Setting firewall - routing between two interfaces

Hi,

Got a device with two LAN and one WAN interfaces.

  1. lan interface is the production one. There are a couple of hosts there in the address range of 192.168.1.1. Its hosts are allowed to communicate with each other and the WAN network. Here's the one:
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.1.113'
network.lan.gateway='192.168.1.1'
  2. Service interface. It is supposed to be used by service people maintaining the controller connected to the device. They are restricted to accessing the webpage on the device on port 8443 and the controller at 192.168.1.111. Here's its config:
network.Service=interface
network.Service.proto='static'
network.Service.device='eth0.2'
network.Service.netmask='255.255.255.0'
network.Service.ipaddr='10.47.0.9'

To cover my needs I've set up the firewall in the following way:

firewall.@zone[2]=zone
firewall.@zone[2].name='service_zone'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].network='Service'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow_Webpage_Access'
firewall.@rule[9].src='service_zone'
firewall.@rule[9].dest='lan'
firewall.@rule[9].proto='tcp'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].dest_port='8443'
firewall.@rule[10]=rule
firewall.@rule[10].name='Allow_Controller_Access'
firewall.@rule[10].src='service_zone'
firewall.@rule[10].dest='lan'
firewall.@rule[10].dest_ip='192.168.1.111'
firewall.@rule[10].proto='all'
firewall.@rule[10].target='ACCEPT'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='service_zone'
firewall.@forwarding[1].dest='lan'

Unfortunately something's missing. When I connect to the device, I am able to access the webpage of the device, but I am unable to access 192.168.1.111 - I get a timeout. I cannot access it using either SSH or WWW. The config seems right to me, but I'm sure something should be added.

Here is my routing table:

default         10.100.187.4    0.0.0.0         UG    0      0        0 usb0
10.0.0.0        *               255.0.0.0       U     0      0        0 usb0
10.47.0.0       *               255.255.255.0   U     0      0        0 eth0.2
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan

Please advise.

Kal

Since this OpenWrt device is not the main gateway, you will need to do one of two things:

  • Set a static route on your main router/gateway (10.47.0.0/24 via 192.168.1.113)
    -- or --
  • enable masquerading on the lan firewall zone on your OpenWrt router.
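The two options in the reply, written out as uci commands. This is an added example, not code from the thread or from OpenWrt; it assumes the addresses shown in the post (OpenWrt lan address 192.168.1.113, main gateway 192.168.1.1, service subnet 10.47.0.0/24 in zone service_zone) and the section indexes the post shows (@zone[2], @rule[9], @forwarding[1]). The script only prints the commands so they can be reviewed before being pasted onto the right box. A third function goes a step beyond the reply: as posted, the forwarding section from service_zone to lan accepts all traffic between the two zones, so the 8443 and 192.168.1.111 rules never restrict anything, and input='ACCEPT' on service_zone exposes every service on the device rather than just port 8443; the function shows the uci changes that make the explicit rules the only allowed paths.

```sh
#!/bin/sh
# Added example; not code from the original thread. Assumes the addresses in
# the post: OpenWrt lan address 192.168.1.113, main gateway 192.168.1.1,
# service subnet 10.47.0.0/24 in zone 'service_zone'. Section indexes
# (@zone[2], @rule[9], @forwarding[1]) are the ones the post shows; confirm
# them with 'uci show firewall' before running anything, because they shift.

OPENWRT_LAN_IP='192.168.1.113'
SERVICE_NET='10.47.0.0'
SERVICE_MASK='255.255.255.0'
SERVICE_CIDR='10.47.0.0/24'

# Option A: a return route on the main gateway. This keeps the real 10.47.0.x
# source addresses visible to the controller, which is what you want when you
# later need to know which service-network client touched it. These are the
# uci lines if the main gateway is also OpenWrt; on any other router add the
# same static route (10.47.0.0/24 via 192.168.1.113) in its own UI.
option_a_route_cmds() {
  cat <<EOF
uci add network route
uci set network.@route[-1].interface='lan'
uci set network.@route[-1].target='$SERVICE_NET'
uci set network.@route[-1].netmask='$SERVICE_MASK'
uci set network.@route[-1].gateway='$OPENWRT_LAN_IP'
uci commit network
/etc/init.d/network reload
EOF
}

# Option B: masquerade on the OpenWrt device's lan zone. Replies then come back
# to 192.168.1.113 and no other router needs a route, but the controller sees
# every service-network client as 192.168.1.113. masq_src limits the SNAT to
# the service subnet so ordinary lan traffic is left untouched.
# $1 is the lan zone's section id, e.g. @zone[0].
option_b_masq_cmds() {
  zone="$1"
  cat <<EOF
uci set firewall.$zone.masq='1'
uci add_list firewall.$zone.masq_src='$SERVICE_CIDR'
uci commit firewall
/etc/init.d/firewall restart
EOF
}

# Find the section id of the zone named 'lan' (usually @zone[0]). Off an
# OpenWrt box there is no uci, so fall back to that usual index.
lan_zone_section() {
  if command -v uci >/dev/null 2>&1; then
    uci show firewall | sed -n "s/^firewall\.\(@zone\[[0-9]*\]\)\.name='lan'$/\1/p" | head -n 1
  else
    echo '@zone[0]'
  fi
}

# Separate from the routing problem: the posted 'forwarding' section from
# service_zone to lan accepts all traffic between the zones, so the two ACCEPT
# rules never restrict anything, and input='ACCEPT' on service_zone exposes
# every service on the device, not only port 8443. Drop the blanket
# forwarding, reject input by default, and turn the 8443 rule into an input
# rule (a rule without 'dest' matches traffic to the device itself).
tighten_service_zone_cmds() {
  cat <<EOF
uci delete firewall.@forwarding[1]
uci set firewall.@zone[2].input='REJECT'
uci delete firewall.@rule[9].dest
uci commit firewall
/etc/init.d/firewall restart
EOF
}

echo '# Option A (on the main gateway, if it runs OpenWrt):'
option_a_route_cmds
echo '# Option B (on this OpenWrt device):'
option_b_masq_cmds "$(lan_zone_section)"
echo '# Tightening the service_zone restriction (on this OpenWrt device):'
tighten_service_zone_cmds
```

Before changing anything, the failure mode is easy to confirm on the OpenWrt box with `tcpdump -ni br-lan host 192.168.1.111` while a service client tries to connect: the SYNs go out to 192.168.1.111, but no SYN-ACK comes back, because 192.168.1.111 has no route for 10.47.0.0/24 and sends its replies to its own default gateway 192.168.1.1 instead. Either option makes the SYN-ACKs appear; option A is the better choice where the controller's logs are used to attribute service access to individual clients.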