Connecting between VLANs using OpenWrt device

aryeduino · January 13, 2022, 1:09am

Hi All,
I have used 192.168.x.x and 10.10.x.x networking but for simplicity I am using short VLANs.
I have configured an OpenWRT on a PI and gave it a VLAN scope to handle (i.e. 1.1.1.0) and I have connected several devices to it through the Wlan0 interface and all have 1.1.1.x IP addresses.
One of the devices is connected using the Wlan0 and got 1.1.1.10 and i want to be able to go from there to one of the devices on the other network (i.e. 2.2.2.3)
I have added the rout on the 1.1.1.0 as follow:

route add -net 2.2.2.0 netmask 255.255.255.0 gw  1.1.1.1 dev wlan0

Is this correct? Since i want to be able to get to the 2.2.2.0 network the ONLY device that has a "leg" in that other VLAN is the gateway on my VLAN so I have added its IP and I can see in my route list:

2.2.2.0/24 via 1.1.1.1 dev wlan0

That means I have added a route to send traffic from one VLAN to another, correct? I thought that it what it meant - But I am still not able to access NONE of my devices on the other VLAN. not even a ping from any of my devices on Network 1 I can't access network 2 beside the 1.1.1.1 that has also a leg 2.2.2.1 and can ping and access both VLANs.

on my OpenWRT Pi I have this settings:

**~# ip route list**
default via 2.2.2.1 dev wlan0
1.1.1.0/24 dev br-lan scope link  src 1.1.1.1
2.2.2.0/24 dev wlan0 scope link  src 2.2.2.1

is that all I need?
How can I tell the router to forward traffic that comes from VLAN1 to VLAN2 on the correct leg?
Since I am not able to connect any of my devices on VLAN2 from VLAN1 beside the openWrt router I am sure that I am missing a route or even more settings.

I have tried my best to draw a diagram (do not judge me on my art skills)

I want to be able to connect from 1.1.1.10 on Wifi to server 2.2.2.3
Please assist.
Thanks

psherman · January 13, 2022, 1:35am

I'm confused here... are you using 1.1.1.0/24 and 2.2.2.0/24, etc. as your networks, or are you actually using RFC1918 (192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8) ranges?

To be clear, you should always use RFC1918 addresses. So if this was just to "simplify" the discussion here, it will actually add confusion. It is best to use the actual ranges.

You do not need to add any routes if everything is handled by the OpenWrt Pi, since OpenWrt already knows about each of the networks. You just need to enable forwarding in the firewall configuration.

Not judging, but this is not legible. Instead of drawing on the computer, it might be easier to draw this by hand (pencil on paper) and take a picture to upload. Or if that is an issue, use an actual block-diagram drawing tool (there are free online options) to create something that is more clear.

aryeduino · January 13, 2022, 7:57am

Yes I am using 192.168.x.x as network 2 and 10..x.x.x as network 1 - I just wanted to make it simple using 1s and 2 to identify the VLans. I have mentioned that at the beginning of my question. sorry

aryeduino · January 13, 2022, 8:28am

Thanks @psherman
I have created a diagram that I hope will be better from my first one.

Please assist. thanks

aryeduino · January 13, 2022, 8:43am

And this is my Firewall configuration - I am not sure if it correct - But it does not work

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option mtu_fix '1'
        list network 'wwan'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config forwarding
        option src 'wan'
        option dest 'lan'

Thanks

aryeduino · January 13, 2022, 11:19am

This is the GUI settings that I have.
Please help me understand what can be wrong here. thanks

pavelgl · January 13, 2022, 11:56am

Is 192.168.x.99 the Pi's wan IP address? If yes, enable temporarily masquerading on the wan zone and try to access 192.168.x.102 from 10.0.x.5.

If it works disable masquerading, add a static route in 192.168.x.102 to host 10.0.x.5/32 with next hop address 192.168.x.99 and check the firewall settings of 192.168.x.102 if any.

aryeduino · January 13, 2022, 3:01pm

Thanks a lot @pavelgl - I have enabled masquerading on the wan and I was able to access all of my devices on the 192.168 lan.
I know that it is not secure to leave that as it is, I am not sure how to move forward from here since the 192.168 device is WD My Cloud device and I wanted to mount it public folder on a device on 10.0.x lan.
How can I do that? adding a rout to WD My Cloud is simple?
Furthermore - If I want to access a IoT device that I do not have command line to it - would I be able to set something there?
please assist.
Thanks

psherman · January 13, 2022, 3:20pm

Where is the upstream connection? Is the pi the main router, or is that coming from somewhere else?

It is not necessary to redact rfc1918 addresses since they do not reveal anything sensitive about your network. please leave them intact.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/firewall

aryeduino · January 13, 2022, 4:05pm

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd80:b2f4:f25d::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option force_link '1'

config interface 'wwan'
        option proto 'static'
        option device 'wlan0'
        option ipaddr '192.168.0.99'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'
        option broadcast '192.168.0.255'
        option peerdns '0'
        option dns '8.8.8.8 1.1.1.1'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '7'
        option hwmode '11g'
        option path 'platform/soc/3f300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
        option htmode 'HT20'
        option disabled '0'
        option short_gi_40 '0'
        option cell_density '0'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'sta'
        option network 'wwan'
        option ssid 'MYWIFI************'
        option encryption 'psk2'
        option key '************************'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/soc/3f980000.usb/usb1/1-1/1-1.3/1-1.3:1.0'
        option htmode 'HT20'
        option disabled '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'MYWIFI*******'
        option encryption 'psk2'
        option key **********************'

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option mtu_fix '1'
        list network 'wwan'
        option forward 'ACCEPT'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config forwarding
        option src 'wan'
        option dest 'lan'

aryeduino · January 13, 2022, 4:09pm

Just send as requested - please check and let me know if i need to remove info or redact it - I am not sure 100% that i have done everything. thanks

psherman · January 13, 2022, 4:11pm

Ok... so it looks like the upstream is provided by some other router on the 192.168.0.1, correct (looks like it connects via wifi)?

