1 (edited by bebo 2017-07-10 12:44:23)

Topic: no routes with NAT over wifi

Hi all,
I installed Chaos Calmer 15.05 on my DLink DIR300.

I followed the instructions in the guide doc/recipes/routedclient#using_masquerade to create a NATed subnet behind the DLink: here is a basic schema

  WWW <-----------> MODEM+AP <---------------------> DLink DIR300 with OWRT <--------> devices
(internet)     ADSL                   192.168.1.1       192.168.1.9                    10.10.10.1     10.10.10.*

The steps performed have been (maybe it can be useful for someone else in the future, since the guide seems a bit outdated):

uci del wireless.@wifi-device[0].disabled
uci del wireless.@wifi-iface[0].network
uci set wireless.@wifi-iface[0].mode=sta
uci commit wireless
wifi

iwlist scan doesn't work anymore, so use:

iw dev wlan0 scan

or

killall -9 wpa_supplicant
iw dev wlan0 scan

in case a message 'resource is busy' appears.

I use the info retrieved to set up the connection to the modem+AP on the wan interface:

config wifi-device 'wlan0'
        option type       'mac80211'
        option channel    '12'
        option hwmode     '11g'
        option path       '10180000.wmac'
        option htmode     'HT20'

config wifi-iface
        option device     'wlan0'
        option network    'wan'
        option ssid       'Telecom-85785057'
        option encryption 'psk'
        option mode       'sta'
        option key        '***'

Then I set up my network interfaces with the following changes:

config interface 'lan'
        option ifname 'eth0.1'
        option force_link '1'
        option macaddr '14:d6:4d:83:40:2c'
        option type 'bridge'
        option proto 'static'
#        option ipaddr '192.168.1.1'
        option ipaddr '10.10.10.1'
        option gateway '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
#        option ifname 'eth0.2'
        option force_link '1'
        option macaddr '14:d6:4d:83:40:2d'
#        option proto 'dhcp'
        option proto 'static'
        option ipaddr '192.168.1.9'
        option gateway '192.168.1.1'
        option netmask '255.255.255.0'

Pay attention to comment out the ifname option in the config section of the wan interface!

Then I load the networks with:

/etc/init.d/network reload

Enable the wan interface:

ifup wan
wifi

Afterwards, I set up some rules in the firewall with:

# Create firewall rules and redirections in /etc/config/firewall

    config rule
            option name             Allow_SSH_from_WAN
            option src              wan
            option dest_ip          192.168.1.9/32
            option dest_port        22
            option proto            tcp
            option target           ACCEPT

    config redirect
            option name             Redir_LuCI
            option src              wan
            option src_sport        *
            option src_dport        8080
            option dest_ip          10.10.10.1
            option dest_port        80
            option proto            tcp

    config redirect
            option name             Redir_device1
            option src              wan
            option src_sport        *
            option src_dport        80
            option dest_ip          10.10.10.18
            option dest_port        80
            option proto            tcp

Load the new rules with:

/etc/init.d/firewall reload

The firewall rules work like a charm: being inside the 192.168.1.0/24 network I'm able to access the LuCi interface of the DLink OWRT at the address: 192.168.1.9:8080 as expected.

The problem is that, inside the NATed network, I cannot access the outside network or the internet. E.g. when I try to ping or connect to a webserver outside the NATed network I get:

# wget -q -O - 64.182.208.183:80
wget: can't connect to remote host (64.182.208.183): No route to host

(the result is the same even if I try to connect to a web server in the 192.168.1.0/24 network with # wget -q -O - 192.168.1.12:8080 )

The routing table is:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0

What am I missing? How should I implement a proper NAT?

Re: no routes with NAT over wifi

Hi all!
still facing this issue, and I don't understand what's wrong.

The routing table is the following:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0

but the funny part is that I can access the LuCi interface on the router and use the ssh connection using the redirecting rules applied in the firewall and I can access a webserver hosted in the NATed network at 10.10.10.19:80, so a route should exist in order for the packets to come back from the services in the 10.10.10.0/24 net to the 192.168.1.0/24 clients that requested them, right?

I do not know what and how to investigate further: any hint is appreciated.

Re: no routes with NAT over wifi

bebo wrote:

I can access a webserver hosted in the NATed network at 10.10.10.19:80.

From the 192.168.1.0/24 network, you mean? In that case you are NATting in the wrong direction. At least if you want to be able to access the 192.168.1.0/24 network from the 10.10.10.0/24 network.

Re: no routes with NAT over wifi

Hi Mijzelf,

I'm able to access the webserver located in the NATed network at 10.10.10.18:80 from the 192.168.1.0/24 network thanks to the firewall rule I set up:

    config redirect
            option name             Redir_device1
            option src              wan
            option src_sport        *
            option src_dport        80
            option dest_ip          10.10.10.18
            option dest_port        80
            option proto            tcp

and it works like a charm, as well as the other two rules inserted for redirection displayed in the first post.

I'm beginning to think that the "no route to host" error message doesn't represent the true cause of the problem, because the packets coming from the webserver can reach my device in the 192... network: could it be that the firewall is currently dropping all the other types of connections?
How can I implement a proper NAT mechanism that allows me to access the 192... network and the internet from the NATed network?

The complete /etc/config/firewall configuration is the following, note that I've only added the last three rules:

# cat /etc/config/firewall 
config defaults
    option syn_flood    1
    option input        ACCEPT
    option output        ACCEPT
    option forward        REJECT
# Uncomment this line to disable ipv6 rules
#    option disable_ipv6    1

config zone
    option name        lan
    list   network        'lan'
    option input        ACCEPT
    option output        ACCEPT
    option forward        ACCEPT

config zone
    option name        wan
    list   network        'wan'
    list   network        'wan6'
    option input        REJECT
    option output        ACCEPT
    option forward        REJECT
    option masq        1
    option mtu_fix        1

config forwarding
    option src        lan
    option dest        wan

#config forwarding
#        option src              wan
#        option dest             lan


# We need to accept udp packets on port 68,
# see dev. openwrt .org/ticket/4108
config rule
    option name        Allow-DHCP-Renew
    option src        wan
    option proto        udp
    option dest_port    68
    option target        ACCEPT
    option family        ipv4

# Allow IPv4 ping
config rule
    option name        Allow-Ping
    option src        wan
    option proto        icmp
    option icmp_type    echo-request
    option family        ipv4
    option target        ACCEPT

config rule
    option name        Allow-IGMP
    option src        wan
    option proto        igmp
    option family        ipv4
    option target        ACCEPT

# Allow DHCPv6 replies
# see dev. openwrt .org/ticket/10381
config rule
    option name        Allow-DHCPv6
    option src        wan
    option proto        udp
    option src_ip        fe80::/10
    option src_port        547
    option dest_ip        fe80::/10
    option dest_port    546
    option family        ipv6
    option target        ACCEPT

config rule
    option name        Allow-MLD
    option src        wan
    option proto        icmp
    option src_ip        fe80::/10
    list icmp_type        '130/0'
    list icmp_type        '131/0'
    list icmp_type        '132/0'
    list icmp_type        '143/0'
    option family        ipv6
    option target        ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
    option name        Allow-ICMPv6-Input
    option src        wan
    option proto    icmp
    list icmp_type        echo-request
    list icmp_type        echo-reply
    list icmp_type        destination-unreachable
    list icmp_type        packet-too-big
    list icmp_type        time-exceeded
    list icmp_type        bad-header
    list icmp_type        unknown-header-type
    list icmp_type        router-solicitation
    list icmp_type        neighbour-solicitation
    list icmp_type        router-advertisement
    list icmp_type        neighbour-advertisement
    option limit        1000/sec
    option family        ipv6
    option target        ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
    option name        Allow-ICMPv6-Forward
    option src        wan
    option dest        *
    option proto        icmp
    list icmp_type        echo-request
    list icmp_type        echo-reply
    list icmp_type        destination-unreachable
    list icmp_type        packet-too-big
    list icmp_type        time-exceeded
    list icmp_type        bad-header
    list icmp_type        unknown-header-type
    option limit        1000/sec
    option family        ipv6
    option target        ACCEPT

# include a file with users custom iptables rules
config include
    option path /etc/firewall.user





# do not allow a specific ip to access wan
#config rule
#    option src        lan
#    option src_ip    192.168.45.2
#    option dest        wan
#    option proto    tcp
#    option target    REJECT

# block a specific mac on wan
#config rule
#    option dest        wan
#    option src_mac    00:11:22:33:44:66
#    option target    REJECT

# block incoming ICMP traffic on a zone
#config rule
#    option src        lan
#    option proto    ICMP
#    option target    DROP

# port redirect port coming in on wan to lan
#config redirect
#    option src            wan
#    option src_dport    80
#    option dest            lan
#    option dest_ip        192.168.16.235
#    option dest_port    80
#    option proto        tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#    option src        wan
#    option src_dport    22001
#    option dest        lan
#    option dest_port    22
#    option proto        tcp

# allow IPsec/ESP and ISAKMP passthrough
config rule
    option src        wan
    option dest        lan
    option proto        esp
    option target        ACCEPT

config rule
    option src        wan
    option dest        lan
    option dest_port    500
    option proto        udp
    option target        ACCEPT

### FULL CONFIG SECTIONS
#config rule
#    option src        lan
#    option src_ip    192.168.45.2
#    option src_mac    00:11:22:33:44:55
#    option src_port    80
#    option dest        wan
#    option dest_ip    194.25.2.129
#    option dest_port    120
#    option proto    tcp
#    option target    REJECT

#config redirect
#    option src        lan
#    option src_ip    192.168.45.2
#    option src_mac    00:11:22:33:44:55
#    option src_port        1024
#    option src_dport    80
#    option dest_ip    194.25.2.129
#    option dest_port    120
#    option proto    tcp

#### manual additions

    config rule
            option name             Allow_SSH_from_WAN
            option src              wan
            option dest_ip          192.168.1.9/32
            option dest_port        22
            option proto            tcp
            option target           ACCEPT

    config redirect
            option name             Redir_LuCI
            option src              wan
            option src_sport        *
            option src_dport        8080
            option dest             lan
            option dest_ip          10.10.10.1
            option dest_port        80
            option proto            tcp

    config redirect
            option name             Redir_batteries
            option src              wan
            option src_sport        *
            option src_dport        80
            option dest             lan
            option dest_ip          10.10.10.18
            option dest_port        80
            option proto            tcp

    config redirect
            option name             Redir_inverter
            option src              wan
            option src_sport        *
            option src_dport        12345
            option dest             lan
            option dest_ip          10.10.10.19
            option dest_port        80
            option proto            tcp

Re: no routes with NAT over wifi

I think the problem is here:

config interface 'lan'
        option ifname 'eth0.1'
<snip>
        option ipaddr '10.10.10.1'
        option gateway '192.168.1.1'

That gateway is wrong. Interface 'lan' doesn't have a gateway.

6 (edited by bebo 2017-07-20 12:12:07)

Re: no routes with NAT over wifi

You were right, and your suggestion partially solved the problem.

Now I'm able to ping and contact the devices on the 192.168.1.0/24 network, but not other addresses on internet.

root@OpenWrt:~# /etc/init.d//network reload
root@OpenWrt:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0
root@OpenWrt:~# ifup wan
root@OpenWrt:~# wifi
root@OpenWrt:~# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=2.002 ms
64 bytes from 192.168.1.1: seq=1 ttl=64 time=1.516 ms
64 bytes from 192.168.1.1: seq=2 ttl=64 time=1.486 ms
64 bytes from 192.168.1.1: seq=3 ttl=64 time=1.449 ms
64 bytes from 192.168.1.1: seq=4 ttl=64 time=1.509 ms
^C
--- 192.168.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.449/1.592/2.002 ms

root@OpenWrt:~# ping 192.168.1.12
PING 192.168.1.12 (192.168.1.12): 56 data bytes
64 bytes from 192.168.1.12: seq=0 ttl=64 time=3.161 ms
64 bytes from 192.168.1.12: seq=1 ttl=64 time=2.681 ms
^C
--- 192.168.1.12 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 2.681/2.921/3.161 ms

root@OpenWrt:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C
--- 8.8.8.8 ping statistics ---
13 packets transmitted, 0 packets received, 100% packet loss

Moreover, I can "browse" the modem+router webpage with

root@OpenWrt:~# wget -O - 192.168.1.1:80
Connecting to 192.168.1.1:80 (192.168.1.1:80)
-                    100% |*************************************************************************************************************|  5392   0:00:00 ETA
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "...">
<html>
<head>

but it seems that it can't route packets to other addresses on the 192../24 subnet, e.g. I cannot contact a webserver I opened on my own pc, even though I'm able to ping it!

root@OpenWrt:~# wget -O - 192.168.1.12:8000
Connecting to 192.168.1.12:8000 (192.168.1.12:8000)
wget: can't connect to remote host (192.168.1.12): No route to host

root@OpenWrt:~# ping 192.168.1.12
PING 192.168.1.12 (192.168.1.12): 56 data bytes
64 bytes from 192.168.1.12: seq=0 ttl=64 time=4.115 ms
64 bytes from 192.168.1.12: seq=1 ttl=64 time=2.608 ms
...

This is the output of the firewall reload:

root@OpenWrt:~# /etc/init.d/firewall reload
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Option @redirect[0].src_sport is unknown
Warning: Section @redirect[0] (Redir_LuCI) has no target specified, defaulting to DNAT
Warning: Section @redirect[0] (Redir_LuCI) refers to a destination address on this router, assuming port redirection
Warning: Option @redirect[1].src_sport is unknown
Warning: Section @redirect[1] (Redir_batteries) has no target specified, defaulting to DNAT
Warning: Option @redirect[2].src_sport is unknown
Warning: Section @redirect[2] (Redir_inverter) has no target specified, defaulting to DNAT
 * Clearing IPv4 filter table
 * Clearing IPv4 nat table
 * Clearing IPv4 mangle table
 * Clearing IPv4 raw table
 * Populating IPv4 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow_SSH_from_WAN'
   * Rule #8
   * Rule #9
   * Redirect 'Redir_LuCI'
   * Redirect 'Redir_batteries'
   * Redirect 'Redir_inverter'
   * Forward 'lan' -> 'wan'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
   * Redirect 'Redir_LuCI'
   * Redirect 'Redir_batteries'
   * Redirect 'Redir_inverter'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 raw table
   * Zone 'lan'
   * Zone 'wan'
 * Clearing IPv6 filter table
 * Clearing IPv6 mangle table
 * Clearing IPv6 raw table
 * Populating IPv6 filter table
   * Zone 'lan'
   * Zone 'wan'
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow_SSH_from_WAN'
     ! Skipping due to different family of ip address
   * Rule #8
   * Rule #9
   * Forward 'lan' -> 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 raw table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on

maybe you guys can find out some misplaced rule.
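Added example, not code from the thread: a small linter for the UCI files discussed in this thread. It flags exactly what bebo ran into, the gateway on 'lan' (Mijzelf's diagnosis in the previous post), the unknown 'src_sport' redirect option (the fw3 reload warnings above) and an 'ifname' left on a wan interface that a wifi sta also attaches to (the note in the first post). The sample configs embedded below are constructed from the thread's own excerpts; the function names and message texts are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: a linter for the UCI files discussed
# above. It flags what this thread ran into: a gateway on 'lan' (Mijzelf's
# diagnosis), the unknown 'src_sport' redirect option (the fw3 reload warnings)
# and an 'ifname' left on a wan that a wifi sta also attaches to (the first
# post's note). The sample configs are constructed from the thread's excerpts.

# Flatten a UCI file into TAB-separated "idx type name key value" records.
# Comment lines (such as the '#  option ...' lines in the thread) are dropped.
uci_flatten() {
    awk -v q="'" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "config" { n++; type = $2; name = $3; gsub(q, "", name); next }
        $1 == "option" || $1 == "list" {
            key = $2; $1 = ""; $2 = ""; sub(/^[ \t]+/, ""); val = $0; gsub(q, "", val)
            printf "%d\t%s\t%s\t%s\t%s\n", n, type, name, key, val
        }' "$1"
}

# lint_network NETWORK_FILE WIRELESS_FILE
lint_network() {
    # names of the networks that a wifi-iface in sta mode attaches to
    sta=$(uci_flatten "$2" | awk -F'\t' '
        $2 == "wifi-iface" { o[$1 "." $4] = $5; if ($1 + 0 > n) n = $1 + 0 }
        END { for (s = 1; s <= n; s++) if (o[s ".mode"] == "sta") printf "%s ", o[s ".network"] }')
    uci_flatten "$1" | awk -F'\t' -v sta=" $sta" '
        $2 != "interface" { next }
        !($3 in seen) { seen[$3] = 1; order[++n] = $3 }
        { opt[$3 "." $4] = $5 }
        END {
            for (k = 1; k <= n; k++) {
                i = order[k]
                if (i != "wan" && i != "wan6" && (i ".gateway") in opt)
                    printf "ERROR %s: gateway %s on a non-upstream interface; only wan carries a gateway\n", i, opt[i ".gateway"]
                if (index(sta, " " i " ") && (i ".ifname") in opt && opt[i ".type"] != "bridge")
                    printf "WARN %s: ifname %s plus a wifi sta on the same non-bridge interface; drop ifname\n", i, opt[i ".ifname"]
            }
        }'
}

# lint_firewall FIREWALL_FILE ROUTER_LAN_IP
lint_firewall() {
    uci_flatten "$1" | awk -F'\t' -v self="$2" '
        { sect[$1] = $2; opt[$1 "." $4] = $5; if ($1 + 0 > n) n = $1 + 0 }
        END {
            for (s = 1; s <= n; s++) {
                if (sect[s] == "forwarding" && opt[s ".src"] == "lan" && opt[s ".dest"] == "wan") lan2wan = 1
                if (sect[s] != "redirect") continue
                nm = opt[s ".name"]
                if ((s ".src_sport") in opt)
                    printf "WARN %s: option src_sport is unknown to fw3 (the source-port match is src_port); drop it\n", nm
                if (!((s ".target") in opt))
                    printf "INFO %s: no target, fw3 defaults to DNAT\n", nm
                if (opt[s ".dest_ip"] == self)
                    printf "INFO %s: dest_ip is this router, fw3 treats it as a local port redirection\n", nm
            }
            if (!lan2wan) print "ERROR no forwarding lan -> wan: NAT clients cannot reach upstream"
        }'
}

sample_network() { cat <<'EOF'
config interface 'lan'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '10.10.10.1'
        option gateway '192.168.1.1'

config interface 'wan'
#        option ifname 'eth0.2'
        option proto 'static'
        option ipaddr '192.168.1.9'
        option gateway '192.168.1.1'
EOF
}
sample_wireless() { cat <<'EOF'
config wifi-iface
        option device 'wlan0'
        option network 'wan'
        option mode 'sta'
EOF
}
sample_firewall() { cat <<'EOF'
config zone
        option name lan
config zone
        option name wan
config forwarding
        option src lan
        option dest wan
config redirect
        option name Redir_LuCI
        option src wan
        option src_sport *
        option src_dport 8080
        option dest_ip 10.10.10.1
EOF
}

main() {
    net=$(mktemp); wifi=$(mktemp); fw=$(mktemp)
    sample_network >"$net"; sample_wireless >"$wifi"; sample_firewall >"$fw"
    lint_network "$net" "$wifi"; lint_firewall "$fw" 10.10.10.1
    rm -f "$net" "$wifi" "$fw"
}
main
```

On the router itself the same functions can be pointed at /etc/config/network, /etc/config/wireless and /etc/config/firewall. Note that the Allow_SSH_from_WAN rule and the redirects open SSH and the LuCI web interface to the wan zone; that is acceptable while the wan zone is the trusted 192.168.1.0/24 home LAN behind the ISP router, but the same rules on an Internet-facing wan would expose the router's management interfaces.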

Re: no routes with NAT over wifi

Any more hints?

Re: no routes with NAT over wifi

As you can ping the clients in the 192.168.1.0/24 subnet, I think there is no routing issue for that subnet in your DLink.
For 8.8.8.8 you can try a traceroute.

For TCP accessing 192.168.1.0/24, my first idea is that it's somehow blocked in your 'MODEM+AP' (which of course also contains a router+firewall).

Re: no routes with NAT over wifi

Hi Mijzelf, sorry for the late reply. I'm going to set up a dynamic dns to be able to reach the internal network from the internet.

# traceroute -n 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
 1  192.168.1.1  3.005 ms !C  1.422 ms !C  2.093 ms !C

# traceroute -n 192.168.1.43
traceroute to 192.168.1.43 (192.168.1.43), 30 hops max, 38 byte packets
 1  192.168.1.43  2.897 ms !C  2.907 ms !C  3.985 ms !C

It seems that ICMP isn't filtered by the openwrt router: this makes me believe it's something related to a restrictive firewall that blocks TCP connections.

I've spawned a simple http server on the laptop (IP 192.168.1.43/24) I'm using to connect to the router (through ssh), which has IP 192.168.1.9/24 in the inner network, and 10.10.10.1 in the NAT-ted network, and I tried downloading using wget:

# wget 192.168.1.43:8000
Connecting to 192.168.1.43:8000 (192.168.1.43:8000)
wget: can't connect to remote host (192.168.1.43): No route to host

Here's also my iptables, maybe you or someone else is able to spot a problem that does not allow my NAT-ted router to talk with other networks:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
delegate_input  all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
delegate_forward  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
delegate_output  all  --  anywhere             anywhere            

Chain delegate_forward (1 references)
target     prot opt source               destination         
forwarding_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
zone_lan_forward  all  --  anywhere             anywhere            
zone_wan_forward  all  --  anywhere             anywhere            
zone_wan_forward  all  --  anywhere             anywhere            
reject     all  --  anywhere             anywhere            

Chain delegate_input (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
input_rule  all  --  anywhere             anywhere             /* user chain for input */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
syn_flood  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
zone_lan_input  all  --  anywhere             anywhere            
zone_wan_input  all  --  anywhere             anywhere            
zone_wan_input  all  --  anywhere             anywhere            

Chain delegate_output (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
output_rule  all  --  anywhere             anywhere             /* user chain for output */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
zone_lan_output  all  --  anywhere             anywhere            
zone_wan_output  all  --  anywhere             anywhere            
zone_wan_output  all  --  anywhere             anywhere            

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination         

Chain forwarding_rule (1 references)
target     prot opt source               destination         

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination         

Chain input_lan_rule (1 references)
target     prot opt source               destination         

Chain input_rule (1 references)
target     prot opt source               destination         

Chain input_wan_rule (1 references)
target     prot opt source               destination         

Chain output_lan_rule (1 references)
target     prot opt source               destination         

Chain output_rule (1 references)
target     prot opt source               destination         

Chain output_wan_rule (1 references)
target     prot opt source               destination         

Chain reject (5 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination         
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP       all  --  anywhere             anywhere            

Chain zone_lan_dest_ACCEPT (4 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain zone_lan_forward (1 references)
target     prot opt source               destination         
forwarding_lan_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* forwarding lan -> wan */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port forwards */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere            

Chain zone_lan_input (1 references)
target     prot opt source               destination         
input_lan_rule  all  --  anywhere             anywhere             /* user chain for input */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port redirections */
zone_lan_src_ACCEPT  all  --  anywhere             anywhere            

Chain zone_lan_output (1 references)
target     prot opt source               destination         
output_lan_rule  all  --  anywhere             anywhere             /* user chain for output */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere            

Chain zone_lan_src_ACCEPT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain zone_wan_dest_ACCEPT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain zone_wan_dest_REJECT (1 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere            
reject     all  --  anywhere             anywhere            

Chain zone_wan_forward (2 references)
target     prot opt source               destination         
forwarding_wan_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
zone_lan_dest_ACCEPT  esp  --  anywhere             anywhere             /* @rule[8] */
zone_lan_dest_ACCEPT  udp  --  anywhere             anywhere             udp dpt:isakmp /* @rule[9] */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port forwards */
zone_wan_dest_REJECT  all  --  anywhere             anywhere            

Chain zone_wan_input (2 references)
target     prot opt source               destination         
input_wan_rule  all  --  anywhere             anywhere             /* user chain for input */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc /* Allow-DHCP-Renew */
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request /* Allow-Ping */
ACCEPT     igmp --  anywhere             anywhere             /* Allow-IGMP */
ACCEPT     tcp  --  anywhere             192.168.1.9          tcp dpt:ssh /* Allow_SSH_from_WAN */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port redirections */
zone_wan_src_REJECT  all  --  anywhere             anywhere            

Chain zone_wan_output (2 references)
target     prot opt source               destination         
output_wan_rule  all  --  anywhere             anywhere             /* user chain for output */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere            

Chain zone_wan_src_REJECT (1 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere            
reject     all  --  anywhere             anywhere

Mijzelf wrote:

For TCP accessing 192.168.1.0/24, my first idea is that it's somehow blocked in your 'MODEM+AP' (which of course also contains a router+firewall).

It shouldn't be related to the main Modem+Router my ISP gave me: I haven't touched anything, and I have minimal control over it.
Moreover, I tried disabling its firewall protection, which "disables control over TCP/UDP ports ...", for a second, but still I wasn't able to ping the internet (while I was still able to ping the 192.168.1.0/24 network) and I wasn't able to download anything either from the inner 192.../24 network or from the internet.

Many thanks for your help guys!
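Added example, not code from the thread: a script that reads `iptables -L` output of the kind pasted above and resolves, per zone, what the FORWARD path does with a new packet from that zone that matches none of the specific rules (ctstate, protocol or port matches are skipped, so the result is the zone's default forward verdict). The "before" sample is transcribed from the dump in this post with the empty user chains omitted; the "after" sample is derived from it by the changes visible in the next post's dump (FORWARD policy ACCEPT, no trailing reject in delegate_forward, zone_wan_dest_REJECT no longer referenced). That zone_wan_forward now ends in zone_wan_dest_ACCEPT is an assumption inferred from the reference counts in that dump, not something the page shows directly. The function and sample names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: resolve, from 'iptables -L' output of
# the kind pasted above, what the FORWARD path does with a new packet from a
# given zone that matches none of the specific rules. The "before" sample is
# transcribed from this post's dump (empty user chains omitted); the "after"
# sample is derived from it by the changes visible in the next post's dump; the
# last-rule swap in zone_wan_forward is an assumption from the reference counts.

# forward_verdicts "zone ..."  < iptables-L-output
forward_verdicts() {
    awk -v zones="$1" '
        # Walk a chain for a generic packet from the given zone; "" = fell through.
        function verdict(chain, zone,   i, t, v) {
            for (i = 1; i <= nrules[chain]; i++) {
                if (cond[chain, i]) continue
                t = target[chain, i]
                if (t ~ /^zone_.*_forward$/ && t != ("zone_" zone "_forward")) continue
                if (t == "ACCEPT" || t == "DROP" || t == "REJECT") return t
                if (t == "RETURN") return ""
                if (t in ischain) { v = verdict(t, zone); if (v != "") return v }
            }
            return ""
        }
        /^Chain / { chain = $2; ischain[chain] = 1
                    if ($3 == "(policy") policy[chain] = substr($4, 1, length($4) - 1)
                    next }
        /^target / || NF == 0 { next }
        {   line = $0
            sub(/\/\*.*\*\//, "", line)            # rule comments are not matches
            sub(/reject-with [^ ]+/, "", line)     # neither are REJECT target options
            n = split(line, f, " ")
            r = ++nrules[chain]
            target[chain, r] = f[1]
            cond[chain, r] = (f[2] != "all" || n > 5)   # proto or extra match => specific rule
        }
        END {
            nz = split(zones, z, " ")
            for (i = 1; i <= nz; i++) {
                v = verdict("FORWARD", z[i])
                printf "%s -> forward: %s\n", z[i], (v != "" ? v : "policy " policy["FORWARD"])
            }
        }'
}

sample_before() { cat <<'EOF'
Chain FORWARD (policy DROP)
target     prot opt source               destination
delegate_forward  all  --  anywhere             anywhere

Chain delegate_forward (1 references)
target     prot opt source               destination
forwarding_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
zone_lan_forward  all  --  anywhere             anywhere
zone_wan_forward  all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere

Chain reject (5 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain zone_lan_dest_ACCEPT (4 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain zone_lan_forward (1 references)
target     prot opt source               destination
forwarding_lan_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* forwarding lan -> wan */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port forwards */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere

Chain zone_wan_dest_ACCEPT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain zone_wan_dest_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere

Chain zone_wan_forward (2 references)
target     prot opt source               destination
forwarding_wan_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
zone_lan_dest_ACCEPT  udp  --  anywhere             anywhere             udp dpt:isakmp /* @rule[9] */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port forwards */
zone_wan_dest_REJECT  all  --  anywhere             anywhere
EOF
}
# "after": FORWARD policy ACCEPT, no trailing reject in delegate_forward, and the
# wan zone's forward chain ending in zone_wan_dest_ACCEPT instead of _REJECT.
sample_after() {
    sample_before | sed -e 's/^Chain FORWARD (policy DROP)/Chain FORWARD (policy ACCEPT)/' \
        -e '/^reject /d' -e 's/^zone_wan_dest_REJECT /zone_wan_dest_ACCEPT /'
}
main() {
    echo "before:"; sample_before | forward_verdicts "lan wan"
    echo "after:";  sample_after  | forward_verdicts "lan wan"
}
main
```

Read against the two dumps, the "before" rules already forward lan -> wan (ACCEPT) and reject unsolicited wan -> lan, so the port redirects were the only way from the 192.168.1.0/24 side into 10.10.10.0/24. After the change in the next post, wan -> lan resolves to ACCEPT and the FORWARD policy itself is ACCEPT, so any wan-side host with a route to 10.10.10.0/24 via 192.168.1.9 can reach every device behind the NAT directly, and anything not matched by a rule is forwarded. That is tolerable while the wan zone is the home LAN behind the ISP router; on an Internet-facing wan it would expose the whole inner network.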

10 (edited by bebo 2017-10-14 01:20:13)

Re: no routes with NAT over wifi

Actually I've seen on LuCi in the Firewall page that the general setting for forward was reject, and the NAT settings for input and forward were set to reject.
I switched them to reject, saved, and did a

# /etc/init.d/firewall reload

Now my iptables is as following:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
delegate_input  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
delegate_forward  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
delegate_output  all  --  anywhere             anywhere            

Chain delegate_forward (1 references)
target     prot opt source               destination         
forwarding_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
zone_lan_forward  all  --  anywhere             anywhere            
zone_wan_forward  all  --  anywhere             anywhere            
zone_wan_forward  all  --  anywhere             anywhere            

Chain delegate_input (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
input_rule  all  --  anywhere             anywhere             /* user chain for input */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
syn_flood  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
zone_lan_input  all  --  anywhere             anywhere            
zone_wan_input  all  --  anywhere             anywhere            
zone_wan_input  all  --  anywhere             anywhere            

Chain delegate_output (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
output_rule  all  --  anywhere             anywhere             /* user chain for output */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
zone_lan_output  all  --  anywhere             anywhere            
zone_wan_output  all  --  anywhere             anywhere            
zone_wan_output  all  --  anywhere             anywhere            

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination         

Chain forwarding_rule (1 references)
target     prot opt source               destination         

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination         

Chain input_lan_rule (1 references)
target     prot opt source               destination         

Chain input_rule (1 references)
target     prot opt source               destination         

Chain input_wan_rule (1 references)
target     prot opt source               destination         

Chain output_lan_rule (1 references)
target     prot opt source               destination         

Chain output_rule (1 references)
target     prot opt source               destination         

Chain output_wan_rule (1 references)
target     prot opt source               destination         

Chain reject (0 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination         
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP       all  --  anywhere             anywhere            

Chain zone_lan_dest_ACCEPT (4 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain zone_lan_forward (1 references)
target     prot opt source               destination         
forwarding_lan_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* forwarding lan -> wan */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port forwards */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere            

Chain zone_lan_input (1 references)
target     prot opt source               destination         
input_lan_rule  all  --  anywhere             anywhere             /* user chain for input */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port redirections */
zone_lan_src_ACCEPT  all  --  anywhere             anywhere            

Chain zone_lan_output (1 references)
target     prot opt source               destination         
output_lan_rule  all  --  anywhere             anywhere             /* user chain for output */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere            

Chain zone_lan_src_ACCEPT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain zone_wan_dest_ACCEPT (3 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain zone_wan_forward (2 references)
target     prot opt source               destination         
forwarding_wan_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
zone_lan_dest_ACCEPT  esp  --  anywhere             anywhere             /* @rule[8] */
zone_lan_dest_ACCEPT  udp  --  anywhere             anywhere             udp dpt:isakmp /* @rule[9] */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port forwards */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere            

Chain zone_wan_input (2 references)
target     prot opt source               destination         
input_wan_rule  all  --  anywhere             anywhere             /* user chain for input */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc /* Allow-DHCP-Renew */
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request /* Allow-Ping */
ACCEPT     igmp --  anywhere             anywhere             /* Allow-IGMP */
ACCEPT     tcp  --  anywhere             192.168.1.9          tcp dpt:ssh /* Allow_SSH_from_WAN */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* Accept port redirections */
zone_wan_src_ACCEPT  all  --  anywhere             anywhere            

Chain zone_wan_output (2 references)
target     prot opt source               destination         
output_wan_rule  all  --  anywhere             anywhere             /* user chain for output */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere            

Chain zone_wan_src_ACCEPT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere  

but still I cannot ping the outside nor download anything.

Re: no routes with NAT over wifi

Hi all!

Mijzelf wrote:

my first idea it that it's somehow blocked in your 'MODEM+AP' (which of course also contains a router+firewall).

You were right Mijzelf! The problem was that the modem my ISP gave me was restricting the communication with the outside world to a certain range of IPs.
Other than the DHCP range of addresses config, it has a range of addresses on which to perform the NAT: it was set to start from 192.168.1.10 up to .254, and the IP of the owrt router was 192.168.1.9.
Once I lowered it to start NATting from .2 it started navigating smoothly!

Thanks again guys for your help and patience, you rock :)
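The root cause in this thread was a downstream router whose static address on the ISP LAN (192.168.1.9) fell outside the modem's NAT pool (.10 to .254). The following POSIX shell script is an added example, not code from the thread or from OpenWrt, that checks a planned static WAN address against the upstream NAT pool and DHCP pool before committing it. The NAT pool bounds and the 192.168.1.9 address come from the thread; the DHCP pool (.100 to .199) is an assumed value and should be replaced with the modem's actual range. It runs under busybox ash on the router itself as well as under dash or bash.

```shell
#!/bin/sh
# Added example (not part of the thread): verify that a downstream router's
# static address on the upstream LAN sits inside the modem's NAT pool and
# outside its DHCP pool. Works under busybox ash, dash and bash.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 when $1 lies within the inclusive range $2..$3.
in_range() {
    ip=$(ip2int "$1"); lo=$(ip2int "$2"); hi=$(ip2int "$3")
    [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]
}

# check_wan_ip ADDR NAT_LO NAT_HI DHCP_LO DHCP_HI
# Prints one verdict word and returns non-zero when the address is unusable:
#   outside-nat : the modem will not translate traffic from ADDR (this thread's bug)
#   in-dhcp     : ADDR may also be leased to another client, causing a conflict
#   ok          : translated by the modem and clear of the dynamic pool
check_wan_ip() {
    addr=$1 nat_lo=$2 nat_hi=$3 dhcp_lo=$4 dhcp_hi=$5
    if ! in_range "$addr" "$nat_lo" "$nat_hi"; then
        echo outside-nat; return 1
    fi
    if in_range "$addr" "$dhcp_lo" "$dhcp_hi"; then
        echo in-dhcp; return 2
    fi
    echo ok
}

# Values from the thread: OpenWrt WAN 192.168.1.9, modem NAT pool .10-.254,
# then the fix that moved the pool start down to .2.
# The DHCP pool (.100-.199) is an assumption; substitute the modem's real one.
main() {
    echo "before fix: $(check_wan_ip 192.168.1.9 192.168.1.10 192.168.1.254 192.168.1.100 192.168.1.199)"
    echo "after fix:  $(check_wan_ip 192.168.1.9 192.168.1.2  192.168.1.254 192.168.1.100 192.168.1.199)"
}

main "$@"
```

The same check applies whenever a router is placed behind a consumer modem with a fixed address: an address the modem will not translate simply has no path out, and nothing in the OpenWrt firewall dump above would reveal it, because the packets are leaving the box correctly. One caveat worth keeping in mind with this topology is that the OpenWrt box shares the ISP LAN with every other client of the modem, so whatever its wan zone accepts (for instance the Allow_SSH_from_WAN rule above, which answers on 192.168.1.9 to any source in that zone) is reachable from all of those hosts, not only from the modem.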