Router has internet, PC does not. Is this a Masquerade/NAT issue?

Hello! :raccoon:

PC
192.168.1.175
:arrow_up_down: LAN
192.168.1.1
Router
10.2.209.206
:arrow_up_down: WAN
10.2.209.1
WPA2-Enterprise

Router has internet, PC does not


Context

This is my first time using OpenWrt, and this is the second day I'm spending trying to crack this problem.

I live at a dorm where all students can only connect to a WPA2-Enterprise Wi-Fi connection using a username and password. I'm trying to connect the router wirelessly to the Wi-Fi access point, and then create a Wi-Fi access point for all the devices in my room to connect to my router, and also let my PC connect wired to the router. I'm starting by trying a wired connection from my PC to the router.

My approach

Using wpad, I've connected my router (Archer C7) to the WPA2-Enterprise network (using a username and password) over wlan0 with 'Network' set to wwan, like so:

(As a new user, I could only post one image, so I've made this nice little collage)

The router has an internet connection and I can ping google.com or any web address for an instant reply, on the router, via SSH. I can also download packages onto the router fine.

But when the PC is connected to the router over ethernet, I have no internet at all on the PC and cannot even ping any external IP from my PC. But the PC is connected to the router over SSH to 192.168.1.1 and I can access the web interface. I can also successfully ping 10.2.209.1 from the PC...

I've tried setting up NAT rules, but I don't really understand what I'm doing. :sweat_smile: I've fiddled a bit and none of it works. I should have paid more attention in my Cisco class.

Where I get stuck...

Now here's the thing. When I follow this exact process but I connect my router to a 4G hotspot on my phone, everything works as intended. My PC gets wired internet through the router. However, as soon as I change my phone's internet source from 4G to the WPA2-Enterprise wifi network, and the router is still connected to my phone's hotspot, I no longer get internet.

Am I correct to think there's some kind of masquerade necessary here and this is a NAT issue?

I've been tackling this for like 15 hours now, and I've consulted with 3 tech wizards and ChatGPT and nobody had a clue.


Any help would be deeply appreciated. Thank you for reading.

Let’s see the text configs

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Alright, balls on the table. Thank you for the quick reply.


/etc/config/network

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7e:9c72:c707::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr '[redacted]'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'wwan'
        option proto 'dhcp'

/etc/config/wireless

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'sta'
        option ssid 'REDACTED SSID'
        option encryption 'wpa2'
        option eap_type 'peap'
        option ca_cert_usesystem '1'
        option auth 'EAP-MSCHAPV2'
        option identity 'username'
        option password 'password'
        option network 'wwan'

/etc/config/dhcp

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

/etc/config/firewall

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config nat
        option name 'Forward-LAN-PC'
        option src 'wan'
        option target 'MASQUERADE'
        option src_ip '192.168.1.175'
        option device 'wlan0'
        list proto 'all'
        option dest_ip '10.2.209.1'

Are you sure the firewall on your PC allows incoming pings? The default on Windows is no IIRC.

Can your PC ping the router though?

You are correct, my PC's firewall was blocking the router's pings from reaching my PC.
I can now ping the PC from my router.

But unfortunately, still no internet on my PC while the router has internet. :frowning:

You don't need any additional rules, so remove this.

If the same configuration works with your phone, something else is wrong.

You should check if your dorm sysadmins are messing with the packets' TTL to prevent users from using routers.

Install tcpdump and open two ssh sessions to the router.

From the first terminal, run

tcpdump -vvnnqti any '(host 8.8.8.8) and (icmp[0] == 8 or icmp[0] == 0)'

and from the second

ping -c 4 8.8.8.8

Then run ping to 8.8.8.8 from the PC.

Stop the tcpdump session (using Ctrl+C) and post the results.

Thank you for your help.

I've started suspecting as much -- that the connection is being blocked, especially when I found out I could actually ping 10.2.209.1 from my PC.

Here's the tcpdump for the pings:

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
IP (tos 0x0, ttl 64, id 16311, offset 0, flags [DF], proto ICMP (1), length 84)
    10.2.209.206 > 8.8.8.8: ICMP echo request, id 12990, seq 0, length 64
IP (tos 0x0, ttl 1, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 10.2.209.206: ICMP echo reply, id 12990, seq 0, length 64
IP (tos 0x0, ttl 64, id 16340, offset 0, flags [DF], proto ICMP (1), length 84)
    10.2.209.206 > 8.8.8.8: ICMP echo request, id 12990, seq 1, length 64
IP (tos 0x0, ttl 1, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 10.2.209.206: ICMP echo reply, id 12990, seq 1, length 64
IP (tos 0x0, ttl 64, id 16342, offset 0, flags [DF], proto ICMP (1), length 84)
    10.2.209.206 > 8.8.8.8: ICMP echo request, id 12990, seq 2, length 64
IP (tos 0x0, ttl 1, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 10.2.209.206: ICMP echo reply, id 12990, seq 2, length 64
IP (tos 0x0, ttl 64, id 16432, offset 0, flags [DF], proto ICMP (1), length 84)
    10.2.209.206 > 8.8.8.8: ICMP echo request, id 12990, seq 3, length 64
IP (tos 0x0, ttl 1, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 10.2.209.206: ICMP echo reply, id 12990, seq 3, length 64

IP (tos 0x0, ttl 128, id 10011, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.175 > 8.8.8.8: ICMP echo request, id 1, seq 268, length 40
IP (tos 0x0, ttl 128, id 10011, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.175 > 8.8.8.8: ICMP echo request, id 1, seq 268, length 40
IP (tos 0x0, ttl 128, id 10011, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.1.175 > 8.8.8.8: ICMP echo request, id 1, seq 268, length 40
IP (tos 0x0, ttl 127, id 10011, offset 0, flags [none], proto ICMP (1), length 60)
    10.2.209.206 > 8.8.8.8: ICMP echo request, id 1, seq 268, length 40
IP (tos 0x0, ttl 1, id 0, offset 0, flags [none], proto ICMP (1), length 60)
    8.8.8.8 > 10.2.209.206: ICMP echo reply, id 1, seq 268, length 40
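The capture above already contains the diagnosis: the PC's request (ttl 128) is masqueraded and leaves as 10.2.209.206 with ttl 127, but every reply from 8.8.8.8 arrives with ttl 1, so the router cannot forward it one more hop to 192.168.1.175 without decrementing it to 0. The following script is an added example (not from the thread or from OpenWrt) that parses `tcpdump -v` style output and flags echo replies whose TTL is too low to survive forwarding; the sample lines are constructed from the capture above plus one healthy reply for contrast, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: find ICMP echo replies in tcpdump -v output whose IP TTL is so
# low that forwarding them to a LAN host would drop them (TTL decremented to 0).
# Constructed sample: two lines taken from the thread's capture, plus a reply from
# 1.1.1.1 with a normal TTL so the filter has something to leave alone.
SAMPLE='IP (tos 0x0, ttl 64, id 16311, offset 0, flags [DF], proto ICMP (1), length 84)
    10.2.209.206 > 8.8.8.8: ICMP echo request, id 12990, seq 0, length 64
IP (tos 0x0, ttl 1, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 10.2.209.206: ICMP echo reply, id 12990, seq 0, length 64
IP (tos 0x0, ttl 117, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    1.1.1.1 > 10.2.209.206: ICMP echo reply, id 12991, seq 0, length 64'

# low_ttl_replies CAPTURE [MIN_TTL]
# Prints "source ttl" for every echo reply whose TTL is <= MIN_TTL (default 1).
# tcpdump -v prints the IP header on one line ("IP (tos ..., ttl N, ...)") and
# the ICMP summary indented on the next, so the awk script remembers the TTL
# from the header line and applies it to the summary line that follows.
low_ttl_replies() {
    min_ttl="${2:-1}"
    printf '%s\n' "$1" | awk -v min="$min_ttl" '
        /^IP \(/ {
            ttl = ""
            for (i = 1; i <= NF; i++)
                if ($i == "ttl") { ttl = $(i + 1); sub(/,$/, "", ttl) }
            next
        }
        /ICMP echo reply/ && ttl != "" && ttl + 0 <= min { print $1, ttl }
    '
}

# needs_ttl_fix CAPTURE [MIN_TTL]
# Succeeds (exit 0) when at least one reply would not survive another hop,
# i.e. when a TTL rewrite on the upstream interface is needed.
needs_ttl_fix() {
    [ -n "$(low_ttl_replies "$1" "${2:-1}")" ]
}

# Stand-alone run: expected output is "8.8.8.8 1" and a "fix needed" verdict.
low_ttl_replies "$SAMPLE"
if needs_ttl_fix "$SAMPLE"; then
    echo "verdict: replies arrive with TTL <= 1, fix needed on the upstream interface"
else
    echo "verdict: TTL looks fine"
fi
```

On the router the input would come from `tcpdump -vvnnqti any ...` as in the thread; the script only looks at echo replies, so the three copies of the PC's request (seen on the bridge, its port and the WAN side by `-i any`) are ignored.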

Run these commands.
One of them should return an error (don't worry)
Check the result.

iptables -t mangle -I PREROUTING -i wlan0 -j TTL --ttl-set 64
nft insert rule inet fw4 mangle_prerouting iifname "wlan0" ip ttl set 64 counter

Sorry, I didn't have iptables so I found the package by the name iptables and installed it. However, this version doesn't have the option --ttl-set. Which is the correct package for iptables?

Ok, so it's version 22.03.x.
Remove the iptables packages you installed and run only the second command.

nft insert rule inet fw4 mangle_prerouting iifname "wlan0" ip ttl set 64 counter

Done, and... nothing happened. :sweat_smile: No output, nada.

WAIT

OH MY GOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOD

WHAT?!?!?!

Man, you fixed it!!! Thank you so much!!

How?! :mage:

I'm sorry, I have to go now.
I'll help you make the settings permanent later.


Thank you, Pavel! Safe travels.


So the WPA2-Enterprise network returns packets with a TTL of 1, which decreases after one hop, and then they get rejected, explaining why having a router in between stops the packets from arriving at my PC?

Damn! I didn't know about TTL!


I ended up doing this to make it permanent :smile:

mkdir -p /usr/share/nftables.d/chain-pre/mangle_prerouting
echo iifname "wlan0" ip ttl set 65 counter > /usr/share/nftables.d/chain-pre/mangle_prerouting/01-increase-ttl.nft

Please let me know if this was the wrong way to do it or if it's better to have 64 instead of 65 or if it makes no difference.

In any case, thank you so much for solving this problem @pavelgl, I'm really grateful :slightly_smiling_face:

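The permanent fix above relies on fw4 loading drop-in files from /usr/share/nftables.d/chain-pre/mangle_prerouting. The function below is an added example (not from the thread or from OpenWrt) that writes such a file after validating the interface name and the TTL value; the directory is a parameter so the function can be exercised against a scratch directory, and the function name and file name `01-increase-ttl.nft` are assumptions of this example (the file name follows the thread's choice).

```shell
#!/bin/sh
# Added example: write the TTL-rewrite rule as an fw4 drop-in file, checking the
# inputs first. On the router the real directory is
# /usr/share/nftables.d/chain-pre/mangle_prerouting (as used in the thread).

# write_ttl_rule DIR IFACE TTL
# Creates DIR/01-increase-ttl.nft containing the nft rule and prints its path.
write_ttl_rule() {
    dir="$1"; iface="$2"; ttl="$3"
    # Interface names: letters, digits, dot, dash, underscore only, so the value
    # cannot break out of the quoted string in the generated rule.
    case "$iface" in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface name: $iface" >&2; return 1 ;;
    esac
    # TTL is an 8-bit field; 1 would still be dropped on forwarding, 0 is invalid.
    case "$ttl" in
        ''|*[!0-9]*) echo "ttl must be numeric: $ttl" >&2; return 1 ;;
    esac
    if [ "$ttl" -lt 2 ] || [ "$ttl" -gt 255 ]; then
        echo "ttl out of range (2-255): $ttl" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    file="$dir/01-increase-ttl.nft"
    # Same rule as the thread's nft command, minus the chain, which fw4 supplies
    # from the directory name. Quoting the interface name is valid nft syntax.
    printf 'iifname "%s" ip ttl set %s counter\n' "$iface" "$ttl" > "$file" || return 1
    printf '%s\n' "$file"
}

# On the router (assumed usage, then reload the firewall so fw4 picks the file up):
#   write_ttl_rule /usr/share/nftables.d/chain-pre/mangle_prerouting wlan0 65 \
#       && /etc/init.d/firewall restart
```

The thread's `echo iifname "wlan0" ...` command writes `wlan0` without quotes because the shell consumes them; nft accepts both forms, so either file content is fine.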

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.


You got it, so no further explanation needed.

It's by the book.

It doesn't really matter. Any number greater than 1 will do the trick.

Glad to be of help.

One last thing:
If the admins start looking for someone to beat up, I have nothing to do with this. :laughing:


:rofl: No worries!!
