OpenWrt Forum Archive

Topic: try to separate LAN, Wifi and DMZ

The content of this topic has been archived on 30 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello!

I used the guide http://forum.openwrt.org/viewtopic.php?id=12452 on this forum to separate the LAN and WIFI bridge into LAN, DMZ and WIFI ports on a wrt GL router.

Separating the different interfaces is easy, but the routing is not working properly and the firewall is not forwarding the clients' requests from the internal network to the WAN. When disabling the firewall it is possible to ping external sites from the router but not from the internal network.

Please if someone could help me.

/J

Hi

I get an error message when running shorewall start; I don't know what to do.

root@OpenWrt:~# shorewall start
/sbin/shorewall: /sbin/shorewall: 177: hostname: not found
Compiling...
Initializing...
Determining Zones...
   IPv4 Zones: wan loc eth dmz wifi
   Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Validating Policy file...
Determining Hosts in Zones...
   wan Zone: eth0.1:0.0.0.0/0
   eth Zone: eth0.0:172.16.10.0/24
   dmz Zone: eth0.2:172.16.30.0/24
   wifi Zone: wl0:172.16.20.0/24
   loc Zone: eth0.0:0.0.0.0/0 eth0.2:0.0.0.0/0 wl0:0.0.0.0/0
Deleting user chains...
Compiling /etc/shorewall/routestopped ...
Creating Interface Chains...
Compiling Common Rules
Adding Anti-smurf Rules
Adding rules for DHCP
Enabling RFC1918 Filtering
Compiling TCP Flags checking...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling IP Forwarding...
Compiling /etc/shorewall/rules...
Compiling Actions...
Compiling /usr/share/shorewall/action.Drop for Chain Drop...
Compiling /usr/share/shorewall/action.Reject for Chain Reject...
Compiling /etc/shorewall/policy...
Compiling Masquerading/SNAT
Compiling Traffic Control Rules...
Compiling Rule Activation...
Shorewall configuration compiled to /var/lib/shorewall/.start
Giving up on lock file /var/lib/shorewall/lock
Processing /etc/shorewall/params ...
Starting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Clearing Traffic Control/QOS
/var/lib/shorewall/.start: /var/lib/shorewall/.start: 1399: ip: not found
Deleting user chains...
Processing /etc/shorewall/continue ...
Enabling Loopback and DNS Lookups
Creating Interface Chains...
Setting up SMURF control...
Processing /etc/shorewall/initdone ...
Setting up Black List...
Adding Anti-smurf Jumps...
Setting up rules for DHCP...
Setting up RFC1918 Filtering...
Setting up TCP Flags checking...
Setting up ARP filtering...
Setting up Route Filtering...
   WARNING: Cannot set route filtering on wl0
/var/lib/shorewall/.start: /var/lib/shorewall/.start: 1399: ip: not found
Setting up Martian Logging...
   WARNING: Cannot set Martian logging on wl0
Setting up Accept Source Routing...
IP Forwarding Enabled
Setting up SYN Flood Protection...
Setting up Rules...
Setting up Actions...
Creating action chain Drop
Creating action chain Reject
Creating action chain dropBcast
Creating action chain dropInvalid
Creating action chain dropNotSyn
Applying Policies...
Setting up Masquerading/SNAT...
   ERROR: Unable to determine the routes through interface "eth0.1"
Processing /etc/shorewall/stop ...
/var/lib/shorewall/.start: /var/lib/shorewall/.start: 1399: ip: not found
   ERROR: Command "ip link list" Failed
/var/lib/shorewall/.start: /var/lib/shorewall/.start: 1399: ip: not found
   ERROR: Command "ip link list" Failed


My routing table looks like this:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0.1
172.16.30.0     *               255.255.255.0   U     0      0        0 eth0.2
172.16.10.0     *               255.255.255.0   U     0      0        0 eth0.0
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0.1


Please help me see what is wrong.

/J

There are a few holes/mistakes in this guide:

1) There are bogus router/DNS IPs in the config/network file, but I see you avoided that trap.

2) Install the 'ip' package:

# ipkg update
# ipkg install ip

3) Most importantly, which will really trip us shorewall newbies, the /etc/shorewall/masq config is completely wrong. Instead of:

eth0.0        eth0.1
wl0        eth0.1

It should be:

eth0.1        eth0.0
eth0.1        wl0
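The swapped masq columns above are the kind of mistake that is easy to miss by eye, so here is a small sanity check for them. This is an added example, not code from the thread or from Shorewall itself: it reads the Shorewall masq columns as INTERFACE (the egress/WAN side where masquerading is applied) followed by SOURCE (the internal interface or subnet being masqueraded), takes the default-route interface from a `route`-style table as the expected egress interface, and flags rules whose columns are reversed. The routing table embedded below is the one posted earlier in the thread; the two masq files are the "wrong" and "right" forms from this post; the function names `wan_iface` and `check_masq` are this example's own.

```shell
#!/bin/sh
# Added example: sanity-check the column order of a Shorewall masq file.
# Assumed column meaning (Shorewall masq): INTERFACE = egress/WAN interface,
# SOURCE = internal interface or subnet whose traffic is masqueraded.

# Constructed sample input: the routing table posted in the thread (output of `route`).
ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0.1
172.16.30.0     *               255.255.255.0   U     0      0        0 eth0.2
172.16.10.0     *               255.255.255.0   U     0      0        0 eth0.0
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0.1'

# The two masq files from this post: the guide's reversed version and the corrected one.
MASQ_WRONG='eth0.0        eth0.1
wl0        eth0.1'
MASQ_RIGHT='eth0.1        eth0.0
eth0.1        wl0'

# wan_iface ROUTE_TABLE: print the interface that carries the default route.
# Accepts both `route` ("default") and `route -n` ("0.0.0.0") destination spellings.
wan_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" || $1 == "0.0.0.0" { print $NF; exit }'
}

# check_masq MASQ_TEXT WAN_IFACE: print one verdict per masq rule.
# Returns 0 when every rule masquerades onto WAN_IFACE, 1 otherwise.
check_masq() {
    masq="$1"; wan="$2"; rc=0
    while read -r egress source rest; do
        # skip blank lines and comments
        case "$egress" in ''|'#'*) continue ;; esac
        if [ "$egress" = "$wan" ] && [ "$source" != "$wan" ]; then
            printf 'OK      %s <- %s\n' "$egress" "$source"
        elif [ "$source" = "$wan" ]; then
            # WAN interface is in the SOURCE column: the columns are reversed
            printf 'SWAPPED %s <- %s (should be: %s %s)\n' "$egress" "$source" "$source" "$egress"
            rc=1
        else
            printf 'UNKNOWN %s <- %s (egress is not the default-route interface)\n' "$egress" "$source"
            rc=1
        fi
    done <<EOF
$masq
EOF
    return $rc
}

# Stand-alone run: the wrong file reports two SWAPPED rules, the right one two OK rules.
WAN=$(wan_iface "$ROUTES")
echo "default route leaves via: $WAN"
echo "--- guide's masq file ---";  check_masq "$MASQ_WRONG" "$WAN" || true
echo "--- corrected masq file ---"; check_masq "$MASQ_RIGHT" "$WAN" || true
```

On a router the same check would be fed with `route` output and the contents of /etc/shorewall/masq; note that the `ip: not found` errors in the shorewall output above are a separate problem (the missing `ip` package), which this check does not cover.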

The discussion might have continued from here.