Icmp port unreachable


#1

After reading some similar pages I have to ask.
ping google.com on the router (gl inet) works (ssh’ed), while on my laptop it returns Destination port unreachable.

Here’s my /etc/config/firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'shadowsocks'
	option type 'script'
	option path '/var/etc/shadowsocks.include'
	option reload '1'

config rule 'glservice_rule'
	option name 'glservice'
	option dest_port '83'
	option proto 'tcp udp'
	option src 'wan'
	option target 'ACCEPT'
	option enabled '0'

and /etc/config/network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix fd08:04a4:9ecd:4c02::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option hostname 'gl'
	option ipaddr '192.168.8.1'

config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'
	option hostname 'gl'
	option metric '10'
	option peerdns '0'
	option custom_dns '1'
	option dns '8.8.8.8 8.8.4.4'

config interface 'wan6'
	option ifname 'eth0'
	option proto 'dhcpv6'

config interface 'wwan'
	option proto 'dhcp'
	option metric '20'
	option peerdns '0'
	option dns '8.8.8.8 8.8.4.4'

finally /etc/firewall.user:

iptables -I INPUT -p tcp --dport 22 -s 192.168.8.0/24 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 ! -s 192.168.8.0/24 -j DROP

Any help appreciated. Thank you.


#2

What did you operate before?


#3

I don’t understand; what do you mean?


#4

Kyson is asking what did you do before this happen.


#5

Nothing, this was on the stock firmware (just bought the device)


#6

from what you have posted, you have at least set up WISP.

So we need to know what you have set. So please just describe the details of what you have done.

You also didn’t say what models you are using.