Static IP setup and forwarding between networks

dariosalviwork · January 24, 2024, 11:14am

Hello,

I have a pretty simple setup that I am using for teaching IP networking to engineering students. Consider that this is one of a series of exercises, where the objective is to learn about IP subnetting and forwarding.

We have a number of routers with OpenWRT (Linkstar-H68K), each used by a small group of students. The idea is that students need to configure a setup with static IPs and static routing.

Here is the schema of the network for two of such groups:

net_all.drawio

Each group gets a private, "lan", network with address like 192.168.10.X /29. In this network, the router assigns IP addresses to the hosts with DHCP and gets a static IP for itself. As a "wan" network, the routers use a statically assigned IP address within the network 192.168.20.0 /24.

I have managed to configure the static IP addresses and the DHCP from the web interface of the router, but I am struggling to make the subnetworks communicate with each other.

For example, I can ping from 192.168.10.6 to 192.168.20.4 (the second router on its wan interface), but not to 192.168.10.25 (the second router on its private lan), nor 192.168.10.30 (the host on the second network).

I suspect that it may be related to how firewall and static routes are configured, but having tried different options I cannot make this relatively simple scenario work.

Is any kind sould here able to help me?
The students and mysefl will be very thankful!

Dario

egc · January 24, 2024, 11:21am

The firewall will block incoming traffic, you can make a traffic rule to allow RFC1918 traffic (/etc/config/firewall), something like:

config rule
	option name 'allow_forward'
	option src 'wan'
	option dest '*'
	option target 'ACCEPT'
	list src_ip '10.0.0.0/8'
	list src_ip '192.168.0.0/16'
	list src_ip '172.16.0.0/12'
	option enabled '1'

trendy · January 24, 2024, 11:34am

If this is just for lab purposes and there is no Internet connectivity from the wan interface, it would be simpler to either disable firewall or reassign wan interface under lan firewall zone.

eduperez · January 24, 2024, 2:39pm

Are those routers doing NAT? Are they configured to allow incoming traffic? How were those static routes configured?

dariosalviwork · January 24, 2024, 3:39pm

To give some context: the exercise is totally in a lab, devices are not connected to the Internet.

Addresses: no NAT is needed, subnetting should guarantee no conflicts with addresses (each group gets a separate subnet with 8 addresses, 6 for hosts).

Routing: I would simply like packets to flow from one subnetwork to another without restrictions. As they have just learned the concept of forwarding (but not routing algorithms) I want them to setup the forwarding rules manually.

trendy · January 24, 2024, 6:38pm

Then you can disable the firewall altogether to avoid any disruptions.

dariosalviwork · January 26, 2024, 1:40pm

Hi all, thanks for the suggestions. In the end it was sufficien to setup a static route to the destination network. Firewall defeaults didn't block packets.