[Solved] No internet access through Wi-fi, though router has internet access

Hi everyone, I'm still kinda new to wifi and routers.

I've compiled a LEDE system for my ZBT WE826-T (I'm making a custom system for my routers), flashed it, and everything is fine. It detects my SIM card at /dev, and I've configured it through this guide:

And I got an internet connection; accessing the router via SSH, I could update packages and ping 8.8.8.8.

However, when I enabled the Wi-Fi, my phone could connect to it but wouldn't access the internet. I strongly believe it's something to do with firewall rules, but I don't have much knowledge of them yet, and from what I researched the config seems fine. The firewall rule is set to my new wwan interface as said in the guide above.

I know it is a really common mistake and it must be some simple error, but still I couldn't find much help on the internet, and the similar topics on this forum weren't of much help.

Here are my interface and firewall configs (I've omitted the MAC addrs, who knows):

Interface:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '####:ca04:####::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr '##:##:##:##:##:##'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr '##:##:##:##:##:##'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface 'wwan'
	option proto 'dhcp'
	option _orig_ifname 'wwan0'
	option _orig_bridge 'false'
	option ifname 'wwan0'
	option type 'bridge'

Firewall: (I've changed a few things with no success)

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wwan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

Any help is much appreciated or guides so I can research better, thanks o/

Why is WWAN bridged?
Why are LAN and WWAN on the same zone?

You probably need to add the WLAN to the firewall zone that has internet access

Take some time and look over the LEDE User's Guide, especially the WiFi configuration section...

https://lede-project.org/docs/user-guide/start#wifi_configuration

This is the setup I followed from the guide I linked above; it seemed to work properly until I tried connecting my phone to the wifi.

Already did that, my WWAN (the interface I created following the guide I posted) is in the same firewall zone as LAN.

I think that the files you posted here do not match what is being explained in the guide.

I had made some changes through LuCI, that's why. But even before the changes, I couldn't get a connection to the internet through the Wi-Fi. Even though I can ping google.com from my router, my phone still has no internet access when connected to the Wi-Fi, so I guess it's something with the firewall rule, but I have no idea what it could be.

I would go back to the stock configuration, set up the WWAN interface, and then put it in the WAN zone at the firewall configuration; that should be enough.

I went back to the stock .bin for the WE826. There was no LuCI and no cdc-wdm device, so now I don't know how to set up my SIM card through the router to make a connection to the internet. I was recognizing the SIM card, which gives me the 4G, through the cdc-wdm0 device. Now it has a directory called /dev/bus/usb, and in it there are two more directories, 001/ and 002/. I don't know in which one my SIM card is located.

The dev/bus/usb is just the raw USB device. A device driver is needed to convert it to an Ethernet-like device. This is usually kmod-usb-net-cdc-ether or kmod-usb-net-rndis. These drivers are not in the regular image. Temporarily connect the router to the Internet by other means so you can download and install them. Then use opkg update and opkg install. You can also install Luci this way.

With those two modules, will I be able to recognize the GSM SIM card inserted in my ZBT and configure a wwan interface for it?

It depends on which modem card you have, thus which driver it requires. GSM access is through a modem card installed in the PCIe slot. (Though it is a PCIe slot, communication from the modem to the router CPU is a USB link.) The modem was usually sold separately.

The SIM card doesn't do anything by itself. The modem card needs to obtain encryption keys from the SIM to log on to the GSM network. So the SIM slot is wired to the modem slot, not the router CPU.

Well, it still boggles me. I followed the guide in the link I posted above and got a connection to the internet through the wwan0 interface created for the cdc-wdm0 device, which I believe represents my SIM card connected in the ZBT modem (the only thing capable of providing the internet access that I want for my purposes), all following the guide. So yeah, my SIM card is providing an internet connection, but something is not allowing devices connected to the Wi-Fi of my ZBT to receive any packets back; that's why I'm 99% sure it's a problem in my firewall setup. My LAN and WWAN interfaces are in the same firewall zone and all. I can't seem to find what's blocking the internet access to my devices through the Wi-Fi, even though the ZBT has internet access.

Put the modem in the WAN firewall zone. Use the default settings with LAN forwarding to WAN and masquerade enabled on WAN.
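An added example, not part of the thread: a small audit of a UCI firewall config that shows why the posted zone layout gives Wi-Fi clients no internet (the uplink sits in a zone without masquerading) and why it also leaves the router's own services reachable from the cellular side (that zone accepts input). The function names and the `FIXED` text are constructed for illustration; the zone and forwarding sections are taken from the posted config, with options the audit does not read left out.

```python
import re

# Zone/forwarding sections from the posted config (options the audit ignores left out).
POSTED = """
config zone
	option name 'lan'
	option input 'ACCEPT'
	option network 'lan wwan'
config zone
	option name 'wan'
	option input 'REJECT'
	option masq '1'
	option network 'wan wan6'
config forwarding
	option src 'lan'
	option dest 'wan'
"""
# Constructed: the same text with wwan moved into the wan zone, as the replies advise.
FIXED = POSTED.replace("'lan wwan'", "'lan'").replace("'wan wan6'", "'wan wan6 wwan'")

def parse_uci(text):
    """Parse single-quoted UCI text into [(section_type, {option: [values]})].
    Space-separated 'option' values and repeated 'list' entries end up alike."""
    sections = []
    pattern = r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?"
    for kind, key, val in re.findall(pattern, text, re.M):
        if kind == "config":
            sections.append((key, {}))
        elif sections:
            sections[-1][1].setdefault(key, []).extend(val.split())
    return sections

def audit_uplink(text, uplink, lan_zone="lan"):
    """Return the reasons LAN clients cannot (or should not) route out via `uplink`."""
    secs = parse_uci(text)
    zone = next((o for t, o in secs if t == "zone" and uplink in o.get("network", [])), None)
    if zone is None:
        return [f"{uplink}: not in any firewall zone"]
    name, issues = zone["name"][0], []
    if zone.get("masq", ["0"])[0] != "1":
        issues.append(f"{uplink}: zone '{name}' does not masquerade, so LAN addresses leave un-NATed")
    if zone.get("input", [""])[0] == "ACCEPT":
        issues.append(f"{uplink}: zone '{name}' accepts input, exposing router services to the uplink")
    fwd = any(t == "forwarding" and (o.get("src"), o.get("dest")) == ([lan_zone], [name])
              for t, o in secs)
    if name != lan_zone and not fwd:
        issues.append(f"{uplink}: no forwarding from '{lan_zone}' to '{name}'")
    return issues

if __name__ == "__main__":
    print(audit_uplink(POSTED, "wwan"), audit_uplink(FIXED, "wwan"))
```

It can be run on a workstation against a saved copy of /etc/config/firewall by passing the file's text in place of `POSTED`.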

So sry for the delay, everything is working fine now. It was a stupid misconfiguration haha: I put the WWAN in the WAN firewall zone and everything is fine now. Thx for your patience everyone, I'm learning a lot though.

Hello Baratao00, please can you help me with the same problem? I bought the same device, but after the update I don't know how to create a working 4G interface. I am a noob with this.