Help setting up a static route between VLANs please

I need some help setting up a static route between two VLANs using LuCI on OpenWrt 19.07 please.

I have added two VLANs: VLAN 3 is subnet 192.168.3, VLAN 4 is subnet 192.168.4, and the LAN is 192.168.1 on VLAN 1. The VLANs work fine: devices get assigned a DHCP IP address in their subnet, can ping other devices in the subnet, and can access the internet when I set up an appropriate firewall rule.

What I want to do now is create a static route to allow devices in subnet 3 to access one specific device in subnet 4. I've had many goes at doing this but cannot get it to work. I assume I'm missing a step to make this work.

Please can someone advise the steps required to create the static route between VLANs.

Thanks

You don't need any static routes, the routes are already there.
What you are most likely missing is firewall rules.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
3 Likes

Thanks for your help, command output below.

root@OpenWrt:~# ubus call system board; \
> 
{
	"kernel": "4.14.195",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 0 (v7l)",
	"model": "Netgear Nighthawk X4S R7800",
	"board_name": "netgear,r7800",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.4",
		"revision": "r11208-ce6496d796",
		"target": "ipq806x/generic",
		"description": "OpenWrt 19.07.4 r11208-ce6496d796"
	}
}
root@OpenWrt:~# 

root@OpenWrt:~# uci export network; uci export firewall; \
> 
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'    

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option auto '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '1 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5'
	option vid '2'

config interface 'IOT'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.3.1'
	option ifname 'eth1.3'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '0t 2t 3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '4'
	option ports '0t 2t 6t'

config interface 'MEDIA'
	option ifname 'eth1.4'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.4.1'

config route
	option target '192.168.4.0'
	option gateway '192.168.4.1'
	option netmask '255.255.255.0'
	option interface 'IOT'

config route
	option target '192.168.3.0'
	option gateway '192.168.3.1'
	option netmask '255.255.255.0'
	option interface 'MEDIA'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	option forward 'DROP'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'DROP'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

root@OpenWrt:~# 

root@OpenWrt:~# head -n -0 /etc/firewall.user; \
> 
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
root@OpenWrt:~# 
root@OpenWrt:~# 

root@OpenWrt:~# iptables-save -c; \
> 
# Generated by iptables-save v1.8.3 on Mon Nov 16 20:46:58 2020
*nat
:PREROUTING ACCEPT [2425:373322]
:INPUT ACCEPT [375:29046]
:OUTPUT ACCEPT [307:24404]
:POSTROUTING ACCEPT [633:28246]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[2425:373322] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[201:17936] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[1218:261292] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[947:50880] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[3:704] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[314:22634] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[3:704] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[201:17936] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[314:22634] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[314:22634] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[1218:261292] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Mon Nov 16 20:46:58 2020
# Generated by iptables-save v1.8.3 on Mon Nov 16 20:46:58 2020
*mangle
:PREROUTING ACCEPT [7855:4909962]
:INPUT ACCEPT [3938:553926]
:FORWARD ACCEPT [3477:4248265]
:OUTPUT ACCEPT [3620:1034381]
:POSTROUTING ACCEPT [6444:5247254]
[636:33808] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[31:1860] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Nov 16 20:46:58 2020
# Generated by iptables-save v1.8.3 on Mon Nov 16 20:46:58 2020
*filter
:INPUT ACCEPT [573:46752]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [6:1422]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_DROP - [0:0]
[415:38337] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[3527:515797] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[1769:237639] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[29:1740] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[225:19217] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[960:212189] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[3477:4248265] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[2780:4209837] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[43:2708] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[654:35720] -A FORWARD -m comment --comment "!fw3" -j reject
[415:38337] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[3209:997084] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[2559:947421] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[5:1367] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[639:46874] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[601:31708] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[53:4012] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[29:1740] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[5:1367] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[43:2708] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[43:2708] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[225:19217] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[225:19217] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[5:1367] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[5:1367] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[225:19217] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[682:49582] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_DROP -o eth0.2 -m comment --comment "!fw3" -j DROP
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_DROP
[960:212189] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j DROP
[2:64] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[958:212125] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_DROP
[639:46874] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[639:46874] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[958:212125] -A zone_wan_src_DROP -i eth0.2 -m comment --comment "!fw3" -j DROP
COMMIT
# Completed on Mon Nov 16 20:46:58 2020
root@OpenWrt:~# 

root@OpenWrt:~# ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-IOT: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.3.1/24 brd 192.168.3.255 scope global br-IOT
       valid_lft forever preferred_lft forever
9: br-MEDIA: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.4.1/24 brd 192.168.4.255 scope global br-MEDIA
       valid_lft forever preferred_lft forever
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
13: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet xxxxxxxxxxxx/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev eth0.2  src xxxxxxxxxxxx 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
192.168.1.0/24 dev eth0.2 scope link  src xxxxxxxxxxxx
192.168.3.0/24 dev br-IOT scope link  src 192.168.3.1 
192.168.4.0/24 dev br-MEDIA scope link  src 192.168.4.1 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.1 
broadcast 192.168.1.0 dev eth0.2 table local scope link  src xxxxxxxxxxxx 
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1 
local xxxxxxxxxxxx dev eth0.2 table local scope host  src xxxxxxxxxxxx
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1 
broadcast 192.168.1.255 dev eth0.2 table local scope link  src xxxxxxxxxxxx 
broadcast 192.168.3.0 dev br-IOT table local scope link  src 192.168.3.1 
local 192.168.3.1 dev br-IOT table local scope host  src 192.168.3.1 
broadcast 192.168.3.255 dev br-IOT table local scope link  src 192.168.3.1 
broadcast 192.168.4.0 dev br-MEDIA table local scope link  src 192.168.4.1 
local 192.168.4.1 dev br-MEDIA table local scope host  src 192.168.4.1 
broadcast 192.168.4.255 dev br-MEDIA table local scope link  src 192.168.4.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
root@OpenWrt:~# 

A couple of problems:
The wan interface conflicts with lan, they are both using 192.168.1.X/24. You must change one of them.
The static routes are not needed, as I mentioned earlier.
The other two interfaces are not assigned to any firewall zone, hence traffic cannot be forwarded anywhere without the proper forwardings. This can be a global forwarding which applies to the whole zone, like lan->wan, or can be a rule to allow one IP only.
In your case, if you don't want the whole iot to access media, then a firewall rule is enough.

3 Likes

Thanks for your help. I did try creating Firewall traffic rules previously, but couldn't get communication between subnet 3 & 4 to work. However following your advice I have tried again and now have it working, and found why it didn't before.

Previously I tested using ping, but ping, it seems, does not work through a firewall traffic rule (though it does work when the subnets are bridged). I noted there is a predefined traffic rule for ICMPv6 but not for ICMPv4, so this time I tested using SSH and that does work via the traffic rule.

Is there a way to restore ICMPv4?

If you are using protocols TCP+UDP in the rule, ping will not work. For ping to work you also need ICMP.

This should be for wan to device and wan to lan, as IPv6 depends on ICMP6 to operate.

1 Like
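Putting the two answers above together (no static routes are needed; the IOT and MEDIA interfaces must be in firewall zones before any forwarding can happen; and a rule that only lists TCP+UDP will not pass ping, so ICMP has to be added), here is an added example that is not code from this thread or from OpenWrt. It is a Python script that reads the kind of `uci export network; uci export firewall` dump posted earlier, reports the static routes that merely duplicate directly connected subnets and the interfaces no firewall zone covers, and prints the `uci batch` commands that remove those routes, create an `iot` and a `media` zone, and allow IOT to reach a single MEDIA host over TCP, UDP and ICMP. The zone names and the host 192.168.4.10 are assumptions, and `SAMPLE` is a trimmed, constructed copy of the posted config, not the poster's actual values.

```python
# Added example for this thread, not code from the posts above or from OpenWrt.
# Parses a 'uci export network; uci export firewall' dump, flags the two config
# findings made above (static routes into directly connected subnets, interfaces
# in no firewall zone) and prints the uci batch that fixes them, ending with the
# one-host IOT->MEDIA rule with icmp included so ping passes. The zone names and
# 192.168.4.10 are assumptions; SAMPLE is a trimmed, constructed copy of the dump.
import ipaddress
import re

SAMPLE = """\
package network
config interface 'lan'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
config interface 'IOT'
    option ipaddr '192.168.3.1'
    option netmask '255.255.255.0'
config interface 'MEDIA'
    option ipaddr '192.168.4.1'
    option netmask '255.255.255.0'
config route
    option target '192.168.4.0'
    option netmask '255.255.255.0'
    option interface 'IOT'
config route
    option target '192.168.3.0'
    option netmask '255.255.255.0'
    option interface 'MEDIA'
package firewall
config zone
    option name 'lan'
    option network 'lan'
"""

def parse_uci(text):
    """One dict per 'config' section: _package, _type, _name, then its options."""
    sections, package, cur = [], None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("package "):
            package = line.split()[1]
        elif line.startswith("config "):
            parts = line.split() + [None]
            cur = {"_package": package, "_type": parts[1], "_name": (parts[2] or "").strip("'")}
            sections.append(cur)
        elif cur is not None and (m := re.match(r"(option|list)\s+(\S+)\s+'(.*)'", line)):
            kind, key, val = m.groups()
            if kind == "option":
                cur[key] = val
            else:
                cur.setdefault(key, []).append(val)   # 'list' entries accumulate
    return sections

def sections_of(sections, package, stype):
    return [s for s in sections if s["_package"] == package and s["_type"] == stype]

def redundant_routes(sections):
    """(index, interface, target) of static routes into a subnet the router already
    has an address in; the kernel adds that 'scope link' route by itself."""
    connected = {ipaddress.IPv4Interface(f"{s['ipaddr']}/{s['netmask']}").network
                 for s in sections_of(sections, "network", "interface") if "ipaddr" in s and "netmask" in s}
    return [(i, r["interface"], str(t)) for i, r in enumerate(sections_of(sections, "network", "route"))
            if (t := ipaddress.IPv4Network(f"{r['target']}/{r.get('netmask', '32')}")) in connected]

def unzoned_interfaces(sections):
    """Interfaces no zone claims: fw3 builds no chains for them, so nothing is
    forwarded to or from them whatever the routing table says."""
    zoned = set()
    for z in sections_of(sections, "firewall", "zone"):
        nets = z.get("network", [])
        zoned.update(nets if isinstance(nets, list) else nets.split())
    return [s["_name"] for s in sections_of(sections, "network", "interface")
            if s["_name"] not in zoned and s["_name"] != "loopback"]

def remediation(unzoned, routes, src_net, dst_net, dst_host):
    """uci batch lines: drop the redundant routes (highest index first so the
    lower indexes stay valid), give each unzoned interface its own zone with
    forward=REJECT (no inter-VLAN traffic by default) plus a forwarding to wan,
    then allow src_net to reach only dst_host in dst_net over tcp, udp and icmp."""
    cmds = [f"delete network.@route[{i}]" for i, _, _ in sorted(routes, reverse=True)]
    for iface in unzoned:
        zone = iface.lower()   # assumed zone name: interface name in lower case
        cmds += ["add firewall zone", f"set firewall.@zone[-1].name='{zone}'",
                 "set firewall.@zone[-1].input='ACCEPT'", "set firewall.@zone[-1].output='ACCEPT'",
                 "set firewall.@zone[-1].forward='REJECT'", f"set firewall.@zone[-1].network='{iface}'",
                 "add firewall forwarding", f"set firewall.@forwarding[-1].src='{zone}'",
                 "set firewall.@forwarding[-1].dest='wan'"]
    cmds += ["add firewall rule", f"set firewall.@rule[-1].name='Allow-{src_net}-to-{dst_host}'",
             f"set firewall.@rule[-1].src='{src_net.lower()}'", f"set firewall.@rule[-1].dest='{dst_net.lower()}'",
             f"set firewall.@rule[-1].dest_ip='{dst_host}'", "set firewall.@rule[-1].proto='tcp udp icmp'",
             "set firewall.@rule[-1].target='ACCEPT'", "commit network", "commit firewall"]
    return cmds

if __name__ == "__main__":
    secs = parse_uci(SAMPLE)
    routes, unzoned = redundant_routes(secs), unzoned_interfaces(secs)
    print("redundant routes:", routes, "\ninterfaces in no zone:", unzoned)
    # Review the printed commands, then feed them to 'uci batch' on the router
    # and run '/etc/init.d/firewall restart'.
    print("\n".join(remediation(unzoned, routes, "IOT", "MEDIA", "192.168.4.10")))
```

Replace `SAMPLE` with the router's own dump before trusting the output. The new zones accept input the way the default lan zone does, so LuCI and SSH on the router stay reachable from IoT devices; a stricter design sets input to REJECT on the iot zone and adds explicit rules for DHCP (udp 67) and DNS (53). The WAN/LAN address overlap called out above is not something this script can see, because wan is DHCP and its address is not in the uci dump; it shows in `ip -4 route` as 192.168.1.0/24 appearing on both br-lan and eth0.2.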

Yep, OK now, missed the dropdown box previously. Still finding my way around LuCI.

Thanks for your help.

1 Like
