I need help with some basic routing

I am trying to set up a basic isolated device network, but the isolated device has very broken connectivity. It has never been able to access the internet, and access into the device is also currently broken.

What subnet masks, routes & gateways should I have in place?

isolated device (192.168.98.11/24)
|
V
firewall inside (192.168.98.1)
firewall (192.168.1.11) (has port forwards to the isolated host)
|
V
normal home network (192.168.6.0/23)
|
V
router (192.168.6.1 - has static route for 192.168.1.0/24 as well)
|
V
internet

What are you trying to achieve? Which boxes are OpenWRT, and what is the output of ubus call system board from those?

I need access into the isolated device from the home network, I just want to tightly control what it can access outbound (statefully).

Currently, I can't access the openwrt gui via its external IP, even though I enabled it in the UI and firewall rules.

The firewall is openwrt. It's an Asus AC68U (bcm4708) running version 23.05.2.

I can't easily share data, as I'd need to transfer it via USB every time. Once I can get access to the external GUI, this will speed up.

LuCI and SSH are not accessible from the WAN side.

I opened up both. I had them working at one point, but it's broken now.

OK, so I fixed access to the external IP for SSH and LuCI. I had to change the WAN interface subnet mask:

old: 192.168.1.11/24
new: 192.168.1.11/16

This is probably excessively large... maybe it would be helpful to see your network config files from each of the routers.


I agree the firewall WAN interface subnet mask is a bit large. I have previously used /20. I guess it needs to have the default gateway IP within its network? Is that correct?

The home network is 192.168.6.0/23 , and the router's ip is 192.168.6.1.

The router has a static route for 192.168.1.0/24 with gateway 0.0.0.0.
That was required to reach the firewall WAN interface.

BTW, I have no other routers.

Router routing table (trimmed); BR1 is the guest wifi network:

Destination     Gateway         Genmask         Flags    Metric Ref    Use Type Iface
default         PUBLIC_IP     0.0.0.0         UG       0      0        0 WAN0 eth0
192.168.1.0     *               255.255.255.0   U        2      0        0 LAN  br0
192.168.6.0     *               255.255.254.0   U        0      0        0 LAN  br0
192.168.101.0   *               255.255.255.0   U        0      0        0      br1
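The question of whether a gateway has to sit inside the interface's own subnet, as an added Python check that is not part of the thread: it parses a constructed copy of the posted wan stanza (once with the original /24, once with the /16 the mask was changed to), reports for the default gateway and each enabled static route whether its nexthop is on-link, and computes the smallest mask that would cover both 192.168.1.11 and 192.168.6.1. The UCI excerpt and helper names are constructed for this example.

```python
import shlex
import ipaddress

# Constructed excerpt modelled on the WAN stanza posted in the thread (original /24 mask);
# WAN_NEW is the same stanza with the /16 the poster changed it to.
WAN_OLD = """
config interface 'wan'
	option proto 'static'
	option ipaddr '192.168.1.11'
	option netmask '255.255.255.0'
	option gateway '192.168.6.1'

config route
	option interface 'wan'
	option target '192.168.6.0/23'
	option gateway '192.168.6.1'
"""
WAN_NEW = WAN_OLD.replace("255.255.255.0", "255.255.0.0")

def parse_uci(text):
    """Minimal UCI reader: one dict per 'config' section, 'list' values aggregated."""
    sections = []
    for tok in filter(None, (shlex.split(l, comments=True) for l in text.splitlines())):
        if tok[0] == "config":
            sections.append({".type": tok[1], ".name": tok[2] if len(tok) > 2 else None})
        elif tok[0] == "option" and sections:
            sections[-1][tok[1]] = tok[2] if len(tok) > 2 else ""
        elif tok[0] == "list" and sections:
            sections[-1].setdefault(tok[1], []).append(tok[2])
    return sections

def check_gateways(text):
    """(interface, gateway, on_link) for the default gateway and each enabled static route.
    Linux refuses a route via a gateway outside the interface's subnet unless marked onlink."""
    sections = parse_uci(text)
    nets = {}                                   # interface name -> list of on-link networks
    for s in sections:
        if s[".type"] == "interface" and s.get("proto") == "static" and "ipaddr" in s:
            addrs = s["ipaddr"]                 # 'option ipaddr'+'netmask' or 'list ipaddr' CIDRs
            if isinstance(addrs, str):
                addrs = [f"{addrs}/{s.get('netmask', '32')}"]
            nets[s[".name"]] = [ipaddress.ip_interface(a).network for a in addrs]
    out = []
    for s in sections:
        if "gateway" in s and s.get("disabled") != "1" and s[".type"] in ("interface", "route"):
            iface = s[".name"] if s[".type"] == "interface" else s.get("interface")
            gw = ipaddress.ip_address(s["gateway"])
            out.append((iface, str(gw), any(gw in n for n in nets.get(iface, []))))
    return out

def smallest_prefix_covering(addr, gw):
    """Shortest prefix putting addr and its gateway in one subnet: 32 minus the XOR bit length.
    For 192.168.1.11 and 192.168.6.1 this is /21, which already swallows 192.168.6.0/23."""
    a, g = int(ipaddress.ip_address(addr)), int(ipaddress.ip_address(gw))
    return 32 - (a ^ g).bit_length()
```

With the /24 both the default gateway and the static route come back off-link, which matches the "no connectivity" seen before the mask change; with the /16 both are on-link.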

Let's actually go back to basics.

  1. What is the purpose of the 3 (?) cascaded routers?
  2. How are the routers connected to each other? (wan or lan)?
  3. Is masquerading being used on the cascaded routers?

Depending on the context, static routes (manually added) may not be necessary, but it's not at all clear how things are really configured and why.

What can I provide from my openwrt to help? I now have ssh access from the external/wan interface

The diagram in the first post lays out pretty much everything.
I need access to the isolated host, but want to restrict (and log) what it can access.

Let's start by getting answers to the questions I asked earlier. Then we'll move on to looking at the configurations themselves.

  1. I need access to the isolated host, but want to restrict (and log) what it can access. I don't have 3 physical routers, just two.

OpenWRT on "Asus RT-AC68U (BCM4708)"
and a standard vendor config on my internet router "Asus GT-AXE11000".

  1. On my openwrt router/firewall: the isolated device is on LAN port 2; WAN connects to my internet router's LAN port.

  2. I enabled masquerading on a "LAN => WAN" zone entry in my openwrt config. I'm unsure if this is required. I do not have it for my isolated network. I haven't gotten far enough to know if it's required.

Let me know if you need more clarity

In your OP, I see 3 subnets described:

  • 192.168.98.0/24
  • 192.168.1.0/24 (I think it's /24)
  • 192.168.6.0/23

It would seem that the GT-AXE11000 is using 192.168.6.0 for its network. Why did you make it larger than a /24?

Where are the other two subnets coming from? Are they both on the same AC68U?

If your main router supports adding static routes, masquerading is not required. But we need to make sure everything is configured properly.

In addition to answering the above questions, let's see the complete config of your AC68U.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
ifstatus wan | grep address

Regarding 192.168.6.0/23: (on ASUS internet router)
So, the usage of a /23 was related to another attempt to redesign all this before I found openwrt. It's unnecessarily large, but I'm not changing it for this.

Regarding 192.168.1.0/24 (on openwrt WAN interface)
This is to relocate my device that is to be isolated without requiring me to change what other devices point at for its IP (192.168.1.11). The IP is now assigned on the openwrt WAN interface.

Regarding 192.168.99.0/24: (on openwrt LAN interface port 1)
I used this to configure openwrt initially. I now use the WAN interface to configure it.

Regarding 192.168.98.0/24: (on openwrt IsolatedNet interface)

I need to assign an IP to my isolated device that is NOT in my home network. I chose 192.168.98.0/24 for that isolated network (IsolatedNet), which is assigned on the IsolatedNet interface. I am not a routing guy, so I have no clue what is actually appropriate for this. There is only the one device (192.168.98.11), and I am hoping the openwrt router can handle routing for it. I chose "98" because it was outside of the /20 I had been using with the main home network (and for access to the openwrt WAN interface of 192.168.1.11).

You will see lots of disabled rules and routes. I have been trying a lot of stuff. All disabled items/rules can be ignored.

Once I can get the isolated device to reach the internet (ICMP to 8.8.8.8, for example), then I can manage the firewall rules at that point. That's easier for me to understand; it's the routing that is very foreign to me.

ubus call system board:

{
	"kernel": "5.15.137",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 0 (v7l)",
	"model": "Asus RT-AC68U (BCM4708)",
	"board_name": "asus,rt-ac68u",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "bcm53xx/generic",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '::::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'lan1'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '192.168.99.1/24'

config device
	option name 'wan'
	option macaddr ''

config interface 'wan'
	option device 'wan'
	option proto 'static'
	option ipaddr '192.168.1.11'
	option netmask '255.255.0.0'
	option gateway '192.168.6.1'
	option broadcast '192.168.7.255'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'none'
	option reqprefix 'auto'

config interface 'Isolatednet'
	option proto 'static'
	option device 'br-Isolated'
	list ipaddr '192.168.98.1/24'

config device
	option type 'bridge'
	option name 'br-Isolated'
	list ports 'lan2'
	option ipv6 '0'

config route
	option interface 'Isolatednet'
	option target '192.168.1.11/32'
	option gateway '192.168.99.1'
	option metric '0'
	option table 'main'
	option mtu '1500'
	option source '192.168.1.1'
	option disabled '1'

config rule
	option priority '30000'
	option in 'lan'
	option src '192.168.99.0/24'
	option out 'Isolatednet'
	option dest '192.168.10.0/24'
	option lookup 'main'
	option disabled '1'

config device
	option name 'lan2'
	option ipv6 '0'
	option acceptlocal '1'

config route
	option interface 'wan'
	option target '192.168.6.0/23'
	option gateway '192.168.6.1'

config route
	option interface 'lan'
	option target '192.168.1.11/32'
	option gateway '192.168.99.1'
	option disabled '1'

config route
	option interface 'lan'
	option target '192.168.10.1/32'
	option gateway '192.168.99.1'
	option disabled '1'

config route
	option interface 'Isolatednet'
	option target '192.168.10.11/32'
	option gateway '192.168.10.1'
	option disabled '1'

config route
	option interface 'lan'
	option target '192.168.98.0/24'
	option gateway '192.168.98.1'
	option disabled '1'

config rule
	option in 'lan'
	option out 'wan'
	option lookup 'main'
	option disabled '1'

config device
	option name 'lan3'

config device
	option name 'lan1'

config rule
	option in 'Isolatednet'
	option out 'wan'
	option lookup 'main'
	option disabled '1'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option log '1'
	option log_limit '10000/minute'
	option family 'ipv4'
	option masq '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	option log '1'
	option log_limit '10000/minute'
	option family 'ipv4'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option family 'ipv4'
	option enabled '0'

config zone
	option name 'IsolatedZone'
	option input 'DROP'
	option output 'DROP'
	option forward 'DROP'
	list network 'Isolatednet'
	option log '1'
	option log_limit '10000/minute'
	option family 'ipv4'

config rule
	option name 'firewall ssh access from wan'
	option src 'wan'
	option dest_port '22'
	option target 'ACCEPT'

config rule
	option name 'Permit access to Isolated'
	option src '*'
	option dest 'lan'
	option dest_port '443'
	option target 'ACCEPT'
	option family 'ipv4'
	list dest_ip '192.168.98.11'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'Permit ICMP to Isolatednet'
	list proto 'icmp'
	option src '*'
	option dest 'IsolatedZone'
	option target 'ACCEPT'
	option family 'ipv4'

config forwarding
	option src 'wan'
	option dest 'IsolatedZone'

config rule
	option name 'Permit DNS to 192.168.99.3'
	option src '*'
	option dest 'lan'
	option dest_port '53'
	option target 'ACCEPT'
	option family 'ipv4'
	list dest_ip '192.168.99.3'

config rule
	option name 'From LAN to internet'
	option src 'lan'
	option dest 'wan'
	option target 'ACCEPT'

config redirect
	option dest 'IsolatedZone'
	option target 'DNAT'
	option name 'Isolated syslog'
	option family 'ipv4'
	option src 'wan'
	option src_dport '514'
	option dest_ip '192.168.98.11'
	option dest_port '514'
	list proto 'tcp'
	list proto 'udp'

config forwarding
	option src 'wan'
	option dest 'lan'

config rule
	option name 'From firewall to WAN'
	option dest 'wan'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'

config rule
	option name 'firewall web access from WAN'
	option src 'wan'
	option target 'ACCEPT'
	option dest_port '443'

config rule
	option name 'permit Isolated to ping 8.8.8.8'
	list proto 'icmp'
	option src 'IsolatedZone'
	list dest_ip '8.8.8.8'
	option target 'ACCEPT'

config rule
	option name 'permit Isolated to NCSI'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'
	option src 'IsolatedZone'
	option dest 'wan'
	list dest_ip '13.55.254.36'
	option target 'ACCEPT'

config forwarding
	option src 'IsolatedZone'
	option dest 'wan'

config rule
	option name 'Permit Isolatednet to Isolated syslog'
	option dest 'IsolatedZone'
	option target 'ACCEPT'

config redirect
	option dest 'IsolatedZone'
	option target 'DNAT'
	option name 'Isolated SMB'
	option family 'ipv4'
	option src 'wan'
	option src_dport '445'
	option dest_ip '192.168.98.11'
	option dest_port '445'

config redirect
	option dest 'IsolatedZone'
	option target 'DNAT'
	option name 'Isolated web'
	option family 'ipv4'
	option src 'wan'
	option src_dport '54443'
	option dest_ip '192.168.98.11'
	option dest_port '443'

config redirect
	option dest 'IsolatedZone'
	option target 'DNAT'
	option name 'Isolated SSH'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '54022'
	option dest_ip '192.168.98.11'
	option dest_port '22'

config redirect
	option dest 'IsolatedZone'
	option target 'DNAT'
	option name 'Isolated Nextcloud'
	option family 'ipv4'
	option src 'wan'
	option src_dport '37685'
	option dest_ip '192.168.98.11'
	option dest_port '37685'

config rule
	option name 'Permit IsolatedNet to IsolatedNet'
	option src 'IsolatedZone'
	option dest 'IsolatedZone'
	option target 'ACCEPT'

config rule
	option name 'permit IsolatedNet to ping firewall'
	list proto 'icmp'
	option src 'IsolatedZone'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'WAN to DNS'
	option src 'wan'
	option src_dport '53'
	option dest_ip '192.168.99.3'
	option dest_port '53'

config rule
	option name 'block Isolated to WAN'
	option src 'IsolatedZone'
	option dest 'wan'
	option target 'DROP'

ifstatus wan | grep address

	"ipv4-address": [
			"address": "192.168.1.11",
	"ipv6-address": [
		"ipv4-address": [
		"ipv6-address": [

You've very much overcomplicated things. Reset your device to defaults.

Once it is in the default state, post your config files and I'll show you what to add to create your isolated network for port 2.

I'm fine with trying that. I just need to point out 2 things.

  1. That I will not be able to re-IP the isolated device until it has functional networking.

  2. All other devices need to access the isolated device at 192.168.1.11, and I'm not changing that, due to the impact on other systems.

That's fine as long as you know its current address/subnet size.

This is more complicated. More information is needed here:

  • From which network(s) will the requesting hosts be connecting to the device at .1.11?
  • Can this device actually be set to 1.11 once network access is established (based on its current address)?
  • From which network(s) will the requesting hosts be connecting to the device at .1.11?

All clients on 192.168.6.0/23 and 192.168.101.0/24.

  • Can this device actually be set to 1.11 once network access is established (based on its current address)?

Yes.

Ok... reset and we'll get things going.

Go ahead and make a backup first, but we won't be restoring it.


Do you want the same output as before? I enabled SSH and web access on the WAN. Web is working fine; SSH is not.