Troubleshooting Forwarding Between Firewall Zones

Hello - I'm trying to set up two firewall zones so that I can access devices in the shared zone from the lan zone, but not in reverse. (I.e. no access to lan from shared.)

My assumption was that, given that I have forwarding from the lan zone to the shared zone, I would be able to ping a device in the shared zone from the lan zone, but the ping just hangs. (No timeout error.)

Presumably something isn't configured correctly, but I'm not sure what the issue is? Is it because of the bridge setup?

Output from cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'shared'
	list network 'SHARED'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option dest 'wan'
	option src 'shared'

config forwarding
	option src 'lan'
	option dest 'shared'

config forwarding
	option src 'guest'
	option dest 'shared'

Output from cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fddd:f73e:eb33::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.1'

config device
	option name 'eth0.2'
	option macaddr 'c0:c9:e3:4f:bf:7a'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option description 'LAN'
	option ports '0t 2t 3 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'
	option description 'WAN'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option description 'GUEST'
	option ports '0t 2t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '4'
	option description 'SHARED'
	option ports '0t 2t 4'

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'eth0.3'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config device
	option type 'bridge'
	option name 'br-shared'
	list ports 'eth0.4'

config interface 'SHARED'
	option proto 'static'
	option device 'br-shared'
	option netmask '255.255.255.0'
	option ipaddr '192.168.4.1'
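As an added example (not code from the thread), here is a small Python script that parses the zone and forwarding sections above in UCI format and evaluates the inter-zone forward policy the way fw3/fw4 does: an explicit forwarding section permits one direction only, and the one-way lan to shared rule still lets a ping work because the echo-reply returns through conntrack. The sample config is copied from the post; the parser and policy function are assumptions of this example, not an OpenWrt API.

```python
import re
# Constructed sample: the zone and forwarding sections relevant to the
# lan -> shared question, taken from the poster's /etc/config/firewall.
FIREWALL_UCI = """
config defaults
    option forward 'REJECT'
config zone
    option name 'lan'
    option forward 'ACCEPT'
config zone
    option name 'shared'
    option forward 'ACCEPT'
config forwarding
    option src 'lan'
    option dest 'shared'
"""

def parse_uci(text):
    """Parse UCI text into [(section_type, {key: value or [values]}), ...]."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$", line)
        if not m:
            continue  # blank or unrecognised line
        kind, key, val = m.groups()
        if kind == "config":
            sections.append((key, {}))
        elif kind == "option":
            sections[-1][1][key] = val
        else:  # 'list' keys may repeat
            sections[-1][1].setdefault(key, []).append(val)
    return sections

def forward_policy(sections):
    """Build policy(src, dst) with fw3/fw4 semantics: a 'forwarding' section
    accepts src->dest in that direction only (replies return via conntrack, so a
    lan->shared ping still gets its echo-reply); same-zone traffic follows the
    zone's 'forward' option; everything else uses the 'defaults' forward."""
    default, zone_fwd, allowed = "REJECT", {}, set()
    for stype, opts in sections:
        if stype == "defaults":
            default = opts.get("forward", default)
        elif stype == "zone":
            zone_fwd[opts["name"]] = opts.get("forward", default)
        elif stype == "forwarding":
            allowed.add((opts["src"], opts["dest"]))
    def policy(src, dst):
        if (src, dst) in allowed:
            return "ACCEPT"
        return zone_fwd.get(src, default) if src == dst else default
    return policy

POLICY = forward_policy(parse_uci(FIREWALL_UCI))
```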

Where are you pinging from (the router, or a host on the lan)? What are the hosts involved (what operating system or type of device)? Do they respond to pings when tested from the same network?


Hi

As I see it, your port 2 is a tagged (trunk) port with VLAN 3 & VLAN 4,
and port 4 is an access port for (maybe) a shared NAS?

Does the GUEST network (VLAN 3) work as expected?

Could you try to ping 8.8.8.8 from your (shared) NAS?

It looks like you want the SHARED device to access the WAN, so it is a good test for connectivity.


I was trying to ping it from a laptop on the lan network. After your comment, I did try logging into the router directly and pinging from the router. That works fine. And yes, if I move the device from the shared network to the lan network, I can ping it, ssh in, etc.

As I see it, your port 2 is a tagged (trunk) port with VLAN 3 & VLAN 4,
and port 4 is an access port for (maybe) a shared NAS?

Yeah, that's basically the idea. I have some downstream dumb access points; hence the vlans and tagging, and then some shared resources that I want everything to be able to access.

Does the GUEST network (VLAN 3) work as expected?

Guest network works fine.

Could you try to ping 8.8.8.8 from your (shared) NAS?

I'm able to access the wan from all three networks (lan, guest, and shared). I just can't access the networks from each other. This is fine for lan/guest, because I don't want those interacting, but I want them both to be able to access the shared network, which I can't seem to figure out.

You still haven't said what OSes are involved here.

Specifically, if it is Windows, you probably need to change the firewall settings since it will, by default, block connections from other subnets. You can turn off the firewall temporarily to see if that is the problem.


My bad. OS is Debian.

Maybe you have some PBR package or similar which intercepts/messes with routing?

According to your write-up,
lan, guest, and shared all have access to wan;
lan, guest, and shared could not communicate with each other.

It looks like the 3 networks have a good GW pointing at OWRT.

So I have no other clue; maybe some L2 bridge filtering or some routing package could interfere.


I finally figured this out, and - well - suffice to say, I'm an idiot. :sweat_smile:

I was running a VPN on my local machine, the one that I was pinging from. I could still reach other local resources on the same subnet, but when I tried to ping those with a different subnet, the VPN didn't know what to do with the packet. Turning off the VPN and everything works just fine.

Now I just need to figure out how to get the VPN to realize those ip addresses are also local.

Edit: My missing the obvious aside, thank you for your help on this! :slight_smile:
