Router Communication Issues

Hi All,

I have been banging my head against the wall trying to figure this out, & feel like someone with a fresh set of eyes looking at this will be able to spot my issue.

In short, I had to wipe my router this morning after an issue popped up overnight & now I am having trouble getting internet access on the router itself, & devices on WLAN or LAN. I used to have a Pi-Hole setup for DHCP & DNS, however I removed those settings from the router to rule those out as the culprit. My WAN interface is getting an IP, but I can't ping out or run an nslookup. I have one laptop right now that is able to get to the web UI & SSH, but I can't find why other LAN devices cannot connect to the router (& vice versa).

Note: the MAC address (shown as redactedMAC) was the same for those 4 interfaces.

root@OpenWrt-EA6350v3:~# ubus call system board
{
	"kernel": "5.15.137",
	"hostname": "OpenWrt-EA6350v3",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "Linksys EA6350v3",
	"board_name": "linksys,ea6350v3",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ipq40xx/generic",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}
root@OpenWrt-EA6350v3:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd6c:bfde:fe1b::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'

config device
	option name 'lan1'
	option macaddr 'redactedMAC'

config device
	option name 'lan2'
	option macaddr 'redactedMAC'

config device
	option name 'lan3'
	option macaddr 'redactedMAC'

config device
	option name 'lan4'
	option macaddr 'redactedMAC'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.42.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipv6 '0'

config device
	option name 'wan'
	option ipv6 '0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option ipv6 '0'
	option broadcast '1'
	option hostname '*'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config wireguard_wg_lan
	option public_key 'REDACTED_PUBLIC_KEY'
	option preshared_key 'REDACTED_PSK'
	option description 'REDACTED_DEVICE_NAME'
	list allowed_ips 'REDACTED_IP_ADDRESS'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config wireguard_wg_lan
	option public_key 'REDACTED_PUBLIC_KEY'
	option preshared_key 'REDACTED_PSK'
	option description 'REDACTED_DEVICE_NAME'
	list allowed_ips 'REDACTED_IP_ADDRESS'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config wireguard_wg_lan
	option public_key 'REDACTED_PUBLIC_KEY'
	option preshared_key 'REDACTED_PSK'
	option description 'REDACTED_DEVICE_NAME'
	list allowed_ips 'REDACTED_IP_ADDRESS'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config wireguard_wg_lan
	option description 'REDACTED_DEVICE_NAME'
	option public_key 'REDACTED_PUBLIC_KEY'
	option preshared_key 'REDACTED_PSK'
	list allowed_ips 'REDACTED_IP_ADDRESS'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config wireguard_wg_lan
	option description 'REDACTED_DEVICE_NAME'
	option public_key 'REDACTED_PUBLIC_KEY'
	option preshared_key 'REDACTED_PSK'
	list allowed_ips 'REDACTED_IP_ADDRESS'
	option persistent_keepalive '25'

root@OpenWrt-EA6350v3:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Plex'
	option src 'wan'
	option src_dport '32400'
	option dest_ip '192.168.42.78'
	option dest_port '32400'

root@OpenWrt-EA6350v3:~#
⏰: 16:40 | smc@BR41N14C-M2 | 📁: /Users/smc
%

To be clear, you did a reset, correct?

What issue, router-related?

What is the output of:

cat /etc/config/dhcp

What are the results of, e.g.:

traceroute 8.8.8.8

and

ping 8.8.8.8

  • Are they wired or wireless clients?
  • Were they connected before the wipe?

Did you add this?

If so why?

While leaving this?

I'd start by removing all of the wireguard stuff... it seems that it is missing an interface, too... but just to rule out issues there (you've over-redacted, so we cannot tell what might be happening there).


01: I did a full reset, holding the button on the back of the router itself.

