[Solved] Forward 2nd wired lan (from 2nd router) out to Internet

Hello all.

How can I forward a second wired network out of the WAN port? No Vlans. No wireless (AP).

-I have the LEDE 17.04 network 192.168.1.0
-Second router has 192.168.2.0.
-Both have STATIC ROUTES that work. x.x.2.x can ping x.x.1.1 and vice versa.
-Second router has firewall OFF. Forwarding both networks. Even proxy arp.

I don't need DHCP or DNS on 2nd network.

ROUTER1

me@lede:~# route -n
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         ISP     0.0.0.0         UG    0      0        0 eth0
ISP        0.0.0.0         255.255.224.0   U     0      0        0 eth0
ISP    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.2.0     192.168.1.250   255.255.255.0   UG    1      0        0 br-lan << STATIC ROUTE

cat /etc/config/network
config route << STATIC ROUTE
        option interface 'lan'
        option target '192.168.2.0'
        option netmask '255.255.255.0'
        option gateway '192.168.1.250'
        option metric '1'
        option mtu '1500'

me@Lede:~# ping -c1 192.168.2.233 < DHCP on x.x.2.0 network
PING 192.168.2.233 (192.168.2.233): 56 data bytes
64 bytes from 192.168.2.233: seq=0 ttl=127 time=0.887 ms WORKS

ROUTER 2

me@Router2:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

S>* 0.0.0.0/0 [1/0] via 192.168.1.1, eth0 < STATIC ROUTE & DEFAULT GATEWAY
C>* 127.0.0.0/8 is directly connected, lo
C>* 192.168.1.0/24 is directly connected, eth0
C>* 192.168.2.0/24 is directly connected, switch0

2nd network client

x.x.2.233>ping -n1 192.168.1.1
Sent=1, Received =1, Lost = 0 (0% Loss) WORKS

1st network client

x.x.1.30>ping 192.168.2.233
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss), WORKS

But x.x.2.0 network can't go out to the Internet.
Please help if you can. Appreciated.

[image: network_help]

If you connect the laptop to the LEDE box on its lan port and get a 192.168.1.x address, can you ping the internet, maybe 8.8.8.8 or something like that? Maybe you have a routing problem or firewall problem on the LEDE box?

You don't need a static route on router2, assuming you have a standard masquerade NAT configuration. Basically, the router at 192.168.2.1 already knows how to traverse up to the next level (192.168.1.1). Defining the static route may be what is messing that up.

Hello dlakelan
"if you connect the laptop to the LEDE box on its lan port and get a 192.168.1.x address, can you ping the internet,"
Absolutely. I'm on a PC on 192.168.1.0/24 now typing this.
I do think it's firewall related but not sure how to address it.

It's like the LEDE router is treating 192.168.2.x traffic like WAN traffic and drops it.

How can I tell the router to treat 192.168.2.x traffic on the lan interface like 192.168.1.1 traffic?
That seems like the root of the problem.

Hello psherman.
The static route for router2 is a default gateway. Maybe I should have called it just that.
"You don’t need a static route on router2, assuming you have a standard masquerade NAT configuration. "
192.168.2.x (router2) is a stub network without routing protocols.

Since Router2 is directly connected to router1 and 192.168.1.x network, it does know that network, but nothing past that. i.e Internet/0.0.0.0/0
The IP info for router2 (subnet mask, etc) was assigned by me, not DHCP from router1.

Nodes on 192.168.2.1 can PING 192.168.1.1 and vice versa, but the LEDE router drops outgoing traffic, like it's considering it unknown or WAN traffic.

Is there a way to tell the LEDE router that 192.168.2.x is trusted and internal? It doesn't seem to be able to tell this from its own local routing table.

[image: network_help2]

Let's back up a little bit so I understand the intent of your network setup. What are your goals? Why are you setting up two cascading routers (not challenging your setup, just trying to understand it)? What OS is each router running (if the picture is representative, you seem to have a Linksys facing the internet and an EdgeRouter in the middle -- is LEDE on both, or the stock OS on one or the other, etc.)? And how are they configured currently?

In general, double-NAT is not an ideal configuration, but it will typically work without too many issues. When both routers are in their standard/default operating mode (masquerade NAT), devices on the double-NAT layer will be able to reach the internet without issue (there are exceptions for certain protocols/applications, but general internet should be fine). Normally, in a SOHO type config (we're not talking internet backbone here), a router only needs to know about the network(s) it controls and the next hop out (i.e. the gateway). Here, because you are doing something else with the middle router, my statements don't totally apply... but I don't quite understand what you want to achieve and how things are setup right now.

Hello psherman
Goals: 2 wired local networks.
-default 192.168.1.1 unfiltered. Typical SOHO set-up
-192.168.2.1 filtered by Router2 but access to Internet via Router1(LEDE Router)

Reason: Special IP filtering of Network2 by Router2 firewall (which is turned off). IoT devices. Testing. etc.

OS:
Router1-LEDE 17.04
Router2-Ubiquiti EdgeRouter 1.7.1
You guessed right.

No special configs. LEDE install is fresh.
Static route. Some host file edits. Static dhcp leases. That's it. I got rid of all my openwrt configs.

Only NAT on LEDE. Firewall on Edge is off. No NAT or masquerading. Purely routing in the 1980s sense of routing. This setup is simple. Like the first diagram you see in a Cisco class. A->B<-C

All I want is the LEDE router to treat 192.168.2.1 like 192.168.1.1.

It's treating it like WAN. That's why I see messages like this:
Sun Feb 11 13:49:35 2018 daemon.warn dnsmasq[31885]: Ignoring query from non-local network
"non-local" is the clue.

How about this. How can I create a firewall zone WITHOUT an associated interface/bridge?
When I try in the luci GUI, it takes the lan interfaces from lan and leaves lan empty. Or stays empty itself.
[image: lede_zones]
Can I create a zone from a static route or another non-lan interface?
If no, then this request might be beyond the ability of this OS.

If I can add 192.168.2.1 to the Lan zone or its own zone, that might do it.

The log file you're seeing sounds like dnsmasq is seeing a DNS request coming from 192.168.2.x and refusing to respond to it because of permissions. Probably you should look into how to tell dnsmasq to respond to these DNS requests.

If you go to your second network and just try to ping something by ip address, say ping 8.8.8.8, does it work? Perhaps the only issue is dnsmasq isn't responding to DNS requests?
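The "Ignoring query from non-local network" message quoted earlier in the thread, and the "it treats 192.168.2.x like WAN" symptom, both come down to what the LEDE box considers directly attached. The following is an added example (not code from the thread or from LEDE) that models three checks the router actually makes: the longest-prefix routing lookup, a strict reverse-path check on ingress, and dnsmasq's `--local-service` source check. The routing entries are taken from the `route -n` output posted in the thread (the redacted ISP entries are folded into the default route; `eth1` is wan, `br-lan` is lan); the assumption that strict reverse-path filtering is on (`net.ipv4.conf.all.rp_filter=1`) is labelled in the code and can be switched off.

```python
"""Added example: why a second subnet behind the LAN looks like WAN traffic
to an OpenWrt/LEDE router until a route for it exists.

Firewall zones are bound to interfaces, not subnets, so a packet's zone is
whatever interface the routing table picks for it.  Without a route for
192.168.2.0/24 the default route wins both on ingress (reverse-path check)
and for the replies (which then leave via the WAN interface).
"""
import ipaddress

# Constructed from the thread's `route -n` output on the LEDE box.
ROUTES_WITHOUT_STATIC = [
    ("0.0.0.0/0", "eth1"),         # default route, wan
    ("192.168.1.0/24", "br-lan"),  # lan
]
STATIC_ROUTE = ("192.168.2.0/24", "br-lan")  # via 192.168.1.250 on br-lan
ROUTES_WITH_STATIC = ROUTES_WITHOUT_STATIC + [STATIC_ROUTE]

# Zone membership is per interface, as in /etc/config/firewall.
ZONE_OF = {"eth1": "wan", "br-lan": "lan"}

# Subnets with an address configured on a router interface.  dnsmasq with
# OpenWrt's default `localservice '1'` answers only sources inside these;
# a mere route to 192.168.2.0/24 does not make that subnet "local".
ATTACHED_SUBNETS = [ipaddress.ip_network("192.168.1.0/24")]


def egress_interface(routes, dst):
    """Longest-prefix match over (prefix, interface) pairs."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def forward_decision(routes, src, ingress, dst, strict_rp_filter=True):
    """Classify a forwarded packet the way the firewall sees it.

    Assumption: strict reverse-path filtering is enabled; pass
    strict_rp_filter=False to see the zone pair without that check.
    """
    if strict_rp_filter and egress_interface(routes, src) != ingress:
        return f"dropped: reverse path for {src} is not {ingress}"
    egress = egress_interface(routes, dst)
    return f"{ZONE_OF[ingress]} -> {ZONE_OF[egress]}"


def reply_zone(routes, client):
    """Zone through which replies (and NATed return traffic) to `client` leave."""
    return ZONE_OF[egress_interface(routes, client)]


def dns_query_accepted(src, attached=ATTACHED_SUBNETS):
    """dnsmasq --local-service: only directly attached subnets are served.

    On OpenWrt, `uci set dhcp.@dnsmasq[0].localservice='0'` disables the
    check; keep the wan zone's input policy at REJECT so port 53 stays
    closed towards the Internet.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in attached)


if __name__ == "__main__":
    client = "192.168.2.233"
    for label, routes in (("without static route", ROUTES_WITHOUT_STATIC),
                          ("with static route", ROUTES_WITH_STATIC)):
        print(label)
        print("  client -> 8.8.8.8:", forward_decision(routes, client, "br-lan", "8.8.8.8"))
        print("  replies to client leave via zone:", reply_zone(routes, client))
    print("dnsmasq answers", client, "->", dns_query_accepted(client))
```

Without the static route the model drops the client's packets on ingress and, even with reverse-path filtering off, routes the replies to 192.168.2.233 out the WAN interface (where the ISP discards the private address). With the route installed the packet becomes an ordinary lan-to-wan forward. The DNS check stays false either way, which matches the thread's final note that DNS had to be forwarded from router2.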

Ok, some thoughts...

First, upgrade your EdgeRouter to the latest firmware (1.10.0 was just released)... fixes bugs, improves security, adds features. Unless you have a very specific reason for sticking with the old version, I would highly recommend the upgrade.

Next, I'm really not sure what you are trying to do when it comes to IP filtering if there is no firewall enabled. What kind of filtering are you doing (or trying to do)? If you aren't using a firewall, there is little or no reason to have a second router unless you need a second address range. But if you don't have a firewall between the two 'zones,' there isn't really any filtering that will happen.

It really sounds like what you want is a VLAN config. The ER can absolutely setup VLANs, and presumably the LEDE device can, as well (depending on the hardware, but if it is recent, it almost certainly will). By setting up VLANs, you can have a unique address scope for your IoT/lab network (or make several, if you want) with full access to the internet that runs parallel to your trusted LAN but you can then control the level of inter-VLAN routing with the use of the LEDE firewall. You can have it open for full bi-directional communication, or limit it to one-way (2-way, really, but limiting it to just one side being able to initiate a connection), or completely isolate them, or really whatever you want. The VLANs can be associated 1-per port or you can trunk multiple VLANs over a single port.

As far as the firewall zones are concerned, they have to be associated with an interface, else they are useless, AFAIK. The basic idea of a firewall is that it evaluates each connection as one of three things (maybe not the best description, but these are the 3 basic criteria):

  1. coming into the firewall from a network/zone destined for the firewall/router itself (Input).
  2. coming into the firewall from a network/zone going to another network/zone (Forward)
  3. leaving the firewall destined for a network/zone (Output)

Hello dlakelan
"if you go to your second network and just try to ping something by ip address say ping 8.8.8.8 does it work?"
No, the LEDE router acting as the Internet gateway drops ALL packets from the 192.168.2.0 network. DNS, PING(ICMP), http, etc.

Hello psherman.
Thank you for assisting.

"I’m really not sure what you are trying to do when it comes to IP filtering if there is no firewall enabled."

For now, I'm trying to get the LEDE router to route. The diagram has 3 nodes including a PC.
I would turn the other firewall on when I can properly configure the LEDE router to route&NAT 192.168.2.0 to the Internet.
I have the Edge firewall off for troubleshooting's sake. The goal would be to enable it of course.

The EdgeRouter is operating like a hub and is routing anything sent to it.
I added multiple networks to the EdgeRouter and node-tested those and they're routing fine. It's the LEDE.

The LEDE drops any lan-traffic not 192.168.1.0.
The LEDE Router is treating ANY network traffic OTHER than 192.168.1.0 as un-established WAN and dropping it even though the static clearly says lan. See uci config.

root@LEDERouter:~# uci show network | grep route
network.@route[0]=route
network.@route[0].interface='lan' < LEDE ignores this
network.@route[0].netmask='255.255.255.0'
network.@route[0].gateway='192.168.1.250' < 192.168.1.0 facing port on Edge
network.@route[0].type='local' < LEDE ignores it
network.@route[0].target='192.168.2.1' < Edge other network with laptop.
network.@route[0].mtu='1500'
network.@route[0].metric='1' < doesn't seem to matter

"It really sounds like what you want is a VLAN config"
Not really what I want but I assume that's going to be required because LEDE can't associate zones with networks that are NOT directly connected i.e switchports.
If it really requires this OS to be a router-on-a-stick vlan solution, I might just use the Edge as the gateway and mothball the LEDE router or ebay it.
Hardware is Linksys 1900AC.

Thank you.

I updated the static route to have the target as 192.168.2.0 (and reloaded networking) and it still won't enter the LEDE's routing table:

config route
        option interface 'lan'
        option netmask '255.255.255.0'
        option gateway '192.168.1.250'
        option type 'local'
        option mtu '1500'
        option metric '1'
        option target '192.168.2.0'

root@LEDERouter:/etc/config# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         ISP             0.0.0.0         UG    0      0        0 eth1   < wan
ISP             0.0.0.0         255.255.224.0   U     0      0        0 eth1   < wan
ISP             0.0.0.0         255.255.255.255 UH    0      0        0 eth1   < wan
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan < lan

Before I updated to LEDE from OpenWRT it WOULD enter the routing table. Now it's not even doing that.
I wonder if this is some sort of bug.
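The two `config route` stanzas posted above differ from the original working one in two ways that stop the route from ever reaching the kernel table: a target of `192.168.2.1` with a /24 netmask has host bits set (the kernel refuses such a prefix), and `option type 'local'` asks for a local-table entry rather than a forwarding route. The script below is an added example (not code from the thread or from LEDE/netifd) that parses UCI route stanzas and flags exactly those mistakes before a network reload; the sample stanzas are constructed from the thread, and the interface-to-subnet map is an assumption (lan is 192.168.1.0/24 here).

```python
"""Added example: sanity-check OpenWrt/LEDE `config route` stanzas.

A route target must be the network address for its netmask, the `type`
should be left at the unicast default for a forwarding route, and the
gateway must be on-link for the named interface.  Any of these being wrong
means the route silently never appears in `route -n`.
"""
import ipaddress
import re

# Constructed input: the stanza from the thread that never got installed.
SAMPLE_BROKEN = """\
config route
        option interface 'lan'
        option netmask '255.255.255.0'
        option gateway '192.168.1.250'
        option type 'local'
        option mtu '1500'
        option metric '1'
        option target '192.168.2.1'
"""

# The same route with the network address as target and the default type.
SAMPLE_FIXED = """\
config route
        option interface 'lan'
        option target '192.168.2.0'
        option netmask '255.255.255.0'
        option gateway '192.168.1.250'
"""

# Assumption: subnet configured on each logical interface (from the thread).
IFACE_SUBNETS = {"lan": ipaddress.ip_network("192.168.1.0/24")}

_OPTION = re.compile(r"^option\s+(\w+)\s+'([^']*)'$")


def parse_routes(uci_text):
    """Return one dict of options per `config route` section."""
    routes, current = [], None
    for raw in uci_text.splitlines():
        line = raw.strip()
        if line.startswith("config route"):
            current = {}
            routes.append(current)
        elif current is not None:
            m = _OPTION.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return routes


def check_route(route, iface_subnets):
    """Return a list of problems; an empty list means the stanza is sane."""
    problems = []
    target = route.get("target")
    if not target:
        return ["no target"]
    mask = route.get("netmask", "255.255.255.255")
    try:
        ipaddress.ip_network(f"{target}/{mask}", strict=True)
    except ValueError:
        net = ipaddress.ip_network(f"{target}/{mask}", strict=False)
        problems.append(f"target {target}/{mask} has host bits set; "
                        f"use {net.network_address}")
    rtype = route.get("type", "unicast")
    if rtype != "unicast":
        problems.append(f"type '{rtype}' is not a forwarding route; "
                        f"remove the option (unicast is the default)")
    gw, iface = route.get("gateway"), route.get("interface")
    if gw and iface in iface_subnets:
        if ipaddress.ip_address(gw) not in iface_subnets[iface]:
            problems.append(f"gateway {gw} is not on-link for '{iface}' "
                            f"({iface_subnets[iface]})")
    return problems


def check_config(uci_text, iface_subnets=IFACE_SUBNETS):
    """Problems per route stanza, in file order."""
    return [check_route(r, iface_subnets) for r in parse_routes(uci_text)]


if __name__ == "__main__":
    for name, text in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        for probs in check_config(text):
            print(name, "->", probs or "ok")
```

Run it against `/etc/config/network` before `/etc/init.d/network reload`; the broken stanza reports both the host-bits target and the `local` type, while the fixed one reports nothing. The on-link gateway check also catches the other common mistake, a gateway that is not in the subnet of the interface the route is attached to.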

Your LEDE router probably believes that only 192.168.1.x is accessible via its LAN interface, and as such for security reasons it drops any IPs from another subnet. Your best bet is to do a VLAN setting for a second VLAN, create a new interface on LEDE connected to the VLAN, and give the LEDE box an ip in the 192.168.2.x range, then plug the second box into that port so it joins that VLAN... and set up a firewall rule for the appropriate forwarding. This should work fine.

Fixing the static route fixed the issue to some degree.
I had to set up dns forwarding on router2 but good enough.
Thank you.