OpenWrt Forum Archive

Topic: Need firewall help for routing in client wireless mode.

The content of this topic has been archived on 22 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Post #1
kjkeefe
4 Dec 2011, 19:14

I'm trying to set up an openwrt router to route between its lan and wifi networks. Lan is 192.168.2.0 and Wifi is 192.168.1.0. I want traffic to be freely routed both directions. I think I'm close because I can ssh into my openwrt box from either network and talk to both networks from the router. However, I can't get the router to route any traffic between the two networks. I have set up a static route on the wireless AP to point 192.168.2.0 traffic to the openwrt box. I'm betting that my firewall config is messed up because I'm a bit of a noob at linux firewalls. Here is the firewall config:

config 'defaults'
    option 'syn_flood' '1'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'
    option 'drop_invalid' '1'

config 'zone'
    option 'name' 'lan'
    option 'network' 'lan'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'

config 'include'
    option 'path' '/etc/firewall.user'

config 'zone'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'name' 'wifi'
    option 'network' 'wwan'
    option 'forward' 'REJECT'

config 'forwarding'
    option 'src' 'wifi'
    option 'dest' 'lan'



Here's my ifconfig output:

br-lan    Link encap:Ethernet  HWaddr 00:0F:66:E3:9D:C6 
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2292 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1378 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:178885 (174.6 KiB)  TX bytes:151243 (147.6 KiB)

eth0      Link encap:Ethernet  HWaddr 00:0F:66:E3:9D:C6 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2284 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2262 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:228597 (223.2 KiB)  TX bytes:530887 (518.4 KiB)
          Interrupt:5

eth0.0    Link encap:Ethernet  HWaddr 00:0F:66:E3:9D:C6 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2292 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1378 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:188053 (183.6 KiB)  TX bytes:156755 (153.0 KiB)

eth0.1    Link encap:Ethernet  HWaddr 00:0F:66:E3:9D:C6 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:883 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:359381 (350.9 KiB)

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:17 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1465 (1.4 KiB)  TX bytes:1465 (1.4 KiB)

wlan0     Link encap:Ethernet  HWaddr 00:0F:66:E3:9D:C8 
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:29 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4534 (4.4 KiB)  TX bytes:2177 (2.1 KiB)

Post #2
MacBruins
5 Dec 2011, 06:35

You probably have a good answer for this, but why not bridge your LAN and wifi?  If they are on the same subnet (192.168.1.x for example), you don't need routing.

Post #3
kjkeefe
9 Dec 2011, 22:57

That would be great! How can I do this?

Post #4
MacBruins
10 Dec 2011, 19:40

That's odd ,since by default LAN and wireless are bridged.

Take a look at these

Routed AP is what you have now:  http://wiki.openwrt.org/doc/recipes/routedap
Bridged AP is what you want:   http://wiki.openwrt.org/doc/recipes/bridgedap.  The difference is that you want to leave DNS enabled.

If you can't figure out what to change, I suggest that you make a backup of your current configuration, and then re-start from a default created by "wifi detect" command.  To see an example, go to my blog at http://blog.macbruins.com/2011/12/01/se … ess-point/ and skip to the section "OpenWrt First Boot"

If nothing works, try re-installing.  As I said, the wireless and LAN are in the same subnet by default.

To debug your prblem, post your /etc/config/network and /etc/config/wireless.

Post #5
fyi
23 Dec 2011, 17:03 
config 'forwarding'
    option 'src' 'lan'
    option 'dest' 'wifi'

config 'forwarding'
    option 'src' 'wifi'
    option 'dest' 'lan'

The discussion might have continued from here.