Routing different networks to different WANs

Hi guys,

I'm wondering what is going wrong... my setup contains two WANs, each on a different port.
Internally I have multiple networks (VLANs that reach OpenWrt on untagged ports) that should be routed to one WAN or the other. In general everything that uses wan is working.
vlan3 and vlan4 should route to wanb, but when I check the log, forwarding is rejected even though the firewall rules allow forwarding to wanb.

PS: OpenWrt's lan is not used, except for management access.

network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd78:181c:ba17::/48'
	option packet_steering '1'

# Management-only bridge (the post says lan is used for management access only).
config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'eth5'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipv6 '0'
	option ipaddr '192.168.0.1'
	option broadcast '192.168.0.255'
	# NOTE(review): 192.168.100.1 is not inside 192.168.0.0/24, so this gateway
	# is not on-link for lan. The same address is already the gateway of 'WAN'
	# below, where it belongs; a default gateway on the management interface
	# only competes with the one WAN installs.
	option gateway '192.168.100.1'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'eth1'
	option ipv6 '0'

# Primary uplink. metric 0 makes this the preferred default route in the main
# table; WANB (metric 2) only takes over when this route is gone.
config interface 'WAN'
	option proto 'static'
	option netmask '255.255.255.0'
	option device 'eth4'
	option gateway '192.168.100.1'
	option broadcast '192.168.100.255'
	option ipaddr '192.168.100.10'
	list dns '8.8.8.8'
	option metric '0'

config interface 'VLAN3'
	option proto 'static'
	option device 'eth2'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option broadcast '192.168.3.255'
	# NOTE(review): 192.168.200.1 is WANB's gateway and is off-link for
	# 192.168.3.0/24. Even if it gets installed, it is just another default
	# route chosen by destination, not a "VLAN3 uses WANB" policy: ordinary
	# routing picks one default for every source, and WAN (metric 0) wins.
	# That is presumably why the log shows rejected forwards - packets from
	# vlan3 leave via WAN, and the firewall has no vlan3 -> wan forwarding.
	# Per-source selection needs policy routing (ip rules + per-table routes).
	option gateway '192.168.200.1'

config device
	option name 'eth2'
	option ipv6 '0'

config device
	option name 'eth3'
	option ipv6 '0'

config interface 'VLAN4'
	option proto 'static'
	option device 'eth3'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'
	option broadcast '192.168.4.255'
	# NOTE(review): same situation as VLAN3 - off-link gateway, no policy effect.
	option gateway '192.168.200.1'

config device
	option name 'eth4'
	option ipv6 '0'

config device
	option name 'eth5'
	option ipv6 '0'

config interface 'VLAN2'
	option proto 'static'
	option device 'eth0'
	option netmask '255.255.255.0'
	option broadcast '192.168.2.255'
	option ipaddr '192.168.2.1'
	# NOTE(review): off-link (WAN's gateway); redundant with 'WAN' above.
	option gateway '192.168.100.1'

config device
	option name 'eth6'
	option ipv6 '0'

# Upstream management network; gateway is on-link here, and defaultroute '0'
# keeps it from competing as a default route.
config interface 'VLAN1'
	option proto 'static'
	option device 'eth1'
	option ipaddr '10.10.60.230'
	option netmask '255.255.255.0'
	option gateway '10.10.60.1'
	option broadcast '10.10.60.255'
	option defaultroute '0'

# Secondary uplink; metric 2 loses to WAN's metric 0 in the main table, so
# without policy routing no source network will use it while WAN is up.
config interface 'WANB'
	option proto 'static'
	option device 'eth6'
	option ipaddr '192.168.200.10'
	option netmask '255.255.255.0'
	option gateway '192.168.200.1'
	list dns '8.8.8.8'
	option metric '2'

firewall


# Stock defaults: traffic to the router itself is accepted unless a zone says
# otherwise; forwarding between zones is rejected unless a 'config forwarding'
# pair (or forward=ACCEPT within one zone) allows it.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config forwarding
	option src 'lan'
	option dest 'wan'

# Stock input exceptions for the 'wan' zone.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vlan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'VLAN2'

# NOTE(review): only this zone sets family 'ipv4'; vlan4 does not. Harmless
# while the network config disables ipv6 on these devices, but keep them alike.
config zone
	option name 'vlan3'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'VLAN3'
	option family 'ipv4'

config zone
	option name 'vlan4'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'VLAN4'

# NOTE(review): the network config above defines 'WAN' only; 'wan' and 'wan6'
# are not defined there, so those two list entries match nothing.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'WAN'

# Upstream management network: router services reachable, no forwarding.
config zone
	option name 'vlan1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'VLAN1'
	option forward 'REJECT'
	option masq '1'

config zone
	option name 'wanb'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'WANB'
	option masq '1'
	option input 'REJECT'
	option mtu_fix '1'

config forwarding
	option src 'vlan2'
	option dest 'wan'

# NOTE(review): exposes the management web UI on 192.168.0.1 to every host
# in vlan1 (10.10.60.0/24). If only a few admin hosts need it, narrow the
# match with 'option src_ip'.
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Webinterface'
	option src 'vlan1'
	option src_dport '80'
	option dest_ip '192.168.0.1'
	option dest_port '80'

# vlan3/vlan4 may forward to wanb, but nothing allows vlan3/vlan4 -> wan.
# If the kernel's route choice sends their packets out via WAN (the only
# metric-0 default in the network config), they hit that zone pair and are
# rejected - consistent with the log described in the post. More firewall
# rules will not change which uplink is chosen; policy routing does.
config forwarding
	option src 'vlan3'
	option dest 'wanb'

config forwarding
	option src 'vlan4'
	option dest 'wanb'

# NOTE(review): same exposure as 'Webinterface' above, for SSH; consider
# 'option src_ip' for the admin hosts only.
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'SSH'
	option src 'vlan1'
	option src_dport '22'
	option dest_ip '192.168.0.1'
	option dest_port '22'

# NOTE(review): broader than the wan counterpart, which limits ICMP to
# echo-request; add 'option icmp_type 'echo-request'' to match it.
config rule
	option name 'Allow-Ping  wanb'
	list proto 'icmp'
	option src 'wanb'
	option target 'ACCEPT'
	option family 'ipv4'

# NOTE(review): the wan version matches dest_port 68; this one matches
# src_port 68, which is a different packet. DHCP replies come from source
# port 67 to destination port 68, so the wan form is the one to copy.
config rule
	option name 'Allow-DHCP-Renew wanb'
	option family 'ipv4'
	option src 'wanb'
	option src_port '68'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option name 'Allow-IGMP wanb'
	option family 'ipv4'
	list proto 'igmp'
	option src 'wanb'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP wanb'
	list proto 'esp'
	option src 'wanb'
	option dest 'lan'
	option target 'ACCEPT'

Any hints?

install and configure:

or create static route:

view:


I hope I haven't made any mistakes in this configuration; in any case I'm waiting for the opinions of someone more knowledgeable than me.

change:

# VLAN3/VLAN2 with the off-link 'gateway' lines removed; next-hop selection
# moves to the policy rules and per-table routes below.
config interface 'VLAN3'
	option proto 'static'
	option device 'eth2'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option broadcast '192.168.3.255'

config interface 'VLAN2'
	option proto 'static'
	option device 'eth0'
	option netmask '255.255.255.0'
	option broadcast '192.168.2.255'
	option ipaddr '192.168.2.1'

# Policy rules ('config rule' in /etc/config/network is an ip rule, not a
# firewall rule). Lower priority numbers are evaluated first.
# NOTE(review): priority 1 and 2 are ahead of the main table (32766), and
# tables 1/2 hold only a default route, so every packet sourced from these
# subnets - including traffic to the other local VLANs - is sent to the
# uplink gateway. Confirm inter-VLAN traffic still works, or move the rules
# behind main.
config rule
        option src '192.168.2.0/24' #VLAN_2 subnet
        option dest '0.0.0.0/0'
        option priority '1'
        option lookup '1'

# NOTE(review): VLAN4 (192.168.4.0/24) was also meant to use WANB but has no
# rule here; it keeps following the main-table default route.
config rule
        option src '192.168.3.0/24' #VLAN3 subnet
        option dest '0.0.0.0/0'
        option priority '2'
        option lookup '2'

# Table 1: default via WAN. Table 2: default via WANB.
config route
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option gateway '192.168.100.1'
        option table '1'  #use numbers or a complex method to use names
        option interface 'WAN'

config route
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option gateway '192.168.200.1'
        option table '2'
        option interface 'WANB'
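# Give each interface its own IPv4 routing table (lan=1 ... WANB=6), then add
# policy rules so packets entering from VLAN3/VLAN4 are looked up in WANB's
# table and leave via WANB instead of the metric-0 WAN default.
# Runs on the router; it commits /etc/config/network and restarts networking.
RT=0
WANB_TABLE=""
for NET in lan VLAN1 VLAN2 VLAN3 VLAN4 WANB; do
	RT=$((RT + 1))
	uci set "network.${NET}.ip4table=${RT}"
	# Record WANB's table id explicitly instead of relying on WANB being
	# the last entry of the list (the rules below must point at this table).
	[ "${NET}" = "WANB" ] && WANB_TABLE="${RT}"
done
if [ -z "${WANB_TABLE}" ]; then
	echo "WANB is not in the interface list; no rules written" >&2
	exit 1
fi
for NET in VLAN3 VLAN4; do
	# Replace any previous rule of the same name so re-running is idempotent.
	uci -q delete "network.${NET}_WANB"
	uci set "network.${NET}_WANB=rule"
	uci set "network.${NET}_WANB.in=${NET}"
	uci set "network.${NET}_WANB.lookup=${WANB_TABLE}"
	# NOTE(review): lower ip-rule priorities are checked first and main is
	# 32766, so 30000 is consulted before main - confirm traffic from these
	# VLANs to the other local subnets still resolves as intended.
	uci set "network.${NET}_WANB.priority=30000"
done
uci commit network
/etc/init.d/network restart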