prerouting -m comment --comment "!fw3: Custom fritz prerouting rule chain" -j prerouting_fritz_rule
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[1893:482293] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[2189:336737] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[2189:336737] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[101:21289] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
*mangle
:PREROUTING ACCEPT [103334:59004038]
:INPUT ACCEPT [38498:27248671]
:FORWARD ACCEPT [59149:30234435]
:OUTPUT ACCEPT [27592:6953632]
:POSTROUTING ACCEPT [86530:37179627]
[708:33984] -A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o wlan0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o wlan1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_fritz_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_fritz_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_fritz_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_fritz_dest_ACCEPT - [0:0]
:zone_fritz_forward - [0:0]
:zone_fritz_input - [0:0]
:zone_fritz_output - [0:0]
:zone_fritz_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[22:1889] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[38478:27246862] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[37044:27086390] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[6:288] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[0:0] -A INPUT -i eth0.1 -m comment --comment "!fw3" -j zone_lan_input
[724:53534] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[8:320] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i wlan0 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i wlan1 -m comment --comment "!fw3" -j zone_wan_input
[273:31558] -A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
[429:75060] -A INPUT -i eth0.3 -m comment --comment "!fw3" -j zone_fritz_input
[59149:30234435] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[58061:29905346] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i eth0.1 -m comment --comment "!fw3" -j zone_lan_forward
[1088:329089] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wlan0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wlan1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth0.3 -m comment --comment "!fw3" -j zone_fritz_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[22:1889] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[27574:6953295] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[26223:6862581] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o eth0.1 -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[277:16048] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o wlan0 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o wlan1 -m comment --comment "!fw3" -j zone_wan_output
[1074:74666] -A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o eth0.3 -m comment --comment "!fw3" -j zone_fritz_output
[251:30918] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[6:288] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_fritz_dest_ACCEPT -o eth0.3 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_fritz_dest_ACCEPT -o eth0.3 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_fritz_forward -m comment --comment "!fw3: Custom fritz forwarding rule chain" -j forwarding_fritz_rule
[0:0] -A zone_fritz_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_fritz_forward -m comment --comment "!fw3" -j zone_fritz_dest_ACCEPT
[429:75060] -A zone_fritz_input -m comment --comment "!fw3: Custom fritz input rule chain" -j input_fritz_rule
[0:0] -A zone_fritz_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[429:75060] -A zone_fritz_input -m comment --comment "!fw3" -j zone_fritz_src_ACCEPT
[0:0] -A zone_fritz_output -m comment --comment "!fw3: Custom fritz output rule chain" -j output_fritz_rule
[0:0] -A zone_fritz_output -m comment --comment "!fw3" -j zone_fritz_dest_ACCEPT
[429:75060] -A zone_fritz_src_ACCEPT -i eth0.3 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o eth0.1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[1088:329089] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[1088:329089] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to * forwarding policy" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to fritz forwarding policy" -j zone_fritz_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[724:53534] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[724:53534] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i eth0.1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[724:53534] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[211:8440] -A zone_wan_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1154:336697] -A zone_wan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o wlan0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o wlan0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o wlan1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o wlan1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1074:74666] -A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o wlan0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o wlan1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[281:31878] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[30:960] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[251:30918] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[1351:90714] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[1351:90714] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[8:320] -A zone_wan_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i wlan0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i wlan1 -m comment --comment "!fw3" -j reject
[243:30598] -A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
COMMIT
ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
10: eth0.3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.178.52/24 brd 192.168.178.255 scope global eth0.3
valid_lft forever preferred_lft forever
11: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.20.187/24 brd 192.168.20.255 scope global eth1.2
valid_lft forever preferred_lft forever
14: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
inet 10.8.0.25/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever
ip -4 ro li tab all
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.20.1 dev eth1.2 src 192.168.20.187
10.8.0.0/24 dev tun0 scope link src 10.8.0.25
128.0.0.0/1 via 10.8.0.1 dev tun0
185.183.105.27 via 192.168.20.1 dev eth1.2
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
192.168.20.0/24 dev eth1.2 scope link src 192.168.20.187
192.168.178.0/24 dev eth0.3 scope link src 192.168.178.52
broadcast 10.8.0.0 dev tun0 table local scope link src 10.8.0.25
local 10.8.0.25 dev tun0 table local scope host src 10.8.0.25
broadcast 10.8.0.255 dev tun0 table local scope link src 10.8.0.25
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link src 192.168.1.1
broadcast 192.168.20.0 dev eth1.2 table local scope link src 192.168.20.187
local 192.168.20.187 dev eth1.2 table local scope host src 192.168.20.187
broadcast 192.168.20.255 dev eth1.2 table local scope link src 192.168.20.187
broadcast 192.168.178.0 dev eth0.3 table local scope link src 192.168.178.52
local 192.168.178.52 dev eth0.3 table local scope host src 192.168.178.52
broadcast 192.168.178.255 dev eth0.3 table local scope link src 192.168.178.52
ip -4 ru
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
ls -l /etc/resolv.* /tmp/resolv.*
lrwxrwxrwx 1 root root 16 Feb 27 22:05 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r-- 1 root root 32 May 27 13:00 /tmp/resolv.conf
-rw-r--r-- 1 root root 40 May 27 13:00 /tmp/resolv.conf.auto
head -n -0 /etc/resolv.* /tmp/resolv.*
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
192.168.1.0/24 vlan1
192.168.178.0/24 vlan3
192.168.20.1 default wan gw
This route is wrong and not needed.
