Router cannot download from internet while lan clients are fine

ganganray · June 16, 2018, 8:11am

Hi all,

I am setting up LEDE 17.01.4 on my Netgear R7500v2. It connects to the internet on wan with pppoe.

I don't know how I mess up, but now, the router cannot downloaded from internet, say, it cannot receive packages by running

opkg update

nor

wget http://example.com/example.jpg

which returns

root@LEDE:~# wget http://downloads.lede-project.org/releases/17.01.4/targets/ipq806x/generic/packages/Packages.gz
--2018-06-16 16:08:24--  http://downloads.lede-project.org/releases/17.01.4/targets/ipq806x/generic/packages/Packages.gz
Resolving downloads.lede-project.org... 148.251.78.235, 2a01:4f8:202:43ea::3
Connecting to downloads.lede-project.org|148.251.78.235|:80... connected.
HTTP request sent, awaiting response... No data received.
Retrying.

However, if I ping an internet server from the router, it can resolve the domain name and receive packets very well.

root@LEDE:~# ping downloads.lede-project.org
PING downloads.lede-project.org (148.251.78.235): 56 data bytes
64 bytes from 148.251.78.235: seq=0 ttl=48 time=346.496 ms
64 bytes from 148.251.78.235: seq=1 ttl=48 time=340.085 ms
64 bytes from 148.251.78.235: seq=2 ttl=48 time=334.134 ms
64 bytes from 148.251.78.235: seq=3 ttl=48 time=334.960 ms
--- downloads.lede-project.org ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 334.134/338.918/346.496 ms

I can also connect to the internet from my computer, a dhcp client of the router, without any problem.

I am attaching the network settings. Suggestions are appreciated.

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd10:4440:bb70::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ip6assign '60'
        option _orig_ifname 'eth1 wlan0 radio1.network1'
        option _orig_bridge 'true'
        option ipaddr '172.22.76.1'
        option ifname 'eth1'
        option netmask '255.255.255.0'

config interface 'wan'
        option _orig_ifname 'eth0'
        option _orig_bridge 'false'
        option ifname 'eth0'
        option proto 'pppoe'
        option username '*******'
        option password '*******'
        option ipv6 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0'

config interface 'Zerotier'
        option ifname 'zt0'
        option _orig_ifname 'zt0'
        option _orig_bridge 'false'
        option proto 'none'

Yes, I have installed zerotier on my router, it used to be working well.

ganganray · June 16, 2018, 8:16am

Here is the firewall setting.

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        option network 'wan'

config include
        option path '/etc/firewall.user'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'Zerotier'
        option forward 'ACCEPT'
        option network 'Zerotier'

config forwarding
        option dest 'lan'
        option src 'Zerotier'

config forwarding
        option dest 'Zerotier'
        option src 'lan'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp udp'
        option dest_port '5000-5399'
        option name 'BitTorrent'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option dest_port '6932'
        option name 'DHT'
        option proto 'udp'

config forwarding
        option dest 'wan'
        option src 'Zerotier'

config forwarding
        option dest 'wan'
        option src 'lan'