Multi-WAN, Multi-LAN and DMZ routing

Hello,

My setup is as follows:

  • OpenWRT latest version in Hyper-V VM, multi-NICs
  • Dual WAN, PPPoE both, fixed public IPs
  • No port is blocked by ISP nor traffic is filtered at their side
  • Port mapping for DMZ servers for WAN access configured and works
  • routing between zones works as designed
  • each interface is defined on its own NIC and its own firewall zone

However, LAN > WAN > Port map > DMZ is not working, e.g. accessing an HTTP server on WAN1's IP from LAN, but it works from outside the network as expected.
Currently I use split DNS to redirect critical servers to their DMZ IPs, but that is a patch and not manageable due to the multiple domains hosted in DMZ.
In mwan3's config I have pinned each WAN traffic so everything is routed properly:

config rule 'http_in_wan1'
	option sticky '1'
	option dest_port '80'
	option proto 'tcp'
	option family 'ipv4'
	option in_interface 'wan1'
	option use_policy 'wan1_only'

config rule 'http_in_wan2'
	option sticky '1'
	option dest_port '80'
	option proto 'tcp'
	option family 'ipv4'
	option in_interface 'wan2'
	option use_policy 'wan2_only'

I have tried to change forward policies, play with NAT, SNAT and DNAT, mess with NFT tables etc., but to no avail.
I also have a similar issue: 2 OpenVPN servers (one per WAN), only the WAN1 instance routes traffic, the other one doesn't, though the client connects fine. I have a feeling that those 2 issues are connected.

Any ideas on how the hairpinning can be solved?

Use the reflection_zone option (in the DNAT rule) to list all the zones from which you want to access the service via the WAN1 IP address.

https://openwrt.org/docs/guide-user/firewall/firewall_configuration#options4

There is little chance of getting useful advice on this issue without posting the entire configuration.


Hi,

Thanks for the info! I was under the impression that if I do not explicitly state the zones, it will default to all zones like in other places... my bad, this is the only thing I did not try. Using reflection_zone explicitly worked for LANs, but not if I also list the VPN zones, where I get messages like:

Section @redirect[0] (HTTP) internal rewrite IP cannot be determined, disabling reflection).

So far this is annoying but fine, if I need VPN, it means I am outside the network anyway, so WAN port maps should work for the purpose. No need to do more than that.

Regarding OpenVPN, here is the full config (I blanked my public IPs, but x and y are my 2 WAN IPs; ideally I would not hardcode the IP but use the interface name pppoe-wan1). The only real difference between them is the subnet and gateway/DNS server IP, as well as the routes to the other VPN subnet:

config openvpn 'OpenVPNServerWAN1'
	option enabled '1'
	option dev 'tun0'
	option proto 'udp'
	option port '1194'
	list local 'x.x.x.x'
	option topology 'subnet'
	option client_to_client '1'

	option server '192.168.4.0 255.255.255.0'
	
	list push 'route 192.168.1.0 255.255.255.0'
	list push 'route 192.168.2.0 255.255.255.0'
	list push 'route 192.168.5.0 255.255.255.0'
	list push 'route 192.168.11.0 255.255.255.0'
	list push 'route 192.168.12.0 255.255.255.0'
	list push 'route 192.168.21.0 255.255.255.0'
	list push 'route 192.168.100.0 255.255.255.0'
	list push 'route 192.168.254.0 255.255.255.0'
	
	list push 'dhcp-option DNS 192.168.4.1'
	
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh.pem'
	
	option persist_key '1'
	option persist_tun '1'
	option keepalive '60 3600'
	option explicit_exit_notify '1'
	option mssfix '1420'
	option verb '3'
config openvpn 'OpenVPNServerWAN2'
	option enabled '1'
	option dev 'tun1'
	option proto 'udp'
	option port '1194'
	list local 'y.y.y.y'
	option topology 'subnet'
	option client_to_client '1'

	option server '192.168.5.0 255.255.255.0'
	
	list push 'route 192.168.1.0 255.255.255.0'
	list push 'route 192.168.2.0 255.255.255.0'
	list push 'route 192.168.4.0 255.255.255.0'
	list push 'route 192.168.11.0 255.255.255.0'
	list push 'route 192.168.12.0 255.255.255.0'
	list push 'route 192.168.21.0 255.255.255.0'
	list push 'route 192.168.100.0 255.255.255.0'
	list push 'route 192.168.254.0 255.255.255.0'
	
	list push 'dhcp-option DNS 192.168.5.1'
	
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh.pem'
	
	option persist_key '1'
	option persist_tun '1'
	option keepalive '60 3600'
	option explicit_exit_notify '1'
	option mssfix '1420'
	option verb '3'

In network I have them defined as:

config interface 'VPN1'
	option proto 'none'
	option device 'tun0'

config interface 'VPN2'
	option proto 'none'
	option device 'tun1'

and in firewall they are assigned to their zones:

config zone
	option name 'VPN_WAN1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'VPN1'

config zone
	option name 'VPN_WAN2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'VPN2'

Everything else regarding those 2 firewall zones (routing, rules) is identical, e.g.:

config forwarding
	option src 'VPN_WAN1'
	option dest 'LAN_WIRED'

config forwarding
	option src 'VPN_WAN2'
	option dest 'LAN_WIRED'

Also in mwan3 I pinned the UDP traffic to their single WAN policies, as for the other services.

Please let me know if anything else is needed to troubleshoot. As a side note, this issue is kinda "critical" to me, as if WAN1 is down for some reason, I have no way to remote in via WAN2...
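As an added example (not posted by anyone in this thread), this is what the reflection_zone suggestion from the first reply looks like as a complete DNAT section in /etc/config/firewall, the shape a practitioner would compare against their own redirect. The zone names WAN1 and DMZ and the server address 192.168.100.10 are assumed for illustration; LAN_WIRED is the zone named in the thread.

```uci
# Added example: one HTTP port-forward on WAN1 with NAT reflection
# (hairpin NAT) enabled for the internal zones listed below.
# 'WAN1', 'DMZ' and 192.168.100.10 are assumed values, not from the thread.
config redirect 'http_wan1'
	option name 'HTTP'
	option target 'DNAT'
	option src 'WAN1'
	option src_dport '80'
	option dest 'DMZ'
	option dest_ip '192.168.100.10'
	option dest_port '80'
	option proto 'tcp'
	option family 'ipv4'
	# reflection_zone defaults to the 'dest' zone only (here DMZ), not to
	# every zone; list each zone that must reach the server via WAN1's IP.
	option reflection '1'
	list reflection_zone 'LAN_WIRED'
	list reflection_zone 'DMZ'
	# 'internal' (the default) rewrites the client's source to the router's
	# address in the reflecting zone, so the server's reply returns through
	# the router instead of going directly to the LAN client and bypassing
	# the NAT state.
	option reflection_src 'internal'
```

One caveat, offered as an assumption rather than something confirmed in the thread: fw4 takes the internal rewrite IP from an IPv4 address on one of the reflecting zone's networks, and an interface declared with proto 'none' (VPN1/VPN2 above) exposes no such address to netifd, which would match the "internal rewrite IP cannot be determined" message seen when the VPN zones are listed.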
