Single device cannot communicate with router

I have a proxmox server connected to a lan port on my openWRT router (WAVLINK WL-WN536AX6, MediaTek Filogic, OpenWrt 24.10.5).

When I ping the internet or the router (192.168.1.1) from the server it times out. The server can ping other local devices such as my desktop PC. I have a debian VM running in proxmox that I've had set up for a while and that has a working network (to the router and internet) but when I try and create a new VM, there is no network connectivity.

I've been trying to troubleshoot using Anthropic's Claude and have tried many things to do with IP conflicts and firewall rules or such in openWRT that block this specific ip or MAC (I never intentionally added any). The MAC is set to a static ip of 192.168.1.50 in openWRT.

Other things to note:

• tcpdump -i lan1 shows packets arriving from 192.168.1.50
• tcpdump -i br-lan shows nothing from 192.168.1.50
• All other devices on same port work fine
• My Raspberry Pi works on both LAN ports, Proxmox fails on both ports
• As far as Claude has had me check, no firewall rules, no MAC filtering, clean network config

I've tried rebooting both router and server. Am now thinking I need to dig up an old router (this will be a bit of a pain in the ass) and try that..

Any help would be much appreciated.

Does the host OS (not the Proxmox VMs) upon which Proxmox runs have access to the internet and to other hosts on your network (including the router)?

To rule out anything with the router, let's see your complete configuration.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

This will end up badly. Do not use AI for OpenWrt, full stop.

Thanks for your reply and help. The proxmox server cannot access the internet or router at 192.168.1.1 (if I ping either, all packets are lost). Proxmox can successfully ping other machines in the network such as my desktop PC.

I have one VM in proxmox that has been set up for some time and that has working internet and can access the router. If I create a new VM (I did earlier today), it has the same limitations as proxmox (cannot hit internet or router but can hit my PC).

Noted re using claude

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.119",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "WAVLINK WL-WN536AX6 Rev a",
        "board_name": "wavlink,wl-wn536ax6-a",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.5",
                "revision": "r29087-d9c5716d1d",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.5 r29087-d9c5716d1d",
                "builddate": "1766005702"
        }
}

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '<redacted>:e940::/48'
        option packet_steering '0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config interface 'wg0'
        option proto 'wireguard'
        option private_key '<redacted>'
        option listen_port '51821'
        list addresses '10.0.0.1/24'
        list dns '192.168.1.1'

config wireguard_wg0
        option description 'pixel9Pro'
        option public_key '<redacted>'
        option private_key '<redacted>'
        option persistent_keepalive '25'
        list allowed_ips '10.0.0.2/32'
        list allowed_ips '192.168.1.0/24'

config wireguard_wg0
        option description 'zenbook'
        option public_key '<redacted>'
        option private_key '<redacted>'
        list allowed_ips '192.168.1.0/24'
        list allowed_ips '10.0.0.3/32'

config interface 'express_canada'
        option proto 'none'
        option device 'tun0'

config interface 'vpnCanWifi'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option dns '10.134.0.1 8.8.8.8'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel '1'
        option htmode 'HE20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '<redacted>'
        option encryption 'psk2'
        option key '<redacted>'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel '36'
        option htmode 'HE80'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid '<redacted> 5GHz'
        option encryption 'sae'
        option key '<redacted>'
        option ocv '0'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid '<redacted>-CAN'
        option encryption 'psk2'
        option key '<redacted>'
        option network 'vpnCanWifi'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list server '8.8.8.8'
        list server '1.1.1.1'
        list addnhosts '/etc/dnsmasq.hosts'
        list addn_hosts '/etc/dnsmasq.hosts'
        list rebind_domain '<redacted>'

config dhcp 'lan'
        option interface 'lan'
        option start '120'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piofolder '/tmp/odhcpd-piofolder'

config host
        option name 'DESKTOP-1'
        option ip '192.168.1.111'
        list mac '<redacted>'

