[Solved] Unable to access internet from devices using AP connected to OpenWrt router

I'm having trouble accessing the internet from my devices using the following setup:

Modem -> Raspberry Pi 5 running OpenWrt as router (no wifi) -> Linksys Velop MX4200 running its own firmware as Bridge (with wifi). From what I can tell, the Raspberry Pi is able to connect to the internet via the modem, but the Linksys and devices connected to it can't connect to the internet. Any ideas what I might be doing wrong? Below are my configs:

root@OpenWrt:~# ubus call system board
{
	"kernel": "6.6.50",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 1",
	"model": "Raspberry Pi 5 Model B Rev 1.0",
	"board_name": "raspberrypi,5-model-b",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r27352-47370eb9ba",
		"target": "bcm27xx/bcm2712",
		"description": "OpenWrt SNAPSHOT r27352-47370eb9ba"
	}
}
root@OpenWrt:~# cat /etc/config/network

# /etc/config/network as posted. Key material was replaced with 'redacted'
# by the poster before publishing.

# Loopback: static 127.0.0.1/8 on 'lo'.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

# Bridge br-lan with a single member port, eth0.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

# LAN side: static 10.159.1.2/24 on br-lan.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.159.1.2'
	option netmask '255.255.255.0'
	# NOTE(review): ip6assign is set although ipv6 is '0' on the next line;
	# presumably IPv6 is meant to be off on lan -- confirm which is intended.
	option ip6assign '60'
	option ipv6 '0'
	list dns '1.1.1.1'

# WAN side: DHCP client bound to br-lan, the same device 'lan' uses. The
# thread identifies this as the fault: lan and wan share one port (eth0 via
# br-lan). The fix posted further down binds wan to eth1 instead.
# NOTE(review): while both interfaces sit on one device, the lan/wan zones in
# /etc/config/firewall presumably do not map to distinct physical links --
# re-check the zone behaviour after wan is moved to its own device.
config interface 'wan'
	option proto 'dhcp'
	option device 'br-lan'

# WireGuard interface: listens on port 51820, tunnel address 10.0.0.1/24.
config interface 'vpn'
	option proto 'wireguard'
	option private_key 'redacted'
	option listen_port '51820'
	list addresses '10.0.0.1/24'

# WireGuard peer for interface 'vpn' (peer sections use the type
# wireguard_<interface>), described as 'phone', allowed 10.0.0.2/32.
config wireguard_vpn 'wgclient'
	option public_key 'redacted'
	# NOTE(review): 'presuhared_key' looks like a misspelling of
	# 'preshared_key', which is also set below; presumably this line is not
	# read -- confirm and remove it so a stale secret does not linger here.
	option presuhared_key 'redacted'
	option description 'phone'
	# NOTE(review): a private_key inside a peer section is presumably the
	# peer's own key kept for exporting its config. If so, this file holds
	# both ends' secrets and should be protected accordingly -- confirm.
	option private_key 'redacted'
	list allowed_ips '10.0.0.2/32'
	option preshared_key 'redacted'
	option route_allowed_ips '1'
	option endpoint_host 'redacted'
	option endpoint_port '51820'
	option persistent_keepalive '25'

root@OpenWrt:~# cat /etc/config/wireless

# Built-in radio: 5 GHz, channel 36, VHT80. It is switched off
# (disabled '1'), which matches the "no wifi" router role described in the post.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/axi/1001100000.mmc/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
	option band '5g'
	option channel '36'
	option htmode 'VHT80'
	option disabled '1'

# AP definition on radio0, attached to the 'lan' network, SSID 'OpenWrt'.
# NOTE(review): encryption is 'none', so this would be an open network bridged
# into lan. It is inert only while radio0 stays disabled; set an encryption
# mode and key before ever enabling the radio.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

root@OpenWrt:~# cat /etc/config/dhcp

# dnsmasq instance: DNS forwarder/cache and DHCPv4 server for the router.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	# DNS-rebinding filter is on; rebind_localhost '1' exempts upstream
	# answers in 127.0.0.0/8 from that filter.
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	# localservice '1': DNS queries are answered only for hosts on local subnets.
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

