WRT54GL OpenWrt 10.03.1, route only some IP's to wan

Hi,

I use a old WRT54GL with OpenWRT 10.03.01 and I want to route only some known IP's (192.168.2.6 and 192.168.2.3) to the wan site subnet. If use masquerading in the wan zone all traffic goes through the wan...

Config:

192.168.6.0/24(LAN/WLAN) - WRT54GL(WAN: 192.168.2.7) - 192.168.2.0/24

How can I implement it?

That's quite an old version you have there, ah, the memories! :slight_smile:

Anyhow, you could try adding a DNAT rule to rewrite the destination based on the source.

Replace the default LAN-to-WAN forwarding with custom forward rules.

2 Likes

Could you explain what do you want to achieve as the 2.6 and 2.3 are already in WAN?
Do you want to restrict access from LAN devices to only 2.3 and 2.6 in WAN?

Hi,

thanks for your replies!

@trendy

Do you want to restrict access from LAN devices to only 2.3 and 2.6 in WAN?

Yes, that's exactly what I want.

Then follow @vgaetera's advice above.

  • You remove the lan-to-wan rule
  • then add rules for 192.168.2.3 and 192.168.2.6 to allow forward to WAN
3 Likes

To avoid any misunderstanding, these rules are in Firewall configuration. Not port forward, but traffic rules.
Remove the part

config forwarding
        option dest 'wan'
        option src 'lan'

and add

config rule
        option enabled '1'
        option target 'ACCEPT'
        option src 'lan'
        option name 'test'
        option proto 'all'
        option dest 'wan'
        option dest_ip '192.168.2.3'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option src 'lan'
        option name 'test'
        option proto 'all'
        option dest 'wan'
        option dest_ip '192.168.2.6'
2 Likes

I can not reach from 192.168.6.0/24 subnet the 192.168.2.6. Is something wrong in the rules above?

Do 2.3 and 2.6 have a route for 192.168.6.0/24 via the 2.7 of WRT54GL?

Shouldn't this be the source address?

Where should I exactly define the routes?

This post was flagged by the community and is temporarily hidden.

He said from LAN to WAN

Either directly on the .2.3 and .2.6
OR at their default gateway
OR (easiest) keep NAT on in WRT54GL on the WAN interface, so no routes will be needed.

1 Like

What the heck are you rocking such a old build of openwrt for? That old build is not safe to have on the internet in 2019.

4 Likes

After I define the route in the default gateway, I can reach 192.168.2.6 but also the full 192.168.2.0/24 subnet e. g. I can access the device 192.168.2.2 Is in my firewall config a problem?

firewall:

config 'rule'                                                                    
        option 'name' 'Allow-DHCP-Renew'                                         
        option 'src' 'wan'                                                       
        option 'proto' 'udp'                                                     
        option 'dest_port' '68'                                                  
        option 'target' 'ACCEPT'                                                 
        option 'family' 'ipv4'                                                   
                                                                                 
config 'rule'                                                                    
        option 'name' 'Allow-Ping'                                               
        option 'src' 'wan'                                                       
        option 'proto' 'icmp'                                                    
        option 'icmp_type' 'echo-request'                                        
        option 'family' 'ipv4'                                                   
        option 'target' 'ACCEPT'                                                 
                                                                                 
config 'rule'                                                                    
        option 'name' 'Allow-DHCPv6'                                             
        option 'src' 'wan'                                                       
        option 'proto' 'udp'                                                     
        option 'src_ip' 'fe80::/10'                                              
        option 'src_port' '547'                                                  
        option 'dest_ip' 'fe80::/10'                                             
        option 'dest_port' '546'                                                 
        option 'family' 'ipv6'                                                   
        option 'target' 'ACCEPT'                                                 
                                                                                 
config 'rule'                                                                    
        option 'name' 'Allow-ICMPv6-Input'                                       
        option 'src' 'wan'                                                       
        option 'proto' 'icmp'                                                    
        list 'icmp_type' 'echo-request'                                          
        list 'icmp_type' 'destination-unreachable'                               
        list 'icmp_type' 'packet-too-big'                                        
        list 'icmp_type' 'time-exceeded'                                         
        list 'icmp_type' 'bad-header'                                            
        list 'icmp_type' 'unknown-header-type'                                   
        list 'icmp_type' 'router-solicitation'                                   
        list 'icmp_type' 'neighbour-solicitation'                                
        option 'limit' '1000/sec'                                                
        option 'family' 'ipv6'                                                   
        option 'target' 'ACCEPT'