Does that upstream router have the ability to be configured with static routes?

And finally, what are your goals with respect to security between the two networks?

aryeduino · January 13, 2022, 4:27pm

Thanks @psherman - you can see my reply to @pavelgl
I am able to get from 10 to 192 now after I enabled Masquerading - but this is not secured
Can you assist with my request, here is my previous reply:

Thanks a lot @pavelgl - I have enabled masquerading on the wan and I was able to access all of my devices on the 192.168 lan.
I know that it is not secure to leave that as it is, I am not sure how to move forward from here since the 192.168 device is WD My Cloud device and I wanted to mount it public folder on a device on 10.0.x lan.
How can I do that? adding a rout to WD My Cloud is simple?
Furthermore - If I want to access a IoT device that I do not have command line to it - would I be able to set something there?
please assist.
Thanks

psherman · January 13, 2022, 4:41pm

I saw that response, but I was curious what you have as your actual goals for security and access.

Is it purely to enable your WD MyCloud device to be mounted on the LAN behind the Pi on the 10.0.0.0/24 network?
Are there any other requirements?
- Does anything on the 192.168..0.0/24 network need to be able to connect to the 10.0.0.0/24 network?
- Do devices need to be isolated from each other in either or both directions?
- Or do they need to be open access to each other?
- Or some specific combination of access and restriction?
- Do you need to prevent 10.0.0.0/24 from reaching the internet?
And what about access to the Pi itself (OpenWrt administrative interfaces, etc.) -- do is it okay for both networks to have access or should only one? etc.

aryeduino · January 13, 2022, 4:59pm

psherman:

Is it purely to enable your WD MyCloud device to be mounted on the LAN behind the Pi on the 10.0.0.0/24 network?
ANSWER: This is my "NAS" for the time being and it should be available for devices in 192.168 and now I want it also to be available for devices on 10.0 as well. I have the IP for that "NAS" already embeded in lots of mounting on devices in 192.168 so it can not be moved - that will not help.

Are there any other requirements?

Does anything on the 192.168..0.0/24 network need to be able to connect to the 10.0.0.0/24 network?
ANSWER - Yes, I am managing all 10.0 devices form several machines on 192.168 so I must have it BOTH ways - most likely I need 192.168 to be able to connect to 10.0 more then I need 10.0 to connect to 192.168

Do devices need to be isolated from each other in either or both directions?
ANSWER: - they should be able to communicate - the 10.0 is my IoT Network. nad I am planning to add more OpenWRT devices on remote locations that will access in the same manor.

Or do they need to be open access to each other?
ANSWER See above I hope this will also answer that - not sure exactly

Or some specific combination of access and restriction?

Do you need to prevent 10.0.0.0/24 from reaching the internet?
ANSWER - must be able to connect the internet - remote services are logged out and also I have local DNS that need to have an internet connection (PiHole)

And what about access to the Pi itself (OpenWrt administrative interfaces, etc.) -- do is it okay for both networks to have access or should only one? etc.
ANSWER Not OK, I only want to be able to access the Web Interface from 192.168 network and not from 10.0 - I have not had any device with web interface on 10.0 yet , so i can't test that - But I want to prevent that from 10.0.

Hope that my answers above are good and you can understand my needs.
Thanks

psherman · January 13, 2022, 5:17pm

Based on your requirements, I will return to my earlier question:

aryeduino · January 13, 2022, 9:06pm

My main Router in my house? Yes it has a static rout right now,
I have configured the network destination to be 10.0 and gateway is the OpenWrt Pi on 192.168.0.99

psherman · January 14, 2022, 3:36am

Ok... so if you have a route for 10.0.0.0/24 via 192.168.0.99 installed on your main router, the rest should be pretty easy.

You have LAN > WAN forwarding allowed, and WAN > LAN as well. This means that connections should be possible from one network to the other and vice versa.

One change here: Masquerading should be turned off on the wan zone.

You said that you want to have the web management interface only available from the 192.168.0.0/24 network, so you want the wan zone to have input=accept (which it appears is the state currently). output should also be accept, and forward is typically set to reject but may not matter here.

Since you want to prevent 10.0.0.0/24 (the OpenWrt LAN) from reaching the router's interface, set lan zone input = reject.

That should then do what you want and you can always craft additional firewall rules to block any unwanted connections. The only thing we have not checked is /etc/config/dhcp - if you want to post that here, we can make sure everything is correct.

Finally, some devices will not respond to incoming connections from other networks -- for example, Windows blocks this by default, so you need to adjust the windows firewall to allow that. If you have issues, it is possible that the issue lies in the local firewalls on those devices.