I’ve upgraded my TP-Link 1043 router to OpenWrt 14.07. Everything is perfect, Wifi and LAN are bridged, LAN machines can access each other by name, I can SSH into the router, and the router can access the internet on the
There is one small problem though. The router does not route. The internet is not accessible from the LAN. With one funny exception: DNS lookups do work.
/etc/config/firewall file contains the following section:
    config forwarding
        option src 'lan'
        option dest 'wan'
        option mtu_fix '0'
But when I list the POSTROUTING chain of iptables, there is nothing:

    # iptables -L POSTROUTING
    iptables: No chain/target/match by that name.
    # iptables -t nat -L POSTROUTING
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
So I tried adding the masquerading manually, and that seems to work:
    # iptables -t nat -A POSTROUTING -o pppoe-wan -j MASQUERADE
    # iptables -t nat -L POSTROUTING
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    MASQUERADE  all  --  anywhere             anywhere
And voilà, suddenly the internet works from the LAN.
But why is the iptables rule not added based on the UCI config in
I added the fixing iptables rule to the custom rules on the web interface. Then I checked, it was indeed inserted into /etc/firewall.user which is included into /etc/config/firewall. But after a reboot, the rule is not listed by iptables. And no internet in the LAN. Seems like a UCI config parsing issue…
It turns out I had no firewall at all. My /etc/config/firewall is completely ignored. It’s just that the lack of filter rules is difficult to notice.
Masquerading is only set up by OpenWrt if the output zone is configured for it.

    config zone
        option name 'wan'
        option masq '1'
        #...everything else
Or in the web interface:
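Separately from the web interface setting, the condition described above (a forwarding whose destination zone has no masq option) can be checked from a shell; this is an added example, not part of the original post. The function names check_masq and sample_config and the sample config are constructed for illustration, and only the value '1' is treated as enabled, as in the snippet above.

```shell
#!/bin/sh
# Added example: report forwardings whose destination zone lacks masq.
# Parses UCI firewall syntax with awk, so the uci tool is not required.

check_masq() {
    # Reads a UCI firewall config from the file in $1, or stdin if no file.
    awk '
        # Strip one leading and one trailing quote (\047 is a single quote).
        function unq(s) { gsub(/^["\047]|["\047]$/, "", s); return s }
        # Record the section that just ended, then reset per-section state.
        function endsec() {
            if (type == "zone" && name != "") masq[name] = (m == "1")
            if (type == "forwarding" && dest != "") fwd[src "->" dest] = dest
            type = name = src = dest = m = ""
        }
        $1 == "config" { endsec(); type = $2; next }
        $1 == "option" && $2 == "name" { name = unq($3) }
        $1 == "option" && $2 == "src"  { src  = unq($3) }
        $1 == "option" && $2 == "dest" { dest = unq($3) }
        $1 == "option" && $2 == "masq" { m    = unq($3) }
        END {
            endsec()
            for (k in fwd)
                if (!masq[fwd[k]]) print k ": zone " fwd[k] " has no masq"
        }
    ' "$@"
}

sample_config() {
    # Constructed sample config; $1 is the masq value for the wan zone.
    cat <<EOF
config zone
    option name 'lan'

config zone
    option name 'wan'
    option masq '$1'

config forwarding
    option src 'lan'
    option dest 'wan'
EOF
}

sample_config 0 | check_masq   # reports the lan->wan forwarding
sample_config 1 | check_masq   # prints nothing
```

On the router itself the call would be `check_masq /etc/config/firewall`; a clean result only says the config asks for masquerading, so the nat table listing shown earlier is still the check that the rule was actually loaded.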
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.