Hi all! Got an ASUS TUF-AX4200 a few days ago and flashed OpenWrt through serial successfully but can't connect to a WAN static IP.
Here's what I've tried:
I have an old TP-Link with OpenWrt installed which connects to the WAN flawlessly. I enter the interface, go to Network/Interfaces, change the protocol to "Static address", enter in the details and it works. Following the same steps on the ASUS TUF-AX4200, it doesn't.
I read that since v21.02 DSA support has been added to OpenWrt so I followed those instructions for additional setup I found on Reddit, multiple times with slight differences of the config to no avail.
Tried changing the config so that lan4 is used as the WAN port if the actual WAN port (eth0) has flaws but it didn't help.
Tried all of the steps above on three versions of OpenWrt:
23.05.0 (suggested in wiki)
23.05.1
23.05.2 (the one I'm on currently)
Since the forum allows me to post only one image, I merged all these screenshots in case they'd be of help:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
root@OpenWr:~# cat /etc/config/firewall
config defaults
    option syn_flood 1
    option input REJECT
    option output ACCEPT
    option forward REJECT
    # Uncomment this line to disable ipv6 rules
    # option disable_ipv6 1

config zone
    option name lan
    list network 'lan'
    option input ACCEPT
    option output ACCEPT
    option forward ACCEPT

config zone
    option name wan
    list network 'wan'
    list network 'wan6'
    option input REJECT
    option output ACCEPT
    option forward REJECT
    option masq 1
    option mtu_fix 1

config forwarding
    option src lan
    option dest wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
    option name Allow-DHCP-Renew
    option src wan
    option proto udp
    option dest_port 68
    option target ACCEPT
    option family ipv4

# Allow IPv4 ping
config rule
    option name Allow-Ping
    option src wan
    option proto icmp
    option icmp_type echo-request
    option family ipv4
    option target ACCEPT

config rule
    option name Allow-IGMP
    option src wan
    option proto igmp
    option family ipv4
    option target ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
    option name Allow-DHCPv6
    option src wan
    option proto udp
    option dest_port 546
    option family ipv6
    option target ACCEPT

config rule
    option name Allow-MLD
    option src wan
    option proto icmp
    option src_ip fe80::/10
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family ipv6
    option target ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
    option name Allow-ICMPv6-Input
    option src wan
    option proto icmp
    list icmp_type echo-request
    list icmp_type echo-reply
    list icmp_type destination-unreachable
    list icmp_type packet-too-big
    list icmp_type time-exceeded
    list icmp_type bad-header
    list icmp_type unknown-header-type
    list icmp_type router-solicitation
    list icmp_type neighbour-solicitation
    list icmp_type router-advertisement
    list icmp_type neighbour-advertisement
    option limit 1000/sec
    option family ipv6
    option target ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
    option name Allow-ICMPv6-Forward
    option src wan
    option dest *
    option proto icmp
    list icmp_type echo-request
    list icmp_type echo-reply
    list icmp_type destination-unreachable
    list icmp_type packet-too-big
    list icmp_type time-exceeded
    list icmp_type bad-header
    list icmp_type unknown-header-type
    option limit 1000/sec
    option family ipv6
    option target ACCEPT

config rule
    option name Allow-IPSec-ESP
    option src wan
    option dest lan
    option proto esp
    option target ACCEPT

config rule
    option name Allow-ISAKMP
    option src wan
    option dest lan
    option dest_port 500
    option proto udp
    option target ACCEPT

### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
# option src lan
# option src_ip 192.168.45.2
# option dest wan
# option proto tcp
# option target REJECT

# block a specific mac on wan
#config rule
# option dest wan
# option src_mac 00:11:22:33:44:66
# option target REJECT

# block incoming ICMP traffic on a zone
#config rule
# option src lan
# option proto ICMP
# option target DROP

# port redirect port coming in on wan to lan
#config redirect
# option src wan
# option src_dport 80
# option dest lan
# option dest_ip 192.168.16.235
# option dest_port 80
# option proto tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
# option src wan
# option src_dport 22001
# option dest lan
# option dest_port 22
# option proto tcp

### FULL CONFIG SECTIONS
#config rule
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 80
# option dest wan
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
# option target REJECT

#config redirect
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 1024
# option src_dport 80
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
Yes, I tried replicating the same configuration on the TUF as on the TP-Link, especially double-checked the WAN configs. Important to know that the TP-Link which I configure without issues is TP-Link TL-WR840N v2 which uses OpenWrt 18.06.9 (pre-DSA support).
Where does the upstream connection come from (what kind of device and to what physical port)?
The upstream connection comes from a modem (my ISP) and connects to the router to the WAN physical port. All they've provided me is a static IP, the default gateway and subnet mask 255.255.255.0.
And is it tagged (if so what VLAN)?
To my knowledge it shouldn't be tagged.
I see your wan using br-lan.2 which is tagged on eth0 and untagged on eth1. We need to know how it is connected and why you have the wan in a bridge.
So my understanding is that eth0 is the router's CPU so it needs to be aware of the VLAN filtering we're doing. That's why on the 2 VLANs I have, eth0 interface is set to "T" (tagged), so it's aware of the VLANs. I might be wrong!
eth1 is the WAN physical port therefore on br-lan.1 I leave it as "Not Member" and set lan1..4 to "Untagged" (so that br-lan.1 is then connected to the lan interface under "Interfaces" tab)
Contrary, on br-lan.2 I set eth1 as untagged so that all traffic coming at eth1 would be let through to br-lan.2 and all of the rest lan1..4 are set as "Not Member" so that packets on those 4 lan ports won't come at the br-lan.2.
Thus I have two VLANs - br-lan.1 which is for LAN and br-lan.2 for WAN. Then what I do is I use these under the "Interfaces tab" instead of the physical devices.
EDIT:
To my understanding this additional layer of VLANs is required in order for the LAN network to be able to access the WAN network and without it they'd just stay separated from one another.
Ok... I'm pretty sure this config is messed up, but I don't know what the default should look like for your device (each device is a bit different). If your device is properly DSA, it likely doesn't expose eth0 and eth1 as ports; if it is swconfig or has individually routed ports, it would expose those.
The best route here is to simply reset to defaults. From there, you can post your /etc/config/network file and we can get it sorted out.
Feel free to take a backup before you do the reset, but I don't think we'll be using that backup at all.
This is /etc/config/network after "reset to defaults" (only user password changed)
$ cat /etc/config/network
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd5f:g3dd:1ce8::/48'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
    list ports 'lan4'

config device
    option name 'lan1'
    option macaddr '-'

config device
    option name 'lan2'
    option macaddr '-'

config device
    option name 'lan3'
    option macaddr '-'

config device
    option name 'lan4'
    option macaddr '-'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config device
    option name 'eth1'
    option macaddr '-'

config interface 'wan'
    option device 'eth1'
    option proto 'dhcp'

config interface 'wan6'
    option device 'eth1'
    option proto 'dhcpv6'
After this I'd expect to go to the WAN interface and set it up as follows through LuCI (posting the diff before "save & apply"):
# /etc/config/dhcp
uci set dhcp.wan.start='100'
uci set dhcp.wan.limit='150'
uci set dhcp.wan.leasetime='12h'
# /etc/config/network
uci set network.wan.proto='static'
uci set network.wan.ipaddr='xxx.xxx.xxx.xxx'
uci set network.wan.netmask='255.255.255.0'
uci set network.wan.gateway='xxx.xxx.211.1'
uci add_list network.wan.dns='xxx.xxx.192.1'
uci add_list network.wan.dns='xxx.xxx.192.2'
uci add_list network.wan.dns='8.8.8.8'
They tried to make lan4 eth1 because they worried eth0 might be bad.
But something did not stick because they still have a lan4 port in br-lan and, obviously, this configuration is not going to work.
And according to LuCI, all of his ports are bridged to br-lan.
Have you tried connecting a computer directly to the modem and configuring your computer's interface with the same static IP info that the ISP gave you?
This is not the first time I'm trying out this config handed me by the ISP, it worked flawlessly for months on my old TP-Link. I can even wire it up now and extract logs from it if needed (it's running OpenWrt too). Thanks for sticking with the issue and helping out by the way!!
And to verify, the first two octets are not 192.168, correct?
The reason to test it on a regular computer is to make sure it isn't locked against the MAC address of your old router or to confirm that it is working as expected on a different device.
I haven't tried assigning the old MAC address to my new router. Does the MAC address of the device change after you install OpenWrt? I guess it does. And if so MAC shouldn't be the issue in my case.
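An added example, not part of any post in this thread: a shell/awk check for the condition raised earlier, a WAN interface that sits on br-lan (for example br-lan.2) or uses a port that is still a member of it, which removes the separation the wan firewall zone relies on. The function name and both sample configs are constructed for illustration; on a router the function would be pointed at /etc/config/network.

```shell
#!/bin/sh
# Added example (not from the thread): flag WAN interfaces that are not isolated
# from a bridge in an OpenWrt /etc/config/network file.
# Usage: check_wan_isolation /etc/config/network   (or pipe the file on stdin)
check_wan_isolation() {
    awk -v q="'" '
    function unq(s) { gsub(q, "", s); gsub(/"/, "", s); return s }
    $1 == "config" { n++; kind[n] = $2; sec[n] = unq($3); next }
    $1 == "option" && $2 == "name"   { devname[n] = unq($3) }
    $1 == "option" && $2 == "type"   { devtype[n] = unq($3) }
    $1 == "option" && $2 == "device" { ifdev[n] = unq($3) }
    $1 == "list"   && $2 == "ports"  { ports[n] = ports[n] " " unq($3) }
    END {
        # Pass 1: record every bridge device and the ports enslaved to it.
        for (i = 1; i <= n; i++) {
            if (kind[i] != "device" || devtype[i] != "bridge") continue
            bridge[devname[i]] = 1
            m = split(ports[i], p, " ")
            for (k = 1; k <= m; k++) member[p[k]] = devname[i]
        }
        # Pass 2: a wan/wan6 interface must use a device that is neither a
        # bridge (or a VLAN of one, e.g. br-lan.2) nor a port of a bridge.
        for (i = 1; i <= n; i++) {
            if (kind[i] != "interface" || sec[i] !~ /^wan/) continue
            d = ifdev[i]; base = d; sub(/\.[0-9]+$/, "", base)
            if (base in bridge) { print sec[i] ": device " d " sits on bridge " base; bad = 1 }
            else if (d in member) { print sec[i] ": device " d " is a port of " member[d]; bad = 1 }
        }
        exit bad + 0
    }' "${1:--}"
}

# Constructed sample: same shape as the default layout in the thread (WAN on eth1).
sample_default() { cat <<'EOF'
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan4'
config interface 'wan'
    option device 'eth1'
    option proto 'static'
EOF
}

# Constructed sample: WAN moved onto a VLAN of the LAN bridge.
sample_bridged() { sample_default | sed "s/option device 'eth1'/option device 'br-lan.2'/"; }
```

The function prints one line per finding and returns non-zero if any WAN interface fails the check.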