Wireless AP + STA mode as a travel router

Looks good to me, what seems to be the problem?

I am baffled.

The network diagnostic utilities (ping, nslookup, trace) in OpenWrt work.

And what is not working?

That parm is wrong. You've configured in your system (network/firewall) a "wwan" interface, please use this interface in travelmate as well.

something to do with........

When I connect to the wlan wifi (Radio0), I cannot ping the internet and there is no traceroute to an internet website; DNS lookup is OK.

I can ping 192.168.1.30, I cannot ping 192.168.1.8

What could the issue be?

Changed to wwan, but still no help.

Please post here the output of the following command, copy and paste the whole block:

uci show network;uci show wireless; \
uci show firewall; uci show dhcp; \
uci show travelmate ; 
ip -4 addr ; ip -4 ro ; ip -4 ru; \
iptables-save; \
head -n -0 /etc/firewall.user; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*

You have restarted the travelmate service, right?
Also explain what are the addresses 1.130 and 1.1 as they don't appear on the picture.

Hi trendy,

I have recompiled OpenWrt and now travelmate appears in the menu; it displays the correct message and appears to have no errors, just like before.

Here is the info. Thank you for your time:

I have corrected the IP according to the picture.
192.168.2.1 is the static IP of wlan with DHCP enabled.
192.168.1.30 is the DHCP assigned IP by "Internet router" to "My Router"


root@OpenWrt:~# uci show network;uci show wireless; \
> uci show firewall; uci show dhcp; \
> uci show travelmate ; 
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='xxx:xxxb:xxx5::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0'
network.lan.proto='static'
network.lan.ip6assign='60'
network.lan.netmask='255.255.255.0'
network.lan.dns='1.1.1.1'
network.lan.gateway='192.168.1.8'
network.lan.ipaddr='192.168.20.1'
network.vpn0=interface
network.vpn0.ifname='tun0'
network.vpn0.proto='none'
network.wwan=interface
network.wwan.proto='dhcp'
wireless.radio0=wifi-device
wireless.radio0.type='mac80211'
wireless.radio0.hwmode='11g'
wireless.radio0.path='platform/soc/1c1d000.usb/usb5/5-1/5-1:1.0'
wireless.radio0.htmode='HT20'
wireless.radio0.channel='1'
wireless.radio0.country='00'
wireless.radio0.legacy_rates='1'
wireless.radio0.mu_beamformer='0'
wireless.radio1=wifi-device
wireless.radio1.type='mac80211'
wireless.radio1.channel='11'
wireless.radio1.hwmode='11g'
wireless.radio1.path='platform/soc/1c10000.mmc/mmc_host/mmc2/mmc2:0001/mmc2:0001:1'
wireless.radio1.htmode='HT20'
wireless.default_radio1=wifi-iface
wireless.default_radio1.device='radio1'
wireless.default_radio1.network='lan'
wireless.default_radio1.mode='ap'
wireless.default_radio1.ssid='OpenWrt'
wireless.default_radio1.encryption='none'
wireless.@wifi-iface[1]=wifi-iface
wireless.@wifi-iface[1].network='wwan'
wireless.@wifi-iface[1].ssid='F3'
wireless.@wifi-iface[1].encryption='psk2'
wireless.@wifi-iface[1].device='radio0'
wireless.@wifi-iface[1].mode='sta'
wireless.@wifi-iface[1].bssid='A0:AB:xx:xx:xx:xx'
wireless.@wifi-iface[1].key='xxx'
wireless.@wifi-iface[1].disabled='0'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='ACCEPT'
firewall.@defaults[0].fullcone='1'
firewall.@defaults[0].flow_offloading='1'
firewall.@defaults[0].flow_offloading_hw='0'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6 wwan stabridge'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.zerotier=include
firewall.zerotier.type='script'
firewall.zerotier.path='/etc/zerotier.start'
firewall.zerotier.reload='1'
firewall.miniupnpd=include
firewall.miniupnpd.type='script'
firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
firewall.miniupnpd.family='any'
firewall.miniupnpd.reload='1'
firewall.adbyby=include
firewall.adbyby.type='script'
firewall.adbyby.path='/usr/share/adbyby/firewall.include'
firewall.adbyby.reload='1'
firewall.adblock=rule
firewall.adblock.name='adblock'
firewall.adblock.target='DROP'
firewall.adblock.src='wan'
firewall.adblock.proto='tcp'
firewall.adblock.dest_port='8118'
firewall.kms=rule
firewall.kms.name='kms'
firewall.kms.target='ACCEPT'
firewall.kms.src='wan'
firewall.kms.proto='tcp'
firewall.kms.dest_port='1688'
firewall.mia=include
firewall.mia.type='script'
firewall.mia.path='/etc/mia.include'
firewall.mia.reload='1'
firewall.openvpn=rule
firewall.openvpn.name='openvpn'
firewall.openvpn.target='ACCEPT'
firewall.openvpn.src='wan'
firewall.openvpn.proto='tcp udp'
firewall.openvpn.dest_port='1194'
firewall.vpn=zone
firewall.vpn.name='vpn'
firewall.vpn.input='ACCEPT'
firewall.vpn.forward='ACCEPT'
firewall.vpn.output='ACCEPT'
firewall.vpn.masq='1'
firewall.vpn.network='vpn0'
firewall.vpnwan=forwarding
firewall.vpnwan.src='vpn'
firewall.vpnwan.dest='wan'
firewall.vpnlan=forwarding
firewall.vpnlan.src='vpn'
firewall.vpnlan.dest='lan'
firewall.pptpd=include
firewall.pptpd.type='script'
firewall.pptpd.path='/etc/pptpd.include'
firewall.pptpd.reload='1'
firewall.pptp=rule
firewall.pptp.name='pptp'
firewall.pptp.target='ACCEPT'
firewall.pptp.src='wan'
firewall.pptp.proto='tcp'
firewall.pptp.dest_port='1723'
firewall.gre=rule
firewall.gre.name='gre'
firewall.gre.target='ACCEPT'
firewall.gre.src='wan'
firewall.gre.proto='47'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.ra='server'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra_management='1'
dhcp.lan.ra_default='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.@srvhost[0]=srvhost
dhcp.@srvhost[0].srv='_vlmcs._tcp'
dhcp.@srvhost[0].target='OpenWrt'
dhcp.@srvhost[0].port='1688'
dhcp.@srvhost[0].class='0'
dhcp.@srvhost[0].weight='100'
travelmate.global=travelmate
travelmate.global.trm_captive='1'
travelmate.global.trm_triggerdelay='2'
travelmate.global.trm_debug='1'
travelmate.global.trm_maxretry='3'
travelmate.global.trm_minquality='35'
travelmate.global.trm_maxwait='30'
travelmate.global.trm_timeout='60'
travelmate.global.trm_rtfile='/tmp/trm_runtime.json'
travelmate.global.trm_iface='wwan'
travelmate.global.trm_enabled='1'
travelmate.global.trm_radio='radio0'
root@OpenWrt:~# ip -4 addr ; ip -4 ro ; ip -4 ru; \
> iptables-save; \
> head -n -0 /etc/firewall.user; \
> ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*



Travelmate info:

Runtime Information
Travelmate Status (Quality): connected (net nok/92)
Travelmate Version: 1.2.2
Station ID (SSID/BSSID): radio0/F3/A0:AB:1B:50:C3:DE
Station Interface: wwan
Station Radio: n/a
Last rundate: 02.10.2019 21:14:25

Wed Oct 2 21:18:46 2019 user.debug travelmate-1.2.2[1023]: f_check::: mode: initial, name: wlan0, status: true, quality: 95, connection: net nok/92, wait: 1, max_wait: 30, min_quality: 35, captive: 1
Wed Oct 2 21:19:52 2019 user.debug travelmate-1.2.2[1023]: f_check::: mode: initial, name: wlan0, status: true, quality: 92, connection: net nok/92, wait: 1, max_wait: 30, min_quality: 35, captive: 1

This is wrong, you cannot have gateway address out of the subnet. Remove the gateway.

Post also the rest of the commands that don't appear in your previous post.

Hi trendy,

I have removed 192.168.1.8 as gateway. And here is the complete info

root@OpenWrt:~# uci show network;uci show wireless; \
> uci show firewall; uci show dhcp; \
> uci show travelmate ;
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='xxx:xx:xx::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0'
network.lan.proto='static'
network.lan.ip6assign='60'
network.lan.netmask='255.255.255.0'
network.lan.dns='1.1.1.1'
network.lan.ipaddr='192.168.20.1'
network.vpn0=interface
network.vpn0.ifname='tun0'
network.vpn0.proto='none'
network.wwan=interface
network.wwan.proto='dhcp'
wireless.radio0=wifi-device
wireless.radio0.type='mac80211'
wireless.radio0.hwmode='11g'
wireless.radio0.path='platform/soc/1c1d000.usb/usb5/5-1/5-1:1.0'
wireless.radio0.htmode='HT20'
wireless.radio0.channel='1'
wireless.radio0.country='00'
wireless.radio0.legacy_rates='1'
wireless.radio0.mu_beamformer='0'
wireless.radio1=wifi-device
wireless.radio1.type='mac80211'
wireless.radio1.channel='11'
wireless.radio1.hwmode='11g'
wireless.radio1.path='platform/soc/1c10000.mmc/mmc_host/mmc2/mmc2:0001/mmc2:0001:1'
wireless.radio1.htmode='HT20'
wireless.default_radio1=wifi-iface
wireless.default_radio1.device='radio1'
wireless.default_radio1.network='lan'
wireless.default_radio1.mode='ap'
wireless.default_radio1.ssid='OpenWrt'
wireless.default_radio1.encryption='none'
wireless.@wifi-iface[1]=wifi-iface
wireless.@wifi-iface[1].network='wwan'
wireless.@wifi-iface[1].ssid='F3'
wireless.@wifi-iface[1].encryption='psk2'
wireless.@wifi-iface[1].device='radio0'
wireless.@wifi-iface[1].mode='sta'
wireless.@wifi-iface[1].bssid='A0:xx:xx:xx:xx:xx'
wireless.@wifi-iface[1].key='xxx'
wireless.@wifi-iface[1].disabled='0'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='ACCEPT'
firewall.@defaults[0].fullcone='1'
firewall.@defaults[0].flow_offloading='1'
firewall.@defaults[0].flow_offloading_hw='0'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6 wwan'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.zerotier=include
firewall.zerotier.type='script'
firewall.zerotier.path='/etc/zerotier.start'
firewall.zerotier.reload='1'
firewall.miniupnpd=include
firewall.miniupnpd.type='script'
firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
firewall.miniupnpd.family='any'
firewall.miniupnpd.reload='1'
firewall.adbyby=include
firewall.adbyby.type='script'
firewall.adbyby.path='/usr/share/adbyby/firewall.include'
firewall.adbyby.reload='1'
firewall.adblock=rule
firewall.adblock.name='adblock'
firewall.adblock.target='DROP'
firewall.adblock.src='wan'
firewall.adblock.proto='tcp'
firewall.adblock.dest_port='8118'
firewall.kms=rule
firewall.kms.name='kms'
firewall.kms.target='ACCEPT'
firewall.kms.src='wan'
firewall.kms.proto='tcp'
firewall.kms.dest_port='1688'
firewall.mia=include
firewall.mia.type='script'
firewall.mia.path='/etc/mia.include'
firewall.mia.reload='1'
firewall.openvpn=rule
firewall.openvpn.name='openvpn'
firewall.openvpn.target='ACCEPT'
firewall.openvpn.src='wan'
firewall.openvpn.proto='tcp udp'
firewall.openvpn.dest_port='1194'
firewall.vpn=zone
firewall.vpn.name='vpn'
firewall.vpn.input='ACCEPT'
firewall.vpn.forward='ACCEPT'
firewall.vpn.output='ACCEPT'
firewall.vpn.masq='1'
firewall.vpn.network='vpn0'
firewall.vpnwan=forwarding
firewall.vpnwan.src='vpn'
firewall.vpnwan.dest='wan'
firewall.vpnlan=forwarding
firewall.vpnlan.src='vpn'
firewall.vpnlan.dest='lan'
firewall.pptpd=include
firewall.pptpd.type='script'
firewall.pptpd.path='/etc/pptpd.include'
firewall.pptpd.reload='1'
firewall.pptp=rule
firewall.pptp.name='pptp'
firewall.pptp.target='ACCEPT'
firewall.pptp.src='wan'
firewall.pptp.proto='tcp'
firewall.pptp.dest_port='1723'
firewall.gre=rule
firewall.gre.name='gre'
firewall.gre.target='ACCEPT'
firewall.gre.src='wan'
firewall.gre.proto='47'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.ra='server'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra_management='1'
dhcp.lan.ra_default='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.@srvhost[0]=srvhost
dhcp.@srvhost[0].srv='_vlmcs._tcp'
dhcp.@srvhost[0].target='OpenWrt'
dhcp.@srvhost[0].port='1688'
dhcp.@srvhost[0].class='0'
dhcp.@srvhost[0].weight='100'
travelmate.global=travelmate
travelmate.global.trm_captive='1'
travelmate.global.trm_triggerdelay='2'
travelmate.global.trm_debug='1'
travelmate.global.trm_maxretry='3'
travelmate.global.trm_minquality='35'
travelmate.global.trm_maxwait='30'
travelmate.global.trm_timeout='60'
travelmate.global.trm_rtfile='/tmp/trm_runtime.json'
travelmate.global.trm_iface='wwan'
travelmate.global.trm_enabled='1'
travelmate.global.trm_radio='radio0'
root@OpenWrt:~# ip -4 addr ; ip -4 ro ; ip -4 ru; \
> iptables-save; \
> head -n -0 /etc/firewall.user; \
> ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
10: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.1.138/24 brd 192.168.1.255 scope global wlan0
       valid_lft forever preferred_lft forever
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.20.1/24 brd 192.168.20.255 scope global br-lan
       valid_lft forever preferred_lft forever
default via 192.168.1.8 dev wlan0 proto static src 192.168.1.138
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.138
192.168.20.0/24 dev br-lan proto kernel scope link src 192.168.20.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
# Generated by iptables-save v1.8.2 on Wed Oct  2 21:48:03 2019
*nat
:PREROUTING ACCEPT [12:2663]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [3:173]
:POSTROUTING ACCEPT [4:233]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i wlan0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o wlan0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_vpn_postrouting -m comment --comment "!fw3: Custom vpn postrouting rule chain" -j postrouting_vpn_rule
-A zone_vpn_prerouting -m comment --comment "!fw3: Custom vpn prerouting rule chain" -j prerouting_vpn_rule
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Wed Oct  2 21:48:03 2019
# Generated by iptables-save v1.8.2 on Wed Oct  2 21:48:03 2019
*raw
:PREROUTING ACCEPT [2771:285683]
:OUTPUT ACCEPT [5980:957960]
:zone_lan_helper - [0:0]
-A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
-A zone_lan_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
-A zone_lan_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
-A zone_lan_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
-A zone_lan_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
-A zone_lan_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
-A zone_lan_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
-A zone_lan_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
-A zone_lan_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
-A zone_lan_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
-A zone_lan_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
COMMIT
# Completed on Wed Oct  2 21:48:03 2019
# Generated by iptables-save v1.8.2 on Wed Oct  2 21:48:03 2019
*mangle
:PREROUTING ACCEPT [2771:285683]
:INPUT ACCEPT [2592:263281]
:FORWARD ACCEPT [110:7272]
:OUTPUT ACCEPT [5980:957960]
:POSTROUTING ACCEPT [6090:965232]
-A FORWARD -o wlan0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Oct  2 21:48:03 2019
# Generated by iptables-save v1.8.2 on Wed Oct  2 21:48:03 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i wlan0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i wlan0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o wlan0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
-A forwarding_rule -i ppp+ -j ACCEPT
-A forwarding_rule -o ppp+ -j ACCEPT
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule
-A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule
-A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
-A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule
-A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o wlan0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o wlan0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 8118 -m comment --comment "!fw3: adblock" -j DROP
-A zone_wan_input -p tcp -m tcp --dport 1688 -m comment --comment "!fw3: kms" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: openvpn" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: openvpn" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1723 -m comment --comment "!fw3: pptp" -j ACCEPT
-A zone_wan_input -p gre -m comment --comment "!fw3: gre" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_ACCEPT -i wlan0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Wed Oct  2 21:48:03 2019
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53
lrwxrwxrwx    1 1000     1000            16 Oct  2 13:57 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root             0 Oct  2 21:47 /tmp/resolv.conf
-rw-r--r--    1 root     root             0 Oct  2 21:47 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==

==> /tmp/resolv.conf <==

==> /tmp/resolv.conf.auto <==
root@OpenWrt:~#

A couple of problems I spotted:

  1. You don't have any DNS resolver. I am not sure this is accidental or intentional.
  2. Most importantly there is no NAT in the iptables. You are missing a line

-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE

My guess is that all those custom firewall scripts you are running are resetting the firewall configuration and deleting the masquerade line.
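
The check made in the post above (a zone with masq='1' in UCI but no NAT rule in its zone_<name>_postrouting chain), as an added example that is not part of the original thread. The function names are hypothetical and the sample input is a constructed excerpt of the output posted earlier; FULLCONENAT is accepted as well because the patch quoted later in the thread emits that target.

```shell
#!/bin/sh
# Added example, not from the thread: list fw3 zones that have masq='1' in UCI
# and report which NAT target, if any, is loaded for each of them.

# stdin: `uci show firewall` output. stdout: sorted names of zones with masq='1'.
masq_zones() {
    awk -v q="'" '
        {
            eq = index($0, "=")
            if (!eq) next
            n = split(substr($0, 1, eq - 1), part, "[.]")
            if (n != 3 || part[1] != "firewall") next
            val = substr($0, eq + 1)
            gsub(q, "", val)                      # uci quotes every value
            if (part[3] == "name") name[part[2]] = val
            if (part[3] == "masq" && val == "1") masq[part[2]] = 1
        }
        END { for (s in masq) if (s in name) print name[s] }
    ' | sort
}

# $1: zone name. stdin: `iptables-save` output. Prints the NAT target found in
# the nat table chain zone_<name>_postrouting; exit status 1 if there is none.
nat_target_for_zone() {
    awk -v chain="zone_${1}_postrouting" '
        /^\*/      { table = substr($0, 2) }      # "*nat", "*filter", ...
        /^COMMIT$/ { table = "" }
        table == "nat" && $1 == "-A" && $2 == chain {
            for (i = 3; i < NF; i++)
                if ($i == "-j" && $(i + 1) ~ /^(MASQUERADE|FULLCONENAT)$/) {
                    print $(i + 1); found = 1; exit
                }
        }
        END { exit !found }
    '
}

# $1: text of `uci show firewall`, $2: text of `iptables-save`.
# Prints "<zone>: <target|MISSING>" per masq zone; returns 1 if any is missing.
audit_masq() {
    rc=0
    for zone in $(printf '%s\n' "$1" | masq_zones); do
        if target=$(printf '%s\n' "$2" | nat_target_for_zone "$zone"); then
            echo "$zone: $target"
        else
            echo "$zone: MISSING"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: excerpt of the firewall config posted in the thread.
SAMPLE_UCI=$(cat <<'EOF'
firewall.@defaults[0].fullcone='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].masq='1'
firewall.@zone[1].network='wan wan6 wwan'
firewall.vpn=zone
firewall.vpn.name='vpn'
firewall.vpn.masq='1'
firewall.vpn.network='vpn0'
EOF
)

# Constructed sample: excerpt of the posted nat table; $1 = extra rule lines.
sample_nat() {
    cat <<EOF
*nat
:zone_vpn_postrouting - [0:0]
:zone_wan_postrouting - [0:0]
-A POSTROUTING -o wlan0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
-A zone_vpn_postrouting -m comment --comment "!fw3: Custom vpn postrouting rule chain" -j postrouting_vpn_rule
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
$1
COMMIT
EOF
}

# The rule quoted in the thread for wan, plus its vpn counterpart (constructed).
FW3_MASQ='-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE'

echo "ruleset as posted:"
audit_masq "$SAMPLE_UCI" "$(sample_nat '')" || echo "=> a masq zone has no NAT rule"
echo "with the fw3 rules present:"
audit_masq "$SAMPLE_UCI" "$(sample_nat "$FW3_MASQ")"
```

On the router itself the same check runs as `audit_masq "$(uci show firewall)" "$(iptables-save -t nat)"`.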

It works after adding this line.

-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE


Thank you very much :)

Btw, Dnsmasq is there

I put this line:

iptables -t nat -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE

in /etc/rc.local.

However, it wasn't executed upon a reboot. Any idea why this is not working?

I can execute the rc.local manually, though.

Putting it in the rc.local is a terrible idea, as it is run only once after boot.
Instead of workarounds, find which one of the firewall scripts you are running is removing the masquerade.

Oh man, I am having a hard time finding which script it is.

Is there any way to manually add that NAT line into IPTables?

This line should be there since you have selected masquerading for wan zone.
I'd suggest to comment out all the custom firewall scripts, verify it works, then start adding them one by one till you find the culprit.
Otherwise you can always run it manually from ssh every time it's not working.

It seems that the branch I am using is using Fullcone-NAT, and that's causing the issue.

Do you have any idea of fixing this?

 				{
 					r = fw3_ipt_rule_new(handle);
 					fw3_ipt_rule_src_dest(r, msrc, mdest);
-					fw3_ipt_rule_target(r, "MASQUERADE");
-					fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
+					/*FIXME: Workaround for FULLCONE-NAT*/
+					if  (defs->fullcone)  ##############HERE############
+					{
+						warn("%s will enable FULLCONE-NAT", zone->name);
+						fw3_ipt_rule_target(r, "FULLCONENAT");
+						fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
+						r = fw3_ipt_rule_new(handle);
+						fw3_ipt_rule_src_dest(r, msrc, mdest);
+						fw3_ipt_rule_target(r, "FULLCONENAT");
+						fw3_ipt_rule_append(r, "zone_%s_prerouting", zone->name);
+					}
+					else
+					{
+						fw3_ipt_rule_target(r, "MASQUERADE");
+						fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
+					}
 				}
 			}
 		}
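
Review bot: In the `if (defs->fullcone)` branch the zone loses its MASQUERADE rule with no fallback: both appended rules use the FULLCONENAT target, so if that target cannot be used when the ruleset is loaded, a zone with masq enabled is left with no source NAT in zone_%s_postrouting at all. That is consistent with the iptables-save output earlier in this thread, where fullcone='1' and masq='1' are set but zone_wan_postrouting holds neither target. Suggest checking that FULLCONENAT is usable before choosing it, falling back to the MASQUERADE rule otherwise, and having the warn() text say which case was taken. The `##############HERE############` marker on the `if` line is not valid C and must be removed if it is part of the real patch, and the prerouting rule reuses msrc and mdest unchanged from the postrouting rule, which deserves a comment explaining why the same match is correct in the inbound direction.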

I found that the above piece of patch code is related.

I have not seen this before. Full Cone NAT is Static NAT or 1-1 NAT. This way you assign one internal IP to one external IP. I'll assume from your problem that you have more than one internal IP and one external IP, so I hope you also see the problem here.
