Why does traffic rule based on source firewall zone not work correctly?

I am trying to mark and SNAT packets based on the port that receives a packet with a specific source IP.

I have 3 physical ports configured as follows:
All ports bridged.
Bridge VLAN filtering enabled (port0 => VLAN1, port1 => VLAN2, port2 => VLAN3, all untagged).
VLAN interfaces are assigned separate firewall zones (VLAN1 => zone1, VLAN2 => zone2, VLAN3 => zone3). Forwarding is only allowed between zone2/3 and zone1. Forwarding is rejected between zone2 and zone3.

Goal is to send packets from physical ports 1 and 2 to port0 while separate devices connected to port1 and port2 use the same IP address. These packets will then be given different marks based on the firewall zone that receives them, and then be SNATed based on the mark set.

Result observed was that the packets received from both devices end up being SNATed to the same IP. This seems to indicate that the packets from both devices somehow arrived on the same firewall zone, despite the bridge VLAN interfaces being assigned different firewall zones?

Can someone tell me what I did wrong?

Thanks in advance.

Communication between devices on the same subnet cannot be controlled by the firewall because that data is switched (L2) not routed (L3).

Let's take a look at your config so we can better understand your current state:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

Oh right, I totally forgot about that. And to think I just learnt that in a separate post.

I have removed the bridging and the ports are now separate interfaces with no VLANs. This still does not work. The result is the same as my previous attempt with bridged VLANs. Why?

I am not currently able to get the configuration. Will post that when I can.

Can't guess without seeing the config... so yes, please post it when you can.


/etc/config/network

config interface 'loopback'
	option device 'lo'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd9b:c3e2:c879::/48'
	option packet_steering '1'

# Receiver side: lan0 (and lan3) bridged, subnet 192.168.123.0/24
config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan'
	option ipaddr '192.168.123.120'

config device
	option name 'br-lan'
	option type 'bridge'
	option bridge_empty '1'
	list ports 'lan0'
	list ports 'lan3'

# Sender ports: lan1 and lan2 are separate interfaces but carry the same
# subnet, 192.168.124.0/24, so the main routing table ends up with two
# connected routes for that prefix
config interface 'lan1'
	option proto 'static'
	option device 'lan1'
	option ipaddr '192.168.124.121'
	option netmask '255.255.255.0'

config interface 'lan2'
	option proto 'static'
	option device 'lan2'
	option ipaddr '192.168.124.122'
	option netmask '255.255.255.0'

/etc/config/firewall

config defaults
	option custom_chains '1'
	option synflood_protect '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan'

# SNAT 192.168.124.124 to one of two addresses, selected by the fwmark
# that the MARK rules further down are meant to set (9991 -> .125, 9992 -> .126)
config nat
	option src '*'
	option src_ip '192.168.124.124'
	option target 'SNAT'
	option snat_ip '192.168.123.125'
	option mark '9991'
	list proto 'all'

config nat
	option src '*'
	option src_ip '192.168.124.124'
	option target 'SNAT'
	option snat_ip '192.168.123.126'
	option mark '9992'
	list proto 'all'

config zone
	option name 'lan1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan1'

config zone
	option name 'lan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan2'

config forwarding
	option src 'lan'
	option dest 'lan1'

config forwarding
	option src 'lan'
	option dest 'lan2'

config forwarding
	option src 'lan1'
	option dest 'lan'

config forwarding
	option src 'lan2'
	option dest 'lan'

# Mark packets from 192.168.124.124 by the zone (physical port) they arrive on
config rule
	option src 'lan1'
	list src_ip '192.168.124.124'
	option target 'MARK'
	option set_mark '9991'
	option dest '*'

config rule
	option src 'lan2'
	list src_ip '192.168.124.124'
	option target 'MARK'
	option set_mark '9992'
	option dest '*'

/etc/firewall.user is empty

One sender (192.168.124.124) is connected to "lan1" port and another (also 192.168.124.124) to "lan2" port and the receiver (192.168.123.124) is connected to "lan0" port.

Since you can define SRC zone with the SNAT rule, why are you attempting to perform an extra [unnecessary] step of [target] marking the packets first before [target] SNATting them?


That's because I configured it via luci and there isn't a field for source zone, only destination zone, for SNAT. At least I didn't see one.

Specify by SRC IP or subnet (i.e., just fix your SNAT rules and delete the mark rules). Unless there's a reason to mark, I didn't understand the reply.

