openwrt: failsafe mode
recently i bricked my router (running an openwrt firmware) again: i changed the firewall setting of zone lan by setting input policy to reject; this effectively blocks all incoming traffic to the router from the lan interfaces; this is pretty bad because i lost access to luci and ssh, so i cannot restore the firewall settings;
in the old days i would simply use a serial cable to re-flash the firmware; but i dont have one at hand right now; so i did some search and decided to try the failsafe mode;
the official doc is here; basically, failsafe mode only mounts the read-only filesystem (squashfs) during boot, and does not mount the read-write filesystem (jffs2); so after boot the router is in its initial and intact state, as if you have not made any modifications; next, you can mount the read-write filesystem manually to see what goes wrong;
the doc gives 3 different procedures to enter failsafe mode:
- wait for a flashing led and press a button;
- wait for a udp message and press a button;
- wait for a serial message and press a button;
in my case, i didnt see any udp message and didnt have a serial cable, but the flashing led just works fine; after powering on the router, the led will flash as follows:
- a sequence of lights specific to the device;
- a 5/sec blink lasting 2 sec; this means the router is waiting for user to trigger the failsafe mode; press the reset button now; holding for 1-2 sec looks good; and you may need a pin;
- the led will flash as:
  - a 10/sec fast blink, if failsafe mode is triggered;
  - a 2.5/sec slow blink, if failsafe mode is not triggered and normal boot continues;

if you see the 10/sec fast blink, congrats, you can continue with the next steps:

- plug an ethernet cable between pc and router, because failsafe mode disables wireless connection on the router;
- in failsafe mode, the router has ip address `192.168.1.1`; so configure pc ethernet ip address to `192.168.1.xxx`, where `xxx` is not `1`; for example:

  ```
  ifconfig eth0 192.168.1.100
  ```

- in failsafe mode, the router provides a telnet interface; so you can connect to it from pc by running:

  ```
  telnet 192.168.1.1
  ```

- in telnet, there is a special command `mount_root`, which mounts the read-write partition at `/overlay` and overlays it on top of `/`; you need to run this command to see the overlay content:

  ```
  mount_root
  ```

- fix your specific problem; in my case, it was firewall misconfig; so i can inspect and fix firewall settings by running:

  ```
  vi /etc/config/firewall
  ```

  to fix my problem, i just need to restore input policy for zone lan:

  ```
  config zone
      option name 'lan'
      option output 'ACCEPT'
      option forward 'ACCEPT'
      option network 'lan'
      #option input 'REJECT'
      option input 'ACCEPT'
  ```

- save; restart; enjoy your day;
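
an added example, not part of the original post or of openwrt itself: a small shell check that reads the effective input policy of zone lan from a firewall config, so the fix can be confirmed after `mount_root` and before restarting; the function names `zone_input` and `check_lan_access` and the sample config are made up for this illustration:

```shell
#!/bin/sh
# added example: read a zone's input policy from a uci firewall config.
# on the router (after mount_root): check_lan_access /etc/config/firewall

# zone_input FILE ZONE: print the zone's input policy, or nothing if the zone
# or the option is missing; commented-out lines are ignored, last option wins.
zone_input() {
    awk -v zone="$2" -v q="'" '
        function unquote(s) { gsub("^[\"" q "]|[\"" q "]$", "", s); return s }
        function commit() { if (in_zone && name == zone && input != "") result = input }
        /^[ \t]*#/ { next }                  # e.g. a disabled "#option input" line
        $1 == "config" {                     # a new section begins
            commit()
            in_zone = ($2 == "zone"); name = ""; input = ""
            next
        }
        in_zone && $1 == "option" && $2 == "name"  { name  = unquote($3) }
        in_zone && $1 == "option" && $2 == "input" { input = unquote($3) }
        END { commit(); if (result != "") print result }
    ' "$1"
}

# check_lan_access FILE: return 0 only if zone lan has input policy ACCEPT.
check_lan_access() {
    policy=$(zone_input "$1" lan)
    case "$policy" in
        ACCEPT) echo "lan input is ACCEPT: luci/ssh from lan are not blocked by the zone policy" ;;
        "")     echo "zone lan or its input option not found in $1" >&2; return 1 ;;
        *)      echo "lan input is $policy: access from lan may be blocked" >&2; return 1 ;;
    esac
}

# constructed sample mirroring the fixed zone from the post
sample=$(mktemp)
cat > "$sample" <<'EOF'
config zone
    option name 'lan'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'
    #option input 'REJECT'
    option input 'ACCEPT'
EOF
check_lan_access "$sample"
rm -f "$sample"
```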
finally, as doc says, failsafe mode is the higher level way to “start over” with your router; if failsafe mode doesnt work, you may try factory reset or recovery mode; but those are off topic for this article; so read the doc;