Networking Issues (Turris Omnia)

Hello, I have the following device:

Turris Omnia
Turris OS version: 6.3.1
Kernel version: 5.15.96

Have some issues with the LAN interface; which has the following settings:

https://192.168.1.1/cgi-bin/luci/admin/network/network:

LAN

Protocol: Static address
Device: br-lan
IPv4 address: 192.168.1.1
IPv4 netmask: 255.255.255.0

The WAN interface is set to DHCP client and passes the WAN connection test
in reForis admin webpage.

The problem is not with the WAN connection, which passes the diagnostic ping test, but
with the LAN connection. When a ping is attempted from a device on the LAN to
a DNS server, this test fails. The error message is "Destination Host Unreachable".

So the question is, why is the WAN connection ping working fine, but the ping from
within the LAN fails?

I suspect NAT is the problem. Check if you have Masquerade enabled on the WAN zone in the Firewall settings. Also, you posted a link to a private address in your network, and nobody but you can access that. It's not a public IP.

This should be a public IP address as opposed to private? Would it be helpful to post logs?

There is no masquerade setting applied currently.

But there should be: by default it is on the WAN zone, and on the TR_VPN zone if you use OpenVPN. So most likely you disabled NAT masquerading.

You are correct that masquerading was turned off. What does this setting do exactly?
Is there a wiki article on this? Also, is there a wiki article on how to set up the firewall settings?

Thank you

Are there any tools I can use to pentest my firewall and ensure the settings are correct?

If you are unsure about the settings you should stick with the defaults. They are sufficiently secure. Mark the topic as solved if you think it solved your issue.

Yeah you solved the issue. Was just wondering if there are any wiki resources regarding firewall configuration.

Sorry, nOOb here on this, but are these settings correct?

There are no good settings. It depends on what you are trying to achieve. These are the defaults. There is ongoing debate whether one should use Drop or Reject on Input, but it should be OK with Reject. Also, the rest of the settings are safe defaults.


Which partially seems to be based on misinformation… the difference is:
drop: will silently ignore unsolicited packets for which no exempting rules exist in the firewall configuration
reject: will additionally tell the sender that a packet was rejected

One big argument for "drop" seems to be that that way the existence of an address can be hidden or "stealthed"; however, many ISPs will generate differential responses depending on whether an IP address is in use or not, so "drop" will not make your router invisible. (It will still offer less information for fingerprinting, so a remote party will have a harder time figuring out what OS that router is using.)
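To make the two settings discussed in this thread (masquerade on the WAN zone, and the input policy of each zone) checkable on the router itself, here is an added example script that is not from any post above. It parses a `uci show firewall` dump read from stdin; the sample dump is constructed to mirror Turris-style defaults with masquerade removed from the wan zone, which is the misconfiguration found earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit a `uci show firewall` dump for the two
# settings discussed above (masquerade on the wan zone, input policy per zone).
# The dump is read from stdin, so on a Turris/OpenWrt router you would run
#   uci show firewall | audit_firewall
# Constructed sample dump: Turris-style defaults with masq removed from wan,
# i.e. the misconfiguration found in the thread.
SAMPLE_BROKEN=$(cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].mtu_fix='1'
EOF
)
# Same dump after the fix the thread describes (masquerade re-enabled on wan).
SAMPLE_FIXED="$SAMPLE_BROKEN
firewall.@zone[1].masq='1'"

# Print one line per zone (name, input policy, masq flag); exit 1 when the wan
# zone has no masquerade, exit 0 otherwise.
audit_firewall() {
    dump=$(cat)
    rc=0
    for idx in $(printf '%s\n' "$dump" | sed -n 's/^firewall\.@zone\[\([0-9]*\)\]\.name=.*/\1/p'); do
        name=$(printf '%s\n' "$dump"  | sed -n "s/^firewall\.@zone\[$idx\]\.name='\(.*\)'\$/\1/p")
        input=$(printf '%s\n' "$dump" | sed -n "s/^firewall\.@zone\[$idx\]\.input='\(.*\)'\$/\1/p")
        masq=$(printf '%s\n' "$dump"  | sed -n "s/^firewall\.@zone\[$idx\]\.masq='\(.*\)'\$/\1/p")
        printf 'zone %s: input=%s masq=%s\n' "$name" "${input:-unset}" "${masq:-0}"
        if [ "$name" = wan ] && [ "${masq:-0}" != 1 ]; then
            echo '  WARNING: no NAT masquerade on wan; LAN hosts will not reach the Internet'
            rc=1
        fi
    done
    return $rc
}

# Convenience wrapper: prints "on" or "off" for the wan masquerade state.
wan_masq_state() { if audit_firewall >/dev/null; then echo on; else echo off; fi; }

# Demo on the constructed broken dump; the printed fix is the standard uci sequence.
printf '%s\n' "$SAMPLE_BROKEN" | audit_firewall ||
    echo "fix: uci set firewall.@zone[1].masq='1' && uci commit firewall && /etc/init.d/firewall restart"
```

Run it on the router as `uci show firewall | audit_firewall` after sourcing the file; the zone index of wan may differ from the sample, which is why the script derives it from the dump instead of hardcoding `@zone[1]`.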

+1;


As the OS is based on OpenWrt, this is a good place to start:
https://openwrt.org/docs/guide-user/firewall/start
