Hi, I'm asking for help with my configuration on OpenWrt Chaos Calmer 15.05.1. I've created a setup similar to this superuser question to "join" two LANs by means of an OpenWrt device configured as a Wi-Fi client.
Specifically, this is my network diagram:
I would like each of the two networks to have its own separate Internet access (through FirstRouter for LAN0 and SecondRouter for LAN1, which are the default gateways for the devices on each LAN), but the OpenWrt router should let the two LANs communicate. On FirstRouter I set a static route to 192.168.1.0/24 via 192.168.0.253, and conversely SecondRouter has a static route to 192.168.0.0/24 via 192.168.1.253.
This setup works perfectly, but the problem is that I would like LAN0 to be able to ping/access any IP on LAN1, while LAN1 should have access only to NAS2 (i.e. the IP address 192.168.0.20), and I'm not able to achieve this using the LuCI firewall configuration.
My current network setup is the following:
# /etc/config/network as posted (indentation lost in the paste).
# Addressing as described in the question: the LAN side is 192.168.1.0/24
# (LAN1, SecondRouter at 192.168.1.1) and the wireless client side is
# 192.168.0.0/24 (LAN0, FirstRouter).
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd05:bc45:cc82::/48'
# Bridged wired LAN facing LAN1. The router's own default route is via
# SecondRouter (192.168.1.1), see 'gateway' below.
config interface 'lan'
option ifname 'eth0'
option force_link '1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.1.253'
option gateway '192.168.1.1'
# Physical WAN port (eth1) as DHCP client. Nothing in the question says what
# it is connected to; it is placed in the 'wan' firewall zone together with
# wwan (see /etc/config/firewall), so it shares that zone's policies.
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 4'
# Wi-Fi client uplink towards LAN0 / FirstRouter. No 'ifname' here: the
# radio is attached to this interface from /etc/config/wireless, which is not
# shown in the question. defaultroute '0' keeps the DHCP-learned default
# route from replacing the lan 'gateway' above; the question states the lease
# is reserved on FirstRouter so the peer static route to 192.168.0.253
# stays valid.
config interface 'wwan'
option proto 'dhcp'
option defaultroute '0'
Consider that wwan is currently a DHCP client, but its lease is reserved on the FirstRouter DHCP server so that the static route always works.
The firewall setup (created with the LuCI GUI, but reported here as text) is the following:
root@OpenWrt:~# cat /etc/config/firewall
# /etc/config/firewall as posted (indentation lost in the paste).
# Zone layout used below: zone 'lan' = eth0 bridge (LAN1, 192.168.1.0/24);
# zone 'wan' = eth1 + wan6 + wwan, where wwan is the Wi-Fi client link to
# LAN0 (192.168.0.0/24). Rules with src 'wan' therefore also apply to traffic
# arriving from LAN0 over the wireless link.
#
# NOTE(review): the 'wan' zone below has input 'ACCEPT', so every rule in
# this file whose only purpose is to open an INPUT port from 'wan'
# (Allow-DHCP-Renew, Allow-Ping, Allow-IGMP, Allow-DHCPv6, Allow-MLD,
# Allow-ICMPv6-Input, Allow-SSH, Allow-Admin) is redundant: the zone policy
# already accepts everything. The practical consequence is that the router's
# SSH (22) and HTTP admin (80) services are reachable from LAN0 and from
# whatever eth1 is plugged into. If eth1 ever carries an untrusted uplink,
# set the zone input policy back to REJECT and keep only the explicit
# allow rules.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Forward rule (dest '*'): IPv6 ICMP from 'wan' to any zone.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Management services opened on the 'wan' zone (see the NOTE(review) at the
# top: the zone's input policy already accepts these).
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'tcp'
option name 'Allow-SSH'
option family 'ipv4'
option dest_port '22'
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'tcp'
option dest_port '80'
option name 'Allow-Admin'
option family 'ipv4'
# Unnamed forward rules: ESP and UDP/500 (IKE) from 'wan' into 'lan'. Nothing
# else in the question mentions IPsec; if no VPN endpoint lives on LAN1 these
# two can be removed.
config rule
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# The two rules below implement the LAN1 -> LAN0 restriction. Both match in
# the lan -> wan forward direction only, i.e. connections initiated from
# 192.168.1.0/24. Order matters: the ACCEPT for the NAS must come before the
# REJECT, which the question confirms works ("from LAN1 I can ... access
# only 192.168.0.20").
config rule
option target 'ACCEPT'
option src 'lan'
option dest 'wan'
option dest_ip '192.168.0.20'
option proto 'all'
option src_ip '192.168.1.0/24'
option name 'Allow-Forward'
# NOTE(review): this REJECT is the rule the question says breaks
# LAN0 -> LAN1 reachability when enabled. As written it should only affect
# new connections from LAN1; replies to connections opened from LAN0 are
# normally accepted by the firewall's established/related handling before
# zone rules are evaluated. Worth verifying on the box against the generated
# iptables rules (iptables -nvL) whether reply packets really are hitting
# this rule, or whether the reply path from LAN1 hosts does not traverse
# this router at all.
config rule
option src 'lan'
option dest 'wan'
option dest_ip '192.168.0.0/24'
option target 'REJECT'
option name 'OpenWrt-Basic'
option proto 'all'
option src_ip '192.168.1.0/24'
# Global defaults: only 'forward' is REJECT here, but both zones override it
# with their own forward policy below.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
# 'wan' zone covers eth1, wan6 and the wwan Wi-Fi client link. No 'masq'
# option is set, so traffic between LAN0 and LAN1 is routed with real source
# addresses; that is what makes the static routes on FirstRouter and
# SecondRouter work. input 'ACCEPT' is the security-relevant choice here
# (see the NOTE(review) at the top of the file).
config zone
option name 'wan'
option input 'ACCEPT'
option output 'ACCEPT'
option mtu_fix '1'
option network 'wan wan6 wwan'
option forward 'ACCEPT'
config include
option path '/etc/firewall.user'
# Inter-zone forwarding is allowed in both directions; the per-direction
# restriction is carried entirely by the Allow-Forward / OpenWrt-Basic rules
# above.
config forwarding
option dest 'wan'
option src 'lan'
config forwarding
option dest 'lan'
option src 'wan'
With this configuration, from LAN1 I can ping or access only 192.168.0.20, as intended; the problem is that from LAN0 I cannot ping any device with an IP address of 192.168.1.x (apart from 192.168.1.253)!
If I disable the last "OpenWrt-Basic" rule, then I'm able to ping any host on LAN1 from LAN0, but my filter from LAN1 to LAN0 is no longer active either.
Can anyone please help me figure out where the error is?