Opened 3 years ago

Last modified 3 years ago

#18027 new defect

Lan does not forward to Wan on Barrier Breaker with Buffalo WZR-HP-G300NH

Reported by: jmdorfman@…
Owned by: developers
Priority: normal
Milestone: Barrier Breaker 14.07
Component: packages
Version: Trunk
Keywords:
Cc:

Description

This means any device that connects to my router cannot access the internet. I can ping the internet and computers on my lan from the router. Thanks for any help!

Network and firewall config file below.

Network config file:
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config interface 'lan'
    option ifname 'eth0'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'

config interface 'wan'
    option proto 'dhcp'
    option ifname 'eth1'
    option dns '208.67.222.222 208.67.220.220'
    option peerdns '0'

config switch
    option name 'rtl8366s'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'rtl8366s'
    option vlan '1'
    option ports '0 1 2 3 5'

Firewall config file:
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option drop_invalid '1'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config rule
    option src 'lan'
    option proto 'tcp'
    option dest_port '9100'
    option target 'ACCEPT'

config rule
    option src 'lan'
    option proto 'tcp'
    option dest_port '5000'
    option target 'ACCEPT'

Change History (12)

comment:1 Changed 3 years ago by anonymous

There is nothing in here of importance, post ifconfig, does wan get a correct ip and gw? Also post route. Besides what are these two rules for accepting 9100 and 5000 on lan? Sure you didn't mean wan?

comment:2 Changed 3 years ago by anonymous

There is nothing in here of importance, post ifconfig, does wan get a correct ip and gw? Also post route. Besides what are these two rules for accepting 9100 and 5000 on lan? Sure you didn't mean wan?

comment:3 Changed 3 years ago by jmdorfman@…

Thanks for the response.

Okay, below is ifconfig output. The wan (eth1) does get an ip. Not sure if the wan gets gw as I am not sure what that is. The wan gets its IP from my dsl modem via DHCP.

See route below ifconfig output. The rule for the 9100 port is to allow traffic to the p910nd printer daemon. I can't remember what the 5000 port was for. I tried disabling both the 9100 and 5000 rule, but still could not connect to the internet with a computer on the lan.

One last thing, I just upgraded from Attitude_Adjustment keeping all my settings except for updating the src/gz for the opkg.conf. Everything worked fine in Attitude_Adjustment....

ifconfig output:
br-lan Link encap:Ethernet HWaddr 00:1D:73:B2:83:B8
    inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
    inet6 addr: fe80::21d:73ff:feb2:83b8/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:122448 errors:0 dropped:0 overruns:0 frame:0
    TX packets:99946 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:13059165 (12.4 MiB) TX bytes:12135556 (11.5 MiB)

eth0 Link encap:Ethernet HWaddr 00:1D:73:B2:83:B8
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:59176 errors:0 dropped:7 overruns:3341 frame:0
    TX packets:49099 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:12859786 (12.2 MiB) TX bytes:11556560 (11.0 MiB)
    Interrupt:4

eth1 Link encap:Ethernet HWaddr 00:1D:73:B2:83:B9
    inet addr:192.168.1.188 Bcast:192.168.1.255 Mask:255.255.255.0
    inet6 addr: fe80::21d:73ff:feb2:83b9/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:59609 errors:0 dropped:0 overruns:0 frame:0
    TX packets:27207 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:9111328 (8.6 MiB) TX bytes:3067734 (2.9 MiB)
    Interrupt:5

lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:65536 Metric:1
    RX packets:1662 errors:0 dropped:0 overruns:0 frame:0
    TX packets:1662 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:213947 (208.9 KiB) TX bytes:213947 (208.9 KiB)

wlan0 Link encap:Ethernet HWaddr 00:1D:73:B2:83:B8
    inet6 addr: fe80::21d:73ff:feb2:83b8/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:89276 errors:0 dropped:0 overruns:0 frame:0
    TX packets:87992 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:8412281 (8.0 MiB) TX bytes:10568037 (10.0 MiB)

route output:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.254 0.0.0.0 UG 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
192.168.2.0 * 255.255.255.0 U 0 0 0 br-lan

comment:4 Changed 3 years ago by jmdorfman@…

Also, here is my sysctl.conf file:

kernel.panic=3
net.ipv4.conf.default.arp_ignore=1
net.ipv4.conf.all.arp_ignore=1
net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_ecn=0
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_sack=1
net.ipv4.tcp_dsack=1

net.ipv6.conf.all.forwarding=1

net.netfilter.nf_conntrack_acct=1
net.netfilter.nf_conntrack_checksum=0
net.netfilter.nf_conntrack_max=16384
net.netfilter.nf_conntrack_tcp_timeout_established=3600
net.netfilter.nf_conntrack_udp_timeout=60
net.netfilter.nf_conntrack_udp_timeout_stream=180

# disable bridge firewalling by default
net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0

comment:5 Changed 3 years ago by anonymous

Did the clients have the correct gateway set to your router's IP, do they have DNS? Try changing DNS to 8.8.8.8 on the clients. This isn't an OpenWRT problem, it's a user problem, you should ask in the forums instead.

comment:6 Changed 3 years ago by jmdorfman@…

Okay, if you think it is a user problem, I can move it to the forums. I do believe I have the correct gateway and DNS on the client though. Here is detailed info from the client (Windows 7):

Property (Value)
Connection-specific DNS Suffix (lan)
Description (Atheros AR9287 Wireless Network Adapter)
Physical Address (CC-AF-78-B2-BA-B6)
DHCP Enabled (Yes)
IPv4 Address (192.168.2.126)
IPv4 Subnet Mask (255.255.255.0)
Lease Obtained (Sunday, October 05, 2014 1:00:34 AM)
Lease Expires (Sunday, October 05, 2014 1:00:34 PM)
IPv4 Default Gateway (192.168.2.1)
IPv4 DHCP Server (192.168.2.1)
IPv4 DNS Server (192.168.2.1)
IPv4 WINS Server
NetBIOS over Tcpip Enabled (Yes)
Link-local IPv6 Address (fe80:71b3:fa9:2aeb:9af9%12)
IPv6 Default Gateway
IPv6 DNS Server

Note some properties have no value such as IPv4 WINS Server.

With this, pinging from the client gets me:

C:\Users\johnd>ping yahoo.com

Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
Reply from 192.168.2.1: Destination port unreachable.
Reply from 192.168.2.1: Destination port unreachable.
Reply from 192.168.2.1: Destination port unreachable.
Reply from 192.168.2.1: Destination port unreachable.

Ping statistics for 206.190.36.45:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Pinging yahoo's IP address directly gets me:

C:\Users\johnd>ping 206.190.36.45

Pinging 206.190.36.45 with 32 bytes of data:
Reply from 192.168.2.1: Destination port unreachable.
Reply from 192.168.2.1: Destination port unreachable.
Reply from 192.168.2.1: Destination port unreachable.
Reply from 192.168.2.1: Destination port unreachable.

Ping statistics for 206.190.36.45:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

If I change "IPv4 DNS Server" so it is set to 8.8.8.8, when I ping from the client, I get this:

C:\Users\johnd>ping yahoo.com
Ping request could not find host yahoo.com. Please check the name and try again.

And to reiterate, if I ping yahoo.com from the router, I do get a response.

root@OpenWrt:~# ping yahoo.com
PING yahoo.com (98.139.183.24): 56 data bytes
64 bytes from 98.139.183.24: seq=0 ttl=49 time=35.050 ms
64 bytes from 98.139.183.24: seq=1 ttl=49 time=33.029 ms
64 bytes from 98.139.183.24: seq=2 ttl=49 time=33.098 ms
64 bytes from 98.139.183.24: seq=3 ttl=49 time=42.065 ms
^C
--- yahoo.com ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 33.029/35.810/42.065 ms

Anyway, if you still think I should go to the forums with this, let me know. Thanks.

comment:7 Changed 3 years ago by anonymous

Did you try the latest trunk build? Some configs of yours are a little bit different than mine, don't know if they are up to date. Try the newest trunk build and reset to default configs.

comment:8 Changed 3 years ago by jmdorfman@…

That worked! I updated to the latest trunk build and reset to default configs. I guess the moral of the story is do not keep old configs when upgrading to a new release. Instead, back up the old configs and use them for reference to implement the intended function in the new configs. Thanks!

P.S. Maybe it would be a good idea to make some sort of note in the Flash upgrade area of Luci about how keeping old configs might potentially break things when upgrading to a new named release.....

comment:9 Changed 3 years ago by anonymous

New/changed config files have an ending to them, like /etc/config/dhcp-opkg or something, you have to look through every one of them for changes and migrate them into your configs if you don't want to reset every time after a new trunk build.
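The check comment 9 describes, as an added example that is not part of the original ticket or OpenWrt's own tooling: a POSIX shell helper that lists each config file with a pending `-opkg` counterpart and diffs the ones that differ. The `-opkg` suffix is taken from the comment; `make_sample` builds constructed sample files, and `sample_new_option` is a hypothetical option name.

```shell
#!/bin/sh
# Added example: find config files left behind as <name>-opkg after an upgrade
# and show how they differ from the active config, so firewall/network changes
# can be migrated by hand instead of silently keeping a stale config.
# Assumption: packaged defaults sit beside the active file as <name>-opkg.

# pending_configs DIR: one line per pending file, "<name> <state>"
pending_configs() {
    dir=${1:-/etc/config}
    for new in "$dir"/*-opkg; do
        [ -e "$new" ] || continue        # glob matched nothing
        cur=${new%-opkg}
        name=${cur##*/}
        if [ ! -e "$cur" ]; then
            echo "$name missing"         # default shipped, no active file
        elif cmp -s "$cur" "$new"; then
            echo "$name identical"       # nothing to migrate
        else
            echo "$name changed"         # needs manual review
        fi
    done
}

# show_drift DIR: unified diff (active vs packaged default) for changed files
show_drift() {
    dir=${1:-/etc/config}
    pending_configs "$dir" | while read -r name state; do
        [ "$state" = changed ] || continue
        echo "== $name: active config vs packaged default =="
        diff -u "$dir/$name" "$dir/$name-opkg" || true
    done
}

# make_sample DIR: constructed sample files, not real OpenWrt defaults
make_sample() {
    mkdir -p "$1"
    printf "config dnsmasq\n\toption domain 'lan'\n" > "$1/dhcp"
    cp "$1/dhcp" "$1/dhcp-opkg"
    printf "config defaults\n\toption forward 'REJECT'\n" > "$1/firewall"
    printf "config defaults\n\toption forward 'REJECT'\n\toption sample_new_option '1'\n" \
        > "$1/firewall-opkg"
}

# Run against the directory given as $1, or /etc/config on the router.
show_drift "${1:-/etc/config}"
```
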

comment:10 Changed 3 years ago by anonymous

And yes, that's how I mostly do it too. Keep a backup of old configs, and use them as a reference. A lot of stuff changes (changed) over the last couple of months of the structure in important config files like dhcp, firewall, network, ddns, system, and so on. If you keep "old" configs it mostly will break something. That's also why I have the important stuff in my own configs I execute in rc.local and firewall.user file, other OpenVPN scripts, and so on.

comment:11 Changed 3 years ago by anonymous

Ah, okay, thanks for all that info. I will try to put as many config customizations as I can in rc.local and firewall.user, etc., as you mention, to make upgrading easier.

comment:12 Changed 3 years ago by anonymous

Oh, and just wanted to say that Barrier Breaker+ is working awesome. The wifi is rock solid now. Netflix streaming would degrade sometimes before on Attitude Adjustment. Now, that does not seem to happen. Video seems to stay at Super 1080p the entire time. So good job!
