Dear Community,
I need your help... I know there are already several threads about connecting different subnets, but I simply can't figure out what I am doing wrong.
The desire is to reach the 10.0.0.* servers (via multiple protocols: sftp, web UI, ssh, etc...) from a completely different network area, the 169.254.0.* one.
I would like the 10.0.0.* hosts to not be able to connect directly to the 169.254.0.* area: so the requests must be one way only.
But at the moment, I can reach any servers/hosts/services on the 169.254.0.* net as normal, but I really can't reach any 10.0.0.* servers.
From the OpenWrt router I can ping the 10.0.0.1 gateway, but no other hosts are reachable within the 10.0.0.* area.
From the 10.0.0.1 gateway's perspective, the OpenWrt router is just a common client, and it should be able to see the servers in the 10.0.0.* area. The interface eth4 is served by the DHCP server and receives the 10.0.0.70 address as a static lease on 10.0.0.1.
I tried everything, from putting them in the same firewall area (with open forwarding rules and masquerading), even if that was not what I wanted, to making a static IPv4 route and creating a custom IPv4 NAT rule. But nothing.
169.254.0.0/16 is reserved for IPv4 link-local addresses, don't use it for LAN.
Also post your network and firewall configs as text if you want someone to check it.
No, that's clear. The plan was to change it in the future (for three years I have had an entire infrastructure on 169.254.0.224/27 with a 169.254.0.254 router/gateway and 8 hosts connected; I can't change it immediately.)
But just let me understand if my problem is related to that, or caused by other mistakes in the configuration...
First of all .139 is not inside the /27 subnet that includes .254. This is a problem.
After fixing that, then install a route into the "router gateway" of the 169 network (not the OpenWrt router) to route requests for 10.0.0.0/24 to the OpenWrt router at 169.254.0.139. Similarly the "router gateway" of the 10 network needs a route back to the 169 network via the OpenWrt router's IP on the 10 network.
It isn't necessary to install explicit routes in the OpenWrt router as they are automatically installed when an address and netmask is configured on its local interfaces. These two interfaces need to be in the same firewall zone with forwarding enabled, or if they are in different zones, have forwarding rules between them. Using different zones allows you to enforce one-way forwarding only.
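A config fragment for the two-zone, one-way layout described in the post above, added here as an example and not taken from any of the posts. The interface and zone names (`mgmt` on eth3 for the 169 side, `srv` on eth4 for the 10 side) and the OpenWrt address 169.254.0.240/27 are assumptions; 10.0.0.70, 10.0.0.1, 169.254.0.254 and the /27 come from the thread.

```uci
# /etc/config/network (fragment)
# The 169 side: a static address that actually falls inside 169.254.0.224/27
config interface 'mgmt'
	option device 'eth3'               # assumed interface name ('ifname' on OpenWrt < 21.02)
	option proto 'static'
	option ipaddr '169.254.0.240'      # assumed; .139 is outside the /27 that holds .254
	option netmask '255.255.255.224'
	option gateway '169.254.0.254'     # existing router/gateway of the 169 network

# The 10 side: DHCP client that receives the 10.0.0.70 static lease from 10.0.0.1
config interface 'srv'
	option device 'eth4'
	option proto 'dhcp'

# /etc/config/firewall (fragment)
# Two zones; no explicit routes are needed, the connected /27 and /24 are
# installed automatically from the interface addresses above.
config zone
	option name 'mgmt'
	list network 'mgmt'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'            # zone-internal forwarding policy, not mgmt->srv

config zone
	option name 'srv'
	list network 'srv'
	option input 'REJECT'              # 10.0.0.* hosts cannot reach the router itself
	option output 'ACCEPT'
	option forward 'REJECT'
	# option masq '1'  # only if 10.0.0.1 cannot be given a route back to the /27;
	                   # replies then go to 10.0.0.70 instead of the 169 host

# One direction only: mgmt -> srv. There is deliberately no 'srv' -> 'mgmt'
# forwarding section, so new connections from 10.0.0.* are rejected while
# replies to mgmt-initiated sessions are still passed by connection tracking.
config forwarding
	option src 'mgmt'
	option dest 'srv'

# Routes on the two existing gateways (Linux syntax, outside OpenWrt):
#   on 169.254.0.254:  ip route add 10.0.0.0/24 via 169.254.0.240
#   on 10.0.0.1:       ip route add 169.254.0.224/27 via 10.0.0.70
# Without the second route (or masq above), 10.0.0.* hosts other than the
# gateway have no path back to the 169 network, which matches the symptom
# of only 10.0.0.1 answering pings.
```

Apply with `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, then verify from a 169 host that a new connection to a 10.0.0.* server succeeds and the reverse is rejected.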
The issue is the following: you can of course assign these addresses and use them within your LAN, and you can also set routes however you like to this network or to more specific networks, but chances are high that some operating system might treat them specially because they are not intended for routing.
It might also be that if an (end-user) OS detects these addresses on its "LAN", it will report issues to those users, because for instance Microsoft Windows used these addresses for auto-configuration on a LAN without a router and/or DHCP server.
TL;DR: RFC 1918 offers plenty of usable private IPv4 space; just use that.
Thanks everyone! I finally resolved the issue; all the feedback was correct and useful:
as @vgaetera, @psherman, and @_bernd suggested, just for macOS the 169.254.* network address was problematic, so I remapped every host: it took a while to reconfigure services and clients...
And also the comment by @mk24 was critical: I deleted every static route and just took advantage of the firewall zones.