[Solved] Guest network route to server in main network

My network is split into a main network and a guest network.
On the main network there is a server hosting a service that is exposed by port forwarding.

From the guest network it is not possible to connect to this server by its public IP.
There is internet access and everything else works in the guest network, except this one thing.
As a test, redirecting all port 443 traffic from the guest network to the server on the main network works. I don't know why I cannot reach it just by its public IP :confused:

During configuration I followed the official documentation:

Duplicate the port forwarding, replacing the source zone with the guest zone.

Let's assume this scenario; how do I check it?

iptables-save -c -t nat | grep -e 443

[1:60] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.130/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: razer_https (reflection)" -j SNAT --to-source 192.168.1.1
[1:60] -A zone_lan_prerouting -s 192.168.1.0/24 -d <remove_ip>/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: razer_https (reflection)" -j DNAT --to-destination 192.168.1.130:443
[16:700] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: razer_https" -j DNAT --to-destination 192.168.1.130:443

uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp udp'
firewall.@redirect[0].src_dport='30022'
firewall.@redirect[0].dest_ip='192.168.1.130'
firewall.@redirect[0].dest_port='22'
firewall.@redirect[0].name='razer_ssh'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].proto='tcp'
firewall.@redirect[1].src_dport='80'
firewall.@redirect[1].dest_port='80'
firewall.@redirect[1].dest_ip='192.168.1.130'
firewall.@redirect[1].name='razer_http'
firewall.@redirect[2]=redirect
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].proto='tcp'
firewall.@redirect[2].src_dport='443'
firewall.@redirect[2].dest_port='443'
firewall.@redirect[2].dest_ip='192.168.1.130'
firewall.@redirect[2].name='razer_https'
firewall.@redirect[3]=redirect
firewall.@redirect[3].target='DNAT'
firewall.@redirect[3].src='wan'
firewall.@redirect[3].dest='lan'
firewall.@redirect[3].proto='tcp udp'
firewall.@redirect[3].src_dport='1194'
firewall.@redirect[3].dest_ip='192.168.1.130'
firewall.@redirect[3].dest_port='1194'
firewall.@redirect[3].name='razer_vpn'
firewall.@redirect[4]=redirect
firewall.@redirect[4].target='DNAT'
firewall.@redirect[4].src='wan'
firewall.@redirect[4].dest='lan'
firewall.@redirect[4].dest_ip='192.168.1.130'
firewall.@redirect[4].proto='gre'
firewall.@redirect[4].name='razer_vpn-grp'
firewall.@redirect[5]=redirect
firewall.@redirect[5].target='DNAT'
firewall.@redirect[5].src='wan'
firewall.@redirect[5].dest='lan'
firewall.@redirect[5].proto='tcp udp'
firewall.@redirect[5].src_dport='1723'
firewall.@redirect[5].dest_ip='192.168.1.130'
firewall.@redirect[5].dest_port='1723'
firewall.@redirect[5].name='razer_vpn-pptp'
firewall.@redirect[6]=redirect
firewall.@redirect[6].target='DNAT'
firewall.@redirect[6].src='wan'
firewall.@redirect[6].dest='lan'
firewall.@redirect[6].proto='tcp udp'
firewall.@redirect[6].src_dport='30024'
firewall.@redirect[6].dest_ip='192.168.1.140'
firewall.@redirect[6].dest_port='22'
firewall.@redirect[6].name='SSH_predator'
firewall.@redirect[6].enabled='0'
firewall.@redirect[7]=redirect
firewall.@redirect[7].dest_port='21'
firewall.@redirect[7].src='wan'
firewall.@redirect[7].name='blackpearl-ftp'
firewall.@redirect[7].src_dport='10621'
firewall.@redirect[7].target='DNAT'
firewall.@redirect[7].dest_ip='192.168.1.130'
firewall.@redirect[7].dest='lan'
firewall.@redirect[7].proto='tcp udp'
firewall.@redirect[7].enabled='0'
