[SOLVED] Vlan3 for guest subnet - cannot opkg update wget error 8

Guys,

In my previous home setup my main router served one main network and one guest/kid network
(links to what i have been doing at the bottom...)

I have a spare tplink 1043 which i initially wanted to use to experiment with mesh (mesh attempts - archer c7 + 1043v1), but in the end i decided that my issues were related to the limited hardware capabilities of the 1043, so i found a cheap second-hand archer c7; it will arrive in February and i will use that for my mesh network

so i decided to move the guest wifi to the tplink 1043 (this is meant to be my attempt at making life easier for the main router...)

now my setup looks like the following

it is overall working, but I cannot run opkg update from the tplink 1043
one of the errors:

* opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.0-rc2/packages/mips_24kc/telephony/Packages.gz, wget returned 8

i saw in the forums that this might be related to a wrong network setting; i tried to play around with the network config but i cannot find a solution.
I specifically tried to change option gateway and option dns on the archer c7 network config

I also added forwarding rules in the firewall config; i know they are redundant and the firewall config needs some love... but this is what i have at the moment... see also my point below.

as mentioned, i additionally have a doubt regarding firewalls
-Do i need a firewall on the tplink 1043? Or is the firewall on the main archer c7 going to be enough?
I read about double NAT and similar things; my idea was to reduce the load on the archer, and i would hate it if what i did actually caused more damage than it helped

Is there anyone that could point me in the right direction?

some links to my guest network:
https://forum.openwrt.org/t/solved-dnsmasq-addnhosts-ignored-no-local-hostnames/26191
https://forum.openwrt.org/t/solved-guest-network-how-to-communicate-between-clients/34611

thanks a lot

M

network config - main router:

# Stock loopback interface; nothing guest-specific here.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# ULA prefix from which 'ip6assign' on the lan interface below hands out /60s.
config globals 'globals'
	option ula_prefix 'fd68:0f6d:e8d1::/48'

# Main (trusted) network: bridge of switch VLAN 1 (eth1.1) and the batman-adv
# mesh bridge member bat0.1. STP is on because the mesh adds a second path
# into the same bridge.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1 bat0.1'
	option proto 'static'
	option stp '1'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
        option igmp_snooping '1'

# Upstream side: static address on the ISP modem's subnet (192.168.1.0/24).
# The default route and the router's own resolver both point at the modem.
# NOTE(review): the guest router's fix further down the thread was to use this
# same resolver (192.168.1.254) directly instead of this router's dnsmasq, so
# name resolution for the guest subnet no longer passes through this device.
config interface 'wan'
	option ifname 'eth0.2'
	option proto 'static'
        option ipaddr '192.168.1.64'
        option netmask '255.255.255.0'
        option gateway '192.168.1.254'
        option dns '192.168.1.254'

# IPv6 on the same upstream port via DHCPv6.
config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

# Switch layout. Port numbers are the switch's internal numbering; the
# mapping to the case labels is taken from the author's comment below (port 2
# = LAN1), not from anything else on this page.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1 (lan): port 2 removed from the original '2 3 4 5 0t' so that it can
# carry the guest VLAN instead. 0t = CPU port, tagged.
config switch_vlan
	option device 'switch0'
	option vlan '1'
#	option ports '2 3 4 5 0t'
        option ports '3 4 5 0t'

# VLAN 2 (wan): port 1 plus CPU port 6 tagged.
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'

### separate the LAN1 port out of the LAN network
### so to have guest network on LAN1
# VLAN 3 (guest): port 2 untagged, CPU port 0 tagged -> appears as eth1.3.
# Only this one physical port carries the guest subnet; the guest router is
# expected to be cabled to it.
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '2 0t'

### add guest network
# Guest subnet 192.168.3.0/24 on switch VLAN 3. This router is the gateway
# for that subnet (192.168.3.1), so 'gateway'/'dns' are correctly left out:
# a downstream static interface must not carry its own default route, that
# comes from 'wan' above. The commented-out attempts below were part of the
# opkg troubleshooting in the thread and should stay disabled.
# NOTE(review): no dhcp stanza for 'guest' is shown on this page; the guest
# router at 192.168.3.2 is addressed statically (see its lan interface).
config interface 'guest'
	option ifname 'eth1.3'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
#        option gateway '192.168.2.1'
#       option gateway '192.168.3.1'
#        option dns '192.168.2.1'
#       option dns '192.168.3.1'


# batman-adv mesh interface left over from the mesh experiments mentioned at
# the top of the thread. bat0.1 is bridged into 'lan' above, so anything that
# joins this mesh lands on the trusted network, not on the guest one.
# gw_mode is off: this node does not advertise itself as a mesh gateway.
config interface 'bat0'
        option proto 'batadv'
        option routing_algo 'BATMAN_IV'
        option aggregated_ogms 1
        option ap_isolation 0
        option bonding 0
        option fragmentation 1
        #option gw_bandwidth '10000/2000'
        option gw_mode 'off'
        #option gw_sel_class 20
        option log_level 0
        option orig_interval 1000
        option bridge_loop_avoidance 1
        option distributed_arp_table 1
        option multicast_mode 1
        option network_coding 0
        option hop_penalty 30
        option isolation_mark '0x00000000/0x00000000'

