Simple Lan to Guest Routing That Should Be Working(?)

Currently have OpenWrt working as expected on a Linksys E8450. Lan and Guest (both on the same router) can both see the internet. I'm having trouble with a configuration that will allow devices on the lan to see the guest but not the other way around.

I found This recent thread which looks like it has exactly what I'm trying to do. However, after adding that firewall config and rebooting the router, it's still the case that nothing on the lan can see anything on the guest. An nmap ping scan (-sn) will correctly discover other things on the lan.

Board/network/firewall included below. Any thoughts are welcome.

//board
{
	"kernel": "5.15.167",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Linksys E8450 (UBI)",
	"board_name": "linksys,e8450-ubi",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "mediatek/mt7622",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}

//network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd4e:39e5:5aa9::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '192.168.1.214'
	list dns 'fd4e:39e5:5aa9::a49'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'


// firewall
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'pihole_dns'
	option src 'lan'
	option src_ip '!192.168.1.214'
	option src_dport '53'
	option dest_ip '192.168.1.214'
	option dest_port '53'

config nat
	option name 'pihole'
	list proto 'tcp'
	list proto 'udp'
	option src 'lan'
	option dest_ip '192.168.1.214'
	option dest_port '53'
	option target 'MASQUERADE'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'pihole_ip6'
	option family 'ipv6'
	option src 'lan'
	option src_dport '53'
	option dest_ip 'fd4e:39e5:5aa9::a49'
	option dest_port '53'
	option src_ip '!fd4e:39e5:5aa9::a49'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'guest dns'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'guest dhcp'
	option target 'ACCEPT'
	option src 'guest'
	option dest_port '67-68'

config rule
	option name 'kodi'
	option src 'lan'
	list src_ip '192.168.1.247'
	option dest 'wan'
	option target 'REJECT'
	option enabled '0'

config forwarding
        option src 'lan'
        option dest 'guest'

I have this arrangement setup on my RT3200 and from your config I can’t see what’s missing. My use case is I wanted lan devices to use a guest printer.

Two things I can think of:

1. Your clients on the guest subnet have their own firewall and do not allow traffic from other subnets so not from 192.168.1.1, to remedy tweak/disable the firewall of your clients on the guest subnet.
2. There are settings on the wireless driver to block traffic between clients, I do not think that it should block between lan and guest wifi but you never know

Try monitoring traffic with tcpdump.

Okay, now I'm slightly more confused than I was before but local firewall(s) seems to be it. Guest test machine has firewall disabled. I swear I tried disabling both firewall and VPN on the lan test machine before posting...

Linux machine on lan, firewall disabled (even though it has carve outs for both lan and guest) but VPN up I can still get to other things on the lan but not guest. BOTH firewall and VPN down (which I could swear I tried already) I can now get to things on guest.

I'm not sure why lan works in this case and guest doesn't... but at least the OpenWrt component seems to be correct.

FWIW, on the lan test machine with both the firewall and VPN up, I can still get to other machines on the lan. I have the same test machine firewall entries for both 192.168.1.1 and 192.168.3.1 so I'm a little confused why one works and not the other with VPN up.

Test machine firewall starts with:

sudo ufw disable
sudo ufw reset

sudo ufw allow in to 192.168.1.0/24
sudo ufw allow in to 192.168.3.0/24

sudo ufw allow out to 192.168.1.0/24
sudo ufw allow out to 192.168.3.0/24

sudo ufw default deny outgoing
sudo ufw default deny incoming

I assume now it's not an OpenWrt issue but a VPN / client configuration issue.

Your VPN will route all unknown subnets out via its VPN.

If the VPN is on a client on the guest subnet then it does not know about 192.168.1.0/24 but only about its own 192.168.3.0/24 subnet and will route 192.168.1.0/24 via its VPN instead of via the router.

On that VPN client you can add a route something like add route 192.168.1.0/24 via 192.168.3.1

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.