PoP
December 4, 2021, 10:46pm
1
Hi all, been having a bit of trouble trying to set this up, this is my desired goal.
I want to be able to hit servers located within the 192.168.100.0/24 subnet from my PC.
I have set up a static route on the ASUS AC68U with the following details:
Network: 192.168.100.0
Netmask: 255.255.255.0
Gateway: 192.168.1.100
I have tried heaps of different configurations, during which if I hit any address in the 192.168.100.0/24 it would just take me to the LUCI interface of OpenWRT. I have tried adding a static route in OpenWRT from the WAN interface to the LAN Gateway. I tried bridging the WAN and LAN interface. I tried making the WAN interface a LAN interface. I have the firewall rules as open as possible. I noticed when I add static routes in the UI, they do not show up with an 'ip route'.
Any help is much appreciated
Did you turn off masquerading on the WAN zone? And did you allow forwarding from WAN > LAN? Those are both important.
If those don't fix the issues, let's see your configuration...
Please copy the output of the following commands and post it here using the "Preformatted text </>
" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/firewall
PoP
December 4, 2021, 11:32pm
3
Dam. I was confident when you said to disable masquerade that would be the issue, didn't realize that was a NAT. Heres the output
/etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fd69:59cc:2541::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.100.1'
config interface 'wan'
option device 'wan'
option proto 'static'
option netmask '255.255.255.0'
option gateway '192.168.1.1'
option ipaddr '192.168.1.100'
/etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option forward 'ACCEPT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option output 'ACCEPT'
option mtu_fix '1'
list network 'wan'
option input 'ACCEPT'
option forward 'ACCEPT'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config rule
option src 'wan'
option target 'ACCEPT'
config forwarding
option src 'wan'
option dest 'lan'
config rule
option src 'wan'
option dest 'lan'
option target 'ACCEPT'
config rule
option src 'lan'
option dest 'wan'
option target 'ACCEPT'
The route to 192.168.100.0/24 via 192.168.1.100
has to go on the Asus.
1 Like
You do not need the above (leave the forwarding wan > lan).
Check the local firewalls on your computers - windows in particular will not accept connections from other networks - only the local subnet is allowed by default.
PoP
December 5, 2021, 1:29am
6
That is where the route is.
Let's verify the way that is entered into the Asus. Can you show a screenshot of that?
Also, make sure you restart your firewall (or the entire router) on OpenWrt to ensure all the settings have taken effect.
PoP
December 5, 2021, 1:47am
8
I deleted the 2nd and 3rd, I believe I need the 1st to access the LUCI interface from my PC
No, in your case you don't. The reason is because you have the zone-level INPUT rule on the wan zone set to accept.
PoP
December 5, 2021, 1:48am
10
I have an unraid server as one of the servers and had been using that to determine if it all was working or not, clearly that was the mistake, I couldn't use tcpdump to determine if I was actually hitting it. I plugged in a linux laptop and hosted a python webserver and can hit that, so this just seems to be an unraid server issue now.
Thanks heaps for the help! Once I work out the unraid issue Ill add it here as well for completeness.
Glad the routing is working. As I said above, the local firewall rules on the various hosts can make it appear that the routing is not working... but the good news is now you know that's what you need to resolve.
PoP
December 5, 2021, 1:50am
12
Ah yeah that makes sense, I will eventually tighten up all the rules once I get past testing.
PoP
December 5, 2021, 1:51am
13
Yeah you saying that, prompted me to try the laptop because I can at least dump the traffic on that, but I didn't even need to get that far once I plugged it in and set up a test server.
PoP
December 5, 2021, 2:02am
14
Ah I solved it. The unraid server had a second interface on with a 192.168.1.1/24, disabled that and it works now.
system
Closed
December 15, 2021, 2:03am
15
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.