Router with relayd cannot ping relayed clients

virtualmatador · February 27, 2022, 10:39pm

Thanks in advance for your time.
Here is my setup:

                   ┌───────────────┐
                   │   router 2    │
 ┌─────────────┐   ├───────────────┤
 │   router 1  ├───┤     wwan      │
 │ 192.168.1.1 │   │ 192.168.1.150 │   ┌───────────────┐
 └──────┬──────┘   ├───────────────┤   │     pi        │
        │          │    vlan 1     ├───┤ 192.168.2.103 │
        │          │ 192.168.2.1   │   └───────────────┘
┌───────┴───────┐  ├───────────────┤
│  dev          │  │    vlan2      │   ┌───────────────┐
│ 192.168.1.245 │  │ 192.168.3.1   ├───┤   server      │
└───────────────┘  │ relayed wwan  │   │ 192.168.1.101 │
                   └───────────────┘   └───────────────┘

Pings:
(dev -> router1) Y
(dev -> router2) Y
(dev -> server) Y
(dev -> pi) N
(pi -> router2) Y
(pi -> router1) Y
(pi -> dev) Y
(pi -> server) N
(server -> router1) Y
(server -> dev) Y
(server -> router2) N
(server -> pi) N
(router2 -> router1) Y
(router2 -> dev) Y
(router2 -> pi) Y
(router2 -> server) N

I need to be able to ping server from pi. Why (pi -> server) doesn't work?

Both router1 and router2 are running latest version of openwrt (21.02.1).
Here is the config of router2:

/etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd6:1bcb:699d::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config device
	option name 'eth0.1'
	option macaddr 'a0:04:60:32:34:6a'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'
	option gateway '192.168.1.1'
	option broadcast '192.168.1.255'

config device
	option name 'eth0.2'
	option macaddr 'A0:04:60:32:34:6B'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '4 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 1 2 3 5t'

config interface 'wwan'
	option proto 'dhcp'

config interface 'lan2'
	option proto 'static'
	option device 'eth0.2'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option dns '192.168.1.1'

config interface 'stabridge'
	option proto 'relay'
	option network 'lan2 wwan'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'lan2'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'
	option dest 'lan2'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest 'lan2'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config rule
	option name 'Allow-Http'
	option src 'wan'
	option dest_port '80'
	option target 'ACCEPT'

config rule
	option name 'Allow-SSH'
	option src 'wan'
	option dest_port '22'
	option target 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wwan'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan2 wwan'
	option name 'lan2'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'wwan'
	option input 'REJECT'
	option forward 'REJECT'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'lan2'
	option ignore '1'
	option ra 'relay'
	option ndp 'relay'
	option dhcpv6 'relay'

bill888 · February 28, 2022, 4:30am

fwiw, should that be 192.168.3.1 ?

virtualmatador · February 28, 2022, 5:18am

Thanks, fixed it. Still having the issue.

bill888 · February 28, 2022, 5:40am

fwiw, at first glance, failure of ping from 192.168.1.x to 192.168.2.x subnets is to be expected because you are trying to ping from WAN side to LAN side of the router?

Why is the Pi on a separate subnet?

virtualmatador · February 28, 2022, 2:22pm

Correct, that's expected.
I want to implement and learn about hole-punching so I don't want them to be on the same subnet.