[Solved] Br-lan cannot access internet 22.03.5

My D-Link DIR-860L B1 is used as Access Point, the WAN connected to a unmanaged switch which connects to the main router.

The forwarding from the WiFi networks to the upstream network works just fine; however, when a computer is wired to one of the lan ports of the DIR-860L B1, it gets a DHCP-assigned IP and everything else, but just cannot access the internet.

Please help me figure out what went wrong. Thanks a lot in advance.

BTW, the gateway IP '192.168.1.2' is the address the WAN got from the upstream network, i.e. the main router.

The configuration is as follows:
network

# /etc/config/network as first posted: the DIR-860L acts as an access point behind the
# main router, with its wan port plugged into the upstream 192.168.1.0/24 switch.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        # Looks redacted; a real ULA prefix would sit in fd00::/8.
        option ula_prefix 'ffff:ffff:ffff::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        # IPv6 disabled on the bridge (this option is gone again in the later posting).
        option ipv6 '0'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        # MAC addresses are redacted; the same placeholder is shown for all four ports.
        option macaddr 'xx:xx:xx:xx:xx:x0'

config device
        option name 'lan2'
        option macaddr 'xx:xx:xx:xx:xx:x0'

config device
        option name 'lan3'
        option macaddr 'xx:xx:xx:xx:xx:x0'

config device
        option name 'lan4'
        option macaddr 'xx:xx:xx:xx:xx:x0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        # The gateway is the address the wan port itself holds on the upstream network,
        # while this interface lives on 192.168.2.0/24. The reply below says to drop it:
        # the default route is expected to come from the wan interface instead.
        option gateway '192.168.1.2'
        option ipaddr '192.168.2.1'

config device
        option name 'wan'
        option macaddr 'xx:xx:xx:xx:xx:x3'

config interface 'wan'
        # Upstream side; gets 192.168.1.2 from the main router (reported as a fixed lease).
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'guest0'
        option proto 'static'
        option ipaddr '172.16.0.1'
        option netmask '255.255.255.0'
        # Binds the wireless interface directly; the reply below says radio/wlan devices
        # belong only in /etc/config/wireless, and that the gateway should go as well.
        # The same applies to guest1..guest3.
        option device 'wlan0'
        option gateway '192.168.1.2'

config interface 'guest1'
        option proto 'static'
        option ipaddr '172.16.1.1'
        option netmask '255.255.255.0'
        option device 'wlan1'
        option gateway '192.168.1.2'

config interface 'guest2'
        option proto 'static'
        option device 'radio0.network2'
        option ipaddr '172.16.2.1'
        option netmask '255.255.255.0'
        option gateway '192.168.1.2'

config interface 'guest3'
        option proto 'static'
        option device 'radio1.network2'
        option ipaddr '172.16.3.1'
        option netmask '255.255.255.0'
        option gateway '192.168.1.2'

firewall:

# /etc/config/firewall as first posted. Unnamed sections are kept exactly in the order
# given, since that order is part of what the config expresses.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        # The router itself is fully reachable from the upstream 192.168.1.0/24 network;
        # the reply below recommends REJECT unless that network is fully trusted.
        option input 'ACCEPT'
        list network 'wan'
        list network 'wan6'
        # No 'masq' option: traffic from br-lan presumably leaves with 192.168.2.x source
        # addresses and relies on the upstream static route. The reply below names the
        # missing masquerade as the main issue.

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        # This and the next rule forward IPsec (ESP, UDP/500) from the upstream side into
        # the lan zone. They look like stock default rules left in place; confirm they are
        # wanted given that the lan is meant to be isolated from the upstream network.
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'WiFi'
        # Guest clients reach the router itself only through the explicit allow rules
        # that follow (the ones with 'src WiFi' and no 'dest').
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest0'
        list network 'guest1'
        list network 'guest2'
        list network 'guest3'

config rule
        option name 'Allow WiFi DHCP'
        list proto 'udp'
        option src 'WiFi'
        option src_port '67-68'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        list proto 'udp'
        option src_port '67-68'
        option dest_port '67-68'
        option target 'ACCEPT'
        option name 'Allow LAN DHCP'
        # Redundant with the lan zone's input ACCEPT above; probably the rule the reply
        # below calls unnecessary.
        option src 'lan'

