[Solved] Access local server from LAN/GUEST via WAN

I have a server running Docker containers in the 192.168.3.0/24 subnet, and I want to reach them from LAN (192.168.1.0/24) and GUESTS (192.168.2.0/24) using the public domain name, but it doesn't work. From the internet, access works fine.

root@enrutador:~# cat /etc/config/firewall 

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option flow_offloading '1'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'telecentro'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'invitados'
        option output 'ACCEPT'
        list network 'invitados'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option src 'invitados'
        option dest 'wan'

config rule
        list dest_ip '224.0.0.251'
        option dest_port '5353'
        option target 'ACCEPT'
        option src 'invitados'
        list proto 'tcp'
        list proto 'udp'
        option name 'mDNS-Invitados'
        option family 'ipv4'

# Forward rule: guests may open tcp/udp to the listed Chromecast ports in the
# lan zone. Reviewer note: there is no dest_ip, so these ports are reachable
# on *every* lan host, not just the Chromecast, and the 32768-61000 range
# covers what is typically the Linux ephemeral-port range. Least privilege:
# add `list dest_ip '<chromecast address>'` so the opening is limited to the
# one device that needs it.
config rule
        option target 'ACCEPT'
        option src 'invitados'
        option dest 'lan'
        option family 'ipv4'
        list proto 'tcp'
        list proto 'udp'
        option dest_port '8008-8009 8443 32768-61000'
        option name 'Chromecast para Invitados'

config zone
        option name 'netbook'
        option output 'ACCEPT'
        list network 'netbook'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option src 'netbook'
        option dest 'wan'

config redirect
        option target 'DNAT'
        option name 'wireguard-netbook'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_port '51820'
        option dest_ip '192.168.3.11'
        option dest 'netbook'

config redirect
        option target 'DNAT'
        option name '80-nginx-netbook'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_port '80'
        option dest_ip '192.168.3.15'
        option dest 'netbook'

config redirect
        option target 'DNAT'
        option name '443-nginx-netbook'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_port '443'
        option dest_ip '192.168.3.15'
        option dest 'netbook'

config redirect
        option dest 'netbook'
        option target 'DNAT'
        option src 'lan'
        option src_dport '53'
        option dest_port '53'
        option dest_ip '192.168.3.12'
        option name 'Reenviar DNS de lan a AdGuardHome'

config redirect
        option dest 'netbook'
        option target 'DNAT'
        option src 'invitados'
        option src_dport '53'
        option dest_port '53'
        option dest_ip '192.168.3.12'
        option name 'Reenviar DNS de invitados a AdGuardHome'

# Drops outbound DNS (53) and DoT (853) from the server zone to the internet
# for every host except 192.168.3.14, so containers cannot bypass the local
# resolver. Reviewer note: the lan/invitados DNS redirects in this file send
# queries to 192.168.3.12 (AdGuardHome), yet the host exempted here is .14 —
# confirm that .12 reaches its upstream via .14 or over a port this rule does
# not cover (e.g. DoH on 443); otherwise its upstream lookups are dropped.
# DoH on 443 is not blocked by this rule at all.
config rule
        option name 'Bloquear servidores DNS en netbook'
        option src 'netbook'
        option dest 'wan'
        option target 'DROP'
        option dest_port '53 853'
        list src_ip '!192.168.3.14'

config rule
        option name 'DNS y DHCP para invitados'
        option src 'invitados'
        option dest_port '53 67'
        option target 'ACCEPT'

config rule
        option name 'DNS para netbook'
        option src 'netbook'
        option dest_port '53'
        option target 'ACCEPT'

# Input rule: accepts everything 192.168.3.11 (the WireGuard host targeted by
# the 51820 redirect) sends to the router itself. Reviewer note: there is no
# proto or dest_port, so this grants that one host access to every
# router-local service (ssh, LuCI, DNS, ...). If it only exists so the
# WireGuard side can use the router's DNS, narrow it with
# `option dest_port '53'` (or whichever service is actually required).
config rule
        option name 'Permitir entrada de WireGuard en netbook'
        option src 'netbook'
        list src_ip '192.168.3.11'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'netbook'
root@enrutador:~# cat /etc/config/network 

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option peerdns '0'
        list dns '45.90.28.46'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option device 'br-lan'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option description 'lan'
        option ports '0t 3 2 1'

config device
        option type 'bridge'
        option name 'br-invitados'

config interface 'invitados'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option defaultroute '0'
        option device 'br-invitados'

config interface 'telecentro'
        option proto 'dhcp'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option description 'netbook'
        option ports '0t 4'

config interface 'netbook'
        option proto 'static'
        option device 'eth0.2'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option defaultroute '0'

config device
        option name 'eth1'

You haven't allowed forwarding from the LAN and guest networks (192.168.1.0/24 and 192.168.2.0/24) to the server network (192.168.3.0/24) in your firewall. You'll need to allow this forwarding, at least to the destination host.

You'll probably also want to create a local DNS entry (split-horizon DNS) that points your public domain to the private address of the server (your.public.domain > 192.168.3.x). Hosts on the other two networks will then connect straight to the server network instead of trying to hairpin through the WAN address, and the forwarding rules described above will allow the routing to happen.


I have already set up forwarding to and from the server network. I have also bound the public domain to the internal IP of the server in AdGuardHome, but I still cannot access it from a client on LAN or GUESTS.

root@enrutador:~# cat /etc/config/firewall 

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option flow_offloading '1'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'telecentro'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'invitados'
        option output 'ACCEPT'
        list network 'invitados'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option src 'invitados'
        option dest 'wan'

config rule
        list dest_ip '224.0.0.251'
        option dest_port '5353'
        option target 'ACCEPT'
        option src 'invitados'
        list proto 'tcp'
        list proto 'udp'
        option name 'mDNS-Invitados'
        option family 'ipv4'

config rule
        option target 'ACCEPT'
        option src 'invitados'
        option dest 'lan'
        option family 'ipv4'
        list proto 'tcp'
        list proto 'udp'
        option dest_port '8008-8009 8443 32768-61000'
        option name 'Chromecast para Invitados'

config zone
        option name 'netbook'
        option output 'ACCEPT'
        list network 'netbook'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option src 'netbook'
        option dest 'wan'

config redirect
        option target 'DNAT'
        option name 'wireguard-netbook'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_port '51820'
        option dest_ip '192.168.3.11'
        option dest 'netbook'

config redirect
        option target 'DNAT'
        option name '80-nginx-netbook'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_port '80'
        option dest_ip '192.168.3.15'
        option dest 'netbook'

config redirect
        option target 'DNAT'
        option name '443-nginx-netbook'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_port '443'
        option dest_ip '192.168.3.15'
        option dest 'netbook'

config redirect
        option dest 'netbook'
        option target 'DNAT'
        option src 'lan'
        option src_dport '53'
        option dest_port '53'
        option dest_ip '192.168.3.12'
        option name 'Reenviar DNS de lan a AdGuardHome'

config redirect
        option dest 'netbook'
        option target 'DNAT'
        option src 'invitados'
        option src_dport '53'
        option dest_port '53'
        option dest_ip '192.168.3.12'
        option name 'Reenviar DNS de invitados a AdGuardHome'

config rule
        option name 'Bloquear servidores DNS en netbook'
        option src 'netbook'
        option dest 'wan'
        option target 'DROP'
        option dest_port '53 853'
        list src_ip '!192.168.3.14'

config rule
        option name 'DNS y DHCP para invitados'
        option src 'invitados'
        option dest_port '53 67'
        option target 'ACCEPT'

config rule
        option name 'DNS para netbook'
        option src 'netbook'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Permitir entrada de WireGuard en netbook'
        option src 'netbook'
        list src_ip '192.168.3.11'
        option target 'ACCEPT'

# lan -> netbook: lets management clients on the LAN reach the server zone.
config forwarding
        option src 'lan'
        option dest 'netbook'

# Reviewer note: the netbook->lan and netbook->invitados forwardings below let
# the server zone — which hosts the internet-exposed nginx and WireGuard
# endpoints — initiate connections *into* the client networks. They are not
# needed for replies to lan/guest-initiated traffic (the firewall is
# stateful), so a compromised container would gain lateral reach for no
# functional benefit. Keep lan->netbook (and invitados->netbook, or a narrower
# rule, if guests need the proxy) and drop the two reverse forwardings.
config forwarding
        option src 'netbook'
        option dest 'lan'

config forwarding
        option src 'invitados'
        option dest 'netbook'

config forwarding
        option src 'netbook'
        option dest 'invitados'

It appears you've set them up as redirects... I'm pretty sure they should just be rules (i.e. config rule, not config redirect).

To test this, can you connect to the server from the other two networks when you do it by IP (rather than domain name)?

Isn't forwarding and redirecting the same thing? Which of the rules would have to change?

kind of...
Earlier, I was referring to zone forwarding (which is different from a redirect-type port forward). Those are the config forwarding stanzas, and they are what allow the lan to reach the wan, for example. If you set up those zone forwarding stanzas between the zones in question, you should have inter-VLAN routing working properly.

If you don't want to allow the entire zones to be forwarded, you should do it as a config rule which accepts the allowed protocols with the desired destination zone and address.

I have returned to the previous configuration of forwarding between zones since from LAN I do want to access the NETBOOK network to configure, ssh, etc. In GUEST no.
I have also added these rules. I should clarify that I want to access a service with the IP 192.168.3.13 through the proxy with the IP 192.168.3.15. Which IP should I redirect to?

# Reviewer note: as written these two rules cannot help lan/guest clients and
# do not replace the DNAT redirects.
#  - `option src 'wan'` matches only traffic entering from the internet; with
#    the redirects disabled that traffic is addressed to the router's WAN
#    address and is never forwarded, and clients on lan or invitados are
#    never in the wan zone, so the rules do nothing for them.
#  - `option src_port '80'` / `'443'` match the *client's* source port, which
#    is an ephemeral port, not the service port — so the rules match nothing
#    in practice. Only dest_port should be filtered.
config rule
        option name 'nginx-80'
        list proto 'tcp'
        option src 'wan'
        option dest 'netbook'
        list dest_ip '192.168.3.15'
        option dest_port '80'
        option target 'ACCEPT'
        option src_port '80'

config rule
        option name 'nginx-443'
        list proto 'tcp'
        option src 'wan'
        option dest 'netbook'
        list dest_ip '192.168.3.15'
        option dest_port '443'
        option target 'ACCEPT'
        option src_port '443'

Now I can no longer access from the internet with these rules and with the previous ones disabled.

The reason you're having an issue now is that the source zone is wan: a plain rule with src wan only accepts traffic that a redirect has already translated to the server, so with the redirects disabled nothing from the internet reaches the server, and clients on lan or guest are never in the wan zone anyway. Keep the redirects for the internet and set the rule's source zone to lan or guest.

I had to re-enable the following redirects to be able to access from the internet.

config redirect
        option target 'DNAT'
        option name '80-nginx-netbook'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_port '80'
        option dest_ip '192.168.3.15'
        option dest 'netbook'

config redirect
        option target 'DNAT'
        option name '443-nginx-netbook'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_port '443'
        option dest_ip '192.168.3.15'
        option dest 'netbook'

I have also changed the source zone to Any zone.

# Reviewer note: these rules still cannot match real client traffic.
# `option src_port` filters on the client's *source* port, which is an
# ephemeral port, so `src_port '80'` / `'443'` are never satisfied — this is
# why guests cannot reach the proxy even though the rule exists. Drop the
# src_port lines and filter on dest_port only. `option src '*'` is also
# broader than needed (it includes wan); lan already reaches netbook through
# zone forwarding, so `option src 'invitados'` is sufficient.
config rule
        option name 'nginx-80'
        list proto 'tcp'
        option dest_port '80'
        option target 'ACCEPT'
        option src_port '80'
        option dest 'netbook'
        list dest_ip '192.168.3.15'
        option src '*'

config rule
        option name 'nginx-443'
        list proto 'tcp'
        option dest_port '443'
        option target 'ACCEPT'
        option src_port '443'
        option dest 'netbook'
        list dest_ip '192.168.3.15'
        option src '*'

I still can't access the service with my public domain.

can you access by IP (specifically 192.168.3.15) from your guest and lan networks?

From LAN yes, from GUEST no since it is not allowed to forward to the NETBOOK zone.

Good... that means that inter-VLAN routing is working as expected (assuming you have chosen not to allow the guest network to access the netbook zone, at least at this moment).

Go into your DNS settings and create a DNS entry for your domain and point it to 192.168.3.15

But that IP is that of the nginx proxy, not the "real" server that delivers a service.

but if the data is supposed to pass through the proxy, then you want to point there. If you don't need to pass through the proxy, then set the IP to the actual address of the server that has the relevant service.

But the Let's Encrypt certificate would no longer be used.

just try the proxy server (.15)... if it doesn't work, try pointing to the actual server.

But if I point the domains (there are several because they are different servers) to the same IP, the browser does not know where to connect. And if I point the domain that corresponds to the real server, one is accessible but the other is not. Also there is no green HTTPS.

Have you tried it?

What do you mean by this?

I am referring to pointing multiple domains to the proxy. I have now restarted the nginx container and it works (don't know if that's why) pointing the domains to nginx (192.168.3.15).
And I mean HTTPS green with which the browser recognizes that it is a secure site.
From LAN it works, but from GUESTS it doesn't.

config redirect
        option target 'DNAT'
        option name '80-nginx-netbook'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_port '80'
        option dest_ip '192.168.3.15'
        option dest 'netbook'

config redirect
        option target 'DNAT'
        option name '443-nginx-netbook'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_port '443'
        option dest_ip '192.168.3.15'
        option dest 'netbook'

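# Forward rules that let guests reach the nginx reverse proxy (192.168.3.15)
# on 80/443 only, not the rest of the server zone. lan already has a zone
# forwarding to netbook, so `src` is limited to invitados instead of '*'
# (which would also include wan). As originally posted these rules carried
# `option src_port '80'` / `'443'`; src_port matches the client's *source*
# port, which is ephemeral, so the rules never matched and guest access
# failed. Only the destination port is filtered now. The wan-side DNAT
# redirects above remain responsible for access from the internet.
config rule
        option name 'nginx-80'
        list proto 'tcp'
        option src 'invitados'
        option dest 'netbook'
        list dest_ip '192.168.3.15'
        option dest_port '80'
        option target 'ACCEPT'

config rule
        option name 'nginx-443'
        list proto 'tcp'
        option src 'invitados'
        option dest 'netbook'
        list dest_ip '192.168.3.15'
        option dest_port '443'
        option target 'ACCEPT'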

It works because you entered the domains into the DNS records. nginx works out which backend each request is for from the Host header (HTTP) or the SNI name (HTTPS) in the request itself, so pointing all the domains at the proxy is correct, and the certificate is still served by nginx exactly as it is for visitors from the internet.

Is this the desired state, or do you want it to work from guest too?