config 'rule'                                                                    
        option 'name' 'Allow-ICMPv6-Forward'                                     
        option 'src' 'wan'                                                       
        option 'dest' '*'                                                        
        option 'proto' 'icmp'                                                    
        list 'icmp_type' 'echo-request'                                          
        list 'icmp_type' 'destination-unreachable'                               
        list 'icmp_type' 'packet-too-big'                                        
        list 'icmp_type' 'time-exceeded'                                         
        list 'icmp_type' 'bad-header'                                            
        list 'icmp_type' 'unknown-header-type'                                   
        option 'limit' '1000/sec'                                                
        option 'family' 'ipv6'                                                   
        option 'target' 'ACCEPT'                                                 
                                                                                 
config 'defaults'                                                                
        option 'syn_flood' '1'                                                   
        option 'input' 'ACCEPT'                                                  
        option 'output' 'ACCEPT'                                                 
        option 'forward' 'ACCEPT'                                                
        option 'drop_invalid' '0'                                                
                                                                                 
config 'zone'                                                                    
        option 'name' 'lan'                                                      
        option 'network' 'lan'                                                   
        option 'input' 'ACCEPT'                                                  
        option 'output' 'ACCEPT'                                                 
        option 'forward' 'ACCEPT'                                                
                                                                                 
config 'zone'                                                                    
        option 'name' 'wan'                                                      
        option 'network' 'wan'                                                   
        option 'input' 'ACCEPT'                                                  
        option 'output' 'ACCEPT'                                                 
        option 'forward' 'ACCEPT'                                                
                                                                                 
config 'include'                                                                 
        option 'path' '/etc/firewall.user'                                       
                                                                                 
config 'rule'                                                                    
        option 'enabled' '1'                                                     
        option 'target' 'ACCEPT'                                                 
        option 'src' 'lan'                                                       
        option 'name' 'test'                                                     
        option 'proto' 'all'                                                     
        option 'dest' 'wan'                                                      
        option 'dest_ip' '192.168.2.11'                                          
                                                                                 
config 'rule'                                                                    
        option 'enabled' '1'                                                     
        option 'target' 'ACCEPT'                                                 
        option 'src' 'lan'                                                       
        option 'name' 'test'                                                     
        option 'proto' 'all'                                                     
        option 'dest' 'wan'                                                      
        option 'dest_ip' '192.168.2.6'

route:

You cannot block access to the 192.168.2.0/24 subnet since this would be switched, not routed. As a result, it never goes through the router/firewall, just the switch chip.

If you want to isolate those devices, you would be best served by setting up VLANs.

@psherman, it looks like separate interfaces and different firewall zones:

@maart, let's check the runtime configuration:

ip a; ip r; ip ru; iptables-save

It's possible I'm mis-interpreting this part of the issue... I'm reading it as "192.168.2.3 can reach 192.168.2.6 and can reach any other devices in 192.168.2.0/24 subnet." This would, of course, be expected behavior. But maybe I've got the interpretation wrong and we're talking about the LAN/WLAN subnet looking into the WRT54GL's network.

The goal is to reach from clients in 192.168.6.0/24 subnet only the client 192.168.2.6 and 192.168.2.3 in the 192.168.2.0/24 subnet. Now I changed the firewall in 192.168.2.7 und add a route in gateway from 192.168.2.0/24 subnet.

@vgaetera
I post later the output.

I do not have the ip command on the WRT54GL, only iptables-save.

