Cannot access devices in Subnet

I have an old FritzBox flashed with OpenWrt that is supposed to run a separate Network from the regular Home Network.
The OpenWrt Router has the Firewall zone "WAN", which is the Uplink to the Internet via the Home Network (Range 192.168.178.0/24).
Then there's the Zone "LAN", which is supposed to be the Subnet (Range 192.168.1.0/24).
I can ping Devices in the Home Network from the Subnet and I also have Internet access; however, I want the Subnet to only have Internet access and be reachable from the Home Network for Management purposes. Devices in the Subnet shouldn't be able to access the Home Network.

Is this a Firewall issue and how do I solve it?

This is my Firewall config:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'DROP'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option mtu_fix '1'
        option forward 'ACCEPT'
        list device 'br-lan'
        list device 'eth0.2'
        option log '1'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'WAN'
        option input 'ACCEPT'
        option log '1'
        option forward 'DROP'
        list device 'br-lan'
        list device 'eth0.2'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        option dest '*'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'wan'
        option dest 'lan'

And my Network config:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdba:9611:c757::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 4 3 2'
        option description 'LAN'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'
        option vid '2'
        option description 'WAN'

config interface 'WAN'
        option proto 'dhcp'
        option device 'eth0.2'

Remove this forwarding and add a rule to allow from lan to wan for destinations !192.168.178.0/24.


I just realized the one machine just doesn't respond to pings. So my starting situation is that both networks can ping each other.
I removed the forwarding as you said and added this rule:

config rule
        option name 'lan to wan'
        option src 'lan'
        option dest 'wan'
        list dest_ip '!192.168.178.0/24'
        option target 'ACCEPT'

This stops devices in the Home Network from being reachable from the Subnet, but the Subnet also does not have Internet access (which it should).

If you are using ping for tests, add option proto 'all' to the rule.

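To see why the rule above blocks ping until proto 'all' is added, here is a small added model (not part of this thread or of OpenWrt itself) of how the firewall decides on forwarded traffic: rules first, then forwarding entries, then the global forward default. It uses the zones and the 'lan to wan' rule from the posts above; the destination addresses are constructed sample values.

```python
import ipaddress

# Simplified model of how the OpenWrt firewall decides on forwarded traffic
# between two zones: 'config rule' entries first, then 'config forwarding'
# entries, then the global 'option forward' default. Values are taken from
# the configs posted in this thread; the sample IP addresses are constructed.

def ip_spec_matches(ip, spec):
    """Match an address against a dest_ip/src_ip value; a leading '!' negates."""
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    hit = ipaddress.ip_address(ip) in net
    return hit != negate

def rule_matches(rule, src, dest, proto, dst_ip):
    # A rule without 'option proto' only matches TCP and UDP (OpenWrt's
    # default), which is why a ping test fails until proto 'all' is added.
    protos = rule.get("proto", ["tcp", "udp"])
    if rule["src"] != src or rule["dest"] != dest:
        return False
    if "all" not in protos and proto not in protos:
        return False
    return all(ip_spec_matches(dst_ip, s) for s in rule.get("dest_ip", []))

def forward_verdict(cfg, src, dest, proto, dst_ip):
    """Verdict for a packet forwarded from zone src to zone dest."""
    for rule in cfg["rules"]:
        if rule_matches(rule, src, dest, proto, dst_ip):
            return rule["target"]
    if (src, dest) in cfg["forwardings"]:
        return "ACCEPT"
    return cfg["default_forward"]

def thread_config(proto_all):
    """The poster's state after the first reply: lan->wan forwarding removed,
    replaced by a rule that allows everything except the home network."""
    rule = {"name": "lan to wan", "src": "lan", "dest": "wan",
            "dest_ip": ["!192.168.178.0/24"], "target": "ACCEPT"}
    if proto_all:
        rule["proto"] = ["all"]  # the fix from the second reply
    return {"default_forward": "DROP", "forwardings": set(), "rules": [rule]}

if __name__ == "__main__":
    for proto_all in (False, True):
        cfg = thread_config(proto_all)
        for proto, dst in (("icmp", "203.0.113.10"), ("tcp", "203.0.113.10"),
                           ("icmp", "192.168.178.20")):
            print(f"proto_all={proto_all!s:5} {proto:4} -> {dst:15} "
                  f"{forward_verdict(cfg, 'lan', 'wan', proto, dst)}")
```

Without proto 'all', TCP to the Internet is accepted but ICMP falls through to the DROP default; with it, only traffic to 192.168.178.0/24 is dropped.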

Typically, firewall zones don't have the devices listed (only the networks), with the exception of certain scenarios such as OpenVPN. Typically the network is the way things should be defined.

You also have br-lan and eth0.2 listed in both the wan and lan zones.

Just to confirm:

  • You have an upstream router running a LAN on the subnet 192.186.178.0/24
  • The LAN from that router connects to the WAN of your OpenWrt router
  • Your OpenWrt router has a LAN in the 192.168.1.0/24 subnet
  • You want to prevent the devices behind the OpenWrt router from reaching the devices on the main/upstream router
  • Devices in the 192.168.1.0/24 network should have internet access
  • Devices in the 192.168.178.0/24 network should have the ability to reach the 192.168.1.0/24 network for management purposes (please clarify -- should all of the 192.168.1.0/24 devices be accessible from the upstream network, or just the OpenWrt router itself?)

Does your main router have support for adding static routes?
