For the Nighthawk/FreshTomato, I changed "Nat Target" from "Masquerade" to "SNAT". For the WNDR3700v4/OpenWrt, I unchecked "Maquerading" from the Network->Firewall=>General Settings->Zones. page.
Sill not working.
Even though it shoudn't be needed, I did create two static routes in the firewall: 192.168.4.0/24 via 192.168.0.161; 192.168.1.0/24 via 192.168.0.138.
I ran tcpdump on the openwrt router and could watch pings received by that router (from the freshtomato router), but no reply from the openwrt. I would have tried tcpdump on the freshtomato, but it doesn't seem to have that package available.
So am I getting rather frustrated with this, needless to say.
I don't know how tomato handles NAT, so I can't speak to that.
Can you draw a diagram of your network. Include the IP addresses of each of the routers and key devices and show the routes that are installed on each router.
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have
root@OpenWrt:~# ubus call system board; \
> uci export network; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c -t filter
{
"kernel": "4.14.221",
"hostname": "OpenWrt",
"system": "Atheros AR9344 rev 2",
"model": "NETGEAR WNDR3700v4",
"board_name": "wndr3700v4",
"release": {
"distribution": "OpenWrt",
"version": "19.07.7",
"revision": "r11306-c4a6851c72",
"target": "ar71xx/nand",
"description": "OpenWrt 19.07.7 r11306-c4a6851c72"
}
}
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd47:1039:0f85::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.4.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device 'lan_eth0_1_dev'
option name 'eth0.1'
option macaddr '20:e5:2a:64:7f:a0'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr '20:e5:2a:64:7f:a1'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
option ar8xxx_mib_type '0'
option ar8xxx_mib_poll_interval '500'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 0t'
config route
option target '192.168.1.0'
option gateway '192.168.0.161'
option netmask '255.255.255.0'
option interface 'wan'
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.3 on Wed Oct 20 15:08:47 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[2465:226370] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[3492:456079] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[3271:441249] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[3:156] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[193:13612] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[28:1218] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[16126:10562699] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[15923:10489292] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[199:73039] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[4:368] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[4:368] -A FORWARD -m comment --comment "!fw3" -j reject
[2465:226370] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[4722:2682308] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[4326:2655170] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1:84] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[395:27054] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[9:558] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[3:156] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1:84] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[199:73039] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[199:73039] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[193:13612] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[193:13612] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[1:84] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[1:84] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[193:13612] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[594:100093] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[4:368] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[4:368] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[28:1218] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[5:452] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[18:576] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[5:190] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[395:27054] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[395:27054] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[5:190] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Oct 20 15:08:47 2021
root@OpenWrt:~#
The only change I have made here is to add a static route to 192.168.1.0/24 via 192.168.0.161, which is the WAN IP of the router. And a static route (if needed) on the firewall is set up for 192.168.1.1 via 192.168.0.138.
@trendy: Thanks for the reply. Hope it is somewhat useful.
It is insightful. WAN zone is still in defaults, which means NAT (masquerade) is enabled and wan->lan forwarding is not allowed.
For your usecase I'd suggest to quickly move wan interface to lan zone. This way you'll open access to the device and to the lan interface from the wan interface.
I did that. But I still can't ping from one router to the other. I can ping from the firewall (LAN side) to either router, though. I got rid of the FreshTomato, and put Openwrt on both routers. Still the same problems.
