Trouble configuring PPTP client

It is up to you to use it or not.
If you connect the wan port of OpenWrt to the lan of the ISP router and connect the hosts on the lan of OpenWrt, it will work more easily than what you have now.

Thank you for taking your time to explain.
If I turn off the DHCP server in my modem router, will it start working more like a modem only?
If that is the case, should I just follow the guides out there on how to set up an openwrt as a common router?

I can't mess with my ISP router right now because I am working at the same time.
I will be working on this issue at nights where I live and post my progress here :slight_smile:

If the modem+router supports bridge mode, you can make the openwrt router the primary router and then the vpn connection will “just work”. But if you cannot do this, the modem+router will still be a router, it just won’t automatically hand out addresses to your network if dhcp is disabled.

As it stands now, though, if you set the openwrt router as the gateway for your various devices, it will work while the vpn is running. However, when the vpn is not active, your devices will not be able to get to the internet.

In the first option, what do you mean by it will "just work"? Is this the ideal scenario?

Looking here:
https://forum.huawei.com/enterprise/en/how-to-use-hg8245q-as-a-bridge-for-a-second-router/thread/467425-100181

It looks like my modem router supports bridge mode.

The ideal situation is that the openwrt router is the primary (only) router for your network. If the modem is bridged, it will pass the address provided by the isp directly to the wan port on your openwrt router and your openwrt router will be the router/gateway for your network and will perform dhcp and often dns functions. Once this is the case, you don’t need to do anything special to the client devices to get them to pass traffic through the vpn - the router would handle that for the entire network, automatically.

I understood every step that has to be done. Thank you!
As much of the config has to be done through ssh, do you know if there is any manual out there?

For now I have found this thread:

It looks like it can help me get started.

Just had a look at my modem router and it looks like my ISP locked that function (bridge).
The other option is to set the openwrt router as the gateway for my devices. How can I achieve this?

Apologies for asking many questions. I do appreciate your help! :slight_smile:

You can do much of the stuff directly using LuCI (the web interface). There are only a few things you need to do via the command line (using ssh to login to the router).

The resources on the OpenWrt site (wiki, tutorials, etc.) are likely going to be the most accurate, up-to-date, and best-practice techniques, but there are other great tutorials out there (just be aware, though, that they aren't always the right way to do things, or there may be assumptions that are not stated and that don't apply to your network).

You might want to look at the quick start guide to get you going.

Are there specific things you need help with right now, or just looking for general info?

As I just found that my ISP blocked the bridge function in my modem+router (mentioned above), how can I set the openwrt router as the gateway for my devices?

You can connect the ISP router LAN port to the OpenWrt router's WAN port, and then connect all of your devices to the OpenWrt router (either by wire or wireless), and not to the ISP router. To do this, you will need to change your OpenWrt router's LAN address to a different subnet. Maybe 10.0.20.1 as an example (it can be any RFC1918 address as long as it is not in the 192.168.2.0/24 subnet that currently is in use by your ISP router). You'll need to remove the gateway and dns statements from the LAN, as well.

Thank you. I understood all the details you provided me.
What about the DHCP settings? Should I leave it on in my modem and keep it off in the OpenWrt router?

You can have DHCP turned on in both places. DHCP on the ISP modem/router will issue an IP to your OpenWrt router's WAN interface (you can turn it off if you like, but then you will have to set a static IP on the OpenWrt router). And since the LAN of the OpenWrt is a distinctly different network, DHCP on the LAN will issue your client devices (computers, phones/tablets, etc.) all the necessary IP configuration information.

Thank you for your patience.

Would this lan configuration be correct?

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '10.0.20.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

I was able to change the ip to 10.0.20.1 without setting a gateway and dns for the router, but now my devices connected to the router (lan) have no internet. How can I forward the internet to those devices?

Let's see how the configuration is now:

uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro ls tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*

I connected my modem/router to my openwrt router via wan. Now there is internet in all of my devices connected to my openwrt router.
My modem/router ip is: 192.168.2.1
My openwrt ip is: 192.168.1.1

Now my issue is that my router cannot connect to the vpn server like when my router was working as a switch. As for now I have not configured the firewall to work with the vpn. I was thinking of doing that config once I can connect to the vpn.

This is how my log looks:

Wed Apr 15 20:21:39 2020 daemon.notice netifd: Interface 'lollipop' is setting up now
Wed Apr 15 20:21:42 2020 daemon.info pppd[2517]: Plugin pptp.so loaded.
Wed Apr 15 20:21:42 2020 daemon.info pppd[2517]: PPTP plugin version 1.00
Wed Apr 15 20:21:42 2020 daemon.notice pppd[2517]: pppd 2.4.7 started by root, uid 0
Wed Apr 15 20:21:43 2020 kern.info kernel: [  237.815416] pptp-lollipop: renamed from ppp0
Wed Apr 15 20:21:43 2020 daemon.info pppd[2517]: Renamed interface ppp0 to pptp-lollipop
Wed Apr 15 20:21:43 2020 daemon.info pppd[2517]: Using interface pptp-lollipop
Wed Apr 15 20:21:43 2020 daemon.notice pppd[2517]: Connect: pptp-lollipop <--> pptp (vpn server address)
Wed Apr 15 20:21:49 2020 daemon.info pppd[2517]: Terminating on signal 15
Wed Apr 15 20:21:54 2020 daemon.notice netifd: Interface 'lollipop' is now down
Wed Apr 15 20:21:54 2020 daemon.notice netifd: Interface 'lollipop' is setting up now
Wed Apr 15 20:21:54 2020 daemon.info pppd[2674]: Plugin pptp.so loaded.
Wed Apr 15 20:21:54 2020 daemon.info pppd[2674]: PPTP plugin version 1.00
Wed Apr 15 20:21:54 2020 daemon.notice pppd[2674]: pppd 2.4.7 started by root, uid 0
Wed Apr 15 20:21:55 2020 kern.info kernel: [  249.845641] pptp-lollipop: renamed from ppp0
Wed Apr 15 20:21:55 2020 daemon.info pppd[2674]: Renamed interface ppp0 to pptp-lollipop
Wed Apr 15 20:21:55 2020 daemon.info pppd[2674]: Using interface pptp-lollipop
Wed Apr 15 20:21:55 2020 daemon.notice pppd[2674]: Connect: pptp-lollipop <--> pptp (vpn server address)
Wed Apr 15 20:22:25 2020 daemon.warn pppd[2674]: LCP: timeout sending Config-Requests
Wed Apr 15 20:22:25 2020 daemon.notice pppd[2674]: Connection terminated.
Wed Apr 15 20:22:25 2020 daemon.notice pppd[2674]: Modem hangup
Wed Apr 15 20:22:25 2020 daemon.info pppd[2674]: Exit.
Wed Apr 15 20:22:25 2020 daemon.notice netifd: Interface 'lollipop' is now down
Wed Apr 15 20:22:25 2020 daemon.notice netifd: Interface 'lollipop' is setting up now
Wed Apr 15 20:22:26 2020 daemon.info pppd[2857]: Plugin pptp.so loaded.
Wed Apr 15 20:22:26 2020 daemon.info pppd[2857]: PPTP plugin version 1.00
Wed Apr 15 20:22:26 2020 daemon.notice pppd[2857]: pppd 2.4.7 started by root, uid 0
Wed Apr 15 20:22:27 2020 kern.info kernel: [  281.565795] pptp-lollipop: renamed from ppp0
Wed Apr 15 20:22:27 2020 daemon.info pppd[2857]: Renamed interface ppp0 to pptp-lollipop
Wed Apr 15 20:22:27 2020 daemon.info pppd[2857]: Using interface pptp-lollipop
Wed Apr 15 20:22:27 2020 daemon.notice pppd[2857]: Connect: pptp-lollipop <--> pptp (lvpn server)
Wed Apr 15 20:22:57 2020 daemon.warn pppd[2857]: LCP: timeout sending Config-Requests
Wed Apr 15 20:22:57 2020 daemon.notice pppd[2857]: Connection terminated.
Wed Apr 15 20:22:57 2020 daemon.notice pppd[2857]: Modem hangup
Wed Apr 15 20:22:57 2020 daemon.info pppd[2857]: Exit.

The error displaying in the interface is:

Error: Unknown error (NEGOTIATION_FAILED)

Sorry here is the output:

  root@OpenWrt:~# uci export network; uci export wireless; \
  > uci export dhcp; uci export firewall; \
  > head -n -0 /etc/firewall.user; \
  > ip -4 addr ; ip -4 ro ls tab all ; ip -4 ru; \
  > ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
  package network

  config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

  config globals 'globals'
    option ula_prefix 'fd8a:921d:2cd2::/48'

  config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

  config device 'lan_eth0_1_dev'
    option name 'eth0.1'
    option macaddr '88:57:EE:29:64:38'

  config interface 'wan'
    option ifname 'eth0.2'
    option proto 'dhcp'

  config device 'wan_eth0_2_dev'
    option name 'eth0.2'
    option macaddr '88:57:EE:29:64:38'

  config interface 'wan6'
    option ifname 'eth0.2'
    option proto 'dhcpv6'

  config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

  config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 1 2 3 6t'

  config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '4 6t'

  config interface 'lollipop'
    option proto 'pptp'
    option username 'username'
    option ipv6 'auto'
    option password 'password'
    option server 'vpnserver'

  package wireless

  config wifi-device 'radio0'
    option type 'mac80211'
    option channel '11'
    option hwmode '11g'
    option path 'pci0000:00/0000:00:01.0/0000:02:00.0'
    option htmode 'HT20'

  config wifi-iface 'default_radio0'
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option key 'sanchezawada'
    option ssid 'Hogar1'
    option encryption 'psk2'

  config wifi-device 'radio1'
    option type 'mac80211'
    option channel '36'
    option hwmode '11a'
    option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
    option htmode 'VHT80'

  config wifi-iface 'default_radio1'
    option device 'radio1'
    option network 'lan'
    option mode 'ap'
    option key 'sanchezawada'
    option ssid 'Hogar2'
    option encryption 'psk2'

  package dhcp

  config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option filterwin2k '0'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.auto'
    option nonwildcard '1'
    option localservice '1'

  config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv6 'server'
    option ra 'server'

  config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

  config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'

  package firewall

  config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

  config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

  config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

  config forwarding
    option src 'lan'
    option dest 'wan'

  config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

  config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

  config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

  config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

  config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

  config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

  config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

  config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

  config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

  config include
    option path '/etc/firewall.user'

  # This file is interpreted as shell script.
  # Put your custom iptables rules here, they will
  # be executed with each firewall (re-)start.

  # Internal uci firewall chains are flushed and recreated on reload, so
  # put custom rules into the root chains e.g. INPUT or FORWARD or into the
  # special user chains, e.g. input_wan_rule or postrouting_lan_rule.
  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
      inet 127.0.0.1/8 scope host lo
        valid_lft forever preferred_lft forever
  8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
      inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
        valid_lft forever preferred_lft forever
  10: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
      inet 192.168.2.75/24 brd 192.168.2.255 scope global eth0.2
        valid_lft forever preferred_lft forever
  ip: invalid argument 'ls' to 'ip'
  0:	from all lookup local 
  32766:	from all lookup main 
  32767:	from all lookup default 
  lrwxrwxrwx    1 root     root            16 Feb 28 06:05 /etc/resolv.conf -> /tmp/resolv.conf
  -rw-r--r--    1 root     root            32 Apr 15 20:18 /tmp/resolv.conf
  -rw-r--r--    1 root     root           104 Apr 15 20:18 /tmp/resolv.conf.auto
  ==> /etc/resolv.conf <==
  search lan
  nameserver 127.0.0.1

  ==> /tmp/resolv.conf <==
  search lan
  nameserver 127.0.0.1

  ==> /tmp/resolv.conf.auto <==
  # Interface wan
  nameserver 192.168.2.1
  # Interface wan6
  nameserver 240d:1a:2e0:bf00:2e97:b1ff:fe71:b7ae

I installed the packages mentioned in the following link:

https://dev.archive.openwrt.org/ticket/19370

And now the error looks to be slightly different.

Wed Apr 15 20:58:28 2020 daemon.notice netifd: Interface 'lollipop' is setting up now
Wed Apr 15 20:58:28 2020 daemon.info pppd[2905]: Plugin pptp.so loaded.
Wed Apr 15 20:58:28 2020 daemon.info pppd[2905]: PPTP plugin version 1.00
Wed Apr 15 20:58:28 2020 daemon.notice pppd[2905]: pppd 2.4.7 started by root, uid 0
Wed Apr 15 20:58:30 2020 kern.info kernel: [   90.192066] pptp-lollipop: renamed from ppp0
Wed Apr 15 20:58:30 2020 daemon.info pppd[2905]: Renamed interface ppp0 to pptp-lollipop
Wed Apr 15 20:58:30 2020 daemon.info pppd[2905]: Using interface pptp-lollipop
Wed Apr 15 20:58:30 2020 daemon.notice pppd[2905]: Connect: pptp-lollipop <--> pptp (vpn server)
Wed Apr 15 20:58:44 2020 daemon.info pppd[2905]: Terminating on signal 15
Wed Apr 15 20:58:44 2020 daemon.warn pppd[2907]: read returned zero, peer has closed
Wed Apr 15 20:58:44 2020 daemon.warn pppd[2907]: read returned zero, peer has closed
Wed Apr 15 20:58:49 2020 daemon.notice netifd: Interface 'lollipop' is now down
Wed Apr 15 20:58:49 2020 daemon.notice netifd: Interface 'lollipop' is setting up now
Wed Apr 15 20:58:49 2020 daemon.info pppd[3097]: Plugin pptp.so loaded.
Wed Apr 15 20:58:49 2020 daemon.info pppd[3097]: PPTP plugin version 1.00
Wed Apr 15 20:58:49 2020 daemon.notice pppd[3097]: pppd 2.4.7 started by root, uid 0
Wed Apr 15 20:58:50 2020 kern.info kernel: [  110.717457] pptp-lollipop: renamed from ppp0
Wed Apr 15 20:58:50 2020 daemon.info pppd[3097]: Renamed interface ppp0 to pptp-lollipop
Wed Apr 15 20:58:50 2020 daemon.info pppd[3097]: Using interface pptp-lollipop
Wed Apr 15 20:58:50 2020 daemon.notice pppd[3097]: Connect: pptp-lollipop <--> pptp (vpn server)

Also, I added this line to my /etc/firewall.user:

iptables -t raw -A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp

which I found here: https://bugs.openwrt.org/index.php?do=details&task_id=1646
Still getting the same result.

Did you reinstall or change the version of the firmware?
pptp was working in the first post, so adding all these packages was not necessary.

No no, I just did a fresh install because it was easier to configure connecting my modem router to my openwrt router via lan.

Now, bottom line, I was able to connect to the vpn!
Thank you for helping.

I ran the following commands:

uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci rename firewall.@forwarding[0]="lan_wan"
uci commit firewall
/etc/init.d/firewall restart

After that I checked my log and it looks like this now:

Wed Apr 15 22:29:27 2020 daemon.notice pppd[4498]: Connect: pptp-lollipop <--> pptp (vpn server)
Wed Apr 15 22:29:28 2020 daemon.notice pppd[4498]: CHAP authentication succeeded
Wed Apr 15 22:29:28 2020 daemon.notice pppd[4498]: MPPE 128-bit stateless compression enabled
Wed Apr 15 22:29:28 2020 daemon.notice pppd[4498]: local  LL address fe80::0d69:af7d:2860:dfeb
Wed Apr 15 22:29:28 2020 daemon.notice pppd[4498]: remote LL address fe80::0000:0000:00f1:7ce1
Wed Apr 15 22:29:29 2020 daemon.notice netifd: Network device 'pptp-lollipop' link is up
Wed Apr 15 22:29:29 2020 daemon.notice netifd: Interface 'lollipop' is now up
Wed Apr 15 22:29:29 2020 daemon.notice netifd: Network alias 'pptp-lollipop' link is up
Wed Apr 15 22:29:29 2020 daemon.notice netifd: Interface 'lollipop_6' is enabled
Wed Apr 15 22:29:29 2020 daemon.notice netifd: Interface 'lollipop_6' has link connectivity
Wed Apr 15 22:29:29 2020 daemon.notice netifd: Interface 'lollipop_6' is setting up now
Wed Apr 15 22:29:29 2020 daemon.notice pppd[4498]: local  IP address 10.10.52.99
Wed Apr 15 22:29:29 2020 daemon.notice pppd[4498]: remote IP address 192.168.88.1
Wed Apr 15 22:29:29 2020 daemon.notice pppd[4498]: primary   DNS address 192.168.88.1
Wed Apr 15 22:29:29 2020 daemon.notice pppd[4498]: secondary DNS address 74.82.42.42
Wed Apr 15 22:29:29 2020 daemon.info dnsmasq[2537]: reading /tmp/resolv.conf.auto
Wed Apr 15 22:29:29 2020 daemon.info dnsmasq[2537]: using local addresses only for domain test
Wed Apr 15 22:29:29 2020 daemon.info dnsmasq[2537]: using local addresses only for domain onion
Wed Apr 15 22:29:29 2020 daemon.info dnsmasq[2537]: using local addresses only for domain localhost
Wed Apr 15 22:29:29 2020 daemon.info dnsmasq[2537]: using local addresses only for domain local
Wed Apr 15 22:29:29 2020 daemon.info dnsmasq[2537]: using local addresses only for domain invalid
Wed Apr 15 22:29:29 2020 daemon.info dnsmasq[2537]: using local addresses only for domain bind
Wed Apr 15 22:29:29 2020 daemon.info dnsmasq[2537]: using local addresses only for domain lan
Wed Apr 15 22:29:29 2020 daemon.info dnsmasq[2537]: using nameserver 192.168.88.1#53
Wed Apr 15 22:29:29 2020 daemon.info dnsmasq[2537]: using nameserver 74.82.42.42#53
Wed Apr 15 22:29:29 2020 daemon.info dnsmasq[2537]: using nameserver 192.168.2.1#53
Wed Apr 15 22:29:29 2020 daemon.info dnsmasq[2537]: using nameserver 240d:1a:2e0:bf00:2e97:b1ff:fe71:b7ae#53

After running

uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro ls tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*

this is the output

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd8a:921d:2cd2::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr '88:57:EE:29:64:38'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '88:57:EE:29:64:38'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface 'lollipop'
	option proto 'pptp'
	option username 'user'
	option ipv6 'auto'
	option password 'password'
	option server 'vpn server'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'pci0000:00/0000:00:01.0/0000:02:00.0'
	option htmode 'HT20'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option key 'sanchezawada'
	option ssid 'Hogar1'
	option encryption 'psk2'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option key 'sanchezawada'
	option ssid 'Hogar2'
	option encryption 'psk2'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun0'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option network 'lollipop_fw lollipop'
	option name 'lollipop_fw'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option output 'ACCEPT'

config forwarding
	option dest 'lollipop_fw'
	option src 'lan'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
iptables -t raw -A OUTPUT -p tcp \
-m comment --comment "!fw3: PPTP connection tracking" \
-m tcp --dport 1723 -j CT --helper pptp
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
12: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.75/24 brd 192.168.2.255 scope global eth0.2
       valid_lft forever preferred_lft forever
25: pptp-lollipop: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 3
    inet 10.10.52.99 peer 192.168.88.1/32 scope global pptp-lollipop
       valid_lft forever preferred_lft forever
ip: invalid argument 'ls' to 'ip'
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
lrwxrwxrwx    1 root     root            16 Feb 28 06:05 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Apr 15 22:22 /tmp/resolv.conf
-rw-r--r--    1 root     root           172 Apr 15 22:29 /tmp/resolv.conf.auto
-rw-r--r--    1 root     root            47 Apr 15 22:29 /tmp/resolv.conf.ppp
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface lollipop
nameserver 192.168.88.1
nameserver 74.82.42.42
# Interface wan
nameserver 192.168.2.1
# Interface wan6
nameserver 240d:1a:2e0:bf00:2e97:b1ff:fe71:b7ae

==> /tmp/resolv.conf.ppp <==

Trendy and psherman, thank you for helping me with the concepts. Without understanding that I wouldn't have been able to solve it! Thank you again for your patience.
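
As an added example (not code from the thread or from OpenWrt), a small Python audit that parses a `uci export` dump and checks the two things this setup tripped over: the OpenWrt LAN subnet overlapping the ISP router's 192.168.2.0/24, and firewall zones declared as anonymous sections, which the `uci rename` step above fixed before the PPTP zone and forwarding would work. The sample export, the `vpn.example.invalid` server and the interface names are constructed for the demo.

```python
"""Audit an OpenWrt `uci export` dump for the problems seen in this thread.

Added example, not code from the thread or from OpenWrt. Assumes the plain
`uci export` text format: package / config / option / list lines.
"""
import ipaddress
import re

# Constructed sample in the shape of `uci export network; uci export firewall`.
SAMPLE_EXPORT = """\
package network

config interface 'lan'
\toption proto 'static'
\toption ipaddr '192.168.2.1'
\toption netmask '255.255.255.0'

config interface 'lollipop'
\toption proto 'pptp'
\toption server 'vpn.example.invalid'

package firewall

config zone
\toption name 'lan'
\tlist network 'lan'

config zone 'wan'
\toption name 'wan'
\tlist network 'wan'
\toption masq '1'

config zone
\toption name 'lollipop_fw'
\toption network 'lollipop_fw lollipop'
\toption masq '1'

config forwarding
\toption src 'lan'
\toption dest 'lollipop_fw'
"""

# package network | config zone 'wan' | option masq '1' | list network 'lan'
_LINE = re.compile(r"^\s*(package|config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")


def parse_uci(text):
    """Return {package: [section, ...]}; a section is {'type', 'name', 'options'}.
    'name' is None for anonymous sections; repeated `list` keys become lists."""
    packages, package, section = {}, None, None
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m:  # blank lines, comments, or lines with broken quoting
            continue
        kind, key, value = m.groups()
        if kind == "package":
            package = packages.setdefault(key, [])
        elif kind == "config":
            if package is None:  # dump without a 'package' header
                package = packages.setdefault("", [])
            section = {"type": key, "name": value, "options": {}}
            package.append(section)
        elif kind == "option":
            section["options"][key] = value
        else:
            section["options"].setdefault(key, []).append(value)
    return packages


def sections(packages, pkg, stype):
    return [s for s in packages.get(pkg, []) if s["type"] == stype]


def lan_overlaps_upstream(packages, upstream_cidr):
    """True when the OpenWrt LAN subnet collides with the ISP router's subnet."""
    for s in sections(packages, "network", "interface"):
        o = s["options"]
        if s["name"] == "lan" and "ipaddr" in o:
            lan = ipaddress.ip_interface(f"{o['ipaddr']}/{o.get('netmask', '255.255.255.0')}")
            return lan.network.overlaps(ipaddress.ip_network(upstream_cidr, strict=False))
    return False


def anonymous_zones(packages):
    """Zone names declared without a UCI section name (firewall.@zone[N] only)."""
    return [s["options"].get("name") for s in sections(packages, "firewall", "zone")
            if s["name"] is None]


def vpn_zone_report(packages, iface):
    """Does `iface` sit in a zone with masq=1 that lan is forwarded into?"""
    fwd = sections(packages, "firewall", "forwarding")
    for z in sections(packages, "firewall", "zone"):
        nets = z["options"].get("network", [])
        nets = nets.split() if isinstance(nets, str) else nets  # option or list form
        if iface in nets:
            zname = z["options"].get("name")
            return {"zone": zname, "masq": z["options"].get("masq") == "1",
                    "lan_forward": any(f["options"].get("src") == "lan"
                                       and f["options"].get("dest") == zname for f in fwd)}
    return {"zone": None, "masq": False, "lan_forward": False}


if __name__ == "__main__":
    cfg = parse_uci(SAMPLE_EXPORT)
    print("LAN overlaps ISP subnet:", lan_overlaps_upstream(cfg, "192.168.2.0/24"))
    print("anonymous zones:", anonymous_zones(cfg))
    print("VPN zone:", vpn_zone_report(cfg, "lollipop"))
```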