Zone forwarding not working by traffic rule

Hi everyone!

I am new to the OpenWrt world (and thus, the forum) and I am in love with it...

But I found something very puzzling.

I would like to allow a specific device in my network "LAN1" (firewall zone "LAN1") to connect to a specific device in my network "LAN2" (firewall zone "LAN2").

So I set up a firewall traffic rule to do that. But it did not work.
Trying to debug, I simplified things up to the point where I found this:

If I have this configuration:

config defaults
	option synflood_protect '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan1'
	list network 'lan1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan2'
	list network 'lan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config rule
	option name 'test-rule'
	option src 'lan1'
	option dest 'lan2'
	option target 'ACCEPT'

It does NOT work (my device on LAN1 cannot ping the device on LAN2).

But if I do this:

config defaults
	option synflood_protect '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan1'
	list network 'lan1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan2'
	list network 'lan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'lan1'
	option dest 'lan2'

It works.

Of course, this is not what I want, because in this case any device on lan1 can reach any device on lan2.
What is even weirder: if I set up a traffic rule to reject traffic from lan1 to lan2, I can still do the ping.

What am I not understanding here?

Thanks for your help!

What hardware we're talking 'bout?

You need to put the source and destination device details in your forwarding rule.

Sorry, I forgot to mention that: I am on a Netgear XR500 with OpenWrt 22.03.

I did at first:

config rule
	option name 'test-rule'
	option src 'lan1'
	option dest 'lan2'
	option target 'ACCEPT'
	option src_ip '192.168.1.10'
	option dest_ip '192.168.2.10'

But it did not work, so I tried to simplify the configuration for debugging and removed the src_ip and dst_ip... It still did not work.

With the

config forwarding
	option src 'lan1'
	option dest 'lan2'

It works but I cannot specify the source and destination IPs.

I found something in the doc:

The iptables rules generated for this section rely on the state match which needs connection tracking to work.

At least one of the src or dest zones needs to have connection tracking enabled through the masq option.

I cannot do any test right now but it can be a lead.

If you don't specify protocol ALL, then tcp+udp is the default, but you are testing with icmp.

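The rule the original poster was after, with the one missing option filled in. This is an added example, not configuration taken from the thread; the zone names and the two addresses are the ones quoted in the original post, and the rule name is made up. Because a `config rule` without `proto` only generates TCP and UDP matches, an ICMP echo never hits it and falls through to the zone's `forward 'REJECT'`; `proto 'all'` is what makes the ping match. No `config forwarding` section is needed, so every other lan1 host stays blocked by the zone policy.

```uci
# Added example (not from the thread). Zone names and addresses are the
# ones in the original post; the rule name is an assumption.
config rule
	option name 'lan1-host-to-lan2-host'
	option src 'lan1'
	option src_ip '192.168.1.10'
	option dest 'lan2'
	option dest_ip '192.168.2.10'
	# 'all' matches every IP protocol, ICMP included. Without this line
	# the default is 'tcp udp' and ping is silently left to the zone's
	# forward policy (REJECT). 'icmp' alone would be the narrowest fix
	# if only ping is wanted.
	option proto 'all'
	option target 'ACCEPT'
```

After editing `/etc/config/firewall`, apply it with `/etc/init.d/firewall restart`; on 22.03 (fw4) `fw4 print` shows the generated nftables ruleset, where the difference is visible as a rule with no `meta l4proto { tcp, udp }` match in front of the accept. The same default explains the poster's second observation: a REJECT rule from lan1 to lan2 without `proto` does not match ICMP either, so with a `config forwarding` section in place the ping still goes through.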

That was it!
Seems obvious once you know it...

I think it can be confusing and instinctively I'd expect it to cover all protocols, if not specified, so don't blame yourself.
@jow maybe it would make sense to change it?