config rule
        option name 'Allow WiFi DNS'
        option family 'ipv4'
        option dest_port '53'
        option target 'ACCEPT'
        option src 'WiFi'
        # DNS is allowed only towards the upstream router's resolver; the reply below
        # suggests answering DNS locally instead and dropping the dest/dest_ip part.
        list dest_ip '192.168.1.1'
        option dest 'wan'

config rule
        option family 'ipv4'
        option dest_port '53'
        option target 'ACCEPT'
        list dest_ip '192.168.1.1'
        option dest 'wan'
        option name 'Allow LAN DNS'
        # The reply below says this rule can be removed entirely for the lan zone.
        option src 'lan'

config rule
        option name 'Allow WiFi Access NAS'
        option family 'ipv4'
        option src 'WiFi'
        option dest_port '445'
        # SMB to two hosts on the upstream subnet; listed before the private-net block
        # rule, so it presumably wins for these two addresses.
        list dest_ip '192.168.1.3'
        list dest_ip '192.168.1.7'
        option target 'ACCEPT'
        option dest 'wan'

config rule
        option name 'Block WiFi Visit Private Net'
        option family 'ipv4'
        option src 'WiFi'
        list dest_ip '0.0.0.0/8'
        list dest_ip '10.0.0.0/8'
        list dest_ip '127.0.0.0/8'
        list dest_ip '169.254.0.0/16'
        # Duplicate of the previous entry.
        list dest_ip '169.254.0.0/16'
        # Also covers the guest subnets themselves (172.16.0-3.0/24), so guest-to-guest
        # forwarding is blocked as a side effect -- presumably intended.
        list dest_ip '172.16.0.0/12'
        list dest_ip '192.0.0.0/24'
        list dest_ip '192.0.2.0/24'
        list dest_ip '224.0.0.0/3'
        list dest_ip '192.168.0.0/16'
        list dest_ip '198.18.0.0/15'
        list dest_ip '198.51.100.0/24'
        list dest_ip '203.0.113.0/24'
        # Mixes the three RFC1918 ranges with other special-use ranges; the reply below
        # keeps only 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
        option target 'REJECT'
        option dest '*'
        list proto 'all'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'WiFi'
        option dest 'wan'

Connect using the lan port instead. Be sure to disable the DHCP server on the lan network first!

If you want to use the wan port as 'just another port' let me know and I can advise about the changes necessary (fairly simple).

There is certainly an issue here, too... either the gateway or the address is wrong.
If you plug a computer directly into the unmanaged switch, what IP address does it get? And what does it list as the gateway?

These guest networks also have issues. The wlan/radio hardware should not be referenced in this file (only in the /etc/config/wireless file).

There are other issues, too... but let's get your lan figured out first. Oh, and your guest networks will break, but we'll fix that.


If you plug a computer directly into the unmanaged switch, what IP address does it get? And what does it list as the gateway?

If you mean the upstream switch, the cidr is 192.168.1.0/24, the ip WAN get is configured as fixed to '192.168.1.2'.

When I plug a wire to the DIR-860L B1, I got an ip of '192.168.2.112' with default gateway as '192.168.2.1'.

Do you intend to have the lan on the DIR-860L on the same subnet as the upstream (i.e. 192.168.1.0/24), or do you want it to be a separate routed network?

My intention is to keep them on separate networks, in order to protect my local network.

I am also curious how to let the ports on DIR-860L get dhcp service from my main router, as an alternative.

I see that you have 3 guest networks... but what about the lan on the DIR-860? And what network are the lan ports supposed to carry?

All 4 WiFi guest networks are well functional.

The lan of the DIR-860L, which has the cidr of '192.168.2.0/24', just doesn't have internet access. It's the main non-functional problem for me right now.

PS, As you can see in the config, I have already set the forwarding rules for br-lan.

I see the current config. But before I make any further suggestions, I'm trying to understand whether the lan on your DIR-860L is supposed to be an extension of the upstream lan, or a separately routed network. This will inform how I recommend that you fix the problems.

So to ask the question very specifically:

  • Should the lan ports be on the 192.168.1.0/24 or the 192.168.2.0/24 subnet?

I am trying to use a separate subnet for the DIR-860L ports, that is 192.168.2.0/24.

192.168.1.0/24 is the subnet of the main router, which has its own DHCP service on that net.

