Routing WWAN to LAN and WLAN on Rpi3

Hi,

I have run into a bit of a routing problem using my Raspberry Pi with a Sierra Wireless MC7455 connected through USB.

I am able to get internet access to the Raspberry Pi but the Pi is not able to route that connection to my LAN side which means that anything that is connected to it locally does not have internet access.

Here is what my network config looks like for now:

root@OpenWrt:~# cat /etc/config/network

# /etc/config/network as posted (OpenWrt UCI syntax).

# Loopback interface with the usual 127.0.0.1/8 address.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# IPv6 ULA prefix; the value appears to have been redacted by the poster.
config globals 'globals'
        option ula_prefix 'fxxx:xxxx:xxxx::/48'

# 'lan' is a bridge over eth0 using proto 'dhcp', i.e. it obtains its address
# as a DHCP client. No static LAN address is defined anywhere in this listing.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'dhcp'

# Cellular uplink: QMI protocol on control device /dev/cdc-wdm0, with wwan0 as
# the data interface.
# NOTE(review): 'type bridge' is set on the uplink as well; confirm that a
# bridge is intended on a modem interface.
config interface 'wwan'
        option proto 'qmi'
        option device '/dev/cdc-wdm0'
        option ifname 'wwan0'
        option apn 'data641003'
        option type 'bridge'

Also this is how I know that I am getting data through the cell:

root@OpenWrt:~# ping -I wwan0 www.google.ca
PING www.google.ca (172.217.12.163): 56 data bytes
64 bytes from 172.217.12.163: seq=0 ttl=50 time=89.238 ms
64 bytes from 172.217.12.163: seq=1 ttl=50 time=80.653 ms
64 bytes from 172.217.12.163: seq=2 ttl=50 time=102.277 ms
64 bytes from 172.217.12.163: seq=3 ttl=50 time=118.494 ms
64 bytes from 172.217.12.163: seq=4 ttl=50 time=94.663 ms

Sorry I am a noob to this environment. Any help would be greatly appreciated.

Thanks

  • Did you place WWAN in the WAN firewall zone?

I had done it before but then removed it. Are there any specifics I need to be aware of when assigning the interface to the WAN firewall zone?

You simply need to place any Interfaces into a firewall zone. If you place WWAN into a zone, you can then proceed to ALLOW traffic from zone-WAN to zone-LAN.

Hey, I tried it and it's the same. I set up the firewall in LuCI, but below are my settings as shown in the terminal:

root@OpenWrt:/etc/config# cat firewall

# /etc/config/firewall as posted (OpenWrt fw3 UCI syntax).
# Lines marked NOTE(review) flag settings that widen exposure on the cellular
# side; they are observations on this listing, not part of the original post.

# Global policies: input and output are accepted, forwarding is rejected
# unless a zone or forwarding section below allows it.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# LAN zone: covers the 'lan' network only and accepts everything.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

# WAN zone: holds the cellular uplink (network 'wwan'), IPv4 only.
# NOTE(review): input and forward are both ACCEPT. The stock OpenWrt wan zone
# uses REJECT for both, so that services on the router itself (SSH, LuCI, DNS)
# are not reachable from the carrier network. Prefer REJECT here.
# NOTE(review): neither 'masq' nor 'mtu_fix' is set on this zone, although the
# stock wan zone enables both. Without masq, traffic forwarded out of wwan is
# not source-NATed.
config zone
        option name 'wan'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option network 'wwan'
        option family 'ipv4'

# The rules from here to Allow-ISAKMP look like the stock OpenWrt rule set.
# They are meant to punch narrow holes in a wan zone that otherwise rejects
# input; with wan input set to ACCEPT above they are effectively redundant.

# Accept DHCP replies (UDP port 68) arriving from wan.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Accept IPv4 ICMP echo requests arriving from wan.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept IGMP arriving from wan.
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept DHCPv6 replies (UDP port 546) within fc00::/6.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept the listed ICMPv6 types (MLD) from link-local sources.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept the listed ICMPv6 types addressed to the router, limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forward the listed ICMPv6 types from wan to any zone, limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forward IPsec ESP from wan to lan.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

# Forward ISAKMP (UDP port 500) from wan to lan.
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Custom rules file; its contents are not shown in the post.
config include
        option path '/etc/firewall.user'

# Firewall hook installed by the miniupnpd package.
# NOTE(review): miniupnpd lets LAN clients request inbound port mappings;
# confirm it is actually wanted on a cellular uplink.
config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

# NOTE(review): wan -> lan forwarding lets hosts on the cellular side open
# connections to LAN hosts. Sharing the uplink needs only the lan -> wan
# forwarding below; reply traffic for established connections is handled by
# connection tracking. Consider removing this section.
config forwarding
        option dest 'lan'
        option src 'wan'

# lan -> wan: the forwarding LAN clients need in order to use the uplink.
config forwarding
        option dest 'wan'
        option src 'lan'

What am I missing here?

