Trouble configuring PPTP client

As I just found that my ISP blocked the bridge function in my modem+router (mentioned above),
how can I set the OpenWrt router as the gateway for my devices?

You can connect the ISP router LAN port to the OpenWrt router's WAN port, and then connect all of your devices to the OpenWrt router (either by wire or wireless), and not to the ISP router. To do this, you will need to change your OpenWrt router's LAN address to a different subnet, 10.0.20.1 for example (it can be any RFC1918 address as long as it is not in the 192.168.2.0/24 subnet that is currently in use by your ISP router). You'll need to remove the gateway and DNS statements from the LAN, as well.

Thank you. I understood all the details you provided me.
What about the DHCP settings? Should I leave it on in my modem and keep it off in the OpenWrt router?

You can have DHCP turned on in both places. DHCP on the ISP modem/router will issue an IP to your OpenWrt router's WAN interface (you can turn it off if you like, but then you will have to set a static IP on the OpenWrt router). And since the LAN of the OpenWrt is a distinctly different network, DHCP on the LAN will issue your client devices (computers, phones/tablets, etc.) all the necessary IP configuration information.

Thank you for your patience.

Would this LAN configuration be correct?

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '10.0.20.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

I was able to change the IP to 10.0.20.1 without setting a gateway and DNS for the router, but now my devices connected to the router have no internet. How can I forward the internet to those devices (LAN)?

Let's see how the configuration looks now:

uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro ls tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*

I connected my modem/router to my OpenWrt router via WAN. Now there is internet on all of my devices connected to my OpenWrt router.
My modem/router IP is: 192.168.2.1
My OpenWrt IP is: 192.168.1.1

Now my issue is that my router cannot connect to the VPN server like it did when my router was working as a switch. As of now I have not configured the firewall to work with the VPN. I was thinking of doing that config once I can connect to the VPN.

This is how my log looks:

Wed Apr 15 20:21:39 2020 daemon.notice netifd: Interface 'lollipop' is setting up now
Wed Apr 15 20:21:42 2020 daemon.info pppd[2517]: Plugin pptp.so loaded.
Wed Apr 15 20:21:42 2020 daemon.info pppd[2517]: PPTP plugin version 1.00
Wed Apr 15 20:21:42 2020 daemon.notice pppd[2517]: pppd 2.4.7 started by root, uid 0
Wed Apr 15 20:21:43 2020 kern.info kernel: [  237.815416] pptp-lollipop: renamed from ppp0
Wed Apr 15 20:21:43 2020 daemon.info pppd[2517]: Renamed interface ppp0 to pptp-lollipop
Wed Apr 15 20:21:43 2020 daemon.info pppd[2517]: Using interface pptp-lollipop
Wed Apr 15 20:21:43 2020 daemon.notice pppd[2517]: Connect: pptp-lollipop <--> pptp (vpn server address)
Wed Apr 15 20:21:49 2020 daemon.info pppd[2517]: Terminating on signal 15
Wed Apr 15 20:21:54 2020 daemon.notice netifd: Interface 'lollipop' is now down
Wed Apr 15 20:21:54 2020 daemon.notice netifd: Interface 'lollipop' is setting up now
Wed Apr 15 20:21:54 2020 daemon.info pppd[2674]: Plugin pptp.so loaded.
Wed Apr 15 20:21:54 2020 daemon.info pppd[2674]: PPTP plugin version 1.00
Wed Apr 15 20:21:54 2020 daemon.notice pppd[2674]: pppd 2.4.7 started by root, uid 0
Wed Apr 15 20:21:55 2020 kern.info kernel: [  249.845641] pptp-lollipop: renamed from ppp0
Wed Apr 15 20:21:55 2020 daemon.info pppd[2674]: Renamed interface ppp0 to pptp-lollipop
Wed Apr 15 20:21:55 2020 daemon.info pppd[2674]: Using interface pptp-lollipop
Wed Apr 15 20:21:55 2020 daemon.notice pppd[2674]: Connect: pptp-lollipop <--> pptp (vpn server address)
Wed Apr 15 20:22:25 2020 daemon.warn pppd[2674]: LCP: timeout sending Config-Requests
Wed Apr 15 20:22:25 2020 daemon.notice pppd[2674]: Connection terminated.
Wed Apr 15 20:22:25 2020 daemon.notice pppd[2674]: Modem hangup
Wed Apr 15 20:22:25 2020 daemon.info pppd[2674]: Exit.
Wed Apr 15 20:22:25 2020 daemon.notice netifd: Interface 'lollipop' is now down
Wed Apr 15 20:22:25 2020 daemon.notice netifd: Interface 'lollipop' is setting up now
Wed Apr 15 20:22:26 2020 daemon.info pppd[2857]: Plugin pptp.so loaded.
Wed Apr 15 20:22:26 2020 daemon.info pppd[2857]: PPTP plugin version 1.00
Wed Apr 15 20:22:26 2020 daemon.notice pppd[2857]: pppd 2.4.7 started by root, uid 0
Wed Apr 15 20:22:27 2020 kern.info kernel: [  281.565795] pptp-lollipop: renamed from ppp0
Wed Apr 15 20:22:27 2020 daemon.info pppd[2857]: Renamed interface ppp0 to pptp-lollipop
Wed Apr 15 20:22:27 2020 daemon.info pppd[2857]: Using interface pptp-lollipop
Wed Apr 15 20:22:27 2020 daemon.notice pppd[2857]: Connect: pptp-lollipop <--> pptp (lvpn server)
Wed Apr 15 20:22:57 2020 daemon.warn pppd[2857]: LCP: timeout sending Config-Requests
Wed Apr 15 20:22:57 2020 daemon.notice pppd[2857]: Connection terminated.
Wed Apr 15 20:22:57 2020 daemon.notice pppd[2857]: Modem hangup
Wed Apr 15 20:22:57 2020 daemon.info pppd[2857]: Exit.

The error displayed in the interface is:

Error: Unknown error (NEGOTIATION_FAILED)

Sorry here is the output:

  root@OpenWrt:~# uci export network; uci export wireless; \
  > uci export dhcp; uci export firewall; \
  > head -n -0 /etc/firewall.user; \
  > ip -4 addr ; ip -4 ro ls tab all ; ip -4 ru; \
  > ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
  package network

  config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

  config globals 'globals'
    option ula_prefix 'fd8a:921d:2cd2::/48'

  config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

  config device 'lan_eth0_1_dev'
    option name 'eth0.1'
    option macaddr '88:57:EE:29:64:38'

  config interface 'wan'
    option ifname 'eth0.2'
    option proto 'dhcp'

  config device 'wan_eth0_2_dev'
    option name 'eth0.2'
    option macaddr '88:57:EE:29:64:38'

  config interface 'wan6'
    option ifname 'eth0.2'
    option proto 'dhcpv6'

  config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

  config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 1 2 3 6t'

  config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '4 6t'

  config interface 'lollipop'
    option proto 'pptp'
    option username 'username'
    option ipv6 'auto'
    option password 'password'
    option server 'vpnserver'

  package wireless

  config wifi-device 'radio0'
    option type 'mac80211'
    option channel '11'
    option hwmode '11g'
    option path 'pci0000:00/0000:00:01.0/0000:02:00.0'
    option htmode 'HT20'

  config wifi-iface 'default_radio0'
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option key 'sanchezawada'
    option ssid 'Hogar1'
    option encryption 'psk2'

  config wifi-device 'radio1'
    option type 'mac80211'
    option channel '36'
    option hwmode '11a'
    option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
    option htmode 'VHT80'

  config wifi-iface 'default_radio1'
    option device 'radio1'
    option network 'lan'
    option mode 'ap'
    option key 'sanchezawada'
    option ssid 'Hogar2'
    option encryption 'psk2'

  package dhcp

  config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option filterwin2k '0'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.auto'
    option nonwildcard '1'
    option localservice '1'

  config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv6 'server'
    option ra 'server'

  config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

  config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'

  package firewall

  config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

  config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

  config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

  config forwarding
    option src 'lan'
    option dest 'wan'

  config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

  config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

  config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

  config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

  config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

  config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

  config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

  config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

  config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

  config include
    option path '/etc/firewall.user'

  # This file is interpreted as shell script.
  # Put your custom iptables rules here, they will
  # be executed with each firewall (re-)start.

  # Internal uci firewall chains are flushed and recreated on reload, so
  # put custom rules into the root chains e.g. INPUT or FORWARD or into the
  # special user chains, e.g. input_wan_rule or postrouting_lan_rule.
  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
      inet 127.0.0.1/8 scope host lo
        valid_lft forever preferred_lft forever
  8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
      inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
        valid_lft forever preferred_lft forever
  10: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
      inet 192.168.2.75/24 brd 192.168.2.255 scope global eth0.2
        valid_lft forever preferred_lft forever
  ip: invalid argument 'ls' to 'ip'
  0:	from all lookup local 
  32766:	from all lookup main 
  32767:	from all lookup default 
  lrwxrwxrwx    1 root     root            16 Feb 28 06:05 /etc/resolv.conf -> /tmp/resolv.conf
  -rw-r--r--    1 root     root            32 Apr 15 20:18 /tmp/resolv.conf
  -rw-r--r--    1 root     root           104 Apr 15 20:18 /tmp/resolv.conf.auto
  ==> /etc/resolv.conf <==
  search lan
  nameserver 127.0.0.1

  ==> /tmp/resolv.conf <==
  search lan
  nameserver 127.0.0.1

  ==> /tmp/resolv.conf.auto <==
  # Interface wan
  nameserver 192.168.2.1
  # Interface wan6
  nameserver 240d:1a:2e0:bf00:2e97:b1ff:fe71:b7ae

I installed the packages mentioned in the following link:

https://dev.archive.openwrt.org/ticket/19370

And now the error looks to be slightly different.

Wed Apr 15 20:58:28 2020 daemon.notice netifd: Interface 'lollipop' is setting up now
Wed Apr 15 20:58:28 2020 daemon.info pppd[2905]: Plugin pptp.so loaded.
Wed Apr 15 20:58:28 2020 daemon.info pppd[2905]: PPTP plugin version 1.00
Wed Apr 15 20:58:28 2020 daemon.notice pppd[2905]: pppd 2.4.7 started by root, uid 0
Wed Apr 15 20:58:30 2020 kern.info kernel: [   90.192066] pptp-lollipop: renamed from ppp0
Wed Apr 15 20:58:30 2020 daemon.info pppd[2905]: Renamed interface ppp0 to pptp-lollipop
Wed Apr 15 20:58:30 2020 daemon.info pppd[2905]: Using interface pptp-lollipop
Wed Apr 15 20:58:30 2020 daemon.notice pppd[2905]: Connect: pptp-lollipop <--> pptp (vpn server)
Wed Apr 15 20:58:44 2020 daemon.info pppd[2905]: Terminating on signal 15
Wed Apr 15 20:58:44 2020 daemon.warn pppd[2907]: read returned zero, peer has closed
Wed Apr 15 20:58:44 2020 daemon.warn pppd[2907]: read returned zero, peer has closed
Wed Apr 15 20:58:49 2020 daemon.notice netifd: Interface 'lollipop' is now down
Wed Apr 15 20:58:49 2020 daemon.notice netifd: Interface 'lollipop' is setting up now
Wed Apr 15 20:58:49 2020 daemon.info pppd[3097]: Plugin pptp.so loaded.
Wed Apr 15 20:58:49 2020 daemon.info pppd[3097]: PPTP plugin version 1.00
Wed Apr 15 20:58:49 2020 daemon.notice pppd[3097]: pppd 2.4.7 started by root, uid 0
Wed Apr 15 20:58:50 2020 kern.info kernel: [  110.717457] pptp-lollipop: renamed from ppp0
Wed Apr 15 20:58:50 2020 daemon.info pppd[3097]: Renamed interface ppp0 to pptp-lollipop
Wed Apr 15 20:58:50 2020 daemon.info pppd[3097]: Using interface pptp-lollipop
Wed Apr 15 20:58:50 2020 daemon.notice pppd[3097]: Connect: pptp-lollipop <--> pptp (vpn server)

Also, I added the following line to my /etc/firewall.user:

iptables -t raw -A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp

which I found here: https://bugs.openwrt.org/index.php?do=details&task_id=1646
Still getting the same result.

Did you reinstall or change the version of the firmware?
pptp was working in the first post, so adding all these packages was not necessary.

No no, I just did a fresh install because it was easier to configure connecting my modem/router to my OpenWrt router via LAN.

Now, bottom line: I was able to connect to the VPN!
Thank you for helping.

I ran the following commands:

uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci rename firewall.@forwarding[0]="lan_wan"
uci commit firewall
/etc/init.d/firewall restart

After that I checked my log, and it looks like this now:

Wed Apr 15 22:29:27 2020 daemon.notice pppd[4498]: Connect: pptp-lollipop <--> pptp (vpn server)
Wed Apr 15 22:29:28 2020 daemon.notice pppd[4498]: CHAP authentication succeeded
Wed Apr 15 22:29:28 2020 daemon.notice pppd[4498]: MPPE 128-bit stateless compression enabled
Wed Apr 15 22:29:28 2020 daemon.notice pppd[4498]: local  LL address fe80::0d69:af7d:2860:dfeb
Wed Apr 15 22:29:28 2020 daemon.notice pppd[4498]: remote LL address fe80::0000:0000:00f1:7ce1
Wed Apr 15 22:29:29 2020 daemon.notice netifd: Network device 'pptp-lollipop' link is up
Wed Apr 15 22:29:29 2020 daemon.notice netifd: Interface 'lollipop' is now up
Wed Apr 15 22:29:29 2020 daemon.notice netifd: Network alias 'pptp-lollipop' link is up
Wed Apr 15 22:29:29 2020 daemon.notice netifd: Interface 'lollipop_6' is enabled
Wed Apr 15 22:29:29 2020 daemon.notice netifd: Interface 'lollipop_6' has link connectivity
Wed Apr 15 22:29:29 2020 daemon.notice netifd: Interface 'lollipop_6' is setting up now
Wed Apr 15 22:29:29 2020 daemon.notice pppd[4498]: local  IP address 10.10.52.99
Wed Apr 15 22:29:29 2020 daemon.notice pppd[4498]: remote IP address 192.168.88.1
Wed Apr 15 22:29:29 2020 daemon.notice pppd[4498]: primary   DNS address 192.168.88.1
Wed Apr 15 22:29:29 2020 daemon.notice pppd[4498]: secondary DNS address 74.82.42.42
Wed Apr 15 22:29:29 2020 daemon.info dnsmasq[2537]: reading /tmp/resolv.conf.auto
Wed Apr 15 22:29:29 2020 daemon.info dnsmasq[2537]: using local addresses only for domain test
Wed Apr 15 22:29:29 2020 daemon.info dnsmasq[2537]: using local addresses only for domain onion
Wed Apr 15 22:29:29 2020 daemon.info dnsmasq[2537]: using local addresses only for domain localhost
Wed Apr 15 22:29:29 2020 daemon.info dnsmasq[2537]: using local addresses only for domain local
Wed Apr 15 22:29:29 2020 daemon.info dnsmasq[2537]: using local addresses only for domain invalid
Wed Apr 15 22:29:29 2020 daemon.info dnsmasq[2537]: using local addresses only for domain bind
Wed Apr 15 22:29:29 2020 daemon.info dnsmasq[2537]: using local addresses only for domain lan
Wed Apr 15 22:29:29 2020 daemon.info dnsmasq[2537]: using nameserver 192.168.88.1#53
Wed Apr 15 22:29:29 2020 daemon.info dnsmasq[2537]: using nameserver 74.82.42.42#53
Wed Apr 15 22:29:29 2020 daemon.info dnsmasq[2537]: using nameserver 192.168.2.1#53
Wed Apr 15 22:29:29 2020 daemon.info dnsmasq[2537]: using nameserver 240d:1a:2e0:bf00:2e97:b1ff:fe71:b7ae#53

After running

uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro ls tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*

This is the output:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd8a:921d:2cd2::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr '88:57:EE:29:64:38'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '88:57:EE:29:64:38'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface 'lollipop'
	option proto 'pptp'
	option username 'user'
	option ipv6 'auto'
	option password 'password'
	option server 'vpn server'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'pci0000:00/0000:00:01.0/0000:02:00.0'
	option htmode 'HT20'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option key 'sanchezawada'
	option ssid 'Hogar1'
	option encryption 'psk2'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option key 'sanchezawada'
	option ssid 'Hogar2'
	option encryption 'psk2'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun0'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option network 'lollipop_fw lollipop'
	option name 'lollipop_fw'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option output 'ACCEPT'

config forwarding
	option dest 'lollipop_fw'
	option src 'lan'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
iptables -t raw -A OUTPUT -p tcp \
-m comment --comment "!fw3: PPTP connection tracking" \
-m tcp --dport 1723 -j CT --helper pptp
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
12: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.75/24 brd 192.168.2.255 scope global eth0.2
       valid_lft forever preferred_lft forever
25: pptp-lollipop: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 3
    inet 10.10.52.99 peer 192.168.88.1/32 scope global pptp-lollipop
       valid_lft forever preferred_lft forever
ip: invalid argument 'ls' to 'ip'
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
lrwxrwxrwx    1 root     root            16 Feb 28 06:05 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Apr 15 22:22 /tmp/resolv.conf
-rw-r--r--    1 root     root           172 Apr 15 22:29 /tmp/resolv.conf.auto
-rw-r--r--    1 root     root            47 Apr 15 22:29 /tmp/resolv.conf.ppp
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface lollipop
nameserver 192.168.88.1
nameserver 74.82.42.42
# Interface wan
nameserver 192.168.2.1
# Interface wan6
nameserver 240d:1a:2e0:bf00:2e97:b1ff:fe71:b7ae

==> /tmp/resolv.conf.ppp <==

Trendy and psherman, thank you for helping me with the concepts. Without understanding that I wouldn't have been able to solve it! Thank you again for your patience.
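The firewall-zone work in the last two posts (the `uci rename` of the anonymous zones, and the new `lollipop_fw` zone with masq plus a lan forwarding) is the kind of thing worth checking mechanically before trusting a VPN on a router. The script below is an added example, not code from this thread or from OpenWrt: it parses the plain `config` / `option` / `list` text that `uci export network; uci export firewall` prints and reports interfaces that belong to no zone (fw3 then applies the `defaults` policies to them), a VPN zone without masq or without a lan forwarding, anonymous zone sections, PPTP in use (MS-CHAPv2 and MPPE are broken), and a wan interface that still accepts ISP nameservers, which is why the log above shows dnsmasq using 192.168.2.1 alongside the VPN resolvers. The two embedded configs are constructed, trimmed reconstructions of the posted "before" and "after" configs with credentials removed; `vpn.example.net` is a placeholder.

```python
"""Audit an OpenWrt `uci export` dump for VPN firewall-zone problems.

Added example for this thread, not code from the posts or from OpenWrt.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\s*config\s+(\S+)(?:\s+'([^']*)')?\s*$")
KV_RE = re.compile(r"^\s*(option|list)\s+(\S+)\s+'([^']*)'\s*$")
VPN_PROTOS = {"pptp", "l2tp", "openvpn", "wireguard"}


def parse_uci(text):
    """Return sections as dicts: package, type, name (None if anonymous), options."""
    sections, package, cur = [], None, None
    for line in text.splitlines():
        if line.strip().startswith("package "):
            package = line.split(None, 1)[1].strip()
            continue
        m = SECTION_RE.match(line)
        if m:
            cur = {"package": package, "type": m.group(1), "name": m.group(2),
                   "options": defaultdict(list)}
            sections.append(cur)
            continue
        m = KV_RE.match(line)
        if m and cur is not None:
            # `list` may repeat, and fw3 also accepts a space-separated
            # `option network 'a b'`; normalise both to a Python list.
            cur["options"][m.group(2)].extend(m.group(3).split())
    return sections


def audit(text):
    """Return human-readable findings; an empty list means nothing to report."""
    secs = parse_uci(text)
    fw = [s for s in secs if s["package"] == "firewall"]
    ifaces = {s["name"]: s for s in secs if s["package"] == "network"
              and s["type"] == "interface" and s["name"] != "loopback"}
    defaults = next((s for s in fw if s["type"] == "defaults"), None)
    default_fwd = (defaults["options"]["forward"] or ["?"])[0] if defaults else "?"
    findings, zone_of = [], {}

    for z in (s for s in fw if s["type"] == "zone"):
        zname = (z["options"]["name"] or [z["name"] or "?"])[0]
        if z["name"] is None:  # only addressable positionally as @zone[N]
            findings.append(f"zone '{zname}' is an anonymous section; "
                            f"`uci rename firewall.@zone[N]={zname}` makes it addressable")
        for net in z["options"]["network"]:
            zone_of[net] = (zname, z)

    fwd_pairs = {((f["options"]["src"] or [None])[0], (f["options"]["dest"] or [None])[0])
                 for f in fw if f["type"] == "forwarding"}

    for name, iface in ifaces.items():
        proto = (iface["options"]["proto"] or ["?"])[0]
        if proto == "pptp":
            findings.append(f"interface '{name}' uses PPTP (MS-CHAPv2 + MPPE/RC4), "
                            "which is cryptographically broken; prefer WireGuard or OpenVPN")
        if name not in zone_of:
            # fw3 applies the `defaults` policies to interfaces outside every zone.
            findings.append(f"interface '{name}' ({proto}) is in no zone: its traffic "
                            f"falls through to the defaults (forward={default_fwd})")
            continue
        zname, z = zone_of[name]
        if proto in VPN_PROTOS:
            if z["options"]["masq"] != ["1"]:
                findings.append(f"zone '{zname}' for VPN interface '{name}' has no masq; "
                                "LAN clients will not be NATed into the tunnel")
            if ("lan", zname) not in fwd_pairs:
                findings.append(f"no forwarding from 'lan' to '{zname}'")

    wan = ifaces.get("wan")
    has_vpn = any((i["options"]["proto"] or [""])[0] in VPN_PROTOS for i in ifaces.values())
    if has_vpn and wan is not None and wan["options"]["peerdns"] != ["0"]:
        findings.append("wan still accepts ISP nameservers (no `option peerdns '0'`): "
                        "dnsmasq will use ISP and VPN resolvers side by side, so lookups "
                        "can bypass the tunnel")
    return findings


# Constructed sample: the first posted config, trimmed (anonymous zones,
# PPTP interface in no zone). vpn.example.net is a placeholder.
BEFORE = """\
package network

config interface 'lan'
    option proto 'static'

config interface 'wan'
    option proto 'dhcp'

config interface 'lollipop'
    option proto 'pptp'
    option server 'vpn.example.net'

package firewall

config defaults
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'

config zone
    option name 'wan'
    list network 'wan'
    option masq '1'

config forwarding
    option src 'lan'
    option dest 'wan'
"""

# Constructed sample: the final posted config, trimmed (zones renamed, a
# masquerading VPN zone and a lan -> lollipop_fw forwarding added).
AFTER = (BEFORE
         .replace("config zone\n    option name 'lan'", "config zone 'lan'\n    option name 'lan'")
         .replace("config zone\n    option name 'wan'", "config zone 'wan'\n    option name 'wan'")
         + """
config zone
    option network 'lollipop_fw lollipop'
    option name 'lollipop_fw'
    option masq '1'

config forwarding
    option src 'lan'
    option dest 'lollipop_fw'
""")

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label} ==")
        for finding in audit(cfg):
            print(" -", finding)
```

On a live router, feed it the real dump with `uci export network; uci export firewall > /tmp/uci.txt` and pass the file contents to `audit()`. The "after" config still produces findings: the `lollipop_fw` zone is itself an anonymous section, PPTP is still the tunnel protocol, and the ISP resolver is still in play until `peerdns` is disabled on wan (or a fixed `option dns` is set on the VPN interface).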
