Several Firewall Zones

Hello guys,
I am using several firewall zones.

LAN + WLAN (IP Range 192.168.2.x) --> zone 1
WLAN 2 (IP Range 10.0.0.x) --> zone 2

At the moment, devices in zone 1 have no access to any devices in zone 2 (and vice versa).

To perform a test, I have created two traffic rules:

Any traffic
From any host in zone1
To any host in zone2
Accept forward
Enabled

Any traffic
From any host in zone2
To any host in zone1
Accept forward
Enabled

There is still the same behaviour:

Devices in zone 1 have no access to any devices in zone 2 (and vice versa).

Why don't the traffic rules work?

The correct way to enable interzone communication is with forwardings.

1 Like

The following steps are now used:

1. Firewall - Zone Settings
General Settings
Input - Accept
Output - Accept
Forward - Accept

Zones
LAN => WLAN, WLAN2 => Input - Accept, Output - Accept, Forward - Accept
WLAN2=> LAN => Input - Accept, Output - Accept, Forward - Accept

ZONE1 (LAN) - Advanced Settings
Allow forward to destination zones: WAN, WLAN2
Allow forward from source zones: WLAN2

ZONE2 (WLAN2) - Advanced Settings
Allow forward to destination zones: LAN
Allow forward from source zones: LAN

Port Forwards
Match: IPv4-TCP, UDP, ICMP
From any host in WLAN2
Via any router IP
Forward to: any host in lan

IPv4-TCP, UDP, ICMP
From any host in lan
Via any router IP
Forward to: any host in WLAN2

Nevertheless, zone 1 (192.168.2.x) can't reach zone 2 (10.0.0.x) and vice versa.

I am really frustrated :(

Use ssh to connect to the device.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
1 Like

Thanks in advance for your response.

{
        "kernel": "3.18.23",
        "hostname": "superwrt",
        "system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
        "model": "TP-Link TL-WR1043N\/ND v2",
        "release": {
                "distribution": "OpenWrt",
                "version": "15.05.1",
                "revision": "r48532",
                "codename": "chaos_calmer",
                "target": "ar71xx\/generic",
                "description": "OpenWrt Chaos Calmer 15.05.1"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'eth0'
        option ifname 'eth0'
        option mtu '1508'

config globals 'globals'
        option ula_prefix 'fd85:2c86:fcc1::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option ipaddr '192.168.2.2'
        option gateway '192.168.2.1'
        option broadcast '192.168.2.255'
        option dns '192.168.2.1'
        option igmp_snooping '1'
        option _orig_ifname 'eth1 wlan0'
        option _orig_bridge 'true'
        option ifname 'eth1'

config interface 'wan'
        option ifname 'eth0'
        option mtu '1508'
        option _orig_ifname 'eth0'
        option _orig_bridge 'false'
        option proto 'pppoe'
        option username 'USERNAME'
        option password 'PASSWORD'
        option ipv6 '1'

config interface 'wan6'
        option ifname '@wan'
        option _orig_ifname '@wan'
        option _orig_bridge 'false'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'Mobile0'
        option proto '3g'
        option device '/dev/ttyUSB0'
        option service 'umts'
        option auto '0'

config interface 'Mobile1'
        option proto '3g'
        option device '/dev/ttyUSB1'
        option service 'umts'
        option auto '0'

config interface 'Mobile2'
        option proto '3g'
        option device '/dev/ttyUSB2'
        option service 'umts'
        option auto '0'

config interface 'Mobile3'
        option ifname 'wwan0'
        option proto 'qmi'
        option device '/dev/cdc-wdm0'
        option apn 'internet'
        option delay '40'
        option auto '0'
        option type 'bridge'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 4'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6'
        option vid '2'

config interface 'wlan10'
        option _orig_ifname 'wlan0-2'
        option _orig_bridge 'false'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option dns '192.168.2.1'

config interface 'wlan11'
        option _orig_ifname 'wlan0-2'
        option _orig_bridge 'false'
        option proto 'static'
        option ipaddr '172.16.0.1'
        option netmask '255.255.255.0'
        option dns '208.67.222.222'

package dhcp

config dnsmasq
        option boguspriv '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option domainneeded '1'
        option port '0'
        list server '192.168.2.36'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option maindhcp '1'

config dhcp
        option start '100'
        option interface 'wlan10'
        option limit '100'
        option leasetime '2h'

config host
        option mac '00:d2:2f:2d:35:4b'
        option ip '10.0.0.51'

config host
        option mac '48:50:73:f6:96:5c'
        option ip '10.0.0.52'

config host
        option mac '38:1d:d9:80:f4:f6'
        option ip '10.0.0.60'

config host
        option mac '0c:41:3e:41:77:b0'
        option ip '10.0.0.53'

config host
        option mac '88:71:E5:26:53:E2'
        option ip '10.0.0.70'

config host
        option mac '18:f0:e4:07:0d:b0'
        option ip '10.0.0.54'
        option name 'HandyBianca'

config host
        option name 'AmazonFireStick2'
        option mac '38:f7:3d:c3:ae:a3'
        option ip '10.0.0.80'

config host
        option mac '50:a0:09:b2:4f:c9'
        option ip '192.168.2.167'
        option name 'XiaomiTVBox'

config dhcp 'wlan11'
        option interface 'wlan11'
        option limit '20'
        option leasetime '2h'
        option start '10'

package firewall

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'test'
        option src 'wlan2'
        option dest 'lan'
        option proto 'all'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'testDisableLanAccess'
        option proto 'all'
        option src 'wlan2'
        option dest 'lan'
        option dest_ip '192.168.2.0/24'
        option target 'DROP'
        option enabled '0'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config zone
        option name 'wlan2'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'wlan10'
        option forward 'ACCEPT'

config redirect
        option target 'SNAT'
        option src 'wlan2'
        option dest 'lan'
        option proto 'all'
        option src_dip '192.168.2.2'
        option name 'testAllowInternet'

config zone
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'wlan3'
        option masq '1'
        option network 'wlan11'

config rule
        option target 'ACCEPT'
        option name 'test2'
        option proto 'all'
        option src 'lan'
        option dest 'wlan2'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wlan2'
        option dest 'lan'
        option name 'Test1'
        option proto 'tcp udp icmp'

config redirect
        option target 'DNAT'
        option dest 'wlan2'
        option name 'Test2'
        option src 'lan'
        option proto 'tcp udp icmp'

config forwarding
        option dest 'lan'
        option src 'wlan3'

config forwarding
        option dest 'lan'
        option src 'wlan2'

config forwarding
        option dest 'wlan3'
        option src 'lan'

config forwarding
        option dest 'wlan2'
        option src 'lan'

config forwarding
        option dest 'wan'
        option src 'lan'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.4.21 on Thu Dec 17 08:13:19 2020
*nat
:PREROUTING ACCEPT [870:41384]
:INPUT ACCEPT [1522:648478]
:OUTPUT ACCEPT [8392:549671]
:POSTROUTING ACCEPT [8392:549671]
:delegate_postrouting - [0:0]
:delegate_prerouting - [0:0]
:postrouting_wlan3_rule - [0:0]
:postrouting_wlan2_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_wlan3_rule - [0:0]
:prerouting_wlan2_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_wlan3_postrouting - [0:0]
:zone_wlan3_prerouting - [0:0]
:zone_wlan2_postrouting - [0:0]
:zone_wlan2_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[2459:712202] -A PREROUTING -j delegate_prerouting
[8392:549671] -A POSTROUTING -j delegate_postrouting
[8392:549671] -A delegate_postrouting -m comment --comment "user chain for postrouting" -j postrouting_rule
[0:0] -A delegate_postrouting -o br-lan -j zone_lan_postrouting
[0:0] -A delegate_postrouting -o eth0 -j zone_wan_postrouting
[0:0] -A delegate_postrouting -o wlan0-1 -j zone_wlan2_postrouting
[2459:712202] -A delegate_prerouting -m comment --comment "user chain for prerouting" -j prerouting_rule
[2449:708922] -A delegate_prerouting -i br-lan -j zone_lan_prerouting
[0:0] -A delegate_prerouting -i eth0 -j zone_wan_prerouting
[0:0] -A delegate_prerouting -i wlan0-1 -j zone_wlan2_prerouting
[0:0] -A zone_wlan3_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wlan3_rule
[0:0] -A zone_wlan3_postrouting -j MASQUERADE
[0:0] -A zone_wlan3_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wlan3_rule
[0:0] -A zone_wlan2_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wlan2_rule
[0:0] -A zone_wlan2_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wlan2_rule
[0:0] -A zone_wlan2_prerouting -p tcp -m comment --comment Test1 -j REDIRECT
[0:0] -A zone_wlan2_prerouting -p udp -m comment --comment Test1 -j REDIRECT
[0:0] -A zone_wlan2_prerouting -p icmp -m comment --comment Test1 -j REDIRECT
[0:0] -A zone_lan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -m comment --comment testAllowInternet -j SNAT --to-source 192.168.2.2
[2449:708922] -A zone_lan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_lan_rule
[13:676] -A zone_lan_prerouting -p tcp -m comment --comment Test2 -j REDIRECT
[1482:662246] -A zone_lan_prerouting -p udp -m comment --comment Test2 -j REDIRECT
[94:7896] -A zone_lan_prerouting -p icmp -m comment --comment Test2 -j REDIRECT
[0:0] -A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
[0:0] -A zone_wan_postrouting -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
COMMIT
# Completed on Thu Dec 17 08:13:19 2020
# Generated by iptables-save v1.4.21 on Thu Dec 17 08:13:19 2020
*raw
:PREROUTING ACCEPT [24387:4120182]
:OUTPUT ACCEPT [17392:1399439]
:delegate_notrack - [0:0]
[24387:4120182] -A PREROUTING -j delegate_notrack
COMMIT
# Completed on Thu Dec 17 08:13:19 2020
# Generated by iptables-save v1.4.21 on Thu Dec 17 08:13:19 2020
*mangle
:PREROUTING ACCEPT [24387:4120182]
:INPUT ACCEPT [23450:4056458]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [17392:1399439]
:POSTROUTING ACCEPT [17392:1399439]
:fwmark - [0:0]
:mssfix - [0:0]
[24387:4120182] -A PREROUTING -j fwmark
[0:0] -A FORWARD -j mssfix
[0:0] -A mssfix -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Dec 17 08:13:19 2020
# Generated by iptables-save v1.4.21 on Thu Dec 17 08:13:19 2020
*filter
:INPUT ACCEPT [197:64616]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:delegate_forward - [0:0]
:delegate_input - [0:0]
:delegate_output - [0:0]
:forwarding_wlan3_rule - [0:0]
:forwarding_wlan2_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_wlan3_rule - [0:0]
:input_wlan2_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_wlan3_rule - [0:0]
:output_wlan2_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_wlan3_dest_ACCEPT - [0:0]
:zone_wlan3_dest_REJECT - [0:0]
:zone_wlan3_forward - [0:0]
:zone_wlan3_input - [0:0]
:zone_wlan3_output - [0:0]
:zone_wlan3_src_ACCEPT - [0:0]
:zone_wlan2_dest_ACCEPT - [0:0]
:zone_wlan2_forward - [0:0]
:zone_wlan2_input - [0:0]
:zone_wlan2_output - [0:0]
:zone_wlan2_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[23450:4056458] -A INPUT -j delegate_input
[0:0] -A FORWARD -j delegate_forward
[17392:1399439] -A OUTPUT -j delegate_output
[0:0] -A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
[0:0] -A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A delegate_forward -i br-lan -j zone_lan_forward
[0:0] -A delegate_forward -i eth0 -j zone_wan_forward
[0:0] -A delegate_forward -i wlan0-1 -j zone_wlan2_forward
[16800:1335600] -A delegate_input -i lo -j ACCEPT
[6650:2720858] -A delegate_input -m comment --comment "user chain for input" -j input_rule
[478:38802] -A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[13:676] -A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
[5975:2617440] -A delegate_input -i br-lan -j zone_lan_input
[0:0] -A delegate_input -i eth0 -j zone_wan_input
[0:0] -A delegate_input -i wlan0-1 -j zone_wlan2_input
[16800:1335600] -A delegate_output -o lo -j ACCEPT
[592:63839] -A delegate_output -m comment --comment "user chain for output" -j output_rule
[592:63839] -A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A delegate_output -o br-lan -j zone_lan_output
[0:0] -A delegate_output -o eth0 -j zone_wan_output
[0:0] -A delegate_output -o wlan0-1 -j zone_wlan2_output
[0:0] -A reject -p tcp -j REJECT --reject-with tcp-reset
[0:0] -A reject -j REJECT --reject-with icmp-port-unreachable
[13:676] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
[0:0] -A syn_flood -j DROP
[0:0] -A zone_wlan3_forward -m comment --comment "user chain for forwarding" -j forwarding_wlan3_rule
[0:0] -A zone_wlan3_forward -m comment --comment "forwarding wlan3 -> lan" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wlan3_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
[0:0] -A zone_wlan3_forward -j zone_wlan3_dest_REJECT
[0:0] -A zone_wlan3_input -m comment --comment "user chain for input" -j input_wlan3_rule
[0:0] -A zone_wlan3_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
[0:0] -A zone_wlan3_input -j zone_wlan3_src_ACCEPT
[0:0] -A zone_wlan3_output -m comment --comment "user chain for output" -j output_wlan3_rule
[0:0] -A zone_wlan3_output -j zone_wlan3_dest_ACCEPT
[0:0] -A zone_wlan2_dest_ACCEPT -o wlan0-1 -j ACCEPT
[0:0] -A zone_wlan2_forward -m comment --comment "user chain for forwarding" -j forwarding_wlan2_rule
[0:0] -A zone_wlan2_forward -m comment --comment "forwarding wlan2 -> lan" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wlan2_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
[0:0] -A zone_wlan2_forward -j zone_wlan2_dest_ACCEPT
[0:0] -A zone_wlan2_input -m comment --comment "user chain for input" -j input_wlan2_rule
[0:0] -A zone_wlan2_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
[0:0] -A zone_wlan2_input -j zone_wlan2_src_ACCEPT
[0:0] -A zone_wlan2_output -m comment --comment "user chain for output" -j output_wlan2_rule
[0:0] -A zone_wlan2_output -j zone_wlan2_dest_ACCEPT
[0:0] -A zone_wlan2_src_ACCEPT -i wlan0-1 -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "forwarding lan -> wlan3" -j zone_wlan3_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "forwarding lan -> wlan2" -j zone_wlan2_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -j zone_lan_dest_ACCEPT
[5975:2617440] -A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
[5459:2587280] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
[516:30160] -A zone_lan_input -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
[0:0] -A zone_lan_output -j zone_lan_dest_ACCEPT
[516:30160] -A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0 -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0 -j reject
[0:0] -A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
[0:0] -A zone_wan_output -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0 -j reject
COMMIT
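
How fw3 decides whether one zone may forward to another, as an added example (my code, not the poster's and not OpenWrt's): a parser for the subset of `uci export firewall` syntax used in the dump above, and an evaluator that walks the `zone_<src>_forward` chain in the order the iptables dump shows. The order is: traffic rules with src/dest zones (fw3's usual placement, before the forwardings; this dump has no enabled forward rules to confirm it), then `config forwarding` entries (`-j zone_<dst>_dest_ACCEPT`), then the `--ctstate DNAT` accept, then `zone_<src>_dest_<policy>`, which only matches the source zone's own output devices (`zone_wan_dest_REJECT` is `-o eth0 -j reject`), and finally the FORWARD chain policy set by `config defaults`. The sample configuration is a constructed subset of the dump; `dest_ip`, ports and protocols are not modelled.

```python
"""How fw3 decides whether zone A may forward to zone B.

Added example, not code from the thread or from OpenWrt: a parser for the
subset of `uci export firewall` syntax used above and an evaluator that walks
the zone_<src>_forward chain in the order the iptables dump shows. Only
zone-level matching is modelled (no dest_ip, ports or protocols).
"""
import shlex

# Constructed subset of the thread's `uci export firewall` output.
SAMPLE = """\
package firewall

config defaults
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option forward 'REJECT'

config zone
        option name 'wlan2'
        option forward 'ACCEPT'

config zone
        option name 'wlan3'
        option forward 'REJECT'

config rule
        option name 'testDisableLanAccess'
        option src 'wlan2'
        option dest 'lan'
        option target 'DROP'
        option enabled '0'

config forwarding
        option src 'wlan2'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'wlan2'

config forwarding
        option src 'lan'
        option dest 'wan'
"""


def parse_uci(text):
    """Turn `uci export` output into a list of section dicts (".type" = section type)."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok or tok[0] == "package":
            continue
        if tok[0] == "config":
            sections.append({".type": tok[1]})
        elif tok[0] == "option":
            sections[-1][tok[1]] = tok[2]
        elif tok[0] == "list":
            sections[-1].setdefault(tok[1], []).append(tok[2])
    return sections


def load_policy(sections):
    """Collect what the forward decision needs from the parsed sections."""
    def of_type(t):
        return [s for s in sections if s[".type"] == t]
    defaults = (of_type("defaults") or [{}])[0]
    return {
        # Unset policies are taken as REJECT (assumption; the dump sets every one).
        "default_forward": defaults.get("forward", "REJECT"),
        "zones": {z["name"]: z.get("forward", "REJECT") for z in of_type("zone")},
        "forwardings": {(f["src"], f["dest"]) for f in of_type("forwarding")},
        "rules": [r for r in of_type("rule")
                  if r.get("enabled", "1") != "0" and "src" in r and "dest" in r],
    }


def forward_verdict(policy, src_zone, dst_zone, dnat=False):
    """Verdict for a new connection entering via src_zone and leaving via dst_zone.

    Order as in zone_<src>_forward in the dump:
      1. enabled traffic rules with src/dest zones (fw3 places them before forwardings)
      2. `config forwarding` entries         -> -j zone_<dst>_dest_ACCEPT
      3. port-forwarded (DNAT) traffic        -> --ctstate DNAT -j ACCEPT
      4. -j zone_<src>_dest_<forward policy>  -> matches only src's OWN devices
      5. otherwise fall through to the FORWARD chain policy from `config defaults`
    """
    for rule in policy["rules"]:
        if rule["src"] == src_zone and rule["dest"] in (dst_zone, "*"):
            return rule["target"]
    if (src_zone, dst_zone) in policy["forwardings"]:
        return "ACCEPT"
    if dnat:
        return "ACCEPT"
    if src_zone == dst_zone:
        return policy["zones"][src_zone]
    return policy["default_forward"]


if __name__ == "__main__":
    pol = load_policy(parse_uci(SAMPLE))
    for src, dst in [("wlan2", "lan"), ("lan", "wan"), ("wan", "lan"), ("wlan3", "wan")]:
        print(f"{src:>5} -> {dst:<5} {forward_verdict(pol, src, dst)}")
```

Two things fall out of walking the chain this way. The zone-level `option forward` governs only traffic between interfaces of the same zone, so for zone 1 to zone 2 it is the `config forwarding` entries (or an enabled rule) that matter, and an enabled rule wins over a forwarding. And because the dump's `config defaults` has `option forward 'ACCEPT'` (the `:FORWARD ACCEPT` policy, with no catch-all `-j reject` at the end of `delegate_forward`), any pair of zones without a forwarding, including wan to lan, falls through to ACCEPT; setting that default back to `REJECT` is what makes the forwardings an actual allow-list.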

Remove these DNS servers from wlan10 and wlan11. You should add DNS servers which are reachable from that interface.

Other than that, your problem is with routing. OpenWrt is not the default gateway in the LAN. Have you added a static route on the 192.168.2.1 gateway so that 10.0.0.0/24 and 172.16.0.0/24 are reachable via 192.168.2.2?

2 Likes

Correct, my default gateway is 192.168.2.1.
The OpenWrt router is only an access point (192.168.2.2).

My primary concern is my own DNS server, a Pi-hole on a Raspberry Pi (192.168.2.50), which is not reachable from the 10.0.0.x area.

To understand OpenWrt/firewall/routing, I tried to open all traffic between the 192.168.2.x area and the 10.0.0.x area.
Normally I only need an "open connection" from the 10.0.0.x area to my own DNS server 192.168.2.50.

To implement that, do I need a static route on the default router/gateway?

The problem here is that the endpoint devices on the 192.168.2.0 network do not know about the 10.0.0.0 network. When the pi hole receives a request from 10.0.0.5 for example, it sends the response back to 10.0.0.5. The pi hole has no way to know that this request arrived via 192.168.2.2. It has no route to 10.0.0.0, so it uses its default gateway, 192.168.2.1. That router also does not know about the 10.0.0.0 network, so it will forward the packet to its default gateway, the ISP. This fails.

The typical solution is to set up a route in 192.168.2.1 which will forward packets for 10.0.0.0 to 192.168.2.2. A more elaborate way is to install this route on every 192.168.2.0 device that needs to interact with the 10.0.0.0 network. This can be done with a DHCP option.

Note that if the router hosting both networks is also the default route for both networks, this is already taken care of. The routes are already in place on it. Most instructions about setting up an additional or guest network assume that.

2 Likes
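
The reply path described in the post above, traced with a small longest-prefix-match model. This is an added example, not code from the thread: the addresses are the thread's (Pi-hole 192.168.2.50, main router 192.168.2.1, OpenWrt 192.168.2.2 on the lan and 10.0.0.1 on the guest WLAN, a guest client 10.0.0.171); the host names, the `isp` sink and its TEST-NET-3 address 203.0.113.1 are assumptions. It shows the query reaching the Pi-hole in every case, the reply leaving towards the ISP when 192.168.2.1 has no route, and the two fixes the post mentions: the static route on 192.168.2.1, or masquerading on OpenWrt's lan zone so that the reply is addressed to 192.168.2.2 itself.

```python
"""Asymmetric routing behind an OpenWrt box that is not the default gateway.

Added example, not code from the thread: a minimal longest-prefix-match router
model that traces a DNS request from a guest client (10.0.0.171) to the Pi-hole
(192.168.2.50) and the reply back again, with and without the static route on
the main router (192.168.2.1). Host names, the 'isp' sink and its TEST-NET-3
address 203.0.113.1 are assumptions; the RFC 1918 addresses are the thread's.
"""
import ipaddress

OPENWRT_LAN = "192.168.2.2"  # OpenWrt's own address on the lan (from the thread)


class Host:
    """An IP host with a routing table; next hop None = directly connected."""

    def __init__(self, name, addrs, routes):
        self.name = name
        self.addrs = {ipaddress.ip_address(a) for a in addrs}
        self.routes = [(ipaddress.ip_network(net),
                        None if via is None else ipaddress.ip_address(via))
                       for net, via in routes]

    def lookup(self, dst):
        """Longest-prefix match, as the kernel FIB does; None if nothing matches."""
        hits = [(net, via) for net, via in self.routes if dst in net]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def build(static_route_on_gateway):
    """Hosts from the thread; the ISP knows nothing about the private prefixes."""
    gw_routes = [("192.168.2.0/24", None), ("0.0.0.0/0", "203.0.113.1")]
    if static_route_on_gateway:  # "10.0.0.0/24 via 192.168.2.2" on the main router
        gw_routes.append(("10.0.0.0/24", OPENWRT_LAN))
    hosts = [
        Host("pihole", ["192.168.2.50"],
             [("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.1")]),
        Host("maingw", ["192.168.2.1", "203.0.113.2"], gw_routes),
        Host("openwrt", [OPENWRT_LAN, "10.0.0.1"],
             [("192.168.2.0/24", None), ("10.0.0.0/24", None),
              ("0.0.0.0/0", "192.168.2.1")]),
        Host("phone", ["10.0.0.171"],
             [("10.0.0.0/24", None), ("0.0.0.0/0", "10.0.0.1")]),
        Host("isp", ["203.0.113.1"], []),
    ]
    return {h.name: h for h in hosts}


def owner(topo, addr):
    return next((h for h in topo.values() if addr in h.addrs), None)


def trace(topo, src, dst, max_hops=8):
    """Hop-by-hop path of a packet from host `src` to address `dst`."""
    dst = ipaddress.ip_address(dst)
    cur, path = topo[src], [src]
    for _ in range(max_hops):
        if dst in cur.addrs:
            return path + ["delivered"]
        route = cur.lookup(dst)
        if route is None:
            return path + ["no route"]
        _net, via = route
        nxt = owner(topo, dst if via is None else via)
        if nxt is None:
            return path + ["lost"]  # nobody answers ARP for that address
        cur, path = nxt, path + [nxt.name]
    return path + ["ttl exceeded"]


def reply_path(topo, client_ip, masq_lan=False):
    """Path of the Pi-hole's reply back to a guest client.

    With `option masq '1'` on OpenWrt's lan zone the Pi-hole saw the query
    coming from 192.168.2.2, so it answers there; OpenWrt's conntrack entry
    restores the client address and the last hop is directly connected.
    """
    first = trace(topo, "pihole", OPENWRT_LAN if masq_lan else client_ip)
    if masq_lan and first[-1] == "delivered":
        return first[:-1] + trace(topo, "openwrt", client_ip)[1:]
    return first


if __name__ == "__main__":
    for label, topo, masq in [("no route, no masq", build(False), False),
                              ("static route on 192.168.2.1", build(True), False),
                              ("masq on lan zone", build(False), True)]:
        print(f"{label:28} query: {' > '.join(trace(topo, 'phone', '192.168.2.50'))}")
        print(f"{'':28} reply: {' > '.join(reply_path(topo, '10.0.0.171', masq))}")
```

The `masq_lan=True` case models `option masq '1'` on the lan zone: it works, but the Pi-hole then sees every guest query as coming from 192.168.2.2 and its query log can no longer tell guest clients apart, so the static route is the cleaner fix. The per-client variant the post mentions is DHCP option 121 (classless static route); if the server handing out the 192.168.2.0/24 leases is dnsmasq, it is written as `list dhcp_option '121,10.0.0.0/24,192.168.2.2'` in that server's dhcp section. In this thread that server is the main router, not OpenWrt, whose lan DHCP has `option ignore '1'`.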

"The typical solution is to set up a route in 192.168.2.1 which will forward packets for 10.0.0.0 to 192.168.2.2."

OK, I have done that!

What has changed?

If I ping from 192.168.2.x to 10.0.0.x, the destination is reachable! (Before, it didn't work.)

Unfortunately, WLAN devices with IP address 10.0.0.x still cannot reach the internet (probably the DNS server 192.168.2.50 is not reachable).

Do I have to configure a static route on the OpenWrt router 192.168.2.2 (to subnet 10.0.0.x)?

Do I have to enter a gateway on the "wlan10" interface?

config interface 'wlan10'
        option _orig_ifname 'wlan0-2'
        option _orig_bridge 'false'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option dns '192.168.2.1'

No and no.
And the gateway is wrong on that interface; you already have it correctly assigned on the lan, where it is reachable from.

It is quite possible that your internet router won't NAT packets beyond its LAN. One way to find out is to add option masq '1' to the lan firewall zone.

It is quite possible that your internet router won't NAT packets beyond its lan. One way to find out is to add option masq '1' in lan firewall zone.

Masquerading has been enabled, but the problem still exists. :(

Install tcpdump and capture the packets to check what can be the problem.
opkg update; opkg install tcpdump; tcpdump -i any -evn icmp
Then start a ping. Let it capture a few packets and stop with Ctrl-c

Also post the following ip -4 addr ; ip -4 ro li tab all ; ip -4 ru which you didn't include in the previous troubleshooting post.

1 Like

My smartphone has been connected to WLAN2 with the IP address 10.0.0.171.
If I try to open a website (www.bing.de), tcpdump reports:

10.0.0.171.23017 > 10.0.0.1.53: 13486+ A? www.bing.de. (30)
09:40:42.526993 Out ea:de:27:f7:03:e8 ethertype IPv4 (0x0800), length 109: (tos 0xc0, ttl 64, id 29081, offset 0, flags [none], proto ICMP (1), length 93)
    10.0.0.1 > 10.0.0.171: ICMP 10.0.0.1 udp port 53 unreachable, length 73
        (tos 0x0, ttl 64, id 35374, offset 0, flags [DF], proto UDP (17), length 65)

UDP port 53 is not reachable because the port has been disabled in the "DHCP and DNS" settings (Advanced Settings --> DNS server port: 0).

It seems that the OpenWrt router does not try to connect to the Pi-hole DNS server 192.168.2.50, although this IP address was configured under "General Settings" / "DNS forwardings".

Also post the following ip -4 addr ; ip -4 ro li tab all ; ip -4 ru which you didn't include in the previous troubleshooting post.

If I enter "ip -4 addr", I get the error message "-ash: ip: not found".


1 Like

That was a bad idea, considering that you advertise the OpenWrt as nameserver to all DHCP clients.

If you do an nslookup openwrt.org from the OpenWrt, it will query the Pi-hole. But if you have disabled the listening port of dnsmasq, the lan hosts will not be able to query dnsmasq.
Follow @vgaetera's advice on how to solve this.

But this is not what I asked you to do.
Regarding the ip, it should be there. Add it and try again: opkg update; opkg install ip-tiny