Hello,
I've got two interfaces; I'd like to be able to route between the two, but I can't get it working. Below are my details:
Interface 1:
IP: 192.168.16.250
Subnet: 255.255.255.0
Interface 2:
IP: 192.168.2.1
Subnet: 255.255.255.0
I've put them both into the same firewall zone (LAN). I thought if I set up a static route on the OpenWrt router for both IPs it might work, but I didn't have any luck.
Let me know if you need any more details, many thanks.
trendy
October 15, 2019, 9:18am
You don't need anything special the way you implemented it.
There are routes because the interfaces are directly connected.
And the default policy for forwarding in LAN firewall zone is allowed.
Post here the following if you still have issues:
uci show network; uci show firewall; ip -4 addr; ip -4 ro; ip -4 ru
Make sure that hosts in both networks use the OpenWrt as gateway.
I've got a Coova Chilli captive portal running on interface 2, so the IPs I'm getting are actually different from the ones I've set up on the interface. I think this is probably why I'm not able to get them talking?
Interface 2 (after I connect to the wifi):
IP range: 192.168.176.1-255
Subnet: 255.255.240.0
DG: 192.168.182.1
Here's uci show network:
root@OpenWrt:~# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd85:488a:848d::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.2.1'
network.lan.netmask='255.255.255.0'
network.lan.gateway='192.168.2.1'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='static'
network.wan.dns='8.8.8.8'
network.wan.ipaddr='195.224.172.24'
network.wan.netmask='255.255.255.248'
network.wan.gateway='195.224.172.23'
network.wan_dev=device
network.wan_dev.name='eth0.2'
network.wan_dev.macaddr='68:ff:7b:0e:57:7b'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 0t'
network.@switch_vlan[2]=switch_vlan
network.@switch_vlan[2].device='switch0'
network.@switch_vlan[2].vlan='3'
network.@switch_vlan[2].ports='4 5 0t'
network.@switch_vlan[3]=switch_vlan
network.@switch_vlan[3].device='switch0'
network.@switch_vlan[3].vlan='4'
network.@switch_vlan[3].ports='3 0t'
network.AdminLAN=interface
network.AdminLAN.proto='static'
network.AdminLAN.netmask='255.255.255.0'
network.AdminLAN.ifname='eth0.3'
network.AdminLAN.type='bridge'
network.AdminLAN.ipaddr='192.168.16.250'
network.AdminLAN.gateway='192.168.16.250'
network.GuestLAN=interface
network.GuestLAN.proto='static'
network.GuestLAN.netmask='255.255.255.0'
network.GuestLAN.ifname='eth0.4'
network.GuestLAN.type='bridge'
network.GuestLAN.ipaddr='192.168.0.250'
network.GuestLAN.gateway='192.168.0.250'
network.@route[0]=route
network.@route[0].interface='AdminLAN'
network.@route[0].target='192.168.16.25'
network.@route[0].gateway='192.168.16.250'
Here's uci show firewall:
root@OpenWrt:~# uci show firewall
firewall.@rule[0]=rule
firewall.@rule[0].src='GuestWanOut'
firewall.@rule[0].name='Block GuestLan to ALAN'
firewall.@rule[0].proto='all'
firewall.@rule[0].dest='lan'
firewall.@rule[0].target='REJECT'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-DHCP-Renew'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='udp'
firewall.@rule[1].dest_port='68'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].family='ipv4'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-Ping'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='icmp'
firewall.@rule[2].icmp_type='echo-request'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-IGMP'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='igmp'
firewall.@rule[3].family='ipv4'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-DHCPv6'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='udp'
firewall.@rule[4].src_ip='fc00::/6'
firewall.@rule[4].dest_ip='fc00::/6'
firewall.@rule[4].dest_port='546'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-MLD'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].src_ip='fe80::/10'
firewall.@rule[5].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Input'
firewall.@rule[6].src='wan'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-ICMPv6-Forward'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='*'
firewall.@rule[7].proto='icmp'
firewall.@rule[7].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[7].limit='1000/sec'
firewall.@rule[7].family='ipv6'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-IPSec-ESP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].proto='esp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-ISAKMP'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest='lan'
firewall.@rule[9].dest_port='500'
firewall.@rule[9].proto='udp'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[10]=rule
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].src='wan'
firewall.@rule[10].proto='tcp'
firewall.@rule[10].dest_port='80'
firewall.@rule[10].name='AllowWebWAN'
firewall.@rule[10].src_ip='94.30.31.4'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='AdminLAN lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].forward='REJECT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].name='iPECS UCP100'
firewall.@redirect[0].dest_ip='192.168.16.100'
firewall.@redirect[0].dest_port='444'
firewall.@redirect[0].src_dport='444'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].proto='udp'
firewall.@redirect[1].src_dport='5060'
firewall.@redirect[1].dest_port='5060'
firewall.@redirect[1].name='5060'
firewall.@redirect[1].dest_ip='192.168.16.100'
firewall.@redirect[2]=redirect
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].proto='udp'
firewall.@redirect[2].src_dport='5588'
firewall.@redirect[2].dest_port='5588'
firewall.@redirect[2].name='5588'
firewall.@redirect[2].dest_ip='192.168.16.100'
firewall.@redirect[3]=redirect
firewall.@redirect[3].target='DNAT'
firewall.@redirect[3].src='wan'
firewall.@redirect[3].dest='lan'
firewall.@redirect[3].proto='udp'
firewall.@redirect[3].src_dport='6254'
firewall.@redirect[3].dest_port='6254'
firewall.@redirect[3].name='6254'
firewall.@redirect[3].dest_ip='192.168.16.100'
firewall.@redirect[4]=redirect
firewall.@redirect[4].target='DNAT'
firewall.@redirect[4].src='wan'
firewall.@redirect[4].dest='lan'
firewall.@redirect[4].proto='udp'
firewall.@redirect[4].src_dport='7000-7331'
firewall.@redirect[4].dest_port='7000-7331'
firewall.@redirect[4].name='7000'
firewall.@redirect[4].dest_ip='192.168.16.100'
firewall.@redirect[5]=redirect
firewall.@redirect[5].target='DNAT'
firewall.@redirect[5].src='wan'
firewall.@redirect[5].dest='lan'
firewall.@redirect[5].proto='udp'
firewall.@redirect[5].src_dport='10000-10239'
firewall.@redirect[5].dest_port='10000-10239'
firewall.@redirect[5].name='10000'
firewall.@redirect[5].dest_ip='192.168.16.100'
firewall.@redirect[6]=redirect
firewall.@redirect[6].target='DNAT'
firewall.@redirect[6].src='wan'
firewall.@redirect[6].dest='lan'
firewall.@redirect[6].proto='tcp'
firewall.@redirect[6].src_dport='7878'
firewall.@redirect[6].dest_port='7878'
firewall.@redirect[6].name='7878'
firewall.@redirect[6].dest_ip='192.168.16.100'
firewall.@redirect[7]=redirect
firewall.@redirect[7].target='DNAT'
firewall.@redirect[7].src='wan'
firewall.@redirect[7].dest='lan'
firewall.@redirect[7].proto='tcp'
firewall.@redirect[7].src_dport='8899'
firewall.@redirect[7].dest_port='8899'
firewall.@redirect[7].name='8899'
firewall.@redirect[7].dest_ip='192.168.16.100'
firewall.@zone[2]=zone
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].name='GuestWanOut'
firewall.@zone[2].network='GuestLAN'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[1].src='GuestWanOut'
firewall.@rule[11]=rule
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].src='wan'
firewall.@rule[11].proto='tcp'
firewall.@rule[11].dest_port='444'
firewall.@rule[11].name='AllowPhoneSysWeb'
firewall.@rule[11].dest='lan'
firewall.@rule[11].dest_ip='192.168.16.100'
Here's ip -4 addr:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
5: br-AdminLAN: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.16.250/24 brd 192.168.16.255 scope global br-AdminLAN
valid_lft forever preferred_lft forever
7: br-GuestLAN: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.0.250/24 brd 192.168.0.255 scope global br-GuestLAN
valid_lft forever preferred_lft forever
9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
valid_lft forever preferred_lft forever
11: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 195.224.172.58/29 brd 195.224.172.63 scope global eth0.2
valid_lft forever preferred_lft forever
12: tun0: <POINTOPOINT,UP,LOWER_UP> mtu 1500 qdisc mq state UNKNOWN qlen 100
inet 192.168.182.1/20 scope global tun0
valid_lft forever preferred_lft forever
Here's ip -4 ru:
root@OpenWrt:~# ip -4 ru
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Many thanks!
Here's the ip -4 ro:
root@OpenWrt:~# ip -4 ro
default via 195.224.172.57 dev eth0.2
192.168.0.0/24 dev br-GuestLAN scope link src 192.168.0.250
192.168.2.0/24 dev br-lan scope link src 192.168.2.1
192.168.16.0/24 dev br-AdminLAN scope link src 192.168.16.250
192.168.16.25 via 192.168.16.250 dev br-AdminLAN
192.168.176.0/20 dev tun0 scope link src 192.168.182.1
195.224.172.22/29 dev eth0.2 scope link src 195.224.172.24
The 192.168.176.0 network is what I'd like to talk to my 192.168.16.0 one.
trendy:
Remove this
SolConnor:
network.lan.gateway='192.168.2.1'
I can remove this, is this because coova chilli doesn't need a gateway specified as it changes it once connected?
trendy:
and this
SolConnor:
network.GuestLAN.gateway='192.168.0.250'
This one is for my guest network; it's separate from the (Coova Chilli) LAN & AdminLAN. It can't communicate with my other LANs, which is what I want.
trendy:
and this
SolConnor:
network.@route[0]=route
network.@route[0].interface='AdminLAN'
network.@route[0].target='192.168.16.25'
network.@route[0].gateway='192.168.16.250'
This was set up so the VLAN on my switch (192.168.16.25) can forward traffic to the router. It's a 48-port switch; 24 ports are set up with the captive LAN (192.168.176.X) & the others are AdminLAN (192.168.16.X). It doesn't seem to work without this rule.
trendy
October 15, 2019, 9:56am
This is statically assigned, so you have to configure the router on the other side of the tunnel to route the 192.168.16.0/24 over the tunnel.
You can remove it because it is wrong.
Same here. You cannot assign default gateway the address of the interface.
SolConnor:
This was set up so the VLAN on my switch (192.168.16.25) can forward traffic to the router. It's a 48-port switch; 24 ports are set up with the captive LAN (192.168.176.X) & the others are AdminLAN (192.168.16.X). It doesn't seem to work without this rule.
This is pointless, you already have a route for the whole .16.0/24 as directly connected.
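The three findings above (a gateway set to the interface's own address, a static route to a host that is already directly connected, and the zone policy that decides whether two interfaces may forward to each other) can be checked mechanically rather than by eye. The following Python is an added example written for this page; it is not code from the thread, from OpenWrt or from Coova Chilli. It parses `uci show` output and applies those checks to a constructed sample trimmed from the dumps posted above. It assumes the plain `uci show` line format (`config.section=type` and `config.section.option='value'`) and models only zone-level policy; per-rule exceptions such as the "Block GuestLan to ALAN" REJECT rule are not evaluated.

```python
"""Lint dumped OpenWrt UCI config for the routing and zone mistakes discussed above."""
import ipaddress
import re

# Constructed sample: a trimmed copy of the `uci show network` / `uci show firewall`
# dumps posted in this thread, not the complete output.
SAMPLE_NETWORK = """\
network.lan=interface
network.lan.ipaddr='192.168.2.1'
network.lan.netmask='255.255.255.0'
network.lan.gateway='192.168.2.1'
network.wan=interface
network.wan.ipaddr='195.224.172.24'
network.wan.netmask='255.255.255.248'
network.wan.gateway='195.224.172.23'
network.AdminLAN=interface
network.AdminLAN.ipaddr='192.168.16.250'
network.AdminLAN.netmask='255.255.255.0'
network.AdminLAN.gateway='192.168.16.250'
network.@route[0]=route
network.@route[0].interface='AdminLAN'
network.@route[0].target='192.168.16.25'
network.@route[0].gateway='192.168.16.250'
"""
SAMPLE_FIREWALL = """\
firewall.@defaults[0]=defaults
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='AdminLAN lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan wan6'
firewall.@zone[2]=zone
firewall.@zone[2].name='GuestWanOut'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].network='GuestLAN'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
"""

# `uci show` prints `config.section=type` per section and `config.section.option='value'`
# per option; anonymous section names look like @zone[0].
UCI_LINE = re.compile(r"^\w+\.(?P<sec>[^.=]+)(?:\.(?P<opt>\w+))?=(?P<val>.*)$")


def parse_uci(dump):
    """Return {section: {'.type': type, option: value}} from a `uci show` dump."""
    sections = {}
    for line in dump.splitlines():
        m = UCI_LINE.match(line.strip())
        if not m:
            continue
        sec, opt, val = m.group("sec"), m.group("opt"), m.group("val")
        if opt is None:
            sections[sec] = {".type": val}
        else:  # drop uci's quoting; list options stay as a space-joined string
            sections.setdefault(sec, {})[opt] = val.replace("'", "")
    return sections


def self_gateway_interfaces(net):
    """Interfaces whose gateway is their own address (a gateway must be a next hop)."""
    return sorted(s for s, o in net.items() if o.get(".type") == "interface"
                  and o.get("gateway") and o["gateway"] == o.get("ipaddr"))


def redundant_routes(net):
    """Static routes whose target already lies inside the interface's connected subnet."""
    found = []
    for s, o in net.items():
        if o.get(".type") != "route":
            continue
        iface = net.get(o.get("interface", ""), {})
        if not (iface.get("ipaddr") and iface.get("netmask")):
            continue
        connected = ipaddress.ip_network(f"{iface['ipaddr']}/{iface['netmask']}", strict=False)
        target = ipaddress.ip_network(o["target"], strict=False)  # bare host => /32
        if target.subnet_of(connected):
            found.append(s)
    return found


def forwarding_allowed(fw, src_net, dst_net):
    """Zone policy only: same zone with forward=ACCEPT, or a forwarding section
    from the source zone to the destination zone. Per-rule exceptions are ignored."""
    zones = [o for o in fw.values() if o.get(".type") == "zone"]
    default = fw.get("@defaults[0]", {}).get("forward", "REJECT")
    src = next((z for z in zones if src_net in z.get("network", "").split()), None)
    dst = next((z for z in zones if dst_net in z.get("network", "").split()), None)
    if src is None or dst is None:
        return False
    if src is dst:
        return src.get("forward", default) == "ACCEPT"
    return any(o.get(".type") == "forwarding" and o.get("src") == src["name"]
               and o.get("dest") == dst["name"] for o in fw.values())


if __name__ == "__main__":
    net, fw = parse_uci(SAMPLE_NETWORK), parse_uci(SAMPLE_FIREWALL)
    print("gateway == own address:", self_gateway_interfaces(net))
    print("redundant routes:", redundant_routes(net))
    for a, b in [("AdminLAN", "lan"), ("lan", "wan"), ("GuestLAN", "lan")]:
        print(f"{a} -> {b} forwarding:", forwarding_allowed(fw, a, b))
```

Run against the sample, it flags `lan` and `AdminLAN` for the self-referential gateway, flags `@route[0]` as redundant, and confirms that AdminLAN and lan may forward to each other because they share the `lan` zone with `forward='ACCEPT'`, while GuestLAN to lan is refused because no forwarding section exists. The tunnel network 192.168.176.0/20 on tun0 is not in any zone's `network` list, which is why the hotspot traffic has to be sorted out on the far side of the tunnel rather than in this firewall config.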
Damn, I'm using hotspotsystem.com for the captive portal, so I wouldn't have access to the router at the other side of the tunnel. So I wouldn't be able to get this working, would I?
Removed.
Removed. What would you normally put in here then? The OpenWrt router is my only one, so I assumed it'd be the IP I gave it.
I'll remove it and see what happens
trendy
October 15, 2019, 10:10am
I don't know if they can do that for you. Otherwise you would need to use NAT, but that would be unidirectional.
Just like you have in WAN interface, you assign the IP of the upstream router.
The reason I was trying to get it working is to allow a WiFi phone to talk to the phone system on admin LAN.
The WiFi phones can connect to the external IP of the phone system from outside the network; however, it can't find the system when inside. The same goes for using the public IP to access the phone system: it only works outside the network.
Do you know a way I could get round this? I wouldn't need to get wifi to talk to the lan if I can.
trendy
October 15, 2019, 10:23am
Could you draw a diagram as I am not sure I fully understand your topology?
I'll try to explain it best I can.
Leased Line router (195.224.172.23) -> OpenWRT Router (195.224.172.24)
Interface 1:
OpenWRT (AdminLAN, 192.168.16.250) --> Switch (192.168.16.25) -> Phones/PCs/Phone System
Interface 2:
OpenWRT (LAN, 192.168.2.1) ---> Switch --> WiFi APs/WiFi Phone. This is the interface with Coova Chilli running.
I can't access the public IP once connected to the WiFi network however I can while on the AdminLAN. It must be due to the tunnel router again.... I'll have to speak with hotspotsystem.com to see if they can do anything.
trendy
October 15, 2019, 11:11am
Sounds like a hotspot issue. Other than that the config looks fine.
system
October 25, 2019, 11:11am
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.