You can remove the broadcast, it is calculated automatically.
These don't seem right in wan zone. Remove them.
This zone is empty, remove it.
Only fritzlan is correct there.
Remove also this from fritz zone in firewall. There is already fritzlan declared in the covered networks.
Install tcpdump on OpenWrt opkg update; opkg install tcpdump
Then run a packet capture for the IP that web interface doesn't work
tcpdump -i eth0.3 -evn host 192.168.178.X
Try to access the page. Stop the capture with Ctrl-c and copy paste the output here in preformatted text.
tcpdump: listening on eth0.3, link-type EN10MB (Ethernet), capture size 262144 bytes
15:29:02.630563 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 127, id 40269, offset 0, flags [DF], proto TCP (6), length 48)
192.168.178.52.63484 > 192.168.178.1.80: Flags [S], cksum 0x661f (correct), seq 491790971, win 65472, options [mss 1364,nop,nop,sackOK], length 0
15:29:02.893106 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 127, id 40270, offset 0, flags [DF], proto TCP (6), length 48)
192.168.178.52.63485 > 192.168.178.1.80: Flags [S], cksum 0x1d6d (correct), seq 1541221535, win 65472, options [mss 1364,nop,nop,sackOK], length 0
15:29:02.976859 70:26:05:f8:93:18 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.1 tell 192.168.178.54, length 46
15:29:03.640847 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 127, id 40271, offset 0, flags [DF], proto TCP (6), length 48)
192.168.178.52.63484 > 192.168.178.1.80: Flags [S], cksum 0x661f (correct), seq 491790971, win 65472, options [mss 1364,nop,nop,sackOK], length 0
15:29:03.894752 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 127, id 40272, offset 0, flags [DF], proto TCP (6), length 48)
192.168.178.52.63485 > 192.168.178.1.80: Flags [S], cksum 0x1d6d (correct), seq 1541221535, win 65472, options [mss 1364,nop,nop,sackOK], length 0
15:29:05.645197 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 127, id 40273, offset 0, flags [DF], proto TCP (6), length 48)
192.168.178.52.63484 > 192.168.178.1.80: Flags [S], cksum 0x661f (correct), seq 491790971, win 65472, options [mss 1364,nop,nop,sackOK], length 0
15:29:07.028409 5c:49:79:23:8c:52 > 62:38:e0:b8:ce:c8, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 48)
192.168.178.1.80 > 192.168.178.52.63485: Flags [S.], cksum 0x3b62 (correct), seq 270374965, ack 1541221536, win 14600, options [mss 1460,nop,nop,sackOK], length 0
15:29:07.029072 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 40275, offset 0, flags [DF], proto TCP (6), length 40)
192.168.178.52.63485 > 192.168.178.1.80: Flags [.], cksum 0xa16d (correct), ack 1, win 65472, length 0
15:29:07.030223 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype IPv4 (0x0800), length 409: (tos 0x0, ttl 127, id 40276, offset 0, flags [DF], proto TCP (6), length 395)
192.168.178.52.63485 > 192.168.178.1.80: Flags [P.], cksum 0x6611 (correct), seq 1:356, ack 1, win 65472, length 355: HTTP, length: 355
GET / HTTP/1.1
Host: 192.168.178.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
15:29:07.698203 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.1 tell 192.168.178.52, length 28
15:29:08.738202 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.1 tell 192.168.178.52, length 28
15:29:09.653669 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 127, id 40277, offset 0, flags [DF], proto TCP (6), length 48)
192.168.178.52.63484 > 192.168.178.1.80: Flags [S], cksum 0x661f (correct), seq 491790971, win 65472, options [mss 1364,nop,nop,sackOK], length 0
15:29:09.778202 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.1 tell 192.168.178.52, length 28
15:29:10.038916 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype IPv4 (0x0800), length 409: (tos 0x0, ttl 127, id 40278, offset 0, flags [DF], proto TCP (6), length 395)
192.168.178.52.63485 > 192.168.178.1.80: Flags [P.], cksum 0x6611 (correct), seq 1:356, ack 1, win 65472, length 355: HTTP, length: 355
GET / HTTP/1.1
Host: 192.168.178.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
15:29:11.892750 5c:49:79:23:8c:52 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 102: (tos 0x0, ttl 1, id 41889, offset 0, flags [none], proto UDP (17), length 88)
192.168.178.1.5353 > 224.0.0.251.5353: 59769+ ANY (QM)? fb7692a4-34d4-581d-b52d-b4f4f95fdf31.local. (60)
15:29:13.092240 62:38:e0:b8:ce:c8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.1 tell 192.168.178.52, length 28
