Wrong IP when Raspberry connected to another router and can't navigate either

Hey everyone,

Currently all my devices are connected directly to my router 192.168.1.1.

I installed OpenWRT in my Raspberry Pi and changed the ip to 192.168.100.1. I also created a wireless network called OpenWRT.

If I don't connect the Raspberry lan port to the router lan port and connect my laptop to the OpenWRT network, my laptop gets the ip 192.168.100.119 and router 192.168.100.1.

If I connect the Raspberry lan port to the router lan port and connect my laptop to the OpenWRT network, my laptop gets the ip 192.168.1.100 and router 192.168.1.1.
I can navigate, but I can't access the UI at 192.168.100.1 unless I configure the IP manually. As a matter of fact, 192.168.1.100 is the fixed ip my laptop has in the 192.168.1.1 router.

Not connected via cable / connected via cable:

My guess is when the Rasp is not connected to the other router, my laptop receives the ip from the OpenWRT DHCP server. When the Rasp is connected to the other router, it seems that OpenWRT delegates the DHCP to the other router, thus receiving 192.168.1.100.

I'd like to be able to both navigate and have access to OpenWRT UI.

I'm not sure where the mistake is in my config. Does anyone know?

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb9:65a5:ab83::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.100.1'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

/etc/config/firewall

config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option src_ip		fc00::/6
	option dest_ip		fc00::/6
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

# include a file with users custom iptables rules
config include
	option path /etc/firewall.user

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'platform/soc/3f300000.mmc/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
	option htmode 'VHT80'
	option country 'DE'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option key 'very secure password'
	option encryption 'psk2'

1 Like

If you want the RPi to act as a dumb access point, disable the DHCP server and configure it on the same network as the main router (or as a DHCP client).

If you want to isolate the wireless clients from the main network, separate the wired and wireless interfaces, configure a DHCP client on the wired network, a DHCP server on the wireless network, and add a forwarding rule.

3 Likes

I tried to create a new interface for wireless with a static IP and a DHCP server, and changed the lan interface to be a DHCP client, but the moment I saved I lost the ability to connect to the router. Not even setting the IP manually solves it.

Do you have some example I can follow?

No, I do not have an example for that specific configuration. Did you configure the firewall to allow connections from both networks?

I believe I did, yes.

I can now ping Google and I was able to opkg update, so I guess the lan piece is correct.

When I connect to wifi I receive the correct IP 192.168.100.119, I can't navigate though, so I guess there is something missing in the forwarding rules.

Here is my new config:

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option input 'ACCEPT'
	option name 'Wireless'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'Wireless'
	list device 'wlan0'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config forwarding
	option dest 'lan'
	option src 'Wireless'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'platform/soc/3f300000.mmc/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
	option htmode 'VHT80'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt'
	option network 'Wireless'
	option key 'very secure password'
	option encryption 'psk2'

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd1:78cb:3714::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'dhcp'

config interface 'Wireless'
	option proto 'static'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'Wireless'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'Wireless'

My two cents:

  • You must disable the DHCP server on the LAN interface.
  • The LAN interface does not need to be part of a bridge, the Wireless interface does.
  • The Wireless zone should reference the Wireless interface, not the wlan0 device.

2 Likes

Follow the instructions for creating a dumbAP.

2 Likes

Thanks, but I'm not sure if this allows me to reach my end goal, which is to tunnel 100% of the connection through a VPN for all devices connected to the OpenWRT network.

You didn't specify that earlier.
You'll need to break the bridge so ethernet port and wlan are separated. Then assign to the lan interface some IP on the main network and close the dhcp. Create a new interface and a zone for the wifi only.
Create the VPN, assign it to a zone. Enable forwarding from wifi zone to vpn zone.

1 Like

I'm sorry. I should have specified this earlier.
Here is what I did based on your comment:

  • installed and configured the OpenVPN using my provider file. The VPN is connected as per Luci UI.
  • created interfaces lan, wlan and tun.
  • lan network is set as dhcp client and using the interface eth0.
  • wlan network has a static ip 192.168.100.1 (my main router is in 192.168.1.1), has a dhcp server on, and has bridge interface checked and using interface wlan0.
  • tun unmanaged and using the interface tun0.

In my firewall zones I have:
wlan -> tun
tun -> lan
lan -> wan

I receive the correct ip from the DHCP server 192.168.100.119, but cannot navigate.
If I SSH into the Raspberry I can ping Google and run opkg update, so I guess the lan piece is working as expected. Looks like the problem is still in how the firewall rule is configured, but I'm not sure what's missing.

Not sure if posting the config files helps or just pollutes the thread. If it does, let me know :).

Remove that traffic forwarding since you are using a commercial provider.

1 Like

If I remove the tun -> lan, the wlan -> tun becomes wlan -> reject.

@trendy mentioned: "Enable forwarding from wifi zone to vpn zone."

I understood that I should have a zone from wlan -> tun. :thinking:

Don't remove the zone itself, instead disable traffic forwarding to the lan zone in the tun zone settings.

Also wan zone must have masquerade enabled.

1 Like

This is currently my config. Is it correct to think about these as a chain? wlan forwards to tun, which forwards to lan, which forwards to wan?

No.
Assuming you are using a commercial VPN provider, the VPN zone should forward to nowhere.
In addition, enable masquerading on the VPN zone and set the zone input policy to reject.

1 Like
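
The zone layout from the answer above can be checked offline against a copy of /etc/config/firewall. This is an added example, not part of the original thread: the function names and the two sample configs are constructed, and only the zone names wlan and tun come from the posts. It checks firewall zones only, not routing.

```python
import shlex

def parse_uci(text):
    # Parse UCI text into a list of (section_type, options) pairs.
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) >= 2 and tok[0] == "config":
            sections.append((tok[1], {}))
        elif len(tok) == 3 and tok[0] == "option" and sections:
            sections[-1][1][tok[1]] = tok[2]
        elif len(tok) == 3 and tok[0] == "list" and sections:
            sections[-1][1].setdefault(tok[1], []).append(tok[2])
    return sections

def audit_vpn_only(text, client_zone, vpn_zone):
    # Return findings that would let client_zone traffic bypass vpn_zone.
    secs = parse_uci(text)
    zones = {o.get("name"): o for t, o in secs if t == "zone"}
    fwd = {(o.get("src", ""), o.get("dest", ""))
           for t, o in secs if t == "forwarding"}
    findings = []
    if (client_zone, vpn_zone) not in fwd:
        findings.append(f"no forwarding {client_zone} -> {vpn_zone}")
    for src, dest in sorted(fwd):
        if src == client_zone and dest != vpn_zone:
            findings.append(f"leak path: {src} -> {dest} bypasses the VPN")
        if src == vpn_zone:
            findings.append(f"VPN zone forwards to {dest}; should forward nowhere")
    vpn = zones.get(vpn_zone, {})
    if vpn.get("masq") != "1":
        findings.append("masquerading is not enabled on the VPN zone")
    if vpn.get("input", "").upper() != "REJECT":
        findings.append("VPN zone input policy is not REJECT")
    return findings

# Constructed samples using the thread's zone names, not the poster's files.
FWD = "config forwarding\n option src '{}'\n option dest '{}'\n"
BEFORE = ("config zone\n option name 'tun'\n option input 'ACCEPT'\n"
          + FWD.format("wlan", "tun") + FWD.format("tun", "lan"))
AFTER = ("config zone\n option name 'tun'\n option input 'REJECT'\n"
         " option masq '1'\n" + FWD.format("wlan", "tun"))

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_vpn_only(cfg, "wlan", "tun") or "OK")
```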

This worked!!! Thanks a lot, folks!

2 Likes
