VLAN port forwarding

Hello,

I've recently created a VLAN to act as a DMZ on one port of my WRT1900ACv2. I have created a firewall zone and rules for the new VLAN, and set up default forwarding from LAN to DMZ. I have also used the port forwarding tab to forward WAN ports 80 and 443 to the DMZ, but it has not worked and I can't connect from the WAN. What do I need to change so that the port forwarding allows connections from the WAN?

The network and firewall configs are shown below.

/etc/config/network

# Switch/VLAN layout for switch0. Each VLAN is tagged ('t') towards a CPU port
# and is then used as an ethX.<vid> interface in the 'interface' sections below.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VID 2 = LAN: ports 1-3 untagged, tagged on port 6 (appears as eth1.2, used by 'lan').
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '1 2 3 6t'

# VID 100 = WAN: port 4 untagged, tagged on port 5 (appears as eth0.100, used by 'wan'/'wan6').
# 'vlan' is only the section index here; 'vid' is the 802.1Q tag that is actually used.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '100'
        option ports '4 5t'

# VID 3 = DMZ: port 0 only, tagged on port 6 (appears as eth1.3, used by 'DMZ').
# Port 0 shares no VLAN with ports 1-3, so DMZ and LAN are separated at layer 2.
config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0 6t'

# Loopback interface.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# Router-wide IPv6 ULA prefix; the 'ip6assign' options on the interfaces below
# assign sub-prefixes (here /60) out of it.
config globals 'globals'
        option ula_prefix 'fdf3:6b18:a423::/48'

# LAN: bridge over eth1.2 (switch VID 2), 192.168.1.0/24.
config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ifname 'eth1.2'

# WAN: eth0.100 (switch VID 100) via DHCP; 'wan6' runs DHCPv6 on the same interface.
# Both are members of the 'wan' firewall zone (see /etc/config/firewall).
config interface 'wan'
        option ifname 'eth0.100'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.100'
        option proto 'dhcpv6'

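# DMZ: eth1.3 (switch VID 3), 192.168.2.1 on a /30 - room for exactly one host
# (192.168.2.2, the DNAT target in /etc/config/firewall) besides the router.
# Use 255.255.255.0 instead if more DMZ hosts are needed.
# The previous mask 255.255.255.253 is not a valid netmask (its set bits are not
# contiguous), which may leave the router without a usable route to the DMZ and
# so break the WAN -> DMZ redirects even though the firewall rules are correct.
config interface 'DMZ'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option ifname 'eth1.3'
        option ip6assign '60'
        option netmask '255.255.255.252'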

/etc/config/firewall

# WAN -> DMZ host 192.168.2.2, TCP 80 and 443. 'dest' refers to the firewall
# zone, not the network; it matches the zone named 'DMZone' defined below, so a
# zone-name mismatch is not what breaks these redirects.
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'DMZone'
	option proto 'tcp'
	option src_dport '80'
	option dest_ip '192.168.2.2'
	option dest_port '80'
	option name 'DMZ-HTTP'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'DMZone'
	option proto 'tcp'
	option src_dport '443'
	option dest_ip '192.168.2.2'
	option dest_port '443'
	option name 'DMZ-HTTPS'

# WAN -> LAN host 192.168.1.177 (four redirects, all named 'xbox').
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '3074'
	option dest_ip '192.168.1.177'
	option dest_port '3074'
	option name 'xbox'

# Forwarding TCP/UDP 53 from the WAN turns 192.168.1.177 into an Internet-reachable
# DNS responder if it answers on that port; review whether this is really needed.
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_ip '192.168.1.177'
	option dest_port '53'
	option name 'xbox'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '88'
	option dest_ip '192.168.1.177'
	option dest_port '88'
	option name 'xbox'

# CONFLICT: WAN TCP 80 is also claimed by 'DMZ-HTTP' above. Only one redirect can
# match an incoming port-80 connection, so one of the two is dead configuration.
# Decide which host should serve port 80 and remove the other redirect.
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '80'
	option dest_ip '192.168.1.177'
	option dest_port '80'
	option name 'xbox'

# Inbound (router-destined) allow rules from the WAN. These appear to be the
# stock OpenWrt rule set: DHCP renewals, ping, and the ICMPv6/MLD/DHCPv6 traffic
# IPv6 needs to operate. Rules without a 'dest' apply to traffic to the router itself.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# Rate-limited (1000/sec) to keep ICMPv6 floods from the WAN in check.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# 'dest *' = forwarded ICMPv6 to any zone, including the DMZ.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# IPsec pass-through is allowed towards 'lan' only, not towards the DMZ.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Global policy: deny-by-default for traffic to the router (input) and between
# zones (forward); anything not explicitly allowed by a zone or rule is rejected.
config defaults
	option syn_flood '1'
	option output 'ACCEPT'
	option drop_invalid '1'
	option input 'REJECT'
	option forward 'REJECT'

# LAN is fully trusted: may talk to the router and forward within the zone.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

# WAN: NAT (masq) outbound, nothing inbound unless a rule/redirect allows it.
# Both 'wan' (IPv4) and 'wan6' (IPv6) networks belong to this zone.
config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

# Custom iptables rules loaded alongside this config. Its contents are not shown
# here; when the DNAT does not behave as configured, check that file too.
config include
	option path '/etc/firewall.user'

# DMZ zone, containing the 'DMZ' network. 'log' makes rejected traffic show up in
# the system log, which helps when debugging the WAN -> DMZ redirects.
# NOTE(review): 'input ACCEPT' lets any DMZ host reach every service on the
# router (SSH, LuCI, ...). A host in a DMZ is exposed by design, so this should
# be 'REJECT' with explicit allow rules - the 'dmz-dns' and 'dmz-dhcp' rules below
# already exist for exactly that purpose and are redundant while input is ACCEPT.
# Because 'DMZ' also has 'ip6assign', switching to REJECT would additionally
# need rules for the ICMPv6 and DHCPv6 (UDP 547) traffic IPv6 hosts send to the
# router; confirm this before changing it.
# 'forward REJECT' together with no DMZone -> lan forwarding keeps the DMZ away
# from the LAN, which is the correct isolation.
config zone
	option output 'ACCEPT'
	option log '1'
	option name 'DMZone'
	option network 'DMZ'
	option input 'ACCEPT'
	option forward 'REJECT'

# DMZ hosts may reach the Internet.
config forwarding
	option dest 'wan'
	option src 'DMZone'

# DNS to the router (no 'dest' = traffic to the router itself).
config rule
	option target 'ACCEPT'
	option dest_port '53'
	option name 'dmz-dns'
	option proto 'udp'
	option dest_ip '192.168.2.1'
	option src 'DMZone'

# DHCP to the router. DHCP is UDP only; 'tcp' here opens TCP 67 for no reason.
config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '67'
	option name 'dmz-dhcp'
	option src 'DMZone'

# Disabled ('enabled 0'); would allow echo-reply from any zone into the DMZ.
config rule
	option target 'ACCEPT'
	option name 'dmz-ping'
	option proto 'icmp'
	option icmp_type 'echo-reply'
	option src '*'
	option dest 'DMZone'
	option enabled '0'

# LAN may initiate connections into the DMZ; the reverse is intentionally absent.
config forwarding
	option dest 'DMZone'
	option src 'lan'

Make it a bridge:

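# DMZ as a bridge interface over eth1.3, with a valid /30 mask
# (192.168.2.1 for the router, 192.168.2.2 for the single DMZ host).
# 255.255.255.253 is not a legal netmask; use 255.255.255.0 if more hosts are needed.
config interface 'DMZ'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option ifname 'eth1.3'
        option ip6assign '60'
        option netmask '255.255.255.252'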

For a start, the netmask 255.255.255.253 in DMZ is invalid, and I am not sure how LuCI or the router did not report an error. If you want just 2 hosts in the DMZ, you should use the 255.255.255.252 netmask, but since there is no limitation on the address space you can also use the whole /24 with the 255.255.255.0 mask.
