SzG asked:

I’ve upgraded my TP-Link 1043 router to OpenWrt 14.07. Everything is perfect, Wifi and LAN are bridged, LAN machines can access each other by name, I can SSH into the router, and the router can access the internet on the pppoe-wan interface.

There is one small problem though. The router does not route. The internet is not accessible from the LAN. With one funny exception: DNS lookups do work.

The /etc/config/firewall file contains the following section:

config forwarding
    option src 'lan'
    option dest 'wan'
    option mtu_fix '0'

But when I list the POSTROUTING chain of iptables, there is nothing:

# iptables -L POSTROUTING
iptables: No chain/target/match by that name.

# iptables -t nat -L POSTROUTING
target     prot opt source        destination


So I tried adding the masquerading manually, and that seems to work:

# iptables -t nat -A POSTROUTING -o pppoe-wan -j MASQUERADE
# iptables -t nat -L POSTROUTING
target     prot opt source        destination
MASQUERADE all  --  anywhere      anywhere

And voilà, suddenly the internet works from the LAN.
But why is the iptables rule not added based on the UCI config in /etc/config/firewall?


I added the fixing iptables rule to the custom rules on the web interface. Then I checked, it was indeed inserted into /etc/firewall.user which is included into /etc/config/firewall. But after a reboot, the rule is not listed by iptables. And no internet in the LAN. Seems like a UCI config parsing issue…


It turns out I had no firewall at all. My /etc/config/firewall is completely ignored. It’s just that the lack of filter rules is difficult to notice.

My answer:

Masquerading is only set up by OpenWrt if the output zone is configured for it.

For instance:

config zone
        option name 'wan'
        option masq '1'
        #...everything else

Or in the web interface:

[Screenshot: WAN masquerading in OpenWRT GUI]
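
The condition described in this answer can be checked offline against a firewall config file. The following is an added example, not part of the original post: the function names `unmasqueraded_forwardings` and `sample_config` are hypothetical, the sample config is constructed, and only `masq '1'` (the form shown above) is treated as enabled.

```shell
#!/bin/sh
# Print "src -> dest" for every forwarding in a UCI firewall config
# whose destination zone does not carry option masq '1'.
unmasqueraded_forwardings() {
    awk -v q="'" '
    BEGIN { re = "^[\"" q "]|[\"" q "]$" }      # one leading/trailing quote
    function unquote(v) { gsub(re, "", v); return v }
    function flush() {                          # close the current section
        if (type == "zone" && name != "") masq[name] = (m == "1")
        if (type == "forwarding") { n++; src[n] = s; dest[n] = d }
        type = name = m = s = d = ""
    }
    { sub(/#.*/, "") }                          # drop comments (naive: no # in values)
    $1 == "config" { flush(); type = unquote($2); next }
    $1 == "option" {
        v = unquote($3)
        if (type == "zone" && $2 == "name") name = v
        if (type == "zone" && $2 == "masq") m = v
        if (type == "forwarding" && $2 == "src") s = v
        if (type == "forwarding" && $2 == "dest") d = v
    }
    END {
        flush()
        for (i = 1; i <= n; i++)
            if (!masq[dest[i]]) print src[i] " -> " dest[i]
    }' "$1"
}

# Constructed sample config (not from the page); $1 is the wan zone masq value.
sample_config() {
    cat <<EOF
config zone
        option name 'lan'
        list network 'lan'

config zone
        option name 'wan'
        list network 'wan'
        option masq '$1'    # NAT for traffic leaving through this zone

config forwarding
        option src 'lan'
        option dest 'wan'
EOF
}

tmp=$(mktemp)
sample_config 0 > "$tmp"
unmasqueraded_forwardings "$tmp"    # prints: lan -> wan
rm -f "$tmp"
```

On a router the same function can be pointed at /etc/config/firewall; empty output means every forwarding leads to a zone with masquerading enabled.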

