OpenWrt Forum Archive

Topic: Routing problem

The content of this topic has been archived on 24 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I've managed to install OpenWrt on my TP-LINK (TL-WDR3600) router and have now upgraded it to 17.01.4. Its IP address has been changed to 192.168.1.3 to avoid conflicts with my pfSense Internet gateway which has 192.168.1.1 assigned. What I can't do is get it configured so that it can be accessed from anywhere on my LAN.

The router has 192.168.1.1 assigned as the gateway address and is able to access the Internet, but access to or from the router to the rest of the LAN is disabled apart from one system which is physically attached to the router.

Can anyone suggest what I've overlooked?

Post your configuration files from /etc/config on the OpenWrt router. At least 'network', 'firewall', 'wireless' and 'dhcp' are required. Do you have VPN tunnels or similar configured on the OpenWrt router? Or on the pfSense device?

What do you mean by "access to or from the router is disabled"? Do you mean that other devices cannot reach the SSH server on the router? Or they cannot access LuCI on the router? Or they cannot see the pfSense device? Or that they cannot access the Internet through the OpenWrt and pfSense devices?

How are the pfSense and OpenWrt devices connected physically? How about the devices which cannot operate on the network? Are they on the wireless network? Is the OpenWrt device acting as AP?

Who is the DHCP authority of your network, or do you even have one?

(Last edited by Antek on 24 Feb 2018, 10:02)

pfSense is the DHCP authority for the LAN, dhcp has been disabled on OpenWrt. It has an IP address of 192.168.1.3 to avoid conflicts with pfSense which has an address of 192.168.1.1. This address is the gateway for OpenWrt.

The OpenWrt router is connected to the rest of the LAN via the Internet port. One LAN port on the router connects one system from which I can ssh into the router. That system has a static IP of 192.168.1.200 and it can only access OpenWrt, but nothing else, not on the LAN or the Internet. Wireless has not been enabled on OpenWrt.

I have only just started using OpenWRT, so don't really know my way round the system. The changes from the default configuration amount to setting the IP address to 192.168.1.3 with a gateway of 192.168.1.1 and disabling dhcp. I would post the configuration files but can't access them from the system which has Internet access. I would copy them to a USB stick, but don't yet know how to use one on OpenWrt.

Plug one of the LAN ports to your existing LAN. When you set up a router as a LAN device, it should not contain a WAN network. You can delete the wan network entirely and move eth1 (the blue "Internet" port on the back) into the lan network to have five LAN ports instead of four.

(Last edited by mk24 on 24 Feb 2018, 19:44)

Is the pfSense connected to the OpenWrt router's yellow LAN ports, or the blue WAN port? If it's connected to the blue port, try connecting it to one of the yellow ones instead.

If you can access LuCI on the OpenWrt router, then you can download a backup of the configuration files from a submenu under "System". I think it's called "Backup / Restore". Just click on the "Download backup", and you'll receive an archive file which contains all the configuration files. From there, you can post the contents. Remember to mask out sensitive information such as names, e-mail addresses and passwords first.

Further to the last two posts, I've plugged in the cable from the LAN  into one of the yellow ports instead of the blue (Internet) port, and now OpenWrt is accessible from my LAN.

Apologies if I misunderstood how it should have been setup.

Thanks for all the help.

Just as a followup... when the cable from my LAN is moved from the blue to a yellow port, I can no longer access the Internet from OpenWrt, which means I can't install any packages. To do that I need to move the cable back to the blue port.

Is there any way to have OpenWrt accessing both the Internet and the LAN at the same time?

Antek wrote:

Post your configuration files from /etc/config on the OpenWrt router. At least 'network', 'firewall', 'wireless' and 'dhcp' are required. Do you have VPN tunnels or similar configured on the OpenWrt router? Or on the pfSense device?

Here is the network config:-

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fdeb:4faf:d7b4::/48'

config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.1.3'
    option gateway '192.168.1.1'

config interface 'wan'
    option ifname 'eth0.2'
    option proto 'dhcp'

config interface 'wan6'
    option ifname 'eth0.2'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '2 3 4 5 0t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '1 0t'

Wireless, firewall and dhcp are currently disabled; at least that was my aim, but I don't know how to check when looking at the config files.

You need to set option dns in the lan configuration. Usually it works to point it at the main router. In other words, both option gateway and option dns should be 192.168.1.1.

As it is now you can probably ping a numeric external IP such as 8.8.8.8, meaning your router does have access to the Internet, but it will fail to reach any site by name because it has no name server.

mk24 wrote:

As it is now you can probably ping a numeric external IP such as 8.8.8.8, meaning your router does have access to the Internet, but it will fail to reach any site by name because it has no name server.

It's not a DNS problem.

With my LAN cable in the blue port I can ping 8.8.8.8 and google.com but I can't ping anything on the 192.168.1.0 network apart from the gateway.

With my LAN cable in the yellow port I can ping everything on the 192.168.1.0 network, but nothing on the Internet.

Comment out the wan and wan6 networks and add a dns to lan and see if it works.

You can also check route.  It should look like this:

root@WR2000-2:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1    0.0.0.0         UG    0      0        0 br-lan
192.168.1.0    *               255.255.255.0   U     0      0        0 br-lan
192.168.1.1    *               255.255.255.255 UH    0      0        0 br-lan

OK - but where do I insert my LAN cable? In a yellow or blue port?

mk24 wrote:

Comment out the wan and wan6 networks and add a dns to lan and see if it works.

You can also check route.  It should look like this:

root@WR2000-2:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1    0.0.0.0         UG    0      0        0 br-lan
192.168.1.0    *               255.255.255.0   U     0      0        0 br-lan
192.168.1.1    *               255.255.255.255 UH    0      0        0 br-lan

Mine looks like this:-

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan

What should I change to make it like yours?

balanga wrote:

Wireless, firewall and dhcp are currently disabled; at least that was my aim, but I don't know how to check when looking at the config files.

The firewall configuration file also contains settings related to routing, so you should post its content for completeness' sake.

config defaults
    option syn_flood    1
    option input        ACCEPT
    option output        ACCEPT
    option forward        REJECT
# Uncomment this line to disable ipv6 rules
#    option disable_ipv6    1

config zone
    option name        lan
    list   network        'lan'
    option input        ACCEPT
    option output        ACCEPT
    option forward        ACCEPT

config zone
    option name        wan
    list   network        'wan'
    list   network        'wan6'
    option input        REJECT
    option output        ACCEPT
    option forward        REJECT
    option masq        1
    option mtu_fix        1

config forwarding
    option src        lan
    option dest        wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
    option name        Allow-DHCP-Renew
    option src        wan
    option proto        udp
    option dest_port    68
    option target        ACCEPT
    option family        ipv4

# Allow IPv4 ping
config rule
    option name        Allow-Ping
    option src        wan
    option proto        icmp
    option icmp_type    echo-request
    option family        ipv4
    option target        ACCEPT

config rule
    option name        Allow-IGMP
    option src        wan
    option proto        igmp
    option family        ipv4
    option target        ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
    option name        Allow-DHCPv6
    option src        wan
    option proto        udp
    option src_ip        fc00::/6
    option dest_ip        fc00::/6
    option dest_port    546
    option family        ipv6
    option target        ACCEPT

config rule
    option name        Allow-MLD
    option src        wan
    option proto        icmp
    option src_ip        fe80::/10
    list icmp_type        '130/0'
    list icmp_type        '131/0'
    list icmp_type        '132/0'
    list icmp_type        '143/0'
    option family        ipv6
    option target        ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
    option name        Allow-ICMPv6-Input
    option src        wan
    option proto    icmp
    list icmp_type        echo-request
    list icmp_type        echo-reply
    list icmp_type        destination-unreachable
    list icmp_type        packet-too-big
    list icmp_type        time-exceeded
    list icmp_type        bad-header
    list icmp_type        unknown-header-type
    list icmp_type        router-solicitation
    list icmp_type        neighbour-solicitation
    list icmp_type        router-advertisement
    list icmp_type        neighbour-advertisement
    option limit        1000/sec
    option family        ipv6
    option target        ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
    option name        Allow-ICMPv6-Forward
    option src        wan
    option dest        *
    option proto        icmp
    list icmp_type        echo-request
    list icmp_type        echo-reply
    list icmp_type        destination-unreachable
    list icmp_type        packet-too-big
    list icmp_type        time-exceeded
    list icmp_type        bad-header
    list icmp_type        unknown-header-type
    option limit        1000/sec
    option family        ipv6
    option target        ACCEPT

config rule
    option name        Allow-IPSec-ESP
    option src        wan
    option dest        lan
    option proto        esp
    option target        ACCEPT

config rule
    option name        Allow-ISAKMP
    option src        wan
    option dest        lan
    option dest_port    500
    option proto        udp
    option target        ACCEPT

# include a file with users custom iptables rules
config include
    option path /etc/firewall.user


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#    option src        lan
#    option src_ip    192.168.45.2
#    option dest        wan
#    option proto    tcp
#    option target    REJECT

# block a specific mac on wan
#config rule
#    option dest        wan
#    option src_mac    00:11:22:33:44:66
#    option target    REJECT

# block incoming ICMP traffic on a zone
#config rule
#    option src        lan
#    option proto    ICMP
#    option target    DROP

# port redirect port coming in on wan to lan
#config redirect
#    option src            wan
#    option src_dport    80
#    option dest            lan
#    option dest_ip        192.168.16.235
#    option dest_port    80
#    option proto        tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#    option src        wan
#    option src_dport    22001
#    option dest        lan
#    option dest_port    22
#    option proto        tcp

### FULL CONFIG SECTIONS
#config rule
#    option src        lan
#    option src_ip    192.168.45.2
#    option src_mac    00:11:22:33:44:55
#    option src_port    80
#    option dest        wan
#    option dest_ip    194.25.2.129
#    option dest_port    120
#    option proto    tcp
#    option target    REJECT

#config redirect
#    option src        lan
#    option src_ip    192.168.45.2
#    option src_mac    00:11:22:33:44:55
#    option src_port        1024
#    option src_dport    80
#    option dest_ip    194.25.2.129
#    option dest_port    120
#    option proto    tcp

The firewall does nothing in a device where the only active network is br-lan. If you have an IP, netmask, gateway, and DNS set in the lan section of /etc/config/network, it should set up a default route via your gateway.

I run my dumb AP's as DHCP clients, so they are automatically configured from the main router. Then your /etc/config/network lan settings can be as simple as:

config interface 'lan'
    option ifname 'eth0'
    option type 'bridge'
    option proto 'dhcp'
    option hostname 'MR3420'

Your main router should provision the AP with an IP address, gateway, and DNS. If the main router is configured properly, you can now log in to the AP at hostname.lan, e.g. mr3420.lan. If this does not work, go to the main router's DHCP client status page to find the AP's IP address.
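As an added example, not code from the thread or from the OpenWrt project: a POSIX sh script that writes the two /etc/config/network variants recommended in this thread for a router used as a plain LAN device (mk24's static lan with option dns and no wan/wan6 sections, and the DHCP-client "dumb AP" form), plus a small check that parses route output for the default route that balanga's table was missing. The switch port numbering (ports 2 3 4 5 = yellow LAN ports, port 1 = blue Internet port, 0t = CPU) and the bridge member eth0.1 are taken from the posted config and are assumptions about this hardware; the hostname 'wdr3600-ap' is a constructed value.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt. Writes the two
# /etc/config/network variants suggested in the thread for a router used as a
# plain LAN device ("dumb AP"), and checks a routing table for a default route.
#
# Assumptions taken from the posted config (not verified against the hardware):
#   switch0 ports 2 3 4 5 = yellow LAN ports, port 1 = blue Internet port,
#   0t = tagged CPU port; the bridge member is eth0.1.
# The hostname 'wdr3600-ap' is a constructed value.

# write_lan_config MODE OUTFILE
#   static : fixed IP with gateway AND dns on lan, no wan/wan6 sections,
#            blue port moved into VLAN 1 so all five ports are LAN
#   dhcp   : lan takes IP, gateway and dns from the main router (pfSense here)
write_lan_config() {
    mode=$1
    out=$2
    case "$mode" in
        static|dhcp) ;;
        *) echo "usage: write_lan_config static|dhcp OUTFILE" >&2; return 1 ;;
    esac
    {
        cat <<'EOF'
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fdeb:4faf:d7b4::/48'

EOF
        if [ "$mode" = static ]; then
            cat <<'EOF'
config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'static'
    option ipaddr '192.168.1.3'
    option netmask '255.255.255.0'
    option gateway '192.168.1.1'
    option dns '192.168.1.1'
EOF
        else
            cat <<'EOF'
config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'dhcp'
    option hostname 'wdr3600-ap'
EOF
        fi
        # A single VLAN carrying all five ports: there is no wan interface to define.
        cat <<'EOF'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '1 2 3 4 5 0t'
EOF
    } > "$out"
}

# default_route_present < ROUTE_OUTPUT
#   Reads the output of `route` (or `route -n`) on stdin and succeeds only if a
#   default route (destination "default" or 0.0.0.0, flags containing G) exists.
#   The table balanga posted has only the 192.168.1.0/24 line, so it fails here.
default_route_present() {
    awk '($1 == "default" || $1 == "0.0.0.0") && $4 ~ /G/ { found = 1 }
         END { exit(found ? 0 : 1) }'
}

# Dry run on a workstation: sh dumb-ap.sh static ./network
# On the router: sh dumb-ap.sh static /etc/config/network && /etc/init.d/network restart
if [ $# -ge 2 ]; then
    write_lan_config "$1" "$2"
fi
```

Once the file is in place and the network restarted, `route | sh -c '. ./dumb-ap.sh; default_route_present' && echo ok` confirms the default route via 192.168.1.1 that mk24's table shows. With no wan interface defined, the firewall's wan zone has no members, so the masquerading and forwarding rules in the posted /etc/config/firewall simply never match; the device is managed from the LAN like any other host, which is why the thread's final advice needs no firewall change.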

The discussion might have continued from here.