Setting up OpenWrt as gateway with static IPv4 address provided by the network

Hello,
I'm new to OpenWRT (installed it a few hours ago) but I've run out of ideas on how to configure OpenWRT to work for my purposes. I'll start with my requirements, then I'll explain what I understood from the docs so far and what I did.

Requirements
I'm living in a student dorm and our internet is provided by the company offering the housing. The internet works like this:
I have one Ethernet port in my apartment which I can connect to. When connecting, I have to configure my device's network settings to use a static IP they assigned to me and also to use their gateway router (same IP range, the first three numbers are equal). They ask me to configure 255.255.255.0 as subnet mask and told me 2 DNS servers to configure. When all that is done we still don't have internet here, as we need to authenticate by opening an SSH connection to a server with a totally different IP. As long as exactly one connection using each student's user and password is open, all devices connected to their Ethernet port have access to the internet (even though you only have one IP address, so connecting multiple devices needs another router, which is what I want to get done using OpenWRT).
What works but is a crappy solution: connecting a MacBook and setting up the network settings so I have internet, and then sharing this connection using Internet Sharing (WiFi hotspot). But then the laptop becomes immobile, or nobody has WiFi while the laptop is needed elsewhere. When this configuration is set up, the Mac does exactly what I want from OpenWRT: it connects to the internet and opens another subnet in which it acts as router, starts a DHCP server, etc.

I hope my requirements are clear, otherwise feel free to ask; I'm happy to clarify things because I don't know how to go any further.

What I did so far
I've read through lots of docs; I think I need this: https://openwrt.org/docs/guide-user/network/wan/bridge-mode because I get linked there from https://openwrt.org/docs/guide-user/network/switch_router_gateway_and_nat. In the second article I'm probably either "OpenWrt as router and having an internet ISP device configured as modem-bridge" or "OpenWrt as gateway using either OpenWrt-device-built-in or external modem" (because I want to configure OpenWRT as gateway according to the definition above). I've read much more but can't find a solution. The bridge article only explains terms and defines them but doesn't explain any kind of configuration. Either I can't find the correct article after hours of searching and trial and error, or it may not exist (in that case I'd like to write one as soon as my problem is solved). I bricked the router three times during trial and error but couldn't get it working.

I'm using the default web interface LuCI for all kinds of configuration, but I'm comfortable with SSH as well in case I need that. So far I modified the default LAN bridge between eth0 and eth1, set up the given gateway and added the external IP address to the list, and also I tried to add an extra interface for the internet connection, which I set up using static settings according to the values that I got for internet access. But in none of my many configurations could I either ping or SSH to the authentication server; a connection was just not possible.

Any help is highly appreciated!

Reset router configuration to default, configure WAN as static with the information supplied by the provider.
Run ssh as instructed.


and make sure the subnet of the provided WAN IP isn't the same as the router's LAN subnet.


Hey, thank you for your fast reply, Andrew. I think that is what I did. I reset the router configuration and logged in to LuCI. On the Network > Interfaces page I found a pre-configured device "br-lan" in the "LAN" firewall zone. On the Devices tab I can see that it is of type "Bridge device" and it has the same MAC address as the eth0 port of my devolo hardware (that is intended as a WiFi access point only, but shouldn't matter?). The bridge device is configured to connect the eth1 port (to which my laptop is connected) with the eth0 port (which is connected to my Ethernet port in the apartment). By that I mean that Bridge Ports is set to both eth0 and eth1, and I'll probably also check the WiFi networks as soon as I have configured them?
I added a new interface with protocol "static address" set, entered my public IPv4 address, entered 255.255.255.0 as IPv4 netmask and my provider's IPv4 gateway (which is in the same IPv4 /24 subnet, so only the last byte differs from my own static IP). I also entered the DNS servers in the new static interface. I set the firewall zone to WAN and configured no DHCP server. The bridge device has a DHCP server configured by presets after I reset the router, and this is working (my laptop connected to the eth1 port got an IP address and I can access LuCI from the laptop's browser). The br-lan bridge's IP was set to 192.168.1.1 (OpenWRT default) and I kept this. My static IP from my provider is in an absolutely different subnet (the first byte already differs). Both interfaces are configured to be in an IPv4 /24 subnet. I did not modify any firewall rules. The defaults are to allow everything from the LAN to the WAN zone. Masquerading is off. For WAN, Input and Forward are set to "Reject" and Output is set to "Accept". Masquerading is ticked. I think it says "Reject" in the overview because no firewall zone is set in "Allow forward to destination zones". General settings are accept for input and output and reject for forward.

The bridge device has no gateway set and therefore automatically uses the new interface's gateway by default. I also tried to set the new interface's IP address as gateway, but neither worked. I can ping 192.168.1.1 and my static public IP address set in the new interface on eth0 from my connected laptop, but I can't ping my provider's gateway IP address nor the SSH server required for authentication. Pings are sent using the laptop connected to eth1. The error message is that the host can't be reached.

I think I did what you told me (I did the same previously, before asking my question) but it doesn't work. I hope somebody can help using the additional information I posted.

I replied to AndrewZ and explained in more detail what I did. I think I did so, but it still doesn't work. Maybe I get something wrong or whatever :slight_smile:

I assume you don't have a public IP on your WAN/upstream interface, you don't need to keep the IPs secret/omit them in your posts. You could however mask any DNS IPs, if public, and MACs, if attaching screen shots.

Post a screen shot of your interfaces screen in openwrt.

What's the intended router device ?

I didn't know of the 172.16.0.0-172.31.255.255 private subnet – you are right, it's not a public IP, my bad. I'll share screenshots attached to this post. Thank you for your quick reply and your help so far!
The DNS servers (blacked out) and the SSH server for authentication are in the same a.b.0.0 subnet. The subnet belongs to our university.

I'll share more configurations if needed. If it's easier for somebody to help: I can also share config files, just tell me which one is interesting for you :wink:

Can you ping the WAN gateway IP, from the router, and any client ?

What DNS IPs do your clients get from the openwrt host ?

Is the site used for authentication an IP, or a DNS name ?

Please post the screen shot from openwrt, displaying all interfaces, not only the detail views.

I connect to the router device using SSH: "ssh root@192.168.1.1" and execute "ping 172.31.150.175". I get "ping: sendto: Network unreachable".
I expect this is the problem?

For obvious reasons I can't ping the WAN gateway from my laptop connected to eth1 either.

The client gets DNS IP 192.168.1.1
The site used for authentication is an IPv4 address.

Screenshot from all interfaces is attached:

your own WAN IP is 171.31.150.175, you were pinging 172.31.150.175,
is the 172 IP the default GW, or a typo ?
it's also different to what you previously posted in the screen shots....

This was a typo. I updated my WAN IP to the correct one, 172.31.150.175. I had a copy-paste error in the ping command; I'm very sorry for wasting your precious time on my typos. I did this configuration lots of times over and over again since yesterday and I'm quite sure it wasn't always a typo, though. Thank you very much for being so observant and spotting my typos ^^

I did update the WAN IP to the correct one and restarted the router. I connected via SSH ("ssh root@192.168.1.1") and pinged the WAN gateway ("ping 172.31.150.254"). I don't get an error message anymore, but the ping is not successful either. Maybe the gateway just doesn't answer pings at all. I'm still connected via SSH to the router on 192.168.1.1, and then I tried to SSH to the authentication server: "ssh user@ip", and I receive the error message "ssh: Connection to user@ip:22 exited: Connect failed: Host is unreachable".
I also can't SSH from my laptop to the authentication server directly, getting the same error message "Network is unreachable".

Edit:
Here is a new screenshot from the WAN interface config:

yeah, the GW IP might not be pingable, what about the DNS IPs, and the ssh authentication host ?

ssh back to the router, run logread -f, then unplug the WAN port network cable, and put it back in, what does the log say ?

you can stop logread using Ctrl-C.

I'm still connected to the router via SSH on 192.168.1.1:
Executing ping (IP of the authentication host) results in the same behavior as pinging the gateway: the server doesn't respond, but I don't get a network error or so.
Here is a screenshot of the log output:


Pinging the DNS servers behaves the same, btw. No network error message, but no response to ping packets either.
I thought it might be interesting to ping the auth host from my laptop connected to the router on eth1; that results in the output from the following screenshot (some timeouts mixed with some destination host unreachable error messages, can't really imagine what happens here).

eth0 seems to be assigned to both LAN and WAN ?

Enable masquerade on WAN.

Had the default WAN been used (or existed) that's already set up.

What should the config look like? Yes, the LAN is a bridge device on eth0 and eth1 as shown in the above screenshots (pasting it here again for reference):


remove eth0 from br-lan, if eth0 is the WAN port.

You mean on the lan -> wan firewall zone rule? I did so, but that didn't change anything.

Disregard, I see it's already enabled.


My bad.

(I meant on WAN, do not enable on LAN.)

Try from default settings again.
Create a wan network interface named exactly 'wan' (must be defined in lower case, LuCI will uppercase it but ignore that). Naming it exactly wan will match the default firewall file and do what you want.
Reassign one of the Ethernet ports to be the wan device. Remove that port from br-lan.
Install static IP, gateway, and DNS servers on wan. In lan, leave the gateway and DNS blank.

What make and model router is this? I ask because the firstboot scripts are supposed to detect any hardware having more than one Ethernet port and configure one of the ports wan by default.

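The layout the last reply describes, written out as an added example (not from this thread and not an OpenWrt project file): the /etc/config/network fragment with eth0 as the wan device and only eth1 left in br-lan, plus a small check that flags the "eth0 assigned to both LAN and WAN" situation spotted earlier in the thread. The WAN address, gateway and netmask are the ones posted; eth0 as the apartment uplink is an assumption, and the DNS entries are placeholders because those addresses were blacked out.

```shell
#!/bin/sh
# Added example, not from the thread: the corrected /etc/config/network for the
# procedure above, plus a check for the "eth0 assigned to both LAN and WAN" mistake.
# Assumed: eth0 is the apartment uplink and eth1 stays on the LAN bridge; the WAN
# IP, gateway and netmask are the ones posted in the thread; the DNS entries are
# placeholders because those addresses were blacked out in the screenshots.

corrected_network() {
cat <<'EOF'
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth1'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'

config interface 'wan'
    option device 'eth0'
    option proto 'static'
    option ipaddr '172.31.150.175'
    option netmask '255.255.255.0'
    option gateway '172.31.150.254'
    list dns 'DNS1_PLACEHOLDER'
    list dns 'DNS2_PLACEHOLDER'
EOF
}

# The layout the poster had: eth0 is a br-lan bridge port AND the wan device.
broken_network() {
  corrected_network | sed "s/list ports 'eth1'/list ports 'eth1'\\
    list ports 'eth0'/"
}

# Read a UCI network config on stdin; print any port that is both a br-lan bridge
# port and the device of the 'wan' interface. Prints nothing when the config is clean.
shared_ports() {
  tr -d "'" | awk '
    /^config / { sect = $2; name = $3; inbr = 0 }
    sect == "device" && $1 == "option" && $2 == "name" && $3 == "br-lan" { inbr = 1 }
    inbr && $1 == "list" && $2 == "ports" { bridged[$3] = 1 }
    sect == "interface" && name == "wan" && $1 == "option" && $2 == "device" { wandev = $3 }
    END { if (wandev != "" && (wandev in bridged)) print wandev }
  '
}
```

Run `broken_network | shared_ports` to see the offending port reported (eth0), and `corrected_network | shared_ports` to see the clean layout pass silently; the same check works on a real file via `shared_ports < /etc/config/network`.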