I have created an isolated LAN called NPR on ethernet port 2 of an OpenWrt router. It takes in traffic from a special wireless modem and only allows it to go to the WAN connection; that piece works fine. I now need to access and manage a device on the isolated LAN and do this from my normal LAN. I need ping, SSH and maybe Telnet access.
I was thinking the best way to do this is just to create some special firewall rules to allow this traffic. I am relatively new to OpenWrt, so any comments are appreciated.
```
lan -> guest tcp ports 22,23
lan -> guest icmp echo request
```
Responses are handled by the stateful firewall, aka conntrack.
If you have a custom routing table for guest, you need to add a route to lan in the guest table and vice versa.
I would recommend simply putting these in the standard traffic rules, not the NAT rules section. Same general setup, though -- source is lan, destination is guest, ports 22 (and 23 for telnet, if needed).
Neither ICMP, Telnet nor SSH works. I am wondering if I have the right action selected. What is the "conntrack helper" option under action? Here are the entries from my firewall config.
```
config rule
	option src 'lan'
	option dest 'NPRZone'
	option name 'NPR telnet Ssh'
	option src_port '22 23'
	option target 'ACCEPT'

config rule
	option src 'lan'
	option dest 'NPRZone'
	option name 'ICMP '
	list proto 'icmp'
	option target 'ACCEPT'
	option family 'ipv4'
	list icmp_type 'address-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'extended-echo-request'
	list icmp_type 'extended-echo-reply'
	list icmp_type 'host-unreachable'
	list icmp_type 'timestamp-reply'
	list icmp_type 'timestamp-request'
```
Should be destination port; telnet has not been included for quite some time.
All of this is not needed; conntrack includes ICMP related to existing connections and handles ICMP responses.
```diff
 config rule
 	option src 'lan'
 	option dest 'NPRZone'
 	option name 'ICMP '
 	list proto 'icmp'
 	option target 'ACCEPT'
 	option family 'ipv4'
-	list icmp_type 'address-unreachable'
-	list icmp_type 'echo-reply'
 	list icmp_type 'echo-request'
 	list icmp_type 'extended-echo-request'
-	list icmp_type 'extended-echo-reply'
-	list icmp_type 'host-unreachable'
 	list icmp_type 'timestamp-reply'
-	list icmp_type 'timestamp-request'
```
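As an added check, not part of this thread or of OpenWrt itself: a small Python parser for UCI firewall config that flags the two things pointed out above, a rule matching on `src_port` where `dest_port` was meant, and ICMP reply types that conntrack already admits. The sample config is constructed and modelled on the rule posted earlier in the thread.

```python
import re

# Constructed sample, modelled on the poster's first rule (src_port instead of dest_port).
SAMPLE_CONFIG = """
config rule
	option src 'lan'
	option dest 'NPRZone'
	option name 'NPR telnet Ssh'
	option src_port '22 23'
	option target 'ACCEPT'
config rule
	option name 'ICMP '
	list proto 'icmp'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
"""

# Reply/error ICMP types that conntrack already admits as part of an existing flow.
REPLY_TYPES = {"echo-reply", "timestamp-reply", "extended-echo-reply",
               "address-unreachable", "host-unreachable"}
LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")

def parse_uci(text: str) -> list[dict[str, list[str]]]:
    """Return each 'config <type>' section as {name: [values]}; lists keep every value."""
    sections: list[dict[str, list[str]]] = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        kind, key, value = m.groups()
        if kind == "config":
            sections.append({".type": [key]})
        elif sections:
            sections[-1].setdefault(key, []).append(value or "")
    return sections

def lint_rules(text: str) -> list[str]:
    """Flag rules that match the client's random source port or allow-list reply ICMP types."""
    findings = []
    for sec in parse_uci(text):
        if sec[".type"] != ["rule"]:
            continue
        name = sec.get("name", ["(unnamed)"])[0].strip()
        if "src_port" in sec and "dest_port" not in sec:
            findings.append(f"{name}: src_port set but no dest_port (the service port is the destination)")
        extra = sorted(set(sec.get("icmp_type", [])) & REPLY_TYPES)
        if extra:
            findings.append(f"{name}: icmp_type {', '.join(extra)} are replies conntrack already handles")
    return findings
```

Run `lint_rules(open('/etc/config/firewall').read())` on the router to check the live file the same way.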
I used the src port rather than dest. I applied the changes and restarted the interface, but still no ping, telnet or SSH.
```
config rule
	option src 'lan'
	option dest 'NPRZone'
	option name 'NPR telnet ssh'
	option target 'ACCEPT'
	option dest_port '22 23'

config rule
	option src 'lan'
	option dest 'NPRZone'
	option name 'ICMP '
	list proto 'icmp'
	option target 'ACCEPT'
	option family 'ipv4'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'timestamp-reply'
```
No. I cannot ping the target from the router. I restarted the interface to make sure something wasn't amiss there. Attached is the entire firewall config. Your help is greatly appreciated.
```
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'GuestZone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'GuestWifi'

config forwarding
	option src 'GuestZone'
	option dest 'wan'

config rule
	option src 'GuestZone'
	option name 'GuestDHCP'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option src 'NPRZone'
	option name 'NPR DHCP'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option src 'GuestZone'
	option name 'Guest DNS'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option src 'NPRZone'
	option name 'NPR DNS'
	option dest_port '53'
	option target 'ACCEPT'

config zone
	option name 'NPRZone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'NPRmaaster'

config forwarding
	option src 'NPRZone'
	option dest 'wan'

config rule
	option src 'lan'
	option dest 'NPRZone'
	option name 'NPR telnet ssh'
	option target 'ACCEPT'
	option dest_port '22 23'

config rule
	option src 'lan'
	option dest 'NPRZone'
	option name 'ICMP '
	list proto 'icmp'
	option target 'ACCEPT'
	option family 'ipv4'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'timestamp-reply'
```
Is the target machine online and able to access the internet?
Does the target machine actually hold the expected IP address (i.e. the address you're pinging)? It is worth double checking this, as the address may not be what is expected.
Does the target machine accept pings, ssh, etc. in general? Again, double check that it doesn't have any of the services disabled and/or blocked by a host-level firewall.
The target machine is a New Packet Radio modem. This contains an ethernet connection to the OpenWrt router and a wide area radio link using 430 MHz. Intended use is for remote clients to get internet access. It is not internet accessible in the other direction as its address is 192.168.100.99. It is indeed live at that address, as I can go to a client separated by the radio link and ping it no problem. There is no compute in the modem, so no firewalls.
Ok... let's see some other important config files:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:
```
ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
```