Allowing access to LAN server from GUEST network (while said server is not reachable from WAN)

Hi,

I want to access my MQTT (mosquitto) instance, located in the LAN zone at port 1883 from the GUEST zone.

By searching the forum, I have found two posts that might fit my solution. Yet, I did not manage to achieve what I want.

  1. How to allow one port from guest network to lan?

I have tried to create those rules, but I am missing the

firewall.@zone[3]

entries. Do I need them? I am hesitant to create them since they were not part of OpenWRT docs guest wlan and I do not fully understand what is going on there.

  2. Cannot reach internal servers (in br-lan) from network guest

This post seems to be asking a slightly different question, since the LAN service there is reachable from the internet.

One other solution I have thought about is to allow access to the same port on the Router from the GUEST network:

firewall.@rule[0]=rule
firewall.@rule[0].name='AllowGuestMQTT'
firewall.@rule[0].family='ipv4'
firewall.@rule[0].proto='tcp'
firewall.@rule[0].src='guest'
firewall.@rule[0].dest_port='1883'
firewall.@rule[0].target='ACCEPT'

and then port forward it to the LAN server.

firewall.@redirect[6]=redirect
firewall.@redirect[6].target='DNAT'
firewall.@redirect[6].name='mqtt'
firewall.@redirect[6].proto='tcp'
firewall.@redirect[6].src='guest'
firewall.@redirect[6].src_dport='1883'
firewall.@redirect[6].dest='lan'
firewall.@redirect[6].dest_ip='my.lan.ip.address'
firewall.@redirect[6].dest_port='1883'

Sadly, that does not seem to work either.

Remove the first firewall rule you have shown.

If that doesn't resolve the issue, we'll probably need to see the complete firewall and network config files.


@psherman amazingly fast reply, thank you!

It seems to work partially. I can use

nc my.routerGUEST.ip.address 1883

and get a connection (I do not get a nc: can't connect to remote host error).

Yet when I run nc -l 1883 on the server in the LAN zone, nothing I type on the client in the GUEST zone appears.

The rule you have allows hosts on the guest network to initiate a connection to your server (and the response back is allowed, too). But it doesn't currently allow the LAN to initiate a connection to the guest network -- if that's what you need, you should allow forwarding (in part or in whole) from LAN > guest.


My understanding was that when I run nc my.routerGUEST.ip.address 1883 on the GUEST side of the network, it is the host on the GUEST side initiating the connection. So I agree this should arrive at the server on the LAN side (and the responses too). Sadly for some reason that does not happen.

Below you can find the requested configs:

root@Router:~# uci show network
network.loopback=interface
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.loopback.device='lo'
network.globals=globals
network.globals.ula_prefix='redacted'
network.lan=interface
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='redacted'
network.lan.dns='1.1.1.1'
network.lan.device='br-lan'
network.wan=interface
network.wan.proto='dhcp'
network.wan.device='eth0.2'
network.wan6=interface
network.wan6.proto='dhcpv6'
network.wan6.device='eth0.2'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].vid='1'
network.@switch_vlan[0].ports='3 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='0t 5'
network.@switch_vlan[1].vid='2'
network.@switch_vlan[2]=switch_vlan
network.@switch_vlan[2].device='switch0'
network.@switch_vlan[2].vlan='3'
network.@switch_vlan[2].ports='0t 1 2 4'
network.@switch_vlan[2].vid='3'
network.GUEST=interface
network.GUEST.proto='static'
network.GUEST.ipaddr='redacted'
network.GUEST.netmask='255.255.255.0'
network.GUEST.dns='1.1.1.1'
network.GUEST.device='br-GUEST'
network.wireguard=interface
network.wireguard.proto='wireguard'
network.wireguard.private_key='redacted'
network.wireguard.addresses='redacted'
network.wireguard.mtu='1280'
network.@wireguard_wireguard[0]=wireguard_wireguard
network.@wireguard_wireguard[0].public_key='redacted'
network.@wireguard_wireguard[0].description='redacted'
network.@wireguard_wireguard[0].persistent_keepalive='25'
network.@wireguard_wireguard[0].endpoint_host='redacted'
network.@wireguard_wireguard[0].allowed_ips='redacted'
network.@wireguard_wireguard[0].preshared_key='redacted'
network.@wireguard_wireguard[0].route_allowed_ips='1'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth1.1'
network.@device[1]=device
network.@device[1].name='br-GUEST'
network.@device[1].type='bridge'
network.@device[1].ports='eth0.3'
root@Router:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].mtu_fix='1'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6 wireguard'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='redacted'
firewall.@rule[3].dest_ip='redacted'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='redacted'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].network='GUEST'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].name='guest'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].input='REJECT'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[1].src='guest'
firewall.@redirect[0]=redirect
firewall.@redirect[0].dest_port='redacted'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].name='redacted'
firewall.@redirect[0].src_dport='redacted'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].dest_ip='redacted'
firewall.@redirect[0].dest='lan'
firewall.@redirect[1]=redirect
firewall.@redirect[1].dest_port='443'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].name='https'
firewall.@redirect[1].src_dport='443'
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].dest_ip='redacted'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].proto='tcp'
firewall.@redirect[2]=redirect
firewall.@redirect[2].dest_port='80'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].name='http'
firewall.@redirect[2].src_dport='80'
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].dest_ip='redacted'
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].proto='tcp'
firewall.@redirect[3]=redirect
firewall.@redirect[3].dest_port='redacted'
firewall.@redirect[3].src='wan'
firewall.@redirect[3].name='redacted'
firewall.@redirect[3].src_dport='redacted'
firewall.@redirect[3].target='DNAT'
firewall.@redirect[3].dest_ip='redacted'
firewall.@redirect[3].dest='lan'
firewall.@redirect[3].proto='tcp'
firewall.@redirect[3].enabled='0'
firewall.@redirect[4]=redirect
firewall.@redirect[4].dest_port='redacted'
firewall.@redirect[4].src='wan'
firewall.@redirect[4].name='redacted'
firewall.@redirect[4].src_dport='redacted'
firewall.@redirect[4].target='DNAT'
firewall.@redirect[4].dest_ip='redacted'
firewall.@redirect[4].dest='lan'
firewall.@redirect[4].proto='tcp'
firewall.@redirect[5]=redirect
firewall.@redirect[5].dest_port='redacted'
firewall.@redirect[5].src='wan'
firewall.@redirect[5].name='redacted'
firewall.@redirect[5].src_dport='redacted'
firewall.@redirect[5].target='DNAT'
firewall.@redirect[5].dest_ip='redacted'
firewall.@redirect[5].dest='lan'
firewall.@redirect[5].proto='udp'
firewall.@rule[9]=rule
firewall.@rule[9].dest_port='53'
firewall.@rule[9].src='guest'
firewall.@rule[9].name='Allow-DNS-Guest'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[10]=rule
firewall.@rule[10].dest_port='67'
firewall.@rule[10].src='guest'
firewall.@rule[10].name='Allow-DHCP-Guest'
firewall.@rule[10].family='ipv4'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].proto='udp'
firewall.@rule[11]=rule
firewall.@rule[11].name='AllowPingGuest'
firewall.@rule[11].family='ipv4'
firewall.@rule[11].proto='icmp'
firewall.@rule[11].src='guest'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].enabled='0'
firewall.@redirect[6]=redirect
firewall.@redirect[6].target='DNAT'
firewall.@redirect[6].name='mqtt'
firewall.@redirect[6].proto='tcp'
firewall.@redirect[6].src='guest'
firewall.@redirect[6].src_dport='1883'
firewall.@redirect[6].dest='lan'
firewall.@redirect[6].dest_ip='my.lan.ip.address'
firewall.@redirect[6].dest_port='1883'

Try the following thing as a test:

In the zone forwarding:

  • allow forwarding from lan > guest
  • allow forwarding from guest > lan

Then see if you can get the connections you expect. This will make the forwarding completely open, meaning that all hosts in the LAN will be able to connect to the hosts in Guest, and vice versa. If this doesn't work, there may be a local firewall (on the server host) that is at issue.

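An added check, not part of the thread, for anyone following this test: the two zone forwardings open guest to the whole LAN and should be removed again once the single-port rule works. The script below runs over a constructed `uci show firewall` dump and reports every guest-to-lan opening, separating zone-wide forwardings from ACCEPT rules that lack `dest_ip`; the section indices and the 192.168.1.10 address are placeholders.

```shell
# Added example, not from the thread: audit a `uci show firewall` dump for
# openings from guest to lan. The zone-wide forwardings suggested above as a
# test should not survive into production, and an ACCEPT rule without dest_ip
# opens the port on every LAN host instead of just the MQTT server. UCI_DUMP is
# constructed: @rule[20] is pinned to one host, @rule[21] is the same rule
# without dest_ip, and the lan -> guest forwarding must not be reported.

UCI_DUMP="firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='lan'
firewall.@forwarding[2].dest='guest'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='guest'
firewall.@forwarding[3].dest='lan'
firewall.@rule[20]=rule
firewall.@rule[20].src='guest'
firewall.@rule[20].dest='lan'
firewall.@rule[20].dest_ip='192.168.1.10'
firewall.@rule[20].dest_port='1883'
firewall.@rule[20].target='ACCEPT'
firewall.@rule[21]=rule
firewall.@rule[21].src='guest'
firewall.@rule[21].dest='lan'
firewall.@rule[21].dest_port='1883'
firewall.@rule[21].target='ACCEPT'"

# One sorted finding per line for every section that lets guest reach lan:
#   FORWARDING   <section>  zone-wide forwarding: the whole LAN is reachable
#   RULE-ANYHOST <section>  ACCEPT rule without dest_ip: port open on all LAN hosts
#   RULE-HOST    <section>  ACCEPT rule pinned to one dest_ip: the intended shape
audit_guest_to_lan() {
    printf '%s\n' "$1" | awk -F'[.=]' '
        # "firewall.@rule[20].src=value": $2 is the section, $3 the option name
        NF >= 4 {
            sec = $2; opt = $3; val = $0
            sub(/^[^=]*=/, "", val); gsub(/\047/, "", val)   # drop key and quotes
            o[sec, opt] = val; seen[sec] = 1
        }
        END {
            for (s in seen) {
                if (o[s, "src"] != "guest" || o[s, "dest"] != "lan") continue
                if (s ~ /^@forwarding/)              print "FORWARDING", s
                else if (o[s, "target"] != "ACCEPT") continue
                else if (o[s, "dest_ip"] == "")      print "RULE-ANYHOST", s
                else                                 print "RULE-HOST", s
            }
        }' | sort
}

audit_guest_to_lan "$UCI_DUMP"
```

On a real router, feed it `uci show firewall` instead of the constructed dump; an empty result means no guest-to-lan opening is configured at all.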

I hope I did the right thing by adding the following:

firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='lan'
firewall.@forwarding[2].dest='guest'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='guest'
firewall.@forwarding[3].dest='lan'

Here is what it looks like:

Still, I get no communication over netcat.
Do you think this is a local firewall issue on the server then?

I checked the following and did not find anything:

sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Also, I cannot ping a host in the LAN subnet from a host in the GUEST subnet. Is this intentional with those settings too (it sure is intentional in normal operation)?

Any chance the VLANs I have configured are messing with things?

I would check that first.
In fact, I'd make sure you can get a response when working on the same subnet. This first step will verify that the host is listening and responding to connections.

Then try from the other subnet.

Possibly, but it depends. By default, Windows will not respond to connections originating from a different subnet. You need to adjust the firewall to allow this to happen.


Thank you @psherman for your quick and useful suggestions. Managed to solve it now. You were very close!
It was an issue with the server: not with the firewall, but the routing table was messed up.
So while the connection/packets reached the server (which explains the working first half of the netcat command from the client in the guest network), the server answered on the wrongly configured route and sent the replies into nowhere.

In case anybody wants to check if they have similar issues, the commands I used on the Linux server are:

root@server:~# tracepath openwrt.guest.ip.address
 1?: [LOCALHOST]                      pmtu 1500
 1:  server                                          3078.503ms !H
     Resume: pmtu 1500

This showed me that I did not even get out of the server.

root@server:~# ip route get openwrt.guest.ip.address
openwrt.guest.ip.address dev eth0 src my.server.ip.address uid 0

Here I saw that the route taken did not go via anything. So I looked at the routing table:

root@server:~# ip route
default via openwrt.lan.ip.address dev eth0 proto static metric 100 
192.0.0.0/8 dev eth0 proto kernel scope link src openwrt.lan.ip.address metric 100 

The routing for all addresses starting with 192 was broken. So I went on to delete the broken route:

root@server:~# ip route delete 192.0.0.0/8

Now I was left with only the default route and everything was fine:

root@server:~# ip route
default via openwrt.lan.ip.address dev eth0 proto static metric 100 

What was needed now was an investigation of what had messed with my routing table. A hot tip is your network configuration tool.
In my case, I had misconfigured NetworkManager and set the static IP of the server to 192.168.1.1/8. The /8 was the problem, which after each restart would repopulate the routing table with the breaking route.
So if your system is broken again after a reboot or similar, you have to find the root of the issue.

But in my case everything was good and the test route selection resulted in the correct path:

root@server:~# ip route get guest.device.ip.address
guest.device.ip.address via openwrt.lan.ip.address dev eth0 src my.server.ip.address uid 0

All that is left to make OpenWRT behave in the required way is to add this rule (no port forward needed):

firewall.@rule[11]=rule
firewall.@rule[11].name='AllowMQTTfromGuesttoLAN'
firewall.@rule[11].family='ipv4'
firewall.@rule[11].src='guest'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].dest='lan'
firewall.@rule[11].dest_ip='my.server.ip.address'
firewall.@rule[11].proto='tcp'
firewall.@rule[11].dest_port='1883'
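As an added example, not from the thread, the following script reproduces the route check described above offline on constructed `ip route` output: it flags on-link routes that are suspiciously wide and tells whether a guest-side address would be ARPed for directly instead of being handed to the OpenWrt gateway, which is why the replies went nowhere. All addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the diagnosis from the last
# post offline. A directly connected ("scope link") route that is much wider
# than the real subnet (192.0.0.0/8 from a /8 netmask) swallows traffic to every
# other 192.x.x.x network, so replies to guest clients never reach the gateway.
# ROUTES is constructed `ip route` output; all addresses are placeholders.

ROUTES='default via 192.168.1.1 dev eth0 proto static metric 100
192.0.0.0/8 dev eth0 proto kernel scope link src 192.168.1.10 metric 100
10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.5 metric 100'

# Dotted-quad IPv4 address to an unsigned integer (subshell keeps IFS local).
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# List scope-link prefixes in $1 shorter than /$2 bits (default 16); a /8 on a
# home LAN is almost always a netmask typo like the one found in the thread.
broad_link_routes() {
    printf '%s\n' "$1" | awk -v max="${2:-16}" '
        $1 != "default" && /scope link/ {
            split($1, p, "/"); if (p[2] != "" && p[2] + 0 < max) print $1
        }'
}

# Print "link" if destination $2 falls inside any scope-link route of $1 (the
# host ARPs for it directly and the gateway is never used), else "gateway".
next_hop_kind() {
    dst=$(ip2int "$2")
    hit=$(printf '%s\n' "$1" | while read -r line; do
        case "$line" in
            default*) continue ;;
            *"scope link"*) ;;
            *) continue ;;
        esac
        pfx=${line%% *}
        case "$pfx" in */*) len=${pfx#*/} ;; *) len=32 ;; esac
        net=$(ip2int "${pfx%/*}")
        mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
        [ $(( dst & mask )) -eq $(( net & mask )) ] && { echo link; break; }
    done; true)
    echo "${hit:-gateway}"
}

broad_link_routes "$ROUTES"            # -> 192.0.0.0/8
next_hop_kind "$ROUTES" 192.168.2.20   # -> link (gateway bypassed)
```

Once the /8 line is removed, the same destination resolves to "gateway", matching the `ip route get` result at the end of the thread.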
