路由器可以上网，DHCP出来的电脑手机却不行

笑西风 · 发表于 2018-6-11 18:11

一个openwrt的路由器，上级WAN口用DHCP获得上网地址192.168.28.x，本机LAN地址192.168.77.x，默认用dnsmasq做DNS及DHCPD服务器

cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config interface 'lan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.77.1'
option netmask '255.255.255.0'
option dns '223.5.5.5'
option _orig_ifname 'eth0 wlan0'
option _orig_bridge 'true'
option delegate '0'
option ifname 'eth0 wlan0'
config interface 'wan'
option proto 'dhcp'
option delegate '0'
option _orig_ifname 'eth0'
option _orig_bridge 'false'
option ifname 'eth1.2'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '1 2 3 5t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0 5t'

复制代码

上级分配地址很正常，看

ifconfig
br-lan Link encap:Ethernet HWaddr 00:1E:40:30:5E:6E
inet addr:192.168.77.1 Bcast:192.168.77.255 Mask:255.255.255.0
inet6 addr: fe80::21e:40ff:fe30:5e6e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1116 errors:0 dropped:0 overruns:0 frame:0
TX packets:929 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:80902 (79.0 KiB) TX bytes:495746 (484.1 KiB)
eth0 Link encap:Ethernet HWaddr 00:1E:40:30:5E:6E
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:16
eth1 Link encap:Ethernet HWaddr 00:1E:40:30:5E:6F
inet6 addr: fe80::21e:40ff:fe30:5e6f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1289 errors:0 dropped:0 overruns:0 frame:0
TX packets:117 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:207494 (202.6 KiB) TX bytes:11473 (11.2 KiB)
Interrupt:14
eth1.2 Link encap:Ethernet HWaddr 00:1E:40:30:5E:6F
inet addr:192.168.28.42 Bcast:192.168.28.127 Mask:255.255.255.128
inet6 addr: fe80::21e:40ff:fe30:5e6f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1289 errors:0 dropped:0 overruns:0 frame:0
TX packets:103 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:184292 (179.9 KiB) TX bytes:9665 (9.4 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:1 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:76 (76.0 B) TX bytes:76 (76.0 B)
wlan0 Link encap:Ethernet HWaddr 00:1E:40:30:5E:70
inet6 addr: fe80::21e:40ff:fe30:5e70/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1115 errors:0 dropped:0 overruns:0 frame:0
TX packets:1352 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:96506 (94.2 KiB) TX bytes:563647 (550.4 KiB)

复制代码

路由表

route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.28.126 0.0.0.0 UG 0 0 0 eth1.2
192.168.28.0 * 255.255.255.128 U 0 0 0 eth1.2
192.168.28.126 * 255.255.255.255 UH 0 0 0 eth1.2
192.168.77.0 * 255.255.255.0 U 0 0 0 br-lan

复制代码

在SSH上可以opkg，也可以ping通各种地址，但无线连接AP后，电脑或手机就是不通WAN，DNS服务都是正常解析的，为啥呢？

leniter · 发表于 2018-6-11 18:31

看看防火墙有没有允许 LAN=>WAN 转发。WAN 有没有开启伪装和钳制

笑西风 · 发表于 2018-6-12 08:48

把防火墙放上来，伪装和钳制没有整过

cat firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan wan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network ' '
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'

复制代码

账号		自动登录	找回密码
密码			立即注册