[SOLVED] Router connecting to WAN but no internet to devices

Hi people,

A couple of weeks ago I bought a Flint 2 GL MT-6000 router to use at home.
M-net (so, Germany) is my provider and I have a fiber connection with PPPoE and DS-Lite.
After quite some struggle I managed to configure the WAN interface and bring the connection up. I can ping, nslookup and traceroute from both the web interface and the console, but there is no internet connection for anything that connects to the router, wired or wireless.
I suspect the firewall configuration, but I need some help.
Network config:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd74:b240:00df::/48'
        option dhcp_default_duid '00044e887a690a9f4399a00765164e910f9f'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        option macaddr '94:83:c4:d1:63:01'

config device
        option name 'lan1'
        option macaddr '94:83:c4:d1:63:01'

config device
        option name 'lan2'
        option macaddr '94:83:c4:d1:63:01'

config device
        option name 'lan3'
        option macaddr '94:83:c4:d1:63:01'

config device
        option name 'lan4'
        option macaddr '94:83:c4:d1:63:01'

config device
        option name 'lan5'
        option macaddr '94:83:c4:d1:63:01'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'
        option isolate '0'
        option ip6hint '0000'
        option ip6ifaceid '::1'
        option ip6assign '64'
        option multipath 'off'
        list ip6class 'wan_6'

config device
        option macaddr '94:83:c4:d1:62:ff'
        option name 'eth1.40'

# WAN uplink: a PPPoE session on device 'eth1.40' (by its name a VLAN 40
# sub-interface of eth1 — confirm against the provider's requirements).
# The username local part and the password appear as 'xxx', i.e. they look
# redacted for posting; real PPPoE credentials should stay out of public dumps.
# 'ipv6 auto' asks the PPPoE handler to bring up IPv6 on the same session.
config interface 'wan'
        option proto 'pppoe'
        option device 'eth1.40'
        option username 'xxx@mdsl.mnet-online.de'
        option password 'xxx'
        option ipv6 'auto'
        option peerdns '1'
        option norelease '1'
        option mtu '1492'
        option multipath 'off'

config interface 'guest'
        option force_link '1'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        option multicast_querier '1'
        option igmp_snooping '0'
        option isolate '0'
        option bridge_empty '1'
        option disabled '1'
        option ip6prefix 'fd74:b240:00df::/48'
        option ip6assign '64'
        option ip6hint '0001'
        option ip6ifaceid '::1'
        option ip6class 'guest'
        option device 'br-guest'

config rule 'policy_relay_lo_rt_lan'
        option lookup '16800'
        option in 'loopback'
        option priority '1'

config interface 'tethering6'
        option device '@tethering'
        option proto 'dhcpv6'
        option disabled '0'

config interface 'wwan'
        option proto 'dhcpv6'
        option classlessroute '0'
        option reqaddress 'try'
        option reqprefix 'auto'
        option norelease '1'
        option multipath 'off'

config interface 'secondwan'
        option ipv6 '0'
        option proto 'dhcp'
        option metric '15'
        option force_link '0'
        option classlessroute '0'

config interface 'secondwan6'
        option proto 'dhcpv6'
        option device '@secondwan'
        option disabled '1'

# IPv4 policy-routing rules tagged 'gl_vpn_rules' (a vendor-firmware option, not
# one netifd itself defines). Together they form a fail-closed "VPN kill switch":
# only packets carrying a firewall mark in the 0xf000 bits reach table 'main'
# before the blackhole rules below.
# NOTE(review): nothing visible on this page sets those marks. If no marking
# script is running, forwarded LAN packets have mark 0, skip both 'lookup main'
# rules and hit the priority-9920 blackhole — which would match the symptom
# "router itself can ping, clients cannot". Verify with `ip rule show`.

