OpenWrt as pure router (x86 with 2 NICs)

I'm trying to set up a simple router between two LANs (different IP networks, 10.0.0.0/24 and 10.0.1.0/24). Configuring the interfaces is OK, but trying to ping from a host in the first network is not working. Adding static routes makes no difference. What am I missing? Thanks

uci show network; uci show firewall
ip -4 a; ip -4 r; ip -4 ru

Welcome

If you can ping from one network to the other but not the opposite, then you are likely re-using the WAN interface with its firewall settings, which don't allow connections from WAN to LAN (typically the WAN zone will have a red colour in LuCI).

If you can't ping from either network to the other, then you are likely missing the firewall zone completely for one (or both) of the interfaces (it will have a white colour in LuCI).

Anyway, if you send the output of the commands that @vgaetera mentioned (from SSH), it should show where the problem is. To include the output, please use the Preformatted text tool </> (after you paste the code, highlight it and click the button in the text editor toolbar).


First, thanks for your quick responses.
Maybe I need to clarify what I'm trying to do:


As you can see, I have several switches (Cisco SG200-26P) with VLAN capabilities.
My intention is to set up different VLANs (this works fine) and use OpenWrt to route between them.
After a long search I found this routing example.
At this moment I'm testing with the first one (R1 router config) with partial results. I know my setup is different, but I think I'm in the right direction. I find it difficult to understand the firewall setup. Could you recommend where (or what documentation) to start reading?
Again, thanks!
Martin

uci show network; uci show firewall

network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.lan=interface
network.lan.ifname='eth1'
network.lan.proto='static'
network.lan.ipaddr='172.16.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan2=interface
network.lan2.ifname='eth0'
network.lan2.proto='static'
network.lan2.ipaddr='10.1.1.1'
network.lan2.netmask='255.255.255.252'
network.wan=interface
network.wan.ifname='eth1'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.ifname='eth1'
network.wan6.proto='dhcpv6'
network.globals=globals
network.globals.ula_prefix='fd58:c7b9:863f::/48'
network.default=route
network.default.interface='lan2'
network.default.target='0.0.0.0'
network.default.netmask='0.0.0.0'
network.default.gateway='10.1.1.2'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'

ip -4 a; ip -4 r; ip -4 ru


1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 1000
    inet 10.1.1.1/30 brd 10.1.1.3 scope global eth0
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    inet 172.16.1.1/24 brd 172.16.1.255 scope global eth1
       valid_lft forever preferred_lft forever
default via 10.1.1.2 dev eth0 
10.1.1.0/30 dev eth0 scope link  src 10.1.1.1 
172.16.1.0/24 dev eth1 scope link  src 172.16.1.1 
0:      from all lookup local 
32766:  from all lookup main 
32767:  from all lookup default

For a start, you have eth1 on both LAN and WAN. This configuration is wrong. Then you have the WAN interface in the WAN zone (which is "firewalled").

I still don't get what the router is doing behind managed switches if it's only connected to them, unless this graph is a simplification of a much bigger network. But anyway, if you delete the WAN interface on the router, it should hopefully work.


The thing that might be helpful to remember is that OpenWrt is configured, by default, to handle the common consumer use case of a WAN interface connected to an ISP and a LAN interface for the local devices.

Using OpenWrt for an interior router is straightforward if you configure new interfaces and firewall zones (and either delete or ignore the WAN/WAN6 interfaces and zones).

You'd want to declare the new interfaces, likely using "standard" VLAN notation of ethM.NNNN. You'd also need to configure the switch for the VLANs, tagged for the CPU and the port both, given what I understand of your topology. Firewalling to allow/drop VLAN-to-VLAN forwarding would be to meet your own needs.


Thanks for your response. My switches are independent hardware, not integrated into a router. VLANs are configured only to split the switch. The problem (that is driving me crazy) is that I can ping/access in one direction but not in the other. Added static routes, zones, etc. Nothing works. It's a simple setup that I need: an x86 PC with 2 wired NICs, a different network on each one, and OpenWrt forwarding in both directions. EX: (PC1 10.1.1.2/24) <---> (nic1:10.1.1.1-OPENWRT-nic2:10.1.2.1) <---> (PC2:10.1.2.2/24) (assume <---> is an unmanaged switch for simpler analysis)

I think, as explained earlier, it's because one LAN is using the same interface as WAN, and the firewall is configured to allow traffic from WAN to LAN but not the other way.


This kind of configuration should work, though there are a few "gotchas" as OpenWrt is generally configured as a border router.

The sketch is to:

  • Configure the network interfaces you want to use with the appropriate VLANs. The ethM.NNNN notation should work.

  • Configure firewall zones for each.

  • Allow the traffic between these zones that you desire, including forwarding rules.

On an x86, you don't have a switch, so you shouldn't need to configure that.

I removed wan from my /etc/config/network and added a new interface/zone. Same results...

Switch ports assigned to the router and to hosts on the same network are untagged (access ports). Is it necessary for the router interfaces to work as VLANs too?

root@OpenWrt:~# uci show network; uci show firewall
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.lan=interface
network.lan.ifname='eth1'
network.lan.proto='static'
network.lan.ipaddr='10.2.2.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan2=interface
network.lan2.ifname='eth0'
network.lan2.proto='static'
network.lan2.ipaddr='10.1.1.1'
network.lan2.netmask='255.255.255.0'
network.globals=globals
network.globals.ula_prefix='fd58:c7b9:863f::/48'
network.default=route
network.default.interface='lan'
network.default.target='10.1.1.0'
network.default.netmask='255.255.255.0'
network.default.gateway='10.1.1.1'
network.@route[1]=route
network.@route[1].interface='lan2'
network.@route[1].target='10.2.2.0'
network.@route[1].netmask='255.255.255.0'
network.@route[1].gateway='10.2.2.1'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[0]=zone
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].name='LAN1'
firewall.@zone[0].network='lan'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].name='LAN2'
firewall.@zone[1].network='lan2'
firewall.@zone[1].forward='ACCEPT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='LAN1'
firewall.@forwarding[0].src='LAN2'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='LAN2'
firewall.@forwarding[1].src='LAN1'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 1000
    inet 10.1.1.1/24 brd 192.168.0.255 scope global eth0
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    inet 10.2.2.1/24 brd 10.2.2.255 scope global eth1
       valid_lft forever preferred_lft forever
10.2.2.0/24 dev eth1 scope link  src 10.2.2.1 
192.168.0.0/24 dev eth0 scope link  src 192.168.0.5 
0:      from all lookup local 
32766:  from all lookup main 
32767:  from all lookup default 

You are missing the default route.
Specify option gateway for one of the interfaces and remove the route network.default.
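The checks the replies above apply by eye (one NIC claimed by two interfaces, an interface in no firewall zone, forwarding allowed in one direction only, no default gateway) as an added Python linter over `uci show` output. This is example code written for this page, not anything from OpenWrt or from the thread; the sample dump is constructed to reproduce the mistakes in the first dump posted.

```python
import re

# Constructed sample (not from the thread): eth1 on lan and wan, lan2 in no zone.
SAMPLE_UCI = """\
network.lan=interface
network.lan.ifname='eth1'
network.lan2=interface
network.lan2.ifname='eth0'
network.wan=interface
network.wan.ifname='eth1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
"""

def parse_uci(text):
    """Group `uci show` lines into {"cfg.section": {"_type": t, option: [values]}}."""
    sections = {}
    for line in filter(None, text.splitlines()):
        key, _, raw = line.partition("=")
        if key.count(".") == 1:                      # cfg.section=type
            sections[key] = {"_type": raw}
        else:                                        # cfg.section.option='v1' 'v2'
            sect, _, opt = key.rpartition(".")
            sections.setdefault(sect, {})[opt] = re.findall(r"'([^']*)'", raw)
    return sections

def lint(text):
    """Return the misconfigurations this thread ran into, as short findings."""
    cfg = parse_uci(text)
    ifaces = {k.split(".")[1]: v for k, v in cfg.items() if v.get("_type") == "interface"}
    by_dev = {}
    for name, o in ifaces.items():                   # 1. one NIC claimed by two interfaces
        by_dev.setdefault(o.get("ifname", [""])[0], []).append(name)
    found = [f"{d} used by interfaces {', '.join(sorted(n))}"
             for d, n in sorted(by_dev.items()) if len(n) > 1]
    zoned = {n for v in cfg.values() if v.get("_type") == "zone" for n in v.get("network", [])}
    found += [f"interface {n} is in no firewall zone"         # 2. interface in no zone (white in LuCI)
              for n in sorted(ifaces) if n != "loopback" and n not in zoned]
    fwd = {(v["src"][0], v["dest"][0]) for v in cfg.values() if v.get("_type") == "forwarding"}
    found += [f"forwarding {s}->{d} has no reverse rule"       # 3. one-way forwarding only
              for s, d in sorted(fwd) if (d, s) not in fwd]
    if not any("gateway" in o for o in ifaces.values()):       # 4. no default gateway set
        found.append("no default route: set option gateway on one interface")
    return found
```

Run it against your own `uci show network; uci show firewall` output; an empty list means none of the four problems discussed in this thread is present.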
