LAN to WAN RDP

Hey, so I am trying to isolate my devices on my OpenWrt router (my 2nd router), but not for any security reasons. I just need the ARP table of router 1 to not be visible on devices on router 2.

When I configure it as router 1 LAN -> router 2 WAN and assign a different subnet, I am totally unable to ping any device that is connected to router 1. However, when I go to router 2's OpenWrt diagnostics and ping my main computer, for example (192.168.1.2), it works just fine.

I have tried disabling the firewall and a bunch of other stuff, though I am a newbie. As far as I can understand this is a double NAT setup, which people say to avoid; however, when I do avoid it I run into this problem:

Interface: 192.168.1.157 --- 0xa
  Internet Address      Physical Address      Type
  192.168.1.1           b0-ac-**-**-**-e0     dynamic
  192.168.1.99          9a-9d-**-**-**-63     dynamic

which is that it includes both the OpenWrt MAC (which I can now change) and the ZTE main router MAC (which is not changeable).

How can I make sure RDP stays working, and likewise that the LAN-to-LAN apps I use keep working, while still redacting or spoofing all the MACs?

One obvious thing I thought of is to move the devices that I need RDP on to the second router as well, but I'm on an Archer C60, so I am essentially capping myself to 100 up / 100 down for the 'secure' devices. I don't know if that's very desirable, and I am also worried that somehow the MACs of the devices themselves will be visible.

Example: on my main PC, arp -a outputs

Interface: 192.168.1.2 --- 0xc
  Internet Address      Physical Address      Type
  192.168.1.1           b0-main-router-mac     dynamic
  192.168.1.99          76-open-wrt-mac     dynamic
  192.168.1.157         a8-second-pc-mac     dynamic

I don't know if this is a ZTE router specific thing or just my limited knowledge, but I can't have these MACs visible on the isolated computer.

Why do you feel that this is necessary?

MAC addresses are a layer 2 construct; they do not pass through layer 3 (routing).

Let's take a look at the configuration.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Hey, thank you for your reply. The MACs are because some software collects them. Although it's not a common use case of OpenWrt, I am certain it is necessary in my case.

Diagnostics traceroute (pinging my PC on the 1st router from OpenWrt):

traceroute to 192.168.1.2 (192.168.1.2), 20 hops max, 46 byte packets
 1  192.168.1.2  0.169 ms

The config you asked me to share:

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.134",
        "hostname": "OpenWrt",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link Archer C60 v3",
        "board_name": "tplink,archer-c60-v3",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "ath79/generic",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6b:268c:d7f9::/48'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0t'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option disabled '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'RdpI'
        option src 'wan'
        option src_dport '3389'

config redirect
        option dest 'wan'
        option target 'DNAT'
        option name 'RdpO'
        option src 'lan'
        option src_dport '3389'

config rule
        option name 'RDP-Inbound-Test'
        option src 'lan'
        option dest 'wan'
        option target 'ACCEPT'

config rule
        option name 'RDP-Outbound-Test'
        option src 'wan'
        option dest 'lan'
        option target 'ACCEPT'

root@OpenWrt:~#

I also included the LAN-LAN version, where RDP works as expected but multiple MACs are visible.

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.134",
        "hostname": "OpenWrt",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link Archer C60 v3",
        "board_name": "tplink,archer-c60-v3",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "ath79/generic",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd73:a118:a6ea::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.99'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0t'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option disabled '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '99'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

I'm quite curious whether the ZTE router's settings may be the issue here. I really have close to no idea how it all works in detail, but the first router's DHCP range is 192.168.1.1 to 192.168.1.100, and it treats OpenWrt as a normal LAN device, so I forced its IP to be 192.168.1.99 for ease of access. One more thing: when the firewall is disabled, a ping to 192.168.1.x from PC2 ends in 'general failure' as opposed to 'timed out'.

Sorry for the newbie questions :sweat_smile: I appreciate the help and the great work.

Some software? Can you be more specific? What software? Where is it located (i.e. within the network topology, where is the device that has this application)?

In general, the MAC addresses on a local network are of no interest or use to anybody outside that L2 network. Sure, the data could be used to create a "profile" of your network (i.e. "we see that this is a network that is filled with many Samsung devices and a few Macs"), but while that is a bit creepy, it isn't really a security threat.

Also, many devices have MAC randomization options, so you could enable that (iOS, Android, macOS, etc.).

You should upgrade to 23.05.5

remove the gateway below:

This config does literally nothing -- the device becomes purely a bridge, it does not route and cannot filter anything.

No...

The MAC addresses are required for devices to communicate at Layer 2 (switching). You cannot block/filter them at L2. You can, however, use routing (Layer 3) to have 2 distinct networks... MAC addresses do not pass through the routing layer. That appears to be what you have done in the first config.

Can you show a diagram of your network topology including the two routers (ZTE router, TP-Link router) and the computers involved (the 'source' where you are attempting to make the RDP connection and the destination which is the RDP target)?
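The routed layout the reply above describes, written out as an OpenWrt UCI fragment. This is an added example, not configuration taken from the thread or from the OpenWrt project. It assumes the RDP target on the OpenWrt side sits at 192.168.2.100 (any fixed address in the lan pool will do) and that hosts on the ZTE side reach it through OpenWrt's WAN address 192.168.1.99. Compared with the config posted earlier it drops `option gateway` from the lan interface (the default route comes from the wan DHCP lease), keeps the wan zone at its REJECT defaults instead of ACCEPT everywhere, and replaces the two unscoped `RdpI`/`RdpO` redirects and the two blanket ACCEPT rules with a single port-forward pinned to one host and one protocol.

```uci
# /etc/config/network -- lan stanza only; wan/wan6 on eth1 via dhcp stay as posted.
# No 'option gateway' here: the default route is learned on the wan interface.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# /etc/config/firewall -- zones back at OpenWrt defaults (input/forward REJECT on wan).
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# masq: lan hosts appear on 192.168.1.0/24 as 192.168.1.99, so the ZTE side
# only ever sees OpenWrt's eth1 MAC, never the isolated PC's.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# Isolated PC -> ZTE-side hosts (RDP out, pings, everything else).
config forwarding
        option src 'lan'
        option dest 'wan'

# ZTE-side PC -> isolated PC: connect the RDP client to 192.168.1.99:3389.
# dest_ip is an assumed fixed lease for the RDP target; adjust to match.
config redirect
        option name 'RDP-to-isolated-PC'
        option src 'wan'
        option src_dport '3389'
        option proto 'tcp'
        option dest 'lan'
        option dest_ip '192.168.2.100'
        option dest_port '3389'
        option target 'DNAT'

# Keep the stock Allow-DHCP-Renew, Allow-Ping and ICMPv6 rules from the default firewall.
```

After `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, the check on the isolated PC is `arp -a`: the only 192.168.2.x neighbour should be 192.168.2.1 with OpenWrt's br-lan MAC, because nothing on the ZTE side is a layer 2 neighbour of that host any more. On a ZTE-side PC, `arp -a` shows 192.168.1.99 with OpenWrt's WAN-side MAC and no entry for the isolated PC. No separate `src 'lan'` redirect is needed for outbound RDP; the lan -> wan forwarding covers it.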

Software on the Windows end. It grabs it essentially the same way as arp -a, just using the appropriate Windows API instead. Both my devices are Windows, for that matter.

Is it logging it and sending it somewhere? or just using it for local network purposes? If the former, can you disable this?

Sorry for my half response, I accidentally sent it.
No, I cannot disable it if I want to use that kind of software. The only way is to isolate the device using it onto the OpenWrt router and keep the other devices away from the OpenWrt router. This way is okay by me, but I need the MACs of the ZTE router etc. to not be visible at all costs (they are grabbed by kernel-level software via the Windows API equivalents of arp -a).

Yes, it is logging and sending it to their database, as well as a lot of other data that I am able to code a solution for.

Network diagram

ZTE modem (connected to a weird fiber house cable) -> ZTE router WAN

ZTE router WiFi -> Irrelevant Device 2 (phone)
ZTE router LAN 1 -> Irrelevant Device 1 (Windows)
ZTE router LAN 2 -> OpenWrt router WAN

OpenWrt router LAN -> Windows device that must never receive any MACs other than OpenWrt's own, which I can easily change.

Edit: to clarify, I want to be able to have LAN interactions between the 2 Windows devices. However, with the config I posted above, I cannot do that unless they are both on the OpenWrt router, which brings in the issue of the MAC of the Windows device that isn't the 'obscure' one being visible when the software on the obscure one calls arp -a.

I am currently using the WAN -> LAN setup and just living without RDP or any other LAN-LAN functionality; however, it is quite suboptimal to not be able to interact with devices on the other network. Having all devices on the OpenWrt router would also work, but only if their MACs were not displayed in the ARP table on the Windows end. Changing these MACs to randomized MACs when requested would even work; however, static MACs identifiable via Windows would not.

Any updates would be appreciated.

Also a side question: is it possible to overclock the LAN speeds (I assume not)? I made a big mistake and bought a 100/100 router; should I go ahead and buy a gigabit router instead?