Connecting between VLANs using OpenWrt device

Hi All,
I have used 192.168.x.x and 10.10.x.x networking, but for simplicity I am using short VLANs.
I have configured OpenWrt on a Pi and gave it a VLAN scope to handle (i.e. 1.1.1.0), and I have connected several devices to it through the wlan0 interface; all have 1.1.1.x IP addresses.
One of the devices is connected using wlan0 and got 1.1.1.10, and I want to be able to go from there to one of the devices on the other network (i.e. 2.2.2.3).
I have added the route on the 1.1.1.0 as follows:

route add -net 2.2.2.0 netmask 255.255.255.0 gw  1.1.1.1 dev wlan0

Is this correct? Since I want to be able to get to the 2.2.2.0 network, and the ONLY device that has a "leg" in that other VLAN is the gateway on my VLAN, I have added its IP and I can see in my route list:

2.2.2.0/24 via 1.1.1.1 dev wlan0

That means I have added a route to send traffic from one VLAN to another, correct? I thought that is what it meant, but I am still not able to access ANY of my devices on the other VLAN, not even a ping. From any of my devices on Network 1 I can't access network 2, besides the 1.1.1.1 that also has a leg on 2.2.2.1 and can ping and access both VLANs.

On my OpenWrt Pi I have these settings:

**~# ip route list**
default via 2.2.2.1 dev wlan0
1.1.1.0/24 dev br-lan scope link  src 1.1.1.1
2.2.2.0/24 dev wlan0 scope link  src 2.2.2.1

Is that all I need?
How can I tell the router to forward traffic that comes from VLAN1 to VLAN2 on the correct leg?
Since I am not able to connect to any of my devices on VLAN2 from VLAN1, besides the OpenWrt router, I am sure that I am missing a route or even more settings.

I have tried my best to draw a diagram (do not judge me on my art skills).


I want to be able to connect from 1.1.1.10 on WiFi to server 2.2.2.3.
Please assist.
Thanks

I'm confused here... are you using 1.1.1.0/24 and 2.2.2.0/24, etc. as your networks, or are you actually using RFC1918 (192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8) ranges?

To be clear, you should always use RFC1918 addresses. So if this was just to "simplify" the discussion here, it will actually add confusion. It is best to use the actual ranges.

You do not need to add any routes if everything is handled by the OpenWrt Pi, since OpenWrt already knows about each of the networks. You just need to enable forwarding in the firewall configuration.

Not judging, but this is not legible. Instead of drawing on the computer, it might be easier to draw this by hand (pencil on paper) and take a picture to upload. Or if that is an issue, use an actual block-diagram drawing tool (there are free online options) to create something that is more clear.

Yes, I am using 192.168.x.x as network 2 and 10.x.x.x as network 1 - I just wanted to make it simple, using 1s and 2s to identify the VLANs. I have mentioned that at the beginning of my question. Sorry :frowning:

Thanks @psherman
I have created a diagram that I hope will be better than my first one.


Please assist. Thanks

And this is my firewall configuration - I am not sure if it is correct, but it does not work:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option mtu_fix '1'
        list network 'wwan'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config forwarding
        option src 'wan'
        option dest 'lan'

Thanks


These are the GUI settings that I have.
Please help me understand what can be wrong here. Thanks

Is 192.168.x.99 the Pi's wan IP address? If yes, temporarily enable masquerading on the wan zone and try to access 192.168.x.102 from 10.0.x.5.

If it works disable masquerading, add a static route in 192.168.x.102 to host 10.0.x.5/32 with next hop address 192.168.x.99 and check the firewall settings of 192.168.x.102 if any.


Thanks a lot @pavelgl - I have enabled masquerading on the wan and I was able to access all of my devices on the 192.168 LAN.
I know that it is not secure to leave that as it is. I am not sure how to move forward from here, since the 192.168 device is a WD My Cloud device and I wanted to mount its public folder on a device on the 10.0.x LAN.
How can I do that? Is adding a route to the WD My Cloud simple?
Furthermore - if I want to access an IoT device that I do not have a command line on - would I be able to set something there?
Please assist.
Thanks

Where is the upstream connection? Is the pi the main router, or is that coming from somewhere else?

It is not necessary to redact RFC1918 addresses since they do not reveal anything sensitive about your network. Please leave them intact.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/firewall

cat /etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd80:b2f4:f25d::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option force_link '1'

config interface 'wwan'
        option proto 'static'
        option device 'wlan0'
        option ipaddr '192.168.0.99'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'
        option broadcast '192.168.0.255'
        option peerdns '0'
        option dns '8.8.8.8 1.1.1.1'

cat /etc/config/wireless
config wifi-device 'radio0'
        option type 'mac80211'
        option channel '7'
        option hwmode '11g'
        option path 'platform/soc/3f300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
        option htmode 'HT20'
        option disabled '0'
        option short_gi_40 '0'
        option cell_density '0'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'sta'
        option network 'wwan'
        option ssid 'MYWIFI************'
        option encryption 'psk2'
        option key '************************'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/soc/3f980000.usb/usb1/1-1/1-1.3/1-1.3:1.0'
        option htmode 'HT20'
        option disabled '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'MYWIFI*******'
        option encryption 'psk2'
        option key '**********************'

cat /etc/config/firewall
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option mtu_fix '1'
        list network 'wwan'
        option forward 'ACCEPT'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config forwarding
        option src 'wan'
        option dest 'lan'

Just sent as requested - please check and let me know if I need to remove info or redact it - I am not 100% sure that I have done everything. Thanks

Ok... so it looks like the upstream is provided by some other router on the 192.168.0.1, correct (looks like it connects via wifi)?

Does that upstream router have the ability to be configured with static routes?

And finally, what are your goals with respect to security between the two networks?

Thanks @psherman - you can see my reply to @pavelgl
I am able to get from 10 to 192 now after I enabled masquerading - but this is not secure.
Can you assist with my request, here is my previous reply:

Thanks a lot @pavelgl - I have enabled masquerading on the wan and I was able to access all of my devices on the 192.168 LAN.
I know that it is not secure to leave that as it is. I am not sure how to move forward from here, since the 192.168 device is a WD My Cloud device and I wanted to mount its public folder on a device on the 10.0.x LAN.
How can I do that? Is adding a route to the WD My Cloud simple?
Furthermore - if I want to access an IoT device that I do not have a command line on - would I be able to set something there?
Please assist.
Thanks

I saw that response, but I was curious what you have as your actual goals for security and access.

  • Is it purely to enable your WD MyCloud device to be mounted on the LAN behind the Pi on the 10.0.0.0/24 network?
  • Are there any other requirements?
    • Does anything on the 192.168.0.0/24 network need to be able to connect to the 10.0.0.0/24 network?
    • Do devices need to be isolated from each other in either or both directions?
    • Or do they need to be open access to each other?
    • Or some specific combination of access and restriction?
    • Do you need to prevent 10.0.0.0/24 from reaching the internet?
  • And what about access to the Pi itself (OpenWrt administrative interfaces, etc.) -- is it okay for both networks to have access, or should only one? etc.

Hope that my answers above are good and you can understand my needs.
Thanks

Based on your requirements, I will return to my earlier question:

My main router in my house? Yes, it has a static route right now.
I have configured the network destination to be 10.0 and the gateway is the OpenWrt Pi on 192.168.0.99.

Ok... so if you have a route for 10.0.0.0/24 via 192.168.0.99 installed on your main router, the rest should be pretty easy.

You have LAN > WAN forwarding allowed, and WAN > LAN as well. This means that connections should be possible from one network to the other and vice versa.

One change here: Masquerading should be turned off on the wan zone.

You said that you want to have the web management interface only available from the 192.168.0.0/24 network, so you want the wan zone to have input=accept (which it appears is the state currently). output should also be accept, and forward is typically set to reject but may not matter here.

Since you want to prevent 10.0.0.0/24 (the OpenWrt LAN) from reaching the router's interface, set lan zone input = reject.

That should then do what you want and you can always craft additional firewall rules to block any unwanted connections. The only thing we have not checked is /etc/config/dhcp - if you want to post that here, we can make sure everything is correct.

Finally, some devices will not respond to incoming connections from other networks -- for example, Windows blocks this by default, so you need to adjust the windows firewall to allow that. If you have issues, it is possible that the issue lies in the local firewalls on those devices.
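To make the two changes psherman asks for concrete, here is an added example (not code from the thread or from OpenWrt): a small audit of the zone settings that matter in this thread, run over a constructed copy of the posted firewall config before and after the fix. It assumes the zone order of the posted config (lan first, wan second) and that only masquerading and the lan input policy need to change.

```shell
# Added example, not from the thread: audit the firewall zone settings this thread turns on
# in an OpenWrt /etc/config/firewall, apply the two changes psherman asks for (masq off on
# wan, lan input REJECT) and re-audit. The sample config is constructed from the posted one
# with the stock Allow-* rules and unrelated options left out.
posted_config() {
cat <<'EOF'
config zone
        option name 'lan'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'wan'
        option dest 'lan'
EOF
}
# The same two edits on the router itself (zones in posted order: lan=@zone[0], wan=@zone[1]):
#   uci set firewall.@zone[0].input='REJECT'; uci set firewall.@zone[1].masq='0'
#   uci commit firewall; /etc/init.d/firewall restart
corrected_config() {
    posted_config | sed -e "/option name 'lan'/,/option name 'wan'/ s/input 'ACCEPT'/input 'REJECT'/" \
                        -e "s/option masq '1'/option masq '0'/"
}
# audit_fw: read a firewall config on stdin and print one finding per line (nothing when clean).
audit_fw() {
    awk '
    /^config zone/       { sec = "zone"; name = ""; next }
    /^config forwarding/ { sec = "fwd"; src = ""; next }
    /^config/            { sec = ""; next }
    { gsub("\047", "") }                       # drop the quotes around values
    sec == "zone" && $2 == "name"  { name = $3 }
    sec == "zone" && $2 == "input" { inpol[name] = $3 }
    sec == "zone" && $2 == "masq"  { masq[name] = $3 }
    sec == "fwd"  && $2 == "src"   { src = $3 }
    sec == "fwd"  && $2 == "dest"  { fwd[src "->" $3] = 1 }
    END {
        if (masq["wan"] == "1")       print "wan masquerades: 10.0.0.0/24 hosts appear as 192.168.0.99 on the 192.168.0.0/24 side"
        if (inpol["lan"] != "REJECT") print "lan input is " inpol["lan"] ": 10.0.0.0/24 can reach the OpenWrt admin interfaces"
        if (!("lan->wan" in fwd) || !("wan->lan" in fwd)) print "forwarding is not allowed in both directions between lan and wan"
    }'
}
posted_config    | audit_fw   # two findings: wan masq, lan input
corrected_config | audit_fw   # clean
```

Run it against the real file with `audit_fw < /etc/config/firewall` after the uci changes to confirm only the intended zone policies changed.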