# Packets marked 0x8000 (masked 0xf000) are routed via table 'main'.
config rule 'novpn_to_main'
        option gl_vpn_rules '1'
        option mark '0x8000/0xf000'
        option priority '6000'
        option lookup 'main'
        option disabled '0'

# Inverted match: packets whose masked mark is NOT 0x0 are routed via 'main'.
config rule 'vpn_to_main'
        option gl_vpn_rules '1'
        option mark '0x0/0xf000'
        option priority '9000'
        option lookup 'main'
        option invert '1'
        option disabled '0'

# Inverted match: any packet with a non-zero masked mark that was not routed
# by the rules above is discarded (blackhole).
config rule 'vpn_leak_block'
        option gl_vpn_rules '1'
        option mark '0x0/0xf000'
        option priority '9910'
        option action 'blackhole'
        option invert '1'
        option disabled '0'

# Everything arriving on interface 'lan' that reaches this priority is
# discarded. There is no mark condition here, so unmarked LAN traffic is
# dropped before the kernel's default 'main' lookup is ever consulted.
config rule 'vpn_block_lan_leak'
        option gl_vpn_rules '1'
        option in 'lan'
        option priority '9920'
        option action 'blackhole'
        option disabled '0'

config rule 'vpn_block_guest_leak'
        option gl_vpn_rules '1'
        option in 'guest'
        option priority '9920'
        option action 'blackhole'
        option disabled '0'

config rule 'vpn_block_wgserver_leak'
        option gl_vpn_rules '1'
        option in 'wgserver'
        option priority '9920'
        option action 'blackhole'
        option disabled '0'

config rule 'vpn_block_ovpnserver_leak'
        option gl_vpn_rules '1'
        option in 'ovpnserver'
        option priority '9920'
        option action 'blackhole'
        option disabled '0'

# IPv6 counterparts of the mark-based policy rules: same marks, priorities and
# actions as the IPv4 'config rule' sections, declared as 'rule6'.
# NOTE(review): as with IPv4, these only pass traffic that something has marked
# in the 0xf000 bits; no marking mechanism is visible on this page. Check with
# `ip -6 rule show`.

# Packets marked 0x8000 (masked 0xf000) are routed via table 'main'.
config rule6 'novpn_to_main_6'
        option gl_vpn_rules '1'
        option mark '0x8000/0xf000'
        option priority '6000'
        option lookup 'main'
        option disabled '0'

# Inverted match: packets whose masked mark is NOT 0x0 are routed via 'main'.
config rule6 'vpn_to_main_6'
        option gl_vpn_rules '1'
        option mark '0x0/0xf000'
        option priority '9000'
        option lookup 'main'
        option invert '1'
        option disabled '0'

# Inverted match: remaining packets with a non-zero masked mark are discarded.
config rule6 'vpn_leak_block_6'
        option gl_vpn_rules '1'
        option mark '0x0/0xf000'
        option priority '9910'
        option action 'blackhole'
        option invert '1'
        option disabled '0'

# All IPv6 traffic arriving on 'lan' that reaches this priority is discarded;
# there is no mark condition on this rule.
config rule6 'vpn_block_lan_leak_6'
        option gl_vpn_rules '1'
        option in 'lan'
        option priority '9920'
        option action 'blackhole'
        option disabled '0'

config rule6 'vpn_block_guest_leak_6'
        option gl_vpn_rules '1'
        option in 'guest'
        option priority '9920'
        option action 'blackhole'
        option disabled '0'

config rule6 'vpn_block_wgserver_leak_6'
        option gl_vpn_rules '1'
        option in 'wgserver'
        option priority '9920'
        option action 'blackhole'
        option disabled '0'

config rule6 'vpn_block_ovpnserver_leak_6'
        option gl_vpn_rules '1'
        option in 'ovpnserver'
        option priority '9920'
        option action 'blackhole'
        option disabled '0'

config rule 'main_static_net'
        option gl_vpn_rules '1'
        option suppress_prefixlength '0'
        option priority '800'
        option lookup '9910'
        option disabled '0'

config rule6 'main_static_net_6'
        option gl_vpn_rules '1'
        option suppress_prefixlength '0'
        option priority '800'
        option lookup '9910'
        option disabled '0'

config device
        option name 'br-guest'
        option type 'bridge'

config interface 'wan4'
        option proto 'dslite'
        option peeraddr '2001:a60:0:7::ffff'
        option encaplimit 'ignore'
        option multipath 'off'
        option mtu '1460'

Firewall config:

