Virtualbox Openwrt works fine but clients connecting to vm-router have no internet

I followed the guide here dozens of times:

https://openwrt.org/docs/guide-user/virtualization/virtualbox-vm

my /etc/config/network

config interface 'loopback'                    
        option ifname 'lo'                     
        option proto 'static'                  
        option ipaddr '127.0.0.1'              
        option netmask '255.0.0.0'             
                                               
config globals 'globals'                       
        option ula_prefix 'fde2:3e1c:b155::/48'
                                      
config interface 'mng'                
        option type 'bridge'          
        option proto 'static'         
        option ipaddr '192.168.56.2'  
        option netmask '255.255.255.0'
        option ip6assign '60'         
        option ifname 'eth0'          
                                      
config interface 'wan'                
        option ifname 'eth1'          
        option proto 'dhcp'           
                                      
config interface 'lan'                
        option proto 'dhcp'           
        option ifname 'eth2'    

the last interface on eth2 is optional according to the guide and made no difference.

the "router" is working fine, it has internet connectivity and can ping the real router in my office (192.168.1.1)

the host machine hosting the VM can ssh into the VM and has a ping to the VM and to the real router

all is fine until I change my iOS device to manual and provide it with a static IP and the router VM as the gateway and DNS address

however the iOS device which connected to the WIFI network (my real router) configured to use the VM gateway has no internet connection...

I tried to setup routes like

route add 10.0.3.0 gateway 192.168.1.1 eth0

but still no internet

what am I doing wrong?

BTW, my ifconfig in openwrt:

root@OpenWrt:~# ifconfig
br-mng    Link encap:Ethernet  HWaddr 08:00:27:04:B8:B1  
          inet addr:192.168.56.2  Bcast:192.168.56.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe04:b8ba/64 Scope:Link
          inet6 addr: fde2:3e1c:b155::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:290 errors:0 dropped:0 overruns:0 frame:0
          TX packets:161 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:21576 (21.0 KiB)  TX bytes:19298 (18.8 KiB)

eth0      Link encap:Ethernet  HWaddr 08:00:27:04:B8:B2  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3191 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2375 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:387765 (378.6 KiB)  TX bytes:897675 (876.6 KiB)

eth1      Link encap:Ethernet  HWaddr 08:00:27:ED:A0:31  
          inet addr:10.0.3.15  Bcast:10.0.3.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:feed:a032/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:75708 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2879 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:15326164 (14.6 MiB)  TX bytes:215731 (210.6 KiB)

eth2      Link encap:Ethernet  HWaddr 08:00:27:04:B8:B2
          inet addr:192.168.1.53  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe04:b8b1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9214 errors:0 dropped:0 overruns:0 frame:0
          TX packets:75821 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1137386 (1.0 MiB)  TX bytes:15337676 (14.6 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:536 errors:0 dropped:0 overruns:0 frame:0
          TX packets:536 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:38199 (37.3 KiB)  TX bytes:38199 (37.3 KiB)

route add -net, ... check all your routes.... nat etc.

Check all links one at a time... direct... the way you are testing your client, while not impossible... is not the 'directest' approach... nor have you provided a definitive / exhaustive breakdown of what is happening with it...

I checked, tried many approaches

I understand my specific setup is kind of weird, but if I want a WIFI device (my phone) to connect to the network I need it to go through a real WIFI router (192.168.1.1 WIFI) but be setup with manual settings:

static ip: 192.168.1.10
mask: 255.255.255.0
gateway: 192.168.1.53
dns: 192.168.1.53

my VM-router routes table:

root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.0.3.2        0.0.0.0         UG    0      0        0 eth1
10.0.3.0        *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     192.168.1.1     255.255.255.0   UG    0      0        0 eth2
192.168.56.0    *               255.255.255.0   U     0      0        0 br-mng

Not sure if my routes table is missing something, not an expert.

Using iOS libTerm app I can ping 192.168.1.53 while connected to the real router WIFI and setup with the 192.168.1.53 gateway, I cannot however ping 192.168.56.2

any other information I can provide?

uci show firewall

p.s. the router 192.168.1.x should ideally not be dhcp... (imho)

the 192.168.1.1 is the main router, it is the one connected to the external internet and the only device seeing all clients, why shouldn't it be the DHCP server? who else?

firewall:

root@OpenWrt:~# uci show firewall
firewall.@rule[0]=rule
firewall.@rule[0].src='lan'
firewall.@rule[0].proto='tcp'
firewall.@rule[0].dest_port='ssh'
firewall.@rule[0].target='ACCEPT'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[1]=rule
firewall.@rule[1].dest='lan'
firewall.@rule[1].proto='all'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].src='wan'
firewall.@rule[2]=rule
firewall.@rule[2].dest='wan'
firewall.@rule[2].proto='all'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[2].src='lan'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCP-Renew'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='68'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[3].family='ipv4'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-Ping'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].icmp_type='echo-request'
firewall.@rule[4].family='ipv4'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-IGMP'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='igmp'
firewall.@rule[5].family='ipv4'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-DHCPv6'
firewall.@rule[6].src='wan'
firewall.@rule[6].proto='udp'
firewall.@rule[6].src_ip='fc00::/6'
firewall.@rule[6].dest_ip='fc00::/6'
firewall.@rule[6].dest_port='546'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-MLD'
firewall.@rule[7].src='wan'
firewall.@rule[7].proto='icmp'
firewall.@rule[7].src_ip='fe80::/10'
firewall.@rule[7].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[7].family='ipv6'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ICMPv6-Input'
firewall.@rule[8].src='wan'
firewall.@rule[8].proto='icmp'
firewall.@rule[8].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[8].limit='1000/sec'
firewall.@rule[8].family='ipv6'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-ICMPv6-Forward'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest='*'
firewall.@rule[9].proto='icmp'
firewall.@rule[9].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[9].limit='1000/sec'
firewall.@rule[9].family='ipv6'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[10]=rule
firewall.@rule[10].name='Allow-IPSec-ESP'
firewall.@rule[10].src='wan'
firewall.@rule[10].dest='lan'
firewall.@rule[10].proto='esp'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[11]=rule
firewall.@rule[11].name='Allow-ISAKMP'
firewall.@rule[11].src='wan'
firewall.@rule[11].dest='lan'
firewall.@rule[11].dest_port='500'
firewall.@rule[11].proto='udp'
firewall.@rule[11].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='surf_vpn'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].network=' '
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[1].src='wan'
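
Added example, not part of the thread: a small shell/awk audit that reads a `uci show firewall` dump like the one above and lists the wan-zone settings that decide whether forwarded client traffic is masqueraded and whether wan can reach lan. The function names `audit_fw` and `sample_dump` and the default zone name `wan` are assumptions; the sample input is an excerpt of the dump posted above.

```shell
#!/bin/sh
# Added example: audit `uci show firewall` output (stdin) for the wan-zone
# settings that decide whether forwarded client traffic is NATed or exposed.
# audit_fw, sample_dump and the default zone name "wan" are assumptions.
audit_fw() {
    awk -F= -v q="'" -v wan="${1:-wan}" '
    {
        key = $1
        if (split(key, p, "[.]") != 3) next    # skip headers like firewall.@zone[0]=zone
        val = substr($0, length(key) + 2)      # everything after the first "="
        gsub(q, "", val)                       # drop the single quotes uci prints
        sec = p[2]; opt[sec, p[3]] = val
        if      (sec ~ /^@zone/)       zones[sec] = 1
        else if (sec ~ /^@forwarding/) fwds[sec]  = 1
        else if (sec ~ /^@rule/)       rules[sec] = 1
    }
    END {
        for (z in zones) {
            if (opt[z, "name"] != wan) continue
            if (opt[z, "masq"] != "1")          print "zone " wan ": masq not enabled"
            if (opt[z, "input"] == "ACCEPT")    print "zone " wan ": input=ACCEPT"
            if (opt[z, "forward"] == "ACCEPT")  print "zone " wan ": forward=ACCEPT"
        }
        for (f in fwds)
            if (opt[f, "src"] == wan)
                print "forwarding " wan " -> " opt[f, "dest"]
        for (r in rules)
            if (opt[r, "src"] == wan && opt[r, "dest"] != "" &&
                opt[r, "proto"] == "all" && opt[r, "target"] == "ACCEPT")
                print "rule " wan " -> " opt[r, "dest"] ": proto=all ACCEPT"
    }' | sort
}

sample_dump() {   # excerpt of the dump posted above
    cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[1]=rule
firewall.@rule[1].dest='lan'
firewall.@rule[1].proto='all'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].src='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[1].src='wan'
EOF
}

sample_dump | audit_fw
```

OpenWrt's stock firewall config ships the wan zone with input and forward set to REJECT and masq '1', so every line this prints is a departure from that baseline. On the router itself the same check is `uci show firewall | audit_fw`.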

this is what I mean... you have a reservation?

you mean setting it up as a static address, no reservations.
any suggestions to which? currently my real router assigns the 192.168.1.53 to this network adapter which is accessible to my iphone, can ping, but when used as gateway.. no internet...

so you are doing something like this then? same subnet 'pre-gateway'?

where are your firewall rules between the 1.x and 56.x network? and why does 56 exist in the first place if you're assigning dhcp to the iphone and router... only thing that makes sense is similar to diagram above... ( where all vmnics are bridged and isolation is purely logical )

  • where do wan and 56.x go?
  • are all vmnics bridged?
    (diagram needed)

some general advice...

  • simplify your topology a little...
  • use a wired client test from both sides of the vm

EDIT: or perhaps draw a diagram similar to the one above for your intended setup... so we can better understand how to assist.

Have a read / look at some of the topologies and examples virtualbox advanced it might help to refer to or grasp what you are currently doing...

good questions, maybe I am not understanding these right. I followed the setup in the guide thinking these are required because of the virtualization

here is an illustration of the setup

changed my /etc/config/network to reflect static IP for eth2 as you suggested and added a bunch of routing rules that didn't help

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'

config interface 'lan'
	option proto 'static'
	option ifname 'eth2'
	option ipaddr '192.168.1.53'
	option netmask '255.255.255.0'
	option ip6assign '60'

config route
	option target '192.168.56.0'
	option gateway '192.168.1.1'
	option netmask '255.255.255.0'
	option interface 'mng'

config route
	option target '192.168.1.0'
	option gateway '192.168.1.1'
	option netmask '255.255.255.0'
	option interface 'lan'

config route
	option target '192.168.1.0'
	option gateway '192.168.1.1'
	option netmask '255.255.255.0'
	option interface 'lan'

config route
	option target '10.0.3.0'
	option gateway '192.168.1.1'
	option netmask '255.255.255.0'
	option interface 'lan'

config route
	option target '10.0.3.0'
	option gateway '192.168.56.0'
	option netmask '255.255.255.0'
	option interface 'lan'

(remove the routes for a bit - cp /etc/config/network /config-network-w-routes )

  • step 1 > have you configured the gateway on vm:eth2>192.168.1.1 [ no ]
  • step 2 > you are sending dns to the vm... as it now has a static ip... it also needs a dns entry under eth2
	option gateway '192.168.1.1'
	option dns '192.168.1.1'
/etc/init.d/network restart
/etc/init.d/dnsmasq restart

Now this should work... the trouble is... you had this already when you had it setup as dhcp... so...

  • Step 3 > To simplify the firewall side of things... you might want to assign eth2 as your 'lan' interface... ( edit: I see that you've already taken care of this - do the restarts anyway )
uci -q set network.lan.ifname='eth2'
uci commit network
/etc/init.d/network restart
/etc/init.d/firewall restart

and you should be good to go... :railway_track:

( for reference... next time... use eth0 as your primary bridged lan interface )

did that, still the iphone has no internet connection

/etc/network/config

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fde2:3e1c:b155::/48'

config interface 'mng'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.56.2'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ifname 'eth0'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'

config interface 'lan'
	option proto 'static'
	option ifname 'eth2'
	option ipaddr '192.168.1.53'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option dns '192.168.1.1'
	option ip6assign '60'

/etc/config/firewall

config rule
	option src 'lan'
	option proto 'tcp'
	option dest_port 'ssh'
	option target 'ACCEPT'

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option mtu_fix '1'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option dest 'lan'
	list proto 'all'
	option target 'ACCEPT'
	option src 'wan'

config rule
	option dest 'wan'
	list proto 'all'
	option target 'ACCEPT'
	option src 'lan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'surf_vpn'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option output 'ACCEPT'
	option network ' '

config forwarding
	option dest 'lan'
	option src 'wan'

iOS device:

Connected to WIFI (192.168.1.1 router)
IPV4 Address->Manual

IP: 192.168.1.10
Subnet: 255.255.255.0
Router 192.168.1.53

DNS: 192.168.1.53

VM, adapter #1

VM, adapter #2

VM adapter #3

exactly (I think) as described in the openwrt/virtualbox guide

go into the virtual box settings... untick connected for the two nics that are currently unused... ( virtually disconnect their cables )

can you ping between them now?
does opkg update work on the vm now?
is your macbook running a firewall?

I unchecked Cable connected for Adapter 1, Adapter 2, leaving only Adapter 3, meaning only the bridged adapter is connected

I can ping 192.168.56.2
I can ping 192.168.1.1

opkg update fails, no internet (I am guessing that Adapter 1 took care of that courtesy of the virtualbox network)

macbook internal firewall is off

sophos home anti virus, I disabled as much as I could of it

BTW, I can probably upload the virtualbox VM for you to see for yourself if you like

this is what i reckon...

  • start with a brand new VM -> 1NIC only ( eth0=lan=bridged)
  • simply set the static ip + dns + gw

simple! :cowboy_hat_face:

any other issues are at the MAC/Sophos :japanese_ogre:/APClientIsolation level... and I vaguely remember a post/s about that... it's early morning here... so i'll do some research on that over the next day... and you can report back how you went...

EDIT:

  • bridged ( emulation-nic: "PCnet-FAST III" ) seems to be one mac workaround

I appreciate that! thank you!
and sorry, the forum wouldn't allow me to post for 9-hours as new user..

I made a brand new VM, started with a fresh image of openWRT and create one NIC as you described

ifconfig

br-lan    Link encap:Ethernet  HWaddr 08:00:27:1A:47:3E  
          inet addr:192.168.1.53  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe1a:473e/64 Scope:Link
          inet6 addr: fd2c:fe7f:c7e6::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1897 errors:0 dropped:0 overruns:0 frame:0
          TX packets:795 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:191583 (187.0 KiB)  TX bytes:96843 (94.5 KiB)

eth0      Link encap:Ethernet  HWaddr 08:00:27:1A:47:3E  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2128 errors:0 dropped:0 overruns:0 frame:0
          TX packets:805 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:240321 (234.6 KiB)  TX bytes:99141 (96.8 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:124 errors:0 dropped:0 overruns:0 frame:0
          TX packets:124 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:8822 (8.6 KiB)  TX bytes:8822 (8.6 KiB)

network setup

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd2c:fe7f:c7e6::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '192.168.1.53'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option dns '192.168.1.1'
	option ip6assign '60'

route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 br-lan
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan

I tried another openwrt VM on another host, wired, as the client, assigned it with 192.168.1.4 and tried to use the 192.168.1.53 VM as the gateway, got no internet..

I tried the PCnet-FAST III and Fast II network both resulted in openWRT detecting an Intel one anyway and no adapter actually mounted on openWRT once booted, no IP assigned

*** I also uploaded the virtualbox VM online as a zip file and created a bit.ly link for it

https://bit.ly/2XOY3ev

so you can see for yourself

was 'opkg update' working tho?

( one other thing that is often suggested is to re-install/upgrade virtualbox )... i'm not so sure that applies in your case... but at this point we do need to know what version you are running?

i'm thinking sophos is (was during install), the issue here... ( unless your main wireless router is non-typical and doing something fancy... )
