Troubleshooting Port Redirection

I am trying to set up a slightly non-trivial network configuration.

I have:

  • one fast fiber uplink with floating address (eth3: 192.168.1.253/24 modem is 192.168.1.1).
  • one slower DSL uplink with fixed address (eth1: 192.168.2.253/24 modem is 192.168.2.1).
  • LAN on wired Ethernet (eth0: 192.168.7.253/24).
  • DMZ on wired Ethernet (eth2: 192.168.9.253/24).
  • webserver on wired Ethernet (DMZ: 192.168.9.110).
  • git repo on wired Ethernet (LAN: 192.168.7.90 on non-standard port 17022).

I need to have both uplinks on at the same time, and that will most likely require either mwan3 or pbr to handle it.

I have read about Policy-Based Routing and I think I understand the principle and the requirements, but I'm in the dark about how to practically set up such a beast.

ATM I have port redirects from both modems/WANs to the webserver but, as expected, this works only from the "default gateway" uplink, because otherwise responses would be routed "the wrong way" and lost.

I can also reach the webserver directly from the LAN via DNS redirection.

I am not currently able to reach the git repo from the webserver.

Target would be:

  • To have web ports (80, 443) open and serviced from both uplinks (nginx on webserver will take care of virtual sites and possibly reverse proxy).
  • To have all outgoing traffic (originating from either lan or dmz) through the fast interface (wa2).
  • Nice-to-have: fallback to use slower wan if the other is down for any reason.
  • To have the git repo accessible from both uplinks and from the DMZ (not currently working).
    Any specific pointer (or a direct explanation, of course) would be welcome.

Current configuration is:

root@openwrt:~# ubus call system board; \
> uci export network; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
	"kernel": "6.1.0-17-amd64",
	"hostname": "openwrt",
	"system": "Intel(R) Core(TM) i3-4025U CPU @ 1.90GHz",
	"model": "Hewlett-Packard 300-0xx",
	"board_name": "hewlett-packard-300-0xx",
	"rootfs_type": "zfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "x86/64",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}
package network

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.7.253'
	option netmask '255.255.255.0'
	option device 'eth0'

config interface 'wan'
	option proto 'static'
	option device 'eth1'
	list ipaddr '192.168.2.253/24'
	option gateway '192.168.2.1'
	option metric '20'

config interface 'dmz'
	option proto 'static'
	option device 'eth2'
	list ipaddr '192.168.9.253/24'

config interface 'wa2'
	option proto 'static'
	option device 'eth3'
	list ipaddr '192.168.1.253/24'
	option gateway '192.168.1.1'
	option metric '10'

package firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'dmz'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'dmz'

config forwarding
	option src 'lan'
	option dest 'dmz'

config forwarding
	option src 'dmz'
	option dest 'wan'

config zone
	option name 'wa2'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wa2'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wa2'

config forwarding
	option src 'dmz'
	option dest 'wa2'

config redirect
	option dest 'dmz'
	option target 'DNAT'
	option name 'web'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.9.110'
	option dest_port '80'

config redirect
	option dest 'dmz'
	option target 'DNAT'
	option name 'web'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.9.110'
	option dest_port '443'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'git'
	option src 'wan'
	option src_dport '17022'
	option dest_ip '192.168.7.90'
	option dest_port '17022'

config redirect
	option dest 'dmz'
	option target 'DNAT'
	option name 'web'
	list proto 'tcp'
	option src 'wa2'
	option src_dport '80'
	option dest_ip '192.168.9.110'
	option dest_port '80'

config redirect
	option dest 'dmz'
	option target 'DNAT'
	option name 'web'
	option src 'wa2'
	option src_dport '443'
	option dest_ip '192.168.9.110'
	option dest_port '443'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'git'
	option src 'wa2'
	option src_dport '17022'
	option dest_ip '192.168.7.90'
	option dest_port '17022'

head: /etc/firewall.user: No such file or directory
-ash: iptables-save: not found
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    inet 192.168.2.253/24 brd 192.168.2.255 scope global eth1
       valid_lft forever preferred_lft forever
4: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    inet 192.168.1.253/24 brd 192.168.1.255 scope global eth3
       valid_lft forever preferred_lft forever
27: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.7.253/24 brd 192.168.7.255 scope global eth0
       valid_lft forever preferred_lft forever
28: eth2@if29: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.9.253/24 brd 192.168.9.255 scope global eth2
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev eth3  metric 10 
default via 192.168.2.1 dev eth1  metric 20 
192.168.1.0/24 dev eth3 scope link  metric 10 
192.168.2.0/24 dev eth1 scope link  metric 20 
192.168.7.0/24 dev eth0 scope link  src 192.168.7.253 
192.168.9.0/24 dev eth2 scope link  src 192.168.9.253 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
local 192.168.1.253 dev eth3 table local scope host  src 192.168.1.253 
broadcast 192.168.1.255 dev eth3 table local scope link  src 192.168.1.253 
local 192.168.2.253 dev eth1 table local scope host  src 192.168.2.253 
broadcast 192.168.2.255 dev eth1 table local scope link  src 192.168.2.253 
local 192.168.7.253 dev eth0 table local scope host  src 192.168.7.253 
broadcast 192.168.7.255 dev eth0 table local scope link  src 192.168.7.253 
local 192.168.9.253 dev eth2 table local scope host  src 192.168.9.253 
broadcast 192.168.9.255 dev eth2 table local scope link  src 192.168.9.253 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
root@openwrt:~# 

Many Thanks in Advance

Apparently this began working as intended without my making any change (knowingly, at least).

No need to tweak further.

