Hi,
my OpenWrt router is connected as DHCP client to ISP router's LAN.
From this router device I can ping any client in ISP router's LAN (subnet 192.168.1.0/24).
Now I'm connecting my laptop to OpenWrt router's LAN (172.16.1.0/24), but I cannot access any client in subnet 192.168.1.0/24.
This is my network configuration:
root@rb760igs:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd5f:2c94:d774::/48'
option packet_steering '1'
config device
option name 'sfp'
option macaddr '08:xx:xx:xx:xx:5c'
config device
option name 'wan'
option macaddr '08:xx:xx:xx:xx:5c'
config device
option name 'lan2'
option macaddr '08:xx:xx:xx:xx:5d'
config device
option name 'lan3'
option macaddr '08:xx:xx:xx:xx:5d'
config device
option name 'lan4'
option macaddr '08:xx:xx:xx:xx:5d'
config device
option name 'lan5'
option macaddr '08:xx:xx:xx:xx:5d'
config device
option type 'bridge'
option name 'br-lan'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
list ports 'sfp'
config device
option type '8021q'
option ifname 'br-lan'
option vid '40'
option name 'br-lan.40'
config device
option type '8021q'
option ifname 'br-lan'
option vid '100'
option name 'br-lan.100'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
option metric '100'
option hostname '*'
option peerdns '0'
list dns '94.140.14.140'
list dns '176.9.93.198'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option peerdns '0'
list dns '2a10:50c0::1:ff'
list dns '2a01:4f8:151:34aa::198'
config interface 'iot'
option proto 'dhcp'
option device 'br-lan.40'
config interface 'lan'
option device 'br-lan.100'
option proto 'static'
option ipaddr '172.16.1.1'
option netmask '255.255.255.0'
option defaultroute '1'
option ip6assign '60'
config bridge-vlan
option device 'br-lan'
option vlan '40'
list ports 'lan2:u*'
list ports 'lan3:t'
list ports 'lan4:t'
list ports 'lan5:t'
list ports 'sfp:t'
config bridge-vlan
option device 'br-lan'
option vlan '100'
list ports 'lan3:t'
list ports 'lan4:t'
list ports 'lan5:t'
list ports 'sfp:t'
config bridge-vlan
option device 'br-lan'
option vlan '999'
option local '0'
And here's my firewall config:
root@rb760igs:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'iot'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'iot'
config forwarding
option src 'lan'
option dest 'iot'
config rule
option name 'IoT: Block-DNS-other-networks'
list proto 'tcp'
list proto 'udp'
option src 'iot'
option dest '*'
option dest_port '53'
option target 'REJECT'
config rule
option name 'IoT: Block-all'
list proto 'all'
option src 'iot'
option dest '*'
option target 'REJECT'
I assume this forward rule is requisite:
config forwarding
option src 'lan'
option dest 'iot'
And I assume I need a static route, is this correct?
THX