Ok....

So there are many issues.

Your main issue is in your wan zone... turn on masquerading on the wan zone.
I would also recommend that you set input = reject unless you want to be able to reach the router itself from the upstream network (it depends if you consider the upstream network fully trusted or not)

Next, remove the gateway from the lan. It will automatically assign the upstream gateway from the wan

Likewise, remove the gateway from all the guest networks. Also remove the wlan/radio network devices from all of these. (I'm just showing one network, but it should be done for all of them)

This is unnecessary, delete it

This can actually be deleted and then you can simply allow DNS on the DIR860 (which will use DNS from the upstream router unless otherwise specified). You'd set the rule the same way you did for DHCP for the wifi zone, but it would be port 53 instead.

Same deal here... unless you've specified otherwise, just use the local DNS. for the lan zone, you can simply remove this rule entirely.

This is entirely wrong... there are only 3 ranges of RFC1918 addresses. The others should be removed. The ones that should stay are:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

Once you've made the changes, post these files again for review. Also include the dhcp and wireless files.


For the WAN setting, as you may have already seen, I am just using it as an ordinary port.

Static routes to these subnets (e.g., 172.16.0.0/22, used for the 4 guest networks) via the WAN IP '192.168.1.2' are already set on the upstream router.

What puzzles me is that the similar settings of WiFi guest subnets work well, while the br-lan part is not working.

Ok... well, let's do this... make all the other changes I recommended and then test.

Actually, on second thought, I think you should make the recommended changes, but feel free to wait on those... turn on masquerading and see if it fixes the issue. If so, it means the route on the upstream router isn't right.

I would recommend that you remove the gateway from each of the network stanzas, though.

Just tested with masquerading enabled on WAN, and br-lan can now connect to the internet.

I am not sure what the exact problem is upstream. After double-checking that the static route is in place, the computer connected to the DIR-860L's lan port reports an internet connection, but still cannot actually reach the internet without masquerading on WAN.

Anyway, there's some kind of progress, not there yet though.

can you show your upstream router's static route configuration? A screen grab is fine.

It's like the following (redacted for privacy):

Upstream router is running OpenBSD 7.3.

apu2$ route -n show -inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            xxx.xxx.xx.1       UGS        6  4377798     -     8 em0
224/4              127.0.0.1          URS        0        0 32768     8 lo0
10.0.0/24          192.168.1.4        UGS        0        0     -     8 em1
10.100.3/24        192.168.1.4        UGS        0        0     -     8 em1
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHhl       2      153 32768     1 lo0
xxx.xxx.xx/20      xxx.xxx.xx.1x9     UCn        1        0     -     4 em0
xxx.xxx.xx.1       xx:xx:xx:xx:xx:c0  UHLch      1       18     -     3 em0
xxx.xxx.xx.159     xx:xx:xx:xx:xx:ac  UHLl       0     1663     -     1 em0
xxx.xxx.xx.255     xxx.xxx.xx.159     UHb        0        0     -     1 em0
172.16.0/22        192.168.1.2        UGS        0    83630     -     8 em1
192.168.1/24       192.168.1.1        UCn        7       40     -     4 em1
192.168.1.1        xx:xx:xx:xx:xx:xx  UHLl       0     1487     -     1 em1
192.168.1.2        xx:xx:xx:xx:xx:93  UHLch      2     1611     -     3 em1
192.168.1.3        xx:xx:xx:xx:xx:xx  UHLc       0       51     -     3 em1
192.168.1.4        xx:xx:xx:xx:xx:xx  UHLch      2   332198     -     3 em1
192.168.1.5        xx:xx:xx:xx:xx:xx  UHLc       0   194633     -     3 em1
192.168.1.6        xx:xx:xx:xx:xx:xx  UHLc       0     2998     -     3 em1
192.168.1.7        xx:xx:xx:xx:xx:xx  UHLc       0       43     -     3 em1
192.168.1.224      xx:xx:xx:xx:xx:xx  UHLc       2  1694854     -     3 em1
192.168.1.255      192.168.1.1        UHb        0       44     -     1 em1
192.168.2/24       192.168.1.2        UGS        0      744     -     8 em1

Maybe destroy and re-add the route to 192.168.2.0/24 via 192.168.1.2

Tried everything, but nothing works except enabling masquerading on WAN.

However, the WiFi guests do work with static route at upstream network without DIR-860L's WAN masquerading.

Now I am just wondering why?

Edit: For me an acceptable solution would be to masquerade on WAN only the packets coming from br-lan. I have searched for the answer in this very forum, and so far have found only iptables solutions. I don't know how to do the same with nftables.

Inspired by this post, I've been able to implement partial masquerading on the WAN port, excluding my WiFi subnets.

Now my firewall looks like:

# /etc/config/firewall after the changes discussed above. Section order is kept as
# posted, since rule order is part of what the config expresses.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        # Not present in the first posting.
        option flow_offloading '1'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        # Still ACCEPT; the earlier recommendation was REJECT unless the upstream
        # network is fully trusted.
        option input 'ACCEPT'
        # Masquerade everything except the four guest subnets: br-lan (192.168.2.0/24)
        # is NATed behind the wan address, while 172.16.0.0/22 keeps relying on the
        # upstream static route via 192.168.1.2.
        option masq '1'
        option masq_src '!172.16.0.0/22'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        # This and the next rule still forward IPsec (ESP, UDP/500) from the upstream
        # side into the lan zone; confirm that is wanted for an isolated lan.
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
# No blank line before this section in the posting; cosmetic as far as can be told.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        # Was ACCEPT in the first posting.
        option forward 'REJECT'
        list network 'lan'

config zone
        option name 'WiFi'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest0'
        list network 'guest1'
        list network 'guest2'
        list network 'guest3'

config rule
        option name 'Allow WiFi DHCP'
        list proto 'udp'
        option src 'WiFi'
        option src_port '67-68'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'Allow WiFi DNS'
        # No 'dest' any more, so guest DNS now goes to the router's own resolver, as
        # suggested above. The separate 'Allow LAN DNS'/'Allow LAN DHCP' rules are gone.
        option dest_port '53'
        option target 'ACCEPT'
        option src 'WiFi'

config rule
        option name 'Allow WiFi Access NAS'
        option family 'ipv4'
        option src 'WiFi'
        option dest 'wan'
        option dest_port '445'
        # Still listed before the private-net block rule below.
        list dest_ip '192.168.1.3'
        list dest_ip '192.168.1.7'
        option target 'ACCEPT'

config rule
        option name 'Block WiFi Visit Private Net'
        option family 'ipv4'
        option src 'WiFi'
        option target 'REJECT'
        option dest '*'
        list proto 'all'
        # Now only the three RFC1918 ranges. 172.16.0.0/12 still covers the guest
        # subnets themselves, so guest-to-guest forwarding stays blocked.
        list dest_ip '10.0.0.0/8'
        list dest_ip '172.16.0.0/12'
        list dest_ip '192.168.0.0/16'

config nat
        option name 'Allow Access NAS 1'
        list proto 'tcp'
        list proto 'udp'
        option dest_ip '192.168.1.3'
        option dest_port '445'
        # Source-NAT SMB traffic to this NAS to the wan address. Presumably this covers
        # the guest subnets that 'masq_src' excludes from masquerading -- verify it is
        # still needed alongside the masq setting above.
        option target 'SNAT'
        option snat_ip '192.168.1.2'
        option src 'wan'

config nat
        option name 'Allow Access NAS 2'
        list proto 'tcp'
        list proto 'udp'
        option dest_ip '192.168.1.7'
        option dest_port '445'
        option target 'SNAT'
        option snat_ip '192.168.1.2'
        option src 'wan'

config forwarding
        option src 'WiFi'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

network

# /etc/config/network after the changes discussed above.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        # Looks redacted; a real ULA prefix would sit in fd00::/8.
        option ula_prefix 'ffff:ffff:ffff::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        # The earlier 'option ipv6 0' on this bridge is gone.
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        # MAC addresses are redacted.
        option macaddr 'xx:xx:xx:xx:xx:x0'

config device
        option name 'lan2'
        option macaddr 'xx:xx:xx:xx:xx:x0'

config device
        option name 'lan3'
        option macaddr 'xx:xx:xx:xx:xx:x0'

config device
        option name 'lan4'
        option macaddr 'xx:xx:xx:xx:xx:x0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        # The stray 'gateway 192.168.1.2' from the first posting has been removed.
        option ipaddr '192.168.2.1'

config device
        option name 'wan'
        option macaddr 'xx:xx:xx:xx:xx:x3'

config interface 'wan'
        # Upstream side; gets 192.168.1.2 from the main router (reported as a fixed lease).
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'guest0'
        # Guest networks no longer name a wireless device or a gateway here; the
        # wifi-iface sections in /etc/config/wireless attach to them by name.
        option proto 'static'
        option ipaddr '172.16.0.1'
        option netmask '255.255.255.0'

config interface 'guest1'
        option proto 'static'
        option ipaddr '172.16.1.1'
        option netmask '255.255.255.0'

config interface 'guest2'
        option proto 'static'
        option ipaddr '172.16.2.1'
        option netmask '255.255.255.0'

config interface 'guest3'
        option proto 'static'
        option ipaddr '172.16.3.1'
        option netmask '255.255.255.0'

dhcp:

# /etc/config/dhcp.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # DNS rebind protection: upstream answers pointing at private addresses are
        # refused (localhost answers excepted by the next line).
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # Upstream resolvers are read from here -- presumably what the wan lease supplied.
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        # Answer DNS only for directly attached subnets.
        option localservice '1'
        option ednspacket_max '1232'
        # Cache size 0: no local DNS caching.
        option cachesize '0'

config dhcp 'lan'
        option interface 'lan'
        # Pool 192.168.2.100-249 (start 100, limit 150); matches the .112 lease seen above.
        option start '100'
        option limit '150'
        option leasetime '12h'
# No blank line before this section in the posting; cosmetic as far as can be told.
config dhcp 'wan'
        option interface 'wan'
        # Never serve DHCP on the upstream-facing port.
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        # No DHCPv6 and no router advertisements from this device.
        option dhcpv6 'disabled'
        option ra 'disabled'

config dhcp 'guest0'
        option interface 'guest0'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'guest1'
        option interface 'guest1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'guest2'
        option interface 'guest2'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'guest3'
        option interface 'guest3'
        option start '100'
        option limit '150'
        option leasetime '12h'

and wireless

# /etc/config/wireless. Pre-shared keys and RADIUS secrets are redacted ('xxxxxx').
config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '112'
        option band '5g'
        option htmode 'VHT80'
        option country 'US'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        # Guest networks are attached here by name, not via 'device' in the network config.
        option network 'guest0'
        option mode 'ap'
        # WPA2-PSK with CCMP.
        option encryption 'psk2+ccmp'
        option key 'xxxxxx'
        option ssid 'NETGEAR06-5G'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '11'
        option band '2g'
        option htmode 'HT20'
        option country 'US'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'guest1'
        option mode 'ap'
        option encryption 'psk2+ccmp'
        option key 'xxxxxx'
        option ssid 'NETGEAR06'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        # WPA2-Enterprise: clients authenticate against a RADIUS server at 192.168.1.7 on
        # the upstream subnet (the same host the firewall allows SMB to). That exchange
        # originates from the router itself, so the WiFi-zone rule blocking
        # 192.168.0.0/16 presumably does not affect it -- confirm.
        option encryption 'wpa2+ccmp'
        option auth_server '192.168.1.7'
        option auth_secret 'xxxxxx'
        option acct_server '192.168.1.7'
        option acct_secret 'xxxxxx'
        option network 'guest2'
        option auth_port '1812'
        option acct_port '1813'
        option ssid 'NETGEAR06-5G-ENT'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option network 'guest3'
        # 'wpa2' with no explicit cipher, unlike 'wpa2+ccmp' on wifinet2; presumably
        # the default cipher applies -- confirm the two are meant to differ.
        option encryption 'wpa2'
        option auth_server '192.168.1.7'
        option auth_secret 'xxxxxx'
        option acct_server '192.168.1.7'
        option acct_secret 'xxxxxx'
        option auth_port '1812'
        option acct_port '1813'
        option ssid 'NETGEAR06-ENT'

It's a good time to set up a packet capture to understand what the problem is.

# Install tcpdump, then capture only 192.168.2.0/24 traffic on the wan port.
opkg update; opkg install tcpdump
tcpdump -i wan -vnn net 192.168.2.0/24

Generate some traffic from the lan hosts to the internet and to the OpenBSD router, verify that you see the packets, then stop with Ctrl-C and paste the output here.