OpenWrt Forum Archive

Topic: Iptables / routing / switch access to WAN-port?

The content of this topic has been archived on 27 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Got a question regarding iptables-configuration!

I've got a weird setup at home in which both my cable modem and my printer are connected to the WAN-port on my WRT54GL with the help of a switch!

-----------            ----------
| WRT54GL |--wan-port--| Switch |
-----------            ----------
 | | | | |               |    |
 local/wifi          Cable    Printer
                  public ip   192.168.0.202

The WRT54GL box is running Kamikaze 7.09 (kernel 2.4 brcm, the standard stuff), and has no fancy packages or configuration yet. I just set the local IP (on the WRT54GL) to 192.168.0.254, and the dhcp range is from 1 to 150; other than that I have not edited much. The printer is configured with a static ip, 192.168.0.202. It has to be connected through wan because of physical placement, as the cable modem and printer are in one room, and the WRT54GL is in another.

And here the fun begins!

I manage, when I've ssh'ed myself into kamikaze, to ping the printer if I manually make a new interface on the WAN-interface and then make a route:

root@Ruter:~# ifconfig eth0.1:1 192.168.0.200 netmask 255.255.255.0 up
root@Ruter:~# route add -net 192.168.0.202 netmask 255.255.255.255 dev eth0.1:1

But accessing the printer from shell is of course not enough! How should I configure iptables to allow requests to 192.168.0.202 to get routed the right way? I want everyone on the local net to be able to access the printer...

Would be greatly thankful if anyone could help me with this :)

Hi,

First, you made a mistake in your route command.

#wrong
root@Ruter:~# route add -net 192.168.0.202 netmask 255.255.255.255 dev eth0.1:1
#correct
root@Ruter:~# route add -net 192.168.0.0 netmask 255.255.255.0 dev eth0.1:1

2.
Please give us more information about your network. Is the provider (cable) connection with pppoe or pptp or something else?

The route command is correct because the printer isn't in its own subnet. Output of route before adding that specific one (gateway-address and public ip are scrambled):

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 br-lan
62.x.x.x        *               255.255.255.0   U     0      0        0 eth0.1
default         xxxx.gateway    0.0.0.0         UG    0      0        0 eth0.1

And after the commands:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.202   *               255.255.255.255 UH    0      0        0 eth0.1
192.168.0.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0.1
62.x.x.x        *               255.255.255.0   U     0      0        0 eth0.1
default         xxxx.gateway    0.0.0.0         UG    0      0        0 eth0.1

Pinging 192.168.0.202 works when the routing table is like this.

My /etc/config/network:

#### VLAN configuration 
config switch eth0
        option vlan0    "0 1 2 3 5*"
        option vlan1    "4 5"


#### Loopback configuration
config interface loopback
        option ifname   "lo"
        option proto    static
        option ipaddr   127.0.0.1
        option netmask  255.0.0.0


#### LAN configuration
config interface lan
        option type     bridge
        option ifname   "eth0.0"
        option proto    static
        option ipaddr   192.168.0.254
        option netmask  255.255.255.0

#### WAN configuration
config interface        wan
        option ifname   "eth0.1"
        option proto    dhcp

Standard DHCP from the cable modem, nothing special.

I asked the same thing on #openwrt, and I got this reply:

fm3 wrote:

the clients will never use the router to reach an ip address which is in their local network. i think you'd better use a different subnet for the printer (even better would be to run an extra cable to the printer, or if that's not possible, use the single cable for 2 connections by rewiring)

This makes very much sense when I think about it, but how can I solve it?

The wiring solution is kinda hard to manage, because I know that not all 8 wires in the network cable are working, so splitting it in two won't work...

Should I set the static ip on the printer to 192.168.1.something? Still can't see how traffic should get through iptables... I could manually add the route to 192.168.0.202 via 192.168.0.200 on every client (that's a dhcp option, isn't it?) if that solves anything, but as fm3 in the quote mentions, traffic with 192.168.0. doesn't get through iptables at all...

I guess I'm just rambling here... Making an own subnet for the printer is no hassle for me either, but how can I configure it?
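The routing point fm3 makes above (a client never sends traffic for its own subnet to the router) and the router-side table shown earlier can be checked with a small script. This is an added example, not code from the thread; it uses POSIX sh arithmetic only, so it runs without iptables or a real interface. The routing table embedded below is constructed from the table the original poster showed after adding the host route (the scrambled 62.x.x.x entry is left out); a route's mask value stands in for its prefix length, and on equal length the first listed entry wins, mirroring kernel ordering.

```shell
#!/bin/sh
# Added example (not from the thread): why a LAN client never reaches
# 192.168.0.202 via the WRT54GL, even though the router's own table can.

# Convert dotted quad to an integer, e.g. 192.168.0.202 -> 3232235722.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Client-side decision: next_hop HOST DEST MASK
# Prints "direct" when DEST is on HOST's subnet (resolved by ARP on the
# local segment, the router never sees it) or "gateway" otherwise.
next_hop() {
    host=$(ip_to_int "$1")
    dest=$(ip_to_int "$2")
    mask=$(ip_to_int "$3")
    if [ $(( host & mask )) -eq $(( dest & mask )) ]; then
        echo direct
    else
        echo gateway
    fi
}

# Router-side table, constructed from the thread's "after the commands"
# output: destination, genmask, interface. The two 192.168.0.0/24 entries
# are kept in the order shown there.
ROUTES="192.168.0.202 255.255.255.255 eth0.1
192.168.0.0 255.255.255.0 br-lan
192.168.0.0 255.255.255.0 eth0.1
0.0.0.0 0.0.0.0 eth0.1"

# Longest-prefix match over ROUTES: route_lookup DEST prints the interface.
# A larger (contiguous) mask value means a longer prefix; ties keep the
# first matching entry.
route_lookup() {
    d=$(ip_to_int "$1")
    best_mask=-1
    best_if=none
    set -- $ROUTES
    while [ $# -ge 3 ]; do
        net=$(ip_to_int "$1")
        mask=$(ip_to_int "$2")
        iface=$3
        shift 3
        if [ $(( d & mask )) -eq $(( net & mask )) ] && [ "$mask" -gt "$best_mask" ]; then
            best_mask=$mask
            best_if=$iface
        fi
    done
    echo "$best_if"
}

# Stand-alone demonstration with the thread's addresses.
echo "client 192.168.0.10 -> printer 192.168.0.202: $(next_hop 192.168.0.10 192.168.0.202 255.255.255.0)"
echo "client 192.168.0.10 -> printer 192.168.1.2:   $(next_hop 192.168.0.10 192.168.1.2 255.255.255.0)"
echo "router lookup 192.168.0.202: $(route_lookup 192.168.0.202)"
echo "router lookup 192.168.0.10:  $(route_lookup 192.168.0.10)"
echo "router lookup 8.8.8.8:       $(route_lookup 8.8.8.8)"
```

The first two lines of output are the whole problem: with the printer at 192.168.0.202 a client on 192.168.0.0/24 treats it as a neighbour and ARPs for it on br-lan, so no route or iptables rule on the router can help; moving the printer to 192.168.1.2 makes the client hand the packet to 192.168.0.254, where the router's longest-prefix lookup (the remaining lines) can send it out eth0.1.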

hi

I think you should at first add the eth0.1 device to the bridge; then it should be possible to contact the printer. Add your wlan to the bridge, too. Simply add "option network lan", and if you use the madwifi driver, then in your hostapd.conf you must add "bridge=br-lan"
(deactivating the firewall and disconnecting the internet from the switch)

Now you setup the Internet connection through the iptables rules.


#### VLAN configuration 
config switch eth0
        option vlan0    "0 1 2 3 5*"
        option vlan1    "4 5"


#### Loopback configuration
config interface loopback
        option ifname   "lo"
        option proto    static
        option ipaddr   127.0.0.1
        option netmask  255.0.0.0


#### LAN configuration
config interface lan
        option type     bridge
        option ifname   "eth0.0"
        option proto    static
        option ipaddr   192.168.0.254
        option netmask  255.255.255.0

#### Printer configuration
config interface printer
        option ifname "eth0.1:0"
        option network lan

#### WAN configuration #### Internet
config interface        wan
        option ifname   "eth0.1:1"
        option proto    dhcp

Thanks for the reply :) But there's just one thing... bridging virtual devices doesn't work, you can't bridge eth0.1:0 without including eth0.1:1, I tried that one... but maybe it will work anyway thanks to just one device receiving an address from the cable modem! I won't know before... well, Friday, because I won't be home to test it before then (don't want to test this setup remotely and screw up the connection till friday)

But to be sure I can test more things than this on Friday, how should firewall.user or /etc/config/firewall or even /etc/init.d/firewall look like if I would like iptables to accept connections to the 192.168.1.x-range both ways through eth0.1 (e.g. I set the printer IP to 192.168.1.2 and eth0.1:1 to 192.168.1.1)? Should this work by default?

This setup had a very easy fix to get it to work :) Didn't do any magic at all with either /etc/config/firewall, /etc/init.d/firewall or /etc/config/network. Just added "ifconfig eth0.1:0 192.168.1.1 netmask 255.255.255.0 up" to a script which starts at boot, and set the static IP of the printer to 192.168.1.2, and then everything worked like a charm :) The trick was, of course, to keep things away from each other by dividing it into subnets.

Thanks for help anyway :)

The discussion might have continued from here.