Devices with other IP won't be directed to standard gateway

Hi all,
I'm using OpenWRT on a Cudy WR1300v3 device. Version 23.05.3
I have two devices with static IP 192.168.2.99 and 192.168.2.80 (Playstation 5)
My Router has LAN IP 192.168.130.1 DHCP activated WAN IP 192.168.2.2
Fritzbox Modem and PPPOE Router is on LAN Port 192.168.2.1

Playstation 192.168.2.99 <-> Switch <-> OpenWRT Router LAN 192.168.130.1 WAN 192.168.2.2 <-> FritzBox 192.168.2.1 <-> Internet
VLAN is deactivated at Switch and OpenWRT Router
Firewall logs nothing.

Route is activated 0.0.0.0/0 to 192.168.2.2 (Router WAN)

My /network config

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd9f:f265:6dcf::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.130.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.2.1'
        list dns '8.8.8.8'

config interface 'wan'
        option device 'wan'
        option proto 'static'
        option ipaddr '192.168.2.2'
        option gateway '192.168.2.1'
        option netmask '255.255.255.0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config route
        option interface 'lan'
        option target '0.0.0.0/0'
        option gateway '192.168.2.2'

config route
        option interface 'wan'
        option target '0.0.0.0/0'
        option gateway '192.168.2.1'

Firewall config

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option log '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        option log '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow Mgmt Ssh'
        option src 'lan'
        option src_port '22'
        option dest 'lan'
        option dest_port '22'
        option target 'ACCEPT'
        list src_ip '192.168.130.100'
        list dest_ip '192.168.2.1'

config rule
        option name 'Allow Mgmt Https'
        option src 'lan'
        option src_port '443'
        option dest 'lan'
        option dest_port '443'
        option target 'ACCEPT'
        list src_ip '192.168.130.100'
        list dest_ip '192.168.2.1'

config rule
        option name 'Allow mgmt Webinterface'
        option src 'lan'
        option src_port '80'
        option dest 'lan'
        option dest_port '80'
        option target 'ACCEPT'
        list src_ip '192.168.130.100'
        list dest_ip '192.168.2.1'

config rule
        option name 'PS Allow all'
        option src '*'
        list src_ip '192.168.2.80'
        list src_ip '192.168.2.99'
        option dest 'wan'
        option target 'ACCEPT'
        list dest_ip '192.168.2.1'

Route

route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.2.1     0.0.0.0         UG    0      0        0 wan
192.168.2.0     *               255.255.255.0   U     0      0        0 wan
192.168.130.0   *               255.255.255.0   U     0      0        0 br-lan

Has anybody an idea?

those static IP devices can't sit on the openwrt LAN.
you have to put them on the Fritzbox LAN.


Right, but on the switch (192.168.130.5) an OpenWRT WiFi AP and the PlayStation are connected. I have only one Ethernet cable in this room.
I thought that OpenWRT routes all connections which are not in its LAN to the WAN port, because the router has a default route defined.

Nope, that's not how routing works. A router can't route IPs outside its subnet, even with a default route.

Plus, the devices wouldn't be able to communicate via IP with the router either, and there is no return path for incoming packets from the internet.

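To make the reply above concrete, here is an added example (not from the thread or from OpenWrt itself) that replays the router's posted `route` table with a longest-prefix-match lookup and checks whether a 192.168.2.x host behind br-lan can even ARP for its configured gateway 192.168.2.2. The addresses and routes are the ones from the original post; the helper names are my own.

```python
import ipaddress

# Routing table exactly as shown in the thread's `route` output:
# (prefix, next hop or None when directly connected, egress interface)
ROUTES = [
    ("0.0.0.0/0", "192.168.2.1", "wan"),
    ("192.168.2.0/24", None, "wan"),
    ("192.168.130.0/24", None, "br-lan"),
]

# Addresses the OpenWrt router owns per interface (from /etc/config/network).
ROUTER_ADDRS = {"wan": "192.168.2.2", "br-lan": "192.168.130.1"}


def lookup(dst, routes=ROUTES):
    """Longest-prefix match as the kernel does it. Returns (egress interface, next hop)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifname)
    if best is None:
        return None
    net, gw, ifname = best
    # Directly connected route: the next hop is the destination itself, resolved by ARP on ifname.
    return ifname, gw if gw else str(dst)


def host_can_reach_gateway(host_ip, host_mask, gateway, segment_addrs):
    """A host can only use its gateway if the gateway is inside the host's subnet
    AND some device on the same L2 segment actually owns that address (answers ARP)."""
    net = ipaddress.ip_network(f"{host_ip}/{host_mask}", strict=False)
    return ipaddress.ip_address(gateway) in net and gateway in segment_addrs


def trace_playstation(ps_ip="192.168.2.99"):
    """Reproduce the two failure points for a 192.168.2.x host plugged into br-lan."""
    # 1. The only router address on the br-lan segment is 192.168.130.1; the gateway
    #    192.168.2.2 the PlayStation expects lives on the wan side, so its ARP goes unanswered.
    arp_ok = host_can_reach_gateway(ps_ip, "255.255.255.0", "192.168.2.2",
                                    {ROUTER_ADDRS["br-lan"]})
    # 2. Any reply that reaches this router is matched by the connected 192.168.2.0/24
    #    route and sent out wan, never toward br-lan where the PlayStation actually sits.
    reply_if, _ = lookup(ps_ip)
    return {"arp_to_gateway_ok": arp_ok,
            "reply_egress": reply_if,
            "reply_reaches_lan": reply_if == "br-lan"}
```

For comparison, `lookup("192.168.130.50")` lands on br-lan and a host with that address can ARP for 192.168.130.1, which is why moving the devices into 192.168.130.0/24 (or onto the FritzBox side) resolves it.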

Why don't you change the static IP addresses? Either to dynamic or to the 192.168.130.0/24 subnet.

We don't know which ports and services will be needed by the PlayStation. If we use a strict firewall policy in the OpenWRT router I must check every multiplayer game for its ports. To avoid this I wanted to put the PS directly in the FritzBox LAN.
If this isn't working, I think we will create a new VLAN and firewall zone for the PlayStation and allow it to use UPnP :(

So put the PS4s on the WAN side of the OpenWRT device, connected to the Fritzbox?
Your LAN will be safe, and you probably won't have to sniff the ports.

What is the purpose of the OpenWrt router in your network? You could set it up as a standard bridged AP. If you want to have the OpenWrt device handling routing while also providing direct wifi (and/or ethernet) connectivity to the upstream subnet, you can use a variant of the guest wifi on a dumb AP configuration.