15:29:14.098205 62:38:e0:b8:ce:c8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.1 tell 192.168.178.52, length 28
15:29:15.138203 62:38:e0:b8:ce:c8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.1 tell 192.168.178.52, length 28
15:29:17.038412 62:38:e0:b8:ce:c8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.1 tell 192.168.178.52, length 28
15:29:18.098203 62:38:e0:b8:ce:c8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.1 tell 192.168.178.52, length 28
15:29:19.138203 62:38:e0:b8:ce:c8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.1 tell 192.168.178.52, length 28
15:29:20.330044 62:38:e0:b8:ce:c8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.1 tell 192.168.178.52, length 28
15:29:21.378203 62:38:e0:b8:ce:c8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.1 tell 192.168.178.52, length 28
15:29:22.428203 62:38:e0:b8:ce:c8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.1 tell 192.168.178.52, length 28
15:29:23.669202 62:38:e0:b8:ce:c8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.1 tell 192.168.178.52, length 28
15:29:24.748202 62:38:e0:b8:ce:c8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.1 tell 192.168.178.52, length 28
15:29:25.788203 62:38:e0:b8:ce:c8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.1 tell 192.168.178.52, length 28
15:29:27.345434 62:38:e0:b8:ce:c8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.1 tell 192.168.178.52, length 28
15:29:28.418203 62:38:e0:b8:ce:c8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.1 tell 192.168.178.52, length 28
15:29:29.468202 62:38:e0:b8:ce:c8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.1 tell 192.168.178.52, length 28
15:29:30.690064 62:38:e0:b8:ce:c8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.1 tell 192.168.178.52, length 28
15:29:31.698206 62:38:e0:b8:ce:c8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.1 tell 192.168.178.52, length 28
15:29:32.243162 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:29:32.243180 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 127, id 40300, offset 0, flags [DF], proto TCP (6), length 48)
192.168.178.52.63490 > 192.168.178.1.80: Flags [S], cksum 0x6984 (correct), seq 1648286241, win 65472, options [mss 1364,nop,nop,sackOK], length 0
15:29:32.243185 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype IPv4 (0x0800), length 409: (tos 0x0, ttl 127, id 40301, offset 0, flags [none], proto TCP (6), length 395)
192.168.178.52.63485 > 192.168.178.1.80: Flags [FP.], cksum 0x6610 (correct), seq 1:356, ack 1, win 65472, length 355: HTTP, length: 355
GET / HTTP/1.1
Host: 192.168.178.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
15:29:33.061725 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype IPv4 (0x0800), length 55: (tos 0x0, ttl 127, id 40302, offset 0, flags [none], proto TCP (6), length 41)
192.168.178.52.63485 > 192.168.178.1.80: Flags [.], cksum 0xa16d (correct), seq 0:1, ack 1, win 65472, length 1: HTTP
15:29:33.242719 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:29:34.107166 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 127, id 40303, offset 0, flags [DF], proto TCP (6), length 48)
192.168.178.52.63487 > 192.168.178.1.80: Flags [S], cksum 0x5165 (correct), seq 202000504, win 65472, options [mss 1364,nop,nop,sackOK], length 0
15:29:34.242579 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:29:35.265244 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:29:36.262321 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:29:37.262177 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:29:37.298203 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.1 tell 192.168.178.52, length 28
15:29:38.300232 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:29:38.338203 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.1 tell 192.168.178.52, length 28
15:29:38.695689 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 127, id 40305, offset 0, flags [DF], proto TCP (6), length 48)
192.168.178.52.63490 > 192.168.178.1.80: Flags [S], cksum 0x6984 (correct), seq 1648286241, win 65472, options [mss 1364,nop,nop,sackOK], length 0
15:29:39.292080 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:29:39.378202 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.1 tell 192.168.178.52, length 28
15:29:40.133173 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 127, id 40306, offset 0, flags [DF], proto TCP (6), length 48)