# Mesh radio interface attached to bat0 (hard interface). MTU raised to 2304
# to leave room for the batman-adv header.
config interface 'nwi_mesh0'
        option mtu '2304'
        option proto 'batadv_hardif'
        option master 'bat0'

firewall config on the main router:

# Global policy. These defaults apply to traffic on interfaces that belong to
# no zone; every interface on this router (lan, wan, wan6, guest) is covered
# by a zone below, so the per-zone policies are what actually take effect.
config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1
# to add flow offloading (must be ath79 for archer)
        option flow_offloading  1

# Trusted zone: full access to the router and free forwarding.
config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

# Upstream zone: nothing reaches the router or is forwarded unless a rule
# below allows it. masq=1 NATs everything leaving towards the ISP modem
# (which NATs again towards the internet - the "double NAT" from the thread).
config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

# lan may initiate connections to wan; replies are matched by connection
# tracking, so no wan->lan forwarding is needed for that.
config forwarding
	option src		lan
	option dest		wan

# --- Stock OpenWrt wan-input rules. The same set is repeated verbatim in the
# --- guest router's firewall config further down this page.

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4



# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option src_ip		fc00::/6
	option dest_ip		fc00::/6
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# IPsec pass-through to lan (stock rule; only relevant if a lan host
# terminates IPsec).
config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

# include a file with users custom iptables rules
# (contents of /etc/firewall.user are not shown on this page)
config include
	option path /etc/firewall.user

# add new zone section covering the 'guest' interface, allow internet, DNS and DHCP to guests:
# plus ssh
# https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan

  # NOTE(review): input 'ACCEPT' lets guest clients reach every service this
  # router runs (ssh, LuCI, dnsmasq, ...), not just DNS/DHCP/ssh as the header
  # says. It also makes the explicit DNS and DHCP rules further down no-ops.
  # If the intent is "internet + DNS + DHCP + ssh only", this should be
  # input 'REJECT' with an extra rule for tcp/22 from src 'guest'.
  config zone
    option name 'guest'
    option network 'guest'
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'

  # Allow Guest -> Internet
  config forwarding
    option src 'guest'
    option dest 'wan'

  # NOTE(review): this wan -> guest forwarding is not needed for guest
  # internet access (replies are handled by connection tracking, as for lan)
  # and there is deliberately no such rule for lan. It allows anything that
  # arrives on wan with a 192.168.3.x destination to be forwarded into the
  # guest subnet; the author already calls these rules redundant, this is the
  # one to drop first.
  config forwarding
    option src 'wan'
    option dest 'guest'


  # Allow DNS Guest -> Router
  # Client DNS queries originate from dynamic UDP ports (>1023)
  # (Only takes effect once the guest zone's input policy is REJECT.)
  config rule
    option name 'Allow DNS Queries'
    option src 'guest'
    option dest_port '53'
    option proto 'tcp udp'
    option target 'ACCEPT'

  # Allow DHCP Guest -> Router
  # DHCP communication uses UDP ports 67-68
  config rule
    option name 'Allow DHCP request'
    option src 'guest'
    option src_port '67-68'
    option dest_port '67-68'
    option proto 'udp'
    option target 'ACCEPT'

  # NOTE(review): family 'ipv6' restricts this to ICMPv6. With the zone's
  # input policy changed to REJECT, IPv4 ping from guests to 192.168.3.1
  # would then be blocked; drop the family option if both should be allowed.
  config rule
    option name 'Allow guest ICMP input'
    option src 'guest'
    option proto 'icmp'
    option target 'ACCEPT'
    option family 'ipv6'


# NOTE(review): these two forwardings remove the separation the guest zone
# exists for. 'guest' -> 'lan' lets any guest client open connections to
# 192.168.2.0/24 hosts; 'lan' -> 'guest' lets lan reach guests (which may be
# wanted). Connection tracking already allows replies in both directions, so
# for isolation only the lan -> guest one, if any, should stay. If guests need
# a specific lan service, a narrow 'config rule' with src 'guest', dest 'lan',
# dest_ip and dest_port is the safer form than a zone-wide forwarding.
config forwarding
    option  src         'lan'
    option  dest        'guest'


config forwarding
    option  src         'guest'
    option  dest        'lan'


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option dest		wan
#	option proto	tcp
#	option target	REJECT

# block a specific mac on wan
#config rule
#	option dest		wan
#	option src_mac	00:11:22:33:44:66
#	option target	REJECT

# block incoming ICMP traffic on a zone
#config rule
#	option src		lan
#	option proto	ICMP
#	option target	DROP

# port redirect port coming in on wan to lan
#config redirect
#	option src			wan
#	option src_dport	80
#	option dest			lan
#	option dest_ip		192.168.16.235
#	option dest_port	80
#	option proto		tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#	option src		wan
#	option src_dport	22001
#	option dest		lan
#	option dest_port	22
#	option proto		tcp

### FULL CONFIG SECTIONS
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port	80
#	option dest		wan
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp
#	option target	REJECT

