maart
August 13, 2019, 11:30am
1
Hi,
I use an old WRT54GL with OpenWRT 10.03.01 and I want to route only some known IPs (192.168.2.6 and 192.168.2.3) to the WAN-side subnet. If I use masquerading in the wan zone, all traffic goes through the WAN...
Config:
192.168.6.0/24(LAN/WLAN) - WRT54GL(WAN: 192.168.2.7) - 192.168.2.0/24
How can I implement it?
That's quite an old version you have there, ah, the memories!
Anyhow, you could try adding a DNAT rule to rewrite the destination based on the source.
Replace the default LAN-to-WAN forwarding with custom forward rules.
2 Likes
trendy
August 13, 2019, 4:10pm
4
Could you explain what you want to achieve, as 2.6 and 2.3 are already in the WAN?
Do you want to restrict access from LAN devices to only 2.3 and 2.6 in WAN?
maart
August 13, 2019, 5:03pm
5
Hi,
thanks for your replies!
@trendy
Do you want to restrict access from LAN devices to only 2.3 and 2.6 in WAN?
Yes, that's exactly what I want.
Then follow @vgaetera's advice above.
You remove the lan-to-wan rule,
then add rules for 192.168.2.3 and 192.168.2.6 to allow forwarding to WAN.
3 Likes
trendy
August 13, 2019, 6:06pm
7
To avoid any misunderstanding, these rules are in Firewall configuration. Not port forward, but traffic rules.
Remove the part
config forwarding
	option dest 'wan'
	option src 'lan'
and add
config rule
	option enabled '1'
	option target 'ACCEPT'
	option src 'lan'
	option name 'test'
	option proto 'all'
	option dest 'wan'
	option dest_ip '192.168.2.3'
config rule
	option enabled '1'
	option target 'ACCEPT'
	option src 'lan'
	option name 'test'
	option proto 'all'
	option dest 'wan'
	option dest_ip '192.168.2.6'
2 Likes
maart
August 13, 2019, 7:18pm
8
I cannot reach 192.168.2.6 from the 192.168.6.0/24 subnet. Is something wrong in the rules above?
trendy
August 13, 2019, 7:22pm
9
Do 2.3 and 2.6 have a route for 192.168.6.0/24 via the 2.7 of WRT54GL?
trendy:
option dest_ip
Shouldn't this be the source address?
maart
August 13, 2019, 7:35pm
11
Where exactly should I define the routes?
trendy
August 13, 2019, 8:17pm
13
He said from LAN to WAN
Either directly on the .2.3 and .2.6
OR at their default gateway
OR (easiest) keep NAT on in WRT54GL on the WAN interface, so no routes will be needed.
1 Like
tapper
August 13, 2019, 11:31pm
14
What the heck are you rocking such an old build of OpenWrt for? That old build is not safe to have on the internet in 2019.
4 Likes
maart
August 14, 2019, 7:35pm
15
After I define the route in the default gateway, I can reach 192.168.2.6, but also the full 192.168.2.0/24 subnet, e.g. I can access the device 192.168.2.2. Is there a problem in my firewall config?
firewall:
config 'rule'
	option 'name' 'Allow-DHCP-Renew'
	option 'src' 'wan'
	option 'proto' 'udp'
	option 'dest_port' '68'
	option 'target' 'ACCEPT'
	option 'family' 'ipv4'
config 'rule'
	option 'name' 'Allow-Ping'
	option 'src' 'wan'
	option 'proto' 'icmp'
	option 'icmp_type' 'echo-request'
	option 'family' 'ipv4'
	option 'target' 'ACCEPT'
config 'rule'
	option 'name' 'Allow-DHCPv6'
	option 'src' 'wan'
	option 'proto' 'udp'
	option 'src_ip' 'fe80::/10'
	option 'src_port' '547'
	option 'dest_ip' 'fe80::/10'
	option 'dest_port' '546'
	option 'family' 'ipv6'
	option 'target' 'ACCEPT'
config 'rule'
	option 'name' 'Allow-ICMPv6-Input'
	option 'src' 'wan'
	option 'proto' 'icmp'
	list 'icmp_type' 'echo-request'
	list 'icmp_type' 'destination-unreachable'
	list 'icmp_type' 'packet-too-big'
	list 'icmp_type' 'time-exceeded'
	list 'icmp_type' 'bad-header'
	list 'icmp_type' 'unknown-header-type'
	list 'icmp_type' 'router-solicitation'
	list 'icmp_type' 'neighbour-solicitation'
	option 'limit' '1000/sec'
	option 'family' 'ipv6'
	option 'target' 'ACCEPT'
config 'rule'
	option 'name' 'Allow-ICMPv6-Forward'
	option 'src' 'wan'
	option 'dest' '*'
	option 'proto' 'icmp'
	list 'icmp_type' 'echo-request'
	list 'icmp_type' 'destination-unreachable'
	list 'icmp_type' 'packet-too-big'
	list 'icmp_type' 'time-exceeded'
	list 'icmp_type' 'bad-header'
	list 'icmp_type' 'unknown-header-type'
	option 'limit' '1000/sec'
	option 'family' 'ipv6'
	option 'target' 'ACCEPT'
config 'defaults'
	option 'syn_flood' '1'
	option 'input' 'ACCEPT'
	option 'output' 'ACCEPT'
	option 'forward' 'ACCEPT'
	option 'drop_invalid' '0'
config 'zone'
	option 'name' 'lan'
	option 'network' 'lan'
	option 'input' 'ACCEPT'
	option 'output' 'ACCEPT'
	option 'forward' 'ACCEPT'
config 'zone'
	option 'name' 'wan'
	option 'network' 'wan'
	option 'input' 'ACCEPT'
	option 'output' 'ACCEPT'
	option 'forward' 'ACCEPT'
config 'include'
	option 'path' '/etc/firewall.user'
config 'rule'
	option 'enabled' '1'
	option 'target' 'ACCEPT'
	option 'src' 'lan'
	option 'name' 'test'
	option 'proto' 'all'
	option 'dest' 'wan'
	option 'dest_ip' '192.168.2.11'
config 'rule'
	option 'enabled' '1'
	option 'target' 'ACCEPT'
	option 'src' 'lan'
	option 'name' 'test'
	option 'proto' 'all'
	option 'dest' 'wan'
	option 'dest_ip' '192.168.2.6'
route:
You cannot block access to the 192.168.2.0/24 subnet since this would be switched, not routed. As a result, it never goes through the router/firewall, just the switch chip.
If you want to isolate those devices, you would be best served by setting up VLANs.
@psherman , it looks like separate interfaces and different firewall zones:
@maart , let's check the runtime configuration:
ip a; ip r; ip ru; iptables-save
It's possible I'm mis-interpreting this part of the issue... I'm reading it as "192.168.2.3 can reach 192.168.2.6 and can reach any other devices in 192.168.2.0/24 subnet." This would, of course, be expected behavior. But maybe I've got the interpretation wrong and we're talking about the LAN/WLAN subnet looking into the WRT54GL's network.
maart
August 15, 2019, 9:14am
20
The goal is to reach, from clients in the 192.168.6.0/24 subnet, only the clients 192.168.2.6 and 192.168.2.3 in the 192.168.2.0/24 subnet. Now I have changed the firewall on 192.168.2.7 and added a route in the gateway of the 192.168.2.0/24 subnet.
@vgaetera
I will post the output later.
maart
August 15, 2019, 2:42pm
21
I do not have the ip command on the WRT54GL, only iptables-save.
# Generated by iptables-save v1.4.6 on Mon Sep 12 13:18:04 2011
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [16227:1233808]
:OUTPUT ACCEPT [16227:1233808]
:nat_reflection_in - [0:0]
:nat_reflection_out - [0:0]
:postrouting_rule - [0:0]
:prerouting_lan - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan - [0:0]
:zone_lan_nat - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_nat - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j prerouting_rule
-A PREROUTING -i br-lan -j zone_lan_prerouting
-A PREROUTING -i eth0.1 -j zone_wan_prerouting
-A POSTROUTING -j postrouting_rule
-A POSTROUTING -o br-lan -j zone_lan_nat
-A POSTROUTING -o eth0.1 -j zone_wan_nat
-A postrouting_rule -j nat_reflection_out
-A prerouting_rule -j nat_reflection_in
-A zone_lan_prerouting -j prerouting_lan
-A zone_wan_prerouting -j prerouting_wan
COMMIT
# Completed on Mon Sep 12 13:18:04 2011
# Generated by iptables-save v1.4.6 on Mon Sep 12 13:18:04 2011
*raw
:PREROUTING ACCEPT [31284:7738250]
:OUTPUT ACCEPT [16481:1283593]
:zone_lan_notrack - [0:0]
:zone_wan_notrack - [0:0]
-A PREROUTING -i br-lan -j zone_lan_notrack
-A PREROUTING -i eth0.1 -j zone_wan_notrack
-A zone_lan_notrack -j NOTRACK
-A zone_wan_notrack -j NOTRACK
COMMIT
# Completed on Mon Sep 12 13:18:04 2011
# Generated by iptables-save v1.4.6 on Mon Sep 12 13:18:04 2011
*mangle
:PREROUTING ACCEPT [203849:50582027]
:INPUT ACCEPT [70811:6000889]
:FORWARD ACCEPT [19175:9971307]
:OUTPUT ACCEPT [114003:11698513]
:POSTROUTING ACCEPT [130594:21488417]
COMMIT
# Completed on Mon Sep 12 13:18:04 2011
# Generated by iptables-save v1.4.6 on Mon Sep 12 13:18:04 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:forward - [0:0]
:forwarding_lan - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan - [0:0]
:input - [0:0]
:input_lan - [0:0]
:input_rule - [0:0]
:input_wan - [0:0]
:nat_reflection_fwd - [0:0]
:output - [0:0]
:output_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan - [0:0]
:zone_lan_ACCEPT - [0:0]
:zone_lan_DROP - [0:0]
:zone_lan_REJECT - [0:0]
:zone_lan_forward - [0:0]
:zone_wan - [0:0]
:zone_wan_ACCEPT - [0:0]
:zone_wan_DROP - [0:0]
:zone_wan_REJECT - [0:0]
:zone_wan_forward - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A INPUT -j input_rule
-A INPUT -j input
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j forwarding_rule
-A FORWARD -j forward
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j output_rule
-A OUTPUT -j output
-A forward -i br-lan -j zone_lan_forward
-A forward -i eth0.1 -j zone_wan_forward
-A forwarding_rule -j nat_reflection_fwd
-A input -i br-lan -j zone_lan
-A input -i eth0.1 -j zone_wan
-A output -j zone_lan_ACCEPT
-A output -j zone_wan_ACCEPT
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A zone_lan -j input_lan
-A zone_lan -j zone_lan_ACCEPT
-A zone_lan_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_ACCEPT -i br-lan -j ACCEPT
-A zone_lan_DROP -o br-lan -j DROP
-A zone_lan_DROP -i br-lan -j DROP
-A zone_lan_REJECT -o br-lan -j reject
-A zone_lan_REJECT -i br-lan -j reject
-A zone_lan_forward -d 192.168.2.3/32 -j zone_wan_ACCEPT
-A zone_lan_forward -d 192.168.2.6/32 -j zone_wan_ACCEPT
-A zone_lan_forward -j forwarding_lan
-A zone_lan_forward -j zone_lan_ACCEPT
-A zone_wan -p udp -m udp --dport 68 -j ACCEPT
-A zone_wan -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A zone_wan -j input_wan
-A zone_wan -j zone_wan_ACCEPT
-A zone_wan_ACCEPT -o eth0.1 -j ACCEPT
-A zone_wan_ACCEPT -i eth0.1 -j ACCEPT
-A zone_wan_DROP -o eth0.1 -j DROP
-A zone_wan_DROP -i eth0.1 -j DROP
-A zone_wan_REJECT -o eth0.1 -j reject
-A zone_wan_REJECT -i eth0.1 -j reject
-A zone_wan_forward -j forwarding_wan
-A zone_wan_forward -j zone_wan_ACCEPT
COMMIT
# Completed on Mon Sep 12 13:18:04 2011
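The behaviour reported above (the whole 192.168.2.0/24 subnet reachable, not just the two hosts) can be read off the posted dump: zone_lan_forward ends in a jump to zone_lan_ACCEPT, which accepts anything that came in on br-lan, because the lan zone's forward policy in the posted config is ACCEPT (the wan zone's is too). As an added example, not code from the thread, here is a small Python simulator that walks the FORWARD chain for a new LAN-to-WAN packet over a constructed excerpt of that dump, next to the same chains as they would look with the lan zone's forward policy set to REJECT; the function names and the HARDENED excerpt are my own construction.

```python
import ipaddress
import re
# Constructed excerpt of the *filter table from the iptables-save output in the
# thread, reduced to the chains a NEW packet from br-lan to eth0.1 can reach.
DUMP = """
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j forward
-A forward -i br-lan -j zone_lan_forward
-A zone_lan_forward -d 192.168.2.3/32 -j zone_wan_ACCEPT
-A zone_lan_forward -d 192.168.2.6/32 -j zone_wan_ACCEPT
-A zone_lan_forward -j zone_lan_ACCEPT
-A zone_lan_ACCEPT -i br-lan -j ACCEPT
-A zone_wan_ACCEPT -o eth0.1 -j ACCEPT
"""
# Same chains with the lan zone's forward policy REJECT: the catch-all rejects.
HARDENED = DUMP.replace("-j zone_lan_ACCEPT", "-j zone_lan_REJECT") + """
-A zone_lan_REJECT -i br-lan -j reject
-A reject -j REJECT --reject-with icmp-port-unreachable
"""
RULE = re.compile(r"-A (\S+)(.*?) -j (\S+)")

def parse(dump):
    chains = {}  # chain name -> list of rules, in order
    for m in filter(None, map(RULE.match, dump.splitlines())):
        chain, opts, target = m.groups()
        rule = dict(re.findall(r"(?<!\S)-([iod]) (\S+)", opts))
        rule["state"] = "--state" in opts  # conntrack match: never hits a NEW packet
        rule["target"] = target
        chains.setdefault(chain, []).append(rule)
    return chains

def matches(rule, pkt):
    if rule["state"] or rule.get("i", pkt["in"]) != pkt["in"] or rule.get("o", pkt["out"]) != pkt["out"]:
        return False
    return "d" not in rule or ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule["d"])

def walk(chains, chain, pkt):
    """Return ACCEPT/DROP/REJECT, or None when the chain falls through or RETURNs."""
    for rule in (r for r in chains.get(chain, []) if matches(r, pkt)):
        t = rule["target"]
        if t in ("ACCEPT", "DROP", "REJECT", "RETURN"):
            return None if t == "RETURN" else t
        sub = walk(chains, t, pkt)  # descend into a user-defined chain
        if sub is not None:
            return sub
    return None

def forward_verdict(dump, dst, policy="ACCEPT"):
    """Verdict for a NEW packet entering on br-lan, leaving on eth0.1, to dst."""
    return walk(parse(dump), "FORWARD", {"in": "br-lan", "out": "eth0.1", "dst": dst}) or policy
```

With the posted chains, a packet to 192.168.2.2 is accepted by the br-lan catch-all; with the REJECT variant only 192.168.2.3 and 192.168.2.6 get through, which is the stated goal.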
odrt
August 15, 2019, 2:44pm
23
The discussion point was to not recommend buying devices in 2019 with a single-core SoC, fast ethernet, 802.11n wifi, 8 MB flash and 64 MB of RAM from the 2013 generation, when devices with a multi-core SoC, gigabit ethernet, 802.11ac, 128 MB flash and 256 MB RAM are also available for about the same price.
If the older device is already in your possession, the situation is different. As I still hope you will understand the difference: I still recommend NOT buying 2013-generation hardware in 2019 when you can get recent hardware with good OpenWrt support for about the same price.
1 Like