Different subnet for LAN/WLAN - cannot connect to some devices

Hello,

I'm trying to configure OpenWRT to have different subnets for LAN and WLAN - the communication between the two subnets shouldn't be restricted. The following configuration almost works, but I cannot connect to some devices on the LAN when I'm connected via WLAN. I cannot figure out why :frowning:

P.S. When both WiFi networks are assigned to LAN interface everything works as it should.

/etc/config/network

# Loopback interface (stock OpenWrt default).
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# Wired LAN: bridge over eth1 at 192.168.1.1/24. ip6assign '60' hands this
# bridge a /60 out of the delegated IPv6 prefix.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.1'

# Uplink: PPPoE over eth0. Username, password and the custom DNS list are
# redacted as '*' in this post. peerdns '0' ignores ISP-supplied resolvers
# and uses the 'dns' option instead; ipv6 '1' requests IPv6 on the session.
config interface 'wan'
        option proto 'pppoe'
        option ifname 'eth0'
        option password '*'
        option ipv6 '1'
        option keepalive '5 5'
        option username '*'
        option peerdns '0'
        option dns '*'

# Switch with VLAN tagging enabled: VLAN 1 = ports 2 3 4 5 0, VLAN 2 = ports 1 6.
# Which ports are the CPU ports is not shown here -- presumably 0 and 6, verify
# against the board's port map.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6'

# Modem-side interface: static 10.0.0.137/24 on the raw eth0, i.e. the same
# physical port the PPPoE session runs over (presumably to reach the modem's
# management page).
# NOTE(review): 'ADSL' is not listed in any zone in /etc/config/firewall, so
# traffic arriving on it falls under 'config defaults' (input ACCEPT). Consider
# adding it to the 'wan' zone's network list so router services are not
# reachable from the modem side without an explicit rule.
config interface 'ADSL'
        option proto 'static'
        option ifname 'eth0'
        option ipaddr '10.0.0.137'
        option netmask '255.255.255.0'

# WLAN network: bridge at 192.168.2.1/24. There is no 'ifname' here; both
# radios attach through "option network 'wifi'" in /etc/config/wireless, which
# is what creates br-wifi. The '_orig_*' options are LuCI bookkeeping left over
# from editing the bridge and are presumably ignored by netifd.
# Unlike 'lan' there is no ip6assign, so this bridge likely gets no delegated
# IPv6 prefix even though /etc/config/dhcp enables RA/DHCPv6 on it -- confirm
# whether IPv6 is wanted on the WLAN.
config interface 'wifi'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option type 'bridge'
        option _orig_ifname 'wlan0 wlan1'
        option _orig_bridge 'true'

/etc/config/wireless

# 5 GHz radio (hwmode 11a, VHT80, automatic channel), regulatory domain PL,
# tx power capped at 17 dBm.
config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:01/0000:01:00.0'
        option country 'PL'
        option channel 'auto'
        option htmode 'VHT80'
        option txpower '17'
        option distance '15'

# AP on radio0, WPA2-PSK (psk2); key, SSID and the MAC allow-list are redacted
# as '*' in this post. The PSK is the actual access control -- macfilter 'allow'
# is only a convenience filter on top of it. Attached to the 'wifi' network
# (br-wifi), not to 'lan'.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option key '*'
        option encryption 'psk2'
        option macfilter 'allow'
        list maclist '*'
        option ssid '*'
        option network 'wifi'

# 2.4 GHz radio (hwmode 11g, HT40, fixed channel 3), same country/txpower/distance.
config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/qca955x_wmac'
        option htmode 'HT40'
        option country 'PL'
        option channel '3'
        option txpower '17'
        option distance '15'

# AP on radio1 with the same settings as default_radio0; both SSIDs land in the
# same 'wifi' bridge, so 2.4 GHz and 5 GHz clients share 192.168.2.0/24.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option encryption 'psk2'
        option key '*'
        option macfilter 'allow'
        list maclist '*'
        option ssid '*'
        option network 'wifi'

/etc/config/firewall

# Global policy for traffic on interfaces that belong to no zone: input ACCEPT,
# forward REJECT, invalid-state packets dropped, SYN-flood limiter on.
# NOTE(review): with input ACCEPT here, any interface not assigned to a zone
# below (the 'ADSL' interface in /etc/config/network is one) has unrestricted
# access to router services.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option drop_invalid '1'

# 'lan' zone: fully open towards the router and between its own members.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

# 'wan' zone: input/forward REJECT, NAT (masq) and TCP MSS clamping (mtu_fix)
# for the PPPoE link. 'wan6' is listed but not defined in /etc/config/network.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

# 'wifi' zone: same open policy as 'lan', covering br-wifi.
config zone
        option name 'wifi'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'wifi'

# Inter-zone forwarding: lan and wifi each reach wan, and lan <-> wifi is
# allowed in both directions -- the two subnets are unrestricted towards each
# other, as the post intends.
config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'wifi'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'wifi'

config forwarding
        option src 'wifi'
        option dest 'lan'

