Forward traffic between interfaces in router

I have two OpenWrt routers. Let's call them A and B. They both have the same /etc/config/network configuration (with different IPs on int and int2):

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd82:87e2:dd94::/48'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'

config interface 'int'
        option ifname 'eth1'
        option proto 'static'
        option ipaddr '172.16.1.10'
        option netmask '255.255.255.0'

config interface 'int2'
        option ifname 'eth2'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

Interface wan allows Internet access, int is the interface that connects to router B physically and int2 corresponds to the client's network (it is the gateway for client stations).

On the /etc/config/firewall file, router A has the following configuration, which allows it to forward traffic from interface int2 to wan (so clients can have Internet access):

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config zone
        option name             int2
        list   network          'int2'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             int
        list   network          'int'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config forwarding
        option src              wan
        option dest             int2

config forwarding
        option src              int2
        option dest             wan

Now, I was trying to make an "experiment" where, in router A, I would forward clients' traffic from int2 to int, conducting it to router B, and once on router B, it would forward it to the Internet (while still forwarding its own clients' traffic to the Internet).

To make this possible, I updated the previous forward configuration lines in the /etc/config/firewall file in router A to:

config forwarding
        option src              int
        option dest             int2

config forwarding
        option src              int2
        option dest             int

so that the traffic would be redirected to router B. And in router B:

config forwarding
        option src              wan
        option dest             int2

config forwarding
        option src              int2
        option dest             wan

config forwarding
        option src              int
        option dest             wan

config forwarding
        option src              wan
        option dest             int

However, this setup is not working and A's clients cannot access the Internet through router B, and I don't understand why. Do I need an extra firewall configuration?
When I tcpdump -i eth2 in router A it shows the clients' traffic, but when I do tcpdump -i eth1, no traffic is displayed.

Quick answer -- your upstream router needs a static route for the subnet behind the second router via the second router's "WAN" IP. You don't need NAT on the second router.

If you want an explanation of why that is the case, just ask.

3 Likes

@jeff I added, on router A, at the end of /etc/config/network:

config route
    option interface 'int'
    option target '0.0.0.0'
    option netmask '255.255.255.0'
    option gateway '172.16.1.20'

and rebooted. Now:

No internet access from client. I also did:

config route
    option interface 'int'
    option target '10.0.2.0'
    option netmask '255.255.255.0'
    option gateway '172.16.1.20'

10.0.2.0 being the network associated with the WAN interface in B.
Still no Internet access from the client... Am I doing it right?

I'm a bit confused by the "second router" and "upstream router" meanings. If the upstream router is A and second router B, I cannot create a static route via an interface IP that router A does not know (the eth0 - wan interface of B).

Also, you're saying I don't need NAT, but I cannot turn off NAT in B, because it is still serving its own clients...

@jeff I did a small test.

router A: tcpdump on the int interface (the one connected to router B).
router B: tcpdump on the int and wan interfaces.

A client connected to the interface int2 in router A started pinging router B's wan interface and, well, all ICMP requests reach the wan interface of B.

Surprisingly enough, ICMP replies are captured in that same wan interface. However, these replies never leave router B, because the tcpdump of int only captures the ICMP requests, never the replies.

The configuration is exactly as I wrote in the question.

I really need help, please. I've been stuck for a week now :confused:

To make sure we're talking with the same names:

  • Router A
    • WAN port connected to your ISP
  • Router B
    • WAN port connected to Router A

Now, a very important thing to remember:

NAT is not a firewall

NAT is an IPv4 "hack" because there aren't enough IPv4 addresses to go around. Yes, I remember the days when a "twenty-eight-eight" dial-up line got you a half Class C block, but my hair wasn't gray back then.

Yes, NAT restricts incoming connections, but again NAT is not a firewall.

The only place you need NAT is at your connection to the ISP.

As I understand your goals, you'd like to have:

  • Two subnets, one off Router A and one off Router B
  • Clients of Router A can reach the Internet
  • Clients of Router B can reach the Internet
  • Clients of Router A can reach clients of Router B and vice-versa

This is a "bone-stock" router configuration.

First, deal with Router A:

  • WAN configured as needed for your ISP; let's say its DHCP provides:
    • 203.0.113.113/24 IP
    • 203.0.113.1 default route
  • WAN with NAT ("masquerade") enabled as this is your border
  • LAN configured for
    • 192.168.1.1/24
    • Offering DHCP, if desired; otherwise clients need a default route of 192.168.1.1

Now:

  • Router A can reach the Internet by virtue of its default route via 203.0.113.1 with a source address of 203.0.113.113
    • Return packets addressed to 203.0.113.113 are accepted
  • Router A's clients can reach the Internet by virtue of the same default route, with NAT on the WAN interface altering the source address to 203.0.113.113
    • Return packets addressed to 203.0.113.113 with NAT-table entries are re-addressed to the client's IP
    • And then forwarded to the client directly from the LAN interface by virtue of the link-local route that is created when the interface is brought up

Now, deal with Router B:

  • WAN configured as a static-addressed client of Router A's LAN:
    • 192.168.1.2/24 IP
    • 192.168.1.1 default route
    • Disable NAT!
  • LAN configured for
    • 10.0.0.1/24
    • Offering DHCP, if desired; otherwise clients need a default route of 10.0.0.1

Now, in addition:

  • Router B can reach the Internet by virtue of its default route via 192.168.1.1 with a source address of 192.168.1.2
  • Router B can reach all clients of Router A [1] by virtue of the link-local route related to Router A's WAN interface
  • Router B's clients can reach Router A's clients as they have a default route via 10.0.0.1
    • Return packets from Router A's clients go to their default gateway, 192.168.1.1
    • And Router A sends them to 203.0.113.1 as it doesn't have a more-specific route for 10.0.0.0/24 -- oops

So, fix Router A:

  • Add a static route for 10.0.0.0/24 via 192.168.1.2

Now Router A "knows about" 10.0.0.0/24 being "special" and that Router B at 192.168.1.2 will handle it from there.

Now everything should work:

Router A <=> rest of world (ROW):

  • 203.0.113.113 => 8.8.8.8 -- goes out Router A WAN to 203.0.113.1
  • 8.8.8.8 => 203.0.113.113 -- comes in WAN

Client A <=> rest of world (ROW):

  • 192.168.1.100 => 8.8.8.8 -- goes to Router A LAN
  • 192.168.1.100 => 8.8.8.8 -- starts to leave Router A WAN to 203.0.113.1, but gets NAT-ed to
  • 203.0.113.113 => 8.8.8.8 -- goes out Router A WAN
  • 8.8.8.8 => 203.0.113.113 -- comes in Router A WAN, and gets un-NAT-ed to
  • 8.8.8.8 => 192.168.1.100 -- goes out Router A LAN to 192.168.1.100

Client B <=> rest of world (ROW):

  • 10.0.0.200 => 8.8.8.8 -- goes to Router B LAN
  • 10.0.0.200 => 8.8.8.8 -- leaves Router B WAN for Router A LAN
  • 10.0.0.200 => 8.8.8.8 -- comes in Router A LAN
  • 10.0.0.200 => 8.8.8.8 -- starts to leave Router A WAN to 203.0.113.1, but gets NAT-ed to
  • 203.0.113.113 => 8.8.8.8 -- goes out Router A WAN
  • 8.8.8.8 => 203.0.113.113 -- comes in Router A WAN, and gets un-NAT-ed to
  • 8.8.8.8 => 10.0.0.200 -- goes out Router A LAN to Router B WAN
  • 8.8.8.8 => 10.0.0.200 -- comes in Router B WAN
  • 8.8.8.8 => 10.0.0.200 -- goes out Router B LAN to 10.0.0.200

(The client-to-client paths also work, though don't be surprised if you see ICMP redirects suggesting that Client A go direct to 192.168.1.2 for the next-hop destination.)

[1] Putting aside client isolation with 802.11, which is a completely different thing.

3 Likes
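To see the "oops" step and the fix in action, here is an added example, written for this thread and not taken from the forum post or from OpenWrt itself. It is a small Python model of the packet walk-through above: each node has connected routes, a longest-prefix-match routing table and, on Router A's WAN only, masquerade with a state table; links resolve the next hop by address, as ARP would. The addresses are the ones used in the answer (203.0.113.0/24 towards the ISP, 192.168.1.0/24 off Router A, 10.0.0.0/24 off Router B); the `Node`, `Topology`, `trace`, `round_trip` and `build` names are constructed for this illustration and the NAT table keeps one flow per remote host, which is all the walk-through needs.

```python
from ipaddress import ip_address, ip_interface, ip_network

MAX_HOPS = 8  # loop guard standing in for the IP TTL


class Node:
    """A host or router: addressed interfaces, a routing table, optional masquerade (constructed model)."""

    def __init__(self, name, ifaces, masq_iface=None):
        self.name = name
        self.ifaces = {i: ip_interface(a) for i, a in ifaces.items()}
        # Connected routes appear when an interface comes up (the "link-local route" in the answer).
        self.routes = [(a.network, i, None) for i, a in self.ifaces.items()]
        self.masq_iface = masq_iface  # interface where source NAT is applied, if any
        self.nat = {}                 # remote address -> original inside source (one flow per remote)

    def add_route(self, cidr, iface, gateway=None):
        gw = ip_address(gateway) if gateway else None
        self.routes.append((ip_network(cidr), iface, gw))

    def lookup(self, dst):
        """Longest-prefix match over the routing table; None means no route."""
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None

    def is_local(self, addr):
        return any(addr == a.ip for a in self.ifaces.values())


class Topology:
    """Links join (node, iface) pairs; a next hop is resolved on the shared link, as ARP would."""

    def __init__(self):
        self.links = []

    def link(self, *ends):
        self.links.append(list(ends))

    def neighbour(self, node, iface, addr):
        for ends in self.links:
            if (node, iface) in ends:
                for n, i in ends:
                    if n.ifaces[i].ip == addr:
                        return n, i
        return None


def trace(topo, node, src, dst, in_iface=None, log=None):
    """Forward one packet hop by hop. Returns (delivering node or None, src as last seen, log)."""
    log = [] if log is None else log
    src, dst = ip_address(src), ip_address(dst)
    for _ in range(MAX_HOPS):
        # A reply arriving on the masquerading interface is mapped back to the inside address.
        if node.masq_iface and in_iface == node.masq_iface and node.is_local(dst) and src in node.nat:
            dst = node.nat[src]
            log.append(f"{node.name}: un-NAT-ed to {src} => {dst}")
        if node.is_local(dst):
            log.append(f"{node.name}: {src} => {dst} delivered locally")
            return node, src, log
        route = node.lookup(dst)
        if route is None:
            log.append(f"{node.name}: no route to {dst}, dropped")
            return None, src, log
        net, out_iface, gw = route
        if out_iface == node.masq_iface:  # leaving the border: masquerade and remember the flow
            node.nat[dst] = src
            src = node.ifaces[out_iface].ip
            log.append(f"{node.name}: NAT-ed to {src} => {dst}")
        next_hop = dst if gw is None else gw
        log.append(f"{node.name}: {src} => {dst} out {out_iface} (route {net}) next hop {next_hop}")
        hop = topo.neighbour(node, out_iface, next_hop)
        if hop is None:
            log.append(f"{node.name}: next hop {next_hop} not on {out_iface}, dropped")
            return None, src, log
        node, in_iface = hop
    log.append("hop limit exceeded")
    return None, src, log


def round_trip(topo, client, dst):
    """Send from the client to dst and, if it arrives, send the reply back. Returns (ok, log)."""
    src = next(iter(client.ifaces.values())).ip
    server, seen_src, log = trace(topo, client, src, dst)
    if server is None:
        return False, log
    back, _, log = trace(topo, server, dst, seen_src, log=log)  # server replies to the address it saw
    return back is client, log


def build(static_route_on_a):
    """The answer's topology: Internet <-> Router A (NAT) <-> Router B (no NAT) <-> Client B."""
    internet = Node("Internet", {"isp": "203.0.113.1/24", "core": "8.8.8.8/32"})
    a = Node("Router A", {"wan": "203.0.113.113/24", "lan": "192.168.1.1/24"}, masq_iface="wan")
    a.add_route("0.0.0.0/0", "wan", "203.0.113.1")
    b = Node("Router B", {"wan": "192.168.1.2/24", "lan": "10.0.0.1/24"})  # NAT disabled on B
    b.add_route("0.0.0.0/0", "wan", "192.168.1.1")
    client_a = Node("Client A", {"eth0": "192.168.1.100/24"})
    client_a.add_route("0.0.0.0/0", "eth0", "192.168.1.1")
    client_b = Node("Client B", {"eth0": "10.0.0.200/24"})
    client_b.add_route("0.0.0.0/0", "eth0", "10.0.0.1")
    if static_route_on_a:
        a.add_route("10.0.0.0/24", "lan", "192.168.1.2")  # the one-line fix from the answer
    topo = Topology()
    topo.link((internet, "isp"), (a, "wan"))
    topo.link((a, "lan"), (b, "wan"), (client_a, "eth0"))
    topo.link((b, "lan"), (client_b, "eth0"))
    return topo, client_a, client_b


if __name__ == "__main__":
    for fixed in (False, True):
        topo, _, client_b = build(fixed)
        ok, log = round_trip(topo, client_b, "8.8.8.8")
        print(f"\nstatic route on Router A: {fixed} -> Client B round trip {'works' if ok else 'FAILS'}")
        print("\n".join(log))
```

Run it as a script and compare the two logs. Without the route, Client B's request is masqueraded and answered, but the un-NAT-ed reply for 10.0.0.200 matches nothing more specific than Router A's default route, so it heads back out the WAN and the ISP side drops it. With the route, the same reply goes out Router A's LAN to 192.168.1.2 and Router B delivers it from its connected route. In /etc/config/network terms that is a `config route` on Router A's LAN interface with target 10.0.0.0, netmask 255.255.255.0 and gateway 192.168.1.2, the same shape as the route tried earlier in the thread but pointing at the subnet behind Router B rather than at its WAN network.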

Thank you so much for your time. I will read everything soon and get back to you when everything is working.

However, the wan ports are not as you described first. I made a diagram (should have done this before). The red arrows represent the communication flow I'm trying to obtain (otherwise, client1 would simply access the Internet through router A).

If the configurations in your answer apply to this diagram, please tell me and I will start doing everything as you said. Otherwise, please tell me what the important changes to your answer are (or change it yourself, if you don't mind).

As you said it was an "experiment", I'd suggest working through packet flow yourself. Remember that at each point, the router needs to know where to send the packet next, either direct or to another router that then knows what to do next. (Don't get confused by the IP addresses on the packet, and the next-hop, which is addressed using the MAC of the device, not its IP address.)

1 Like