Strange behaviour with OpenWrt device

cosmarchy · August 16, 2022, 8:31pm

Hi,

I've finally got around to trying to get the VPN setup on my OpenWRT device and I've noticed some very strange behavior a while after it is plugged in.

The problem is that the internet is being blocked somehow. I have three mobile phones which suddenly cannot connect to the internet even though they are connected to the main router wifi (not the OpenWRT wifi!!). They show as connected, but the internet is not working and just times out when you try to access a webpage.

It is an old BT hub, flashed with OpenWRT. I have reset the device back to defaults so far as I can tell...

I have it connected to the LAN side of my current router with a cable and I have yet to set any port forwarding to the OpenWRT device, so as far as I can tell, it is 'isolated' from the internet.

With it int he default settings, my thinking is that this should just be present on the network and not interfere with the current network???

Can anyone offer any ideas as to what could be causing this?

Many thanks

frollic · August 16, 2022, 8:35pm

So I guess it doesn't work, after all?

psherman · August 16, 2022, 9:28pm

Not without details...

For example, is this OpenWrt device directly connected to the internet, or is there a router (or a combo modem+router device) upstream of the OpenWrt router?

Was it working prior to you setting up your VPN?

What is the VPN protocol? What is the purpose of the VPN (i.e. connect as a client to a commercial VPN service, road-warrior, site-to-site, etc.)?

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

cosmarchy · August 18, 2022, 7:47pm

Not really no. As described in the OP, the device is reset to factory defaults. I haven't even started looking at configuring the VPN yet!!

Yes there is a router downstream. The OpenWRT device is connected on the LAN side of the router.

Yes, as I haven't got around to trying to setup the VPN yet... The OpenWRT device has been reset to factory defaults and other than setting an IP address, nothing else has been done.

Results from cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd8e:fd0e:dc0f::/48'

config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option annex 'a'
        option tone 'av'
        option ds_snr_offset '0'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.30'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr '40:f2:01:03:9a:26'

config interface 'wan'
        option ifname 'dsl0'
        option proto 'pppoe'
        option username 'username'
        option password 'password'
        option ipv6 '1'

config device 'wan_dsl0_dev'
        option name 'dsl0'
        option macaddr '40:f2:01:03:9a:27'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'

Results from cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:01/0000:01:00.0/0000:02:00.0'
        option htmode 'VHT80'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'ChrisPBacon'
        option key 'chrispbacon'
        option encryption 'psk2'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:0e.0'
        option htmode 'HT20'

Results from cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

Results from cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

mk24 · August 18, 2022, 10:48pm

With a LAN-LAN connection your router is a dumb AP. You have to disable the DHCP server so it doesn't conflict with the DHCP server in the main router. If you're not using the DSL modem you can delete everything related to DSL and WAN, or you can leave it in it won't hurt anything.

Also set country code on the radios.

psherman · August 18, 2022, 11:50pm

Everything @mk24 said is correct. If you intend to use this as a VPN endpoint, it would be useful to understand what context this uses (i.e. client for a commercial VPN provider, server for your own 'road warrior' type VPN, or a site-to-site). There are nuances on how this works in your configuration depending on the mode.

cosmarchy · August 21, 2022, 9:14am

I have disabled DHCP as per the help files:

but there is no mention of disabling Dynamic DHCP

Is this automatically disabled or ignored since the options in the other two tabs disable DHCP or does this Dynamic DHCP also need to be disabled?

The main use of this is just for me to be able to access my home network NAS and use a secure internet connection via my home router.

jdwl1o1 · August 21, 2022, 10:19am

To disable DHCP on an interface you need to select the 'Ignore Interface' option in General setup (your first screenshot).