[Solved] Internet access ok from wifi on lan network, not from ethernet

Hi there,

Most likely a silly noob problem asked 1000 times, sorry for that but I didn't find an answer.

On a freshly flashed router (Belkin 3200) with just the configuration of a wifi:

  • the router can access the internet (ssh'ing then ping openwrt.org etc. work),
  • I can access the router and the internet through the wifi,
  • I can access the router when connected via ethernet,
  • my problem: I can not access the internet when connected via ethernet.

What I don't understand is that the wifi is associated to the 'lan' network, so the firewall rules should apply to wifi and ethernet the same way, right?

Here's my configuration:

# uci export network
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd45:de37:fac5::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

# uci export wireless
package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'some_ssid'
	option encryption 'psk2'
	option key 'some_key_here'

# uci export firewall
package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

Any help appreciated, thank you!!

What is the ip address info you are getting on your Ethernet connected computer(s)? Ip, subnet mask, router/gateway, dns?

On the same laptop, when wifi and cable are connected (wlp0s20f3 is my wifi interface, enp0s20f0u4 my ethernet interface):

$ ip a | grep 192      
    inet 192.168.1.152/24 brd 192.168.1.255 scope global dynamic noprefixroute wlp0s20f3
    inet 192.168.1.254/24 brd 192.168.1.255 scope global noprefixroute enp0s20f0u4
$ ip route
default via 192.168.1.1 dev wlp0s20f3 proto dhcp src 192.168.1.152 metric 3003 
192.168.1.0/24 dev enp0s20f0u4 proto kernel scope link src 192.168.1.254 metric 100 
192.168.1.0/24 dev wlp0s20f3 proto dhcp scope link src 192.168.1.152 metric 3003 
$ cat /etc/resolv.conf 
# Generated by resolvconf
domain lan
nameserver 1.1.1.1
nameserver 8.8.8.8
nameserver 192.168.1.1
nameserver fd45:de37:fac5::1
options edns0

As you pointed out, there is no reason that wired should be any different than wireless.

Try rebooting both the computer and the router. And make sure your wired connection is direct to the router (no intermediate switches).

Update, it works now!

The mistake was on my side: I had configured the wired connection on this laptop by hand (and a while ago). Removing this config and getting an IP via DHCP now, I get internet via ethernet.

That explains why the connection was not showing up among the DHCP leases before...

ip route now looks different:

$ ip route
default via 192.168.1.1 dev enp0s20f0u4 proto dhcp src 192.168.1.202 metric 100 
default via 192.168.1.1 dev wlp0s20f3 proto dhcp src 192.168.1.152 metric 3003 
192.168.1.0/24 dev enp0s20f0u4 proto kernel scope link src 192.168.1.202 metric 100 
192.168.1.0/24 dev wlp0s20f3 proto dhcp scope link src 192.168.1.152 metric 3003 

Thanks for your help!
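
The diagnosis reached above, as an added example that is not part of the original posts: it reads `ip route` output and reports interfaces that have an on-link subnet route but no default route (the state of the hand-configured ethernet port), and which interface wins the default route by metric. The function names are hypothetical; the two routing tables are the ones quoted in this thread.

```shell
#!/bin/sh
# Added example, not from the thread. Both functions read `ip route` text on stdin.

# Print interfaces that own a subnet route but have no default route.
ifaces_without_default() {
    awk '
        {
            dev = ""
            for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev == "") next
            if ($1 == "default") has_default[dev] = 1
            else linked[dev] = 1
        }
        END { for (d in linked) if (!(d in has_default)) print d }
    ' | sort
}

# Print the interface of the default route with the lowest metric.
preferred_default_dev() {
    awk '$1 == "default" {
        dev = ""; metric = 0
        for (i = 1; i < NF; i++) {
            if ($i == "dev") dev = $(i + 1)
            if ($i == "metric") metric = $(i + 1) + 0
        }
        if (best == "" || metric < best_metric) { best = dev; best_metric = metric }
    } END { if (best != "") print best }'
}

# Routing table before the fix (static address set by hand on ethernet).
ROUTES_BEFORE='default via 192.168.1.1 dev wlp0s20f3 proto dhcp src 192.168.1.152 metric 3003
192.168.1.0/24 dev enp0s20f0u4 proto kernel scope link src 192.168.1.254 metric 100
192.168.1.0/24 dev wlp0s20f3 proto dhcp scope link src 192.168.1.152 metric 3003'

# Routing table after switching the ethernet port to DHCP.
ROUTES_AFTER='default via 192.168.1.1 dev enp0s20f0u4 proto dhcp src 192.168.1.202 metric 100
default via 192.168.1.1 dev wlp0s20f3 proto dhcp src 192.168.1.152 metric 3003
192.168.1.0/24 dev enp0s20f0u4 proto kernel scope link src 192.168.1.202 metric 100
192.168.1.0/24 dev wlp0s20f3 proto dhcp scope link src 192.168.1.152 metric 3003'

missing_default() { printf '%s\n' "$1" | ifaces_without_default; }
default_dev()     { printf '%s\n' "$1" | preferred_default_dev; }

echo "before: no default on [$(missing_default "$ROUTES_BEFORE")], default via $(default_dev "$ROUTES_BEFORE")"
echo "after:  no default on [$(missing_default "$ROUTES_AFTER")], default via $(default_dev "$ROUTES_AFTER")"
```

On a live machine, pipe the real table in with `ip route | ifaces_without_default`.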

Yup... that will do it! I actually should have asked you to verify that earlier. But glad you caught it.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.


Done! Many thanks!