There's no need to make the rules so complicated.

?

(Whatever src is, seems configurable.)

Luci is the web user interface... There is no source zone option when configuring SNAT using the web user interface, only destination zone. I assumed that meant source zone is not configurable for SNAT.

I'm aware of this.

It's called "outbound zone" in LuCI.

Consider the configuration as the following: "specifying the destination where the SNAT has to be used."

I'm trying to understand why you're trying to mark the SRC zone, instead of just making a SNAT rule. In other words to be clear: you don't need to mark nor specify the SRC zone.

I'm trying to SNAT the same source IP to different IPs based on the physical port the frame is received on.

  • IP (Layer 3) are packets/datagrams, not Ethernet frames (Layer 2)
  • Hence I asked if you can specify the SRC IP/range instead of interface/port?


Edit to the specify the SRC IP or SRC range of the network.

Apologies, I meant packets.

I have two devices with the same IP address. The devices are connected to different ports.

I have specified the source IP. This is shown in the config I posted.

Edited as reply to user

Would still appreciate if someone can help.

Just to reiterate,

I have 2 senders with the exact same IP and a receiver with a different IP in a different subnet.

I want to translate the source IP of packets from both senders to different source IPs before the packets reach the receiver.

The reason why I used MARK then SNAT (based on mark set), instead of SNAT only, is because LuCI did not give me an option to specify source zone when configuring SNAT.

Unless you know for certain this is the cause of the problem or are sure SNAT rules allow specification of source zone and does not just ignore such configuration, please focus on the problem instead of questioning the choices of my past attempt.

Traffic only routes once passing the firewall. So you can't both mark and SNAT without routing the packets again. You can kludge it by marking and DST the packets to an interface where they route again - then SNAT.

Yes, we know you cannot specify the SRC zone/interface for an SNAT rule.

Sorry, thought that was already clear.

Maybe your wording (as it's still not clear why the available SRC IP field isn't usable)?

Are these 2 different devices, with different IPs that you want to use the exact same IP with SNAT?

Or

One device (1 SRC IP) - mark - SNAT - 2 DST IPs?

Or

(Invalid) You have 2 interfaces/zones identically numbered - hence 2 devices in 2 different networks having the same IP and you're trying to SNAT to different DST IPs?

The latter seems to best describe the statement in Post No. 1:

I can and I have.

You are seriously contradicting yourself.

What do you mean by DST? Destination? If so, why would I be SNAT-ing to different destination IPs? SNAT is literally Source NAT...

The senders (PCs) are two different devices with the same IP, that I want to use different source IPs via SNAT.

The interfaces/zones the two senders are connected to are different.

The reason why I have two senders with the same IP has got nothing to do with the configuration of my router.

My problem is not why my senders have the same IP but how can I configure my router to SNAT the same source IP (from the two senders) differently based on which sender the packets are from.

To make it even clearer, here is my setup:
Sender A (IP = 192.168.123.123)
Sender B (IP = 192.168.123.123)
Receiver (IP = 192.168.124.123)
Receiver connects to port0
Sender A connects to port1
Sender B connects to port2

I want to change packets from Sender A to have source IP 192.168.124.124 and packets from Sender B to have source IP 192.168.124.125.

This is invalid.

I'm not sure where you interpreted further confusion. I was merely trying to glean that you had an invalid SRC config. I apologize for the poor verbose wording.

In other words - you cannot identically number 2 different VLANs/networks - which is why there's no ability to select SRC interfaces or zones, only SRC IPs. No contradiction - I originally referred to the mark, not the SNAT (I mistakenly assumed you saw a SRC interface field and it caused me confusion).

Initially, (in good faith) I hadn't considered invalid network configurations. I hope that clarifies things now.

Yes, in general, duplicate addresses suck. (I could mumble about this but I spare myself this time.)

@nokoru could try to use a separate network namespace, and if this should not be enough, try VRF.


I see...no wonder there were so much confusion...

What exactly do you mean by 'identically number" 2 different VLANs/networks? I don't remember setting the same "number" or even name for different VLANs/networks. Are you referring to the two VLANs/networks using the same subnet? What is this "number" you have been referring to exactly?

Yes. "Numbering" is how you address a subnet/network/interface/VLAN (pick the term you wish).

You generally don't give the same subnet numbering/ranges/CIDR/addressing (pick the term you wish) to 2 different networks on the same system.

@_bernd suggested namespaces to solve your issue.