Subnet Firewall Restrictions LAN/dmz1/dmz2/dmzX

Hi,

I want to run a second subnet. For the sake of discussion, no VLAN in use. Everything untagged.
The hosts/servers in the second network should be able to be accessed via:

Wanted Connections 192.168.100.0/24 -> 192.168.6.0/28

  • PING
  • SSH - Port 22
  • Web Port 80/443

192.168.6.0/28 <-- no access outside of 192.168.6.0/28 should be granted.
(not even WAN/gateway for the moment)

             +-----+
             |Modem|
             +--+--+
                |                 Network Address:          192.168.100.0/24
             WAN|                 Usable Host IP Range:     192.168.100.1 - 192.168.100.254
          eth0.2|                 Broadcast Address:        192.168.100.255
            DHCP|                 Total Number of Hosts:    256
           +----+----+            Number of Usable Hosts:   254
           |ROUTER #1|            Subnet Mask:              255.255.255.0
           +----+----+
             LAN|
          eth0.1|
192.168.100.1/24|                          +---------+                   +--------------+
                +--------------------------+ROUTER #0+----------------+--+SERVER #1     |
                |                      LAN +---------+DMZ             |  |192.168.6.2/28|
             LAN|                   eth0.1            eth0.2          |  |192.168.6.2:80|
            eth0|        192.168.100.20/24            192.168.6.1/28  |  +--------------+
192.168.100.5/24|                                                     |
         +------+------+                                              |  +--------------+
         |Client Laptop|                                              +--+SERVER #2     |
         +-------------+                                                 |192.168.6.3/28|
                                                                         |192.168.6.3:80|
                                                                         +--------------+
                                  Network Address:             192.168.6.0/28
                                  Usable Host IP Range:        192.168.6.1 - 192.168.6.14
                                  Broadcast Address:           192.168.6.15
                                  Total Number of Hosts:       16
                                  Number of Usable Hosts:      14
                                  Subnet Mask:                 255.255.255.240

Settings on Router#1 are so far easy.

I just added a static route.
Target 192.168.6.0 => Gateway 192.168.100.20

root@router1:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.6.0     router2         255.255.255.240 UG    0      0        0 br-lan

On Router#2

root@router2:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.100.1   0.0.0.0         UG    0      0        0 eth0
192.168.6.0     *               255.255.255.240 U     0      0        0 net3
192.168.100.0   *               255.255.255.0   U     0      0        0 eth0

Firewall Settings: 
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

DMZ Settings.

config interface 'dmz'
        option proto 'static'
        option device 'net3'
        option gateway '192.168.100.1'
        option ipaddr '192.168.6.1'
        option netmask '255.255.255.240'
        option broadcast '192.168.6.15'

On Router2 - Firewall Settings

config zone
        option name 'dmz'
        list network 'dmz'
        option output 'REJECT'
        option input 'REJECT'
        option forward 'REJECT'
# Allow all LAN stations to SSH to DMZ stations
config rule
       option name 'ACCEPT-SSH-LAN-2-DMZ'
       option src 'lan'
       option dest 'dmz'
       option proto 'tcp'
       option family 'ipv4'
       option dest_port '22'
       option target 'ACCEPT'
       option enabled '1'

# Allow all LAN stations to :80 to DMZ stations
config rule
       option name 'ACCEPT-:80-LAN-2-DMZ'
       option src 'lan'
       option dest 'dmz'
       option proto 'tcp'
       option family 'ipv4'
       option dest_port '80'
       option target 'ACCEPT'
       option enabled '1'

# Allow all LAN stations to ICMP/Ping to DMZ stations
config rule
        option name 'Allow-Ping LAN-2-DMZ'
        option src 'lan'
        option dest 'dmz'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '1'

That works perfectly, so far.
From LAN I have access to the DMZ zone.

I want now to create more DMZ Zones and separate and firewall them against each other.

One of the DMZ Zones should be a central APT-MIRROR WebServer for my Debian systems.
So all the DMZ Zones should also be able to connect to the APT-MIRROR System via port 80. Port 80 only.

The DMZ LAN uses the following network: 192.168.6.16/28, with the Router#2 interface at 192.168.6.17 and the APT server at 192.168.6.18.

It's more or less a direct copy from DMZ to DMZ_APT.

Connections from LAN->DMZ_APT work super.

config zone
        option name 'dmz_apt'
        list network 'dmz_apt'
        option output 'REJECT'
        option input 'REJECT'
        option forward 'REJECT'

config rule
        option src 'lan'
        option dest 'dmz_apt'
        option proto 'tcp'
        option family 'ipv4'
        option dest_port '22'
        option target 'ACCEPT'
        option name 'ACCEPT-SSH-LAN-2-APT_DMZ'

config rule
        option src 'lan'
        option dest 'dmz_apt'
        option proto 'tcp'
        option family 'ipv4'
        option dest_port '80'
        option target 'ACCEPT'
        option name 'ACCEPT-:80-LAN-2-APT_DMZ'

config rule
        option src 'lan'
        option dest 'dmz_apt'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option name 'Allow-Ping LAN-2-APT_DMZ'
        list icmp_type 'echo-request'

Now comes my issue.

  Network Address:             192.168.6.0/28
  Usable Host IP Range:        192.168.6.1 - 192.168.6.14
  Broadcast Address:           192.168.6.15
  Total Number of Hosts:       16
  Number of Usable Hosts:      14
  Subnet Mask:                 255.255.255.240

  Network Address:             192.168.6.16/28
  Usable Host IP Range:        192.168.6.17 - 192.168.6.30
  Broadcast Address:           192.168.6.31
  Total Number of Hosts:       16
  Number of Usable Hosts:      14
  Subnet Mask:                 255.255.255.240

              +---------+                   +--------------+
            --+ROUTER #2+----------------+--+SERVER #1     |
              +-+-------+DMZ1            |  |192.168.6.2/28|
                |        eth0.2          |  |192.168.6.2:80|
           DMZ2 |        192.168.6.1/28  |  +--------------+
         eth0.3 |                        |
192.168.6.17/28 |                        |  +--------------+
                |                        +--+SERVER #2     |
                | +---------------+         |192.168.6.3/28|
                +-+SERVER #3      |         |192.168.6.3:80|
                  |192.168.6.18/28|         +--------------+
                  |192.168.6.18:80|
                  +---------------+

I now want my DMZ-zone systems to connect on port 80 to the systems in DMZ_APT,
so my DMZ servers can do their updates from another DMZ zone.

  • I now want to be able to connect from DMZ->DMZ_APT on port 80.
    And
  • From DMZ to the gateway, to do a DNS lookup.
    The dnsmasq on Router#2 binds to 192.168.6.17/28:53

apt.mydomain.lan ->

config rule
	option name 'http-80-APT'
	list proto 'tcp'
	option dest_port '80'
	option target 'ACCEPT'
	option family 'ipv4'
	option dest 'dmz_apt'
	option src 'dmz'

config rule
        option name 'ACCEPT-DNS-DMZ-2-LAN'
        option src 'dmz'
        option proto 'tcp udp'
        option family 'ipv4'
        option dest_port '53'
        option target 'ACCEPT'
        option dest '*'

I still do not get what else needs to be set to allow port 80/http to DMZ_APT and port 53/dns to the gateway.

Any idea which setting I am missing here?
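To make the routing side of the post concrete, here is an added example (not code from any post in this thread, and not OpenWrt's own) that parses the two `route` outputs quoted above and performs the longest-prefix-match lookup a router does for a destination. Router #1's table in the post shows only the static route, so its directly connected LAN route is assumed from the diagram; the hostname `router2` is taken to be 192.168.100.20 as the post's diagram shows, and the next-hop map that ties the two tables together is an assumption of this example.

```python
import ipaddress

# `route` output from the post, embedded as constructed strings. Router #1 in the
# post only shows its static route; its connected LAN route (192.168.100.1/24 in
# the diagram) is assumed here. "router2" is the name shown for 192.168.100.20.
ROUTER1_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.6.0     router2         255.255.255.240 UG    0      0        0 br-lan
192.168.100.0   *               255.255.255.0   U     0      0        0 br-lan
"""

ROUTER2_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.100.1   0.0.0.0         UG    0      0        0 eth0
192.168.6.0     *               255.255.255.240 U     0      0        0 net3
192.168.100.0   *               255.255.255.0   U     0      0        0 eth0
"""

# Assumed: the only next hop Router #1 names is Router #2, whose table is above.
NEXT_HOP_TABLES = {"router2": ROUTER2_TABLE}


def parse_route_table(text):
    """Turn `route` output into (network, gateway-or-None, iface) tuples."""
    routes = []
    for line in text.splitlines()[2:]:            # skip the title and header rows
        dest, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        if dest == "default":
            dest = "0.0.0.0"
        net = ipaddress.ip_network(f"{dest}/{mask}")  # dotted netmasks are accepted
        routes.append((net, None if gw == "*" else gw, iface))
    return routes


def lookup(text, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in parse_route_table(text) if addr in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    if best is None:
        return None
    net, gw, iface = best
    return {"route": str(net), "via": gw or "connected", "iface": iface}


def trace_from_lan(dst):
    """Follow next hops starting at Router #1 until the destination is on-link."""
    hops, table, name = [], ROUTER1_TABLE, "router1"
    while True:
        hit = lookup(table, dst)
        if hit is None:
            hops.append((name, None, "no route", None))
            return hops
        hops.append((name, hit["route"], hit["via"], hit["iface"]))
        if hit["via"] not in NEXT_HOP_TABLES:      # on-link, or a hop we have no table for
            return hops
        name, table = hit["via"], NEXT_HOP_TABLES[hit["via"]]


if __name__ == "__main__":
    for hop in trace_from_lan("192.168.6.2"):
        print(hop)
    print(lookup(ROUTER2_TABLE, "203.0.113.10"))  # off-net: falls through to the default route
```

Running it shows why the two routers differ: Router #1 is not on 192.168.6.0/28, so only its static route via 192.168.100.20 gets traffic there, whereas on Router #2 the /28 is a directly connected route and already wins the lookup on its own.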

Your post is a bit hard to read -- it's very long and the network and firewall files are fragmented.

I'm not sure I really understand the questions you are asking... can you tell us in simple bullets what you are trying to do that is not working?

Then, please post the complete network and firewall files (don't fragment them) -- this will make it much easier to understand the current state of your network.

Hmm, you are right.

Let's rephrase it.

Three Ethernet ports are connected to three different Subnets.

LAN  192.168.100.0/24 
DMZ1 192.168.6.0/28
DMZ2 192.168.6.16/28
             +---------+                   +--------------+
LAN eth0.1 --+ROUTER #2+----------------+--+SERVER #1     |
             +-+-------+ DMZ1              |192.168.6.2/28|
           DMZ2|         eth0.2            |192.168.6.2:80|
         eth0.3|         192.168.6.1/28    +--------------+
192.168.6.17/28|
               |
               |
               | +---------------+
               +-+SERVER #3      |
                 |192.168.6.18/28|
                 |192.168.6.18:80|
                 +---------------+
  • I have managed to give access from LAN -> DMZ for ssh/22, http/80 and ping. That's working. From LAN I can access hosts in DMZ1 or DMZ2. Hosts in their DMZ are not able to access anything outside of their DMZ.

  • I now want to give hosts in DMZ1 access to hosts in DMZ2 on port 80.
    A Debian system in DMZ1 should run apt update against the apt mirror in DMZ2.
    What is the firewall rule and/or zone config setting to enable a connection from 192.168.6.2 to 192.168.6.18 on port 80?

  • I want to give a host in DMZ1 access to the dnsmasq/53 server in the same DMZ1 subnet.
    What is the firewall rule and/or zone config setting to enable a connection from 192.168.6.2 to 192.168.6.1 on port 53?

Don’t forget about this:


Network and Firewall configs as requested @psherman

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option gateway '192.168.100.1'
	option broadcast '192.168.100.255'
	option device 'veth0'
	option ipaddr '192.168.100.20'

config interface 'dmz1'
	option proto 'static'
	option device 'veth1'
	option ipaddr '192.168.6.1'
	option netmask '255.255.255.240'
	option gateway '192.168.100.1'
	option broadcast '192.168.6.15'

config route
	option interface 'lan'
	option target '192.168.6.0/28'
	option gateway '192.168.100.1'

config interface 'dmz2'
	option proto 'static'
	option device 'veth2'
	option ipaddr '192.168.6.17'
	option netmask '255.255.255.240'
	option gateway '192.168.100.1'
	option broadcast '192.168.6.31'

config route
	option interface 'lan'
	option target '192.168.6.16/28'
	option gateway '192.168.6.17'

Firewall settings. WAN Interface is not connected/created.

root@vopenwrt:~# cat /etc/config/firewall 

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'

#DMZ1 Settings 
config zone
	option name 'dmz1'
	list network 'dmz1'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'

#LAN to DMZ1 Connections
config rule
	option name 'ACCEPT-SSH-LAN-2-DMZ1'
	option src 'lan'
	option dest 'dmz1'
	option proto 'tcp'
	option family 'ipv4'
	option dest_port '22'
	option target 'ACCEPT'

config rule
	option name 'ACCEPT-:80-LAN-2-DMZ1'
	option src 'lan'
	option dest 'dmz1'
	option proto 'tcp'
	option family 'ipv4'
	option dest_port '80'
	option target 'ACCEPT'

config rule
	option name 'Allow-Ping LAN-2-DMZ1'
	option src 'lan'
	option dest 'dmz1'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'


#DMZ1 DNS Lookup inside DMZ1
config rule
	option name 'ACCEPT-DMZ1-2-DNS'
	option src 'dmz1'
	option proto 'tcp udp'
	option family 'ipv4'
	option dest_port '53'
	option target 'ACCEPT'
	option dest '*'


#DMZ2 Setting
config zone
	option name 'dmz2'
	list network 'dmz2'
	option output 'REJECT'
	option input 'REJECT'
	option forward 'REJECT'

#LAN to DMZ2 Connections
config rule
	option src 'lan'
	option dest 'dmz2'
	option proto 'tcp'
	option family 'ipv4'
	option dest_port '22'
	option target 'ACCEPT'
	option name 'ACCEPT-SSH-LAN-2-APT_DMZ2'

config rule
	option src 'lan'
	option dest 'dmz2'
	option proto 'tcp'
	option family 'ipv4'
	option dest_port '80'
	option target 'ACCEPT'
	option name 'ACCEPT-:80-LAN-2-APT_DMZ2'

config rule
	option src 'lan'
	option dest 'dmz2'
	option proto 'icmp'
	option family 'ipv4'
	option target 'ACCEPT'
	option name 'Allow-Ping LAN-2-APT_DMZ2'
	list icmp_type 'echo-request'

#DMZ to DMZ connections
#Host in DMZ1 connects via http/80 to apt-mirror webserver in DMZ2
config rule
	option name 'http-80-APT'
	option src 'dmz1'
	option dest 'dmz2'
	list proto 'tcp'
	option dest_port '80'
	option target 'ACCEPT'
	option family 'ipv4'

The rule for #DMZ1 DNS Lookup inside DMZ1 is not working as expected/wanted.

The rule for #DMZ to DMZ connections #Host in DMZ1 connects via http/80 to apt-mirror webserver in DMZ2 is not working as expected/wanted.
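Added example, not from any post in this thread and not OpenWrt's own code: a small Python model of how OpenWrt classifies a `config rule` and which policy applies when no rule matches, run against a constructed excerpt of the firewall config posted above. It relies on one documented OpenWrt behaviour: a rule without `dest` is an input rule (traffic addressed to the router itself), while a rule with `dest` (including `dest '*'`) applies to forwarded traffic only. The model covers the input and forward paths; zone `output` policy and router-originated traffic are out of scope, as are `src_ip`/`dest_ip` matches. The UCI parser, the evaluator and the `FIXED_CONFIG` variant are all this example's own.

```python
import shlex

# Constructed excerpt of the /etc/config/firewall posted above (zone and rule names
# and values copied from it; LAN-to-DMZ rules and the unused wan zone left out).
FIREWALL_CONFIG = """
config defaults
    option input 'ACCEPT'
    option forward 'REJECT'
config zone
    option name 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
config zone
    option name 'dmz1'
    option input 'REJECT'
    option forward 'REJECT'
config zone
    option name 'dmz2'
    option input 'REJECT'
    option forward 'REJECT'
config rule
    option name 'ACCEPT-DMZ1-2-DNS'
    option src 'dmz1'
    option proto 'tcp udp'
    option dest_port '53'
    option target 'ACCEPT'
    option dest '*'
config rule
    option name 'http-80-APT'
    option src 'dmz1'
    option dest 'dmz2'
    list proto 'tcp'
    option dest_port '80'
    option target 'ACCEPT'
"""
# Same config with 'dest' dropped from the DNS rule: a rule without 'dest' is an
# input rule, i.e. it matches traffic addressed to the router itself (dnsmasq).
FIXED_CONFIG = FIREWALL_CONFIG.replace("    option dest '*'\n", "")

def parse_uci(text):
    """Parse UCI 'config/option/list' lines into a list of section dicts."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, key, *rest = shlex.split(line)
        if kind == "config":
            sections.append({"type": key})
        elif kind == "option":
            sections[-1][key] = rest[0]
        elif kind == "list":                       # repeated 'list' lines accumulate
            sections[-1].setdefault(key, []).append(rest[0])
    return sections

def port_matches(spec, port):
    # dest_port may be 'N', 'A-B' or a space-separated mix of both
    for item in str(spec).split():
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def rule_matches(rule, src, dest, proto, dport):
    if rule.get("src") not in (src, "*"):
        return False
    rule_dest = rule.get("dest")               # absent -> input rule; '*' -> forward to any zone
    if (rule_dest is None) != (dest is None) or (dest is not None and rule_dest not in (dest, "*")):
        return False
    protos = rule.get("proto", "tcp udp")      # 'list proto' or 'option proto "tcp udp"'
    if proto not in (protos if isinstance(protos, list) else protos.split()):
        return False
    if "dest_port" in rule and (dport is None or not port_matches(rule["dest_port"], dport)):
        return False
    return True

def evaluate(config_text, src, dest, proto, dport=None):
    """Return (verdict, reason); dest=None means the packet is for the router itself."""
    sections = parse_uci(config_text)
    zones = {s["name"]: s for s in sections if s["type"] == "zone"}
    defaults = next(s for s in sections if s["type"] == "defaults")
    for rule in (s for s in sections if s["type"] == "rule"):   # rules run before zone policies
        if rule_matches(rule, src, dest, proto, dport):
            return rule["target"], f"rule '{rule['name']}'"
    if dest is None:
        return zones[src].get("input", "REJECT"), f"zone '{src}' input policy"
    if any(f.get("src") == src and f.get("dest") == dest for f in sections if f["type"] == "forwarding"):
        return "ACCEPT", f"forwarding {src} -> {dest}"
    if src == dest:
        return zones[src].get("forward", "REJECT"), f"zone '{src}' forward policy"
    return defaults.get("forward", "REJECT"), "defaults forward policy (nothing matched)"

if __name__ == "__main__":
    for label, cfg in (("posted", FIREWALL_CONFIG), ("fixed", FIXED_CONFIG)):
        for flow in (("dmz1", "dmz2", "tcp", 80), ("dmz1", None, "udp", 53), ("dmz1", "lan", "udp", 53)):
            print(label, flow, "->", evaluate(cfg, *flow))
```

Two things fall out of the evaluation. The posted `ACCEPT-DMZ1-2-DNS` rule never reaches the router's own dnsmasq at 192.168.6.1, because `dest '*'` turns it into a forward rule and the packet to the router falls through to the zone's `input REJECT`; at the same time that `dest '*'` forwards DNS from DMZ1 to every other zone, LAN included, which is wider than the stated goal. Dropping the `dest` line makes it an input rule: DNS to the router is then accepted and DNS forwarding to LAN falls back to the default `forward REJECT`.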

The static routes are not necessary and can be deleted.

Remove the gateway and broadcast addresses...
When not specified, the gateway will be automatically assigned using the system default gateway (which is the upstream in most cases). Broadcast address, while correct, doesn't need to be specified since it is automatically calculated.

Do the same for dmz2

If you want traffic to be routable, you typically want output = ACCEPT.

Same for dmz2.
