Forwarding between two LANs

Hello.

I have a router set up on a PC, I have 3 network cards.

In OpenWrt I have 3 network interfaces: one WAN with the eth2 device assigned, and two LAN interfaces (LAN1 and LAN2), each with a bridge device assigned. Each bridge is assigned a separate network device.
The LAN interfaces have zones assigned in the firewall and DHCP enabled.
I have two hosts connected to the router and each host gets an IP address appropriate for its LAN.
The hosts have connectivity (can ping) to the internet and to the LAN1 and LAN2 addresses.

My problem is that I can't get traffic forwarding from one LAN to the other LAN, and vice versa, to work.

I can't get it working either by changing the firewall zones or by changing the firewall rules.

I would like to say that my attempts were made on versions 22.03 and 21.02, on a freshly installed system with no other changes.

I'd like to say that I did a few tries in a VM and it worked every time.

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdef:90a8:2e0c::/48'

config device
        option name 'br-lan1'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.9.1.1'
        option device 'br-lan1'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth2'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth2'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'lan2'
        option proto 'static'
        option ipaddr '10.9.2.1'
        option netmask '255.255.255.0'
        option device 'br-lan2'

config device
        option type 'bridge'
        option name 'br-lan2'
        list ports 'eth1'

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'lan1'
        list network 'lan1'
        option log '1'
        option log_limit '1000'

config zone
        option name 'lan2'
        list network 'lan2'
        option log '1'
        option log_limit '1000'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option forward 'REJECT'
        option mtu_fix '1'
        option log '1'
        option log_limit '1000'
        option output 'ACCEPT'
        option masq '1'

config forwarding
        option dest 'wan'
        option src 'lan1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option proto 'esp'
        option target 'ACCEPT'
        option dest 'lan1'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option dest 'lan1'

config forwarding
        option src 'lan1'
        option dest 'lan2'

config forwarding
        option src 'lan2'
        option dest 'wan'

config forwarding
        option src 'lan2'
        option dest 'lan1'

I would also like to add:
If the host in the LAN2 network is not physically connected, the host in the LAN1 network receives this reply to the ping:
"Reply from 10.9.1.1 Destination host unreachable."

If the host in the LAN2 network is physically connected, the host in the LAN1 network receives this reply to the ping:
"Request timed out."

Regards
Jarek
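A quick way to check what the zone configuration above actually permits, before opening more rules, is to read the forwarding matrix straight out of /etc/config/firewall. The script below is an added example and is not from the thread or from OpenWrt itself; the function names (sample_firewall, forward_allowed) are my own, and the embedded config is a trimmed copy of the one posted above. It models the two OpenWrt zone rules that matter here: traffic between networks in the same zone follows that zone's own 'option forward' policy, while traffic between different zones needs an explicit, directional 'config forwarding' section (a zone with no 'option forward' is treated as not accepting, which is an assumption; every zone on this page sets it explicitly). Run against the posted config it reports lan1->lan2 and lan2->lan1 as allowed, so the router's zone setup is not what is blocking the ping.

```shell
#!/bin/sh
# Added example (not from the thread): audit the zone forwarding matrix of an
# OpenWrt /etc/config/firewall. UCI text is read on stdin; the result
# ("allowed", "denied" or "unknown-zone") is printed on stdout.

# Constructed sample: a trimmed copy of the firewall config posted in the thread.
sample_firewall() {
cat <<'EOF'
config defaults
        option forward 'REJECT'

config zone
        option name 'lan1'
        list network 'lan1'
        option forward 'ACCEPT'

config zone
        option name 'lan2'
        list network 'lan2'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option forward 'REJECT'
        option masq '1'

config forwarding
        option dest 'wan'
        option src 'lan1'

config forwarding
        option src 'lan1'
        option dest 'lan2'

config forwarding
        option src 'lan2'
        option dest 'wan'

config forwarding
        option src 'lan2'
        option dest 'lan1'
EOF
}

# forward_allowed SRC_ZONE DST_ZONE  (config on stdin)
#   same zone      -> that zone's 'option forward' policy decides
#   different zones -> needs a 'config forwarding' with matching src AND dest
#   anything else   -> falls to the global default, i.e. not forwarded
forward_allowed() {
    tr -d "'" | awk -v src="$1" -v dst="$2" '
        # Close the section that just ended and record what it declared.
        function flush() {
            if (sec == "zone" && zname != "") zfwd[zname] = fwd
            if (sec == "forwarding" && fsrc != "" && fdst != "") pair[fsrc "->" fdst] = 1
        }
        $1 == "config" { flush(); sec = $2; zname = ""; fsrc = ""; fdst = ""; fwd = "" }
        $1 == "option" && $2 == "name"    && sec == "zone"       { zname = $3 }
        $1 == "option" && $2 == "forward" && sec == "zone"       { fwd = $3 }
        $1 == "option" && $2 == "src"     && sec == "forwarding" { fsrc = $3 }
        $1 == "option" && $2 == "dest"    && sec == "forwarding" { fdst = $3 }
        END {
            flush()
            if (!(src in zfwd) || !(dst in zfwd)) { print "unknown-zone"; exit 2 }
            if (src == dst) {
                res = (zfwd[src] == "ACCEPT") ? "allowed" : "denied"
            } else {
                res = ((src "->" dst) in pair) ? "allowed" : "denied"
            }
            print res
        }'
}

# Demo: print the pairs that matter for the thread. On a real router replace
# "sample_firewall |" with "cat /etc/config/firewall |".
for p in "lan1 lan2" "lan2 lan1" "lan1 wan" "wan lan1" "lan1 lan1" "wan wan"; do
    set -- $p
    printf '%s -> %s: %s\n' "$1" "$2" "$(sample_firewall | forward_allowed "$1" "$2")"
done
```

The useful reading of the output is the asymmetry: lan1->wan is allowed while wan->lan1 is denied, which is exactly the directional behaviour of 'config forwarding'. When both LAN directions already show "allowed", as they do for this config, the next place to look is the path beyond the router (here, the Windows host firewall), not more firewall rules.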

You have already:

Correct.

Did you enable Ping thru the firewall on the client in LAN2?

Yes.
Both hosts respond to the ping if they are connected to the same network, or when the ping is sent from the router's console.

The router's firewall policy is left at the default - it has no effect on traffic forwarding. Adding extra rules to allow every move, on every interface, in every direction doesn't solve my problem.

Ummmm, OK - I understand your response.

  • Is it a Windows client?
  • Is there a reason you made bridges on the Ethernet ports - since you haven't connected 2 interfaces?

Both hosts are Windows.

Bridge is because there will be more network cards in the future.
However, the router behaves the same (does not forward traffic between interfaces) regardless of whether a bridge or a plain device is connected (assigned) to the interface.

Ultimately, I want to create two separate networks - a trusted network and a guest network.
WiFi AP is UniFi AP.
The guest network will work on the VLAN.

As an administrator, I want access from a trusted network to devices in the guest network.

For now, I do all the tests on additional hardware. I'm sure I'll soon be using hardware from a working network - of course I want to avoid that.

Test with firewall disabled.

???

This is the OpenWrt device?

(I don't recall an AP being mentioned until now.)


I mean Ubiquiti UniFi AP.

Thank you very much.
You're right. The traffic was blocked by the firewall on Windows.

Now it seems so simple.

When the hosts were on the same network, the Windows firewall did not block the traffic - simple.
The reply also matters a lot now - host unavailable versus request timed out - another good hint.

I did some testing in a VM, but there the client hosts are Ubuntu and apparently the firewall was disabled.

Sorry, I had to check everything.
It's been a while since your reply.

Nerves and stress caused me to overlook the firewall.

Thank you very much once again, lleachii.
