Hi,
Got a device with two LAN and one WAN interfaces.
- lan interface is the production one. There are a couple of hosts there in the address range of 192.168.1.1. Its hosts are allowed to communicate with each other and with the WAN network. Here's that one:
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.1.113'
network.lan.gateway='192.168.1.1'
- Service interface. It is supposed to be used by service people maintaining the controller connected to the device. They are restricted to accessing the web page on device port 8443 and the controller at 192.168.1.111. Here's its config:
network.Service=interface
network.Service.proto='static'
network.Service.device='eth0.2'
network.Service.netmask='255.255.255.0'
network.Service.ipaddr='10.47.0.9'
To cover my needs I've set up the firewall in the following way:
firewall.@zone[2]=zone
firewall.@zone[2].name='service_zone'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].network='Service'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow_Webpage_Access'
firewall.@rule[9].src='service_zone'
firewall.@rule[9].dest='lan'
firewall.@rule[9].proto='tcp'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].dest_port='8443'
firewall.@rule[10]=rule
firewall.@rule[10].name='Allow_Controller_Access'
firewall.@rule[10].src='service_zone'
firewall.@rule[10].dest='lan'
firewall.@rule[10].dest_ip='192.168.1.111'
firewall.@rule[10].proto='all'
firewall.@rule[10].target='ACCEPT'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='service_zone'
firewall.@forwarding[1].dest='lan'
Unfortunately something's missing. When I connect to the device, I am able to access the web page of the device, but I am unable to access 192.168.1.111 - I get a timeout. I cannot access it using either SSH or WWW. The config seems right to me, but I'm sure something should be added.
Here is my routing table:
default 10.100.187.4 0.0.0.0 UG 0 0 0 usb0
10.0.0.0 * 255.0.0.0 U 0 0 0 usb0
10.47.0.0 * 255.255.255.0 U 0 0 0 eth0.2
192.168.1.0 * 255.255.255.0 U 0 0 0 br-lan
Please advise.
Kal
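As an added example (not code from Kal's post or from OpenWrt itself), the Python below parses the `uci show` lines quoted above and replays OpenWrt's zone-to-zone decision order: traffic rules first, then `forwarding` sections, then the source zone's `forward` policy. It shows that the `forwarding` section already admits every service_zone-to-lan flow, not only 192.168.1.111, so the timeout is more likely a routing or return-path issue than a missing firewall rule. The ordering and the subset of options handled are simplifying assumptions of this model.

```python
# Added example, not from the original post: a small model of how OpenWrt's
# firewall decides a forwarded zone-to-zone flow (traffic rules, then
# 'forwarding' sections, then the source zone's 'forward' policy).
# Simplified: no src_ip/src_port/family/enabled handling. The config text
# is copied from the post, minus rule 9 and options that do not affect it.

UCI = """\
firewall.@zone[2]=zone
firewall.@zone[2].name='service_zone'
firewall.@zone[2].forward='REJECT'
firewall.@rule[10]=rule
firewall.@rule[10].name='Allow_Controller_Access'
firewall.@rule[10].src='service_zone'
firewall.@rule[10].dest='lan'
firewall.@rule[10].dest_ip='192.168.1.111'
firewall.@rule[10].proto='all'
firewall.@rule[10].target='ACCEPT'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='service_zone'
firewall.@forwarding[1].dest='lan'
"""

def parse_uci(text):
    # Turn 'uci show' output into a list of {'_type': ..., option: value} dicts
    sections = {}
    for line in text.strip().splitlines():
        key, value = line.split("=", 1)
        parts = key.split(".")
        if len(parts) == 2:                    # firewall.@rule[10]=rule
            sections[parts[1]] = {"_type": value}
        else:                                  # firewall.@rule[10].src='...'
            sections[parts[1]][parts[2]] = value.strip("'")
    return list(sections.values())

def forward_decision(sections, src_zone, dst_zone, dst_ip, proto, dport):
    # Return (verdict, reason) for a packet forwarded from src_zone to dst_zone
    for s in sections:                         # 1. traffic rules, in config order
        if s["_type"] != "rule" or s.get("src") != src_zone or s.get("dest") != dst_zone:
            continue
        if s.get("proto", "all") not in ("all", proto):
            continue
        if s.get("dest_ip", dst_ip) != dst_ip or s.get("dest_port", str(dport)) != str(dport):
            continue
        return s["target"], s["name"]
    for s in sections:                         # 2. zone-to-zone forwarding sections
        if s["_type"] == "forwarding" and s["src"] == src_zone and s["dest"] == dst_zone:
            return "ACCEPT", "forwarding " + src_zone + "->" + dst_zone
    for s in sections:                         # 3. fall back to the source zone policy
        if s["_type"] == "zone" and s.get("name") == src_zone:
            return s.get("forward", "DROP"), "zone policy"
    return "DROP", "default"
```

Feeding a host other than 192.168.1.111 through `forward_decision` returns ACCEPT via the forwarding section, which is the point to verify before looking for a missing rule.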