Use a different/specific Interface to send remote logs

I have openwrt configured to send logs to a remote syslog server. However I would like to configure it to use a specific interface because of the way my network is segmented/configured.

Interfaces:

  • default lan - br-lan - 192.168.99.1 (emergency / anti lockout only)
  • mgmt: eth0.33 - 192.168.33.1 (this is where the admin UI is normally accessed from)
  • etc...

Openwrt's log service binds to the br-lan to send out the logs, but the way I have my setup, this interface isn't accessible on the network. Is there a way to tell openwrt/logd to bind to the mgmt interface instead?

I'm still pretty new to openwrt but didn't see anything in the UI. Maybe by CLI or conf file?

I know if I disable the br-lan, the log service will then bind to the mgmt interface but I need the br-lan one active for emergency.

What's the DST IP of this syslog server?

1 Like

As it would do with any other traffic, the router will send the logs using the interface that best matches the destination address; it does not bind anything to any interface just because. If this does not clarify the issue, post the full list of interfaces, their addresses and masks, and the address for the syslog server.

2 Likes

In case it matters, I have openwrt configured as a backup managed switch. Pfsense router is upstream and holds all the firewall rules.

The syslog server is on 192.168.11.xxx.

Oh yes it matters. So you're saying that the OpenWrt isn't a router; but has a connection to 2 networks (with gateways)?

And neither network is 192.167.11.0/24?

Then more information is needed.

Can you show the OpenWrt config?

cat /etc/config/network

FYI, this is starting to sound like a Pfsense solution.

Sorry, I was trying to keep the description short and not distract from the main question. I have troubleshot this already and can see the network traffic, but I want to change openwrt's behaviour. These are vlans btw.

I don't think it's a pfsense thing b/c:

  • I can see in pfsense logs it's 192.168.99.1 (br-lan interface) trying to connect to remote syslog server which the firewall doesn't allow
  • if I disable br-lan, openwrt falls to the only other interface 192.168.33.1 (mgmt), the syslogs are passed through the expected firewall rule and syslogs show up fine

TLDR - here's a fuller explanation of my setup. I don't believe any of the below should impact the main question, let me know if it does.

Pfsense => Main Switch - trunk B port => WAN port - on OpenWrt Switch (ie it's upstream trunk)

br-lan 99 -> configured with static ip
mgmt 33 -> configured to get dhcp ip from pfsense

trunk B - has vlan 33 and other various vlans tagged, but no vlan 99 at all
wan port - has vlan 33 and others tagged, and vlan 99 untagged

Why? Since this is an old 4-port router, I didn't want to take up 1 of the 4 ports to use as an emergency / anti-lockout port. So instead I'm piggybacking the emergency vlan on the WAN port. Since it's not tagged upstream, no traffic is passed through - it's all blocked, plus it's not used at all (except for this unexpected syslog traffic).

If/when I mess up, I can just unplug openwrt switch from main switch, plug my computer into WAN with a static IP, and access the admin UI to reset stuff.

As an alternative to configuring openwrt to use a specific interface for syslog, I can create a firewall rule on pfsense to allow syslog traffic from 192.168.99.1 to the remote syslog server. But that may be undesirable for other reasons. I'd like to weigh both options.

Maybe I missed it in the post - and perhaps you don't understand why it's necessary.

But - you still haven't explained where the 192.168.11.0/24 network exists.

Was that a typo, or did you just forget to describe it in your subsequent post?

Providing the config is probably best:

You're right, pls help me understand how this is involved. As a rule, I thought it's good practice not to share actual specific ip/network for security. Maybe I'm being overly paranoid.

Anyhow here's the config, modified to hide my actual vlan numbering.

The remote syslog server is on vlan 11 which exists on the main switch & pfsense but NOT on the openwrt switch. Openwrt only knows of the ip address of the remote syslog server. If openwrt communicates through the mgmt interface (on vlan 33) with the remote syslog server (on vlan 11), there's a pfsense firewall rule which will allow this (confirmed this works).

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.99'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.99.1'
        option gateway '192.168.99.2'
        list dns '192.168.99.2'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option auto '0'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '99'

config switch_vlan
        option device 'switch0'
        option vlan '99'
        option description 'Lan'
        option ports '8t 0'

config switch_vlan
        option device 'switch0'
        option vlan '33'
        option description 'Mgmt'
        option ports '8t 2 3 4 0t'

config switch_vlan
        option device 'switch0'
        option vlan '66'
        option description 'Media'
        option ports '8t 1 0t'

config interface 'Mgmt'
        option proto 'dhcp'
        option device 'eth0.33'

config interface 'Media'
        option proto 'none'
        option device 'eth0.66'

They're private IPs and a private network, not sure what to be paranoid about. It just makes it extremely difficult to assist you.

Because it's the DST IP on a private network, yet it wasn't mentioned anywhere when seeking help with an OpenWrt device (i.e. and it's not the router). The current route (i.e. where's the router) needs to be understood in order to understand how to change it to the desired interface.

In any case, there's only one network with a gateway defined, and that's your management network that you don't wanna use.

I assume VLAN 33 is the network and that it receives its IP and gateway via DHCP.

Make a static route for:

192.168.11.xxx/32 via mgmt gw 192.168.33.1

(This assumes 192.168.33.1 is the gateway.)

This rule can be created via the LuCI web GUI. Hope this helps (given the vagueness and obscurity).

2 Likes
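An added illustration (not from this thread or from OpenWrt itself) of why the logs leave via br-lan today and what the suggested /32 static route changes: a small longest-prefix-match lookup over a routing table reconstructed from the posted config. It assumes the syslog server is 192.168.11.50 (stand-in for the redacted address), that Mgmt got 192.168.33.10 via DHCP, that 192.168.33.1 is the mgmt gateway as the reply assumes, and that only the static 'lan' interface installs a default route (consistent with the behaviour observed in the thread).

```python
"""Route selection on the thread's OpenWrt box before and after the /32 static route."""
import ipaddress

# Constructed values: the real syslog address is redacted in the thread, and the
# Mgmt DHCP lease and its gateway are assumptions taken from the replies above.
SYSLOG_SERVER = "192.168.11.50"
MGMT_GATEWAY = "192.168.33.1"
MGMT_ADDR = "192.168.33.10"


def base_routes():
    """Routes implied by the posted /etc/config/network: (prefix, dev, via, src)."""
    return [
        ("192.168.99.0/24", "br-lan", None, "192.168.99.1"),   # static 'lan'
        ("192.168.33.0/24", "eth0.33", None, MGMT_ADDR),       # 'Mgmt' via DHCP
        ("0.0.0.0/0", "br-lan", "192.168.99.2", "192.168.99.1"),  # lan's 'option gateway'
    ]


def lookup(routes, dst):
    """Longest-prefix match: the kernel picks the most specific prefix containing dst."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    best = max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return {"dev": best[1], "via": best[2], "src": best[3]}


def host_route(target, gateway, dev, src):
    """The /32 route the reply suggests: always wins over the default route."""
    return (f"{target}/32", dev, gateway, src)


def uci_stanza(target, gateway, iface="Mgmt"):
    """Equivalent 'config route' section for /etc/config/network (LuCI writes the same)."""
    return "\n".join([
        "config route",
        f"\toption interface '{iface}'",
        f"\toption target '{target}'",
        "\toption netmask '255.255.255.255'",
        f"\toption gateway '{gateway}'",
    ])


if __name__ == "__main__":
    print(lookup(base_routes(), SYSLOG_SERVER))   # default route: out br-lan, src 192.168.99.1
    fixed = base_routes() + [host_route(SYSLOG_SERVER, MGMT_GATEWAY, "eth0.33", MGMT_ADDR)]
    print(lookup(fixed, SYSLOG_SERVER))           # /32 wins: via 192.168.33.1 on eth0.33
    print(uci_stanza(SYSLOG_SERVER, MGMT_GATEWAY))
```

After applying the stanza with a network reload, `ip route get <syslog address>` on the box should report the eth0.33 device and the 192.168.33.x source, which is what makes the pfSense rule match.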

Ah I think I understand, static routes are something I still need to learn more on. But basically tell openwrt for this ip use the mgmt gw 192.168.33.1.

Thank you for coming along this strange journey with me lol :).

1 Like

This is all the info I need to diagnose the issue, and this is the info you still have not shared with us.

1 Like

Now that I understand what the eventual solution is (not a config of the logd), I understand why this info is necessary and faster. Will do for next time.

For now, I'm going the firewall adjustment route.

Thank you.

FYI - adjustments to the firewall won't change the route (or gateway) the OpenWrt uses. I wasn't sure if you were referring to our discussion or another idea you might be considering - so I just wanted to make a note.

1 Like

Yup, understood. It's a quick temp fix to get it working on the current interface, while I work on some other things and get more up to speed.

Thanks for the help.