# Global fallback policies, used for traffic that no zone claims.
# 'input ACCEPT' means packets addressed to the router from an interface that
# is not a member of any zone are accepted. In this dump 'secondwan',
# 'secondwan6' and 'tethering6' exist in the network config but are listed in
# no firewall zone.
# NOTE(review): consider 'REJECT' for input so an unzoned uplink fails closed —
# confirm none of those interfaces can come up before relying on this.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config rule 'wan_drop_leaked_adgdns'
        option name 'wan_drop_leaked_adgdns'
        option src 'wan'
        option proto 'udp'
        option dest_port '3053'
        option mark '0x0/0xf000'
        option target 'DROP'
        option enabled '0'

config rule 'wan_drop_leaked_dns'
        option name 'wan_drop_leaked_dns'
        option src 'wan'
        option proto 'udp'
        option dest_port '53'
        option mark '!0x8000/0xf000'
        option target 'DROP'
        option enabled '0'

config rule 'guest_drop_leaked_dns'
        option name 'guest_drop_leaked_dns'
        option src 'guest'
        option proto 'udp'
        option dest_port '53'
        option mark '!0x8000/0xf000'
        option target 'DROP'
        option enabled '0'

config rule 'guest_drop_leak_adgdns'
        option name 'guest_drop_leak_adgdns'
        option src 'guest'
        option proto 'udp'
        option dest_port '3053'
        option mark '0x0/0xf000'
        option target 'DROP'
        option enabled '0'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# WAN zone: rejects unsolicited input and forwarding from the upstream side.
# Members are the PPPoE interface 'wan', 'wan_6' (not defined in the network
# config shown; presumably the dynamic IPv6 interface created by 'ipv6 auto'),
# the DS-Lite tunnel 'wan4' and 'wwan'.
# 'masq 0' turns IPv4 masquerading off for the whole zone, while 'masq6 1'
# enables IPv6 NAT. NOTE(review): with DS-Lite the provider normally performs
# the IPv4 NAT, so 'masq 0' may be intentional; NAT66 is unusual when a
# delegated prefix is available — confirm both against the provider setup.
config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '0'
        option mtu_fix '1'
        option input 'REJECT'
        option masq6 '1'
        list network 'wan'
        list network 'wan_6'
        list network 'wan4'
        list network 'wwan'

config forwarding
        option src 'lan'
        option dest 'wan'
        option enabled '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forward rule (src 'wan', dest 'lan'): lets inbound ESP from the WAN reach any
# host in the LAN zone. No destination address is given, so it is not limited
# to one IPsec endpoint. Only needed when a LAN host terminates IPsec.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

# Forward rule: lets inbound UDP/500 (IKE) from the WAN reach any LAN host.
# Same scope caveat as the ESP rule above; disable both if no LAN host runs
# an IPsec endpoint.
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config zone
        option name 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'
        list network 'guest'

# Forwarding from zone 'lan' to 'wan4'. 'src' and 'dest' name firewall zones,
# but the only zones defined in this file are 'lan', 'wan' and 'guest';
# 'wan4' is a network that is already a member of zone 'wan'.
# NOTE(review): this section therefore has no zone to bind to and likely does
# nothing (or produces a warning on reload). The existing lan -> wan forwarding
# already covers the DS-Lite tunnel.
config forwarding
        option src 'lan'
        option dest 'wan4'
        option enabled '1'

config rule
        option name 'Allow-DHCP'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule
        option name 'Allow-DNS'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'

config include 'nat6'
        option path '/etc/firewall.nat6'
        option reload '1'

config include 'dns_order'
        option type 'script'
        option path '/etc/firewall.dns_order'
        option reload '1'
        option enabled '1'

# Script includes: shell scripts the firewall runs when it starts (and on
# reload where 'reload' is '1'). They execute as part of the firewall service,
# so each path should exist, be root-owned and not writable by anyone else.
# NOTE(review): the page does not show whether these files are present on the
# installed system. firewall4 is also known to ignore 'script' includes that
# are not marked fw4-compatible — check the output of `fw4 check` / the
# system log for skipped sections.
config include 'vpnclient'
        option type 'script'
        option path '/usr/bin/rtp2.sh'
        option reload '0'

config include 'dmz_exclude'
        option type 'script'
        option path '/etc/firewall.dmz.exclude'
        option reload '1'

config include 'security'
        option type 'script'
        option path '/etc/firewall.security'
        option reload '0'

