RM65 mt7981 router cannot reach internet

Hi!

Since I upgraded my mt7981-based (hilink rm65) router to openwrt 23.05.3, my router cannot reach the internet.
Eth1 (wan) is working, I presume, because from an ssh connection to the router (also from a uart connection), if I ping my devices connected on the wan side from the router, it works fine.
I installed iperf3 and did iperf3 tests from rm65 openwrt router towards raspberry, pc, smartphone and it works fine.

However, when (in the openwrt router ssh) I do "ping www.google.com" it says "bad address".

I don't know what's going on. It's very frustrating: my router apparently can see the tplink vdsl (192.168.1.254) and the rest of the network on its wan side fine, but it refuses to connect to the internet and pass through any ip traffic from the router itself and devices connected on its wifi or lan towards the wan-connected tplink vdsl router on 192.168.1.254.

I did a route -ne and it showed:

root@OpenWrt:/# route -ne
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 br-lan
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1

Ip route show gave:

root@OpenWrt:/# ip route show
default via 192.168.1.254 dev eth1  src 192.168.1.102
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
192.168.1.0/24 dev eth1 scope link  src 192.168.1.102

Ip link show gave:

root@OpenWrt:/# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1504 qdisc mq state UP qlen 1000
    link/ether 2a:ea:4b:65:bf:72 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether f2:b1:55:7f:ce:6b brd ff:ff:ff:ff:ff:ff
4: lan1@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 2a:ea:4b:65:bf:72 brd ff:ff:ff:ff:ff:ff
5: lan2@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 2a:ea:4b:65:bf:72 brd ff:ff:ff:ff:ff:ff
6: lan3@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 2a:ea:4b:65:bf:72 brd ff:ff:ff:ff:ff:ff
7: lan4@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 2a:ea:4b:65:bf:72 brd ff:ff:ff:ff:ff:ff
8: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether e4:38:19:11:73:ce brd ff:ff:ff:ff:ff:ff
9: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 66:38:19:11:73:ce brd ff:ff:ff:ff:ff:ff
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 2a:ea:4b:65:bf:72 brd ff:ff:ff:ff:ff:ff

Also, when (for a test) I added eth1 wan to the br-lan bridge, something weird happened. All wifi/lan connected devices suddenly did get internet. But then from any connection I couldn't enter the luci router page anymore.
Also, from the uart router login I couldn't ping any ip address anymore. Not even its own ip addresses.

Does anyone know what is going on here?

Thanks a ton!!!!

Can't have same subnet on lan and wan.

Oh yeah, sorry, my bad. I did a firstboot and then the ip of br-lan became 192.168.1.1.
But in my normal setup where br-lan = 192.168.2.254 the problem is still happening.

Currently I have removed the br-lan bridge as a test.
ip route show:

root@Hilink:/# ip route show
default via 192.168.1.254 dev eth1 proto static src 192.168.1.105
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.105

route -ne:

root@Hilink:/# route -ne
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1

Pinging 192.168.1.20 (raspberrypi), pinging 192.168.1.254 (tplink vdsl) and pinging my smartphone at 192.168.1.11 all work fine.
Also the iperf3 tests work. So connections on the 192.168.1.x network work.

Still, when I ping www.google.com it says "ping: bad address 'www.google.nl'"

Is there a command I can type in on the openwrt router to set or show which dns nameserver is used?
I edited /etc/resolv.conf and put "nameserver 192.168.1.254" on top, but it didn't fix the problem. Which command should I use so that the system uses the edited resolv.conf?

Thanks a lot!

Do you have a name server at 192.168.1.254?

Yep! It's my tplink vdsl router. All connected devices get dhcp/dns info from it, and it fetches dns info itself from the ISP nameserver.

Update: At interfaces wan -> advanced settings I checked the "Use broadcast flag" thingy. And now it seems my openwrt router can ping www.google.nl and update packages etc.
For now it seems it is fixed. I will try with my openwrt setup with br-lan and all devices enabled and such.

Problem not solved. I cannot even replicate the situation with only eth1 (wan) up and running and then have my openwrt router using 192.168.1.254 as nameserver.

I really think the problem lies in the nameserver. Because all the other traffic just works.
Is there a way to set or enforce the nameserver from the command line?
When I edit /etc/resolv.conf to set the nameserver, that file gets reset to default every time.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Okido!

ubus call system board

{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "MediaTek MT7981 RFB",
        "board_name": "mediatek,mt7981-rfb",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd67:3e3b:0192::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.254'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.254'
        option broadcast '192.168.2.255'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option broadcast '1'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'eth1'
        option ipv6 '0'

config device
        option name 'lan1'
        option ipv6 '0'

config device
        option name 'lan2'
        option ipv6 '0'

config device
        option name 'lan3'
        option ipv6 '0'

config device
        option name 'lan4'
        option ipv6 '0'

config device
        option name 'phy0-ap0'
        option ipv6 '0'

config device
        option name 'phy1-ap0'
        option ipv6 '0'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/18000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HE20'
        option country 'NL'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'It hurts when IP'
        option encryption 'psk-mixed'
        option key 'pwdhere'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/18000000.wifi+1'
        option channel '124'
        option band '5g'
        option htmode 'HE80'
        option country 'NL'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'It hurts when IP_5G'
        option encryption 'sae-mixed'
        option key 'pwdhere'

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

There are issues here:

Your IP address and gateway are in different subnets... that won't work properly.

Starting with this:

  • How is the device connected to the upstream network -- is it via the lan port or the wan port?
  • What is the upstream device -- is it another router (or a modem+router combo), or is it just a modem? Or something else?
  • What is the subnet of the upstream network?

Eh, the openwrt device is connected to the upstream network through the wan port.
That upstream device is a router+modem combo, at 192.168.1.254.
The subnet of the upstream network is 192.168.1.x

I tried putting the br-lan on the same subnet at 192.168.1.1 so that both devices are on the same subnet, but when I try to fill in "192.168.1.254" in the gateway field of br-lan in luci, the box becomes red and says "The gateway address must not be a local IP address"

This is not valid. You must have unique, non-overlapping subnets for each interface on a router.

Try editing those stanzas to look like this:

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.254'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

Then restart your router and try again.

... which you (OP) were told 7hrs ago.

Uhm, that sounds a bit contradictory to me.

Look, I know that the 2 subnets must not be overlapping, guys. It's not the first day I work with networks and linux as a cisco ccna certified system administrator.

That's why, on my mt7981 device, I had my br-lan set up as 192.168.2.254. And my tplink modem/router set up as 192.168.1.254.
I know how it works. When I had openwrt 21.02 on my device everything worked fine.

Only after I installed openwrt 23.05 on it, things broke down. And since I tested everything, pings and iperf3 work perfectly. The only thing that doesn't work is my openwrt 23 router resolving dns properly and retrieving it from the 192.168.1.254 modem router's dns relay.

I'm pretty sure this is a dns problem. That's why I clearly asked "is there a command to force my device to use 192.168.1.254 as a nameserver".
I'm new to openwrt and its uci and firewall4 stuff, not to networking in general.

But thanks for your help, it's appreciated. It's nerve-wracking how all the communication on my network works fine, only since I installed the openwrt23.05.3-mt7981-rfb the device won't use my modem/router (192.168.1.254) as a nameserver anymore.

In the case of a lan/wan situation, the gateway should be left blank and the system will automatically select the correct gateway based on the default route or other routes as defined.

Possibly, sure. But don't overcomplicate things. If your router is setup with a DHCP client on the wan, it should get the DNS servers as advertised by the upstream DHCP server. In a default configuration, this will 'just work' with no other configuration details (except maybe changing the lan subnet to avoid a conflict).

Sure... but then why did you do this?

Seems to indicate that you weren't aware that this would not work and/or you didn't have confidence in the way that OpenWrt handles the interfaces.

The only reason both IPs were set to the same subnet in the beginning of my posts was because I issued a firstboot command. And the setting of br-lan went to the default 192.168.1.1.

After you wrote "Your IP address and gateway are in different subnets... that won't work properly."

I thought, well, that's strange. But well, let's try it, maybe openwrt handles it differently than I'm used to. So I tried to put br-lan on 192.168.1.1 with my vdsl router being on 192.168.1.254. Just because I wanted to try to follow your advice.
And no, I have no confidence about how openwrt handles devices since I installed 23.05.3! Haha, man. Seriously, it's frustrating that everything works, except my openwrt23 router not being willing to use nameserver 192.168.1.254.

Do I understand correctly that in interfaces -> lan (br-lan) I should leave the gateway empty? I just tried it. But still the same problem.

root@OpenWrt:/# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd35:39a7:c191::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.254'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option broadcast '192.168.2.255'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option broadcast '1'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config device
        option name 'eth0'

config device
        option name 'eth1'

config device
        option name 'lan1'

config device
        option name 'lan2'

config device
        option name 'lan3'

config device
        option name 'lan4'

config device
        option name 'phy0-ap0'

config device
        option name 'phy1-ap0'

Just for some constructive action, do you know how I can put something like nameserver=192.168.1.254 or dns resolve=192.168.1.254 (or similar) in with uci?
Just to test it out?
That's what I have been trying to do all along, but I still have no way of knowing how to work with uci commands.

In your wan interface, you can set it so that it does not use the peer advertised DNS server and then put in your own manually specified one. Or you can put it in the dnsmasq upstream resolver. Or, if you just want to tell your DHCP client devices to use that, use option 6 in the DHCP server on your lan.

Your upstream DHCP server should be advertising a DNS... is it doing that? Is it sending 192.168.1.254?

Yep. On the wan I tried putting in 192.168.1.254 instead of the peer advertised nameserver.

Also used option 6, 192.168.1.254, on the dhcp server on the LAN interface.

Uhm, I should check with tcpdump if it sends dns info/broadcasts. But I didn't try to check because everything that I connect to my tplink modem/router gets dhcp/dns information fine. Even my mt7981 with openwrt 21 worked fine :). It's just since version 23 that it started to not work.

I'm going to bake a new 7981 firmware with tcpdump included in it. Tomorrow, it's pretty late now. Thanks for your help!

Let's see the output of this:

ifstatus wan

Update: Problem solved!

I baked a firmware with tcpdump and checked what kind of network traffic was going on between openwrt router and upstream modem/router with

tcpdump -v -i eth1 | grep 192.168.1.254
and
tcpdump -v -i eth1 | grep 192.168.1.101   (this is temporarily the eth1 ip)

and found out that whenever a device wanted to fetch some information from the upstream modem/router it received information back, but when my openwrt23 router tried to fetch information, the upstream modem/router didn't respond.
So I checked my modem/router for firewall and security settings, and I have my security set up to only allow devices with specified mac addresses. And openwrt23 (I also see it through the uart kernel log) chooses random wan/lan addresses. So after every reboot of the openwrt23 router, it will have a random wan+lan mac address. If it's connected to an upstream modem/router that only allows specified mac addresses, its traffic gets denied.
This is what was going on all along!

Solution:
I turned off the whitelisted-mac-only security on the upstream router as a temporary fix. The other solution is, in luci -> interfaces -> devices -> eth1, to fill in the known mac address that the upstream router has in its whitelisted mac addresses.
And just for fun I'm looking at the openwrt23 buildroot for a more permanent fix to disable random generation of the lan/wan mac address. So I can bake a firmware that doesn't randomly generate the lan+wan mac.

And ps. thank you peter and frollic for your time and for offering help!
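
An added example, not part of the original thread: a POSIX shell check that reads `ip link show` output and lists the interfaces whose MAC has the locally-administered bit set, which is what a generated (non-vendor) address looks like and what an upstream MAC allowlist will not recognise. The function names are illustrative, and the sample input is three interfaces excerpted from the `ip link show` output posted earlier in the thread; a set bit shows the address is not vendor-assigned, not that it changes on every boot.

```shell
#!/bin/sh
# Added example: flag interfaces whose MAC is locally administered.
# Bit 1 (value 0x02) of the first octet is 0 for vendor-assigned
# addresses and 1 for locally assigned or generated ones.

# is_local_mac MAC: exit 0 if locally administered, 1 if not, 2 if malformed.
is_local_mac() {
    first=${1%%:*}
    case $first in
        [0-9a-fA-F][0-9a-fA-F]) ;;
        *) return 2 ;;
    esac
    [ $(( 0x$first & 2 )) -ne 0 ]
}

# list_macs: read `ip link show` output on stdin, print "<iface> <mac>" pairs.
list_macs() {
    awk '
        /^[0-9]+: / { name = $2; sub(/:$/, "", name); sub(/@.*/, "", name) }
        $1 == "link/ether" { print name, $2 }
    '
}

# random_mac_ifaces: keep only interfaces with a locally-administered MAC.
random_mac_ifaces() {
    list_macs | while read -r name mac; do
        if is_local_mac "$mac"; then
            echo "$name $mac"
        fi
    done
}

# Sample input: eth1, lan4 and wlan0 as posted in the thread (excerpt).
sample_link_output() {
    cat <<'EOF'
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether f2:b1:55:7f:ce:6b brd ff:ff:ff:ff:ff:ff
7: lan4@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 2a:ea:4b:65:bf:72 brd ff:ff:ff:ff:ff:ff
8: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether e4:38:19:11:73:ce brd ff:ff:ff:ff:ff:ff
EOF
}

# Offline demo on the sample; on the router run: ip link show | random_mac_ifaces
sample_link_output | random_mac_ifaces
```

Any interface this lists on the WAN side is a candidate for pinning a fixed MAC before it is placed behind an upstream allowlist.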
