[Solved] No internet access for clients though router does have

Hi guys,

Clients connected to OpenWrt are not able to access the internet or to 'ping' IP addresses like 8.8.8.8. By contrast, OpenWrt itself has connectivity to the internet ('ping', 'wget', installation of packages, everything works).

The OpenWrt router is a FB7530 and has no dedicated WAN port like many other supported devices. So a LAN port must be used as the WAN port (in my case LAN 4). I set up VLANs as follows:

/etc/config/network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdce:e2b5:efbf::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ifname 'eth0.2 eth0.4 eth0.5'
	option ipaddr '192.168.123.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '1 0t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '4 0t'

config interface 'WAN'
	option ifname 'eth0.3'
	option proto 'dhcp'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '4'
	option ports '3 0t'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option ports '2 0t'
	option vid '5'

The VLAN structure is a bit special; otherwise no client got an IP from the OpenWrt router (static IP 192.168.123.1; 255.255.255.0). So each LAN port is provided with its own VLAN, all together summarized in one LAN interface.

In front of the OpenWrt router there is another router as gateway (192.168.150.1; 255.255.255.0). OpenWrt is not intended to be a dumb router, i.e. a router device. OpenWrt's WAN port (eth0.3) is configured as a DHCP client. Output of 'ip a':

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether dc:39:6f:5f:f5:81 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::de39:6fff:fe5f:f581/64 scope link 
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether dc:39:6f:5f:f5:81 brd ff:ff:ff:ff:ff:ff
    inet 192.168.123.1/24 brd 192.168.123.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fe80::de39:6fff:fe5f:f581/64 scope link 
       valid_lft forever preferred_lft forever
6: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether dc:39:6f:5f:f5:81 brd ff:ff:ff:ff:ff:ff
7: eth0.4@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether dc:39:6f:5f:f5:81 brd ff:ff:ff:ff:ff:ff
8: eth0.5@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether dc:39:6f:5f:f5:81 brd ff:ff:ff:ff:ff:ff
9: eth0.3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether dc:39:6f:5f:f5:81 brd ff:ff:ff:ff:ff:ff
    inet 192.168.150.10/24 brd 192.168.150.255 scope global eth0.3
       valid_lft forever preferred_lft forever
    inet6 fe80::de39:6fff:fe5f:f581/64 scope link 
       valid_lft forever preferred_lft forever
10: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether dc:39:6f:5f:f5:83 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::de39:6fff:fe5f:f583/64 scope link 
       valid_lft forever preferred_lft forever
11: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether dc:39:6f:5f:f5:84 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::de39:6fff:fe5f:f584/64 scope link 
       valid_lft forever preferred_lft forever


For test purposes the firewall is disabled (LuCI, System, Startup). So I can access OpenWrt from the uplink router's network (LuCI and ssh). By the way, IP routing is not configured in the uplink router (--> double NAT).

Any ideas what the problem is about?

Does it have a static route to 192.168.123.0/24 via 192.168.150.10?
Does it masquerade it properly?
It would be better to re-enable the firewall on OpenWrt and masquerade out of the wan zone.


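The masquerading check suggested in the reply above, as an added example that is not part of the original thread: a POSIX shell function that reads an OpenWrt firewall config and reports whether the zone covering a given interface has `masq` enabled. The sample config is constructed, `check_masq` is a hypothetical helper name, and the interface name `WAN` is the one from the network config posted above.

```shell
#!/bin/sh
# Added example, not from the thread. check_masq is a hypothetical helper.
# usage: check_masq FIREWALL_CONFIG INTERFACE
# Prints "<zone> masq=<0|1>" for each zone covering INTERFACE (exact match).
# Exit status: 0 = masq on, 1 = zone found but masq off, 2 = no zone covers it.
check_masq() {
    tr -d "\"'" < "$1" | awk -v net="$2" '
        function emit() {
            if (zone_open && covers) {
                printf "%s masq=%s\n", name, masq
                found = 1; rc = (masq == "1") ? 0 : 1
            }
        }
        $1 == "config" {
            emit(); zone_open = ($2 == "zone")
            name = ""; masq = "0"; covers = 0; next
        }
        !zone_open || ($1 != "option" && $1 != "list") { next }
        $2 == "name" { name = $3 }
        $2 == "masq" { masq = ($3 ~ /^(1|on|true|yes|enabled)$/) ? "1" : "0" }
        $2 == "network" { for (i = 3; i <= NF; i++) if ($i == net) covers = 1 }
        END { emit(); exit (found ? rc : 2) }
    '
}

# Constructed sample config; 'WAN' is the interface name from the network config above.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/masq_on" <<'EOF'
config zone
	option name 'lan'
	list network 'lan'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'WAN'
	option forward 'REJECT'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'
EOF
sed "s/option masq '1'/option masq '0'/" "$SAMPLES/masq_on" > "$SAMPLES/masq_off"

for f in masq_on masq_off; do
    check_masq "$SAMPLES/$f" WAN || echo "$f: traffic leaving WAN is not masqueraded"
done
check_masq "$SAMPLES/masq_on" wan || echo "no zone covers 'wan' (names are compared exactly)"
```

On the router itself the file to check would be /etc/config/firewall; a zone file only takes effect while the firewall service is running.
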
Brilliant! This is the solution!!! Thank you very much!!! :+1:

I turned off the firewall not knowing that masquerade is disabled, too.

Am I right: If a static route to 192.168.123.0/24 via 192.168.150.10 is configured in the uplink router, masquerading in OpenWrt has to be disabled? Then, if the firewall is disabled, OpenWrt's clients are able to access the internet nonetheless?

That could work provided the ISP router masquerades subnets not belonging to its lan interface.

I don't think so. Thanks again!

Internet
|
--+ Fritzbox 7590 = Internet-Gateway incl. Telephone; 192.168.150.0/24, connected with
  | -- Clients on LAN and Wifi (explicitly *not* covered by OpenWrt)
  |
  |--+ Fritzbox 7530 (fix assigned IP 192.168.150.10, wired connection)
     |  with OpenWrt --> separate subnet (192.168.123.0/24)
     |
     | -- Clients connected via LAN and Wifi.

Well, it is trial and error.

I will try. For now I am happy with OpenWrt running like a charm!!!