192.168.178.52.63495 > 192.168.178.1.80: Flags [S], cksum 0x728e (correct), seq 3020783427, win 65472, options [mss 1364,nop,nop,sackOK], length 0
15:29:40.292082 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:29:41.360071 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:29:42.352094 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:29:43.117952 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype IPv4 (0x0800), length 409: (tos 0x0, ttl 127, id 40309, offset 0, flags [none], proto TCP (6), length 395)
192.168.178.52.63485 > 192.168.178.1.80: Flags [FP.], cksum 0x6610 (correct), seq 1:356, ack 1, win 65472, length 355: HTTP, length: 355
GET / HTTP/1.1
Host: 192.168.178.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
15:29:43.158141 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 127, id 40310, offset 0, flags [DF], proto TCP (6), length 48)
192.168.178.52.63495 > 192.168.178.1.80: Flags [S], cksum 0x728e (correct), seq 3020783427, win 65472, options [mss 1364,nop,nop,sackOK], length 0
15:29:43.352096 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:29:44.409718 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:29:45.098076 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype IPv4 (0x0800), length 55: (tos 0x0, ttl 127, id 40311, offset 0, flags [none], proto TCP (6), length 41)
192.168.178.52.63485 > 192.168.178.1.80: Flags [.], cksum 0xa16d (correct), seq 0:1, ack 1, win 65472, length 1: HTTP
15:29:45.402116 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:29:46.179288 5c:49:79:23:8c:52 > 01:00:5e:00:00:01, ethertype IPv4 (0x0800), length 60: (tos 0xc0, ttl 1, id 5103, offset 0, flags [DF], proto IGMP (2), length 36, options (RA))
192.168.178.1 > 224.0.0.1: igmp query v3
15:29:46.402174 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
^C
60 packets captured
60 packets received by filter
0 packets dropped by kernel
root@OpenWrt:~# ^C
root@OpenWrt:~# tcpdump -i eth0.3 -evn host 192.168.178.1
tcpdump: listening on eth0.3, link-type EN10MB (Ethernet), capture size 262144 bytes
15:29:58.552965 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:29:59.589937 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:30:00.583124 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:30:01.583196 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:30:02.618847 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:30:03.613320 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:30:04.613393 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:30:05.641572 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:30:06.633530 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:30:07.223527 5c:49:79:23:8c:52 > 62:38:e0:b8:ce:c8, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 48)
192.168.178.1.80 > 192.168.178.52.63490: Flags [S.], cksum 0x3af8 (correct), seq 1387242020, ack 1648286242, win 14600, options [mss 1460,nop,nop,sackOK], length 0
15:30:07.633610 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:30:08.668769 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:30:09.212420 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 127, id 40321, offset 0, flags [DF], proto TCP (6), length 48)
192.168.178.52.63510 > 192.168.178.1.80: Flags [S], cksum 0x9b7e (correct), seq 1299430622, win 65472, options [mss 1364,nop,nop,sackOK], length 0
15:30:09.475260 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 127, id 40322, offset 0, flags [DF], proto TCP (6), length 48)
192.168.178.52.63511 > 192.168.178.1.80: Flags [S], cksum 0xaaf0 (correct), seq 2788709542, win 65472, options [mss 1364,nop,nop,sackOK], length 0
15:30:09.663761 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:30:10.228108 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 127, id 40323, offset 0, flags [DF], proto TCP (6), length 48)
192.168.178.52.63510 > 192.168.178.1.80: Flags [S], cksum 0x9b7e (correct), seq 1299430622, win 65472, options [mss 1364,nop,nop,sackOK], length 0
15:30:10.475593 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 127, id 40324, offset 0, flags [DF], proto TCP (6), length 48)
192.168.178.52.63511 > 192.168.178.1.80: Flags [S], cksum 0xaaf0 (correct), seq 2788709542, win 65472, options [mss 1364,nop,nop,sackOK], length 0
