OpenWrt Forum Archive

Topic: Archer C7 interface configuration issue

The content of this topic has been archived on 2 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have acquired a TP-Link Archer C7 (1.1) Router and successfully installed OpenWrt 15.05.1. I did not change much from the default configuration so far but am unfortunately unsuccessful in establishing the internet connection from my network devices to the outside world.
Our provider (Telekom) requires the WAN interface to be VLAN7 (for whatever reasons) and using that VLAN the router itself can establish said connection. Connection to the router via ssh allows me to ping google etc. But no matter what I try, the other devices on the network are in no case able to reach the outside world while having no trouble reaching each other or the router.
This is my current config:

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd0a:a5d6:c969::/48'

config interface 'lan'
        option force_link '1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.1'
        option type 'bridge'
        option ifname 'eth1'

config interface 'wan'
        option _orig_ifname 'eth0'
        option _orig_bridge 'false'
        option proto 'pppoe'
        option password 'barfoo'
        option username 'foobar@t-online.de'
        option ifname 'eth0.7'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option mirror_source_port '0'
        option mirror_monitor_port '0'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 2 3 4 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '7'
        option ports '1t 6t'

Changing anything about the ports tagging / VID in Vlan7 or adding eth0.7 to interface 'lan' results in lost connectivity of the router to the outside. Adding the ports 1 or 6 in any combination/tagging state to VLAN 1 changes nothing. Changing the 'lan' interface to use the physical device eth0.1 results in lost connectivity from any device to the router and I have to revert using safe_mode.

Any help in establishing a connection between my LAN devices and the VLAN7 WAN is greatly appreciated.

Did you configure the zone settings under the firewall menu?

I left them to their default settings

VLAN Tagging for WAN

Note that the WAN port is port #1 and connected to eth0.
To tag the WAN port create the VLAN ID under "Network ⇒ Switch" and assign it to "Port #1" and "Port #6". Under "Network ⇒ Interface" edit the "WAN" interface and for its "Physical Settings" use eth0.<VLAN ID>
Example: VLAN ID 7 for German Telekom VDSL would be eth0.7

https://wiki.openwrt.org/toh/tp-link/ar … ng_for_wan


Maybe this works.

Thanks for the reply but isn't this exactly what I did? I have my WAN interface which uses eth0.7 and allows me to ping the outside world from the router. I just can't get devices on the local network (who are able to reach the router) to reach the outside world as well.

(Last edited by Bowdzone on 8 Jan 2017, 13:14)

Yeah, so at least check the interface for correct zone settings. I am not sure if OpenWrt autocorrects these settings.

Sorry for the late reply but the firewall settings appear correct in their default state to me.
s23.postimg.org/djb34326j/Unbenannt1.png
s23.postimg.org/8yowp5ih7/Unbenannt2.png

(Too new, not allowed to post links here)

Unfortunately I am still having trouble with this. I went back to completely reset the OpenWrt Router and use my existing router not in modem but router mode so that the OpenWrt router can be kept as a DHCP client and I don't have to work with VLANs (for now). The issue still persists.

I use all default settings on the OpenWrt machine: It receives an IP address on the WAN interface from my other router. If I ssh onto it I can ping google and everything else in the world. Any other machine connected to the LAN interface obtains an IP address from it, is able to reach the OpenWrt router but nothing beyond it. There is no simpler test I can come up with, I have played around with all possible firewall settings but I simply cannot get this to work.

Any help is greatly appreciated.

I have a similar problem, but on my router the WAN interface is linked to a simple LAN with a DHCP server. The router gets an IP and route, but DNS is not working locally on the router or WLAN (router LAN not tested).

If the router can reach the internet, and the devices can reach the router, then the problem is unlikely to be inside the "network" configuration file. I would bet it is either a DNS problem (we need to see the "dhcpd" configuration file) or a forwarding problem (and we need to see the "firewall" configuration file).

You can also do some debugging from the clients: Can you ping an external server using a domain name ("ping www.google.com" will do)? Can you ping an external server using its IP address ("ping 8.8.8.8" will do)?

It's working if I manually add the DNS server.
If I have time I will search around dnsmasq and config files.
It's no IP forward problem. It seems the DNS server is not fetched from the lease information received by the WAN DHCP client.

Under the default configuration, OpenWrt should acquire DNSs from the upstream router on the WAN network (I guess that is working, as you have internet on the router), use those DNSs to configure the DNSMASQ daemon, and offer itself as a DNS to the devices on the LAN.

DNS does not seem to be the problem. Here is my ping response from a client (I had to strip parts of the google url as I am not allowed to post links)

ping google

Ping wird ausgeführt für google [2a00:1450:4016:804::2003] mit 32 Bytes Daten:
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.

Ping-Statistik für 2a00:1450:4016:804::2003:
    Pakete: Gesendet = 4, Empfangen = 0, Verloren = 4
    (100% Verlust),

ping 8.8.8.8

Ping wird ausgeführt für 8.8.8.8 mit 32 Bytes Daten:
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.

Ping-Statistik für 8.8.8.8:
    Pakete: Gesendet = 4, Empfangen = 0, Verloren = 4
    (100% Verlust),

Also my firewall config. As stated before I tried the default settings and then (only for testing) removed more and more restrictions to see if it makes any difference:

root@OpenWrt:/etc/config# cat firewall 

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option log '1'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option log '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option dest 'wan'
        option src 'lan'

config forwarding
        option dest 'lan'
        option src 'wan'

And my DHCP config which is completely default:

root@OpenWrt:/etc/config# cat dhcp 

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        option authoritative '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

(Last edited by Bowdzone on 2 Feb 2017, 08:33)

@dnkru: Could you please open your own thread? Just because the symptoms are similar does not mean that the cause is the same, and trying to debug two different issues on the same thread just makes everything very confusing.

@Bowdzone: That "firewall" does not seem like the default configuration: why are you masquerading on the LAN interface? Are you sure you want to ACCEPT on INPUT and FORWARD on the WAN interface?
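The settings questioned in the reply above (masquerading on the LAN zone, ACCEPT for input and forward on the WAN zone) can be checked mechanically. The following is an added example and not part of the original thread; the names `audit_firewall`, `relaxed_sample` and `default_sample` are made up here, and both sample inputs are constructed by trimming the two firewall configs posted in this topic.

```shell
# Added example, not from the thread: reads OpenWrt UCI firewall text on stdin
# and reports zone settings that are more permissive than the default config.
audit_firewall() {
    awk -v q="'" '
    function check() {
        if (sect == "zone" && o["name"] == "lan" && o["masq"] == "1")
            print "WARN zone lan: masq enabled (default masquerades on wan only)"
        if (sect == "zone" && o["name"] == "wan" && o["input"] == "ACCEPT")
            print "WARN zone wan: input ACCEPT (router services reachable from WAN)"
        if (sect == "zone" && o["name"] == "wan" && o["forward"] == "ACCEPT")
            print "WARN zone wan: forward ACCEPT (default is REJECT)"
        if (sect == "forwarding" && o["src"] == "wan")
            print "WARN forwarding wan -> " o["dest"] " (WAN-originated traffic forwarded)"
        if (sect == "forwarding" && o["src"] == "lan" && o["dest"] == "wan")
            lan_to_wan = 1
        split("", o)                        # portable way to empty the array
    }
    /^[ \t]*#/     { next }                      # comment line
    $1 == "config" { check(); sect = $2; next }  # a new section begins
    $1 == "option" { v = $3; gsub("[" q "\"]", "", v); o[$2] = v }
    END {
        check()
        if (!lan_to_wan) print "NOTE no lan -> wan forwarding entry found"
    }'
}

# Constructed sample: trimmed from the relaxed config posted in the thread.
relaxed_sample() {
    cat <<'EOF'
config zone
        option name 'lan'
        option masq '1'
config zone
        option name 'wan'
        option masq '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'
config forwarding
        option dest 'wan'
        option src 'lan'
config forwarding
        option dest 'lan'
        option src 'wan'
EOF
}
# Constructed sample: trimmed from the default config posted in the thread.
default_sample() {
    cat <<'EOF'
config zone
        option name             lan
        option forward          ACCEPT
config zone
        option name             wan
        option input            REJECT
        option forward          REJECT
        option masq             1
config forwarding
        option src              lan
        option dest             wan
EOF
}
relaxed_sample | audit_firewall    # four WARN lines
default_sample | audit_firewall    # prints nothing
```

On a router the same function can be fed the live file with `audit_firewall < /etc/config/firewall`.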

As stated, I played around with fewer restrictions and information I found in other topics. To be sure I completely reset the router again and use the default firewall config as shown below. The behaviour so far is exactly the same as before.

root@OpenWrt:~# cat /etc/config/firewall 
config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option src_ip           fe80::/10
        option src_port         547
        option dest_ip          fe80::/10
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# include a file with users custom iptables rules
config include
        option path /etc/firewall.user


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp

# allow IPsec/ESP and ISAKMP passthrough
config rule
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp

I see nothing wrong with your setup...

Are you sure the clients are using the OpenWrt device as a default gateway?
Can you disable the "mtu_fix" on the wan interface and try again?
Could you try with a traceroute instead of a ping, please?

I'm out of ideas here...

Thank you for the continuing support. The mtu_fix did not appear to have any influence. The default gateway looks correct to me as well and the traceroute did not reveal anything interesting really.

ipconfig

Windows-IP-Konfiguration


Ethernet-Adapter LAN-Verbindung:

   Verbindungsspezifisches DNS-Suffix: lan
   IPv6-Adresse. . . . . . . . . . . : fd0a:a5d6:c969::4ec
   Verbindungslokale IPv6-Adresse  . : fe80::f502:efcd:9746:7620%23
   IPv4-Adresse  . . . . . . . . . . : 192.168.1.113
   Subnetzmaske  . . . . . . . . . . : 255.255.255.0
   Standardgateway . . . . . . . . . : 192.168.1.1

tracert www.google.de

Routenverfolgung zu www.google.de [216.58.211.35]
über maximal 30 Hops:

  1    <1 ms    <1 ms    <1 ms  OpenWrt.lan [192.168.1.1]
  2     *        *        *     Zeitüberschreitung der Anforderung.
  3     *        *        *     Zeitüberschreitung der Anforderung.
  4     *        *        *     Zeitüberschreitung der Anforderung.
  5     *        *        *     Zeitüberschreitung der Anforderung.
  6     *        *        *     Zeitüberschreitung der Anforderung.
  7     *        *        *     Zeitüberschreitung der Anforderung.
  8     *        *        *     Zeitüberschreitung der Anforderung.
 

I have no experience with VLANs but they should not have any influence on this, should they?

Bowdzone wrote:

I have no experience with VLANs but they should not have any influence on this should they?

I see nothing wrong with your VLAN configuration, and the fact that it works from the router tells me that there is no issue there. However, I have reviewed your configuration again, and found something a bit more complicated than it should be.

You have configured the switch as:

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '7'
        option ports '1t 6t'

You are tagging the WAN interface (port 1) and also the ETH0 interface, and thus you configure your network as:

config interface 'wan'
        option proto 'pppoe'
        option password 'barfoo'
        option username 'foobar@t-online.de'
        option ifname 'eth0.7'

But you do not need to tag the internal interface, because your router has separated ETH0 and ETH1 for WAN and LAN; you could tag just the WAN interface:

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '7'
        option ports '1t 6'

And then you can simplify your network configuration to:

config interface 'wan'
        option proto 'pppoe'
        option password 'barfoo'
        option username 'foobar@t-online.de'
        option ifname 'eth0'

Anyway, this is not going to solve your issue...

EDIT: I have seen that your configuration is the recommended method on the wiki, so I could be wrong.

(Last edited by eduperez on 2 Feb 2017, 17:05)

As you correctly assumed, this did not solve my issue.

The discussion might have continued from here.