WRT54GL OpenWrt 10.03.1, route only some IP's to wan

Hi,

I use an old WRT54GL with OpenWrt 10.03.01 and I want to route only some known IPs (192.168.2.6 and 192.168.2.3) to the WAN-side subnet. If I use masquerading in the wan zone, all traffic goes through the WAN...

Config:

192.168.6.0/24(LAN/WLAN) - WRT54GL(WAN: 192.168.2.7) - 192.168.2.0/24

How can I implement it?

That's quite an old version you have there, ah, the memories! :)

Anyhow, you could try adding a DNAT rule to rewrite the destination based on the source.

Replace the default LAN-to-WAN forwarding with custom forward rules.


Could you explain what you want to achieve, as 2.6 and 2.3 are already in the WAN?
Do you want to restrict access from LAN devices to only 2.3 and 2.6 in the WAN?

Hi,

thanks for your replies!

@trendy

Do you want to restrict access from LAN devices to only 2.3 and 2.6 in WAN?

Yes, that's exactly what I want.

Then follow @vgaetera's advice above.

  • You remove the lan-to-wan rule
  • then add rules for 192.168.2.3 and 192.168.2.6 to allow forward to WAN

To avoid any misunderstanding, these rules are in Firewall configuration. Not port forward, but traffic rules.
Remove the part

config forwarding
        option dest 'wan'
        option src 'lan'

and add

config rule
        option enabled '1'
        option target 'ACCEPT'
        option src 'lan'
        option name 'test'
        option proto 'all'
        option dest 'wan'
        option dest_ip '192.168.2.3'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option src 'lan'
        option name 'test'
        option proto 'all'
        option dest 'wan'
        option dest_ip '192.168.2.6'

I cannot reach 192.168.2.6 from the 192.168.6.0/24 subnet. Is something wrong in the rules above?

Do 2.3 and 2.6 have a route for 192.168.6.0/24 via the 2.7 of WRT54GL?

Shouldn't this be the source address?

Where should I exactly define the routes?

He said from LAN to WAN

Either directly on the .2.3 and .2.6
OR at their default gateway
OR (easiest) keep NAT on in WRT54GL on the WAN interface, so no routes will be needed.


What the heck are you rocking such an old build of OpenWrt for? That old build is not safe to have on the internet in 2019.


After I defined the route on the default gateway, I can reach 192.168.2.6, but also the full 192.168.2.0/24 subnet, e.g. I can access the device 192.168.2.2. Is there a problem in my firewall config?

firewall:

config 'rule'
        option 'name' 'Allow-DHCP-Renew'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'dest_port' '68'
        option 'target' 'ACCEPT'
        option 'family' 'ipv4'

config 'rule'
        option 'name' 'Allow-Ping'
        option 'src' 'wan'
        option 'proto' 'icmp'
        option 'icmp_type' 'echo-request'
        option 'family' 'ipv4'
        option 'target' 'ACCEPT'

config 'rule'
        option 'name' 'Allow-DHCPv6'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'src_ip' 'fe80::/10'
        option 'src_port' '547'
        option 'dest_ip' 'fe80::/10'
        option 'dest_port' '546'
        option 'family' 'ipv6'
        option 'target' 'ACCEPT'

config 'rule'
        option 'name' 'Allow-ICMPv6-Input'
        option 'src' 'wan'
        option 'proto' 'icmp'
        list 'icmp_type' 'echo-request'
        list 'icmp_type' 'destination-unreachable'
        list 'icmp_type' 'packet-too-big'
        list 'icmp_type' 'time-exceeded'
        list 'icmp_type' 'bad-header'
        list 'icmp_type' 'unknown-header-type'
        list 'icmp_type' 'router-solicitation'
        list 'icmp_type' 'neighbour-solicitation'
        option 'limit' '1000/sec'
        option 'family' 'ipv6'
        option 'target' 'ACCEPT'

config 'rule'
        option 'name' 'Allow-ICMPv6-Forward'
        option 'src' 'wan'
        option 'dest' '*'
        option 'proto' 'icmp'
        list 'icmp_type' 'echo-request'
        list 'icmp_type' 'destination-unreachable'
        list 'icmp_type' 'packet-too-big'
        list 'icmp_type' 'time-exceeded'
        list 'icmp_type' 'bad-header'
        list 'icmp_type' 'unknown-header-type'
        option 'limit' '1000/sec'
        option 'family' 'ipv6'
        option 'target' 'ACCEPT'

config 'defaults'
        option 'syn_flood' '1'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'ACCEPT'
        option 'drop_invalid' '0'

config 'zone'
        option 'name' 'lan'
        option 'network' 'lan'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'ACCEPT'

config 'zone'
        option 'name' 'wan'
        option 'network' 'wan'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'ACCEPT'

config 'include'
        option 'path' '/etc/firewall.user'

config 'rule'
        option 'enabled' '1'
        option 'target' 'ACCEPT'
        option 'src' 'lan'
        option 'name' 'test'
        option 'proto' 'all'
        option 'dest' 'wan'
        option 'dest_ip' '192.168.2.11'

config 'rule'
        option 'enabled' '1'
        option 'target' 'ACCEPT'
        option 'src' 'lan'
        option 'name' 'test'
        option 'proto' 'all'
        option 'dest' 'wan'
        option 'dest_ip' '192.168.2.6'

route:

You cannot block access to the 192.168.2.0/24 subnet since this would be switched, not routed. As a result, it never goes through the router/firewall, just the switch chip.

If you want to isolate those devices, you would be best served by setting up VLANs.

@psherman, it looks like separate interfaces and different firewall zones:

@maart, let's check the runtime configuration:

ip a; ip r; ip ru; iptables-save

It's possible I'm mis-interpreting this part of the issue... I'm reading it as "192.168.2.3 can reach 192.168.2.6 and can reach any other devices in 192.168.2.0/24 subnet." This would, of course, be expected behavior. But maybe I've got the interpretation wrong and we're talking about the LAN/WLAN subnet looking into the WRT54GL's network.

The goal is to reach, from clients in the 192.168.6.0/24 subnet, only the clients 192.168.2.6 and 192.168.2.3 in the 192.168.2.0/24 subnet. Now I have changed the firewall on 192.168.2.7 and added a route on the gateway of the 192.168.2.0/24 subnet.

@vgaetera
I will post the output later.

I do not have the ip command on the WRT54GL, only iptables-save.

# Generated by iptables-save v1.4.6 on Mon Sep 12 13:18:04 2011
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [16227:1233808]
:OUTPUT ACCEPT [16227:1233808]
:nat_reflection_in - [0:0]
:nat_reflection_out - [0:0]
:postrouting_rule - [0:0]
:prerouting_lan - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan - [0:0]
:zone_lan_nat - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_nat - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j prerouting_rule 
-A PREROUTING -i br-lan -j zone_lan_prerouting 
-A PREROUTING -i eth0.1 -j zone_wan_prerouting 
-A POSTROUTING -j postrouting_rule 
-A POSTROUTING -o br-lan -j zone_lan_nat 
-A POSTROUTING -o eth0.1 -j zone_wan_nat 
-A postrouting_rule -j nat_reflection_out 
-A prerouting_rule -j nat_reflection_in 
-A zone_lan_prerouting -j prerouting_lan 
-A zone_wan_prerouting -j prerouting_wan 
COMMIT
# Completed on Mon Sep 12 13:18:04 2011
# Generated by iptables-save v1.4.6 on Mon Sep 12 13:18:04 2011
*raw
:PREROUTING ACCEPT [31284:7738250]
:OUTPUT ACCEPT [16481:1283593]
:zone_lan_notrack - [0:0]
:zone_wan_notrack - [0:0]
-A PREROUTING -i br-lan -j zone_lan_notrack 
-A PREROUTING -i eth0.1 -j zone_wan_notrack 
-A zone_lan_notrack -j NOTRACK 
-A zone_wan_notrack -j NOTRACK 
COMMIT
# Completed on Mon Sep 12 13:18:04 2011
# Generated by iptables-save v1.4.6 on Mon Sep 12 13:18:04 2011
*mangle
:PREROUTING ACCEPT [203849:50582027]
:INPUT ACCEPT [70811:6000889]
:FORWARD ACCEPT [19175:9971307]
:OUTPUT ACCEPT [114003:11698513]
:POSTROUTING ACCEPT [130594:21488417]
COMMIT
# Completed on Mon Sep 12 13:18:04 2011
# Generated by iptables-save v1.4.6 on Mon Sep 12 13:18:04 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:forward - [0:0]
:forwarding_lan - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan - [0:0]
:input - [0:0]
:input_lan - [0:0]
:input_rule - [0:0]
:input_wan - [0:0]
:nat_reflection_fwd - [0:0]
:output - [0:0]
:output_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan - [0:0]
:zone_lan_ACCEPT - [0:0]
:zone_lan_DROP - [0:0]
:zone_lan_REJECT - [0:0]
:zone_lan_forward - [0:0]
:zone_wan - [0:0]
:zone_wan_ACCEPT - [0:0]
:zone_wan_DROP - [0:0]
:zone_wan_REJECT - [0:0]
:zone_wan_forward - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood 
-A INPUT -j input_rule 
-A INPUT -j input 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -j forwarding_rule 
-A FORWARD -j forward 
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -j output_rule 
-A OUTPUT -j output 
-A forward -i br-lan -j zone_lan_forward 
-A forward -i eth0.1 -j zone_wan_forward 
-A forwarding_rule -j nat_reflection_fwd 
-A input -i br-lan -j zone_lan 
-A input -i eth0.1 -j zone_wan 
-A output -j zone_lan_ACCEPT 
-A output -j zone_wan_ACCEPT 
-A reject -p tcp -j REJECT --reject-with tcp-reset 
-A reject -j REJECT --reject-with icmp-port-unreachable 
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN 
-A syn_flood -j DROP 
-A zone_lan -j input_lan 
-A zone_lan -j zone_lan_ACCEPT 
-A zone_lan_ACCEPT -o br-lan -j ACCEPT 
-A zone_lan_ACCEPT -i br-lan -j ACCEPT 
-A zone_lan_DROP -o br-lan -j DROP 
-A zone_lan_DROP -i br-lan -j DROP 
-A zone_lan_REJECT -o br-lan -j reject 
-A zone_lan_REJECT -i br-lan -j reject 
-A zone_lan_forward -d 192.168.2.3/32 -j zone_wan_ACCEPT 
-A zone_lan_forward -d 192.168.2.6/32 -j zone_wan_ACCEPT 
-A zone_lan_forward -j forwarding_lan 
-A zone_lan_forward -j zone_lan_ACCEPT 
-A zone_wan -p udp -m udp --dport 68 -j ACCEPT 
-A zone_wan -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A zone_wan -j input_wan 
-A zone_wan -j zone_wan_ACCEPT 
-A zone_wan_ACCEPT -o eth0.1 -j ACCEPT 
-A zone_wan_ACCEPT -i eth0.1 -j ACCEPT 
-A zone_wan_DROP -o eth0.1 -j DROP 
-A zone_wan_DROP -i eth0.1 -j DROP 
-A zone_wan_REJECT -o eth0.1 -j reject 
-A zone_wan_REJECT -i eth0.1 -j reject 
-A zone_wan_forward -j forwarding_wan 
-A zone_wan_forward -j zone_wan_ACCEPT 
COMMIT
# Completed on Mon Sep 12 13:18:04 2011
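The dump above answers the question asked earlier in the thread (why the two `dest_ip` traffic rules let 192.168.2.2 through as well). As an added example, not code from the thread or from OpenWrt, the following Python script replays the lan-side FORWARD chains of that dump against a new connection from the LAN bridge and reports which rule produced the verdict. The `POSTED_RULES` input is copied from the dump; `HARDENED_RULES` is my assumption of what the same chains look like once the `defaults` and `lan` zone sections carry `option forward 'REJECT'` instead of `ACCEPT` (the zone chain ends in `zone_lan_REJECT`, the built-in policy becomes DROP), so it is constructed, not taken from the thread. `packet_to` and the 192.168.6.10 source address are likewise constructed for the demonstration.

```python
"""Predict the FORWARD verdict a packet gets from an iptables-save dump.
Added example, not the thread's code. Models only the subset the posted
chains use: -i/-o, -s/-d, -p, -m state --state (a new connection is NEW, so
RELATED,ESTABLISHED never matches), user-chain jumps and the chain policy."""
import ipaddress
import shlex

# Constructed input: the lan-side FORWARD chains copied from the posted dump.
POSTED_RULES = """\
*filter
:FORWARD ACCEPT [0:0]
:forward - [0:0]
:zone_lan_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_wan_ACCEPT - [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j forward
-A forward -i br-lan -j zone_lan_forward
-A zone_lan_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_ACCEPT -i br-lan -j ACCEPT
-A zone_lan_forward -d 192.168.2.3/32 -j zone_wan_ACCEPT
-A zone_lan_forward -d 192.168.2.6/32 -j zone_wan_ACCEPT
-A zone_lan_forward -j zone_lan_ACCEPT
-A zone_wan_ACCEPT -o eth0.1 -j ACCEPT
-A zone_wan_ACCEPT -i eth0.1 -j ACCEPT
COMMIT
"""

# Constructed variant, an assumption about what the 10.03 firewall scripts emit
# (not from the thread): `option forward 'REJECT'` in defaults and in the lan
# zone, so the lan chain ends in zone_lan_REJECT and the policy is DROP.
HARDENED_RULES = (
    POSTED_RULES.replace(":FORWARD ACCEPT", ":FORWARD DROP")
    .replace("-j zone_lan_ACCEPT\n", "-j zone_lan_REJECT\n")
    .replace("COMMIT", ":zone_lan_REJECT - [0:0]\n:reject - [0:0]\n"
             "-A zone_lan_REJECT -i br-lan -j reject\n"
             "-A reject -j REJECT --reject-with icmp-port-unreachable\nCOMMIT")
)

MATCHERS = {
    "-i": lambda p, a: p["in"] == a,
    "-o": lambda p, a: p["out"] == a,
    "-p": lambda p, a: p["proto"] == a,
    "-s": lambda p, a: ipaddress.ip_address(p["src"]) in ipaddress.ip_network(a),
    "-d": lambda p, a: ipaddress.ip_address(p["dst"]) in ipaddress.ip_network(a),
    "--state": lambda p, a: p["state"] in a.split(","),
    "-m": lambda p, a: a in ("state", "tcp", "udp", "icmp"),  # options decide
}

def parse_filter_table(dump):
    """Return (chains, policies) for the *filter table; user chains get '-'."""
    chains, policies, in_filter = {}, {}, False
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):       # ':NAME POLICY [p:b]'
            name, policy = line[1:].split()[:2]
            chains[name], policies[name] = [], policy
        elif in_filter and line.startswith("-A "):     # ['-A', chain, *rule]
            tokens = shlex.split(line)
            chains[tokens[1]].append(tokens[2:])
    return chains, policies

def rule_matches(tokens, pkt):
    """Evaluate the options before -j; an unsupported option raises, never skips."""
    opts = tokens[:tokens.index("-j")] if "-j" in tokens else tokens
    for opt, arg in zip(opts[::2], opts[1::2]):
        if opt not in MATCHERS:
            raise ValueError(f"unsupported match option {opt!r}")
        if not MATCHERS[opt](pkt, arg):
            return False
    return True

def walk(chain, pkt, chains, path):
    """Walk one chain; return a terminal verdict or None (implicit RETURN)."""
    for tokens in chains[chain]:
        if rule_matches(tokens, pkt):
            target = tokens[tokens.index("-j") + 1]
            path.append(f"{chain}: {' '.join(tokens)}")
            if target in ("ACCEPT", "DROP", "REJECT"):
                return target
            verdict = walk(target, pkt, chains, path)  # KeyError: unknown target
            if verdict:
                return verdict
    return None

def forward_verdict(dump, pkt):
    """Verdict for pkt, plus the matched rules that produced it."""
    chains, policies = parse_filter_table(dump)
    path = []
    verdict = walk("FORWARD", pkt, chains, path)
    if verdict is None:                       # fell off the end: policy applies
        verdict = policies["FORWARD"]
        path.append(f"FORWARD: policy {verdict}")
    return verdict, path

def packet_to(dst, src="192.168.6.10"):
    # Constructed: a NEW TCP connection from the LAN/WLAN bridge out of the WAN port.
    return {"in": "br-lan", "out": "eth0.1", "src": src, "dst": dst,
            "proto": "tcp", "state": "NEW"}
```

Running `forward_verdict(POSTED_RULES, packet_to("192.168.2.2"))` returns `ACCEPT` with the path ending in `zone_lan_ACCEPT: -i br-lan -j ACCEPT`: the two `dest_ip` rules are consulted first, but `zone_lan_forward` then jumps to `zone_lan_ACCEPT`, whose `-i br-lan` rule accepts everything entering from the LAN regardless of destination, and `:FORWARD ACCEPT` would accept whatever fell through anyway. Both lines correspond to the `option 'forward' 'ACCEPT'` entries in the `defaults` and `lan` zone sections of the config posted earlier. With `HARDENED_RULES` the same packet ends in `REJECT`, while 192.168.2.3 and 192.168.2.6 still reach `zone_wan_ACCEPT`, and a connection arriving on eth0.1 falls through to the DROP policy. One caveat visible in the dump: the raw table sends both zones to `NOTRACK`, so on this box the `-m state --state RELATED,ESTABLISHED` rules never match and the script's NEW-only treatment is accurate.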

The point of the discussion was not to recommend buying, in 2019, devices from the 2013 generation with a single-core SoC, Fast Ethernet, 802.11n Wi-Fi, 8 MB flash and 64 MB RAM, when devices with a multi-core SoC, Gigabit Ethernet, 802.11ac, 128 MB flash and 256 MB RAM are available for about the same price.

If you already own the older device, the situation is different. I hope you understand the difference: I still recommend NOT buying 2013-generation hardware in 2019 when you can get recent hardware with good OpenWrt support for about the same price.