firewall.@redirect[8]=redirect
firewall.@redirect[8].dest_port='20'
firewall.@redirect[8].src='wan'
firewall.@redirect[8].name='blackpearl-ftp-data'
firewall.@redirect[8].src_dport='10620'
firewall.@redirect[8].target='DNAT'
firewall.@redirect[8].dest_ip='192.168.1.130'
firewall.@redirect[8].dest='lan'
firewall.@redirect[8].proto='tcp udp'
firewall.@redirect[8].enabled='0'
firewall.@redirect[9]=redirect
firewall.@redirect[9].dest_port='30000-30100'
firewall.@redirect[9].src='wan'
firewall.@redirect[9].name='blackpearl-ftp-range'
firewall.@redirect[9].src_dport='30000-30100'
firewall.@redirect[9].target='DNAT'
firewall.@redirect[9].dest_ip='192.168.1.130'
firewall.@redirect[9].dest='lan'
firewall.@redirect[9].proto='tcp udp'
firewall.@redirect[9].enabled='0'
firewall.@redirect[10]=redirect
firewall.@redirect[10].dest_port='22'
firewall.@redirect[10].src='wan'
firewall.@redirect[10].name='ssh_L340'
firewall.@redirect[10].src_dport='50622'
firewall.@redirect[10].target='DNAT'
firewall.@redirect[10].dest_ip='192.168.1.206'
firewall.@redirect[10].dest='lan'
firewall.@redirect[10].enabled='0'
firewall.@redirect[11]=redirect
firewall.@redirect[11].dest_port='8333'
firewall.@redirect[11].src='wan'
firewall.@redirect[11].name='razer_bitcoin'
firewall.@redirect[11].src_dport='8333'
firewall.@redirect[11].target='DNAT'
firewall.@redirect[11].dest_ip='192.168.1.130'
firewall.@redirect[11].dest='lan'
firewall.@zone[2]=zone
firewall.@zone[2].input='REJECT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].name='guest'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].network='guest'
firewall.@rule[7]=rule
firewall.@rule[7].dest_port='53'
firewall.@rule[7].src='guest'
firewall.@rule[7].name='guest dns'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].src='guest'
firewall.@rule[8].name='guest dhcp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[8].dest_port='67-68'
firewall.@rule[8].proto='udp'
firewall.@rule[9]=rule
firewall.@rule[9].dest='lan'
firewall.@rule[9].src='guest'
firewall.@rule[9].target='DROP'
firewall.@rule[9].dest_ip='192.168.1.0/24'
firewall.@rule[9].name='guest drop to lan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[1].src='guest'
firewall.@zone[3]=zone
firewall.@zone[3].name='iot'
firewall.@zone[3].input='REJECT'
firewall.@zone[3].forward='REJECT'
firewall.@zone[3].network='iot'
firewall.@zone[3].output='ACCEPT'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].dest='wan'
firewall.@forwarding[2].src='iot'
firewall.@rule[10]=rule
firewall.@rule[10].dest_port='53'
firewall.@rule[10].src='iot'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].name='IoT dhns'
firewall.@rule[11]=rule
firewall.@rule[11].dest_port='67-68'
firewall.@rule[11].src='iot'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].proto='udp'
firewall.@rule[11].name='IoT dhcp'
firewall.@rule[12]=rule
firewall.@rule[12].src='iot'
firewall.@rule[12].dest='lan'
firewall.@rule[12].dest_ip='192.168.1.0/24'
firewall.@rule[12].target='DROP'
firewall.@rule[12].name='IoT drop to lan'
uci set firewall.@rule[9].enabled="0"
uci -q delete firewall.guest_https
uci set firewall.guest_https="redirect"
uci set firewall.guest_https.name="Redirect-HTTPS-Guest"
uci set firewall.guest_https.src="guest"
uci set firewall.guest_https.src_dip="${WAN_IP}"
uci set firewall.guest_https.src_dport="443"
uci set firewall.guest_https.dest="lan"
uci set firewall.guest_https.dest_ip="192.168.1.130"
uci set firewall.guest_https.proto="tcp"
uci set firewall.guest_https.target="DNAT"
uci commit firewall
/etc/init.d/firewall restart

Reloaded the config from backup, applied it again, and it works!
Thank You very much!

