OpenWrt Forum Archive

Topic: LAN -> local WAN IP restrictions / rules - source file?

The content of this topic has been archived on 20 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Not sure if I can articulate this right, so I beg your tolerance.

I am not an OpenWRT developer, at least not yet - don't feel competent to be one, yet. But I'd appreciate it if someone could point me towards the correct source file to look at.

I'm playing with a router behind a router. Suppose, for example, I'm having a party, and I want to provide my guests internet access while permitting or restricting access to my home network.

So, I have an inner lan, with its router WAN connected to my home LAN, and its router connected to my ISP. Both routers are NATting. Machines on the inner LAN get out to the internet just fine. The inner router itself pings wherever desired - of course, it's on the outer lan. i.e. the issue below is not the router itself, but when transiting the router.

Sometimes these inner lan machines can ping the outer lan machines, sometimes not. There is a pattern here that I'm not entirely getting, which is to say, a ruleset I would like to better understand the specifics of. This 'ruleset' seems to revolve around the IP addresses being used. For example, if I set my inner lan to use bogon addresses, pings work fine. If I return to my normal network, they do not. Depending upon the particular set of guests, one day I may want those guests to have access to my home / outer lan, another day I might not. I'd like to better understand the rules in effect - and I presume I need to go to the source to accomplish that. (I tried to google on this topic, but can't find appropriate search terms.)

It seems to me that OpenWRT code is probably typical of the industry, in the sense of behaviour in this area. I'm guessing I could extrapolate from OpenWRT behaviour to the behaviour of most typical home internet routers.

What source file should I examine to find out what rules apply to this traffic - e.g. private vs. public addresses do / don't get passed.

TIA.

Joke wrote:

I start to think your issue is mine too
https://forum.openwrt.org/viewtopic.php?id=25159
Have nothing to propose :(

From my own testing, what you are trying, per your thread, at least between wan, lan, and pings, works.

I think you need to break down the issues between connectivity (be it NAT, or not), routing, firewall, and extra network. If you can, I would simplify back to square one and build up. Remove the firewall, focus on two networks (then all 3) at a time (connectivity), make sure the routing is in place (e.g. from the ISP LAN routing back to your OpenWRT LAN) [then between the two OpenWRT foreign networks]. I might try this all on the switch, then move the ISP to the WAN (no-NAT), then turn on NAT - see what works, connectivity and routing wise, then turn on NAT, etc. Finally, once all is working connectivity and routing wise, then play with iptables such that only the traffic you want gets through. That's what I would do. It sounds like you're in a production environment though - so you'd have to take down the firewall, judiciously, to verify the connectivity paths.

For myself - I'd just like to know what the rules of the game are. i.e. Traffic is/not passed depending upon the network numbers used - e.g. private address not (but that isn't my experience), and other networks yes. As in, some pings from LAN to local WAN network, NATted, are successful, some are not.

To know the rules for such, I'd have to read the source - but nobody has pointed out which source file, to date.
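The rules the thread is asking about are not hard-coded in a source file: on OpenWrt they come from /etc/config/firewall on the inner router (UCI zones, forwardings and rules, from which the firewall generates its iptables chains). The following is an added example, not from the thread or the OpenWrt project: the stock-style lan to wan forwarding that lets guests reach both the Internet and the outer LAN, plus one rule that withholds the outer LAN on days it should be off limits. The subnets are placeholders (192.168.1.0/24 standing for the home/outer LAN), and the setup assumes the inner and outer LANs use different subnets.

```uci
# /etc/config/firewall on the INNER router (added example, placeholder subnets).
# From this router's point of view the "wan" zone IS the home/outer LAN.

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# masq '1' is the NAT: guest traffic leaves with the inner router's WAN address
	option masq '1'

# This forwarding is what passes lan traffic to everything beyond wan,
# the outer LAN included; without it guests reach nothing.
config forwarding
	option src 'lan'
	option dest 'wan'

# Rules are evaluated before the zone forwarding above, so this one carves
# the home LAN out: guests still reach the Internet but not 192.168.1.0/24.
# Set enabled '1' (or remove the line) on days guests may use the home LAN.
config rule
	option name 'Guests-no-home-LAN'
	option src 'lan'
	option dest 'wan'
	option dest_ip '192.168.1.0/24'
	option proto 'all'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '1'
```

After editing, `/etc/init.d/firewall reload` regenerates the chains; `iptables -L zone_lan_forward -nv` then shows the REJECT rule ahead of the forwarding accept, with counters that reveal whether guest pings to the outer LAN are hitting it.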

The discussion might have continued from here.