[solved] Routing between zones

first lan is on 10.1.1.x
second lan is on 10.10.1.x

from openwrt shell I can ping 10.10.1.2
from 10.1.1.15 ping to 10.1.1.2 says destination host unreachable

how can I add rules to allow traffic to flow between two zones?

Not enough information here... where is the first lan? Where is the second lan? Are there two routers involved here? If so, how are they connected?

Assuming both lans are on the same router with their own firewall zone, you'll need to have the lans listed in the "allow forward to destination zones" in each lan's respective firewall zone.

But @psherman has valid questions. If your lans are on separate routers, then you’ll need to add routes so the subnets can talk to each other and how to add those routes depends on if the routers are connected locally or over the internet.

Also it is very possible that 10.10.1.2 has its own firewall blocking requests from non local networks. So the packets are not blocked on the OpenWrt firewall, but on the host firewall.

Yep, I was tired and wrote the question without presenting the whole problem.

Both networks are in the same router on different interfaces.
lan network uses eth0 10.1.1.0/24
quarantine uses eth1 10.10.1.0/24

I tried adding forwarding rules lan zone to quarantine zone but when I ping 10.10.1.2 I get destination host unreachable

config forwarding
	option src 'lan'
	option dest 'Quarantine'

This suggests that @trendy's point is the next thing to look at... this could be a local Windows firewall issue.

You could allow forwarding from quarantine > lan so that you can test pings in the other direction (or quarantine > wan, but remember that this is XP so it lacks all modern security controls).... if those work, it would suggest that the issue is that everything is working on the router and that there is a problem on the XP system.

from the router console ping to 10.10.1.2 works

so general networking is functioning as expected. This means that it is a problem with the XP system... try disabling the firewall on windows.

I'm having trouble understanding this reply. My understanding of this situation is that seeing Windows XP on 10.10.1.2 reply to echo requests lets me know that the XP firewall does not block echo requests and that the problem is actually in the router.

ping from the router shell to 10.10.1.2 works, so the router knows how to route to 10.10.1.0/24
ping from 10.1.1.15 to 10.10.1.2 does not work; this means that the router blocks the traffic from lan to Quarantine

Trying to figure this one out I clicked all the buttons and somehow the Quarantine zone was empty.
I added the Quarantine interface to the covered networks of the Quarantine zone, and now "destination host unreachable" is gone, but now I get 100% loss.

What @psherman said is that the Windows machine may reply to pings from inside its own LAN but not from a different LAN.

Running tcpdump on the quarantine interface should show pings going out.

Actually, this is not routing at all. This is switching. This could be done between any two devices on the same network (10.10.1.0/24) without a router at all -- just a switch or a physically direct ethernet connection. The router has an address on that network, so it is not necessary for it to route.

In this case, we know that the router firewall is configured to allow this. We also know that Windows (modern versions anyway) specifically blocks ping requests (possibly in general) and certainly from other subnets by default. Therefore, attention needs to go to the Windows firewall.

If you want to prove that the router is working properly, put another host like a Mac, linux box, or even a raspberry pi on the quarantine network and then try the ping test.

I created another vm (10.10.1.3) with finnix live cd and connected it to the same network as XP

Ping from 10.10.1.3 to 10.10.1.1 works
Ping from 10.1.1.1 (OpenWrt shell) to 10.10.1.3 works
Ping from 10.1.1.15 to 10.10.1.3 .... 100% loss

root@OpenWrt:~# uci export network
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd17:5726:3a19::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.1.1.1'
	option ipv6 'off'

config interface 'wan'
	option proto 'pppoe'
	option username ''
	option password ''
	option device 'eth2'
	option ipv6 'off'

config interface 'wan6'
	option device 'eth2'
	option proto 'dhcpv6'


config device
	option name 'eth2'

config interface 'Quarantine'
	option device 'eth1'
	option proto 'static'
	option ipaddr '10.10.1.1'
	option netmask '255.255.255.0'
	option delegate '0'

root@OpenWrt:~# uci export firewall
package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option log '1'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'Quarantine'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Quarantine'

config forwarding
	option src 'lan'
	option dest 'Quarantine'

I've never used finnix... are you positive that it has its firewall disabled or at least is permissive of pings from other subnets? (I'm not saying that this is the problem, but it would be good to verify since we are trying to rule this issue out entirely. I know ubuntu doesn't block pings from other subnets).

I'll review the config files and see if I can spot any issues.

I am pretty sure that both XP and finnix can reply to ping if the router allows that.

I found this topic Zone Forwarding not Working - #4 by pavelgl that reports a similar issue.

The router doesn't have anything to do with 'allowing' (or not) the return of pings at the host level... obviously the router can prevent the traffic from flowing, but the question is if the host will respond in the first place (this is not always a given).

actually, the origin of these pings is 10.10.1.1 because it is coming from the router which has an address (10.10.1.1) on that network.

I'm not spotting any errors in your configuration. Have you restarted the router recently to make sure it's got the latest configuration loaded?

just a few seconds ago, after moving all the config zone declarations all the way to the top of the file, but I got the same results

does this distro have an ssh server enabled? You could try ssh'ing from your lan > quarantine. Or really any other simple service (like a web server) could be used. Sometimes pings can be an edge case that can cause false impressions of what is happening.

after moving the config zone declarations to the top of the /etc/config/firewall file, ping to 10.10.1.3 is now working

the firewall on Windows XP is turned off, but Windows XP replies to ping only from the router console

dsl400@10.1.1.15:~$ nmap -sT -Pn -p 3389 10.10.1.2

PORT     STATE    SERVICE
3389/tcp filtered ms-wbt-server

root@OpenWrt:~# nmap -sT -Pn -p 3389 10.10.1.2

PORT     STATE SERVICE
3389/tcp open  ms-wbt-server