# Input rule (src 'lan', no dest): drops UDP/53 packets sent from LAN clients
# to the router unless their firewall mark is 0x8000 under mask 0xf000
# ('!' negates the mark match). Enabled.
# NOTE(review): nothing visible on this page sets that mark. If no marking
# script is active, ordinary LAN DNS queries to the router over UDP are
# dropped, which on its own would look like "no internet" to clients.
config rule 'lan_drop_leaked_dns'
        option name 'lan_drop_leaked_dns'
        option src 'lan'
        option proto 'udp'
        option dest_port '53'
        option mark '!0x8000/0xf000'
        option target 'DROP'
        option enabled '1'

# Input rule: drops UDP/3053 from LAN clients when the masked mark is 0x0,
# i.e. when the packet is unmarked. Enabled. The rule name suggests port 3053
# belongs to an ad-blocking DNS service — not confirmed by anything shown here.
config rule 'lan_drop_leak_adgdns'
        option name 'lan_drop_leak_adgdns'
        option src 'lan'
        option proto 'udp'
        option dest_port '3053'
        option mark '0x0/0xf000'
        option target 'DROP'
        option enabled '1'

# Mark-based DNS drop rules for source zones 'wgserver' and 'ovpnserver'.
# Neither zone is defined in this firewall config (only 'lan', 'wan' and
# 'guest' are), and no matching interfaces appear in the network config.
# NOTE(review): rules that reference a missing zone are expected to be skipped
# or flagged on reload; they are leftovers to remove rather than active
# protection. Confirm with the firewall's reload output.

# Drop UDP/53 from 'wgserver' unless the masked mark is 0x8000.
config rule 'wgserver_drop_leaked_dns'
        option name 'wgserver_drop_leaked_dns'
        option src 'wgserver'
        option proto 'udp'
        option dest_port '53'
        option mark '!0x8000/0xf000'
        option target 'DROP'
        option enabled '1'

# Drop UDP/53 from 'ovpnserver' unless the masked mark is 0x8000.
config rule 'ovpnserver_drop_leaked_dns'
        option name 'ovpnserver_drop_leaked_dns'
        option src 'ovpnserver'
        option proto 'udp'
        option dest_port '53'
        option mark '!0x8000/0xf000'
        option target 'DROP'
        option enabled '1'

# Drop unmarked (masked mark 0x0) UDP/3053 from 'wgserver'.
config rule 'wgserver_drop_leaked_adgdns'
        option name 'wgserver_drop_leaked_adgdns'
        option src 'wgserver'
        option proto 'udp'
        option dest_port '3053'
        option mark '0x0/0xf000'
        option target 'DROP'
        option enabled '1'

# Drop unmarked (masked mark 0x0) UDP/3053 from 'ovpnserver'.
config rule 'ovpnserver_drop_leaked_adgdns'
        option name 'ovpnserver_drop_leaked_adgdns'
        option src 'ovpnserver'
        option proto 'udp'
        option dest_port '3053'
        option mark '0x0/0xf000'
        option target 'DROP'
        option enabled '1'

config include 'ethernet_ttl'
        option type 'script'
        option reload '1'
        option path '/etc/firewall.ethernet_ttl'

config rule 'glipv6_guest_dhcp'
        option name 'Allow-DHCP-IPV6'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '546:547'
        option family 'ipv6'

# Input rule: accepts IPv6 ICMP from the 'guest' zone to the router.
# No 'icmp_type' list is given, so the match is not narrowed to specific
# ICMPv6 types the way the WAN-side ICMPv6 rules in this file are.
# NOTE(review): ICMP has no ports; 58 is the IP protocol number of ICMPv6, so
# 'dest_port 58' looks like a mix-up. Confirm how the firewall renders this
# rule and consider replacing it with an explicit icmp_type list.
config rule 'glipv6_guest_icmp'
        option name 'Allow-ICMP-IPV6'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'icmp'
        option dest_port '58'
        option family 'ipv6'

config include 'glblock'
        option type 'script'
        option path '/usr/bin/gl_block.sh'
        option reload '1'

Installed release:
OpenWrt 25.12.2, r32802-f505120278 Dave's Guitar

Any hint is appreciated!

You appear to have kept the configuration from the GL-inet pre-installed firmware, even though you upgraded to 25.12. The GL-inet settings are not compatible with official OpenWrt.

Reset your device to defaults (this erases the current configuration, so note down the PPPoE credentials and the VLAN ID first) and then you can start fresh with a known good config.

firstboot -y && reboot

(or this can also be done via LuCI)

Sheesh it was so simple! Thanks!

Great!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile: