Nat – OpenWRT Barrier Breaker – Router does not route

nat;openwrt

I've upgraded my TP-Link 1043 router to OpenWrt 14.07. Everything is perfect, Wifi and LAN are bridged, LAN machines can access each other by name, I can SSH into the router, and the router can access the internet on the pppoe-wan interface.

There is one small problem though. The router does not route. The internet is not accessible from the LAN. With one funny exception: DNS lookups do work.

The /etc/config/firewall file contains the following section:

config forwarding
    option src 'lan'
    option dest 'wan'
    option mtu_fix '0'

But when I list the POSTROUTING chain of iptables, there is nothing:

# iptables -L POSTROUTING
iptables: No chain/target/match by that name.

# iptables -t nat -L POSTROUTING
Chain POSTROUTING (policy ACCEPT)
target     prot opt source        destination

UPDATE

So I tried adding the masquerading manually, and that seems to work:

# iptables -t nat -A POSTROUTING -o pppoe-wan -j MASQUERADE
# iptables -t nat -L POSTROUTING
Chain POSTROUTING (policy ACCEPT)
target     prot opt source        destination
MASQUERADE all  --  anywhere      anywhere

And voilà, suddenly the internet works from the LAN.
But why is the iptables rule not added based on the UCI config in /etc/config/firewall?

UPDATE 2

I added the fixing iptables rule to the custom rules on the web interface. Then I checked, it was indeed inserted into /etc/firewall.user which is included into /etc/config/firewall. But after a reboot, the rule is not listed by iptables. And no internet in the LAN. Seems like a UCI config parsing issue…

UPDATE 3

It turns out I had no firewall at all. My /etc/config/firewall is completely ignored. It's just that the lack of filter rules is difficult to notice.

Best Answer

Masquerading is only set up by OpenWrt if the output zone is configured for it.

For instance:

config zone
        option name 'wan'
        option masq '1'
        #...everything else

Or in the web interface:

[Image: WAN masquerading in OpenWRT GUI]
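
Added example, not part of the original answer or of OpenWrt: a static check that reads a UCI firewall config on stdin and lists every forwarding whose destination zone does not set masq '1'. The function names, the message format and the sample config are constructed for illustration, and only the value '1' is treated as enabled, as in the answer above.

```shell
#!/bin/sh
# Report forwardings whose destination zone has no masq '1'.
# Reads a UCI firewall config on stdin; returns 1 if any are found.
# Note: forwardings between internal zones do not need masquerading,
# so review the output rather than treating every line as an error.
check_masq() {
    awk '
    BEGIN { n = 0 }
    function strip(s) { gsub(/["\047]/, "", s); return s }  # drop quotes
    function commit() {            # store the section that just ended
        if (type == "zone" && name != "") masq[name] = (m == "1")
        if (type == "forwarding") { fsrc[n] = src; fdst[n] = dst; n++ }
        type = ""; name = ""; m = ""; src = ""; dst = ""
    }
    /^[ \t]*#/      { next }                       # skip comment lines
    $1 == "config"  { commit(); type = strip($2); next }
    $1 == "option"  {
        v = strip($3)
        if      ($2 == "name") name = v
        else if ($2 == "masq") m = v
        else if ($2 == "src")  src = v
        else if ($2 == "dest") dst = v
    }
    END {
        commit()
        for (i = 0; i < n; i++)
            if (!masq[fdst[i]]) {
                print fsrc[i] " -> " fdst[i] ": masq not enabled on zone " fdst[i]
                bad = 1
            }
        exit bad + 0
    }'
}

# Constructed sample config; $1 is an optional masq value for the wan zone.
sample_config() {
    printf "config zone\n\toption name 'lan'\n\n"
    printf "config zone\n\toption name 'wan'\n"
    [ -n "$1" ] && printf "\toption masq '%s'\n" "$1"
    printf "\nconfig forwarding\n\toption src 'lan'\n\toption dest 'wan'\n"
}

# Demo: the config as in the question (no masq), then with masq '1'.
sample_config   | check_masq || echo "=> no masquerading configured for this path"
sample_config 1 | check_masq && echo "=> every forwarding destination masquerades"
# On the router: check_masq < /etc/config/firewall, then compare with the
# running rules using: iptables -t nat -L POSTROUTING
```

A clean result only describes the file; as UPDATE 3 in the question shows, the config can be ignored entirely, so the running nat table still has to be checked.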