Beginner's question routing between 2 subnets

Good evening,

I'm new to OpenWrt. In a first step I wanted to use my device as a router between 2 different wired subnets, 192.168.1.0 and 192.168.3.0.
I configured two interfaces, LAN/ETH0 (192.168.1.2) and ETH1 (192.168.3.1).
I connected notebook B with IP 192.168.3.55 to ETH1 and notebook A with 192.168.1.1 to ETH0.

I can ping each port on the router from each notebook, but I cannot ping one notebook from the other:

ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) Bytes Daten.
Von 192.168.3.1 icmp_seq=1 Zielhost nicht erreichbar

I have tried a few things but without success. At the moment I'm stuck. I have no idea if it is related to a wrong configuration of the interfaces or if it is a matter of firewall/NAT. I would greatly appreciate a hint. Thanks a lot in advance!

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd62:8286:5a89::/48'

config interface 'lan'
	option ifname 'eth0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.2'
	list dns '192.168.1.1'
	option gateway '192.168.1.1'
	option broadcast '192.168.1.255'

config interface 'ETH1'
	option ifname 'eth1'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	list dns '192.168.1.1'
	option broadcast '192.168.3.255'
	option gateway '192.168.1.2'

Please post /etc/config/firewall as well. That contains default routing policies as well as any rules. I suspect the answer to your question is in the policies, and this file will show that.

Another possibility is that you did not create a firewall zone for the second interface, in which case the router might not forward between them and the netmasks would prevent the ping from succeeding. That also can be determined from this file.

2 Likes

Is a single piece of hardware and/or instance of OpenWrt the main router for both networks?

In that case you don't need anything special other than putting both networks in the lan firewall zone and making sure the default forward option for that zone is ACCEPT. Creating a network of type static automatically puts a route to it in the routing table.

There is generally only one time where an option gateway should be used, and this isn't it. Take those out.

1 Like

Do you actually need to enable the default forward option in the firewall zone when the two networks are already in the same zone?

The forward option in the zone definition controls whether forwarding between two networks in that same zone will be generally allowed, i.e. all devices on all networks in the zone can be trusted to access each other. In the default configuration, forward is already set to ACCEPT on the lan zone; just check that it is that way.

If you want selective forwarding it would be best to make a new zone for the new network and add specific allow rules for the forwards you want.

1 Like
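The two checks the replies above boil down to (no `option gateway` on the internal interfaces; both networks in one zone whose forward policy is ACCEPT) can be applied mechanically. The following is an added example, not code from the thread or from OpenWrt: a small parser for the UCI config format plus a linter, run over a constructed sample modelled on the first posted /etc/config/network. The assumption that an unset zone forward policy behaves like REJECT is mine.

```python
# Constructed sample modelled on the thread: the first posted network config
# (still carrying the gateway options) and a firewall that zones only 'lan'.
NETWORK_CFG = """
config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'

config interface 'ETH1'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option gateway '192.168.1.2'
"""
FIREWALL_CFG = """
config zone
	option name 'lan'
	option forward 'REJECT'
	list network 'lan'
"""
def parse_uci(text):
    """Return [(type, name, {key: [values]})] per UCI section, quotes stripped."""
    sections = []
    for raw in text.splitlines():
        parts = raw.split(None, 2)
        if parts and parts[0] == "config":
            sections.append((parts[1], parts[2].strip("'\"") if len(parts) > 2 else None, {}))
        elif len(parts) == 3 and parts[0] in ("option", "list") and sections:
            sections[-1][2].setdefault(parts[1], []).append(parts[2].strip("'\""))
    return sections

def lint(network_text, firewall_text):
    """Apply the two checks the replies give; returns human-readable findings."""
    static = {n: o for t, n, o in parse_uci(network_text)
              if t == "interface" and o.get("proto") == ["static"] and n != "loopback"}
    zones = [o for t, _, o in parse_uci(firewall_text) if t == "zone"]
    out = []
    for n, o in static.items():
        # 1. a gateway on an internal interface injects a bogus default route
        if "gateway" in o:
            out.append(f"{n}: remove 'option gateway {o['gateway'][0]}'")
        # 2. the network must be in a zone; networks sharing a zone only reach
        #    each other if that zone's forward is ACCEPT (assumed REJECT when unset)
        z = next((z for z in zones if n in z.get("network", [])), None)
        if z is None:
            out.append(f"{n}: not in any firewall zone")
        elif sum(m in static for m in z["network"]) > 1 and z.get("forward", ["REJECT"])[0] != "ACCEPT":
            out.append(f"{n}: zone '{z['name'][0]}' forward must be ACCEPT")
    return out
```

Running `lint(NETWORK_CFG, FIREWALL_CFG)` reports the two gateway lines and the unzoned ETH1 network; once those are fixed and ETH1 is listed in the lan zone, the only remaining finding is the zone's forward policy.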

Hello and thanks a lot for your fast replies!

Yes, it is a single piece of hardware. I tried to apply the changes you suggested. I set the forward option to ACCEPT and I removed both gateway options. This did not change the situation.

Here I post the firewall configuration; hopefully this helps :)

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'ETH1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

I'm not sure your issue is with the router. What OS are you running on the notebooks? What's the network config on each?

I'm puzzled by what you're trying to do. If your laptop is 192.168.1.1

Why do you have this

	list dns '192.168.1.1'
	option gateway '192.168.1.1'

In your configuration? Is your laptop also the gateway and the DNS server?

There are some strange things here. In this setup the following devices are involved:

  1. NotebookA with IP 192.168.1.1
  2. NotebookB with IP 192.168.3.55
  3. a device with OpenWrt installed, which has two network interfaces (eth0 (with IP 192.168.1.2 ) and eth1 (with IP 192.168.3.1) and this device is supposed to be the router between the subnets 192.168.1.0/24 and 192.168.3.0/24

right?

In this case, I have some questions. Why did you configure this:

config interface 'lan'
...
	option gateway '192.168.1.1'
...

and this

config interface 'ETH1'
...
	option gateway '192.168.1.2'

?

By the way, on what kind of device did you install OpenWrt?

Hello and thanks for your replies

I have installed this on an apu1d device.

The configuration with "option gateway '192.168.1.2'" was mainly caused by desperation,
as I was playing around with many parameters without getting it to work. As MK24 has already pointed out above, this configuration is wrong. So I have deleted this parameter already, but it didn't make any difference. Maybe I have some odd configuration now from setting uncommon or wrong parameters.

Would it make sense to reinstall completely from anew and start with a clean configuration?

I changed my installation according to the proposals above and now have the following configuration.
Please tell me if there is still something strange about it!

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd62:8286:5a89::/48'

config interface 'lan'
	option ifname 'eth0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.2'
	option broadcast '192.168.1.255'

config interface 'ETH1'
	option ifname 'eth1'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option broadcast '192.168.3.255'

It's convention to have the main router be .1 on its network, and use higher IPs for endpoint devices.

If you are using DHCP you need to add another DHCP server for the .3.0 network. If you're not using DHCP then each endpoint needs to be statically configured including the main router as its gateway.

Does this network have any connection to the Internet?

As mk24 already mentioned, you have to set the right routes in the notebooks' operating systems.

Actually, at first I started by putting a second router (network interface 192.168.1.1, having the internet connection) connected to 192.168.2.1. (That's partly where those strange configurations with gateway and DNS come from.) As I was not able to connect to the Internet from notebook B, my plan was to cut the problem into a smaller piece, so I decided to start with a connection between two LANs without an internet connection. I installed my router newly from scratch; that's how I came to the problem discussed here. My thought was, if I'm not able to solve such a simple problem, it's no use going on with a more complex one.

It's more complicated when you involve another router. It is simpler when the endpoints' default route to the Internet is also the router to the other network. That router then directly knows whether to send a request for outside the LAN to the Internet or to the other network.

If there are two routers involved, the default one must also hold a static route to the other router that links to the other network. Traffic between the two networks makes two hops.

1 Like

Hello,

I made it! I was successful now :)

I cannot really say what the solution was. However, I installed again from scratch. I did the basic configuration by changing the config/network file, which appeared easier to me, especially if you want to change the port you are connected to.
From your suggestions in this thread I thought it could not be very serious or obvious errors; maybe I was just playing around too much and not turning the right knob. I cannot even judge whether krazeh and rj-45 were right and it was a matter of the configuration of the notebooks.

I was now able to connect port 192.168.1.2 as WAN to port 192.168.1.1 of another router, and I was able to configure an OpenVPN client on this port. I learnt a lot in this discussion and have a much better understanding of what I'm doing now.

Thanks a lot for your support

Best wishes and a nice Sunday evening