Hi all,
I have deployed OpenWRT 15.05.1 r48532 (Chaos Calmer) as a virtual machine (VM), as part of a test/lab environment. The setup is as follows:
Client VM (192.168.60.147/24) ----> OpenWRT WAN (192.168.60.146/24) ==== OpenWRT LAN (172.16.1.8/24)-----> Server VM (172.16.1.3/24)
The firewall configuration is as follows:
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-SSH
option src wan
option proto tcp
option dest_port 22
option target ACCEPT
option family ipv4
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option src_ip fe80::/10
option src_port 547
option dest_ip fe80::/10
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
# include a file with users custom iptables rules
config include
option path /etc/firewall.user
# port redirect port coming in on wan to lan
config redirect
option src wan
option src_dport 80
option dest lan
option dest_ip 172.16.1.3
option dest_port 80
option proto tcp
option target DNAT
# port redirect of remapped ssh port (22001) on wan
config redirect
option src wan
option src_dport 22001
option dest lan
option dest_ip 172.16.1.3
option dest_port 22
option proto tcp
option target DNAT
# allow IPsec/ESP and ISAKMP passthrough
config rule
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
Route and network configuration:
root@OpenWrt:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.16.1.1 0.0.0.0 UG 0 0 0 br-lan
172.16.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
172.16.1.1 0.0.0.0 255.255.255.255 UH 0 0 0 br-lan
192.168.60.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.60.11 0.0.0.0 255.255.255.255 UH 0 0 0 eth1
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config interface 'lan'
option ifname 'eth0'
option type 'bridge'
# option ipaddr '192.168.1.1'
# option netmask '255.255.255.0'
# option ip6assign '60'
option proto 'dhcp'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth1'
option proto 'dhcpv6'
config globals 'globals'
option ula_prefix 'fdd9:1062:ac9f::/48'
I am able to connect to port 80 and 22 of the server from the router's LAN interface. The issue is when I try to do it from the Client side (WAN). I can't seem to find an issue with the configuration. Could anyone help in pointing out what could be the problem ?
Thanks.