15:30:10.663839 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:30:11.701940 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:30:11.889717 5c:49:79:23:8c:52 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 102: (tos 0x0, ttl 1, id 45200, offset 0, flags [none], proto UDP (17), length 88)
192.168.178.1.5353 > 224.0.0.251.5353: 63586+ ANY (QM)? fb7692a4-34d4-581d-b52d-b4f4f95fdf31.local. (60)
15:30:12.480600 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 127, id 40326, offset 0, flags [DF], proto TCP (6), length 48)
192.168.178.52.63511 > 192.168.178.1.80: Flags [S], cksum 0xaaf0 (correct), seq 2788709542, win 65472, options [mss 1364,nop,nop,sackOK], length 0
15:30:12.693896 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:30:13.693902 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:30:14.487419 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 127, id 40327, offset 0, flags [DF], proto TCP (6), length 48)
192.168.178.52.63515 > 192.168.178.1.80: Flags [S], cksum 0x7c66 (correct), seq 4118819812, win 65472, options [mss 1364,nop,nop,sackOK], length 0
15:30:14.732293 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:30:15.488328 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 127, id 40328, offset 0, flags [DF], proto TCP (6), length 48)
192.168.178.52.63515 > 192.168.178.1.80: Flags [S], cksum 0x7c66 (correct), seq 4118819812, win 65472, options [mss 1364,nop,nop,sackOK], length 0
15:30:15.723938 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:30:16.258923 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 127, id 40329, offset 0, flags [DF], proto TCP (6), length 48)
192.168.178.52.63510 > 192.168.178.1.80: Flags [S], cksum 0x9b7e (correct), seq 1299430622, win 65472, options [mss 1364,nop,nop,sackOK], length 0
15:30:16.723959 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:30:17.492971 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 127, id 40330, offset 0, flags [DF], proto TCP (6), length 48)
192.168.178.52.63515 > 192.168.178.1.80: Flags [S], cksum 0x7c66 (correct), seq 4118819812, win 65472, options [mss 1364,nop,nop,sackOK], length 0
15:30:17.746011 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:30:18.744004 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:30:19.538202 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.1 tell 192.168.178.52, length 28
15:30:19.744027 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:30:20.588202 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.1 tell 192.168.178.52, length 28
15:30:20.782377 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
15:30:21.628204 62:38:e0:b8:ce:c8 > 5c:49:79:23:8c:52, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.1 tell 192.168.178.52, length 28
15:30:21.774094 5c:49:79:23:8c:52 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.178.34 tell 192.168.178.1, length 46
^C
38 packets captured
38 packets received by filter
0 packets dropped by kernel
I don't see anything weird from OpenWrt side.
On the contrary, the Fritz is not replying to OpenWrt as it should. In the whole capture it responded only 2 times.
In connection to the ping loss and the unstable ping responses, I'd day there is something wrong with the Fritz.
It seems strange to me that the requests come from an ip of the fritzbox network 
It's not strange, you are masquerading on fritz zone, therefore the IP of the OpenWrt is used as source.
what do you suggest?
Try to ping another host in 192.168.178.0 network. Try to open a webpage or access some other server in that network. See if the same behavior exists.
If yes it could be a bad cable or failing port.
If not, try to restart the Fritz. Maybe that will fix your issue.
But from OpenWrt perspective I don't see anything wrong.
Same behavior for all host in 192.168.178.0.
I restarted the fritz and disabled the fw but nothing to do.
I guess you have restarted already the OpenWrt?
Then I cannot think of anything else, but to change the cable and the port you connect on the Fritz.
ok I found the problem: in the middle of the linksys and the fritz there is a netgear managed switch, if I exclude that and connect the fritz directly to the linksys it works.
Is there any setting I need to change on the switch?
Thanks.
No, the default untagged ports are fine.
You should have mentioned it earlier though...
You're right, I forgot to mention it.
I apologize.
Keep it in mind for future troubleshooting.
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.