Access of a VPN client to exactly one IP address in a second LAN

A certain VPN client should get access to an IP address in a 2nd LAN, which is unknown to the router so far.
I probably can't find anything because I'm not using the right terms.
Does the network card for the local LAN have to be given a second IP address for this task?
It must be certain that no other VPN client gets this access.
I have already made sure that all VPN clients get a static IP address.
Which firewall rule is needed?
Many greetings

Hi

Well, the question cannot be answered until you make a second LAN.
Then it will be possible to discuss the firewall rule.

config rule
        option name 'Do my homework for me'
        option src 'Source zone name'
        option src_ip 'Source IP address'
        option dest 'Destination zone name'
        option dest_ip 'Destination IP address'
        option target 'ACCEPT'
1 Like

Firewall rules work by IP address, so the IP of the destination device must be known ahead of time and stay the same. A DHCP reserved lease can be used for that.

2 Likes

Thanks for the help.
I still don't understand the meaning of the terms. Does each physical interface belong to exactly one zone, or can each logical network belong to a different zone? This raises the question of whether I should create a new zone for the new logical LAN. Are the source and destination zones the same here?
Many greetings

Hi

That is the reason why I told you to
first make a 2nd LAN.
When you do it, you will place this 2nd LAN in a different zone.
Then you can make filters.

My problem is that I get an error message when I simply give another zone name. How do I set up a firewall zone?

Sorry, I forgot the error message:
Section @rule[11] (AB->RT1) option 'dest' specifies invalid value 'lan2'
I can see this in the interface definition:

You've added an interface named lan2 into the lan zone. This will not allow separate rules for lan and lan2. Make a new zone named lan2 just for the lan2 interface.

No. The logical interface does, not the physical interface.

One interface can belong to only one zone.

One zone can contain many interfaces.

Is it necessary to use a second network adapter for this task? I hoped I could realise it with one physical LAN adapter and 2 logical networks.

If you want to get to grips with VLAN configuration, you can do it with a single physical interface (or controller). Two examples of this which I know from experience are the GL.iNet GL-MT300N and its successor the GL-MT300N-V2. The interfaces are not eth0 and eth1 as you might expect, but rather they are eth0.1 and eth0.2.

Sorry, I don't know these devices. My router has eth0 (lan) and eth1 (wan). The external VPN clients should reach the computers of a network (xxx.xxx.xxx.xxx) via eth0. Except one. This VPN client should reach all computers in the same network (xxx.xxx.xxx.xxx) and also one computer in another network (yyy.yyy.yyy.100). Both networks are physically connected to eth0.

Unfortunately, I am not getting anywhere. In the meantime, I have had to load the recovery image onto the OpenWrt router several times in order to reach it again.

I assume that the following questions should be answered:
How must eth0 be configured? How must two different zones be set up for (xxx.xxx.xxx.xxx) and (yyy.yyy.yyy.yyy)?
Since all VPN clients are located in (xxx.xxx.xxx.xxx): How is the one computer (yyy.yyy.yyy.100) to be made accessible for exactly one VPN client? Is this a filter or is this routing?
Thanks for your help.

Probably both, and it would help - if you're using RFC 1918 addresses - if you don't obfuscate the addresses. That way, it makes it easier for your audience to determine if there are any configuration errors, or also suggest possible solutions using real data.

RFC 1918 addresses aren't permitted to be accessible from the Internet, so there's little harm in revealing them. If you are using public addresses internally, then I understand that obfuscation might be necessary.

Ok. The addresses are:
for xxx..: 192.168.11.1 to 192.168.11.254
for yyy...: 192.168.12.100
Thanks for the help.

1 Like

Have you already attempted to set up a firewall rule per the placeholder example earlier in this thread?

Can you post the contents of both /etc/config/network and /etc/config/firewall? It's entirely possible that you're nearly there, and perhaps only one or two lines of configuration might need to be adjusted.

Redact any passwords, keys, and public addresses which might be revealed.

Here is an example of representative firewall rules which should give you some idea of how to construct your own policy.

First off, here's a diagram showing the example network:

And here is an example firewall policy:

config zone
	option name 'wan'
	list network 'wan'

config zone
	option name 'lan'
	list network 'lan1'
	list network 'lan2'

config zone
	option name 'vpn'
	list network 'vpn'

config rule
	option name 'Allow single VPN client to 192.168.12.100'
	option src 'vpn'
	option src_ip '172.16.0.172'
	option dest 'lan'
	option dest_ip '192.168.12.100'
	option target 'ACCEPT'

config rule
	option name 'Deny single VPN client to rest of 192.168.12.0/24'
	option src 'vpn'
	option src_ip '172.16.0.172'
	option dest 'lan'
	option dest_ip '192.168.12.0/24'
	option target 'DROP'
	# optionally use target 'REJECT' instead, depending on the response you want

config rule
	option name 'Allow all VPN clients to 192.168.11.0/24'
	option src 'vpn'
	option dest 'lan'
	option dest_ip '192.168.11.0/24'
	option target 'ACCEPT'

config rule
	option name 'Allow all VPN clients to 192.168.12.0/24'
	option src 'vpn'
	option dest 'lan'
	option dest_ip '192.168.12.0/24'
	option target 'ACCEPT'

The files are almost as they were after installation. Changes in the network led to the "disappearance" of the router. Appending the lines from this thread led to the error message.

network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.11.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config interface 'vpn0'
        option proto 'none'
        option auto '1'
        option device 'tun0'

firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list device 'tun+'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow-OpenVPN-Inbound'
        option src '*'
        option proto 'udp'
        option dest_port '1194'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'

config forwarding
        option src 'vpn'
        option dest 'wan'

config forwarding
        option src 'vpn'
        option dest 'lan'

config rule 'ovpn'
        option name 'Allow-OpenVPN'
        option src 'wan'
        option dest_port '1194'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'my pc'
        option src 'lan'
        option src_ip '192.168.11.61'
        option dest 'lan2'
        option dest_ip '192.168.12.100'
        option target 'ACCEPT'

Regards

Alternately, here's an example with discrete LAN zones:

config zone
	option name 'wan'
	list network 'wan'

config zone
	option name 'lan1'
	list network 'lan1'

config zone
	option name 'lan2'
	list network 'lan2'

config zone
	option name 'vpn'
	list network 'vpn'

config rule
	option name 'Allow single VPN client to 192.168.12.100'
	option src 'vpn'
	option src_ip '172.16.0.172'
	option dest 'lan2'
	option dest_ip '192.168.12.100'
	option target 'ACCEPT'

config rule
	option name 'Deny single VPN client to rest of 192.168.12.0/24'
	option src 'vpn'
	option src_ip '172.16.0.172'
	option dest 'lan2'
	option dest_ip '192.168.12.0/24'
	option target 'DROP'
	# optionally use target 'REJECT' instead, depending on the response you want

config rule
	option name 'Allow all VPN clients to 192.168.11.0/24'
	option src 'vpn'
	option dest 'lan1'
	option dest_ip '192.168.11.0/24'
	option target 'ACCEPT'

config rule
	option name 'Allow all VPN clients to 192.168.12.0/24'
	option src 'vpn'
	option dest 'lan2'
	option dest_ip '192.168.12.0/24'
	option target 'ACCEPT'

The above examples are for illustrative purposes; feel free to adapt them to suit your equipment, environment, and desired security policy.
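Two things in this thread are worth checking offline before touching the router again: whether every `src`/`dest` in a rule names a zone that actually exists (the "option 'dest' specifies invalid value 'lan2'" error above comes from a rule pointing at a zone that was never defined), and which entry of the policy actually decides a given VPN client's packet. The following Python script is an added example, not code from the thread or from OpenWrt. It parses the UCI text format used in the posts above and evaluates forwarding in the order fw3/fw4 apply: first matching `config rule`, then any `config forwarding` between the two zones, then the source zone's `forward` default. The embedded policies are constructed for the example: INTENDED encodes the first post's requirement (one client, 172.16.0.172 as in the example posts, reaches 192.168.12.100; every client reaches 192.168.11.0/24; nothing else), THREAD_EXAMPLE appends the "Allow all VPN clients to 192.168.12.0/24" rule from the two example posts, and 172.16.0.173 is an assumed second client. The model is deliberately simplified to IPv4 source/destination matching and ignores proto, ports and family.

```python
"""Offline dry-run of an OpenWrt /etc/config/firewall forwarding policy.
Added example, not code from the thread or from OpenWrt.  Parses the UCI text
format used above, flags rules whose 'src'/'dest' name a zone that is not
defined (the cause of "option 'dest' specifies invalid value 'lan2'"), and
decides a forwarded packet in the order fw3/fw4 use: first matching 'rule',
then a zone-to-zone 'forwarding', then the source zone's 'forward' default.
Simplified model: IPv4 src/dest only; proto, ports and family are ignored."""
import ipaddress
import re

def parse_uci(text):
    """Parse 'config <type> [name]' sections with their option/list lines."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # '#' starts a comment
        if not line:
            continue
        m = re.match(r"config\s+(\w+)(?:\s+'?(\w+)'?)?$", line)
        if m:
            sections.append({".type": m.group(1), ".name": m.group(2)})
            continue
        m = re.match(r"(option|list)\s+(\w+)\s+'([^']*)'", line)
        if m and sections:
            kind, key, val = m.groups()
            if kind == "option":
                sections[-1][key] = val
            else:
                sections[-1].setdefault(key, []).append(val)
    return sections

def undefined_zone_refs(sections):
    """(rule name, option, value) for each src/dest that names no defined zone."""
    zones = {s["name"] for s in sections if s[".type"] == "zone" and "name" in s}
    return [(s.get("name", "unnamed"), key, s[key])
            for s in sections if s[".type"] == "rule"
            for key in ("src", "dest")
            if key in s and s[key] != "*" and s[key] not in zones]

def _ip_match(spec, addr):   # spec: None (anything), host address or CIDR prefix
    return spec is None or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def forward_verdict(sections, src_zone, src_ip, dest_zone, dest_ip):
    """Return (target, reason); rule target defaults to DROP, zone forward to REJECT."""
    for s in sections:
        if s[".type"] != "rule" or "dest" not in s:     # no dest => INPUT rule
            continue
        if s.get("src") not in (src_zone, "*") or s["dest"] not in (dest_zone, "*"):
            continue
        if _ip_match(s.get("src_ip"), src_ip) and _ip_match(s.get("dest_ip"), dest_ip):
            return s.get("target", "DROP"), s.get("name", "unnamed rule")
    for s in sections:
        if s[".type"] == "forwarding" and (s.get("src"), s.get("dest")) == (src_zone, dest_zone):
            return "ACCEPT", "forwarding %s->%s" % (src_zone, dest_zone)
    for s in sections:
        if s[".type"] == "zone" and s.get("name") == src_zone:
            return s.get("forward", "REJECT"), "zone '%s' forward default" % src_zone
    return "REJECT", "zone default"

# Constructed policies, not the poster's real files.  INTENDED: one client may
# reach 192.168.12.100, every client may reach 192.168.11.0/24, nothing else
# (no 'forwarding' vpn->lan, zone default REJECT).  THREAD_EXAMPLE adds the
# example posts' allow-all rule for 192.168.12.0/24.
INTENDED = """
config zone
    option name 'lan'
config zone
    option name 'vpn'
    option forward 'REJECT'
config rule
    option name 'Allow single VPN client to 192.168.12.100'
    option src 'vpn'
    option src_ip '172.16.0.172'
    option dest 'lan'
    option dest_ip '192.168.12.100'
    option target 'ACCEPT'
config rule
    option name 'Allow all VPN clients to 192.168.11.0/24'
    option src 'vpn'
    option dest 'lan'
    option dest_ip '192.168.11.0/24'
    option target 'ACCEPT'
"""
THREAD_EXAMPLE = INTENDED + """
config rule
    option name 'Allow all VPN clients to 192.168.12.0/24'
    option src 'vpn'
    option dest 'lan'
    option dest_ip '192.168.12.0/24'
    option target 'ACCEPT'
"""
# The poster's 'my pc' rule against a file whose only zone is 'lan'.
BROKEN = """
config zone
    option name 'lan'
config rule
    option name 'my pc'
    option src 'lan'
    option dest 'lan2'
"""
```

`undefined_zone_refs(parse_uci(BROKEN))` reports `('my pc', 'dest', 'lan2')`, the same defect the router complained about. `forward_verdict(parse_uci(INTENDED), "vpn", "172.16.0.173", "lan", "192.168.12.100")` falls through to the vpn zone's REJECT default, while the same call against THREAD_EXAMPLE is accepted by the "Allow all VPN clients to 192.168.12.0/24" rule: with that rule in place, or with a `config forwarding` from vpn to lan, every VPN client reaches the second LAN, so for the policy asked for in the first post both have to be left out. To check a real file, pass `open("/etc/config/firewall").read()` to `parse_uci`.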