Hi Trendy,
Thanks for your quick reply. I have been away from home, which is why it took a while to gather all the info you asked for.
My home configuration is a little more complicated than I explained. The actual setup is made of three subnets: a generic LAN for local/wifi use, a DMZ for the web server, and a DMZ-like network, GAMING, for a gaming machine.
There is also a VPN client: the LAN is routed via the VPN, but neither the DMZ nor GAMING are (GAMING not at the moment, at least).
I've masked some information (credentials, public addresses, DSL parameters) and I hope everything necessary for the investigation is still there.
lan ip: 192.168.1.0/24
DMZ ip: 192.168.2.0/24
gaming ip: 192.168.3.0/24
I'm trying to reach the cloud server in the DMZ, IP 192.168.2.2 (the static host entry in the dhcp config), from the lan and gaming networks.
Thanks in advance for the help of this forum.
Below are the contents of the files and the output of the commands you requested. One thing I noticed while collecting them: the firewall `defaults` section has `option forward 'ACCEPT'` instead of the stock REJECT, and there are no `forwarding` sections from lan or game to dmz. If I understand fw3 correctly, the global ACCEPT makes the FORWARD chain accept any inter-zone traffic that no forwarding section or zone chain explicitly rejects, which also weakens the separation of the DMZ; I would rather set it back to REJECT and add explicit lan→dmz and game→dmz forwardings once we understand why the DMZ is not reachable today.
Cheers
ubus call system board
{
"kernel": "4.9.211",
"hostname": "OpenWrt",
"system": "xRX200 rev 1.2",
"model": "TP-LINK TD-W8970",
"board_name": "tplink,tdw8970",
"release": {
"distribution": "OpenWrt",
"version": "18.06.7",
"revision": "r7976-ca47026b7d",
"target": "lantiq\/xrx200",
"description": "OpenWrt 18.06.7 r7976-ca47026b7d"
}
}
uci export network
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd54:c576:2f5a::/48'
config atm-bridge 'xx'
option encaps 'xx'
option payload 'xxx'
option nameprefix 'xxx'
option vci 'xx'
option vpi 'xx'
config dsl 'dsl'
option tone 'xx'
option ds_snr_offset '0'
option annex 'xx'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option dns '208.67.222.222 208.67.220.220'
config interface 'wan'
option ifname 'dsl0'
option proto 'pppoe'
option ipv6 '1'
option username 'xxxx'
option password 'xxxx'
option mtu '1492'
config device 'wan_dev'
option name 'dsl0'
option macaddr 'xxxx'
config interface 'wan6'
option ifname '@wan'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '5 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option vid '10'
option ports '2 4 6t'
config interface 'DMZ'
option ifname 'eth0.10'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option dns '208.67.222.222 208.67.220.220'
config interface 'surfsharktun'
option ifname 'tun0'
option proto 'dhcp'
option metric '10'
option defaultroute '0'
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '11'
option ports '0 6t'
config interface 'gaming'
option proto 'static'
option ifname 'eth0.11'
option dns '208.67.222.222 208.67.220.220'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
option delegate '0'
uci export dhcp
package dhcp
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dnsmasq 'lan_dns'
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases.lan'
option resolvfile '/etc/resolv.conf.lan'
option nonwildcard '1'
list interface 'lan'
option localservice '0'
list server '208.67.222.222'
list server '208.67.220.220'
config dhcp 'lan'
option interface 'lan'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
list dhcp_option '6,192.168.1.1,208.67.222.222,208.67.220.220'
option start '50'
config dnsmasq 'DMZ_dns'
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/DMZ/'
option domain 'DMZ'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases.DMZ'
option resolvfile '/etc/resolv.conf.DMZ'
option nonwildcard '1'
list interface 'DMZ'
list notinterface 'loopback'
option localservice '0'
list server '208.67.222.222'
list server '208.67.220.220'
config dhcp 'DMZ'
option instance 'DMZ_dns'
option interface 'DMZ'
option leasetime '12h'
option start '226'
option limit '6'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config host
option name 'cloud'
option dns '1'
option mac '00:0D:B9:4E:C1:38'
option ip '192.168.2.2'
config dnsmasq 'gaminging_dns'
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases.lan'
option resolvfile '/etc/resolv.conf.lan'
option nonwildcard '1'
list interface 'gaming'
option localservice '0'
option local '/gaming/'
option domain 'gaming'
list server '208.67.222.222'
list server '208.67.220.220'
config dhcp 'gaming'
option interface 'gaming'
option start '2'
option limit '3'
option leasetime '24h'
list dhcp_option '6,208.67.222.222,208.67.220.220'
uci export firewall
package firewall
config defaults
option syn_flood '1'
option output 'ACCEPT'
option drop_invalid '1'
option input 'REJECT'
option forward 'ACCEPT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
option log '1'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option log '1'
option network 'wan wan6'
option forward 'REJECT'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option output 'ACCEPT'
option name 'dmz'
option network 'DMZ'
option input 'ACCEPT'
option forward 'ACCEPT'
config forwarding
option dest 'wan'
option src 'dmz'
config redirect
option target 'DNAT'
option src 'wan'
option proto 'tcp'
option name 'http'
option dest_port 'xxx'
option src_dport 'xxx'
option dest 'dmz'
option dest_ip '192.168.2.2'
config redirect
option target 'DNAT'
option src 'wan'
option proto 'tcp'
option src_dport 'xxx'
option dest_port 'xxx'
option name 'https'
option dest 'dmz'
option dest_ip '192.168.2.2'
config zone
option name 'vpnfirewall'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option log '1'
option network 'surfsharktun'
config forwarding
option dest 'vpnfirewall'
option src 'lan'
config forwarding
option dest 'wan'
option src 'lan'
config zone
option name 'game'
option forward 'ACCEPT'
option output 'ACCEPT'
option network 'gaming'
option input 'ACCEPT'
config forwarding
option dest 'wan'
option src 'game'
option src 'wan'
option proto 'tcp udp'
option
head -n -0 /etc/firewall.user — prints nothing, the file contains no extra rules. (The last `config forwarding` section above seems to have been truncated when I pasted it: it ends with a dangling `option` line, and the `src 'wan'` / `proto` lines under it don't look like they belong to that section.)
ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
6: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.2.1/24 brd 192.168.2.255 scope global eth0.10
valid_lft forever preferred_lft forever
7: eth0.11@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.3.1/24 brd 192.168.3.255 scope global eth0.11
valid_lft forever preferred_lft forever
10: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
inet xxxxx peer xxxxx scope global pppoe-wan
valid_lft forever preferred_lft forever
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
inet xxxxxx brd xxxxx scope global tun0
valid_lft forever preferred_lft forever
ip -4 ro li tab all
default via ISP_IP dev pppoe-wan table 201
192.168.2.0/24 dev eth0.10 table 201 proto kernel scope link src 192.168.2.1
192.168.3.0/24 dev eth0.11 table 201 proto kernel scope link src 192.168.3.1
default via VPN_IP dev tun0 table 202
192.168.2.0/24 dev eth0.10 table 202 proto kernel scope link src 192.168.2.1
192.168.3.0/24 dev eth0.11 table 202 proto kernel scope link src 192.168.3.1
0.0.0.0/1 via VPN_IP dev tun0
default via ISP_IP dev pppoe-wan proto static
ISP_IP dev pppoe-wan proto kernel scope link src ISP_IP
VPN_IP dev tun0 proto kernel scope link src VPN_SRC
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev eth0.10 proto kernel scope link src 192.168.2.1
192.168.3.0/24 dev eth0.11 proto kernel scope link src 192.168.3.1
128.0.0.0/1 via VPN_IP dev tun0
WAN via ISP_IP dev pppoe-wan
local ISP_IP dev pppoe-wan table local proto kernel scope host src ISP_SRC
broadcast VPN dev tun0 table local proto kernel scope link src VPN_SRC
local VPN_SRC dev tun0 table local proto kernel scope host src VPN_SRC
broadcast VPN dev tun0 table local proto kernel scope link src VPN_SRC
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
broadcast 192.168.2.0 dev eth0.10 table local proto kernel scope link src 192.168.2.1
local 192.168.2.1 dev eth0.10 table local proto kernel scope host src 192.168.2.1
broadcast 192.168.2.255 dev eth0.10 table local proto kernel scope link src 192.168.2.1
broadcast 192.168.3.0 dev eth0.11 table local proto kernel scope link src 192.168.3.1
local 192.168.3.1 dev eth0.11 table local proto kernel scope host src 192.168.3.1
broadcast 192.168.3.255 dev eth0.11 table local proto kernel scope link src 192.168.3.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
ip -4 ru
0: from all lookup local
32764: from all fwmark 0x20000/0xff0000 lookup 202
32765: from all fwmark 0x10000/0xff0000 lookup 201
32766: from all lookup main
32767: from all lookup default
ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv./
lrwxrwxrwx 1 root root 16 Jan 29 2020 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r-- 1 root root 0 May 21 2020 /etc/resolv.conf.DMZ
-rw-r--r-- 1 root root 0 May 21 2020 /etc/resolv.conf.lan
lrwxrwxrwx 1 root root 21 Dec 11 22:45 /tmp/resolv.conf -> /tmp/resolv.conf.auto
-rw-r--r-- 1 root root 272 Dec 11 22:47 /tmp/resolv.conf.auto
-rw-r--r-- 1 root root 48 Dec 11 22:47 /tmp/resolv.conf.ppp
head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv./
==> /etc/resolv.conf <==
# Interface DMZ
nameserver 208.67.222.222
nameserver 208.67.220.220
# Interface lan
nameserver 208.67.222.222
nameserver 208.67.220.220
# Interface trading
nameserver 208.67.222.222
nameserver 208.67.220.220
# Interface wan
nameserver 91.80.35.166
nameserver 91.80.35.133
==> /etc/resolv.conf.DMZ <==
==> /etc/resolv.conf.lan <==
==> /tmp/resolv.conf <==
# Interface DMZ
nameserver 208.67.222.222
nameserver 208.67.220.220
# Interface lan
nameserver 208.67.222.222
nameserver 208.67.220.220
# Interface trading
nameserver 208.67.222.222
nameserver 208.67.220.220
# Interface wan
nameserver 91.80.35.166
nameserver 91.80.35.133
==> /tmp/resolv.conf.auto <==
# Interface DMZ
nameserver 208.67.222.222
nameserver 208.67.220.220
# Interface lan
nameserver 208.67.222.222
nameserver 208.67.220.220
# Interface trading
nameserver 208.67.222.222
nameserver 208.67.220.220
# Interface wan
nameserver 91.80.35.166
nameserver 91.80.35.133
==> /tmp/resolv.conf.ppp <==
nameserver 91.80.35.166
nameserver 91.80.35.133
head: /tmp/resolv.: No such file or directory