I kindly request assistance with a networking issue I am currently facing. My objective is to have my modem set to DHCP mode due to the exceptional performance of the Wi-Fi connection. However, upon implementing this configuration, I have encountered an unexpected outcome. The modem appears to disregard the presence of the router entirely, resulting in non-functional packages, ineffective firewall rules, and other related issues. Essentially, it behaves akin to a switch.
In an attempt to resolve this matter, I proceeded to access my ISP modem/router and designated my OpenWrt device as the DMZ. I have included an image below illustrating my current configuration:
I have also experimented with replacing the default gateway IP address (.1.1) with the IP address provided by OpenWrt for the modem, yet the issue persists.
I would greatly appreciate any assistance or guidance that can be provided to help resolve this predicament.
Does your ISP router support static routes? That is required if you want to turn off NAT masquerading on your OpenWrt router.
Beyond that, if the ISP router's wifi will be used, it is important to stress that any devices connected to that wifi network will not be subject to any firewall rules and routing that you set on the OpenWrt router, since the ISP router is in front of the OpenWrt router.
I think it does. This modem has so many hidden options it's unbelievable.
But it won't let me remove the entry you see there.
How to proceed?
That's fine. You need to add a route, not remove one.
Let's see your OpenWrt config, and we also need to know the IP address of the OpenWrt router on your ISP router's lan.
Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ifconfig
cat /etc/config/network
cat /etc/config/firewall
@OpenWrt:~# ifconfig
br-lan Link encap:Ethernet HWaddr 9C:9D:7E:8E:DF:2F
inet addr:192.168.10.11 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::9e9d:7eff:fe8e:df2f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4623 errors:0 dropped:34 overruns:0 frame:0
TX packets:1725 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:571345 (557.9 KiB) TX bytes:624578 (609.9 KiB)
eth0 Link encap:Ethernet HWaddr 9C:9D:7E:8E:DF:2F
inet6 addr: fe80::9e9d:7eff:fe8e:df2f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1504 Metric:1
RX packets:4913 errors:0 dropped:0 overruns:0 frame:0
TX packets:2162 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:727470 (710.4 KiB) TX bytes:694304 (678.0 KiB)
Interrupt:21
lan1 Link encap:Ethernet HWaddr 9C:9D:7E:8E:DF:2F
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2335 errors:0 dropped:2 overruns:0 frame:0
TX packets:1565 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:249950 (244.0 KiB) TX bytes:611898 (597.5 KiB)
lan2 Link encap:Ethernet HWaddr 9C:9D:7E:8E:DF:2F
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2578 errors:0 dropped:0 overruns:0 frame:0
TX packets:499 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:389086 (379.9 KiB) TX bytes:51285 (50.0 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
wan Link encap:Ethernet HWaddr 9C:9D:7E:8E:DF:30
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
wlan1 Link encap:Ethernet HWaddr 9C:9D:7E:8E:DF:32
inet6 addr: fe80::9e9d:7eff:fe8e:df32/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:321 errors:0 dropped:0 overruns:0 frame:0
TX packets:2942 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:37017 (36.1 KiB) TX bytes:514221 (502.1 KiB)
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.10.11'
option gateway '192.168.10.1'
list dns '1.1.1.1'
option defaultroute '0'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config route
option interface 'wan'
option target '192.168.10.11/24'
option mtu '1500'
option onlink '1'
option gateway '192.168.1.1'
option metric '0'
config route
option interface 'wan'
option target '192.168.10.11/24'
option gateway '192.168.10.1'
config route
option interface 'wan'
option target '192.168.10.11/24'
option gateway '192.168.10.10'
option mtu '1500'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option drop_invalid '1'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
option input 'REJECT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
list network 'wan'
option masq '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'access'
option src 'lan'
list src_ip '192.168.10.169'
list dest_ip '192.168.10.11'
option target 'ACCEPT'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name '8080'
option src 'lan'
option target 'REJECT'
option src_port '8080'
config redirect 'adblock_lan53'
option name 'Adblock DNS (lan, 53)'
option src 'lan'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
option family 'any'
config redirect 'adblock_lan853'
option name 'Adblock DNS (lan, 853)'
option src 'lan'
option proto 'tcp udp'
option src_dport '853'
option dest_port '853'
option target 'DNAT'
option family 'any'
config redirect 'adblock_lan5353'
option name 'Adblock DNS (lan, 5353)'
option src 'lan'
option proto 'tcp udp'
option src_dport '5353'
option dest_port '5353'
option target 'DNAT'
option family 'any'
config redirect 'dns_int'
option name 'Intercept-DNS'
option src 'lan'
option src_dport '53'
option proto 'tcp udp'
option target 'DNAT'
config rule 'luci'
option name 'luci'
option src 'lan'
option dest_port '80 443'
option proto 'tcp'
option target 'ACCEPT'
config rule 'ssh'
option name 'ssh'
option src 'lan'
option proto 'tcp'
option target 'ACCEPT'
option dest_port '22229'
config rule 'dhcp'
option name 'dhcp'
option src 'lan'
option dest_port '67'
option family 'ipv4'
option proto 'udp'
option target 'ACCEPT'
config rule 'dhcp6'
option name 'dhcp6'
option src 'lan'
option dest_port '547'
option family 'ipv6'
option proto 'udp'
option target 'ACCEPT'
config rule
config rule
config rule
option name 'block'
option src 'lan'
option src_port '1-65535'
option dest 'wan'
option dest_port '1-65535'
option target 'DROP'
That last rule was added to check if indeed firewall was getting bypassed.
Also, luckily the modem let me add this. Does it help or should I remove it?
LEDEuser:
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.10.11'
option gateway '192.168.10.1'
list dns '1.1.1.1'
option defaultroute '0'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config route
option interface 'wan'
option target '192.168.10.11/24'
option mtu '1500'
option onlink '1'
option gateway '192.168.1.1'
option metric '0'
This won't work...
Where is 192.168.10.1?
Also, it doesn't appear that the wan is connected to anything at this point? How is the upstream network connected and what address are you expecting on the OpenWrt wan?
Good that you can add a static route. But this is very likely wrong, so remove it. We'll add it when it is relevant.
option gateway '192.168.10.1'
WAN port is disconnected. Since it's DHCP it goes through LAN.
What do you mean? Is the upstream router connected to the openwrt lan port?
I always thought that's how it worked. Is that not the case I guess?
Well, if your OpenWrt's lan is connected to the lan of the upstream router, you aren't doing any routing at all.
What exactly are you trying to do?
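An added example, not part of any post in this thread: a Python check, meant to be run on a workstation against a pasted /etc/config/network, that flags the LAN-to-LAN wiring diagnosed above, in which firewall rules between the lan and wan zones never match. The function names, the finding codes and the `wan_has_ipv4` flag (set from whether `ifconfig` shows an address on wan) are assumptions of this example.

```python
import ipaddress

# Constructed sample, trimmed from the /etc/config/network posted in this thread.
SAMPLE = """
config interface 'lan'
    option proto 'static'
    option netmask '255.255.255.0'
    option ipaddr '192.168.10.11'
    option gateway '192.168.10.1'
config interface 'wan'
    option device 'wan'
    option proto 'dhcp'
config route
    option interface 'wan'
    option target '192.168.10.11/24'
    option gateway '192.168.1.1'
"""

def parse_uci(text):
    """Parse UCI text into [(section_type, section_name, {option: value})]."""
    sections = []
    for line in text.splitlines():
        parts = line.strip().replace("'", "").replace('"', "").split(None, 2)
        if len(parts) >= 2 and parts[0] == "config":
            sections.append((parts[1], parts[2] if len(parts) > 2 else "", {}))
        elif len(parts) == 3 and parts[0] == "option" and sections:
            sections[-1][2][parts[1]] = parts[2]
    return sections

def audit(text, wan_has_ipv4):
    """Return finding codes that suggest LAN clients bypass the firewall."""
    findings, sections = [], parse_uci(text)
    lan = next((o for t, n, o in sections if (t, n) == ("interface", "lan")), {})
    lan_net = None
    if "ipaddr" in lan and "netmask" in lan:
        lan_net = ipaddress.ip_network(f"{lan['ipaddr']}/{lan['netmask']}", strict=False)
    # A gateway on lan inside its own subnet means the uplink is plugged into a LAN port.
    if lan_net and "gateway" in lan and ipaddress.ip_address(lan["gateway"]) in lan_net:
        findings.append("lan-is-uplink")
    # No address on wan: no traffic crosses from the lan zone to the wan zone.
    if not wan_has_ipv4:
        findings.append("wan-unused")
    # A static route for the router's own LAN subnet, bound to another interface.
    for t, _, o in sections:
        if t == "route" and lan_net and o.get("interface") != "lan" and "target" in o:
            if ipaddress.ip_network(o["target"], strict=False).overlaps(lan_net):
                findings.append("route-shadows-lan")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, wan_has_ipv4=False))
```

An empty result is what a default-style layout gives: lan without a gateway option, wan holding a DHCP lease from the ISP router.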
I want two separate networks. One for guests (the modem router from the ISP) and then an OpenWrt network for me.
Reset your OpenWrt router to defaults.... you will not need many (if any) changes relative to the default state.
Then, connect your OpenWrt router's wan port to the lan of your ISP router. For a basic network, you won't even need to add static routes. If you want to avoid double NAT, we will add static routes, but we'll do that after things are generally working to start.
Ooof I feel like an idiot.
Anyways, connected the cable to WAN and everything's up and running but the problem is still there: no adblock or firewall.
What do I do?
Like I said before, you should reset to defaults. That is the fastest way to get back to a known good state -- with a firewall pre-defined that should meet your needs.
Adblock can be added after everything else is working.
Yes I did a factory reset, I forgot to mention that.
And I spoke too soon, adblock works but it takes forever. I think there was a pkg that allowed adblock to load faster but can't remember the name.
The weirdest part is that adblock didn't work up until last week when I had PPPoE either.
Anyways, thanks! If I have more problems I will bump this thread (hopefully not)
Glad things are working now.
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!