Hi, it is a pretty simple "laboratory" installation.
I have a Pi 4 running OpenWrt connected to my home network.
My regular LAN is 192.168.10.0.
The Pi 4's WAN port is connected to it and gets 192.168.10.124.
The Pi 4 has its own "local" network, 192.168.9.0, where it has the IP 192.168.9.237.
There is one PC connected to it, with the IP 192.168.9.143.
This installation has no practical purpose; I just want to understand why it behaves differently from what I expect.
I am playing with this setup from my desktop, which is connected to the LAN with 192.168.10.10.
This PC has a persistent route:
route -p add 192.168.9.0 mask 255.255.255.0 192.168.10.124
From 192.168.9.0 I can browse the internet, ping computers on 192.168.10.0, etc.
From 192.168.10.0 I can ping OpenWrt on 192.168.10.124 and on 192.168.9.237.
I can't ping 192.168.9.143 (the PC connected to the "internal" network on OpenWrt).
If I ping it directly from the OpenWrt box, it works (so the PC isn't blocking pings).
I copied the firewall traffic rule "Allow-Ping" and created an "Allow-Lan-Ping" rule, allowing "forwarding" to any zone.
I get a timeout when pinging 192.168.9.143 from 192.168.10.10.
If I disable "Allow-Lan-Ping" I get:
Pinging 192.168.9.143 with 32 bytes of data:
Reply from 192.168.10.124: Destination port unreachable.
Reply from 192.168.10.124: Destination port unreachable.
So it looks like the ping gets to the PC but the answer is lost.
I tried it with and without masquerading on the wan zone.
The questions are:
- Why does it require masquerading on the lan zone to get ping responses?
- Why do I get ping responses with TTL 127 from the PC on the internal network, but with TTL 64 from OpenWrt itself?
Pinging 192.168.9.237 with 32 bytes of data:
Reply from 192.168.9.237: bytes=32 time<1ms TTL=64
Reply from 192.168.9.237: bytes=32 time<1ms TTL=64
Reply from 192.168.9.237: bytes=32 time<1ms TTL=64
Reply from 192.168.9.237: bytes=32 time<1ms TTL=64
Pinging 192.168.9.143 with 32 bytes of data:
Reply from 192.168.9.143: bytes=32 time<1ms TTL=127
Reply from 192.168.9.143: bytes=32 time<1ms TTL=127
Reply from 192.168.9.143: bytes=32 time<1ms TTL=127
Reply from 192.168.9.143: bytes=32 time<1ms TTL=127
Firewall configuration:
root@OpenWrt:~# cat /etc/config/firewall
# Global policy: the router's own outbound traffic is accepted, while
# unsolicited input and forwarding are rejected unless a zone or rule below
# allows them.
config defaults
option output 'ACCEPT'
option synflood_protect '1'
option input 'REJECT'
option forward 'REJECT'
# Trusted zone covering the 'lan' and 'wlan' networks. Everything is ACCEPTed,
# so any host in those networks can reach router services and be forwarded.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'wlan'
# Untrusted zone covering the 'wan' network (here the upstream home LAN).
# Input and forwarding are REJECTed unless a rule allows them; a rejected
# forward is consistent with the "Destination port unreachable" replies that
# 192.168.10.124 sends when Allow-Lan-Ping is disabled.
# NOTE(review): masq rewrites the source of traffic *leaving* the wan zone;
# it does not touch wan->lan packets, so toggling it here is not expected to
# change the inbound ping path -- confirm with the conntrack table if in doubt.
config zone
option name 'wan'
option output 'ACCEPT'
option mtu_fix '1'
list network 'wan'
option input 'REJECT'
option forward 'REJECT'
option masq '1'
# Only lan->wan forwarding is permitted by zone policy; wan->lan needs an
# explicit rule (see Allow-Lan-Ping below).
config forwarding
option src 'lan'
option dest 'wan'
# Stock OpenWrt rule: lets the upstream DHCP server answer the router's own
# IPv4 lease renewals on the wan side (no 'dest', so this is an input rule).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# User-added rule. 'dest *' turns it into a forwarding rule into every zone,
# and there is no icmp_type list, so it forwards *all* ICMPv4 types from wan,
# not just echo-request -- noticeably broader than the stock Allow-Ping rule
# it was copied from. For the stated goal (pinging the PC on lan) the narrower
# equivalent would be `option dest 'lan'` plus `list icmp_type 'echo-request'`.
config rule
list proto 'icmp'
option src 'wan'
option target 'ACCEPT'
option name 'Allow-Lan-Ping'
option family 'ipv4'
option dest '*'
# Stock OpenWrt rule: ICMPv4 echo-request from wan to the router itself only
# (no 'dest', so it is an input rule and does not allow forwarding to lan).
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option family 'ipv4'
option target 'ACCEPT'
list icmp_type 'echo-request'
# The remaining rules are the stock OpenWrt defaults. None of them matches
# IPv4 ICMP, so they play no part in the ping behaviour described above.
# IGMP from wan to the router (IPv4 multicast membership).
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# DHCPv6 client replies to the router on wan.
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# MLD (IPv6 multicast listener) messages, restricted to link-local sources.
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 types the router itself must accept (input), rate-limited.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 types forwarded from wan into any zone ('dest *'), rate-limited.
# Note this is the IPv6 counterpart of Allow-Lan-Ping, but with an explicit
# type list.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# IPsec passthrough: ESP and ISAKMP (UDP/500) forwarded from wan to lan.
# No 'family' option, so both address families are covered.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
Network configuration:
root@OpenWrt:~# cat /etc/config/network
# Standard loopback interface.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# IPv6 ULA prefix for the site; not involved in the IPv4 ping question.
config globals 'globals'
option ula_prefix 'fd35:0d59:3896::/48'
# Bridge for the internal network; only eth0 is a member.
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
# Internal network: 192.168.9.237/24 on br-lan, DNS on the upstream LAN.
# NOTE(review): 'gateway 192.168.10.250' installs a default route via br-lan
# towards an address that is not inside 192.168.9.0/24, alongside the default
# route the wan interface obtains via DHCP. Two competing default routes, one
# through a gateway that is not on-link, is a plausible cause of the
# asymmetric reply path seen above -- confirm with `ip route` on the router.
# The 'lan' interface normally needs no gateway at all.
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.9.237'
option gateway '192.168.10.250'
option delegate '0'
list dns '192.168.10.244'
# Wireless uplink via DHCP; 'metric 10' makes its routes lower priority than
# the wan routes, which carry no metric option here.
config interface 'wlan'
option proto 'dhcp'
option delegate '0'
option metric '10'
# Upstream connection to the home LAN (192.168.10.0/24) on eth1 via DHCP;
# this is where 192.168.10.124 comes from.
config interface 'wan'
option proto 'dhcp'
option device 'eth1'
# Static route for the internal subnet via the router's own lan address.
# It is disabled ('disabled 1') and so has no effect on current behaviour;
# the connected route for 192.168.9.0/24 already exists via br-lan.
config route
option target '192.168.9.0/24'
option gateway '192.168.9.237'
option interface 'lan'
option type 'anycast'
option disabled '1'
# Policy-routing rule for wan->lan traffic between the two subnets, also
# disabled and therefore inactive.
config rule
option in 'wan'
option out 'lan'
option dest '192.168.9.0/24'
option lookup 'main'
option src '192.168.10.0/24'
option disabled '1'