ISP's Router (Public IP - 192.168.1.0/24) AKA 1.0/24
Dev Router (192.168.1.128 - 192.168.100.0/24) AKA 100.0/24
Play Zone Router (192.168.1.127 - 192.168.101.0/24) AKA 101.0/24
And they're connected like this:
ISP's Router -> Internet
Dev Router -> ISP's Router
Play Zone Router -> ISP's Router
Only the Dev router has OpenWrt, and I use it for developing. It has a DMZ from the ISP and some ports open for my web server, while I generally use my ISP's router and the Play Zone one for connecting all my devices (phones, computers, consoles, TVs, etc.).
Currently I have added some services which I'd like to access from my devices without needing to connect to my Dev Router directly, so I added a route from my ISP's router to the Dev Router:
ip route add 192.168.100.0/24 via 192.168.1.128
But every time a device connected to 1.0/24 or 101.0/24 tries to reach my server (192.168.100.32) or LuCI (192.168.100.1), it gets a Timed Out error. But if I disable the firewall through LuCI (System -> Startup -> Firewall -> Stop), the same devices are able to connect to both my server and LuCI without any problem.
The issue with disabling the firewall is the DMZ that I set up in my ISP Router. If I leave the Firewall disabled, I'll leave my entire Dev subnet exposed to the internet, which I don't want to do.
Did you set the DMZ on the ISP router to point to the OpenWrt router? If so, why? What is your intent here?
You could create a set of firewall rules in this order:
Drop connections to 192.168.100.0/24 from 192.168.1.1 (assuming that is the router from which the DMZ traffic would be coming)
Allow connections to 192.168.100.0/24 from 192.168.1.0/24
This should stop the DMZ'd traffic while allowing connections from the .1.0/24 LAN. This should be at the bottom of the firewall rulesets to make sure that you don't stop valid established/related traffic from the upstream router.
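One way to write the two rules above in the Dev router's /etc/config/firewall, as an added example that is not part of the thread. It assumes the Dev router's upstream interface (192.168.1.128) sits in the default 'wan' zone, the 192.168.100.0/24 side is in 'lan', 192.168.1.1 is the ISP router's LAN address, and LuCI listens on TCP 80/443; rules are matched in file order, so the drop comes first.

```uci
# /etc/config/firewall on the Dev router (192.168.100.1).
# Added example, not the thread's own config. Zone names 'wan'/'lan' and the
# ISP router address 192.168.1.1 are assumptions, not taken from the thread.

# 1. Drop anything the ISP router forwards into the Dev subnet via its DMZ.
#    Evaluated first, so it wins over the broader accept below.
config rule
	option name	'Drop-DMZ-from-ISP-router'
	option src	'wan'
	option src_ip	'192.168.1.1'
	option dest	'lan'
	option dest_ip	'192.168.100.0/24'
	option proto	'all'
	option target	'DROP'

# 2. Allow the rest of the ISP LAN (1.0/24) to reach hosts in 100.0/24,
#    e.g. the web server at 192.168.100.32. Devices behind the Play Zone
#    router appear as 192.168.1.127 if that router NATs them (assumed).
config rule
	option name	'Allow-ISP-LAN-to-Dev'
	option src	'wan'
	option src_ip	'192.168.1.0/24'
	option dest	'lan'
	option dest_ip	'192.168.100.0/24'
	option proto	'all'
	option target	'ACCEPT'

# 3. LuCI at 192.168.100.1 is the router itself, so that traffic hits the
#    wan zone's INPUT chain, not FORWARD. A rule without 'dest' covers input.
#    Ports 80/443 are assumed to be where LuCI (uhttpd) is listening.
config rule
	option name	'Allow-ISP-LAN-to-LuCI'
	option src	'wan'
	option src_ip	'192.168.1.0/24'
	option proto	'tcp'
	option dest_port	'80 443'
	option target	'ACCEPT'
```

These rules leave the wan zone's default forward/input policies untouched, so only the listed local sources get through while DMZ-forwarded traffic still only reaches whatever port forwards you define explicitly; apply them with `/etc/init.d/firewall restart` and confirm with `fw4 print` (or `fw3 print` on older releases) that the drop rule is listed before the accept.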
Did you set the DMZ on the ISP router to point to the OpenWrt router? If so, why? What is your intent here?
Yes, because I have almost no control over my ISP router (I was lucky to set some routing rules). In fact, I shouldn't have opened ports in the first place, but I was able to find a hacky way to do it, and I enabled the DMZ so I don't have to open up my ISP router every time I need to modify a port (and I do that a lot).
You could create a set of firewall rules in this order
I tried to add those lines in Traffic rules, but it doesn't work. It still gives me Timed Out every time I want to connect from outside to 100.1/24.
Even if I set the allowing rule at the top (or at the bottom) of everything, it won't let me through.
Not sure what happened. I tried every possible configuration without success.
Then, bored with this, I just did a factory reset and tested with the default settings. After a while, I got it working correctly by just allowing forward traffic in the Firewall's general settings and leaving everything else at default.
After that I just needed to add my forward rules and psherman's traffic rules so I can control the traffic coming from the DMZ while allowing anything else coming from my local networks.