# The following Allow-* rules are the stock OpenWrt defaults for the wan zone
# (DHCP renew, ping, IGMP, DHCPv6, MLD and rate-limited ICMPv6).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Custom iptables rules from /etc/firewall.user are loaded into the *_rule
# user chains (all empty in the iptables output posted below).
config include
        option path '/etc/firewall.user'

# Two unnamed rules letting IPsec (ESP and IKE on UDP/500) from the Internet
# be forwarded into the lan zone; they show up as @rule[7] / @rule[8] in
# zone_wan_forward.
# NOTE(review): neither rule has src_ip or dest_ip, so any WAN source may reach
# any lan host on these protocols. If they exist for a single IPsec endpoint,
# add "option dest_ip '<endpoint address>'" to each and an "option name" so
# they are identifiable in the iptables listing. No NAT-T (UDP/4500) rule is
# present -- presumably not needed for that endpoint; confirm.
config rule
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

/etc/config/dhcp

# dnsmasq: DNS rebind protection on, localservice '1' so DNS answers only go
# to directly connected subnets, local domain 'lan'. nonwildcard '0' means
# dnsmasq is not bound per-interface; with the unzoned 'ADSL' interface and
# the default input ACCEPT in /etc/config/firewall, the 10.0.0.0/24 side can
# presumably query it as well -- harmless for a modem link, but worth knowing.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        option filterwin2k '1'
        option nonwildcard '0'

# DHCPv4 pool for 'lan': 192.168.1.100-249 (start 100, limit 150), 48h leases;
# RA and DHCPv6 served by odhcpd. force '1' keeps serving even if another DHCP
# server is detected on the segment.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '48h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option force '1'

# Same pool layout for 'wifi' (192.168.2.100-249). RA/DHCPv6 are enabled, but
# the 'wifi' interface has no ip6assign in /etc/config/network, so there is
# likely no global prefix to announce here.
config dhcp 'wifi'
        option start '100'
        option limit '150'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option force '1'
        option interface 'wifi'
        option leasetime '48h'

# No DHCP service on the uplink.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# odhcpd handles IPv6 only (maindhcp '0' leaves DHCPv4 to dnsmasq).
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

Check the destination device's own firewall; it sometimes allows access from the local subnet only.


Can you post the output of `iptables -L -vn` here?

Here is iptables output:

Chain INPUT (policy ACCEPT 1 packets, 36 bytes)
 pkts bytes target     prot opt in     out     source               destination 
   22  1386 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  160 14476 input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for input */
  144 13532 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3 */
    3   172 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 /* !fw3 */
   15   908 zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_input  all  --  pppoe-wan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wifi_input  all  --  br-wifi *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
 6831 4739K forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for forwarding */
 6815 4738K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    2    80 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3 */
   12   750 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    2   104 zone_wan_forward  all  --  pppoe-wan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wifi_forward  all  --  br-wifi *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
   22  1386 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  161 36962 output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for output */
  156 36648 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3 */
    0     0 zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    5   314 zone_wan_output  all  --  *      pppoe-wan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wifi_output  all  --  *      br-wifi  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain forwarding_wifi_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain input_wifi_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain output_wifi_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain reject (3 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    3   172 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_dest_ACCEPT (5 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination 
   12   750 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for forwarding */
   12   750 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: forwarding lan -> wan */
    0     0 zone_wifi_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: forwarding lan -> wifi */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination 
   15   908 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
   15   908 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for output */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination 
   15   908 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination 
   17  1064 ACCEPT     all  --  *      pppoe-wan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 reject     all  --  *      pppoe-wan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    2   104 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for forwarding */
    0     0 zone_lan_dest_ACCEPT  esp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: @rule[7] */
    0     0 zone_lan_dest_ACCEPT  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500 /* !fw3: @rule[8] */
    2   104 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for input */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 /* !fw3: Allow-DHCP-Renew */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* !fw3: Allow-Ping */
    0     0 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IGMP */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
    0     0 zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    5   314 output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for output */
    5   314 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 reject     all  --  pppoe-wan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wifi_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all  --  *      br-wifi  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wifi_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 forwarding_wifi_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for forwarding */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: forwarding wifi -> wan */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: forwarding wifi -> lan */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wifi_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wifi_input (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 input_wifi_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
    0     0 zone_wifi_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wifi_output (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 output_wifi_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for output */
    0     0 zone_wifi_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wifi_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all  --  br-wifi *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

I will check firewall settings :slight_smile:

The firewall settings are correct; the problem I see here is that there are no hits on the firewall's wifi forward chain, which means no packets were forwarded from WiFi to LAN at all.

Chain FORWARD (policy DROP 0 packets, 0 bytes)
...
    0     0 zone_wifi_forward  all  --  br-wifi *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
...

Can you run it once again after you have tried a few times to connect from a WiFi device to a LAN device?

It seems that the problem was caused by the software firewall on the destination device.

Thanks,
Best Regards!