#config redirect
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port		1024
#	option src_dport	80
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp 

network config on guest router:

# Stock loopback interface.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# Separate ULA prefix for this router (different from the main router's).
config globals 'globals'
        option ula_prefix 'fd5b:d314:61ad::/48'

# This router's lan sits *in* the main router's guest subnet: static
# 192.168.3.2 with the default route via 192.168.3.1 (the main router's
# 'guest' interface). So the upstream link is one of the bridged lan ports,
# not the 'wan' interface below, and this device is effectively a bridge /
# access point for the guest subnet rather than a second router.
# NOTE(review): 'dns' here is what this router itself uses for opkg. The
# thread's fix replaced 192.168.3.1 with 192.168.1.254 (the ISP modem). With
# 192.168.3.1 the name resolved to 146.112.61.106 and the download got
# HTTP 403 from that address, while ping to it worked - so the answer from
# the main router's resolver differed from the modem's. Worth checking what
# 192.168.3.1 returns for downloads.openwrt.org (nslookup) before relying
# on it for other guest clients.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1 eth1'
        option proto 'static'
        option ipaddr '192.168.3.2'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.3.1'
#       option gateway '192.168.2.1'
        option dns '192.168.3.1'
#       option dns '192.168.2.1'
        option igmp_snooping '1'

# DHCP client on switch VLAN 2 (switch port 0). Since the default route is
# configured on 'lan' above, this interface only matters if something is
# actually plugged into that port; as pasted it appears unused.
# The gateway/dns overrides are disabled - with proto 'dhcp' they would be
# supplied by the lease anyway.
config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
#        option gateway '192.168.1.254'
#        option dns '192.168.1.254'


# This is the 'wan6' section a reply in the thread suggested commenting out
# to stop wget preferring IPv6; 'wget -4' is the less invasive test.
config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

# Switch layout on the guest router: VLAN 1 = ports 1-4 (bridged into lan via
# eth0.1), VLAN 2 = port 0 (eth0.2 / 'wan'); port 5 is the CPU port, tagged.
# NOTE(review): port 0 is listed in both VLANs ('0 1 2 3 4 5t' and '0 5t');
# if that is not intentional it should be removed from VLAN 1 so that the
# wan port does not also sit untagged in the lan bridge.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 4 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 5t'

firewall config on guest router:

# Global policy (stock). Applies only to interfaces that are in no zone.
config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

# NOTE(review): on this device the upstream (192.168.3.1) is reached through
# the 'lan' bridge, so the lan zone faces both the guest clients and the main
# router, and the wan zone only covers the (apparently unplugged) eth0.2.
# Guest traffic therefore never crosses a zone boundary here: this firewall
# cannot separate guests from anything, and the isolation of the guest subnet
# is decided entirely by the main router's 'guest' zone. Regarding the
# question in the thread: keeping it enabled costs little and still protects
# this router's own services on eth0.2; disabling it changes nothing about
# guest isolation either way.
config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# --- Stock OpenWrt wan-input rules, identical to the set in the main router's
# --- firewall config above. They only affect traffic arriving on eth0.2.

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option src_ip           fc00::/6
        option dest_ip          fc00::/6
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# IPsec pass-through to lan (stock rule).
config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT

# include a file with users custom iptables rules
# (contents of /etc/firewall.user are not shown on this page)
config include
        option path /etc/firewall.user

thanks

https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html

Exit status 8 means the server issued an error response. You might want to check manually to see what is happening.

Can you ping openwrt.org from command line?
Can you wget manually any file from downloads.openwrt.org?

ping is fine:


ping -c 3 www.openwrt.org
PING www.openwrt.org (146.112.61.106): 56 data bytes
64 bytes from 146.112.61.106: seq=0 ttl=55 time=19.023 ms
64 bytes from 146.112.61.106: seq=1 ttl=55 time=16.714 ms
64 bytes from 146.112.61.106: seq=2 ttl=55 time=16.957 ms

--- www.openwrt.org ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 16.714/17.564/19.023 ms

wget does not work

wget http://downloads.openwrt.org/snapshots/targets/ath79/generic/openwrt-ath79-generic-tplink_tl-wr1043nd-v1-squashfs-sysupgrade.bin
Downloading 'http://downloads.openwrt.org/snapshots/targets/ath79/generic/openwrt-ath79-generic-tplink_tl-wr1043nd-v1-squashfs-sysupgrade.bin'
Connecting to ::ffff:146.112.61.106:80
HTTP error 403

thanks a lot

M

wget tries to use IPv6; disable it (comment out the wan6 section in /etc/config/network).

There is no need to disable IPv6: invoking wget -4 to force IPv4 would already allow testing this.

i think ipv6 was only part of the issue

i disabled it as suggested, but it still did not work,
so after that i assumed the issue was somehow related to dns.
i initially assumed that the dns option on the lan interface of the second router had to point to the main router:

        option dns '192.168.2.1'

i replaced this with the same setting i have on the main router (pointing to the ISP modem),
and it works...

        option dns '192.168.1.254'

thanks a lot

PS. any suggestion for the firewall? is it safe to disable the firewall of the guest router?

M
