4

I've upgraded my TP-Link 1043 router to OpenWrt 14.07. Everything is perfect, Wifi and LAN are bridged, LAN machines can access each other by name, I can SSH into the router, and the router can access the internet on the pppoe-wan interface.

There is one small problem, though. The router does not route. The internet is not accessible from the LAN. With one funny exception: DNS lookups do work.

The /etc/config/firewall file contains the following section:

config forwarding
    option src 'lan'
    option dest 'wan'
    option mtu_fix '0'

But when I list the POSTROUTING chain of iptables, there is nothing:

# iptables -L POSTROUTING
iptables: No chain/target/match by that name.

# iptables -t nat -L POSTROUTING
Chain POSTROUTING (policy ACCEPT)
target     prot opt source        destination

UPDATE

So I tried adding the masquerading manually, and that seems to work:

# iptables -t nat -A POSTROUTING -o pppoe-wan -j MASQUERADE
# iptables -t nat -L POSTROUTING
Chain POSTROUTING (policy ACCEPT)
target     prot opt source        destination
MASQUERADE all  --  anywhere      anywhere

And voilà, suddenly the internet works from the LAN. But why is the iptables rule not added based on the UCI config in /etc/config/firewall?

UPDATE 2

I added the fixing iptables rule to the custom rules on the web interface. Then I checked, and it was indeed inserted into /etc/firewall.user, which is included from /etc/config/firewall. But after a reboot, the rule is not listed by iptables. And no internet in the LAN. Seems like a UCI config parsing issue...

UPDATE 3

It turns out I had no firewall at all. My /etc/config/firewall is completely ignored. It's just that the lack of filter rules is difficult to notice.

SzG
    There's no `POSTROUTING` chain in the filter table, it's in the nat table. So you would have to do: `iptables -t nat -L POSTROUTING` – Michael Hampton Nov 23 '14 at 15:24

2 Answers

2

Masquerading is only set up by OpenWrt if the output zone is configured for it.

For instance:

config zone
        option name 'wan'
        option masq '1'
        #...everything else

Or in the web interface:

[Screenshot: WAN masquerading in OpenWRT GUI]

Michael Hampton
  • I've just checked, the option you mentioned is set. – SzG Nov 23 '14 at 17:44
  • @SzG I'd guess you have something else going on. Better look at the _entire_ firewall config. I also suggest you set `mtu_fix '1'` or you will have trouble passing packets out to the Internet due to path MTU issues. – Michael Hampton Nov 23 '14 at 17:45
  • According to Barrier Breaker docs, mtu_fix is deprecated. – SzG Nov 23 '14 at 17:51
  • @SzG Deprecated maybe, but that's not the same thing as nonfunctional. It's your router, you can ignore me if you want. :) – Michael Hampton Nov 23 '14 at 17:56
  • Yes, thanks, I'll try, but my UPDATE 2 points to a different direction. – SzG Nov 23 '14 at 17:58
  • @SzG Hm. Well yes, UCI can be really touchy. I don't think they've worked all the bugs out of it yet. Worst case you could just reset the config and try again. – Michael Hampton Nov 23 '14 at 17:59
  • Funny thing is, this is the factory firewall config. Not only Barriers are Broken, it seems. :-) – SzG Nov 23 '14 at 18:08
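The answer above says a MASQUERADE rule only appears when the destination zone carries `masq '1'`, while the thread ends with the config not being applied at all. The following added example (not code from the thread or from OpenWrt; the config text, nat dumps and function names are constructed for illustration, Python 3.8+) reads a UCI firewall file the way a reviewer would, and separates the two cases: a forwarding whose dest zone lacks `masq`, versus a zone that is configured for masquerading but has no MASQUERADE rule in the live `iptables-save -t nat` output.

```python
import re

# Constructed sample (hypothetical): the asker's forwarding plus a wan zone with masq set.
UCI_FIREWALL = """
config zone
    option name 'lan'
    option network 'lan'

config zone
    option name 'wan'
    option network 'wan'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'
"""

# Constructed `iptables-save -t nat` dumps: the empty table from the question,
# and the table after the asker's manual MASQUERADE rule.
NAT_EMPTY = "*nat\n:POSTROUTING ACCEPT [0:0]\nCOMMIT\n"
NAT_FIXED = "*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -o pppoe-wan -j MASQUERADE\nCOMMIT\n"

SECTION_RE = re.compile(r"^\s*config\s+(\S+)(?:\s+'?([^'\s]+)'?)?\s*$")
OPTION_RE = re.compile(r"^\s*(?:option|list)\s+(\S+)\s+'?([^']*?)'?\s*$")

def parse_uci(text):
    """Minimal UCI reader: list of (section_type, {option: value}) in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), {}))
        elif sections and (m := OPTION_RE.match(line)):
            sections[-1][1][m.group(1)] = m.group(2)
    return sections

def forwardings_without_masq(text):
    """Forwardings whose dest zone lacks masq '1': traffic is routed but never NATed."""
    sections = parse_uci(text)
    zones = {s['name']: s for t, s in sections if t == 'zone' and 'name' in s}
    return [(s.get('src'), s.get('dest')) for t, s in sections
            if t == 'forwarding' and zones.get(s.get('dest'), {}).get('masq') != '1']

def masq_zones_missing_rule(text, nat_dump):
    """Zones marked masq '1' while the live nat table holds no MASQUERADE rule at all,
    i.e. the config is not being applied (the thread's final diagnosis)."""
    wanted = sorted(s['name'] for t, s in parse_uci(text)
                    if t == 'zone' and s.get('masq') == '1' and 'name' in s)
    applied = any('-j MASQUERADE' in l for l in nat_dump.splitlines())
    return [] if applied else wanted
```

On a router, feed `masq_zones_missing_rule` the real /etc/config/firewall and the output of `iptables-save -t nat`; a non-empty result with a correct config points at the firewall service not loading the file rather than at the zone options.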
0

UCI config parsing seems to be broken. Issue temporarily fixed by adding a line to /etc/rc.local:

iptables -t nat -A POSTROUTING -o pppoe-wan -j MASQUERADE
SzG