Unable to ping device on separate LAN

Hey there! I've been working away at this for a while now, still no luck...
I looked at a bunch of documentation and other posts on the forum, still not sure what I'm missing.

I'm simulating networks using GNS3, I use OpenWRT for my routers and host all instances on a VM. There are currently 2 LANs, 192.168.1.0 and 172.60.2.0, each using an OpenWRT router. I refer to 192.168.1.0 as "Red" and 172.60.2.0 as "Blue."

As for the configs, this is what I have at the moment:

/etc/config/network (Red)

config interface
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1/8'

config globals 'globals'
    option ula_prefix 'fd05:321d:f12a::/48'

config interface 'lan0'
    option device 'eth0'
    option proto 'static'
    option ipaddr '192.168.1.254/24'

config interface 'lan1'
    option device 'eth1'
    option proto 'static'
    option ipaddr '1.1.1.1/29'

config route 'routeBlue'
    option interface 'lan1'
    option target '172.60.2.0/24'
    option gateway '1.1.1.2'

config interface 'wan'
    option device 'eth1'
    option proto 'dhcp'

config interface 'wan6'
    option device 'eth1'
    option proto 'dhcpv6'

/etc/config/network (Blue)

config interface
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1/8'

config globals 'globals'
    option ula_prefix 'fdae:a7dd:eae9::/48'

config interface 'lan0'
    option device 'eth0'
    option proto 'static'
    option ipaddr '172.60.2.254/24'

config interface 'lan1'
    option device 'eth1'
    option proto 'static'
    option ipaddr '1.1.1.2/29'

config route 'routeBlue'
    option interface 'lan1'
    option target '192.168.1.0/24'
    option gateway '1.1.1.1'

config interface 'wan'
    option device 'eth1'
    option proto 'dhcp'

config interface 'wan6'
    option device 'eth1'
    option proto 'dhcpv6'

/etc/config/firewall (Red and Blue)

config defaults
    option syn_flood 1
    option input ACCEPT
    option output ACCEPT
    option forward REJECT

config zone
    option name lan
    list network 'lan'
    option input ACCEPT
    option output ACCEPT
    option forward ACCEPT

config zone
    option name wan
    list network 'wan'
    list network 'wan6'
    option input REJECT
    option output ACCEPT
    option forward REJECT
    option masq 1
    option mtu_fix 1

confing forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name Allow-DHCP-Renew
    option src wan
    option proto udp
    option dest_port 68
    option target ACCEPT

config rule
    option name Allow-Ping
    option src wan
    option proto icmp
    option icmp_type echo-request
    option family ipv4
    option target ACCEPT

config rule
    option name Allow-IGMP
    option src wan
    option proto igmp
    option family ipv4
    option target ACCEPT

# *** IPv6 stuff that I don't think matters rn since I'm working with IPv4 ***

As for the topography, each LAN has a DHCP server, the router, and some devices (hosts 100 and 101) connected to a switch. The red and blue routers are physically connected and are supposed to communicate over the backbone 1.1.1.0.

In its current state, hosts 100 and 101 on either LAN can ping each other and their respective routers. The routers can ping each other. However, 100 red cannot ping 100 blue, nor can 100 red ping the blue router, and I don't know how to fix this.

Any and all help is appreciated!

In the firewall rules, the lan zone contains the lan network. But there are only lan0 and lan1 networks, and no lan.

What are you trying to achieve here? Simulate two private networks connected over the internet? If so then you need to make a tunnel with e.g. WireGuard. Without it, with NAT/masq enabled you cannot reach the hosts on the private networks from "the internet".

I don't know GNS3 but I do know EVE-NG, a similar product.

EVE shows a visual diagram of all simulated assets and their connections, which can be easily grabbed as a screenshot to help illustrate your query.

Does GNS3 have a similar visual representation available?

Just two networks with a physical connection, there's no internet involved. I'm helping out a professor of mine put together a series of labs that teach students basics for cybersecurity. We originally started with OpenWRT, but he switched to MikroTik.

This is the specific lab I'm trying to make but with OpenWRT:
https://eaglepubs.erau.edu/mastering-enterprise-networks-labs/chapter/lab-16-static-routing/

Sorry for the delay!

I have tried adding lan0 and lan1 interfaces to my firewall in the past, but after restarting it, nothing seemed to change... I can try rebooting the VMs after the changes have been made again and get back to you on it.

It does, yes.

Similarly, this lab may help since that's what I'm following:

@123serge123 has probably hit the nail on the head. You can attach lan0 and lan1 to the same zone if you wish, to allow intra-zone traffic. If you add them to different zones, then you'll also have to set up appropriate rules to control the inter-zone traffic.
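
The mismatch raised in the replies above (the lan zone listing network 'lan' while only lan0 and lan1 are defined, and the advice to attach both to a zone) can be checked mechanically before restarting the firewall. The shell functions below are an added example, not code from the thread or from OpenWrt; their names are hypothetical, and the sample files are constructed from a trimmed copy of the first Red config.

```shell
#!/bin/sh
# Added example; uci_interfaces, zone_networks, check_zone_refs and demo are
# hypothetical helper names, not OpenWrt tools.

# Names of all named "config interface" sections in a UCI network file.
uci_interfaces() {
    awk -v q="'" '$1 == "config" && $2 == "interface" && NF >= 3 {
        gsub("[" q "\"]", "", $3); print $3 }' "$1"
}

# "zone<TAB>network" for every network attached to a zone in a firewall file.
zone_networks() {
    awk -v q="'" '
        function unq(s) { gsub("[" q "\"]", "", s); return s }
        function flush(  k) {
            for (k = 1; k <= n; k++) print name "\t" nets[k]
            n = 0; name = "(unnamed)"
        }
        $1 == "config" { flush(); in_zone = ($2 == "zone"); next }
        in_zone && $1 == "option" && $2 == "name" { name = unq($3) }
        in_zone && $2 == "network" { for (i = 3; i <= NF; i++) nets[++n] = unq($i) }
        END { flush() }' "$1"
}

# Usage: check_zone_refs NETWORK_FILE FIREWALL_FILE. Prints one line per zone
# entry without a matching interface and per interface in no zone; returns 1
# if anything was printed.
check_zone_refs() {
    ifaces=$(uci_interfaces "$1"); pairs=$(zone_networks "$2"); rc=0
    zoned=$(printf '%s\n' "$pairs" | cut -f2)
    for net in $zoned; do
        printf '%s\n' "$ifaces" | grep -Fqx -- "$net" && continue
        zone=$(printf '%s\n' "$pairs" | awk -F'\t' -v n="$net" '$2 == n { print $1; exit }')
        echo "zone '$zone' lists network '$net', which is not defined"; rc=1
    done
    for ifc in $ifaces; do
        printf '%s\n' "$zoned" | grep -Fqx -- "$ifc" && continue
        echo "interface '$ifc' is not attached to any zone"; rc=1
    done
    return $rc
}

# Constructed sample: trimmed copy of the first Red config from the thread.
demo() {
    dir=$(mktemp -d)
    printf "config interface 'lan0'\nconfig interface 'lan1'\nconfig interface 'wan'\n" > "$dir/network"
    printf "config zone\n option name lan\n list network 'lan'\n" > "$dir/firewall"
    printf "config zone\n option name wan\n list network 'wan'\n" >> "$dir/firewall"
    st=0; check_zone_refs "$dir/network" "$dir/firewall" || st=$?
    rm -rf "$dir"; return $st
}
demo || true
```

On a router the same check runs as `check_zone_refs /etc/config/network /etc/config/firewall`.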

I've made the changes and added the lan0 and lan1 interfaces to my lan zone, but they still aren't talking...

/etc/config/firewall.lan (Red and Blue)

config zone
    option name lan
    list network 'lan0'
    list network 'lan1'
    option input ACCEPT
    option output ACCEPT
    option forward ACCEPT

@123serge123 I tried both restarting the firewalls and restarting the VMs, no luck :frowning:

Possibly a dumb question: does OpenWRT support the assignment of IP addresses to interfaces using CIDR notation, or does OpenWRT only support address/netmask notation?

I've always used address/netmask notation to assign addresses to interfaces when using OpenWRT, but I've never tried CIDR notation.

You're good man, I'm full of possibly dumb questions myself lol. Yeah OpenWRT supports CIDR.

Yes it does. You can use either CIDR or netmask notation, but you should only use one or the other, not both.

Right. I'm ditching that netmask nonsense, and sticking with CIDR from now on. I use CIDR all the time in my day job, so I prefer it. Thanks!

As mentioned earlier, I don't know GNS3, but I did get the lab working in EVE-NG:

RED PC

mint@mint:~$ ifconfig ens3 | grep inet
        inet 115.20.20.219  netmask 255.255.255.0  broadcast 115.20.20.255

mint@mint:~$ ping -c 1 68.110.45.174
PING 68.110.45.174 (68.110.45.174) 56(84) bytes of data.
64 bytes from 68.110.45.174: icmp_seq=1 ttl=62 time=0.772 ms

--- 68.110.45.174 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.772/0.772/0.772/0.000 ms

BLUE PC

mint@mint:~$ ifconfig ens3 | grep inet
        inet 68.110.45.174  netmask 255.255.255.0  broadcast 68.110.45.255

mint@mint:~$ ping -c 1 115.20.20.219
PING 115.20.20.219 (115.20.20.219) 56(84) bytes of data.
64 bytes from 115.20.20.219: icmp_seq=1 ttl=62 time=2.43 ms

--- 115.20.20.219 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.427/2.427/2.427/0.000 ms

RED OpenWRT

root@OpenWrt_RED:~# ip route
10.10.10.0/29 dev eth1 scope link  src 10.10.10.1
68.110.45.0/24 via 10.10.10.2 dev eth1
115.20.20.0/24 dev br-lan scope link  src 115.20.20.254
root@OpenWrt_RED:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde2:fc3d:4972::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '115.20.20.254'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'static'
        option ipaddr '10.10.10.1'
        option netmask '255.255.255.248'

config interface 'wan6'
        option device 'eth1'
        option proto 'none'

config route
        option interface 'wan'
        option target '68.110.45.0/24'
        option gateway '10.10.10.2'
root@OpenWrt_RED:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow all traffic from Blue to Red'
        list proto 'all'
        option src 'wan'
        option dest 'lan'
        option src_ip '68.110.45.0/24'
        option dest_ip '115.20.20.0/24'
        option target 'ACCEPT'

BLUE OpenWRT

root@OpenWrt_BLUE:~# ip route
10.10.10.0/29 dev eth1 scope link  src 10.10.10.2
68.110.45.0/24 dev br-lan scope link  src 68.110.45.254
115.20.20.0/24 via 10.10.10.1 dev eth1
root@OpenWrt_BLUE:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdae:480b:6e50::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '68.110.45.254'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'static'
        option ipaddr '10.10.10.2'
        option netmask '255.255.255.248'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config route
        option interface 'wan'
        option target '115.20.20.0/24'
        option gateway '10.10.10.1'
root@OpenWrt_BLUE:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow all traffic from Red to Blue'
        list proto 'all'
        option src 'wan'
        option dest 'lan'
        option src_ip '115.20.20.0/24'
        option dest_ip '68.110.45.0/24'
        option target 'ACCEPT'

I tried out what you showed me, still no results... Configs are below the image. However, I did notice something interesting. When I pull an IP address from my DHCP server, it shows a gateway as the DHCP server's address? Here's my probably dumb question: Is this just the gateway for a route to the DHCP server?

/etc/config/network Red

config interface
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1/8'

config globals 'globals'
    option ula_prefix 'fd05:321d:f12a::/48'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0'

config interface 'lan0'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.1.254/24'

config interface 'wan'
    option device 'eth1'
    option proto 'static'
    option ipaddr '1.1.1.1/29'

config route 'routeRed'
    option interface 'wan'
    option target '172.60.2.0/24'
    option gateway '1.1.1.2'

config interface 'wan6'
    option device 'eth1'
    option proto 'dhcpv6'

/etc/config/network Blue

config interface
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1/8'

config globals 'globals'
    option ula_prefix 'fd05:321d:f12a::/48'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0'

config interface 'lan0'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '172.60.2.254/24'

config interface 'wan'
    option device 'eth1'
    option proto 'static'
    option ipaddr '1.1.1.2/29'

config route 'routeBlue'
    option interface 'wan'
    option target '192.168.1.0/24'
    option gateway '1.1.1.1'

config interface 'wan6'
    option device 'eth1'
    option proto 'dhcpv6'

/etc/config/firewall Red and Blue

config defaults
    option syn_flood 1
    option input ACCEPT
    option output ACCEPT
    option forward REJECT

config zone
    option name lan
    list network 'lan0'
    option input ACCEPT
    option output ACCEPT
    option forward ACCEPT

config zone
    option name wan
    list network 'wan'
    list network 'wan6'
    option input REJECT
    option output ACCEPT
    option forward REJECT
    option masq 1
    option mtu_fix 1

confing forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name Allow-DHCP-Renew
    option src wan
    option proto udp
    option dest_port 68
    option target ACCEPT

config rule
    option name Allow-Ping
    option src wan
    option proto icmp
    option icmp_type echo-request
    option family ipv4
    option target ACCEPT

config rule
    option name Allow-IGMP
    option src wan
    option proto igmp
    option family ipv4
    option target ACCEPT

# *** IPv6 stuff that I don't think matters rn since I'm working with IPv4 ***

Check your firewall settings.

You didn't copy my example exactly. You might find it helpful to do a diff between the two to identify what is still different.

In your lab, which device is performing DHCP duties? 192.168.1.250 isn't represented in either router's configuration.

Edit: looked back at the diagram. You have a separate DHCP server at .250. That's fine, but you must configure that server's scope with .254 in the Option 3 data. At the moment it has .250 as Option 3.

Also, in case you might not have done it already, you should disable OpenWRT's own DHCP server to avoid possible conflicts.
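
Why the Option 3 value matters: a host hands every off-subnet packet to its default gateway, so with .250 leased as the router, traffic for the other LAN goes to the DHCP server instead of the OpenWrt router at .254. The added example below (not from the thread; the function names are hypothetical and both host route tables are constructed) performs the host's longest-prefix route lookup on `ip -4 route` output.

```shell
#!/bin/sh
# Added example; next_hop, check_gateway, routes_before and routes_after are
# hypothetical helper names.

# Read `ip -4 route` output on stdin and print the next hop used for DEST:
# the gateway address, "direct" for an on-link route, or "unreachable".
next_hop() {
    awk -v dst="$1" '
        function ip2n(a,  o) {
            split(a, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        BEGIN { best = -1 }
        {
            pfx = ($1 == "default") ? "0.0.0.0/0" : $1
            split(pfx, p, "/"); len = (p[2] == "") ? 32 : p[2]
            div = 2 ^ (32 - len)
            # Skip routes that do not cover dst or are no more specific.
            if (int(ip2n(dst) / div) != int(ip2n(p[1]) / div) || len + 0 <= best) next
            best = len + 0; hop = "direct"
            for (i = 2; i < NF; i++) if ($i == "via") hop = $(i + 1)
        }
        END { print (hop == "" ? "unreachable" : hop) }'
}

# Usage: check_gateway DEST ROUTER_IP < route-table. Returns 0 only when
# traffic for DEST is handed to ROUTER_IP.
check_gateway() {
    hop=$(next_hop "$1")
    if [ "$hop" = "$2" ]; then echo "ok: $1 is forwarded to router $2"; return 0; fi
    echo "problem: $1 is handed to $hop, not router $2"; return 1
}

# Constructed route table for host 100 on Red as leased with Option 3 = .250
# (the interface name eth0 is an assumption).
routes_before() {
    cat <<'EOF'
default via 192.168.1.250 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.100
EOF
}
# The same table after the DHCP scope hands out .254 as the router.
routes_after() { routes_before | sed 's/via 192\.168\.1\.250/via 192.168.1.254/'; }

routes_before | check_gateway 172.60.2.100 192.168.1.254 || true
routes_after  | check_gateway 172.60.2.100 192.168.1.254
```

On a lab host, `ip -4 route | check_gateway 172.60.2.100 192.168.1.254` runs the same check against the live table.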

Check ip route and kernel net.ipv4.conf.default.forwarding too.

You're right, they are different...
Aside from the artifacts left behind from an older version (the lan interface name), the difference was a default config setting and the synflood setting. I'm guessing the synflood config I'm using is deprecated probably, but I digress.

250 Red/Blue are doing all the DHCP duties. I disabled OpenWRT's DHCP to be safe like you said. In addition, I did reconfigure the DHCP server to not force the gateway to be .250, but .254 instead... I'm assuming that's what's meant by Option 3. That worked! They now talk to each other. Thanks a million for your help and patience!

I didn't quite get to this one, but thanks for your help too. :slightly_smiling_face: