Static route on main router not working

I have a strange problem, not sure if it has always been there or not.

This is my setup:

  • Archer C7 - main OpenWRT router connected to internet (LAN 192.168.1.0/24)
  • Archer C7 - secondary OpenWRT router without any DHCP, acting as a wireless AP only (same LAN 192.168.1.0/24 with IP 192.168.1.2)
  • my PC is connected to the secondary C7 via ethernet (with IP 192.168.1.100)
  • I have configured a second LAN in the secondary C7 and added its static route to the main router (LAN 192.168.50.0/24 routed through 192.168.1.2)

From my PC I cannot connect into the second LAN; however if I manually add the route to the PC (ip route add 192.168.50.0/24 via 192.168.1.2), it works. When I try connecting to the second LAN from either router it also works.

Any ideas?

Let’s see your config. First with the main router

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'
	option igmp_snooping '1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.1'
	list dns '1.1.1.1'
	list dns '8.8.8.8'

config interface 'wan'
	option proto 'pppoe'
	option ipv6 'auto'
	option device 'eth0.6'
	option username 'internet'
	option password 'ppp'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '6t 4 3 2 1'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '6'
	option ports '0t 5t'

config device
	option name 'eth0.6'
	option type '8021q'
	option ifname 'eth0'
	option vid '6'

# Static route on the main router: 192.168.50.0/24 is reached via 192.168.1.2,
# which is on the same 'lan' interface that LAN clients use to reach this router.
# NOTE(review): a LAN client whose default gateway is 192.168.1.1 sends traffic
# for 192.168.50.0/24 here first, and this router has to forward it back out of
# 'lan'; replies from 192.168.1.2 can reach the client directly without passing
# through this router. Confirm with a packet capture on br-lan.
config route
	option interface 'lan'
	option target '192.168.50.0/24'
	option gateway '192.168.1.2'
	option metric '100'

config interface 'guest1'
	option proto 'static'
	option device 'wlan1'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'
	list dns '8.8.8.8'
	list dns '1.1.1.1'

dhcp:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option force '1'
	list dhcp_option '6,1.1.1.1,8.8.8.8'
	option limit '100'
	option leasetime '24h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest1'
	option interface 'guest1'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# 'lan' zone on the main router: traffic to and from the router itself is
# accepted; forwarded traffic entering through this zone is rejected unless a
# forwarding section or rule allows it (only lan -> wan is allowed below).
# NOTE(review): traffic routed lan -> lan (PC -> 192.168.1.2 for
# 192.168.50.0/24) falls under this forward policy. Verify whether it is being
# rejected here before changing anything about invalid-packet handling.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'lan'
	option forward 'REJECT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest1'
	option name 'guest1'

config forwarding
	option dest 'wan'
	option src 'guest1'

# Input rule for the guest zone (no 'dest', so it applies to traffic addressed
# to the router itself). No dest_port is set, so it accepts every UDP packet
# from guest1 to the router, not only DHCP.
# NOTE(review): presumably dest_port '67' was intended; confirm and narrow it.
config rule
	option name 'Guest-DHCP'
	list proto 'udp'
	option src 'guest1'
	option target 'ACCEPT'

# Input rule letting guest clients query the router's DNS on port 53.
# No 'proto' is given; the firewall default for rules is TCP and UDP.
config rule
	option name 'Guest-DNS'
	option dest_port '53'
	option target 'ACCEPT'
	option src 'guest1'

# Drops all forwarded traffic from the guest zone into the 'lan' zone, for
# every protocol, keeping guest clients away from LAN hosts.
config rule
	option name 'Guest-Block'
	list proto 'all'
	option src 'guest1'
	option dest 'lan'
	option target 'DROP'

Remove the metric.

Same, no change.

Let's see the other router's configs.

network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.2'
	option gateway '192.168.1.1'
	list dns '1.1.1.1'
	list dns '8.8.8.8'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'

config device
	option type 'bridge'
	option name 'br-lan2'
	list ports 'eth0.2'

config interface 'LAN2'
	option proto 'static'
	option device 'br-lan2'
	option ipaddr '192.168.50.1'
	option netmask '255.255.255.0'

dhcp:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'LAN2'
	option interface 'LAN2'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config include
	option path '/etc/firewall.user'

config zone
	option name 'LAN2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'LAN2'

config zone
	option name 'LAN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# Allows forwarding from the 'LAN' zone (192.168.1.0/24 side) into 'LAN2'.
# There is no LAN2 -> LAN forwarding section; the only LAN2-originated
# forwarding permitted is the rule below.
config forwarding
	option src 'LAN'
	option dest 'LAN2'

# Accepts forwarded traffic from LAN2 to any zone, for all protocols, as long
# as the destination is NOT in 192.168.1.0/24. LAN2 hosts can therefore reach
# upstream networks but cannot open connections to hosts on the main LAN.
config rule
	option name 'LAN2_fwd_internet'
	option src 'LAN2'
	option dest '*'
	list dest_ip '!192.168.1.0/24'
	option target 'ACCEPT'
	list proto 'all'

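Routing asymmetry causes invalid packets due to the stateful firewall: the main router forwards the PC's packets towards 192.168.1.2 but never sees the replies, which go from 192.168.1.2 straight to the PC on the shared LAN, so its connection tracking only ever sees one direction of each connection.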

If you check the network configuration that I posted you will see that it is not the case.

If that were true then adding the route on my PC wouldn't work.

Is this new situation unique or could you say it has manifested since either the previously mentioned thread or since you changed IP range on this Interface?

Because not knowing affects the trustworthiness of the wiki page you authored.

It's the other way around. By adding the route you bypass the main router and there is no routing asymmetry.

I remember it was working correctly; but I could be wrong. That wiki page is under my own user's home page and I just authored it yesterday as agreed with @WereCatf in the other thread; by walking back my steps I noticed that the static route was not working and opened this new thread. This thread is about fixing the problem, afterwards I can fix the wiki page if needed. But so far we do not know whether the wiki page steps are incorrect or not. I think I provided enough information to troubleshoot the issue, let's go with analysis instead of trust, shall we?

Ok, so perhaps this static route never worked; what is the solution to do routing in this setup? Nobody mentioned it so far.

I don't think the secondary router can do anything about this because it is acting as a switch for the PC and the main router.

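You can either set up a dedicated uplink, or loosen up the firewall so that it does not drop invalid packets. The second option weakens connection-state filtering on the main router, so the dedicated uplink (or a separate VLAN) is the tighter fix.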


You are correct Viktor, it was less than amicable of me to post disparagingly about your sincere contribution to our community. I am embarrassed and hope that I can work toward a sincere rapport for future projects.


From a similar case solved some time ago.

No problem, I think we both have good intentions; right now I consider it a draft, I would like to make that page much better before moving it to a non-personal section of the wiki. And surely if it contains incorrect steps it has to be amended/retracted. Unfortunately I hit this snag and due to my ignorance on routing I could not properly figure it out / fix it.

Thanks for the help so far!


I will check this thread, thanks; off the top of my head I could either:

  • use DHCP to push the extra route to clients
  • reconfigure this using separate VLANs (since both routers are OpenWRT)