Thanks once again!

You're missing an enabled Masquerade on WAN.


That still does not change anything. I still cannot route my WWAN to WLAN or LAN.

ip a; ip r; head -n -0 /etc/resolv.conf /tmp/resolv.conf.auto
sysctl net.ipv4 | grep forward
iptables-save

Hey guys, thank you for your help. I did some reconfiguration, basically removing the bridge from most interfaces, and it looks like I have internet connectivity through wwan. Ping and traceroute work perfectly fine from the host devices, BUT opening a webpage still does not bring anything up. Here is my config for the network:

root@OpenWrt:~# cat /etc/config/network

# /etc/config/network as posted after the reconfiguration (OpenWrt UCI syntax).

# Loopback interface with the usual 127.0.0.1/8 address.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# IPv6 ULA prefix; the value appears to have been redacted by the poster.
config globals 'globals'
        option ula_prefix 'fxxx:xxxx:xxxx::/48'

# 'lan' still uses proto 'dhcp' (DHCP client) on eth0; the bridge type present
# in the earlier listing has been removed.
config interface 'lan'
        option ifname 'eth0'
        option proto 'dhcp'

# Cellular uplink: QMI protocol on control device /dev/cdc-wdm0, data interface
# wwan0; no longer bridged.
config interface 'wwan'
        option ifname 'wwan0'
        option proto 'qmi'
        option device '/dev/cdc-wdm0'
        option apn 'data641003'

# Static 192.168.1.1/24 interface intended as the local side.
# NOTE(review): 'gateway' is set to the interface's own address, and the bridge
# has no 'ifname', so no member port is listed in this section.
# NOTE(review): whichever firewall zone this interface is placed in decides
# whether it is treated as trusted LAN or as uplink; verify it is assigned to
# the lan zone and not to wan.
config interface 'STATICLAN'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        option type 'bridge'

What could be wrong now?

  • Remove gateway from LAN-network.
  • Change network/interface names to lowercase.
  • Assign LAN-network to firewall LAN-zone.

Hey vgaetera,

I changed that accordingly but unfortunately this does not resolve the issue. One thing I should mention is that while I am on my phone, opening some apps that need internet work perfectly fine while others do not work whatsoever. Do you think this is still a firewall problem?

uci show network; uci show firewall

Here it is:

root@OpenWrt:~# uci show network; uci show firewall
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fxxx:xxxx:xxxx::/48'
network.lan=interface
network.lan.ifname='eth0'
network.lan.proto='dhcp'
network.wwan=interface
network.wwan.ifname='wwan0'
network.wwan.proto='qmi'
network.wwan.device='/dev/cdc-wdm0'
network.wwan.apn='data641003'
network.dhcplan=interface
network.dhcplan.proto='static'
network.dhcplan.ipaddr='192.168.1.1'
network.dhcplan.netmask='255.255.255.0'
network.dhcplan.type='bridge'
network.dhcplan.ifname='eth0'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='ACCEPT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].masq='1'
firewall.@zone[0].network='lan dhcplan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
firewall.@zone[1].family='ipv4'
firewall.@zone[1].masq='1'
firewall.@zone[1].network='STATICLAN wwan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fxxx:xxxx::/6'
firewall.@rule[3].dest_ip='fxxx:xxxx::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fxxx:xxxx::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.miniupnpd=include
firewall.miniupnpd.type='script'
firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
firewall.miniupnpd.family='any'
firewall.miniupnpd.reload='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='lan'
firewall.@forwarding[0].src='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[1].src='lan'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].src_dport='422'
firewall.@redirect[0].dest_ip='192.168.1.1'
firewall.@redirect[0].dest_port='22'
firewall.@redirect[0].name='SSH'

Hey guys,

I finally got it sorted out. The wrong firmware was loaded onto the USB modem. This was quite bizarre!

Now I am trying to sort out the GPS on the modem. Does anyone know which packages I will need on my OpenWRT to get GPS coordinates of the modem? Any links for the instructions?

Help would be appreciated.

Thanks

@afnan If your problem is solved, please consider marking this topic as [Solved]. (Click the pencil behind the topic...)

Please open a new topic for any questions not related to this topic.