Some web pages not loading

Hello,

My searches did not help me, so I am posting here.

I am using OpenWrt 19.07.3 r11063-85e04e9f46 / LuCI openwrt-19.07 branch git-20.136.49537-fb2f363 on a TP-Link Archer C7 v5. There are no additional packages loaded. The DNS server is 1.1.1.1.

My broadband connection is over an industrial WiFi. OpenWrt is connected to that Industrial WiFi using PPPoE.

Recently, I cannot get some web pages (e.g. duckduckgo.com). After about a month of investigation with my internet service provider, it turned out that I am to blame here.

If I connect a laptop directly to the Ethernet cable coming from the industrial WiFi and set up a PPPoE connection, I can access all web pages just fine.

However, if I connect Industrial WiFi to a switch and to my OpenWrt router, I cannot access some web pages.

Error I receive on browsers is either connection reset or connection timed out.

mtr output is as follows:

root@OpenWrt:~# mtr -wbc10 duckduckgo.com
Start: 2020-10-28T21:51:21+0300
HOST: OpenWrt                                           Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 10.40.0.1 (10.40.0.1)                              0.0%    10   26.6  42.6  15.6  75.5  19.3
  2.|-- 31.206.45.185 (31.206.45.185)                      0.0%    10  110.4  54.1  30.0 110.4  29.1
  3.|-- 31.206.45.153 (31.206.45.153)                      0.0%    10  122.2 117.2  83.4 165.5  28.7
  4.|-- 46.234.28.93 (46.234.28.93)                       20.0%    10  154.1 118.7  93.2 154.1  20.3
  5.|-- ae3-17-xcr1.ise.cw.net (195.2.26.253)              0.0%    10  118.6 108.1  54.6 156.3  28.9
  6.|-- ae29-xcr1.sof.cw.net (195.2.18.210)               10.0%    10  229.7 129.2  69.4 229.7  45.0
  7.|-- ae10-0.sof01-96cbe-1b.ntwk.msn.net (104.44.12.74)  0.0%    10  205.0 148.0 106.4 220.1  38.6
  8.|-- ae25-0.vie-96cbe-1b.ntwk.msn.net (104.44.40.146)   0.0%    10  193.7 163.9 109.1 193.7  32.4
  9.|-- be-36-0.ibr01.vie.ntwk.msn.net (104.44.21.233)     0.0%    10  287.5 194.9 133.7 287.5  52.5
 10.|-- be-5-0.ibr01.zrh20.ntwk.msn.net (104.44.19.6)      0.0%    10  251.7 207.3 127.4 268.0  40.8
 11.|-- be-6-0.ibr01.fra21.ntwk.msn.net (104.44.18.79)     0.0%    10  291.4 196.2 128.1 291.4  44.0
 12.|-- be-8-0.ibr01.ams30.ntwk.msn.net (104.44.19.234)   20.0%    10  289.7 200.8 133.1 289.7  56.4
 13.|-- be-4-0.ibr03.ams06.ntwk.msn.net (104.44.18.185)    0.0%    10  254.0 188.5 136.2 254.0  40.3
 14.|-- ae143-0.icr04.ams06.ntwk.msn.net (104.44.21.178)  20.0%    10  218.1 169.8 134.1 218.1  32.1
 15.|-- ???                                               100.0    10    0.0   0.0   0.0   0.0   0.0
root@OpenWrt:~#

DHCP settings

root@OpenWrt:~# uci show dhcp
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_management='1'
dhcp.lan.leasetime='48h'
dhcp.lan.force='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.@host[0]=host
dhcp.@host[0].dns='1'
dhcp.@host[0].mac='B8:27:EB:AF:5F:31'
dhcp.@host[0].name='RaspberryPi3_WiFi'
dhcp.@host[0].ip='192.168.8.92'
dhcp.@host[1]=host
dhcp.@host[1].dns='1'
dhcp.@host[1].mac='DC:A6:32:02:59:DC'
dhcp.@host[1].ip='192.168.8.90'
dhcp.@host[1].name='RaspberryPi4_WiFi'
dhcp.@host[2]=host
dhcp.@host[2].name='RaspberryPi4_LAN'
dhcp.@host[2].dns='1'
dhcp.@host[2].mac='DC:A6:32:02:59:DB'
dhcp.@host[2].ip='192.168.8.91'
dhcp.@host[3]=host
dhcp.@host[3].mac='2C:4D:54:56:C9:F9'
dhcp.@host[3].name='ErtanPC'
dhcp.@host[3].dns='1'
dhcp.@host[3].ip='192.168.1.99'
dhcp.@host[4]=host
dhcp.@host[4].mac='70:85:C2:7B:26:24'
dhcp.@host[4].name='FreeNAS'
dhcp.@host[4].dns='1'
dhcp.@host[4].ip='192.168.8.2'
dhcp.@host[5]=host
dhcp.@host[5].mac='b8:27:eb:fa:0a:64'
dhcp.@host[5].name='RaspberryPi3_LAN'
dhcp.@host[5].dns='1'
dhcp.@host[5].ip='192.168.8.93'
dhcp.@host[6]=host
dhcp.@host[6].mac='B8:27:EB:15:51:4B'
dhcp.@host[6].name='PiZeroW_WiFi'
dhcp.@host[6].dns='1'
dhcp.@host[6].ip='192.168.8.94'
root@OpenWrt:~#

Network settings

root@OpenWrt:~# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd91:8a85:4db7::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.8.1'
network.lan.dns='1.1.1.1'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='pppoe'
network.wan.username=[snip]
network.wan.password=[snip]
network.wan.keepalive='6 10'
network.wan.ipv6='0'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 3 4 5 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 0t'
root@OpenWrt:~#

Any help is appreciated.

Thanks & Regards,
Ertan

What is the MTU on the WAN interface on OpenWrt and the computer?

3 Likes

Forgot to include it, sorry about that. It is 1492 on OpenWrt.
I am going to update my computer MTU once I find it out.

  • Linux Debian has MTU 1500
  • Raspberry Pi also has MTU 1500
  • Windows 10 has MTU 1500

BTW, the problem exists on both Linux and Windows. Briefly, any computer accessing the internet through OpenWrt has that problem.

In the meantime, I just upgraded to 19.07.04 and the problem still exists for me.

Move DNS to the WAN interface...otherwise, I don't see anything odd...

1 Like

For what it's worth my mtr also terminates with 100% loss at the last hop.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
1 Like

Here is the output.

I have tried changing the nameserver to see if it helps. I did that for the LAN, though; I have yet to try changing the nameserver on PPPoE.

root@OpenWrt:~# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
{
        "kernel": "4.14.195",
        "hostname": "OpenWrt",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link Archer C7 v5",
        "board_name": "tplink,archer-c7-v5",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.4",
                "revision": "r11208-ce6496d796",
                "target": "ath79/generic",
                "description": "OpenWrt 19.07.4 r11208-ce6496d796"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd91:8a85:4db7::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.8.1'
        list dns '1.1.1.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'pppoe'
        option username '[snip]'
        option password '[snip]'
        option keepalive '6 10'
        option ipv6 '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'VHT80'
        option txpower '23'
        option legacy_rates '1'
        option country 'TR'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option key '[snip]'
        option wds '1'
        option ssid 'OpenWrt_5G'
        option encryption 'psk2'
        option network 'lan'
        option disabled '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option country 'TR'
        option legacy_rates '0'
        option txpower '20'
        option channel 'auto'
        option path 'platform/ahb/18100000.wmac'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option key '[snip]'
        option ssid 'OpenWrt'
        option network 'lan'
        option encryption 'psk-mixed'

config wifi-device 'radio2'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option htmode 'HT20'
        option disabled '1'
        option path 'platform/ahb/18100000.wmac'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option leasetime '48h'
        option force '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option dns '1'
        option mac 'B8:27:EB:AF:5F:31'
        option name 'RaspberryPi3_WiFi'
        option ip '192.168.8.92'

config host
        option dns '1'
        option mac 'DC:A6:32:02:59:DC'
        option ip '192.168.8.90'
        option name 'RaspberryPi4_WiFi'

config host
        option name 'RaspberryPi4_LAN'
        option dns '1'
        option mac 'DC:A6:32:02:59:DB'
        option ip '192.168.8.91'

config host
        option mac '2C:4D:54:56:C9:F9'
        option name 'ErtanPC'
        option dns '1'
        option ip '192.168.1.99'

config host
        option mac '70:85:C2:7B:26:24'
        option name 'FreeNAS'
        option dns '1'
        option ip '192.168.8.2'

config host
        option mac 'b8:27:eb:fa:0a:64'
        option name 'RaspberryPi3_LAN'
        option dns '1'
        option ip '192.168.8.93'

config host
        option mac 'B8:27:EB:15:51:4B'
        option name 'PiZeroW_WiFi'
        option dns '1'
        option ip '192.168.8.94'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.3 on Thu Oct 29 13:30:53 2020
*nat
:PREROUTING ACCEPT [134524:9916683]
:INPUT ACCEPT [7862:617021]
:OUTPUT ACCEPT [9478:660806]
:POSTROUTING ACCEPT [118:15740]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[134524:9916683] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[25540:2860380] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[108157:6922447] -A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[19349:1315952] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[30:9381] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[19231:1300212] -A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[30:9381] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[25540:2860380] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[19231:1300212] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[19231:1300212] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[108157:6922447] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Oct 29 13:30:53 2020
# Generated by iptables-save v1.8.3 on Thu Oct 29 13:30:53 2020
*mangle
:PREROUTING ACCEPT [1312724:809120993]
:INPUT ACCEPT [117909:34938984]
:FORWARD ACCEPT [1186166:772459340]
:OUTPUT ACCEPT [81272:9471999]
:POSTROUTING ACCEPT [1156500:774832585]
[11858:659988] -A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[7208:394180] -A FORWARD -i pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Oct 29 13:30:53 2020
# Generated by iptables-save v1.8.3 on Thu Oct 29 13:30:53 2020
*filter
:INPUT ACCEPT [87500:28209605]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[473:61816] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[117438:34877248] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[14936:4099724] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[53:2804] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[14893:2561213] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[109:6706] -A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
[1186166:772459340] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[1057607:763996487] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[20426:1542341] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[108133:6920512] -A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[473:61816] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[80796:9410547] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[70275:8646738] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[82:26800] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[10439:737009] -A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
[100:6103] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[108142:6921115] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[53:2804] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[82:26800] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[20426:1542341] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[20426:1542341] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[14893:2561213] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[14893:2561213] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[82:26800] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[82:26800] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[14893:2561213] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[2800:178254] -A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[28065:2101096] -A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
[108133:6920512] -A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
[108133:6920512] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[108133:6920512] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[109:6706] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[109:6706] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[10439:737009] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[10439:737009] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[109:6706] -A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Oct 29 13:30:53 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.8.1/24 brd 192.168.8.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN qlen 3
    inet 10.40.1.15 peer 10.40.0.1/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
default via 10.40.0.1 dev pppoe-wan 
10.40.0.1 dev pppoe-wan scope link  src 10.40.1.15 
192.168.8.0/24 dev br-lan scope link  src 192.168.8.1 
local 10.40.1.15 dev pppoe-wan table local scope host  src 10.40.1.15 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.8.0 dev br-lan table local scope link  src 192.168.8.1 
local 192.168.8.1 dev br-lan table local scope host  src 192.168.8.1 
broadcast 192.168.8.255 dev br-lan table local scope link  src 192.168.8.1 
0:      from all lookup local 
32766:  from all lookup main 
32767:  from all lookup default 
lrwxrwxrwx    1 root     root            16 Sep  6 19:19 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Oct 28 21:44 /tmp/resolv.conf
-rw-r--r--    1 root     root            96 Oct 28 21:43 /tmp/resolv.conf.auto
-rw-r--r--    1 root     root            45 Oct 28 21:43 /tmp/resolv.conf.ppp
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface lan
nameserver 1.1.1.1
# Interface wan
nameserver 213.194.110.17
nameserver 8.8.8.8

==> /tmp/resolv.conf.ppp <==
nameserver 213.194.110.17
nameserver 8.8.8.8
root@OpenWrt:~#
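The MTU question above is the key point of this thread: br-lan runs at 1500 while pppoe-wan runs at 1492 (1500 minus 8 bytes of PPPoE framing), so LAN hosts emit packets the WAN link cannot carry, and TCP only survives because fw3's mtu_fix installs the TCPMSS clamp visible in the mangle table. The following is an added example, not code from the thread or from OpenWrt: it parses the two outputs posted above (the interface lines from `ip -4 addr` and the mangle table from `iptables-save -c`, copied here as constructed sample input) and reports whether the LAN MTU exceeds the WAN MTU and whether the clamp is present in both directions. The function and constant names are the example's own.

```python
import re

# Constructed sample input: the interface lines copied from the `ip -4 addr`
# output posted in the thread (addresses trimmed to what the parser needs).
IP_ADDR_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.8.1/24 brd 192.168.8.255 scope global br-lan
9: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN qlen 3
    inet 10.40.1.15 peer 10.40.0.1/32 scope global pppoe-wan
"""

# Constructed sample input: the mangle table from the posted `iptables-save -c`.
MANGLE_OUTPUT = """\
*mangle
:FORWARD ACCEPT [1186166:772459340]
[11858:659988] -A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[7208:394180] -A FORWARD -i pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
"""

PPPOE_OVERHEAD = 8        # 6-byte PPPoE header + 2-byte PPP protocol field
IPV4_TCP_HEADERS = 40     # 20-byte IPv4 header + 20-byte TCP header, no options

# "9: pppoe-wan: <FLAGS> mtu 1492 ..." (also tolerates "eth0.1@eth0:" style names)
IFACE_RE = re.compile(r"^\d+:\s+(?P<name>[^:@]+)(?:@\S+)?:\s+<[^>]*>\s+mtu\s+(?P<mtu>\d+)")
# "-i pppoe-wan" / "-o pppoe-wan" inside an iptables rule
CLAMP_IFACE_RE = re.compile(r"(?:^|\s)-(?P<dir>[io])\s+(?P<iface>\S+)")


def pppoe_mtu(ethernet_mtu=1500):
    """Largest IP packet that fits in one Ethernet frame once PPPoE framing is added."""
    return ethernet_mtu - PPPOE_OVERHEAD


def expected_mss(mtu):
    """TCP MSS a host should advertise so a full segment fits the given MTU."""
    return mtu - IPV4_TCP_HEADERS


def parse_mtus(ip_addr_text):
    """Map interface name -> MTU from `ip -4 addr` (or `ip link`) output."""
    mtus = {}
    for line in ip_addr_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            mtus[m.group("name")] = int(m.group("mtu"))
    return mtus


def clamp_directions(iptables_text, wan):
    """Set of directions ('i' = inbound, 'o' = outbound) with a TCPMSS clamp on `wan`."""
    found = set()
    for line in iptables_text.splitlines():
        if "-j TCPMSS" not in line:
            continue
        for m in CLAMP_IFACE_RE.finditer(line):
            if m.group("iface") == wan:
                found.add(m.group("dir"))
    return found


def check_path_mtu(ip_addr_text, iptables_text, wan="pppoe-wan", lan="br-lan"):
    """Report whether LAN hosts depend on MSS clamping/PMTUD and whether the clamp exists."""
    mtus = parse_mtus(ip_addr_text)
    if wan not in mtus or lan not in mtus:
        raise ValueError(f"interface {wan!r} or {lan!r} not found in ip output")
    wan_mtu, lan_mtu = mtus[wan], mtus[lan]
    clamps = clamp_directions(iptables_text, wan)
    report = {
        "wan_mtu": wan_mtu,
        "lan_mtu": lan_mtu,
        "wan_mtu_is_pppoe_default": wan_mtu == pppoe_mtu(),
        "expected_wan_mss": expected_mss(wan_mtu),
        "lan_exceeds_wan": lan_mtu > wan_mtu,
        "clamp_outbound": "o" in clamps,
        "clamp_inbound": "i" in clamps,
    }
    # The rule only rewrites TCP SYN segments, so TCP is covered when the clamp
    # exists in both directions; everything else still relies on working PMTUD.
    report["tcp_mss_covered"] = not report["lan_exceeds_wan"] or (
        report["clamp_outbound"] and report["clamp_inbound"]
    )
    return report


if __name__ == "__main__":
    for key, value in check_path_mtu(IP_ADDR_OUTPUT, MANGLE_OUTPUT).items():
        print(f"{key}: {value}")
```

On the posted outputs the report shows the expected 1492/1500 mismatch with the clamp present in both directions, i.e. the TCP path is handled by fw3; the `tcp_mss_covered` flag only says that, and a `connection reset`/`timed out` symptom with the clamp in place points away from MSS and towards what the later replies go after (DNS and a packet capture on pppoe-wan).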
option peerdns='0'

Then you can add nameservers under wan.
Other than that, it looks fine to me.
What you can try is to capture the interesting traffic. Install tcpdump:

opkg update ; opkg install tcpdump

Then find the IP of the site you have issues:

nslookup duckduckgo.com

and run the capture with that address:
tcpdump -i pppoe-wan -evn host 40.114.177.156
Try to access the page, stop the capture with Ctrl-c and paste here the output.

1 Like

When I went over your advice and ran the commands, the following output got my attention:

root@OpenWrt:~# nslookup duckduckgo.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:      duckduckgo.com
Address 1: 40.114.177.156
*** Can't find duckduckgo.com: No answer
root@OpenWrt:~#

This is after I changed my DNS server from LAN to PPPoE. Just to be complete, below is current output of earlier asked commands:

root@OpenWrt:~# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
{
        "kernel": "4.14.195",
        "hostname": "OpenWrt",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link Archer C7 v5",
        "board_name": "tplink,archer-c7-v5",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.4",
                "revision": "r11208-ce6496d796",
                "target": "ath79/generic",
                "description": "OpenWrt 19.07.4 r11208-ce6496d796"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd91:8a85:4db7::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.8.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'pppoe'
        option username '[snip]'
        option password '[snip]'
        option keepalive '6 10'
        option ipv6 '0'
        list dns '8.8.8.8'
        option peerdns '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'VHT80'
        option txpower '23'
        option legacy_rates '1'
        option country 'TR'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option key '[snip]'
        option wds '1'
        option ssid 'OpenWrt_5G'
        option encryption 'psk2'
        option network 'lan'
        option disabled '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option country 'TR'
        option legacy_rates '0'
        option txpower '20'
        option channel 'auto'
        option path 'platform/ahb/18100000.wmac'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option key '[snip]'
        option ssid 'OpenWrt'
        option network 'lan'
        option encryption 'psk-mixed'

config wifi-device 'radio2'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option htmode 'HT20'
        option disabled '1'
        option path 'platform/ahb/18100000.wmac'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option leasetime '48h'
        option force '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option dns '1'
        option mac 'B8:27:EB:AF:5F:31'
        option name 'RaspberryPi3_WiFi'
        option ip '192.168.8.92'

config host
        option dns '1'
        option mac 'DC:A6:32:02:59:DC'
        option ip '192.168.8.90'
        option name 'RaspberryPi4_WiFi'

config host
        option name 'RaspberryPi4_LAN'
        option dns '1'
        option mac 'DC:A6:32:02:59:DB'
        option ip '192.168.8.91'

config host
        option mac '2C:4D:54:56:C9:F9'
        option name 'ErtanPC'
        option dns '1'
        option ip '192.168.1.99'

config host
        option mac '70:85:C2:7B:26:24'
        option name 'FreeNAS'
        option dns '1'
        option ip '192.168.8.2'

config host
        option mac 'b8:27:eb:fa:0a:64'
        option name 'RaspberryPi3_LAN'
        option dns '1'
        option ip '192.168.8.93'

config host
        option mac 'B8:27:EB:15:51:4B'
        option name 'PiZeroW_WiFi'
        option dns '1'
        option ip '192.168.8.94'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.3 on Thu Oct 29 15:22:27 2020
*nat
:PREROUTING ACCEPT [161041:12300265]
:INPUT ACCEPT [10511:803326]
:OUTPUT ACCEPT [12814:884186]
:POSTROUTING ACCEPT [170:20402]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[161041:12300265] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[39009:4398626] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[121100:7750799] -A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[28443:1862935] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[35:10741] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[28273:1842533] -A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[35:10741] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[39009:4398626] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[28273:1842533] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[28273:1842533] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[121100:7750799] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Oct 29 15:22:27 2020
# Generated by iptables-save v1.8.3 on Thu Oct 29 15:22:27 2020
*mangle
:PREROUTING ACCEPT [3103787:2381863281]
:INPUT ACCEPT [142744:41516236]
:FORWARD ACCEPT [2947227:2337579054]
:OUTPUT ACCEPT [95613:11336970]
:POSTROUTING ACCEPT [2918182:2340696189]
[19324:1051760] -A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[10788:577592] -A FORWARD -i pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Oct 29 15:22:27 2020
# Generated by iptables-save v1.8.3 on Thu Oct 29 15:22:27 2020
*filter
:INPUT ACCEPT [97969:31582849]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[1027:116332] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[141719:41399984] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[19329:5115396] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[61:3220] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[24312:4695033] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[109:6706] -A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
[2947227:2337579054] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[2793632:2327364430] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[32518:2465708] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[121076:7748864] -A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
[1:52] -A FORWARD -m comment --comment "!fw3" -j reject
[1027:116332] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[94584:11221106] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[79933:9934727] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[91:29472] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[14560:1256907] -A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
[101:6155] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[121085:7749467] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[61:3220] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[91:29472] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[32518:2465708] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[32518:2465708] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[24312:4695033] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[24312:4695033] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[91:29472] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[91:29472] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[24312:4695033] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[3576:470931] -A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[43502:3251684] -A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
[121076:7748864] -A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
[121076:7748864] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[121076:7748864] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[109:6706] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[109:6706] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[14560:1256907] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[14560:1256907] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[109:6706] -A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Oct 29 15:22:27 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.8.1/24 brd 192.168.8.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN qlen 3
    inet 10.40.1.15 peer 10.40.0.1/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
default via 10.40.0.1 dev pppoe-wan 
10.40.0.1 dev pppoe-wan scope link  src 10.40.1.15 
192.168.8.0/24 dev br-lan scope link  src 192.168.8.1 
local 10.40.1.15 dev pppoe-wan table local scope host  src 10.40.1.15 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.8.0 dev br-lan table local scope link  src 192.168.8.1 
local 192.168.8.1 dev br-lan table local scope host  src 192.168.8.1 
broadcast 192.168.8.255 dev br-lan table local scope link  src 192.168.8.1 
0:      from all lookup local 
32766:  from all lookup main 
32767:  from all lookup default 
lrwxrwxrwx    1 root     root            16 Sep  6 19:19 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Oct 28 21:44 /tmp/resolv.conf
-rw-r--r--    1 root     root            35 Oct 29 13:37 /tmp/resolv.conf.auto
-rw-r--r--    1 root     root            45 Oct 28 21:43 /tmp/resolv.conf.ppp
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 8.8.8.8

==> /tmp/resolv.conf.ppp <==
nameserver 213.194.110.17
nameserver 8.8.8.8
root@OpenWrt:~#

Here is the tcpdump output up to the point where I get "ERR_TIMED_OUT" in the browser on my computer

root@OpenWrt:~# tcpdump -i pppoe-wan -evn host 40.114.177.156
tcpdump: listening on pppoe-wan, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
15:23:51.752187 Out ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 127, id 15227, offset 0, flags [DF], proto TCP (6), length 52)
    10.40.1.15.54576 > 40.114.177.156.443: Flags [S], cksum 0xdc6c (correct), seq 2671721546, win 64240, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
15:23:51.842717 Out ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 127, id 15228, offset 0, flags [DF], proto TCP (6), length 52)
    10.40.1.15.54577 > 40.114.177.156.443: Flags [S], cksum 0x5d05 (correct), seq 576141465, win 64240, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
15:23:51.874461  In ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 46, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    40.114.177.156.443 > 10.40.1.15.54576: Flags [S.], cksum 0x6caf (correct), seq 3746620916, ack 2671721547, win 42340, options [mss 1440,nop,nop,sackOK,nop,wscale 7], length 0
15:23:51.875017 Out ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 127, id 15229, offset 0, flags [DF], proto TCP (6), length 40)
    10.40.1.15.54576 > 40.114.177.156.443: Flags [.], cksum 0x4ecd (correct), ack 1, win 1029, length 0
15:23:51.881842 Out ethertype IPv4 (0x0800), length 573: (tos 0x0, ttl 127, id 15230, offset 0, flags [DF], proto TCP (6), length 557)
    10.40.1.15.54576 > 40.114.177.156.443: Flags [P.], cksum 0x85b2 (correct), seq 1:518, ack 1, win 1029, length 517
15:23:51.993087  In ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 46, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    40.114.177.156.443 > 10.40.1.15.54577: Flags [S.], cksum 0x1a8b (correct), seq 2112428569, ack 576141466, win 42340, options [mss 1440,nop,nop,sackOK,nop,wscale 7], length 0
15:23:51.999417 Out ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 127, id 15231, offset 0, flags [DF], proto TCP (6), length 40)
    10.40.1.15.54577 > 40.114.177.156.443: Flags [.], cksum 0xfca8 (correct), ack 1, win 1029, length 0
15:23:52.004637 Out ethertype IPv4 (0x0800), length 573: (tos 0x0, ttl 127, id 15232, offset 0, flags [DF], proto TCP (6), length 557)
    10.40.1.15.54577 > 40.114.177.156.443: Flags [P.], cksum 0x34f2 (correct), seq 1:518, ack 1, win 1029, length 517
15:23:52.016827  In ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 46, id 56632, offset 0, flags [DF], proto TCP (6), length 40)
    40.114.177.156.443 > 10.40.1.15.54576: Flags [.], cksum 0x4f83 (correct), ack 518, win 330, length 0
15:23:52.017538  In ethertype IPv4 (0x0800), length 973: (tos 0x0, ttl 46, id 56635, offset 0, flags [DF], proto TCP (6), length 957)
    40.114.177.156.443 > 10.40.1.15.54576: Flags [P.], cksum 0x5adc (correct), seq 2905:3822, ack 518, win 330, length 917
15:23:52.017835 Out ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 127, id 15233, offset 0, flags [DF], proto TCP (6), length 52)
    10.40.1.15.54576 > 40.114.177.156.443: Flags [.], cksum 0x71de (correct), ack 1, win 1029, options [nop,nop,sack 1 {2905:3822}], length 0
15:23:52.163325  In ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 46, id 10414, offset 0, flags [DF], proto TCP (6), length 40)
    40.114.177.156.443 > 10.40.1.15.54577: Flags [.], cksum 0xfd5e (correct), ack 518, win 330, length 0
15:23:52.163716  In ethertype IPv4 (0x0800), length 973: (tos 0x0, ttl 46, id 10417, offset 0, flags [DF], proto TCP (6), length 957)
    40.114.177.156.443 > 10.40.1.15.54577: Flags [P.], cksum 0xc1ca (correct), seq 2905:3822, ack 518, win 330, length 917
15:23:52.164066 Out ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 127, id 15234, offset 0, flags [DF], proto TCP (6), length 52)
    10.40.1.15.54577 > 40.114.177.156.443: Flags [.], cksum 0x7a40 (correct), ack 1, win 1029, options [nop,nop,sack 1 {2905:3822}], length 0
15:24:21.884793 Out ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 127, id 15235, offset 0, flags [DF], proto TCP (6), length 40)
    10.40.1.15.54576 > 40.114.177.156.443: Flags [F.], cksum 0x4cc7 (correct), seq 518, ack 1, win 1029, length 0
15:24:21.991384  In ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 46, id 56643, offset 0, flags [DF], proto TCP (6), length 40)
    40.114.177.156.443 > 10.40.1.15.54576: Flags [F.], cksum 0x4094 (correct), seq 3822, ack 519, win 330, length 0
15:24:21.991944 Out ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 127, id 15236, offset 0, flags [DF], proto TCP (6), length 52)
    10.40.1.15.54576 > 40.114.177.156.443: Flags [.], cksum 0x71dd (correct), ack 1, win 1029, options [nop,nop,sack 1 {2905:3822}], length 0
15:24:22.008714 Out ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 127, id 15237, offset 0, flags [DF], proto TCP (6), length 40)
    10.40.1.15.54577 > 40.114.177.156.443: Flags [F.], cksum 0xfaa2 (correct), seq 518, ack 1, win 1029, length 0
15:24:22.098913 Out ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 127, id 15238, offset 0, flags [DF], proto TCP (6), length 52)
    10.40.1.15.54601 > 40.114.177.156.443: Flags [S], cksum 0x9856 (correct), seq 2147721091, win 64240, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
15:24:22.108547  In ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 46, id 10424, offset 0, flags [DF], proto TCP (6), length 40)
    40.114.177.156.443 > 10.40.1.15.54577: Flags [F.], cksum 0xee6f (correct), seq 3822, ack 519, win 330, length 0
15:24:22.108976 Out ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 127, id 15239, offset 0, flags [DF], proto TCP (6), length 52)
    10.40.1.15.54577 > 40.114.177.156.443: Flags [.], cksum 0x7a3f (correct), ack 1, win 1029, options [nop,nop,sack 1 {2905:3822}], length 0
15:24:22.185975  In ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 46, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    40.114.177.156.443 > 10.40.1.15.54601: Flags [S.], cksum 0x6cb6 (correct), seq 1093353469, ack 2147721092, win 42340, options [mss 1440,nop,nop,sackOK,nop,wscale 7], length 0
15:24:22.187017 Out ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 127, id 15240, offset 0, flags [DF], proto TCP (6), length 40)
    10.40.1.15.54601 > 40.114.177.156.443: Flags [.], cksum 0x4ed4 (correct), ack 1, win 1029, length 0
15:24:22.189402 Out ethertype IPv4 (0x0800), length 573: (tos 0x0, ttl 127, id 15241, offset 0, flags [DF], proto TCP (6), length 557)
    10.40.1.15.54601 > 40.114.177.156.443: Flags [P.], cksum 0xc168 (correct), seq 1:518, ack 1, win 1029, length 517
15:24:22.278188  In ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 46, id 27527, offset 0, flags [DF], proto TCP (6), length 40)
    40.114.177.156.443 > 10.40.1.15.54601: Flags [.], cksum 0x4f8a (correct), ack 518, win 330, length 0
15:24:22.283029  In ethertype IPv4 (0x0800), length 973: (tos 0x0, ttl 46, id 27530, offset 0, flags [DF], proto TCP (6), length 957)
    40.114.177.156.443 > 10.40.1.15.54601: Flags [P.], cksum 0x8f6b (correct), seq 2905:3822, ack 518, win 330, length 917
15:24:22.283531 Out ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 127, id 15242, offset 0, flags [DF], proto TCP (6), length 52)
    10.40.1.15.54601 > 40.114.177.156.443: Flags [.], cksum 0xfa1f (correct), ack 1, win 1029, options [nop,nop,sack 1 {2905:3822}], length 0
^C
27 packets captured
27 packets received by filter
0 packets dropped by kernel
root@OpenWrt:~#

Network-wise there is no issue:
SYN

15:23:51.752187 Out ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 127, id 15227, offset 0, flags [DF], proto TCP (6), length 52)
    10.40.1.15.54576 > 40.114.177.156.443: Flags [S], cksum 0xdc6c (correct), seq 2671721546, win 64240, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0

SYN ACK

15:23:51.874461  In ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 46, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    40.114.177.156.443 > 10.40.1.15.54576: Flags [S.], cksum 0x6caf (correct), seq 3746620916, ack 2671721547, win 42340, options [mss 1440,nop,nop,sackOK,nop,wscale 7], length 0

ACK

15:23:51.874461  In ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 46, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    40.114.177.156.443 > 10.40.1.15.54576: Flags [S.], cksum 0x6caf (correct), seq 3746620916, ack 2671721547, win 42340, options [mss 1440,nop,nop,sackOK,nop,wscale 7], length 0

A couple of packets are exchanged, and finally the session is gracefully torn down.

15:24:21.884793 Out ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 127, id 15235, offset 0, flags [DF], proto TCP (6), length 40)
    10.40.1.15.54576 > 40.114.177.156.443: Flags [F.], cksum 0x4cc7 (correct), seq 518, ack 1, win 1029, length 0
15:24:21.991384  In ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 46, id 56643, offset 0, flags [DF], proto TCP (6), length 40)
    40.114.177.156.443 > 10.40.1.15.54576: Flags [F.], cksum 0x4094 (correct), seq 3822, ack 519, win 330, length 0
15:24:21.991944 Out ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 127, id 15236, offset 0, flags [DF], proto TCP (6), length 52)
    10.40.1.15.54576 > 40.114.177.156.443: Flags [.], cksum 0x71dd (correct), ack 1, win 1029, options [nop,nop,sack 1 {2905:3822}], length 0

MTU is configured properly and the payload is not big enough to exceed it.
Does this happen only to one device/browser?

When it happens, it happens to all computers connected to the network over that router.

It doesn't happen all the time?

To be honest I don't see any other issue. Since you mentioned in the first post that it started recently and there are no other packages, I can only suggest a backup, reset, and quick configuration from scratch (only change wan from dhcp to pppoe, nothing else).
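As an added example (not part of the thread, and not the helper's or the OP's code), here is a small script that does the handshake walkthrough above mechanically: it parses the two-line records `tcpdump -evn` prints, groups them per connection and, for each connection, compares the lowest server data segment that arrived against the byte the client keeps acknowledging. The sample input is copied from the capture above (the connection on client port 54576); the only assumption is that the side talking to port 443 is the client. Run over that capture it reports that the server's bytes 1 to 2904 (exactly two 1452-byte segments, the MSS the SYN advertised) never arrived while the 917-byte segment starting at 2905 did, and that the client answered with `ack 1` plus a SACK block until it gave up with a FIN; the connections on ports 54577 and 54601 in the capture show the same numbers. A hole that is an exact multiple of the MSS while smaller segments get through is the pattern to check for when full-size packets are suspected of being dropped somewhere on the path.

```python
"""Per-connection check of a 'tcpdump -evn' capture for missing server bytes.

Added example, not from the original thread. tcpdump switches to relative
sequence numbers after the handshake, so the first byte of server data is
seq 1 and a client "ack 1" means it is still waiting for that byte.
"""
import re

# Records copied from the capture in the thread (client port 54576 only).
SAMPLE = """\
15:23:51.752187 Out ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 127, id 15227, offset 0, flags [DF], proto TCP (6), length 52)
    10.40.1.15.54576 > 40.114.177.156.443: Flags [S], cksum 0xdc6c (correct), seq 2671721546, win 64240, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
15:23:51.874461  In ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 46, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    40.114.177.156.443 > 10.40.1.15.54576: Flags [S.], cksum 0x6caf (correct), seq 3746620916, ack 2671721547, win 42340, options [mss 1440,nop,nop,sackOK,nop,wscale 7], length 0
15:23:51.881842 Out ethertype IPv4 (0x0800), length 573: (tos 0x0, ttl 127, id 15230, offset 0, flags [DF], proto TCP (6), length 557)
    10.40.1.15.54576 > 40.114.177.156.443: Flags [P.], cksum 0x85b2 (correct), seq 1:518, ack 1, win 1029, length 517
15:23:52.016827  In ethertype IPv4 (0x0800), length 56: (tos 0x0, ttl 46, id 56632, offset 0, flags [DF], proto TCP (6), length 40)
    40.114.177.156.443 > 10.40.1.15.54576: Flags [.], cksum 0x4f83 (correct), ack 518, win 330, length 0
15:23:52.017538  In ethertype IPv4 (0x0800), length 973: (tos 0x0, ttl 46, id 56635, offset 0, flags [DF], proto TCP (6), length 957)
    40.114.177.156.443 > 10.40.1.15.54576: Flags [P.], cksum 0x5adc (correct), seq 2905:3822, ack 518, win 330, length 917
15:23:52.017835 Out ethertype IPv4 (0x0800), length 68: (tos 0x0, ttl 127, id 15233, offset 0, flags [DF], proto TCP (6), length 52)
    10.40.1.15.54576 > 40.114.177.156.443: Flags [.], cksum 0x71de (correct), ack 1, win 1029, options [nop,nop,sack 1 {2905:3822}], length 0
"""

TCP_RE = re.compile(
    r"^\s+(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$")
SEQ_RE = re.compile(r"\bseq (\d+)(?::(\d+))?")   # 'seq a:b' marks a data segment
ACK_RE = re.compile(r"\back (\d+)")
MSS_RE = re.compile(r"\bmss (\d+)")
LEN_RE = re.compile(r"\blength (\d+)$")
SACK_RE = re.compile(r"\{(\d+):(\d+)\}")

def _new_flow():
    return {"client_mss": None, "server_mss": None, "client_sent": 0,
            "server_ack": None, "client_ack": None, "client_sack": [],
            "server_segments": [], "largest_server_segment": 0}

def parse_flows(capture_text, server_port=443):
    """Group TCP records by connection, keyed by client port.
    Assumption of this example: the side talking to server_port is the client."""
    flows = {}
    for line in capture_text.splitlines():
        m = TCP_RE.match(line.rstrip())
        if not m:
            continue                                  # first line of a record
        sport, dport = int(m["sport"]), int(m["dport"])
        if dport == server_port:
            port, from_client = sport, True
        elif sport == server_port:
            port, from_client = dport, False
        else:
            continue
        f = flows.setdefault(port, _new_flow())
        flags, rest = m["flags"], m["rest"]
        seq, ack, mss = SEQ_RE.search(rest), ACK_RE.search(rest), MSS_RE.search(rest)
        lm = LEN_RE.search(rest)
        length = int(lm.group(1)) if lm else 0
        is_syn = "S" in flags
        if is_syn and mss:                            # MSS only travels in SYN / SYN-ACK
            f["client_mss" if from_client else "server_mss"] = int(mss.group(1))
        if ack and not is_syn:                        # SYN-ACK carries an absolute ack; skip it
            f["client_ack" if from_client else "server_ack"] = int(ack.group(1))
        if from_client:
            if seq and seq.group(2):
                f["client_sent"] = max(f["client_sent"], int(seq.group(2)) - 1)
            blocks = [(int(a), int(b)) for a, b in SACK_RE.findall(rest)]
            if blocks:
                f["client_sack"] = blocks
        elif seq and seq.group(2) and length:
            f["server_segments"].append((int(seq.group(1)), int(seq.group(2))))
            f["largest_server_segment"] = max(f["largest_server_segment"], length)
    return flows

def verdict(f):
    """None if server data arrived contiguously, else a description of the hole."""
    if not f["server_segments"] or f["client_ack"] is None:
        return None
    lowest = min(start for start, _ in f["server_segments"])
    acked = f["client_ack"]                           # next byte the client expects
    if lowest <= acked:
        return None
    missing, mss = lowest - acked, f["client_mss"]
    return {"missing_bytes": (acked, lowest - 1), "missing_len": missing,
            "client_mss": mss, "server_mss": f["server_mss"],
            # a hole that is an exact multiple of the MSS is the footprint of
            # full-size segments being lost while smaller ones get through
            "full_mss_segments_missing": missing // mss if mss and missing % mss == 0 else None,
            "largest_delivered_segment": f["largest_server_segment"],
            "client_sent": f["client_sent"], "server_ack": f["server_ack"],
            "client_sack": f["client_sack"]}

def report(capture_text, server_port=443):
    """Map client port -> verdict for every connection that shows a hole."""
    flows = parse_flows(capture_text, server_port)
    return {p: verdict(f) for p, f in flows.items() if verdict(f)}

if __name__ == "__main__":
    for port, v in report(SAMPLE).items():
        print(f"port {port}: server bytes {v['missing_bytes']} never arrived "
              f"({v['full_mss_segments_missing']} x MSS {v['client_mss']}); "
              f"largest delivered segment {v['largest_delivered_segment']} bytes")
```

Feed it the full capture (`tcpdump -evn ... > cap.txt`, then `report(open("cap.txt").read())`) to get one verdict per connection; a connection whose server data is delivered in order produces no entry.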


Some web sites are always like that (not working at all).
Some web sites work intermittently (for example, working overnight or for a couple of hours and then stopping). Netflix, for example, works randomly for a while and then stops working. There are no regular time intervals or durations that I could figure out.

"Recently" in my initial post means about 1-2 months. I did not change any setting or make any other modification or upgrade to OpenWrt.

I always blamed my internet service provider (they are local and a very small company). They did have problems and stopped their service for a day or two about one month ago. Only recently did I agree to directly connect a computer to the Industrial Router. When I do that, all the web sites that are not working load just fine, and I understand that there is some kind of problem on my side, either OpenWrt or my router hardware.

The Industrial WiFi connects to a simple small switch, and the OpenWrt WAN port also connects to that switch. The Industrial WiFi is on the roof. There are several levels between my floor and the roof. That small switch helps to extend the cable to my floor. There is nothing else in between. Also, the Industrial WiFi is in bridge mode. It has to be connected to a switch. The top floor also gets internet service from the same Industrial WiFi, but only during summer. The top floor router has been completely turned off for more than 1-2 months now.

When I did the direct connection test, I removed the Industrial WiFi from that small switch and plugged it directly into a laptop LAN port.

What do you mean by "only change wan from dhcp to pppoe"? I couldn't understand it.

I would try to connect the router directly on the cable coming from the industrial wifi to rule out faulty cabling or switch.

I just pulled the cable from behind my OpenWrt router and put it in a laptop. I set up PPPoE, and all of the web sites that were not loading loaded successfully.

That rules out a faulty switch or cable for sure.

How can I reset my device for installing OpenWrt from scratch?

System -> Backup/Flash Firmware -> Restore to Defaults


Still no joy. My latest configuration after doing a reset is as follows:

root@OpenWrt:~# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
{
        "kernel": "4.14.195",
        "hostname": "OpenWrt",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link Archer C7 v5",
        "board_name": "tplink,archer-c7-v5",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.4",
                "revision": "r11208-ce6496d796",
                "target": "ath79/generic",
                "description": "OpenWrt 19.07.4 r11208-ce6496d796"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7c:7085:89e3::/48'

config interface 'lan'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '10.40.0.1'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'ac:84:c6:8d:fe:40'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'NimaNet'
        option proto 'pppoe'
        option ifname 'eth0.2'
        option type 'bridge'
        option username '[snip]'
        option ipv6 'auto'
        option password '[snip]'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/ahb/18100000.wmac'
        option htmode 'HT20'
        option disabled '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'NimaNet'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.3 on Fri Oct 30 06:48:40 2020
*nat
:PREROUTING ACCEPT [1120:80669]
:INPUT ACCEPT [182:13265]
:OUTPUT ACCEPT [210:14872]
:POSTROUTING ACCEPT [9:648]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[1120:80669] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[552:43772] -A PREROUTING -i eth0.1 -m comment --comment "!fw3" -j zone_lan_prerouting
[562:35952] -A PREROUTING -i pppoe-NimaNet -m comment --comment "!fw3" -j zone_wan_prerouting
[550:34396] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o eth0.1 -m comment --comment "!fw3" -j zone_lan_postrouting
[541:33748] -A POSTROUTING -o pppoe-NimaNet -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[552:43772] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[541:33748] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[541:33748] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[562:35952] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Fri Oct 30 06:48:40 2020
# Generated by iptables-save v1.8.3 on Fri Oct 30 06:48:40 2020
*mangle
:PREROUTING ACCEPT [311012:291902012]
:INPUT ACCEPT [1538:352444]
:FORWARD ACCEPT [309438:291537640]
:OUTPUT ACCEPT [1196:276844]
:POSTROUTING ACCEPT [310062:291777852]
[282:14664] -A FORWARD -o pppoe-NimaNet -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[252:12880] -A FORWARD -i pppoe-NimaNet -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Oct 30 06:48:40 2020
# Generated by iptables-save v1.8.3 on Fri Oct 30 06:48:40 2020
*filter
:INPUT ACCEPT [464:149502]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[90:8001] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[1450:344523] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[512:99550] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[3:156] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[471:95319] -A INPUT -i eth0.1 -m comment --comment "!fw3" -j zone_lan_input
[3:152] -A INPUT -i pppoe-NimaNet -m comment --comment "!fw3" -j zone_wan_input
[309438:291537640] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[308302:291447325] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[576:54475] -A FORWARD -i eth0.1 -m comment --comment "!fw3" -j zone_lan_forward
[560:35840] -A FORWARD -i pppoe-NimaNet -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[90:8001] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[1104:269251] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[890:254085] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o eth0.1 -m comment --comment "!fw3" -j zone_lan_output
[214:15166] -A OUTPUT -o pppoe-NimaNet -m comment --comment "!fw3" -j zone_wan_output
[1:40] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[562:35952] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[3:156] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_lan_dest_ACCEPT -o eth0.1 -m comment --comment "!fw3" -j ACCEPT
[576:54475] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[576:54475] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[471:95319] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[471:95319] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[471:95319] -A zone_lan_src_ACCEPT -i eth0.1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[6:240] -A zone_wan_dest_ACCEPT -o pppoe-NimaNet -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[784:69401] -A zone_wan_dest_ACCEPT -o pppoe-NimaNet -m comment --comment "!fw3" -j ACCEPT
[560:35840] -A zone_wan_dest_REJECT -o pppoe-NimaNet -m comment --comment "!fw3" -j reject
[560:35840] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[560:35840] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[3:152] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[3:152] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[214:15166] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[214:15166] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[3:152] -A zone_wan_src_REJECT -i pppoe-NimaNet -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Oct 30 06:48:40 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
30: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.8.1/24 brd 192.168.8.255 scope global eth0.1
       valid_lft forever preferred_lft forever
34: pppoe-NimaNet: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN qlen 3
    inet 10.40.1.15 peer 10.40.0.1/32 scope global pppoe-NimaNet
       valid_lft forever preferred_lft forever
default via 10.40.0.1 dev pppoe-NimaNet 
10.40.0.1 dev pppoe-NimaNet scope link  src 10.40.1.15 
192.168.8.0/24 dev eth0.1 scope link  src 192.168.8.1 
local 10.40.1.15 dev pppoe-NimaNet table local scope host  src 10.40.1.15 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.8.0 dev eth0.1 table local scope link  src 192.168.8.1 
local 192.168.8.1 dev eth0.1 table local scope host  src 192.168.8.1 
broadcast 192.168.8.255 dev eth0.1 table local scope link  src 192.168.8.1 
0:      from all lookup local 
32766:  from all lookup main 
32767:  from all lookup default 
lrwxrwxrwx    1 root     root            16 Sep  6 16:19 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Oct 30 06:41 /tmp/resolv.conf
-rw-r--r--    1 root     root            65 Oct 30 06:43 /tmp/resolv.conf.auto
-rw-r--r--    1 root     root            45 Oct 30 06:43 /tmp/resolv.conf.ppp
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface NimaNet
nameserver 213.194.110.17
nameserver 8.8.8.8

==> /tmp/resolv.conf.ppp <==
nameserver 213.194.110.17
nameserver 8.8.8.8
root@OpenWrt:~#

Remove that.

1 Like

and that too.

1 Like

Here both are removed. I am still having problems with connections to certain web sites. They either give a timeout error or a network changed error in the browser (even though there is no disconnection from the router or from the internet). The latest settings are as follows. I didn't even set up the router WiFi, to simplify things:

root@OpenWrt:~# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
{
        "kernel": "4.14.195",
        "hostname": "OpenWrt",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link Archer C7 v5",
        "board_name": "tplink,archer-c7-v5",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.4",
                "revision": "r11208-ce6496d796",
                "target": "ath79/generic",
                "description": "OpenWrt 19.07.4 r11208-ce6496d796"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7c:7085:89e3::/48'

config interface 'lan'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'ac:84:c6:8d:fe:40'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'NimaNet'
        option proto 'pppoe'
        option ifname 'eth0.2'
        option username '[snip]'
        option ipv6 'auto'
        option password '[snip]'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/ahb/18100000.wmac'
        option htmode 'HT20'
        option disabled '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'NimaNet'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.3 on Fri Oct 30 12:46:46 2020
*nat
:PREROUTING ACCEPT [209:15117]
:INPUT ACCEPT [7:430]
:OUTPUT ACCEPT [9:620]
:POSTROUTING ACCEPT [3:216]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[209:15117] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[90:6962] -A PREROUTING -i eth0.1 -m comment --comment "!fw3" -j zone_lan_prerouting
[119:8155] -A PREROUTING -i pppoe-NimaNet -m comment --comment "!fw3" -j zone_wan_prerouting
[95:7272] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o eth0.1 -m comment --comment "!fw3" -j zone_lan_postrouting
[92:7056] -A POSTROUTING -o pppoe-NimaNet -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[90:6962] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[92:7056] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[92:7056] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[119:8155] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Fri Oct 30 12:46:46 2020
# Generated by iptables-save v1.8.3 on Fri Oct 30 12:46:46 2020
*mangle
:PREROUTING ACCEPT [1626:295419]
:INPUT ACCEPT [440:75863]
:FORWARD ACCEPT [1186:219556]
:OUTPUT ACCEPT [399:88373]
:POSTROUTING ACCEPT [1464:300277]
[22:1144] -A FORWARD -o pppoe-NimaNet -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[22:1060] -A FORWARD -i pppoe-NimaNet -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Oct 30 12:46:46 2020
# Generated by iptables-save v1.8.3 on Fri Oct 30 12:46:46 2020
*filter
:INPUT ACCEPT [92:29638]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[24:1959] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[418:73984] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[249:23915] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2:104] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[73:19636] -A INPUT -i eth0.1 -m comment --comment "!fw3" -j zone_lan_input
[4:795] -A INPUT -i pppoe-NimaNet -m comment --comment "!fw3" -j zone_wan_input
[1186:219556] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[874:186395] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[197:25801] -A FORWARD -i eth0.1 -m comment --comment "!fw3" -j zone_lan_forward
[115:7360] -A FORWARD -i pppoe-NimaNet -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[24:1959] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[378:87298] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[372:86894] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o eth0.1 -m comment --comment "!fw3" -j zone_lan_output
[6:404] -A OUTPUT -o pppoe-NimaNet -m comment --comment "!fw3" -j zone_wan_output
[3:739] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[116:7416] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[2:104] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_lan_dest_ACCEPT -o eth0.1 -m comment --comment "!fw3" -j ACCEPT
[197:25801] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[197:25801] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[73:19636] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[73:19636] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[73:19636] -A zone_lan_src_ACCEPT -i eth0.1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[5:200] -A zone_wan_dest_ACCEPT -o pppoe-NimaNet -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[198:26005] -A zone_wan_dest_ACCEPT -o pppoe-NimaNet -m comment --comment "!fw3" -j ACCEPT
[115:7360] -A zone_wan_dest_REJECT -o pppoe-NimaNet -m comment --comment "!fw3" -j reject
[115:7360] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[115:7360] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[4:795] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[4:795] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[6:404] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[6:404] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[4:795] -A zone_wan_src_REJECT -i pppoe-NimaNet -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Oct 30 12:46:46 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
231: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.8.1/24 brd 192.168.8.255 scope global eth0.1
       valid_lft forever preferred_lft forever
233: pppoe-NimaNet: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN qlen 3
    inet 10.40.1.15 peer 10.40.0.1/32 scope global pppoe-NimaNet
       valid_lft forever preferred_lft forever
default via 10.40.0.1 dev pppoe-NimaNet 
10.40.0.1 dev pppoe-NimaNet scope link  src 10.40.1.15 
192.168.8.0/24 dev eth0.1 scope link  src 192.168.8.1 
local 10.40.1.15 dev pppoe-NimaNet table local scope host  src 10.40.1.15 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.8.0 dev eth0.1 table local scope link  src 192.168.8.1 
local 192.168.8.1 dev eth0.1 table local scope host  src 192.168.8.1 
broadcast 192.168.8.255 dev eth0.1 table local scope link  src 192.168.8.1 
0:      from all lookup local 
32766:  from all lookup main 
32767:  from all lookup default 
lrwxrwxrwx    1 root     root            16 Sep  6 16:19 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Oct 30 12:44 /tmp/resolv.conf
-rw-r--r--    1 root     root            65 Oct 30 12:45 /tmp/resolv.conf.auto
-rw-r--r--    1 root     root            45 Oct 30 12:45 /tmp/resolv.conf.ppp
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface NimaNet
nameserver 213.194.110.17
nameserver 8.8.8.8

==> /tmp/resolv.conf.ppp <==
nameserver 213.194.110.17
nameserver 8.8.8.8
root@OpenWrt:~#
uci set firewall.@zone[0].log='1'
uci set firewall.@zone[1].log='1'
uci commit firewall
fw3 restart

Do a dmesg -c, then try again to access a site that doesn't work and do a dmesg again. Post the second output.
Run logread -f, try to access a non-working site and post the output here.

2 Likes
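The dmesg/logread capture from those steps can be reduced to a per-flow summary; this is an added example, not code from the thread or from OpenWrt. It assumes the fw3 zone-log prefix format "REJECT wan in: " / "REJECT wan forward: " in front of the kernel's netfilter fields, and the sample lines are constructed, with only the interface names and local addresses taken from the dumps above.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt: summarise the
# netfilter log lines that fw3 zone logging (option log '1') writes to the
# kernel log, so the dmesg/logread capture can be read flow by flow.
# Assumed prefix format: "<TARGET> <zone> <in|forward|out>: " followed by the
# kernel's fields (IN= OUT= SRC= DST= PROTO= SPT= DPT= ...).

# Constructed sample in logread format. Interface names and local addresses
# come from the dumps above; the remote addresses are documentation ranges.
SAMPLE_LOG='Fri Oct 30 12:50:01 2020 kern.warn kernel: [ 1234.567890] REJECT wan in: IN=pppoe-NimaNet OUT= SRC=203.0.113.7 DST=10.40.1.15 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 RST URGP=0
Fri Oct 30 12:50:02 2020 kern.warn kernel: [ 1235.000001] REJECT wan in: IN=pppoe-NimaNet OUT= SRC=203.0.113.7 DST=10.40.1.15 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 RST URGP=0
Fri Oct 30 12:50:03 2020 kern.warn kernel: [ 1236.000002] REJECT wan forward: IN=pppoe-NimaNet OUT=eth0.1 SRC=198.51.100.9 DST=192.168.8.100 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=443 DPT=40022 WINDOW=29200 RES=0x00 ACK SYN URGP=0
Fri Oct 30 12:50:04 2020 daemon.info dnsmasq[1234]: query[A] duckduckgo.com from 192.168.8.100'

_lines() {
    # Emit the log text: the first argument if given, otherwise stdin.
    if [ "$#" -gt 0 ]; then printf '%s\n' "$1"; else cat; fi
}

# One "<target> <zone> <dir> <proto> <src> -> <dst>:<dport>" line per
# netfilter log entry; lines without a zone-log prefix are ignored.
fw_summary() {
    _lines "$@" | awk '
        /(ACCEPT|REJECT|DROP) [a-z0-9_]+ (in|forward|out): / {
            target = zone = dir = proto = src = dst = dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(ACCEPT|REJECT|DROP)$/ && $(i + 2) ~ /^(in|forward|out):$/) {
                    target = $i; zone = $(i + 1); dir = $(i + 2); sub(/:$/, "", dir)
                }
                n = split($i, kv, "=")
                if (n == 2) {
                    if (kv[1] == "PROTO") proto = kv[2]
                    else if (kv[1] == "SRC") src = kv[2]
                    else if (kv[1] == "DST") dst = kv[2]
                    else if (kv[1] == "DPT") dpt = kv[2]
                }
            }
            printf "%s %s %s %s %s -> %s:%s\n", target, zone, dir, proto, src, dst, dpt
        }'
}

# Count repeats of each (target, zone, direction, dst:port): a flow that is
# rejected over and over is the one to match against the failing site.
fw_count() {
    fw_summary "$@" | awk '{ key = $1 " " $2 " " $3 " " $NF; n[key]++ }
                            END { for (k in n) print n[k], k }' | sort -rn
}

# Stand-alone run on the constructed sample; on the router use: logread | fw_count
fw_count "$SAMPLE_LOG"
```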