Look to port forward across two subnets on OpenWRT

OK, trying to access RDP on 192.168.2.148 (gateway 192.168.2.1, network name guest) from 192.168.1.247 (gateway 192.168.1.1, network name Lan). Will settle for being able to ping as a test first, as I know there are many ports with RDP. Let me know the black magic I need. Idiots updating the Linux kernel broke the bhyve VNC mouse on TrueNAS Core and won't have a fix from them until June. There go my completely isolated networks. Guest is ethernet bridged with Minions WiFi marked as isolate in case combining those creates some sort of weirdness. OpenWrt on APU2 on the top level of the network; the rest is dumb switches.

Network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd26:e904:3d1a::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix '56'

config device
        option type 'bridge'
        option name 'br-guest'
        list ports 'eth2'
        option mtu '1500'
config interface 'Guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

Firewall
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config zone
        option name 'guest'option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Guest'

config forwarding
        option src 'guest'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

You don’t need port forwarding. This will work with just a standard traffic rule.

OK, list the rule. I tried adding ICMP in both directions and it did not work on Guest and Lan.

There are two main ways to do this... granular or broad.

Granular looks generally like this:

config rule
        option name 'allow-RDP'
        list proto 'all'
        option src 'lan'
        list src_ip '192.168.1.247'
        option dest 'guest'
        list dest_ip '192.168.2.148'
        option target 'ACCEPT'

Whereas the broad one is this:

config forwarding
        option src 'lan'
        option dest 'guest'

The granular one can be made even more specific by restricting the protocol and the port so that only RDP can be accessed.

The broad one basically just allows all lan hosts to initiate connections to those on the guest network (but not the other way around).

Also... I noticed this looks strange:

It could be just a typo as it was copied/pasted into the forum, but make sure it looks like this:

config zone
        option name 'guest'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Guest'
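As an added illustration (not code from the thread or from OpenWrt), here is a small Python evaluator that parses firewall config in the UCI form shown above and answers, for one flow, whether a traffic rule, a zone forwarding or the global default decides it. It assumes a simplified fw3/fw4 evaluation order and a constructed config in which the granular rule is narrowed to TCP/3389 (RDP); with that narrowing a ping test is still rejected, the reverse direction stays rejected, and only the broad `config forwarding` lets ICMP through.

```python
import ipaddress

def parse_uci(text):
    """Parse UCI text into [(section_type, {key: str | [str]})]; 'list' entries accumulate."""
    sections = []
    for p in (line.split() for line in text.splitlines()):
        if p and p[0] == "config":
            sections.append((p[1], {}))
        elif p and p[0] in ("option", "list"):
            key, val, opts = p[1], " ".join(p[2:]).strip("'"), sections[-1][1]
            opts[key] = opts.get(key, []) + [val] if p[0] == "list" else val
    return sections

def _aslist(v):  # a UCI value may be absent (wildcard), an 'option' string or a 'list'
    return [] if v is None else (v if isinstance(v, list) else [v])

def _matches(value, wanted, wildcard=None):
    vals = _aslist(value)
    return not vals or wanted in vals or wildcard in vals

def _ip_in(value, ip):  # src_ip / dest_ip entries may be single hosts or CIDR prefixes
    nets = _aslist(value)
    return not nets or any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False) for n in nets)

def zone_of(sections, network):  # interface name (e.g. 'Guest') -> zone name (e.g. 'guest')
    return next((o["name"] for t, o in sections if t == "zone" and network in _aslist(o.get("network"))), None)

def verdict(sections, src_net, src_ip, dst_net, dst_ip, proto, dport=None):
    """Simplified fw3/fw4 order: first matching traffic rule, else zone forwarding, else global default.
    Intra-zone policy, the tcp+udp default for port-only rules and REJECT-vs-DROP details are ignored."""
    src_zone, dst_zone = zone_of(sections, src_net), zone_of(sections, dst_net)
    for t, o in sections:
        if (t == "rule" and o.get("src") == src_zone and o.get("dest") == dst_zone
                and _ip_in(o.get("src_ip"), src_ip) and _ip_in(o.get("dest_ip"), dst_ip)
                and _matches(o.get("proto"), proto, "all")
                and (dport is None or _matches(o.get("dest_port"), str(dport)))):
            return o.get("target", "DROP")
    if any(t == "forwarding" and o.get("src") == src_zone and o.get("dest") == dst_zone for t, o in sections):
        return "ACCEPT"
    return next(o.get("forward", "DROP") for t, o in sections if t == "defaults")

# Constructed config (not the thread's verbatim): lan/guest zones, global forward REJECT, rule narrowed to TCP/3389
FIREWALL = "\n".join([
    "config defaults", "option forward 'REJECT'",
    "config zone", "option name 'lan'", "list network 'lan'",
    "config zone", "option name 'guest'", "list network 'Guest'",
    "config rule", "option src 'lan'", "list src_ip '192.168.1.247'", "option dest 'guest'",
    "list dest_ip '192.168.2.148'", "list proto 'tcp'", "option dest_port '3389'", "option target 'ACCEPT'",
])
POLICY = parse_uci(FIREWALL)
```

Call `verdict(POLICY, "lan", "192.168.1.247", "Guest", "192.168.2.148", "tcp", 3389)` to get ACCEPT, and the same flow with `"icmp"` to see REJECT, which is why a ping test does not prove a port-restricted rule is working.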

That did it, thanks. Even when done with the GUI it needed a reboot to take effect, which was weird. Might have more to do with the APU2 than OpenWRT. Things do always act a little weird but generally work. Probably jump ship to a Banana Pi WiFi 7 at some point when that is ready. Could really use some more ports, although I may hold tight until 2.5 Gbps switches are the norm.
