On 23.09.2015 at 23:37, Christian Kellermann wrote:
* Markus Hutmacher <[email protected]> [150923 20:19]:
more package I've installed: kmod-usb-serial-wwan
As far as I can tell this package is needed when using a USB modem as
WAN connection.
Indeed that has done the trick for me! Now if I could only figure out
the firewall settings. I can connect to the internet on the router
itself, I have set up a wifi that is in the lan interface group and
clients can connect to that and get an IP, and DNS is forwarded.
However, it seems that ICMP and other traffic from those clients
directed to external addresses gets dropped? Or the route has not been
set up properly.
My firewall config:
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'lan'

config zone
	option name 'wan'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'wan6 wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

TBH I am not sure what it should look like for my scenario, what did
you set in yours? What I want to do is NATing the wifi traffic through
the 3g network...
Well, NATing should work with the masq option -- option masq '1'
which is set correctly as far as I can see. You'll have to check where
the client connections break. Check if the firewall or other settings are
the problem: Check DNS, do your clients have the router as their
nameserver? Does the router do name resolution for the clients, or only for
itself? Check if your computer has the correct routes with "ip route" on
Linux or "route print" on Windows. Check if you can connect to both
interfaces of your router. And for the masquerading: check if the
interface settings match the firewall rules. Does your 3g-umts interface
really belong to the wan zone?

Markus

Thanks for your help so far!
Kind regards,
Christian
--
May you be peaceful, may you live in safety, may you be free from
suffering, and may you live with ease.
_______________________________________________
openwrt-users mailing list
[email protected]
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-users
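
Added example, not part of the original thread: a small Python check for the last question in the reply above, whether the 3G interface really belongs to the wan zone. It parses a firewall config and reports whether a given network sits in a zone that masquerades and has a forwarding from lan; the interface name 'wwan' and the trimmed sample config are assumptions constructed for the illustration.

```python
import shlex

# Constructed sample in the shape of the config posted above (trimmed).
SAMPLE = """
config zone
	option name 'lan'
	option network 'lan'
config zone
	option name 'wan'
	option masq '1'
	option network 'wan6 wan'
config forwarding
	option src 'lan'
	option dest 'wan'
"""

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {option: [values]})."""
    sections = []
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)
        if len(tok) >= 2 and tok[0] == "config":
            sections.append((tok[1], {}))
        elif len(tok) >= 3 and tok[0] in ("option", "list") and sections:
            # option network 'wan6 wan' and repeated 'list network' mean the same
            sections[-1][1].setdefault(tok[1], []).extend(tok[2].split())
    return sections

def check_nat_path(text, uplink, src_zone="lan"):
    """List what stops src_zone clients from being NATed out via network `uplink`."""
    sections = parse_uci(text)
    zone = next((o for t, o in sections
                 if t == "zone" and uplink in o.get("network", [])), None)
    if zone is None:
        return [f"network '{uplink}' is not a member of any firewall zone"]
    name = zone.get("name", ["?"])[0]
    problems = []
    if zone.get("masq", ["0"])[0] != "1":
        problems.append(f"zone '{name}' does not set masq '1'")
    if not any(t == "forwarding" and o.get("src") == [src_zone]
               and o.get("dest") == [name] for t, o in sections):
        problems.append(f"no forwarding from '{src_zone}' to '{name}'")
    return problems

if __name__ == "__main__":
    # 'wwan' is a hypothetical name for the 3G interface in /etc/config/network
    for net in ("wan", "wwan"):
        print(net, check_nat_path(SAMPLE, net) or "ok")
```

The name passed as `uplink` is the logical interface name from /etc/config/network, which is what the zone's `network` option refers to.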