Opened 7 years ago

Closed 7 years ago

Last modified 21 months ago

#5640 closed defect (fixed)

No ping between LAN ports with Orion/WRT350Nv2 snapshot build

Reported by: Maddes <maddes_trac@…>
Owned by: developers
Priority: high
Milestone: Barrier Breaker 14.07
Component: kernel
Version: Trunk
Keywords:
Cc:


Flashed the snapshot build from onto my Linksys WRT350Nv2 router.
But I can not ping another machine in the LAN (10.0.0/24) from my PC (.1), e.g. my NAS (.200).
Pinging the router (.254) works, and the router itself can ping all other machines (.1, .200).

C:\Documents and Settings\Dummy>ping

Pinging with 32 bytes of data:

Reply from Destination port unreachable.

C:\Documents and Settings\Dummy>ping

Pinging with 32 bytes of data:

Reply from bytes=32 time<1ms TTL=64

When I compile and flash a minimum build (only kmod-tun for OpenVPN added), then pinging across the LAN works.

When I compile and flash an "all" build (all packages from trunk plus feeds/packages), then I can reproduce this bug.

Seems that something is missing in the snapshot build.

Attachments (0)

Change History (15)

comment:1 Changed 7 years ago by Maddes <maddes_trac@…>

JFYI, that's how I got the rootfs.squash for flashing:

wget ""
dd if="openwrt-orion-squashfs.img" of="root.squashfs" bs=1024k skip=1

comment:2 Changed 7 years ago by Maddes <maddes_trac@…>

Will try an "all trunk" build next time, so with no packages from any feed, but all packages from trunk.
Plus will also check connection with other services (e.g. FTP, SMB).

comment:3 Changed 7 years ago by Maddes <maddes_trac@…>

Back home, I could check an "all trunk" build, and got the same error:
No traffic between LAN devices (ping, ftp, smb)
Really don't have a clue where to start looking.

comment:4 Changed 7 years ago by Maddes <maddes_trac@…>

Same issue with a build where IPv6 is not enabled.

Re-flashed the snapshot build and installed all kernel modules from the "Network Support" section. Same problem.

Btw WAN access is working fine.

comment:5 Changed 7 years ago by Maddes <maddes_trac@…>

During the router's boot up I can ping another machine on the LAN, then it stops:

C:\Documents and Settings\Dummy>ping

Pinging with 32 bytes of data:

Reply from bytes=32 time<1ms TTL=64
Reply from Destination port unreachable.
Reply from Destination port unreachable.
Reply from Destination port unreachable.

Hence I checked all configurations I could think of:

  • ifconfig was the same.
  • iptables (all tables) was the same.
  • route was the same.
  • uci had two new configs: ucitrack and luci. The rest was the same.
  • brctl had a different order: lan2, lan1, lan3, lan4 (instead of lan1, lan2, ...)
  • dmesg had the following specialities:
    • net_namespace: 1008 bytes (instead of 528)
    • Bridge firewalling registered
    • CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use nf_conntrack.acct=1 kernel paramater, acct=1 nf_conntrack module option or sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
  • sysctl had several changes

sysctl differences:

   net.core.rmem_default = 114688 (instead of 110592)
   net.core.rmem_max = 114688
   net.core.wmem_default = 114688
   net.core.wmem_max = 114688 = 0 (instead of 1)
   net.ipv4.conf.ppp0.arp_ignore = 0 (instead of 1)
   net.ipv4.netfilter.ip_conntrack_count = 11 (instead of 23)
   net.netfilter.nf_conntrack_acct=1 (instead of 0)
   net.netfilter.nf_conntrack_count = 11 (instead of 23)

sysctl new entries:

net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-filter-pppoe-tagged = 0
net.bridge.bridge-nf-filter-vlan-tagged = 0
net.core.xfrm_acq_expires = 30
net.core.xfrm_aevent_etime = 10
net.core.xfrm_aevent_rseqth = 2
net.core.xfrm_larval_drop = 1

What is "Bridge firewalling" and "CONFIG_NF_CT_ACCT / net.netfilter.nf_conntrack_acct"?
How can I configure it to the normal expected behaviour?

comment:6 Changed 7 years ago by Maddes <maddes_trac@…>

After wading through lots of webpages and documentation I found the reason for this issue:

The following commands fix the problem temporarily until the next reboot:

sysctl -w net.bridge.bridge-nf-call-arptables=0
sysctl -w net.bridge.bridge-nf-call-ip6tables=0
sysctl -w net.bridge.bridge-nf-call-iptables=0

Now I have to find out how to make this permanent on OpenWrt.

comment:7 Changed 7 years ago by Maddes <maddes_trac@…>

Adding the settings to /etc/sysctl.conf works fine.
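
The fix from comment:6 and comment:7 as an idempotent script (an added example, not part of the ticket or OpenWrt's own code; the function names and the optional path arguments are assumptions made here). With these keys at 0, frames forwarded between bridge ports are no longer passed to arptables, ip6tables or iptables, so rules in those tables stop applying to LAN-to-LAN traffic.

```shell
#!/bin/sh
# Added example: inspect and persist the bridge-netfilter sysctls from comment:6.
BRIDGE_NF_KEYS="net.bridge.bridge-nf-call-arptables net.bridge.bridge-nf-call-ip6tables net.bridge.bridge-nf-call-iptables"

# report_bridge_nf [PROCROOT]  (PROCROOT is a hypothetical override for testing)
# Print "key=value" for each key as currently live in the kernel, or
# "key=absent" when bridge netfilter is not compiled in or loaded.
report_bridge_nf() {
    root=${1:-/proc/sys}
    for key in $BRIDGE_NF_KEYS; do
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ -r "$path" ]; then
            printf '%s=%s\n' "$key" "$(cat "$path")"
        else
            printf '%s=absent\n' "$key"
        fi
    done
}

# persist_bridge_nf FILE [VALUE]
# Ensure each key appears exactly once in FILE as "key=VALUE" (default 0).
# Existing assignments of the key (any spacing, any value) are replaced;
# comments and unrelated settings are kept untouched.
persist_bridge_nf() {
    conf=$1
    value=${2:-0}
    [ -f "$conf" ] || : > "$conf"
    tmp="$conf.tmp.$$"
    awk -v keys="$BRIDGE_NF_KEYS" '
        BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        {
            line = $0
            sub(/^[ \t]+/, "", line)       # tolerate leading whitespace
            split(line, kv, /[ \t]*=/)     # kv[1] is the key name
            if (kv[1] in want) next        # drop the old assignment
            print
        }' "$conf" > "$tmp" || return 1
    for key in $BRIDGE_NF_KEYS; do
        printf '%s=%s\n' "$key" "$value" >> "$tmp"
    done
    mv "$tmp" "$conf"
}

# Typical use on the router:
#   report_bridge_nf
#   persist_bridge_nf /etc/sysctl.conf && sysctl -p /etc/sysctl.conf
```
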

comment:8 Changed 7 years ago by Maddes <maddes_trac@…>

Sent a patch to the developer mailing list.

comment:9 Changed 7 years ago by Maddes <maddes_trac@…>

Another solution would be to build it as module.

Here are the occurrences I found for BRIDGE which include '=y' or '=m':

package/kernel/modules/  KCONFIG:=CONFIG_BRIDGE_NETFILTER=y \
target/linux/generic-2.4/patches/000-linux_mips.patch: CONFIG_BRIDGE=m

The config should be CONFIG_BRIDGE according to 'make kernel_menuconfig'.
Will test a build with CONFIG_BRIDGE=m.

comment:10 Changed 7 years ago by Maddes <maddes_trac@…>

CONFIG_BRIDGE=m causes even worse problems, as the internal switch doesn't get any IP address (no IPv4, no IPv6).

The bridge firewalling is caused by CONFIG_BRIDGE_NETFILTER=y (bool), which is enabled by kmod-ebtables. As it is bool it can not be outsourced into an installable module.

comment:11 Changed 7 years ago by Maddes <maddes_trac@…>

ebtables is already excluded from release builds.

comment:12 Changed 7 years ago by Maddes <maddes_trac@…>

Please close.

comment:13 Changed 7 years ago by florian

  • Resolution set to fixed
  • Status changed from new to closed

comment:14 Changed 6 years ago by Maddes <maddes_trac@…>

My suggestion from comment:6 was committed in [19214]

comment:15 Changed 21 months ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
