Why can't I reach one of my routers?

As a relative newbie I need some help finding out why I can't access one of my two routers.

Background: for about a year I have been using a Fritzbox 4040 router running OpenWrt 22.03 as an exposed host behind my Fritzbox 5530 internet modem. This 4040 router serves all my computer gear in house (together with 2 auxiliary TP-Link APs). Let's call this Fritzbox router 4040-1. Now I want to migrate to OpenWrt 23.05 using a second Fritzbox 4040 (4040-2). In the past I have installed OpenWrt 23.05.02 on this router (and will upgrade to the latest version when I get access).

Steps I undertook:

  1. As a first step I have (manually) duplicated the configuration of router 4040-1 to router 4040-2 (only the wan and lan IP addresses differ).
  2. Both routers are connected from a lan port on the internet modem to their respective wan ports. Router 4040-1 is an exposed host seen from the internet modem.

What is working (4040-1):

  • my primary router 4040-1 is still playing its role in my home network as before and is fully accessible (ping, traceroute, ssh, luci)

What is working in router 4040-2 running 23.05:

  • it shows up as connected in the internet modem (192.168.178.8)
  • it responds to ping and traceroute from my regular network served by 4040-1 (using either the wan or the lan address)
  • when I access 4040-2 via its WLAN I can login with Luci

What is not working:

  • I can't use ssh to access 4040-2 (connection refused) although 'Password Authentication' is ticked as well as 'Allow root logins with password' ('Gateway Ports' not ticked in both 4040-1 and 4040-2)
  • I can't use Luci to login ("Server not responding")

What am I overlooking?

Configuration files:
Network (4040-2)

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.202.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.178.1'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

Firewall (4040-2) - except the standard rules

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

According to the scarce rules you posted, you connect from the wan zone; you need to connect from any of the 4 lan ports.

Both routers are connected from the same type of port: from the lan port on the internet modem to the wan port on the router. In this case I would expect the same behaviour from each of the routers, which is, unfortunately, not the case at the moment.

A gateway must be in the same layer-3 subnet.

Did you allow ssh and http input firewall rules on the wan interface?

The WAN interface has IP address 192.168.178.8 so it is on the same layer-3 subnet of the internet modem.

@_bernd
I couldn't find these firewall rules in my 4040-1 configuration but I still have ssh and http access. Where should I look for these rules in my configuration?

When you are configuring an interface, its IP address and default gateway must belong to the same subnet. Your configuration is invalid.

This is the Network configuration of my 4040-1 router which has worked for a year already (ie is fully accessible by ssh and luci).

Seen from the internet router, the WAN port of the router has IP address 192.168.178.7 in this case and is on the same subnet as the gateway. Isn't it?

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7b:5db6:b9ef::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.200.1'
	option gateway '192.168.178.1'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

Remove the gateway. The routing engine is smart enough to automatically setup a default route and will route the lan accordingly.

You probably need to enable masquerading on the wan, unless your upstream network has a static route installed.

Many thanks to all contributors for the help provided. Unfortunately I still don't have access.

Feedback for the latest recommendations:
@psherman I have removed the gateway and yes, I have static routes on my internet modem for both 4040 routers. The two 4040 routers are the only devices connected to my internet modem and both have a static route defined:

Static routes:

My desktop is connected to the 4040-1 router and this is the trace route from my desktop to the 4040-2 router: (4040-1 = 192.168.200.1; internet modem = fritz.box; 4040-2 = 192.168.202.1):

But still no access via ssh or luci.

If I'm following correctly you have connected the downstream routers via their wan port to the edge router... Have you ensured that you allow http/https and ssh on the wan zone, at least for your (private) RFC 1918 networks?

1 Like
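The two points raised in this thread (a static interface's gateway must lie in that interface's own subnet, and ssh/http(s) on the wan zone are rejected unless an explicit rule allows them) can both be checked mechanically. The following is an added example written for this page, not code from the thread or from the OpenWrt project: a minimal reader for the UCI config syntax posted above (not libuci), a check that flags the 'lan' stanza of 4040-2 (gateway 192.168.178.1 outside 192.168.202.0/24; the 4040-1 config posted later has the same mismatch against 192.168.200.0/24), and a generator for `config rule` stanzas that accept TCP 22/80/443 on the wan zone only from RFC 1918 source ranges. The rule names, the choice of ports, and the `would_accept` model of the resulting policy are assumptions made here for illustration.

```python
import ipaddress
import re

# Constructed copy of the relevant stanzas from the 4040-2 /etc/config/network
# shown in the thread (only the fields the gateway check needs).
NETWORK_4040_2 = """\
config interface 'lan'
\toption device 'br-lan'
\toption proto 'static'
\toption ipaddr '192.168.202.1'
\toption netmask '255.255.255.0'
\toption gateway '192.168.178.1'

config interface 'wan'
\toption device 'wan'
\toption proto 'dhcp'
"""

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
# Assumed admin services: ssh plus LuCI over http and https.
ADMIN_SERVICES = (("ssh", 22), ("http", 80), ("https", 443))


def parse_uci(text):
    """Minimal reader for UCI syntax (written here, not libuci): returns a list of
    sections, each {'type', 'name', 'option': {k: v}, 'list': {k: [v, ...]}}."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"config\s+(\S+)(?:\s+'([^']*)')?$", line)
        if m:  # new section; the name is optional (e.g. "config device")
            cur = {"type": m.group(1), "name": m.group(2), "option": {}, "list": {}}
            sections.append(cur)
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'$", line)
        if m and cur is not None:
            kind, key, val = m.groups()
            if kind == "option":
                cur["option"][key] = val
            else:
                cur["list"].setdefault(key, []).append(val)
    return sections


def gateway_problems(sections):
    """Return (interface, gateway, subnet) for every static interface whose
    'gateway' option is not an address inside the interface's own subnet."""
    problems = []
    for s in sections:
        if s["type"] != "interface" or s["option"].get("proto") != "static":
            continue
        gw, ip, mask = (s["option"].get(k) for k in ("gateway", "ipaddr", "netmask"))
        if not (gw and ip and mask):
            continue
        net = ipaddress.IPv4Interface(f"{ip}/{mask}").network
        if ipaddress.IPv4Address(gw) not in net:
            problems.append((s["name"], gw, str(net)))
    return problems


def admin_access_rules(services=ADMIN_SERVICES, src_ips=RFC1918):
    """Emit /etc/config/firewall 'config rule' stanzas that ACCEPT the given TCP
    ports on the wan zone, but only when the source is in one of src_ips."""
    stanzas = []
    for name, port in services:
        stanzas.append(
            "config rule\n"
            f"\toption name 'Allow-{name}-from-private-wan'\n"  # assumed naming
            "\toption src 'wan'\n"
            + "".join(f"\tlist src_ip '{cidr}'\n" for cidr in src_ips)
            + "\toption proto 'tcp'\n"
            f"\toption dest_port '{port}'\n"
            "\toption family 'ipv4'\n"
            "\toption target 'ACCEPT'\n"
        )
    return "\n".join(stanzas)


def would_accept(src_ip, dport, services=ADMIN_SERVICES, src_ips=RFC1918):
    """Model the generated rules: True if a TCP packet from src_ip to dport arriving
    on the wan zone matches an ACCEPT rule; otherwise the zone's 'input REJECT'
    default applies (which is why ping worked but ssh/luci did not)."""
    addr = ipaddress.ip_address(src_ip)
    if addr.version != 4:
        return False
    private = any(addr in ipaddress.ip_network(c) for c in src_ips)
    return private and dport in {p for _, p in services}


if __name__ == "__main__":
    for iface, gw, net in gateway_problems(parse_uci(NETWORK_4040_2)):
        print(f"interface '{iface}': gateway {gw} is not inside {net}; remove it")
    print(admin_access_rules())
```

The generated stanzas belong in /etc/config/firewall followed by `/etc/init.d/firewall restart`. They are only appropriate because here the router's wan port faces a private network behind the Fritzbox; on a wan port that is actually exposed to the internet, keeping the zone default of rejecting ssh and http(s) is the behaviour you want.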

@_bernd Thanks for raising this question again. My inexperience with networking and firewall rules made me not fully understand the importance of your question.

To test your conclusion I tried the reverse route, ie to access the 4040-1 router (192.168.200.0/24 network) from my 4040-2 (192.168.202.0/24). Without firewall rules allowing this traffic, I got the same result: I could ping and use traceroute to show there was traffic possible, but I could neither ssh nor use luci to access the 4040-1 router. And, without additional firewall rules allowing this, this behaviour is what you want (ie by default no ssh/http(s) access over the WAN interface, in particular when it is exposed to the outside world).

I'm going to test the 4040-2 router (OpenWrt 23.05) over the weekend as my exposed host replacing the 4040-1 router (OpenWrt 22.03).

Many thanks and I'll get back when I have another question.

I am not sure what you are trying to do here. Typically you have one router and any AP/switch etc on the same subnet. In that case you can connect from anywhere on your LAN to anywhere on your LAN. Alternatively you can make different subnets, but then you either have double NAT or need static routes, complicating things unnecessarily. (Note that by using the modem on a different subnet you already have double NAT; place the 4040-1 into the DMZ of the modem, then double NAT should not be much of an issue.)

So I am not sure if that is what you want exactly. I would suggest connecting the 4040-2 via a LAN port to a LAN port on the 4040-1, then changing the IP address of the 2nd router to 192.168.200.2.

As I wrote in my first post above

Once I'm satisfied the second modem is up to its task and network traffic flows as expected, I will promote it to my main router running 23.05 and retire the first router (running 22.03).

What's the IP address of your client (computer) you are trying to access the Fritzbox 4040-2 with? Have you attempted the following? Set the IP address of your client manually to 192.168.202.x (where 1 < x < 255). Then try connecting to 192.168.202.1 again.

When I connected my client directly to the 4040-2 (192.168.202.0), the client received an IP address in this range and I had no trouble connecting.

My problem was that in the 4040-2 firewall all ping/traceroute traffic was allowed but no other traffic (eg ssh/http(s)).

My problems have been solved.

1 Like
