Static route from WAN to LAN

Hi all, been having a bit of trouble trying to set this up, this is my desired goal.

I want to be able to hit servers located within the 192.168.100.0/24 subnet from my PC.

I have set up a static route on the ASUS AC68U with the following details:

Network: 192.168.100.0
Netmask: 255.255.255.0
Gateway: 192.168.1.100

I have tried heaps of different configurations, during which if I hit any address in the 192.168.100.0/24 it would just take me to the LuCI interface of OpenWrt. I have tried adding a static route in OpenWrt from the WAN interface to the LAN Gateway. I tried bridging the WAN and LAN interface. I tried making the WAN interface a LAN interface. I have the firewall rules as open as possible. I noticed when I add static routes in the UI, they do not show up with an 'ip route'.

Any help is much appreciated

Did you turn off masquerading on the WAN zone? And did you allow forwarding from WAN > LAN? Those are both important.

If those don't fix the issues, let's see your configuration...

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Damn. I was confident when you said to disable masquerade that would be the issue, didn't realize that was a NAT. Here's the output:

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd69:59cc:2541::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.100.1'

config interface 'wan'
        option device 'wan'
        option proto 'static'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        option ipaddr '192.168.1.100'

/etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option mtu_fix '1'
        list network 'wan'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config rule
        option src 'wan'
        option target 'ACCEPT'

config forwarding
        option src 'wan'
        option dest 'lan'

config rule
        option src 'wan'
        option dest 'lan'
        option target 'ACCEPT'

config rule
        option src 'lan'
        option dest 'wan'
        option target 'ACCEPT'

The route to 192.168.100.0/24 via 192.168.1.100 has to go on the Asus.

You do not need the above (leave the forwarding wan > lan).

Check the local firewalls on your computers - windows in particular will not accept connections from other networks - only the local subnet is allowed by default.

That is where the route is.

Let's verify the way that is entered into the Asus. Can you show a screenshot of that?

Also, make sure you restart your firewall (or the entire router) on OpenWrt to ensure all the settings have taken effect.

I deleted the 2nd and 3rd, I believe I need the 1st to access the LuCI interface from my PC.

No, in your case you don't. The reason is because you have the zone-level INPUT rule on the wan zone set to accept.

I have an Unraid server as one of the servers and had been using that to determine if it all was working or not. Clearly that was the mistake, I couldn't use tcpdump to determine if I was actually hitting it. I plugged in a Linux laptop and hosted a Python webserver and can hit that, so this just seems to be an Unraid server issue now.

Thanks heaps for the help! Once I work out the Unraid issue I'll add it here as well for completeness.

Glad the routing is working. As I said above, the local firewall rules on the various hosts can make it appear that the routing is not working... but the good news is now you know that's what you need to resolve.

Ah yeah that makes sense, I will eventually tighten up all the rules once I get past testing.

Yeah you saying that, prompted me to try the laptop because I can at least dump the traffic on that, but I didn't even need to get that far once I plugged it in and set up a test server.

Ah I solved it. The Unraid server had a second interface on with a 192.168.1.1/24, disabled that and it works now.
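
The firewall checks raised in this thread (masquerading on the wan zone, wan > lan forwarding, and ACCEPT rules that a zone policy or forwarding already covers) can be run as a script. This is an added example, not part of any post above; the function names `audit_firewall` and `sample_config` and the finding labels are assumptions, and the sample input is constructed from the posted config.

```sh
# Added example: audit an OpenWrt firewall config for the checks raised in this thread.
# Usage on the router: audit_firewall /etc/config/firewall  (reads stdin if no file is given)
audit_firewall() {
    awk -v q="'" '
    $1 == "config" { n++; kind[n] = $2; next }
    n && ($1 == "option" || $1 == "list") {
        v = $3; gsub("[\"" q "]", "", v)          # strip UCI quoting
        opt[n, $2] = v
    }
    END {
        for (i = 1; i <= n; i++) {                # pass 1: zone policies and forwardings
            if (kind[i] == "zone") {
                z = opt[i, "name"]; zin[z] = opt[i, "input"]
                if (z == "wan") masq = opt[i, "masq"]
            }
            if (kind[i] == "forwarding") fw[opt[i, "src"], opt[i, "dest"]] = 1
        }
        print ((masq == "1") ? "FAIL masq: wan zone NATs routed traffic" : "OK masq: off on wan zone")
        print ((("wan", "lan") in fw) ? "OK forwarding: wan > lan allowed" : "FAIL forwarding: wan > lan missing")
        if (zin["wan"] == "ACCEPT") print "WARN input: wan zone accepts all traffic to the router itself"
        for (i = 1; i <= n; i++) {                # pass 2: match-all ACCEPT rules
            if (kind[i] != "rule" || opt[i, "target"] != "ACCEPT" || opt[i, "enabled"] == "0") continue
            if ((opt[i, "proto"] opt[i, "dest_port"] opt[i, "src_ip"] opt[i, "dest_ip"]) != "") continue
            s = opt[i, "src"]; d = opt[i, "dest"]
            if (d == "" && zin[s] == "ACCEPT") print "REDUNDANT rule " s ": zone input is already ACCEPT"
            if (d != "" && ((s, d) in fw)) print "REDUNDANT rule " s " > " d ": covered by the forwarding"
        }
    }' "$@"
}

# Constructed sample: the wan zone, wan > lan forwarding and bare rules from the posted config.
sample_config() {
    cat <<'EOF'
config zone
        option name 'wan'
        option input 'ACCEPT'
config rule
        option src 'wan'
        option target 'ACCEPT'
config forwarding
        option src 'wan'
        option dest 'lan'
config rule
        option src 'wan'
        option dest 'lan'
        option target 'ACCEPT'
EOF
}

sample_config | audit_firewall
```

The WARN line is the item to revisit when tightening the rules after testing: with input ACCEPT on the wan zone, everything listening on the router is reachable from the 192.168.1.0/24 side.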