No access to DMZ network segment from desktop PC connected to LAN

cmonty14 · May 4, 2022, 8:39pm

Hello,
my desktop PC has 2 NICs.
Each NIC is connected to a dedicated router.
This means, my network setup has 2 routers.
Router A is provided by ISP, and desktop PC is connected to its LAN with network 192.168.1.0/24.
Router B is running OpenWRT, and on the downstream side there are 2 network segments: LAN (172.16.1.0/24) and DMZ (172.16.9.0/24).
Each network segment is setup on a dedicated NIC, means there's no VLAN.
The desktop PC is connected to LAN.

My main issue currently is that I cannot ping 172.16.9.1 that is router B's IP of DMZ, and conseqently I cannot ping any other client in subnet 172.16.9.0/24.

Can you please advise how to fix this issue?

Here's the route table:

$ ip r
default via 192.168.1.1 dev br0 proto dhcp src 192.168.1.83 metric 10 
default via 172.16.1.1 dev enp5s0 proto dhcp src 172.16.1.100 metric 20 
172.16.1.0/24 dev enp5s0 proto kernel scope link src 172.16.1.100 metric 20 
172.16.1.1 dev enp5s0 proto dhcp scope link src 172.16.1.100 metric 20 
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.83 metric 10 
192.168.1.1 dev br0 proto dhcp scope link src 192.168.1.83 metric 10 
192.168.100.249 via 192.168.1.1 dev br0 proto dhcp src 192.168.1.83 metric 10

Restriction is that DMZ is only available from clients connected to LAN, subnet 172.16.1.0/24.

Can you please advise how to fix this issue?

mattimat · May 6, 2022, 3:49pm

The destination 172.16.9.0/24 is propably routed towards 192.168.1.1. You need to add a explicit route for it towards 172.16.1.1. I'm not sure how two default routes are working.

lleachii · May 6, 2022, 9:17pm

They don't work [very well].

The OP could connect/route thru the 2 devices, unless there's some reason the two physical networks are gaped. If the ISP's routers can configure static routes...

cmonty14 · May 7, 2022, 8:56pm

To continue with analysis I have unplugged LAN with network 192.168.1.0/24.

This result in following routing table:

$ ip r
default via 172.16.1.1 dev enp5s0 proto dhcp src 172.16.1.100 metric 1024 
172.16.0.0/20 dev enp5s0 proto kernel scope link src 172.16.1.100 metric 1024 
172.16.1.1 dev enp5s0 proto dhcp scope link src 172.16.1.100 metric 1024

This routing table has a larger network /20 that includes 172.16.1.0/24 and 172.16.9.0/24.

Internet connections work as expected:

$ ping -c 3 openwrt.org
PING openwrt.org (139.59.209.225) 56(84) Bytes an Daten.
64 Bytes von 139.59.209.225 (139.59.209.225): icmp_seq=1 ttl=51 Zeit=15.5 ms
64 Bytes von 139.59.209.225 (139.59.209.225): icmp_seq=2 ttl=51 Zeit=15.0 ms
64 Bytes von 139.59.209.225: icmp_seq=3 ttl=51 Zeit=15.6 ms

--- openwrt.org ping-Statistik ---
3 Pakete übertragen, 3 empfangen, 0% packet loss, time 16948ms
rtt min/avg/max/mdev = 15.047/15.377/15.607/0.239 ms

$ traceroute openwrt.org
traceroute to openwrt.org (139.59.209.225), 30 hops max, 60 byte packets
 1  _gateway (172.16.1.1)  0.370 ms  0.397 ms  0.433 ms
 2  fritz.box (192.168.1.1)  1.118 ms  1.103 ms  1.084 ms
 3  * * *
 4  ip-081-210-148-070.um21.pools.vodafone-ip.de (81.210.148.70)  18.920 ms  18.890 ms  18.854 ms
 5  de-str01c-rc1-ae-21-0.aorta.net (84.116.190.241)  29.192 ms  29.157 ms  29.163 ms
 6  de-fra01b-rc2-ae-4-0.aorta.net (84.116.140.201)  22.409 ms  22.073 ms  22.080 ms
 7  de-bfe18a-rt01-lag-1.aorta.net (84.116.190.34)  19.654 ms  16.790 ms  16.773 ms
 8  ae32-100-pcr1.fnt.cw.net (195.2.18.217)  25.751 ms ae8-100-tcr1.fnt.cw.net (195.2.26.93)  15.188 ms ae32-100-pcr1.fnt.cw.net (195.2.18.217)  42.767 ms
 9  telia-gw.fnt.cw.net (195.2.22.238)  21.345 ms ae34-pcr1.fnt.cw.net (195.2.31.38)  20.098 ms telia-gw.fnt.cw.net (195.2.22.238)  18.967 ms
10  telia-gw.fnt.cw.net (195.2.22.238)  50.756 ms  17.730 ms ffm-bb2-link.ip.twelve99.net (62.115.124.118)  16.399 ms
11  * ffm-b5-link.ip.twelve99.net (62.115.114.89)  23.991 ms ffm-b5-link.ip.twelve99.net (62.115.114.91)  23.998 ms
12  digitalocean-ic328178-ffm-b5.ip.twelve99-cust.net (80.239.128.23)  23.958 ms ffm-b5-link.ip.twelve99.net (62.115.114.91)  22.930 ms digitalocean-ic328178-ffm-b5.ip.twelve99-cust.net (80.239.128.23)  24.016 ms
13  * 138.197.250.134 (138.197.250.134)  18.822 ms 138.197.250.138 (138.197.250.138)  18.812 ms
14  138.197.250.148 (138.197.250.148)  21.204 ms 138.197.250.142 (138.197.250.142)  21.195 ms *
15  * * *
16  139.59.209.225 (139.59.209.225)  15.785 ms * *

However, I still cannot reach DMZ network 172.16.9.0/24 and its router interface IP 172.16.9.1:

$ ping -c 3 172.16.9.1
PING 172.16.9.1 (172.16.9.1) 56(84) Bytes an Daten.
Von 172.16.1.100 icmp_seq=1 Zielhost nicht erreichbar
Von 172.16.1.100 icmp_seq=2 Zielhost nicht erreichbar
Von 172.16.1.100 icmp_seq=3 Zielhost nicht erreichbar

--- 172.16.9.1 ping-Statistik ---
3 Pakete übertragen, 0 empfangen, +3 Fehler, 100% packet loss, time 2020ms
pipe 3

$ traceroute 172.16.9.1
traceroute to 172.16.9.1 (172.16.9.1), 30 hops max, 60 byte packets
 1  homer (172.16.1.100)  3042.097 ms !H  3042.074 ms !H  3042.067 ms !H

cmonty14 · May 14, 2022, 6:17am

After disconnecting my desktop PC from LAN of router A the issue is solved.

system · May 24, 2022, 6:18am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.