# DHCPv4 pool for 'lan': starts at host offset 100, 150 addresses, 12h leases.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

# No DHCP service is offered on 'wan' (ignore '1').
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# odhcpd is not the main DHCPv4 server here (maindhcp '0').
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

# Global policy: reject inbound and forwarded traffic unless a zone or rule
# allows it; allow outbound; SYN-flood protection on.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Trusted zone: accepts input, output and forward. It covers both the 'lan'
# and 'vpn' networks, so WireGuard peers get the same access to the router
# and to each other as wired LAN hosts.
config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn'
	# NOTE(review): masquerading is enabled on the lan zone as well as on wan.
	# The stock OpenWrt config sets masq only on wan; here it would hide source
	# addresses of traffic leaving via lan/vpn, which also hampers logging --
	# presumably unintended, confirm.
	option masq '1'

# Untrusted zone: inbound and forwarded traffic rejected by default, NAT
# (masq) and MSS clamping (mtu_fix) applied, covers the 'wan' network.
config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

# Exceptions to the wan zone's default REJECT. Rules with 'src' but no 'dest'
# apply to traffic addressed to the router itself; rules with both apply to
# forwarded traffic. All rules up to Allow-ISAKMP carry the names of the stock
# OpenWrt rule set; Allow-WireGuard is the addition for the VPN.

# Router input: DHCPv4 replies to the wan DHCP client (udp/68).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Router input: the router answers IPv4 echo-requests arriving from wan.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# Router input: IGMP from wan.
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# Router input: DHCPv6 replies to the client port (udp/546).
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Router input: MLD messages, accepted only from link-local sources.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# Router input: listed ICMPv6 types, rate-limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forwarded: listed ICMPv6 types from wan to any zone, rate-limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forwarded wan -> lan: IPsec ESP.
# NOTE(review): this rule and Allow-ISAKMP below admit IPsec traffic towards
# lan hosts. The VPN shown in this setup is WireGuard, so they are presumably
# unused -- confirm, and remove them if nothing on lan terminates IPsec.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# Forwarded wan -> lan: IKE (udp/500).
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Router input: udp/51820 from wan, the listen_port of the 'vpn' WireGuard
# interface in /etc/config/network. This is the one service deliberately
# exposed to the WAN side.
config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

# Only lan -> wan forwarding is allowed. There is no wan -> lan forwarding
# section, so traffic arriving on wan for lan hosts is subject to the wan
# zone's forward 'REJECT' unless one of the explicit rules accepts it.
config forwarding
	option src 'lan'
	option dest 'wan'

There are a lot of problems here. How does the Pi connect to the internet? How does it connect to the lan?


The Pi is supposed to connect to the internet via the USB-Ethernet adaptor, which is connected directly to the modem. It connects to the lan via the built-in ethernet ports on the Pi and the Linksys. I was seeing packets sent/received on the lan and wan interfaces in LuCI, which led me to believe that the modem-Pi connection was working properly. But maybe not? Please let me know what additional details I can provide.

You have both the lan and the wan using the same port (eth0 via br-lan), so this will not work: the wan needs its own device, separate from the lan bridge.

Did you install the drivers for your usb Ethernet adapter?

I really appreciate the very quick replies. Yes, I installed the drivers for the adapter and was able to get that port to communicate without any problems when using the Pi as a VPN server.

So that should be eth1. Edit as follows:

# Corrected wan section: the DHCP client is bound to eth1 (per the thread, the
# USB Ethernet adapter cabled to the modem) and no longer shares br-lan with
# lan, so the lan and wan firewall zones sit on separate devices.
config interface 'wan'
	option proto 'dhcp'
	option device 'eth1'

Reboot and then issue the command:

ifstatus wan | grep address

Hopefully it will have an address -- show us just the first two octets (the aaa.bbb part of aaa.bbb.ccc.ddd).


I think that might have solved it. I made the changes and am now seeing this as the address: 67.245.ccc.ddd. I'm able to connect to the internet from devices connected to the AP.

Great!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:
