Hi,
I have a problem with my OpenWRT router. It worked well for about 4 months.
Yesterday I tried to block internet access for a range of IPs on my LAN but could not manage it.
I just added a Traffic Rule
and removed it after seeing that it did not work at all. I rebooted my router and then:
- WiFi connection with DHCP is not working
- WiFi authentication is OK
- DHCP probably does not work properly
- WiFi connection with a static IP is working
Once connected to WiFi I only have access to LAN (not to WAN).
Here are the main configuration files:
network
# /etc/config/network as posted. Review comments added; config lines unchanged.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# IPv6 ULA prefix; 'lan' below takes its IPv6 assignment from it (ip6assign).
config globals 'globals'
option ula_prefix 'fd21:3720:5ad7::/48'
# LAN: bridge over VLAN device eth0.1, router address 192.168.10.1/24.
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.10.1'
# MAC address override for the LAN VLAN device.
config device 'lan_dev'
option name 'eth0.1'
option macaddr '40:31:3c:06:3d:64'
# WAN: DHCP client on VLAN device eth0.2. peerdns '0' ignores the resolvers
# offered by the ISP, so upstream DNS comes only from the 'dns' list below.
# NOTE(review): this list is what should end up in the resolver file; relevant to
# the empty /tmp/resolv.conf reported further down — TODO confirm.
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
option peerdns '0'
option dns '208.67.220.220 208.67.220.222'
# IPv6 counterpart of 'wan' on the same device.
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
# Switch: VLAN 1 = ports 2,3 + CPU port 6 (tagged) -> eth0.1 used by 'lan';
# VLAN 2 = port 1 + CPU port 6 (tagged) -> eth0.2 used by 'wan'.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 6t'
# Guest: static 192.168.199.1/24. Unlike 'lan' there is no 'ifname' or 'type'
# here, so this interface is not attached to any switch port or bridge; only a
# wireless config (not shown) naming network 'guest' could place clients on it.
# NOTE(review): the dhcp file posted below has no 'config dhcp' section for it —
# TODO confirm whether the WiFi SSID is attached to 'lan' or to 'guest'.
config interface 'guest'
option proto 'static'
option ipaddr '192.168.199.1'
option netmask '255.255.255.0'
dhcp
# /etc/config/dhcp as posted. Review comments added; config lines unchanged.
# dnsmasq: DNS forwarder and DHCPv4 server for the router.
config dnsmasq
option domainneeded '1'
option localise_queries '1'
# rebind_protection: reject upstream answers that point at private addresses
# (DNS rebinding defence); keep enabled.
option rebind_protection '1'
option rebind_localhost '1'
# 'local' keeps names under .lan local, but 'domain' below is set to 'infra'.
# NOTE(review): these two usually carry the same domain; with the mismatch, names
# under .infra may be forwarded upstream instead of answered locally — TODO confirm intended.
option local '/lan/'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
# Upstream resolvers are read from this file (not from /tmp/resolv.conf).
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
# localservice: answer DNS queries only from directly attached subnets, so the
# router does not act as an open resolver towards the WAN side.
option localservice '1'
option domain 'infra'
# DHCPv4 pool for 'lan': 192.168.10.100 .. 192.168.10.249 (start 100, limit 150),
# 30-day leases; DHCPv6 and router advertisements are also served on 'lan'.
# NOTE(review): there is no 'config dhcp' section for the 'guest' interface of the
# network file above, so guest clients would receive no DHCPv4 lease even once
# dnsmasq is running again.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option dhcpv6 'server'
option ra 'server'
option leasetime '30d'
option ra_management '1'
# No DHCP service on the WAN side.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
# odhcpd: maindhcp '0' leaves DHCPv4 to dnsmasq; odhcpd handles IPv6 only.
# NOTE(review): the ps output further down shows odhcpd running but no dnsmasq
# process, so nothing is serving DHCPv4 at the moment — consistent with the
# "WiFi with DHCP not working / static IP works" symptom described above.
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
firewall
# /etc/config/firewall as posted. Review comments added; config lines unchanged.
# The rules 'Allow-DHCP-Renew' through 'Allow-ISAKMP' are the stock OpenWrt
# input rules for the wan zone (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Guest-zone input rules: let guest clients reach the router for DNS (53) and
# DHCP (67-68) only.
# NOTE(review): the 'guest' zone defined below has input 'ACCEPT', which already
# admits every service on the router (web UI, SSH, ...) from guest clients; these
# two rules only become meaningful once that zone's input is changed to REJECT,
# which is the usual guest-isolation setup.
config rule
option name 'Allow-Guest-DNS'
option src 'guest'
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
config rule
option name 'Allow-Guest-DHCP'
option src 'guest'
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
# Defaults: input and output to the router accepted unless a zone overrides them;
# forwarding between zones denied unless a 'forwarding' section allows it.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# lan: full access to the router; forwarding to other zones as allowed below.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
# wan: unsolicited input and forwarding rejected; outbound traffic NATed (masq),
# MSS clamping (mtu_fix) enabled.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
# lan -> wan forwarding: internet access for LAN clients depends on this section.
config forwarding
option src 'lan'
option dest 'wan'
# Extra iptables rules kept in this file are applied on every firewall reload in
# addition to the UCI rules above.
# NOTE(review): a traffic rule removed via the web UI would not live here, but any
# manual rules for the LAN IP range would survive the reboot described above — worth
# checking this file's contents while diagnosing.
config include
option path '/etc/firewall.user'
# guest zone: see the note on the Allow-Guest-* rules above. forward 'REJECT'
# means guest traffic cannot reach 'lan', since no guest -> lan forwarding exists.
config zone
option name 'guest'
option network 'guest'
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
# guest -> wan forwarding only.
config forwarding
option src 'guest'
option dest 'wan'
I managed to recover WAN access; in fact /tmp/resolv.conf
was empty. I don't know why.
I had to put the OpenDNS entries manually in /etc/resolv.conf
and then it was OK. Is this normal?
But I don't manage to recover WiFi access. I suspect dnsmasq is failing somewhere but don't know where.
Can someone help me? Or explain a bit how to debug that? There is nearly nothing in the logs.
dnsmasq
is not started and does not start.
root@Universe:~# /etc/init.d/dnsmasq start
root@Universe:~# ps | grep -E 'dnsmasq|odhcp'
1337 root 1424 S /usr/sbin/odhcpd
1596 root 1032 S odhcp6c -s /lib/netifd/dhcpv6.script -P0 -t120 eth0.2
28758 root 1192 S grep -E dnsmasq|odhcp
root@Universe:~# killall dnsmasq
root@Universe:~# ps | grep dnsmasq
3657 root 1192 S grep dnsmasq
root@Universe:~# /etc/init.d/dnsmasq start
udhcpc: started, v1.29.2
udhcpc: sending discover
udhcpc: no lease, failing
udhcpc: started, v1.29.2
udhcpc: sending discover
udhcpc: no lease, failing
root@Universe:~# ps | grep dnsmasq
3765 root 1192 S grep dnsmasq
I also found this log from adblock (I tried with adblock enabled and disabled):
Wed Jan 9 07:22:22 2019 user.err adblock-3.5.5-2[12096]: 'dnsmasq' not running or not executable
Wed Jan 9 07:22:22 2019 user.err adblock-3.5.5-2[12096]: Please also check 'https://github.com/openwrt/packages/blob/master/net/adblock/files/README.md'
but everything seems okay with the binary:
root@Universe:~# dnsmasq --help | head -n5
Usage: dnsmasq [options]
Valid options are:
-a, --listen-address=<ipaddr> Specify local address(es) to listen on.
-A, --address=/<domain>/<ipaddr> Return ipaddr for all hosts in specified domains.
root@Universe:~# ls -l /usr/sbin/dnsmasq
-rwxr-xr-x 1 root root 146936 Sep 7 17:21 /usr/sbin/dnsmasq
Thanks in advance