Configure iptables to set default gateway for local network

I have an openwrt router with ip 192.168.1.1. What I want to do is to set a proxy server (192.168.1.249) in LAN, and intercept all communications from two devices (192.168.1.244, 192.168.1.131). The method I use is to set the proxy server as the default gateway, and I configured the following things on my openwrt router.

# Mark TCP packets from the two devices with fwmark 3 in the mangle PREROUTING chain
iptables -t mangle -A PREROUTING -p tcp -s 192.168.1.131 -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -p tcp -s 192.168.1.244 -j MARK --set-mark 3
# Set default gateway as the proxy server in table 2
ip route add default via 192.168.1.249 table 2
# Forward traffic with mark 3 to table 2
ip rule add fwmark 3 table 2

After my test, for all WAN communications of the two devices, the proxy server can intercept them and forward them, it's good. However, I found that these two devices also communicate with each other, and these LAN communications seem not to be forwarded to the proxy server. What is the reason? How can I forward this traffic to the proxy server?

ADDITIONAL TEST: In order to figure out whether configuring iptables is useful, I added a rule for testing:

# Test rule: drop every packet from 192.168.1.131 in the mangle PREROUTING chain
iptables -t mangle -A PREROUTING -s 192.168.1.131 -j DROP

In my opinion, if this rule works, then the device with ip 244 will not receive any traffic from the device with ip 131, and this proves that iptables can work for LAN communication. However, I used the 131 device to send tcp traffic to the 244 device, and it works. I doubt that configuring iptables can help me forward this LAN traffic to my proxy server. Am I right?

Communication within the same LAN is "switched" not "routed", so the firewall will not see this communication. If you want to fully separate the two devices you would have to put them in separate VLANs.

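The point made in the reply above can be checked before touching the router: a packet between two hosts in the same subnet takes the layer-2 (switched) path and never enters the router's PREROUTING chain, so neither the fwmark rule nor the DROP test rule can fire on it. The script below is an added example, not code from the thread; the addresses and prefix length are sample values matching the LAN described above.

```shell
#!/bin/sh
# Added example: decide whether traffic between two hosts is "switched"
# (same subnet, handled by the switch/bridge, invisible to the router's
# iptables) or "routed" (crosses the router, where fwmark + ip rule apply).
# Addresses below are constructed sample values, not from the original post.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Build the integer netmask for a prefix length 0..32.
prefix_to_mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# Print "switched" when src and dst share a subnet, "routed" otherwise.
# Usage: traffic_path SRC DST PREFIXLEN
traffic_path() {
    mask=$(prefix_to_mask "$3")
    src_net=$(( $(ip_to_int "$1") & mask ))
    dst_net=$(( $(ip_to_int "$2") & mask ))
    if [ "$src_net" -eq "$dst_net" ]; then echo switched; else echo routed; fi
}

# Walk the cases from the thread: phone <-> IoT device, and each to the WAN.
report() {
    prefix=24                       # the 192.168.1.0/24 LAN of the router
    for pair in "192.168.1.131 192.168.1.244" \
                "192.168.1.131 93.184.216.34" \
                "192.168.1.244 93.184.216.34"; do
        set -- $pair
        printf '%-15s -> %-15s : %s\n' "$1" "$2" "$(traffic_path "$1" "$2" "$prefix")"
    done
}

report
```

Only pairs reported as "routed" can be redirected to the proxy by the fwmark rules; a "switched" pair needs the traffic forced through the router first (separate VLANs, or separate bridged SSIDs as suggested later in the thread).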

However, the two devices (More specifically, my phone and my iot device) can only work in the same LAN. Otherwise my phone cannot send commands to my device. Is there any method, for example, disabling the switch functionality?

I would try creating two SSIDs (one for each device), and bridging them together. At least, this way the communication will go through the CPU.


I am sorry that I don't understand what you mean by "bridging". Could you please explain it?

In OpenWrt, each wireless interface is bridged to a network; for example, in a typical case of a router with wired ethernet plus two wireless radios (2.4GHz and 5GHz), there is a wireless interface on each band, all bridged together with the wired interface.
