Static Route not working

My network has 4 VLANs (all untagged), and a WAN.
I am using 192.168.11.1 .. 192.168.14.1

Now in the 192.168.12.0 VLAN / subnetwork, there is a (3rd party) router as a client with IP 192.168.12.253.
This router is the only one that can reach a specific "hidden" internet network with specific services, in the range 84.38.113.0/24 (and 84.38.112.0/24).

I thought this was an easy task.
I added a static route on that interface VLAN (192.168.12.0) to the target network 84.38.113.0/24 with that 192.168.12.253 router as gateway.
Unfortunately, completely unsuccessful. It looks like OpenWrt ignores that route and tries to go over the standard gateway, and fails, and I have no idea why. I did reboot, often.
I turned the firewall off (allowed all zones to connect everywhere, all protocols) to be sure that this is not the reason for the failure.
Please see the screenshot with all configuration info and the unsuccessful tracert.

If I configure the same route on one Windows client (on machine 192.168.12.200) directly on the client, it works.
I have no idea left; it seems I am too dumb. Many, many thx for helping out in advance.

Working Windows client (route added directly on the client)

Hi

As in your screenshot with tracert:
no, it does NOT go to the standard gateway,
it is only step 1 and step 2 in tracert.
So, I suppose that your primary router tries to forward traffic to 192.168.12.253 (unknown router) and there is some kind of block/firewall on this unknown router.
It is unknown how this second (unknown) router is attached to OWRT?


Just a thought: does 192.168.12.253 perform NAT so that the main router knows how to return to this router?

Thx for analyzing.
The router is on 192.168.12.253.
The IP was set statically in the router. No DHCP.
It's connected over a switch with the OpenWrt device. The OpenWrt device has the IP 192.168.12.1 and acts as DHCP etc., and serves well for all machines in the 192.168.12.0 network.

I did not add the static IP into the 3rd party router; a technician did it.

It seems that the 3rd-party router works; see the screenshot from the Windows machine where I added the route manually on the machine.

Yes, it is a valid question, but we have no info about this second router, so I was saving my ideas for later :smiley:

Hmm. Yes, I am sure the 3rd party router does NAT. If you look at the last screenshot where the Windows machine is successful, you see the 3rd party router translating the 84.. IP address into a 10.. address.

The question is:
how is the second router attached? With the WAN port?
If so (logical), then there must be some kind of firewall on this R#2 which prevents connections flowing from WAN to LAN/VPN/whatever.


OK, let's try to answer it this way.
The Windows machine that is successful is in the 192.168.12.0 network, connected through the same switch with the OpenWrt device (192.168.12.1) as the 3rd party router (192.168.12.253).

I opened a PuTTY session on the OpenWrt device and pinged that 3rd party router. See screenshot, please.

I did read your question again.
I must confess I can't tell you if the connection between OpenWrt and that 3rd party router is over the WAN port or a LAN port, but it seems clear that the 3rd party router does some NAT, as seen on the screenshot from the successful Windows machine.

I would like to add one more piece of info that might help.

If I ping the 3rd party router (192.168.12.253) from a machine in the 192.168.11.0 network, it does not answer. If I ping another Windows machine in the 192.168.12.0 network, the ping works.
Somehow the 3rd party router seems to be picky. It (maybe) only answers packets that originate from "its" network (192.168.12.0).

The failing tracert originates from a machine in the 192.168.12.0 network. It sends packets to the OpenWrt device, which should route the packets to the 3rd party router 192.168.12.253. Is it possible that the problem originates here? That the 3rd party router for some reason does not accept the routed packets from the OpenWrt device (192.168.12.1)?

OK, you don't provide answers ... how can we help you?

Almost every firewall allows ping on the WAN side.
Almost every firewall blocks tracert.
Every firewall blocks the WAN -> LAN flow for new connections incoming from the WAN side.

So, until you provide answers to the questions ...


I really appreciate your analyses, questions and hints.
As I cannot access the 3rd party router currently, let's assume you are right and we are connected to the WAN port.

The question remains: why does the tracert of the Windows machine (that has a static route configured), being on the same switch as the OpenWrt device (and therefore also going through the WAN port with its tracert), get through, while the OpenWrt device that acts as router does not get through when trying to route packets of another Windows machine (without a static route configured on that machine directly) in the 192.168.12.0 network?

I will draw the situation to make things clearer.

Thx again for helping me out.

Here is a drawing of the situation:

  • Allow forwarding on the LAN zone
  • If that doesn't work, provide the information requested by NPeca75


EDIT:

BTW, you can define this as one range - 84.38.112.0/23


BIG THX !!
The forwarding did the job.

I would be grateful if somebody who understands this could explain why this setting is necessary / why it works with forwarding enabled.

Many thx !!!


Sure - simple:

  • Your SRC device is in network/zone x
  • Your Router No. 2 is in network/zone x
  • This means a forwarding allow rule is required
  • The default forwarding rule in your screenshot was set to Reject (not sure how that changed from the default)
  • Changing to Accept fixes this

To be clear, the "Forward" rules for the zone mean "Intra-zone Forwarding" (i.e. across routers/interfaces in the same zone), which is why it must be allowed.
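An added illustration (not from the thread and not OpenWrt's own code) of the two decisions the explanation above combines: the kernel's longest-prefix route lookup, which picks the 84.38.112.0/23 route via 192.168.12.253 over the default gateway, and the firewall's zone logic, where an ingress and egress interface in the same zone fall under that zone's own `forward` option instead of an inter-zone forwarding rule. The interface names, the zone layout and the 203.0.113.1 WAN gateway are constructed assumptions.

```python
import ipaddress

# Constructed model of the thread's setup: four untagged VLAN interfaces, a WAN,
# and one static route via the 3rd-party router on VLAN 12 (the /23 from the thread).
ROUTES = [  # (prefix, gateway, interface); gateway None = directly connected
    ("84.38.112.0/23", "192.168.12.253", "vlan12"),
    ("192.168.11.0/24", None, "vlan11"),
    ("192.168.12.0/24", None, "vlan12"),
    ("192.168.13.0/24", None, "vlan13"),
    ("192.168.14.0/24", None, "vlan14"),
    ("0.0.0.0/0", "203.0.113.1", "wan"),  # placeholder ISP gateway (assumed)
]
ZONE_OF = {"vlan11": "lan", "vlan12": "lan", "vlan13": "lan",
           "vlan14": "lan", "wan": "wan"}
# Zone-level 'forward' option = intra-zone forwarding policy (the setting the thread fixed).
ZONE_FORWARD = {"lan": "REJECT", "wan": "REJECT"}
# Inter-zone 'config forwarding' entries as (src zone, dest zone) pairs.
FORWARDINGS = {("lan", "wan")}

def lookup(dst):
    """Longest-prefix match as the kernel does; returns (gateway, out interface)."""
    ip = ipaddress.ip_address(dst)
    best = max((r for r in ROUTES if ip in ipaddress.ip_network(r[0])),
               key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return best[1], best[2]

def forward_decision(src_if, dst, zone_forward=ZONE_FORWARD):
    """Simplified zone logic: same ingress/egress zone -> the zone's 'forward' option;
    different zones -> an explicit forwarding entry is needed.
    Returns (verdict, nexthop, out interface)."""
    nexthop, out_if = lookup(dst)
    src_zone, dst_zone = ZONE_OF[src_if], ZONE_OF[out_if]
    if src_zone == dst_zone:
        verdict = zone_forward[src_zone]
    else:
        verdict = "ACCEPT" if (src_zone, dst_zone) in FORWARDINGS else "REJECT"
    return verdict, nexthop, out_if

if __name__ == "__main__":
    # Client on VLAN 12 reaching the hidden network: route is correct, but with the
    # zone's forward set to REJECT the packet is dropped; with ACCEPT it goes out.
    print(forward_decision("vlan12", "84.38.113.10"))
    print(forward_decision("vlan12", "84.38.113.10", {"lan": "ACCEPT", "wan": "REJECT"}))
    # Ordinary internet traffic is inter-zone and uses the lan->wan forwarding entry.
    print(forward_decision("vlan12", "1.1.1.1"))
```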

Many thx again for the explanation.

If I understand right, this is also the setting that would forbid two devices on the same network (e.g. a guest network) from talking to each other (if they need to take a route over the router to talk to each other).

I always thought that "forward" only makes sense if there is more than one network in a zone.
Learned something very useful again, thx.

  • Yes, this is correct in the case of clients on 2 different PHYs (e.g. Wireguard interface and Ethernet in the same LAN zone) - or as in your case, routing across 2 different Ethernet interfaces
  • It will not stop LAN talk on the same bridge, Ethernet, Layer 2 network, etc.

Correct, in this case you do have more than one network in the same zone.

84.38.112.0/23 via 192.168.10.253 dev v12_latido

