Simple Firewall Help, multiple nested LANs [SOLVED]

Here is the kind of network topology I'm working with:
WAN -> large company LAN -> department LAN -> my LAN

I want all traffic from the department LAN to have access (forward?) to my LAN. So far I have accomplished this with port forwards, but my LAN changes frequently and it's laborious. I have tried creating a catch-all forwarding traffic rule:

Any traffic
From IP range [department LAN] in wan
To any host in any zone

This is the top traffic rule; it is enabled and the action is "accept forward". However, it's not working AFAIK. I have set a route on my computer, which belongs to the department LAN, to send all traffic for "my LAN" via this router's WAN IP (the WAN IP is a department LAN IP). Am I going about this the right way? Do I need to create a new zone?

I'm sure this topic has been covered many times, I must be asking the wrong questions, sorry.

Top rule in /etc/config/firewall:

config rule
        option target 'ACCEPT'
        option src 'wan'
        option name 'Allow 1.1.1.0/25'
        option src_ip '1.1.1.0/25'
        option proto 'all'
        option dest '*'

The department LAN isn't actually 1.1.1.0/25, but I thought I'd put some context in.

My zone config is the default setup:

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

If I understand your description, it seems you may wish to turn off masquerade on your WAN interface. Then make a route to your LAN on the Department router, and a route to the department on YOUR router. You would then address hosts in your LAN by their IP address. You can still firewall, it would now be traffic rules instead of port forwards.

OK, I made a mistake. It looks like I can access devices from [dept LAN] -> [my LAN] with my current configuration. What is not working is accessing the router on [my LAN]. I can ping the router, but I can't SSH into it or access the web UI. This is probably a rule further down the chain, I expect.

So I've modified my traffic rules again, and I can now access the router on [my LAN] as well as any other device on [my LAN]. I changed my top rule from:

config rule
        option target 'ACCEPT'
        option src 'wan'
        option name 'Allow 1.1.1.0/25'
        option src_ip '1.1.1.0/25'
        option proto 'all'
        option dest '*'

To;

config rule
        option target 'ACCEPT'
        option src 'wan'
        option name 'Allow from 1.1.1.0/25'
        option proto 'all'
        option src_ip '1.1.1.0/25'

This was an "action" change from forward to device input.
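Putting the two pieces together, here is an added example (not the poster's own config and not from the OpenWrt project) of how the final setup could look: the forward rule the original post started with, the device-input rule the thread ended up with, and the static route the earlier reply suggested on the department router. It keeps the thread's placeholder 1.1.1.0/25 for the department LAN; the "my LAN" prefix 192.168.1.0/24 and the gateway address 1.1.1.10 are assumptions. Two things are tightened compared with the rules above: the forward rule uses dest 'lan' instead of dest '*' so department hosts can only reach my LAN and not be forwarded back out through wan, and the input rule is limited to the SSH and web UI ports instead of proto 'all', so the department LAN does not get every service on the router.

```uci
# /etc/config/firewall on the "my LAN" router (added example, not the poster's config).
# 1.1.1.0/25 is the thread's placeholder for the department LAN.
# The default wan zone (input REJECT, forward REJECT, masq 1) is left unchanged;
# masquerade only rewrites connections that start from my LAN, so replies to
# connections coming in from the department LAN are not affected.

config rule
        option name 'Forward dept LAN to my LAN'
        option src 'wan'
        option src_ip '1.1.1.0/25'
        option dest 'lan'
        option proto 'all'
        option target 'ACCEPT'

config rule
        option name 'Dept LAN to router SSH and web UI'
        option src 'wan'
        option src_ip '1.1.1.0/25'
        option proto 'tcp'
        option dest_port '22 80 443'
        option target 'ACCEPT'

# /etc/config/network on the department router (assumption: it also runs OpenWrt
# and its 'lan' interface is the segment that my router's WAN sits on).
# 192.168.1.0/24 is the assumed "my LAN" prefix; 1.1.1.10 is the assumed
# WAN address of my router on the department LAN.

config route
        option interface 'lan'
        option target '192.168.1.0/24'
        option gateway '1.1.1.10'
```

With the route on the department router, hosts on the department LAN no longer need a per-host route to reach my LAN. If the wan zone's masq is switched off as the earlier reply suggests, that same route is also what lets my LAN's outbound traffic get replies, so add it first.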

Simply edit the title and append the word "[SOLVED]"
