Unexpected ping reply from 192.168.1.1 over wan

peterfromswe · February 16, 2024, 2:18pm

Hi
I have a linksys wrt3200 that replies to ping on 192.168.1.1 coming over wan.
The wrt3200 uses static ip 192.168.2.1 and is connected to a wndr4700 wan, also static 192.168.2.2 and I ping from there.

root@WNDR4700:~# ip r
default via 192.168.2.1 dev eth0.2
192.168.2.0/24 dev eth0.2 scope link  src 192.168.2.2
192.168.3.0/24 dev br-lan scope link  src 192.168.3.1
root@WNDR4700:~# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=0.424 ms
64 bytes from 192.168.1.1: seq=1 ttl=64 time=0.353 ms

Expected result is that 192.168.2.1 would reply only, being wan interface and not 192.168.1.1 that should be protected from outside access.

Config for wrt3200 below

root@WRT3200:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fa71:2081:2c54::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr '<this and that>'

config interface 'wan'
        option device 'wan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option gateway '192.168.2.1'

root@WRT3200:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow-HTTP'
        list proto 'tcp'
        option src 'wan'
        option dest_port '80'
        option target 'ACCEPT'

config rule
        option name 'Allow-SSH'
        list proto 'tcp'
        option src 'wan'
        option dest_port '22'
        option target 'ACCEPT'

Openwrt 23.05.2

frollic · February 16, 2024, 2:35pm

I'd be more interested in the config of the 4700.

lleachii · February 16, 2024, 3:40pm

No need, the ip r was enough.

peterfromswe:

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

Believe it or not - this Traffic Rule Allows ping from:

WNDR4700 (R2) 192.168.2.2 WAN <> WAN <192.168.2.1 R1 WRT3200> LAN 192.168.1.1

Because you sent traffic to the device. This is expected behavior.

screen706

this_device == LAN_192.168.1.1_of_WRT3200

And yes - the response packet is un-masqueraded because the SRC packet wasn't masqueraded.

frollic · February 16, 2024, 5:20pm

I didn't realize this.

Guess I can undelete my initial post