# Generated by iptables-save v1.4.6 on Mon Sep 12 13:18:04 2011
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [16227:1233808]
:OUTPUT ACCEPT [16227:1233808]
:nat_reflection_in - [0:0]
:nat_reflection_out - [0:0]
:postrouting_rule - [0:0]
:prerouting_lan - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan - [0:0]
:zone_lan_nat - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_nat - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j prerouting_rule 
-A PREROUTING -i br-lan -j zone_lan_prerouting 
-A PREROUTING -i eth0.1 -j zone_wan_prerouting 
-A POSTROUTING -j postrouting_rule 
-A POSTROUTING -o br-lan -j zone_lan_nat 
-A POSTROUTING -o eth0.1 -j zone_wan_nat 
-A postrouting_rule -j nat_reflection_out 
-A prerouting_rule -j nat_reflection_in 
-A zone_lan_prerouting -j prerouting_lan 
-A zone_wan_prerouting -j prerouting_wan 
COMMIT
# Completed on Mon Sep 12 13:18:04 2011
# Generated by iptables-save v1.4.6 on Mon Sep 12 13:18:04 2011
*raw
:PREROUTING ACCEPT [31284:7738250]
:OUTPUT ACCEPT [16481:1283593]
:zone_lan_notrack - [0:0]
:zone_wan_notrack - [0:0]
-A PREROUTING -i br-lan -j zone_lan_notrack 
-A PREROUTING -i eth0.1 -j zone_wan_notrack 
-A zone_lan_notrack -j NOTRACK 
-A zone_wan_notrack -j NOTRACK 
COMMIT
# Completed on Mon Sep 12 13:18:04 2011
# Generated by iptables-save v1.4.6 on Mon Sep 12 13:18:04 2011
*mangle
:PREROUTING ACCEPT [203849:50582027]
:INPUT ACCEPT [70811:6000889]
:FORWARD ACCEPT [19175:9971307]
:OUTPUT ACCEPT [114003:11698513]
:POSTROUTING ACCEPT [130594:21488417]
COMMIT
# Completed on Mon Sep 12 13:18:04 2011
# Generated by iptables-save v1.4.6 on Mon Sep 12 13:18:04 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:forward - [0:0]
:forwarding_lan - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan - [0:0]
:input - [0:0]
:input_lan - [0:0]
:input_rule - [0:0]
:input_wan - [0:0]
:nat_reflection_fwd - [0:0]
:output - [0:0]
:output_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan - [0:0]
:zone_lan_ACCEPT - [0:0]
:zone_lan_DROP - [0:0]
:zone_lan_REJECT - [0:0]
:zone_lan_forward - [0:0]
:zone_wan - [0:0]
:zone_wan_ACCEPT - [0:0]
:zone_wan_DROP - [0:0]
:zone_wan_REJECT - [0:0]
:zone_wan_forward - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood 
-A INPUT -j input_rule 
-A INPUT -j input 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -j forwarding_rule 
-A FORWARD -j forward 
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -j output_rule 
-A OUTPUT -j output 
-A forward -i br-lan -j zone_lan_forward 
-A forward -i eth0.1 -j zone_wan_forward 
-A forwarding_rule -j nat_reflection_fwd 
-A input -i br-lan -j zone_lan 
-A input -i eth0.1 -j zone_wan 
-A output -j zone_lan_ACCEPT 
-A output -j zone_wan_ACCEPT 
-A reject -p tcp -j REJECT --reject-with tcp-reset 
-A reject -j REJECT --reject-with icmp-port-unreachable 
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN 
-A syn_flood -j DROP 
-A zone_lan -j input_lan 
-A zone_lan -j zone_lan_ACCEPT 
-A zone_lan_ACCEPT -o br-lan -j ACCEPT 
-A zone_lan_ACCEPT -i br-lan -j ACCEPT 
-A zone_lan_DROP -o br-lan -j DROP 
-A zone_lan_DROP -i br-lan -j DROP 
-A zone_lan_REJECT -o br-lan -j reject 
-A zone_lan_REJECT -i br-lan -j reject 
-A zone_lan_forward -d 192.168.2.3/32 -j zone_wan_ACCEPT 
-A zone_lan_forward -d 192.168.2.6/32 -j zone_wan_ACCEPT 
-A zone_lan_forward -j forwarding_lan 
-A zone_lan_forward -j zone_lan_ACCEPT 
-A zone_wan -p udp -m udp --dport 68 -j ACCEPT 
-A zone_wan -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A zone_wan -j input_wan 
-A zone_wan -j zone_wan_ACCEPT 
-A zone_wan_ACCEPT -o eth0.1 -j ACCEPT 
-A zone_wan_ACCEPT -i eth0.1 -j ACCEPT 
-A zone_wan_DROP -o eth0.1 -j DROP 
-A zone_wan_DROP -i eth0.1 -j DROP 
-A zone_wan_REJECT -o eth0.1 -j reject 
-A zone_wan_REJECT -i eth0.1 -j reject 
-A zone_wan_forward -j forwarding_wan 
-A zone_wan_forward -j zone_wan_ACCEPT 
COMMIT
# Completed on Mon Sep 12 13:18:04 2011