FWIW, here is the same cut/paste as before:
root@OpenWrt:~# ubus call system board; \
> uci export network; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c -t filter
{
"kernel": "4.14.221",
"hostname": "OpenWrt",
"system": "Atheros AR9344 rev 2",
"model": "NETGEAR WNDR3700v4",
"board_name": "wndr3700v4",
"release": {
"distribution": "OpenWrt",
"version": "19.07.7",
"revision": "r11306-c4a6851c72",
"target": "ar71xx/nand",
"description": "OpenWrt 19.07.7 r11306-c4a6851c72"
}
}
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd47:1039:0f85::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.4.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device 'lan_eth0_1_dev'
option name 'eth0.1'
option macaddr '20:e5:2a:64:7f:a0'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr '20:e5:2a:64:7f:a1'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
option ar8xxx_mib_type '0'
option ar8xxx_mib_poll_interval '500'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 0t'
config route
option target '192.168.1.0'
option netmask '255.255.255.0'
option interface 'wan'
option gateway '192.168.0.138'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option family 'ipv4'
option network 'lan wan'
option forward 'ACCEPT'
config zone
option name 'wan'
option output 'ACCEPT'
option mtu_fix '1'
option input 'ACCEPT'
option network 'wan6'
option forward 'REJECT'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option family 'ipv4'
option target 'ACCEPT'
list icmp_type 'echo-request'
option dest 'lan'
config rule
option name '1'
option target 'ACCEPT'
list proto 'icmp'
list src_ip '192.168.4.1'
option dest 'lan'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.3 on Fri Oct 22 12:30:31 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
[14:1275] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[188:20433] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[160:18643] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[20:1534] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[8:256] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[946:193622] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[833:187798] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[113:5824] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[14:1275] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[551:73632] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[157:41265] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[394:32367] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[507:38191] -A zone_lan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[113:5824] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[113:5824] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[28:1790] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[28:1790] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[394:32367] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -s 192.168.4.1/32 -p icmp -m comment --comment "!fw3: 1" -j zone_lan_dest_ACCEPT
[394:32367] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[20:1534] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[8:256] -A zone_lan_src_ACCEPT -i eth0.2 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_ACCEPT -i eth0.2 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Fri Oct 22 12:30:31 2021
root@OpenWrt:~#
This is from one of the routers (the same one as before). The other, as far as I can tell, looks the same. But I can post that to for you.
there's no config forward from lan to wan or vise versa, you need both.
mtu_fix is associated with masquerade, take it out.
The rule named '1' is unnecessary, you can always ping LAN machines from the router since output to LAN is allowed. (Note that by default, Windows OS does not answer pings).
Physical interface eth0.2 is assigned to both lan and wan, I think because you have left wan6 interface in wan zone, without specifying its family as ipv6, therefore it considers them both. But this should not matter as eth0.2 is assigned first in lan zone.
Could you tell us the source IP and destination IP that fails the ping?
Also the same for the ping that succeeds?
One of these is wrong, but I don't know which one because I don't know which is router 1 and which is router 2. One of the routes should be via 192.168.0.138 and the other should be via 192.168.0.161. Right now, both are via 161 which won't work.
This is one of the reasons that a diagram would be so helpful.
I have two routers, both flashed with OpenWrt, with factory defaults; both connected to a firewall. The firewall can access either router, including the devices on their internal LANs. But neither router can access the other's LAN. (The only change was to reassign the LAN subnet on the second router).
In detail:
Firewall: LAN 192.168.0.0/0
IP: 192.168.0.1
Static Routes: 192.168.1.0/24 via 192.168.0.10
192.168.4.0/24 via 192.168.0.20
|
+ Router1: WAN IP: 192.168.0.10
LAN: 192.168.1.0/24
IP: 192.168.1.1
Gateway: 192.168.0.1
|
+ Router2: WAN IP: 192.168.0.20
LAN: 192.168.4.0/24
IP: 192.168.4.1
Gateway: 192.168.0.1
|
+ Server1: IP 192.168.0.100
|
+ Server2: 192.168.0.200
|
The firewall, as well as the two servers on the firewall's subnet, can access both routers' LAN (telnet, ssh, ftp,ICMP, etc). But neither router, nor devices on their LANs, can access the other router. Pings from 192.168.1.1 times out, as well as for the other. I have watched traffic through each WAN, via tcdump on the firewall, as well as on each router, and I see ICMPs leaving one router's WAN, but not showing up on the other's WAN. Note that the firewall is configured to allow traffic (src and dest) on its LAN. The two servers can reach each other, as well the two routers.
EDIT: as I re-read this, pings from 192.168.1.1 to what? To the other router 192.168.4.1? Or something else? If we're talking about from router to router, and not the hosts behind the router, read on. Otherwise, I may have given you irrelevant advice (although you can still try it).
This is because of the firewall on router 1 and router 2 with the wan zone. If you want to allow traffic destined for the routers themselves, the solution should be pretty simple.
Do not implement the following unless you consider the upstream network to be trusted/safe In this case, we're talking about the 192.168.0.0/24 network -- if this is trusted, go ahead with this change:
in the firewall, edit the wan zone to accept packets for "Input"
The default state for this rule is reject since the WAN is usually not a trusted network. Changing this to accept will allow the router to be reached just like any other host on your network, which is why it should never be done when upstream cannot be trusted (i.e. the internet or similar).
Also, just want to verify this -- the /0 in the above --> I assume this is a typo in your post, right? If this is really a /0 definition in the main firewall, it is wrong, but I think that it would cause a general failure anyway, so you'd probably already have noticed it. This should likely be /24.