config host
        option name 'raspberryPi2'
        list mac '<redacted>'
        option ip '192.168.1.36'

config host
        option name 'raspberryPi3'
        list mac '<redacted>'
        option ip '192.168.1.9'

config host
        option name '3DPrinterPlugTasmota'
        list mac '<redacted>'
        option ip '192.168.1.17'

config host
        option name 'SparePlugTasmota'
        list mac '<redacted>'
        option ip '192.168.1.22'

config host
        option name 'LampPlugTasmota'
        list mac '<redacted>'
        option ip '192.168.1.24'

config host
        option name 'SnitzelServerProxMox'
        list mac '<redacted>'
        option ip '192.168.1.50'

config host
        option name 'IPCam2KUnbrandedEth'
        list mac '<redacted>'
        option ip '192.168.1.41'

config host
        option name 'Zenfone83DPCam'
        option ip '192.168.1.16'
        list mac '<redacted>'

config host
        option name 'IPCamSwann'
        list mac '<redacted>'
        option ip '192.168.1.19'

config host
        option name 'IPCamUnbranded2Eth'
        list mac '<redacted>'
        option ip '192.168.1.42'

config host
        option name 'IPCamUnbranded1Eth'
        list mac '<redacted>'
        option ip '192.168.1.43'

config host
        option name 'debian1'
        option ip '192.168.1.37'
        list mac '<redacted>'

config domain
        option name '*.<redacted>.duckdns.org'
        option ip '<redacted>'

config domain
        option name '<redacted>.duckdns.org'
        option ip '192.168.1.37'

config domain
        option name '<redacted>'
        option ip '<redacted>'

config dhcp 'vpnCanWifi'
        option interface 'vpnCanWifi'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,10.134.0.1,8.8.8.8'
        list dhcp_option '3,192.168.2.1'

config host
        option name 'Wavlink'
        option ip '192.168.1.152'
        list mac '<redacted>'

config host
        option name 'ptzCAM'
        option ip '192.168.1.20'
        list mac '<redacted>'

config host
        option name 'cs2server'
        option ip '192.168.1.55'
        list mac '<redacted>'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'piSSH'
        option src 'wan'
        option src_dport '3322'
        option dest_ip '192.168.1.36'
        list reflection_zone 'lan'
        option dest_port '3322'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'wireguardServer'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '192.168.1.9'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'webServerHTTP'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.1.9'
        list reflection_zone 'lan'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'webServerHTTPS'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.1.9'
        list reflection_zone 'lan'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'moonlight'
        list proto 'udp'
        option src 'wan'
        option src_dport '47998'
        option dest_ip '192.168.1.111'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'GTA'
        option src 'wan'
        option src_dport '4499'
        option dest_ip '192.168.1.111'
        list proto 'tcp'
        list proto 'udp'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'moonlight'
        list proto 'udp'
        option src 'wan'
        option src_dport '48000'
        option dest_ip '192.168.1.111'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'plex'
        option src 'wan'
        option src_dport '6107'
        option dest_ip '192.168.1.37'
        option dest_port '32400'
        list reflection_zone 'lan'
        list reflection_zone 'wireguard'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'PCSSH'
        option src 'wan'
        option src_dport '3344'
        option dest_ip '192.168.1.111'

config zone
        option name 'wireguard'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'wg0'
        option mtu_fix '1'

config forwarding
        option src 'wireguard'
        option dest 'lan'

config forwarding
        option src 'wireguard'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'wireguard'

config forwarding
        option src 'wan'
        option dest 'wireguard'

config rule
        option src 'wan'
        option name 'wireguardWRT'
        list proto 'udp'
        option dest_port '51821'
        option target 'ACCEPT'

config rule
        option src 'wireguard'
        option name 'wireguardWRT'
        list proto 'udp'
        option dest_port '51821'
        option target 'ACCEPT'
        option dest '*'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'CS2Server'
        option src 'wan'
        option src_dport '27015'
        option dest_ip '192.168.1.231'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'cs2ServerClientPort'
        list proto 'udp'
        option src 'wan'
        option src_dport '27005'
        option dest_ip '192.168.1.231'

config redirect
        option name 'WG-DNS-Redirect'
        option src 'wireguard'
        option proto 'tcp udp'
        option src_dport '53'
        option dest 'lan'
        option dest_ip '192.168.1.1'
        option dest_port '53'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'openWRTWG'
        option src 'wan'
        option src_dport '51821'
        option dest_ip '192.168.1.1'

config include
        option path '/etc/firewall.user'
        option fw4_compatible '1'

config zone
        option name 'vpnCAN'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'express_canada'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'vpnCanClients'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vpnCanWifi'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'vpnCanClients'
        option dest 'vpnCAN'

config forwarding
        option src 'vpnCAN'
        option dest 'vpnCanClients'

config rule
        option src 'lan'
        option dest '*'
        option name 'allow-proxmox-host'
        list proto 'all'
        list src_ip '192.168.1.50'
        option target 'ACCEPT'

Did you also try pinging the link-local addresses? (Those start with fe80:: and you have to append something like %eth0 to make it use the right link.)

Remove list allowed_ips '192.168.1.0/24'
from each of the above. Restart and then test again.

Also check the ip address configuration on the host in question. In many cases, dhcp is desirable. If not, please show us what is set.

As I read more, there are additional errors:

The limit (size variable for the DHCP pool) here is too large -- the total of start + limit - 1 must be >=254 on a /24 network.

masquerading should be disabled on this zone.

Delete the above rule.

Delete this rule:

Delete this rule:

Remove masquerading on the zone below:

Delete this forward:

and delete this rule:

thanks for the reply, tried this but same result, timed out

Thanks - I have made these changes and rebooted but same results. I did also notice that although I can ssh into my proxmox server from my windows PC connected via cable 1I cannot log in to ssh from my windows laptop on wifi.. not sure if this helps

which wifi network are you connected to ?

Just my normal 2.4 GHz one

Your wireless config shows two networks on the 2.4g band. One on the 'lan' network and one on the 'vpnCanWifi' network. The vpnCanWifi is in a different firewall zone and on a different subnet

I also have a proxmox system used with an Openwrt router and have no problems connecting either wired or wireless to the proxmox host or any of the VMs

Let's get to the specifics...

• What is the IP address of the host that is having trouble connecting? Is it static, or DHCP assigned?
• Does the host have both Ethernet and wifi? If so, what are the IP addresses on each adapter?
• What is the IP address of the target(s)?
• How are you testing (ping, ssh, opening a web page or a file share, etc.)?

I guess others here have more experience than me, but at this point I'd start looking at the arp table and see if you can figure out if that gets filled and what kind of traffic you can see with tcpdump.

I was connected to the regular non VPN one

The ip is static, set by the router to 192.168.1.50 and the router is 192.168.1.1.
It does have Ethernet and wifi but the wifi isn't set up or connected. Testing via ping

Please check the computer itself - check its network settings to ensure it is set to dhcp and confirm the address is what you expect.

Also, what operating system is on the system?

Another question: do you have any vpn configurations on that host?

Sorry do you mean the proxmox server? It's running proxmox based on debian and is set to dhcp. The ip is what I expect and it does not have any vpns configured.

You said proxmox works but the host upon which the vms are situated is unable to access the network… is that correct?

Sorry I'm a little confused, I'm calling proxmox the host which cannot access the router or internet

that was not clear at all.

It seems to me that this is a proxmox issue, not related to OpenWrt at all. Check your Proxmox networking settings on both the VM and the proxmox supervisor environment itself.

OK thanks, yeah I have been doing that but am yet to find anything that could cause this and it was suggested to me that it was likely the router rejecting traffic since packets are hitting the router - confirmed via tcpdump -i lan1 on the router that packets from 192.168.1.50 are arriving at the router's physical port. The issue is they never appear on tcpdump -i br-lan