I'm trying to null route traffic for 192.168 network on my router (TpLink Archer C50 running 23.05).
It seems to work fine for a network of 192.168.0.0/24 (I get request timed out from ping).
If I change just the subnet to 192.168.0.0/16 it doesn't appear to work any more (I can ping and get responses from 192.168.0.1, for example). The current network doesn't have any 192.168.1.x addresses but the production one will.
Am I doing something wrong? Should I just add an extra null route for 192.168.1.0/24?
This generally isn’t necessary, but what is the practical reason for this effort (so that we can understand exactly what you want to achieve)?
You should upgrade to 24.10.
Why would you use a /16 subnet?
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
Aware of the danger of stating the obvious…
The default subnet for OpenWrt's lan interface is 192.168.1.0/24, which would be at odds with null-routing 192.168.0.0/16 (which would include the former). Maybe you've changed your lan subnets accordingly, but there isn't enough information to tell.
Thanks, I'll look at upgrading and see about supplying the info.
The reason for wanting to do this is that I'm using the router on an existing network to make a guest wired network to be able to use ethernet over power adapters.
The building in question has a lift shaft between the incoming internet and one of the locations we need publicly available wifi.
There are no mains sockets where a repeater can be put to reliably extend the range of the public network and it's not feasible (significant cost) to run cat5/6 cable.
Additionally, it's on a Virgin Business connection where the router doesn't support more than 10 guest connections so we've got to run additional hardware for the guest wifi network.
AFAIK most standard routers don't allow for (securely) segmenting one of the LAN ports and putting it on a 172.16 network with its own DHCP, hence OpenWrt.
Just for further info, the company is a charity and doesn't have a budget for any kind of mid-range kit that would allow this. I've considered using OPNsense or pfSense and have a PC it could run on, but where the connection comes in doesn't have the space for a PC: it's on a shelf, six feet up on a wall, 16 inches wide and 4 inches deep.
I've got a WAN interface which has a static IP on the broadband router's LAN 192.168.0.0/24 network.
The LAN interfaces are on a 172.16.1.0/24 network with DHCP issuing IP addresses.
I want to block any traffic from 172.16.1.0 network from accessing the secure network (192.168.0.0/24), hence the blackhole routing, while still allowing internet traffic.
I also have a firewall rule blocking TCP/UDP from LAN to 192.168.0.0/24 (not tried this rule on /16).
This rule seems to work - with null routing disabled I can ping but not access (via http/s, ssh etc) the devices on the 192.168.0.0/24 network.
I'm not entirely sure I need both, though I would prefer the null routing to the firewall rule if I had to choose. Partly it harks back to my training days on Novell Netware, where if you didn't have access to a share on the server you simply did not see it, as opposed to Windows where you see it but cannot access it. It makes sense (to me at least) not to be able to see which IP addresses are on the network you aren't allowed to access.
Thanks, with that would you advise a firewall rule to block everything in addition to the TCP/UDP traffic?
It's not a public facing network, but is used by members of the public whose device we have no control over.
Just realised one of your initial questions was:
Why would you use a /16 subnet?
The answer is that it felt right to block traffic to any potential devices that could be on the secure network - unlikely there's ever going to be anything other than 192.168.0.0 and 192.168.1.0 but just in case thought /16 would cover all bases for the future.
I realise I could Google this, but while I have the attention of a guru, I might as well ask: should I be 'rejecting' or 'dropping' the traffic in the firewall rule, and what's the difference in this context?
If you have a route for a /24 which is covered by/within the supernet of a /16, then the more specific route to that /24 of course "wins"/gets selected.
Null routes or black hole routes are used to avoid sending (local) traffic to the upstream ISP.
For example, if you don't use ALL rfc1918 networks but a client tries to send traffic to a network not in use locally, then this traffic would use the default route.
To avoid routing that traffic via the default route, you insert a null route for these rfc1918 networks.
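The longest-prefix rule described above, applied to the routing table the original poster described, as an added example that is not code from the thread or from OpenWrt. The table, interface names and next hop are assumptions reconstructed from the posts (WAN on 192.168.0.0/24 with the broadband router as default gateway, LAN on 172.16.1.0/24, plus the /16 blackhole); it shows why the /16 blackhole never catches 192.168.0.1, and includes a check for which /24s inside a blackholed supernet are actually covered.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    action: str       # "connected", "via", or "blackhole"
    detail: str = ""  # interface or next hop (assumed names)


# Routing table assumed from the thread (constructed sample, not dumped
# from a device): default via the broadband router, WAN connected to
# 192.168.0.0/24, LAN connected to 172.16.1.0/24, and the /16 blackhole.
TABLE = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "via", "192.168.0.1 dev wan"),
    Route(ipaddress.ip_network("192.168.0.0/24"), "connected", "wan"),
    Route(ipaddress.ip_network("172.16.1.0/24"), "connected", "lan"),
    Route(ipaddress.ip_network("192.168.0.0/16"), "blackhole"),
]


def lookup(table, dst):
    """Longest-prefix match: among routes containing dst, the one with
    the largest prefix length (the most specific) is selected."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def is_blackholed(table, dst):
    r = lookup(table, dst)
    return r is not None and r.action == "blackhole"


def uncovered_subnets(table, blackhole_prefix, new_prefixlen=24):
    """List the /24s inside a blackholed supernet that are NOT actually
    blackholed because a more specific route wins. Assumes the table has
    no routes longer than /24, so testing one address per /24 suffices."""
    net = ipaddress.ip_network(blackhole_prefix)
    return [str(s) for s in net.subnets(new_prefix=new_prefixlen)
            if not is_blackholed(table, s.network_address)]


if __name__ == "__main__":
    for dst in ("192.168.0.1", "192.168.1.5", "8.8.8.8"):
        print(dst, "->", lookup(TABLE, dst))
    print("not covered by the /16 blackhole:",
          uncovered_subnets(TABLE, "192.168.0.0/16"))
```

On the router itself, `ip route get 192.168.0.1` shows which route the kernel actually selects for a destination, which is the quickest way to confirm whether a null route is in effect.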