Virtual lab clients do not access internet

Hello there!

I'm messing around with OpenWRT with very little network/routing experience and really want to learn.

This is my lab
nuc: Intel NUC with libvirt+QEMU+KVM as hypervisor
vrouter: VM with OpenWRT 21.02.1
vclient: VM with Centos7 as DHCP client of virtual OpenWRT router
laptop: the one that I'm using right now, running Fedora 33, on the same network of the nuc hypervisor

nuc has two virtual NICs:

  1. eth0 on a private network (isolated network 192.168.99.0/24, NO DHCP)
  2. eth1 on a bridge device (br0, so same network of the nuc/laptop)

What I'm trying to achieve:
I'm trying to install a very simple network in order to understand routing between networks (in this example between my "real" wired network and the virtual one).

Fresh install of OpenWRT on vrouter, everything is set as default. The only thing I do:

uci set network.lan.ipaddr=192.168.99.1
uci commit
/etc/init.d/network restart
vrouter CAN ping 8.8.8.8
vrouter CAN resolve www.google.com
vclient receives DHCP address 192.168.99.135
vclient cannot ping 8.8.8.8
vclient cannot resolve www.google.com
vclient is accessible via SSH from laptop after adding a local static route with sudo route add -net 192.168.99.0/24 gw 192.168.188.51

Also, I can reach vrouter via SSH or HTTP from laptop only if the firewall on vrouter is turned off with /etc/init.d/firewall stop

This is my configuration:

root@vrouter:~# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd6a:a58c:4054::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth0'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.99.1'
network.wan=interface
network.wan.device='eth1'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.device='eth1'
network.wan6.proto='dhcpv6'
root@vrouter:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP qlen 1000
    link/ether 52:54:00:a5:0b:3b brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether 52:54:00:a9:32:32 brd ff:ff:ff:ff:ff:ff
    inet 192.168.188.51/24 brd 192.168.188.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fea9:3232/64 scope link 
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 52:54:00:a5:0b:3b brd ff:ff:ff:ff:ff:ff
    inet 192.168.99.1/24 brd 192.168.99.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd6a:a58c:4054::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fea5:b3b/64 scope link 
       valid_lft forever preferred_lft forever
root@vrouter:~# ip r
default via 192.168.188.1 dev eth1  src 192.168.188.51 
192.168.99.0/24 dev br-lan scope link  src 192.168.99.1 
192.168.188.0/24 dev eth1 scope link  src 192.168.188.51

Thank you to everyone who will be of any help.

The vclient cannot get Internet access if the firewall is stopped, because the masquerading is not active.

/etc/init.d/firewall start

Your laptop is connected from the wan side, so you need to open the firewall for management.

uci add firewall rule
uci set firewall.@rule[-1].dest_port='22 80 443'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].name='Allow-Management-From-WAN'
uci set firewall.@rule[-1].src_ip='192.168.188.0/24'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].src='wan'
uci commit firewall
fw3 restart

That's pretty normal. In addition, you'll also have to open the firewall from wan to lan and disable masquerading to the "real" wired network.

uci add firewall rule
uci set firewall.@rule[-1]=rule
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].name='Allow-Access-Wan-Lan'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].src_ip='192.168.188.0/24'
uci set firewall.@rule[-1].proto='all'
uci set firewall.@zone[1].masq_dest="!192.168.188.0/24"
uci commit firewall
fw3 restart

Probably there are some DNS issues, but make the mentioned changes first.


Ok, this helped A LOT. Thank you.
I've restarted firewall and added the rule Allow-Management-From-WAN, vclient DOES ping 8.8.8.8 and DOES resolve www.google.com correctly.
I've added the second rule but somehow it broke the whole thing: I lost access to LuCI and SSH to vrouter. So I re-flashed vrouter with the same settings, added the first rule you posted... For now it works and it will allow me to dive into real study. Anyway, I've tested this simple rule in order to access HTTP services inside LAN from WAN:

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-Access-80-From-LAN'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].dest_port='80'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
fw3 restart

I think I can work with some basic stuff now. Thank you again!

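An added check, not from the thread: it parses `uci show firewall` output and lists wan-zone ACCEPT rules with no src_ip restriction (the answer's rules are limited to 192.168.188.0/24; the last rule above is not, so any host reachable on the WAN side matches it), and reports the wan zone's masquerade settings. The sample config and its section indices are constructed.

```python
# Added example (not from the thread): audit "uci show firewall" output, listing
# wan-side ACCEPT rules with no src_ip limit and the wan zone's masquerade setup.
from collections import defaultdict

# Constructed sample: the management rule from the answer (src_ip-limited) and
# a rule like the OP's later port-80 one (no src_ip, so any WAN host matches).
SAMPLE_UCI = """\
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].masq='1'
firewall.@zone[1].masq_dest='!192.168.188.0/24'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-Management-From-WAN'
firewall.@rule[9].src='wan'
firewall.@rule[9].src_ip='192.168.188.0/24'
firewall.@rule[9].dest_port='22 80 443'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[10]=rule
firewall.@rule[10].name='Allow-Access-80-From-LAN'
firewall.@rule[10].src='wan'
firewall.@rule[10].dest='lan'
firewall.@rule[10].dest_port='80'
firewall.@rule[10].target='ACCEPT'
"""


def parse_uci(text):
    """Map "uci show" lines to {section: {option: value}}; ".type" holds the section type."""
    sections = defaultdict(dict)
    for line in text.splitlines():
        key, _, value = line.partition("=")
        parts = key.split(".", 2)  # config, section, optional option name
        if len(parts) == 3:
            sections[parts[1]][parts[2]] = value.strip("'")
        elif len(parts) == 2:
            sections[parts[1]][".type"] = value.strip("'")
    return dict(sections)


def wan_accept_rules_without_src_ip(sections):
    """Names of ACCEPT rules from wan that any WAN-side host can match."""
    return [s.get("name", sec) for sec, s in sections.items()
            if s.get(".type") == "rule" and s.get("src") == "wan"
            and s.get("target") == "ACCEPT" and not s.get("src_ip")]


def wan_masquerade(sections):
    """Return (masq enabled, masq_dest) for the zone named wan."""
    for s in sections.values():
        if s.get(".type") == "zone" and s.get("name") == "wan":
            return s.get("masq") == "1", s.get("masq_dest")
    return False, None
```

On a real router, feed it the output of `uci show firewall` instead of SAMPLE_UCI; list options with several values keep their inner quotes in this simple parser.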
