Get Internet connection to a subnet over a standard router as next hop

Hey Guys,

I'm building a test lab with a newly flashed Asus RT-85P with OpenWrt 22.03.03 running.

Now I want to connect my server network with the Internet. But even though I set the IPv4 gateway to 192.168.0.1 and set a static DNS server, there is still no connection to the Internet.

I think I have to define some routes and maybe define firewall rules. I'm pretty new to this, so maybe you can tell me how I can move forward to make the Internet work in the server network?

To mention: I can't define routes on the home router. This is a really basic router from an Internet company. I can't change the settings, because I'm living in a shared flat.

This is how my test lab looks:

Thx for help.

Provide /etc/config/network please

  • I assume you set this on the OpenWrt WAN settings?
  • If so, FYI DHCP should have worked by default on the WAN, and you would have received an IP in the 192.268.0.x range from your standard router

Hey, yes, you're right, I received the IP address 192.168.0.30 on WAN.

Yes, I set this in the OpenWrt settings:

Here is my /etc/config/network

As I said, the client network is not yet implemented; working on the server side right now.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd7e:fc5a:ef1f::/48'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'Server'
        option proto 'static'
        option device 'server'
        option ipaddr '10.0.100.1'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'
        option broadcast '10.0.100.255'

config device
        option name 'server'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

This is invalid, remove.

  • (As I noted, your gateway is on WAN)
  • (It's invalid to have a gateway/router address that exists in another subnet.)

Removed it, still no Internet connection :slight_smile: No ping going outside :slight_smile: No ping possible from 10.0.100.2 (Administrator Computer) to 192.168.0.1.

Now /etc/config/network looks like this:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd7e:fc5a:ef1f::/48'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'Server'
        option proto 'static'
        option device 'server'
        option ipaddr '10.0.100.1'
        option netmask '255.255.255.0'
        option broadcast '10.0.100.255'

config device
        option name 'server'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

The reply should be "Host Destination" unreachable, not "Port".

Do tracert 8.8.8.8

What about /etc/config/firewall

???

(A lot of this works by default, but it seems you changed the name "LAN" to "Server" and made custom configs. Perhaps the firewall isn't set up properly. :thinking: )

Yeah, I changed it because, as you see in my picture above, I want to have two networks, one for clients and one for the servers. I'm a trainee in IT and am building a small office as a lab so I get familiar with how things work.

Tracert didn't find any next hop.

On the OpenWrt router, ping is working to the next hop and to Google DNS 8.8.8.8.

So there should be something wrong in the firewall.

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Yep. Thanks for that screenshot, it confirms the cause of the issue.

  • I assume this means you erased it and set it up yourself to learn (editing LAN works too)

In any case, it seems "Server" interface isn't added to a firewall zone - hence no rule exists allowing Server-to-WAN. Place in LAN zone and the forwarding LAN to WAN rule will work, and your Internet should work on Server interface/network.

or

  • Make a new zone (e.g. name is "server" too)
  • Add interface "server" to it
  • Edit Zone to Allow forwarding from Server Zone to WAN Zone
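
An added example (not from the thread or the OpenWrt project): a small Python check that cross-references /etc/config/network with /etc/config/firewall and flags any interface that no zone covers, which is the condition diagnosed above. The function names and the trimmed sample configs are constructed for illustration; it goes slightly beyond the thread by also flagging a zone that has no forwarding to wan.

```python
import re

def parse_uci(text):
    """Parse UCI text into sections {'type', 'name', 'opts'}; every value is a list."""
    sections = []
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"config\s+(\S+)(?:\s+'([^']*)')?", line):
            sections.append({"type": m[1], "name": m[2], "opts": {}})
        elif (m := re.match(r"(?:option|list)\s+(\S+)\s+'([^']*)'", line)) and sections:
            sections[-1]["opts"].setdefault(m[1], []).extend(m[2].split())
    return sections

def audit(network_text, firewall_text, wan_zone="wan"):
    """Map each non-loopback interface to 'ok', 'no zone' or 'no forwarding to wan'."""
    fw = parse_uci(firewall_text)
    zone_of = {net: s["opts"]["name"][0] for s in fw if s["type"] == "zone"
               for net in s["opts"].get("network", [])}
    forwards = {(s["opts"]["src"][0], s["opts"]["dest"][0])
                for s in fw if s["type"] == "forwarding"}
    report = {}
    for s in parse_uci(network_text):
        if s["type"] == "interface" and s["name"] != "loopback":
            zone = zone_of.get(s["name"])
            ok = zone == wan_zone or (zone, wan_zone) in forwards
            report[s["name"]] = "ok" if ok else "no forwarding to wan" if zone else "no zone"
    return report

# Constructed sample input, trimmed from the posted configs to the fields the check reads.
NETWORK = "config interface 'loopback'\nconfig interface 'wan'\nconfig interface 'Server'\n"
FW_POSTED = """
config zone
    option name 'lan'
config zone
    option name 'wan'
    list network 'wan'
config forwarding
    option src 'lan'
    option dest 'wan'
"""
# Second option from the answer: a dedicated zone (named 'server') forwarding to wan.
FW_FIXED = FW_POSTED + """
config zone
    option name 'server'
    list network 'Server'
config forwarding
    option src 'server'
    option dest 'wan'
"""

if __name__ == "__main__":
    print(audit(NETWORK, FW_POSTED), audit(NETWORK, FW_FIXED))
```

With the posted firewall config the 'Server' interface is reported as "no zone", so its traffic falls under the default forward policy of REJECT; with the added zone and forwarding it is reported as "ok".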

Yep, found the option. Just added server as a converged network. Sorry, I'm a noob and these are my first steps in OpenWrt. Thanks for the help.