Forwarding between subnets

Hi all, I feel like I should be able to figure this one out on my own, but I'm hitting a wall.

The Setup

I've got OpenWRT running in VirtualBox on an old Mac Pro server with 2 physical ethernet ports. One port is acting as the WAN port and is connected to my ISP's fiber line. The other port is connected to a Unifi nanoHD AP. The virtual machine has 3 virtual ports. The first two are bridged adapters which allow it to directly access the two physical ports on the host machine. The third is a host-only network adapter, connected to the host machine. See the diagram below for addresses and interface names. The host is set up with a static address, and OpenWRT is providing DHCP for the 10.0.1/24 network. The lan and mng interfaces (see network config below) are both in the lan firewall zone, which has forwarding turned on.

Network Diagram

Network config

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'mng'
	option ifname 'eth2'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.0.2.1'

config interface 'lan'
	option proto 'static'
	option ifname 'eth0'
	option ipaddr '10.0.1.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option proto 'dhcp'
	option ifname 'eth1'

What works

  • All devices can connect to the public internet (can ping 8.8.8.8)
  • All devices on either local subnet can ping all router interfaces
  • Devices on the 10.0.1/24 subnet can ping each other
  • OpenWRT can ping all devices on either subnet

What doesn't work

  • Devices on either local subnet can't ping devices on the other local subnet
    • 10.0.2.2 (Mac Pro host) can't ping 10.0.1.2 (Unifi AP) or 10.0.1.150 (Wireless client)
    • 10.0.1.150 (Wireless client) can't ping 10.0.2.2 (Mac Pro host)

I'd think by default that OpenWRT would route requests between the two subnets. It's not a firewall issue, because I can turn the firewall off and the issue persists. What am I missing? (I'd appreciate explanations along with solutions.)

No, you have to add the forwarding rules yourself. And it is done on the firewall configuration.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \

No, you have to add the forwarding rules yourself. And it is done on the firewall configuration.

Correct me if I'm wrong, but I think this is only true if the interfaces are in different firewall zones. In this case, I have the lan and mng interfaces both assigned to the lan firewall zone, and that zone has forwarding turned on.

Thanks for the input. I think the behavior I'm seeing is actually caused by some misconfiguration (or lack of support for the feature) on the host Mac Pro. From System Prefs on that machine, I had set the ethernet ports to mirror the configuration set within OpenWRT:

  • Ethernet 1 (en0) set to manual, with IP 10.0.1.1
  • Ethernet 2 (en1) set to DHCP client

This is actually not required (or recommended, as far as I can tell) for the VBox bridged adapter to work. The bridged adapter simply lets the virtual machine use the physical port, bypassing the host operating system, but does not prevent the host operating system from also using that port. I was able to set Ethernet 1 (en0) to a manual IP of 10.0.1.3, with a gateway of 10.0.1.1, and everything works. 10.0.1.150 can ping 10.0.1.3, and everyone can access the internet.

Now that I could reliably access the host machine again, I tried running pings with Wireshark open there. It's receiving pings to its VBox Host-only interface (10.0.2.2), but not sending replies. I'm not sure why that is, but I don't think there is any issue with OpenWRT or its configuration here.
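A small check for the duplicate-address situation found above, added here as an example (it is not code from the thread or from OpenWRT): it parses the UCI `config interface` blocks posted earlier and compares them with a host's interface settings, flagging a host address that duplicates a router interface and a gateway that is not on the host interface's own subnet. The host interface tuples are constructed from the thread's description.

```python
import re
from ipaddress import ip_interface, ip_address

# Static sections of the UCI network config as posted in the thread.
UCI_NETWORK = """
config interface 'mng'
    option ifname 'eth2'
    option proto 'static'
    option netmask '255.255.255.0'
    option ipaddr '10.0.2.1'
config interface 'lan'
    option proto 'static'
    option ifname 'eth0'
    option ipaddr '10.0.1.1'
    option netmask '255.255.255.0'
config interface 'wan'
    option proto 'dhcp'
    option ifname 'eth1'
"""

def parse_uci_interfaces(text):
    """Return {name: {option: value}} for each 'config interface' section."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*config\s+interface\s+'([^']+)'", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        m = re.match(r"\s*option\s+(\S+)\s+'([^']*)'", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return sections

def router_static_addresses(sections):
    """Map each static interface to an ip_interface (address plus prefix)."""
    return {name: ip_interface(f"{o['ipaddr']}/{o.get('netmask', '255.255.255.255')}")
            for name, o in sections.items()
            if o.get("proto") == "static" and "ipaddr" in o}

def check_host_config(router, host_ifaces):
    """host_ifaces: list of (ifname, 'addr/prefix' or None, gateway or None).
    Returns human-readable findings; an empty list means no conflict."""
    findings = []
    for ifname, addr, gw in host_ifaces:
        if addr is None:          # DHCP client, nothing static to compare
            continue
        host_if = ip_interface(addr)
        for rname, r_if in router.items():
            if host_if.ip == r_if.ip:   # same IP as the router: ARP conflict
                findings.append(f"{ifname}: {host_if.ip} duplicates router interface '{rname}'")
        if gw is not None and ip_address(gw) not in host_if.network:
            findings.append(f"{ifname}: gateway {gw} not in {host_if.network}")
    return findings
```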

sounds like a host firewall issue to me...