02: Despite the network working fine last night, overnight nothing was able to access the internet. Earlier in the day I was trying to configure a firewall rule that would force all DNS traffic to my Pi-Hole (on a different device), but I ran into problems & removed the firewall rule along with all WireGuard settings from the GUI. It looks like that left some settings behind that are still visible from the CLI.


root@OpenWrt-EA6350v3:~# date
Wed Dec  6 16:59:20 EST 2023
root@OpenWrt-EA6350v3:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option expandhosts '1'
	option cachesize '1000'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'wan'
	option interface 'wan'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config domain
	option name 'optiplex7050'
	option ip '192.168.42.240'

config domain
	option name 'OptiPl3x7050'
	option ip '192.168.42.78'

config domain
	option name 'panda'
	option ip '192.168.42.241'

config domain
	option name 'OptiPlex7050-MAX'
	option ip '192.168.42.192'

config domain
	option name 'AppleTV-Bedroom'
	option ip '192.168.42.193'

config host
	option name 'optiplex7050'
	option mac '14:B3:1F:14:C5:FF'
	option ip '192.168.42.240'

root@OpenWrt-EA6350v3:~#
root@OpenWrt-EA6350v3:~# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 46 byte packets
 1  68.237.92.159 (68.237.92.159)  451.207 ms !H  1474.400 ms !H  3119.238 ms !H
root@OpenWrt-EA6350v3:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C
--- 8.8.8.8 ping statistics ---
8 packets transmitted, 0 packets received, 100% packet loss

root@OpenWrt-EA6350v3:~# ping -c 5 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
root@OpenWrt-EA6350v3:~#
  1. I’m having the problem with both Wired & Wireless clients. The laptop that I can get to the Web UI from & can SSH from is wireless & is always wireless. I do have two devices connected directly to the router via LAN1 & LAN2, but they cannot access the router or vice versa, & are always connected that way.

  2. I did edit some of the IPv6 settings in the UI to try & disable it because I’m not as familiar with it as I am with IPv4, but can edit those settings to put them back in place if needed.

  3. Are you asking about the ip6assign because of the ipv6 0 above? I was just trying to disable IPv6 from the UI, so I might not have seen a way to remove that option. I will gladly edit the existing config if it will clean things up for review.

Thank you so much for responding so quickly too.

Apologies on the over redaction. I’ll clear all the WireGuard settings to clean things up. I intentionally removed the interface from the UI to have less to look into, but it looks like the peers are left behind anyway.

EDIT: I have removed the WireGuard entries from /etc/config/network

root@OpenWrt-EA6350v3:/etc/wireguard# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd6c:bfde:fe1b::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'

config device
	option name 'lan1'
	option macaddr '60:38:e0:b0:7a:70'

config device
	option name 'lan2'
	option macaddr '60:38:e0:b0:7a:70'

config device
	option name 'lan3'
	option macaddr '60:38:e0:b0:7a:70'

config device
	option name 'lan4'
	option macaddr '60:38:e0:b0:7a:70'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.42.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipv6 '0'

config device
	option name 'wan'
	option ipv6 '0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option ipv6 '0'
	option broadcast '1'
	option hostname '*'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

root@OpenWrt-EA6350v3:/etc/wireguard

Have you contacted your ISP?

I didn’t because I thought this was a result of something I did, not the ISP having a problem.

Are you saying that you did something overnight you haven't mentioned yet?

Otherwise, I understood you did nothing, and you reset the device. :white_check_mark:

The traceroute results show that your 1st and only hop is an IP owned by your ISP. It gives you the error "!H", which means that this ISP router returned ICMP Destination Host Unreachable messages for the destination (i.e. 8.8.8.8).

It's also odd that the response times are so high and erratic (the lower the better). For example, on an FTTH connection for your ISP, you should expect a response time of 10 ms or less to the 1st hop (depending on distance, etc.).

Did you add this?

No, there was nothing else I did overnight to have it stop working. I just assumed it was delayed from something I did earlier during the day, like working with the firewall rules.

Ah, okay. Thank you for the details on the traceroute results. I wasn’t aware that the “!H” had that meaning. I was also surprised by the response time there. I wouldn’t have expected the response to take that long either.

Yes, I had enabled that while trying to get the connection up & running after the problem this weekend. If you don’t think it should be required I can disable that setting & look at the config again.