Level3 routing problems

Hello guys!
This is a project I've been working on for a long time, and it is now in its final stage. However, I have some problems which I can't solve.
So this is a simplified view of my network:

LAN segment includes my home net, my WiFi and some servers that will be used for testing
MGMT segment is used for management (switch, router, hypervisor); there is no default route, no connection to the internet, and it can't be accessed from other networks.
PROD segment is for production VMs, and it shouldn't have access to other networks; clients should also not see each other. Their only way should be the default GW.

Right now, clients from VLAN2 can see 10.10.10.1, but can't see 10.10.10.2 and so on.
Clients from VLAN1 can't see VLAN2. I can't seem to fix this issue.

As far as I read, for the production network, a bridge should be created for every client on the network.
Like VLAN1, VLAN444 can be seen from other networks, which is not OK.

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'lan_home'
	list network 'lan_home'
	list device 'eth1.2'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option dest 'wan'
	option src 'lan_home'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'
	option dest 'lan_home'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest 'lan_home'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option name 'transmission'
	option src 'wan'
	option src_dport '51413'
	option dest_ip '192.168.2.2'
	option dest 'lan_home'

config zone
	option name 'management'
	option forward 'REJECT'
	list network 'mgmt'
	option input 'REJECT'
	option output 'REJECT'

config rule
	option name 'a'
	option dest 'management'
	option target 'REJECT'
	option direction 'out'
	option device 'eth1.1'
	list dest_ip '10.10.10.1'
	option src 'lan_home'
	option enabled '0'

config rule
	option src 'management'
	list src_ip '10.10.10.2'
	option target 'ACCEPT'
	list dest_ip '10.10.10.1'

There is only one forwarding, which is to the internet. Every other forwarding from one zone to another will be denied. Intrazone forwarding between lan_home and eth1.2 is allowed from the lan zone forward rule.

Umm, I already have that in my config.

And where is that?

Fix the following:

  1. It is not clear which interface is which in the firewall config. E.g. lan_home is what? eth1.2 is what? Only mgmt is obvious.
  2. Allow at least output, or you won't be able to do anything there.

It's in the fourth block in my first post. Look closely.
eth1.1 - mgmt
eth1.2 - lan_home
eth1.444 - production

Edit: Okay, to make things more clear - gateways are ALWAYS pingable, which I don't want. Subnet members are not, which is OK.
For ex. ping from lan_home member (192.168.2.2) to mgmt (10.10.10.1) is successful.
Ping from the same lan_home member to 10.10.10.2 is not (dropped as it should).

Fourth block in your first post is the lan_home -> wan forwarding. If the management zone is isolated then leave that as it is.

192.168.2.1 and 10.10.10.1 are both allowed as you have the INPUT of lan_home ACCEPT. It is the same system, so it doesn't make any difference which IP you ping.


Thank you very much for your help, but this doesn't solve my problem. I really can't understand what to do and where I made my mistake(s).

What @trendy was saying here:

is that the router actually has both of these addresses, and will respond because input is accept. Not the best analogy, but think of it as a nickname -- the router responds to its "formal" name (the IP on the same network; so from lan_home, the router's address is 192.168.2.1), and it also responds to its nickname (i.e. the address it occupies on the mgmt network, 10.10.10.1).

It does this because INPUT is set to ACCEPT -- the INPUT setting affects the ability to contact the router itself. If you set that to drop/reject, it will not accept the connection, but that also means that DHCP and DNS will not be allowed, either. So if you change this setting, you need to create rules to accept DHCP and DNS (if needed) connections.

All of that said, this is not a routing/firewall issue -- as you have stated, the hosts on each network cannot reach each other... so the firewall is doing what you've configured -- not allowing inter-VLAN routing.

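The two changes the replies above describe, written out as an added example that is not part of the original thread: the OP's disabled rule 'a' becomes an INPUT rule (no 'dest', so it matches traffic to the router itself rather than forwarded traffic) that rejects lan_home packets aimed at the router's mgmt address, while lan_home keeps INPUT ACCEPT so DHCP and DNS still work; the management zone gets OUTPUT ACCEPT as suggested. The rule name is an assumption, and 'proto all' is needed because fw3 rules default to TCP/UDP and would otherwise not match ICMP.

```uci
# Replaces the disabled rule 'a' from the first post. Without 'dest'
# the rule lands in the INPUT chain, i.e. it filters traffic addressed
# to the router itself. 'direction' and 'device' from the old rule are
# dropped; they are not needed for this.
config rule
	# hypothetical rule name
	option name 'Reject-lan_home-to-mgmt-gw'
	option src 'lan_home'
	# default proto would be tcp/udp only; 'all' also covers ICMP (ping)
	option proto 'all'
	list dest_ip '10.10.10.1'
	option target 'REJECT'
	option enabled '1'

# Management zone as in the first post, but with OUTPUT ACCEPT so the
# router itself can reach the switch and hypervisor on 10.10.10.0/24.
# INPUT and FORWARD stay REJECT, so the mgmt segment remains isolated
# from lan_home and production, which have no forwarding into it.
config zone
	option name 'management'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'mgmt'
```

After editing /etc/config/firewall, apply it with `/etc/init.d/firewall restart`; a ping from 192.168.2.2 to 10.10.10.1 should then be rejected while 192.168.2.1 still answers.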

10.10.10.1 is the IP of the router ITSELF, so it does not forward packets to another zone. 10.10.10.2 is the IP of ANOTHER device in ANOTHER zone, so forwarding of packets is required. As it was explained, you should add corresponding forwarding rules. Within one zone, forwarding is managed by

option forward 'ACCEPT'

in section 'config zone'.

