OpenWrt Forum Archive

Topic: how to forward certain port between zone ?

The content of this topic has been archived on 20 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have defined multiple zones in VLANs with different IPs,
let's say 192.168.1.0/24 and 172.168.1.0/24.
I have a server on 192.168.1.10 running an application on port 5003
and I want to access this application from my workstation on 172.168.1.10.
How do I configure the firewall to enable this?

(Last edited by dony71 on 16 Oct 2017, 05:18)

I think, you don't need port forwarding in your case. Just enable forwarding from zone 172 to zone 192. Check ping initially.

ulmwind wrote:

I think, you don't need port forwarding in your case. Just enable forwarding from zone 172 to zone 192. Check ping initially.

Forwarding between zones means all ports will be forwarded,
however I only want to forward/redirect port 5003 in my case.
Any idea?

(Last edited by dony71 on 16 Oct 2017, 21:53)

Well. No. You don't want any forwarding at all.

Forwarding means: Once a request hits the IP of your router targeting port 5003, the request should be forwarded to another IP. So no, you don't want forwarding.

You simply want to allow traffic from ZONE2 to LAN in case its destination port is 5003 and its destination IP is 192.168.1.10.

If we're talking LuCI Web UI, it's the section "Network / Firewall / Traffic Rules" you need to put your rule in, not the section "Network / Firewall / Port Forwarding".

If we're talking /etc/config/firewall, it's something like this:

config rule
        option target 'ACCEPT'
        option src 'zone2'
        option dest 'lan'
        option name 'whatever that is'
        option src_ip '*'
        option dest_ip '192.168.1.10'
        option dest_port '5003'

Regards,
Stephan.

golialive wrote:

Well. No. You don't want any forwarding at all.

Forwarding means: Once a request hits the IP of your router targeting port 5003, the request should be forwarded to another IP. So no, you don't want forwarding.

You simply want to allow traffic from ZONE2 to LAN in case its destination port is 5003 and its destination IP is 192.168.1.10.

If we're talking LuCI Web UI, it's the section "Network / Firewall / Traffic Rules" you need to put your rule in, not the section "Network / Firewall / Port Forwarding".

If we're talking /etc/config/firewall, it's something like this:

config rule
        option target 'ACCEPT'
        option src 'zone2'
        option dest 'lan'
        option name 'whatever that is'
        option src_ip '*'
        option dest_ip '192.168.1.10'
        option dest_port '5003'

Regards,
Stephan.

How about if I want to access LuCI (the OpenWrt config GUI) from another zone?
LuCI is on the router at 192.168.1.1 in zone lan, and my workstation is connected to zone2 172.168.1.0/24.
I modified the config like this below, but LuCI cannot be accessed:

config rule
        option target 'ACCEPT'
        option src 'zone2'
        option dest 'lan'
        option name 'whatever that is'
        option src_ip '*'
        option dest_ip '192.168.1.1'
        option dest_port '80'

Please provide the output of

iptables -nvL

ulmwind wrote:

Please provide the output of

iptables -nvL

For this case below, lan zone 128.168.1.0/24 and voip zone 178.168.1.0/24:
I have a workstation on 128.168.1.75 and want to access a VoIP device on 178.168.1.61 port 8084.
My firewall rule related to this:

config rule #5
        option name 'Allow-DVG1120S-remote'
        option src 'lan'
        option src_ip '*'
        option dest 'voip'
        option dest_ip '178.168.1.61'
        option dest_port '8084'
        option target 'ACCEPT'

iptables -nvL

root@MyNetN750:/etc/config# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
10280 1079K delegate_input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:52413 flags:0x04/0x04
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 222K  146M delegate_forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
12833 9900K delegate_output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MINIUPNPD (2 references)
 pkts bytes target     prot opt in     out     source               destination
 2185  118K ACCEPT     tcp  --  *      *       0.0.0.0/0            128.168.1.50         tcp dpt:52413
 1301 70607 ACCEPT     udp  --  *      *       0.0.0.0/0            128.168.1.50         udp dpt:52413

Chain delegate_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
 222K  146M forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
 217K  146M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  639 73390 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
 4323  239K zone_wan_forward  all  --  eth0.1 *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_voip_forward  all  --  eth0.3 *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_vpn_forward  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_guest_forward  all  --  br-guest *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_tor_forward  all  --  br-tor *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain delegate_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1377  128K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 8903  951K input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
 7268  811K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  510 22524 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
  857 98536 zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
  637 35312 zone_wan_input  all  --  eth0.1 *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_voip_input  all  --  eth0.3 *       0.0.0.0/0            0.0.0.0/0
   18   870 zone_vpn_input  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
    5   160 zone_guest_input  all  --  br-guest *       0.0.0.0/0            0.0.0.0/0
    5   160 zone_tor_input  all  --  br-tor *       0.0.0.0/0            0.0.0.0/0

Chain delegate_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1377  128K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
11456 9773K output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
10515 9473K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  631  270K zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0
  287 19997 zone_wan_output  all  --  *      eth0.1  0.0.0.0/0            0.0.0.0/0
    0     0 zone_voip_output  all  --  *      eth0.3  0.0.0.0/0            0.0.0.0/0
   23 10341 zone_vpn_output  all  --  *      tun0    0.0.0.0/0            0.0.0.0/0
    0     0 zone_guest_output  all  --  *      br-guest  0.0.0.0/0            0.0.0.0/0
    0     0 zone_tor_output  all  --  *      br-tor  0.0.0.0/0            0.0.0.0/0

Chain forwarding_guest_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_tor_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_voip_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_guest_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_tor_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_voip_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_guest_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_tor_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_voip_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain reject (15 references)
 pkts bytes target     prot opt in     out     source               destination
   28  4056 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
  619 31576 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination
  397 17552 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50
  113  4972 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_guest_dest_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      br-guest  0.0.0.0/0            0.0.0.0/0

Chain zone_guest_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  *      br-guest  0.0.0.0/0            0.0.0.0/0

Chain zone_guest_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MINIUPNPD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 forwarding_guest_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding guest -> wan */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    0     0 zone_guest_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_guest_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    5   160 input_guest_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* guest Allow DNS DHCP */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67 /* guest Allow DNS DHCP */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 /* guest Allow DNS DHCP */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
    5   160 zone_guest_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_guest_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 output_guest_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
    0     0 zone_guest_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_guest_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    5   160 reject     all  --  br-guest *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_dest_ACCEPT (4 references)
 pkts bytes target     prot opt in     out     source               destination
  631  270K ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0

Chain zone_lan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
  639 73390 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    0     0 zone_voip_dest_ACCEPT  tcp  --  *      *       0.0.0.0/0            178.168.1.61         tcp dpt:8084 /* Allow-DVG1120S-remote */
    0     0 zone_voip_dest_ACCEPT  udp  --  *      *       0.0.0.0/0            178.168.1.61         udp dpt:8084 /* Allow-DVG1120S-remote */
  639 73390 zone_vpn_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding lan -> vpn */
  639 73390 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding lan -> wan */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    0     0 zone_lan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  857 98536 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
   10   320 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0            /* Multicast IGMP */
  180 60341 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.0/4          /* Multicast UDP */
  394 18482 ACCEPT     tcp  --  *      *       0.0.0.0/0            128.168.1.1          /* ROUTER transaction */
  161 10798 ACCEPT     udp  --  *      *       0.0.0.0/0            128.168.1.1          /* ROUTER transaction */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            128.168.1.44         /* DVR transaction */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            128.168.1.44         /* DVR transaction */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* lan Allow DNS DHCP NTP */
    5  2096 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67 /* lan Allow DNS DHCP NTP */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123 /* lan Allow DNS DHCP NTP */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
  107  6499 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
  631  270K output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
  631  270K zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  107  6499 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0

Chain zone_tor_dest_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      br-tor  0.0.0.0/0            0.0.0.0/0

Chain zone_tor_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  *      br-tor  0.0.0.0/0            0.0.0.0/0

Chain zone_tor_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_tor_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    0     0 zone_lan_dest_ACCEPT  tcp  --  *      *       0.0.0.0/0            128.168.1.1          tcp dpt:80 /* tor Router Access */
    0     0 zone_lan_dest_ACCEPT  udp  --  *      *       0.0.0.0/0            128.168.1.1          udp dpt:80 /* tor Router Access */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding tor -> wan */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    0     0 zone_tor_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_tor_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    5   160 input_tor_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* tor Allow DNS DHCP */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67 /* tor Allow DNS DHCP */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9040 /* tor Allow Tor Transparent */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9050 /*  tor Allow SOCKS */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
    5   160 zone_tor_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_tor_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 output_tor_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
    0     0 zone_tor_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_tor_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    5   160 reject     all  --  br-tor *       0.0.0.0/0            0.0.0.0/0

Chain zone_voip_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      eth0.3  0.0.0.0/0            0.0.0.0/0

Chain zone_voip_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  *      eth0.3  0.0.0.0/0            0.0.0.0/0

Chain zone_voip_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_voip_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding voip -> wan */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    0     0 zone_voip_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_voip_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 input_voip_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
    0     0 zone_voip_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_voip_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 output_voip_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
    0     0 zone_voip_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_voip_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0.3 *       0.0.0.0/0            0.0.0.0/0

Chain zone_vpn_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination
   23 10341 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0

Chain zone_vpn_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding vpn -> lan */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    0     0 zone_vpn_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_vpn_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
   18   870 input_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
   18   870 zone_vpn_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_vpn_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
   23 10341 output_vpn_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
   23 10341 zone_vpn_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_vpn_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   18   870 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_dest_ACCEPT (5 references)
 pkts bytes target     prot opt in     out     source               destination
  926 93387 ACCEPT     all  --  *      eth0.1  0.0.0.0/0            0.0.0.0/0

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  *      eth0.1  0.0.0.0/0            0.0.0.0/0

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
 4311  233K MINIUPNPD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  837 50130 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
  837 50130 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  637 35312 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 /* Allow-DHCP-Renew */
    0     0 reject     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Allow-Ping */
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* Block TCP port 53 */
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8200 /* Block miniDLNA status port 8200 */
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:8200 /* Block miniDLNA status port 8200 */
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6000 /* Block uPNP port 6000 */
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:6000 /* Block uPNP port 6000 */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194 /* OpenVPN Allow */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
  637 35312 zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
  287 19997 output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
  287 19997 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  637 35312 reject     all  --  eth0.1 *       0.0.0.0/0            0.0.0.0/0

I can't see any 192.168 in the output of iptables.
However, 178.168 I do see:

    0     0 zone_voip_dest_ACCEPT  tcp  --  *      *       0.0.0.0/0            178.168.1.61         tcp dpt:8084 /* Allow-DVG1120S-remote */
    0     0 zone_voip_dest_ACCEPT  udp  --  *      *       0.0.0.0/0            178.168.1.61         udp dpt:8084 /* Allow-DVG1120S-remote */

Try adding the forwarding rule manually. Try adding it to the input chain, then to the forward chain.
It is a tricky question where this rule should go, in the input or the forward chain. Input, because the router itself has the IP. Forward, because it is in another zone. Whoever knows, please answer. I think input, because the fact that the router itself has the IP suffices. A similar question is how to enable access to LuCI on a local IP via WAN; it was discussed here: https://forum.openwrt.org/viewtopic.php?id=69890

(Last edited by ulmwind on 20 Oct 2017, 10:02)
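The placement question raised in the two posts above (which chain a traffic rule lands in, and why a rule with `option dest 'lan'` and `dest_ip` set to the router's own address can never match LuCI traffic) can be modelled in a few lines. The following is an added example, not code from this thread or from OpenWrt's fw3; it reproduces only fw3's rule-placement behaviour (a rule with both `src` and `dest` goes to `zone_<src>_forward`, a rule with `src` only goes to `zone_<src>_input`) and uses the zone names and addresses from the first posts. The config excerpt, the zone-to-network map, the router addresses and a REJECT default for zone2 are all assumptions made for the example:

```python
"""Where an OpenWrt fw3 'config rule' lands (INPUT vs FORWARD) and whether it
applies to a given new connection.  Added example, not code from the thread
or from OpenWrt; zone2 = 172.168.1.0/24 and lan = 192.168.1.0/24 as in the
thread.  Assumed: zone2's default policy is REJECT, the router owns
192.168.1.1 and 172.168.1.1."""
import ipaddress
import re

# Constructed /etc/config/firewall excerpt (the real file also has defaults,
# zone and forwarding sections).  The two LuCI rules differ only in
# 'option dest': with it the rule goes to the forward chain, which packets
# addressed to the router itself never traverse.
FIREWALL_CONFIG = """
config rule
        option name 'app-5003'
        option src 'zone2'
        option dest 'lan'
        option dest_ip '192.168.1.10'
        option dest_port '5003'
        option target 'ACCEPT'

config rule
        option name 'luci-wrong'
        option src 'zone2'
        option dest 'lan'
        option dest_ip '192.168.1.1'
        option dest_port '80'
        option target 'ACCEPT'

config rule
        option name 'luci-right'
        option src 'zone2'
        option dest_ip '192.168.1.1'
        option dest_port '80'
        option proto 'tcp'
        option target 'ACCEPT'
"""

ZONE_OF_NETWORK = {"192.168.1.0/24": "lan", "172.168.1.0/24": "zone2"}  # assumption
ROUTER_ADDRESSES = {"192.168.1.1", "172.168.1.1"}                        # assumption


def parse_rules(text):
    """Collect each 'config rule' section as a dict of its options."""
    rules, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config rule"):
            current = {}
            rules.append(current)
        elif current is not None:
            m = re.match(r"option\s+(\w+)\s+'([^']*)'", line)
            if m:
                current[m.group(1)] = m.group(2)
    return rules


def chain_for(rule):
    """fw3: src+dest -> zone_<src>_forward, src only -> zone_<src>_input."""
    return "zone_%s_%s" % (rule["src"], "forward" if "dest" in rule else "input")


def zone_of(address):
    for network, zone in ZONE_OF_NETWORK.items():
        if ipaddress.ip_address(address) in ipaddress.ip_network(network):
            return zone
    return None


def _in_range(spec, value):
    """dest_port may be a single port '5003' or a range '8080-8090'."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= value <= int(hi or lo)


def filter_matches(rule, flow):
    """Protocol, address and port filters of one rule against one flow.
    fw3's default proto for rules is tcp and udp; '*' means any address."""
    protos = rule.get("proto", "tcp udp").replace("tcpudp", "tcp udp").split()
    if flow["proto"] not in protos:
        return False
    for key, field in (("src_ip", "src"), ("dest_ip", "dst")):
        if key in rule and rule[key] != "*" and ipaddress.ip_address(flow[field]) \
                not in ipaddress.ip_network(rule[key], strict=False):
            return False
    return "dest_port" not in rule or _in_range(rule["dest_port"], flow["dport"])


def evaluate(rules, flow):
    """Verdict for a new connection.  Traffic to one of the router's own
    addresses goes through INPUT, everything else through FORWARD; rules
    placed in the other path are never consulted, whatever dest_ip says."""
    path = "input" if flow["dst"] in ROUTER_ADDRESSES else "forward"
    for rule in rules:
        if rule.get("src") != flow["src_zone"] or not chain_for(rule).endswith("_" + path):
            continue
        if path == "forward" and rule["dest"] != zone_of(flow["dst"]):
            continue
        if filter_matches(rule, flow):
            return rule.get("target", "REJECT"), rule.get("name")
    return "REJECT", None  # assumed zone default


RULES = parse_rules(FIREWALL_CONFIG)
APP = {"src_zone": "zone2", "src": "172.168.1.10", "dst": "192.168.1.10", "dport": 5003, "proto": "tcp"}
LUCI = {"src_zone": "zone2", "src": "172.168.1.10", "dst": "192.168.1.1", "dport": 80, "proto": "tcp"}

if __name__ == "__main__":
    print(evaluate(RULES, APP))                                             # ('ACCEPT', 'app-5003')
    print(evaluate([r for r in RULES if r["name"] != "luci-right"], LUCI))  # ('REJECT', None)
    print(evaluate(RULES, LUCI))                                            # ('ACCEPT', 'luci-right')
```

The third rule is the shape that actually opens LuCI to zone2: no `option dest`, so fw3 emits it into `zone_zone2_input`, and `dest_ip` restricts it to the lan-side address of the router. The same pattern is visible in the posted `iptables -nvL` output, where the "tor Router Access" rule for 128.168.1.1:80 sits in `zone_tor_forward` with zero hits.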

ulmwind wrote:

I can't see any 192.168 in the output of iptables.
However, 178.168 I do see:

    0     0 zone_voip_dest_ACCEPT  tcp  --  *      *       0.0.0.0/0            178.168.1.61         tcp dpt:8084 /* Allow-DVG1120S-remote */
    0     0 zone_voip_dest_ACCEPT  udp  --  *      *       0.0.0.0/0            178.168.1.61         udp dpt:8084 /* Allow-DVG1120S-remote */

Try adding the forwarding rule manually. Try adding it to the input chain, then to the forward chain.
It is a tricky question where this rule should go, in the input or the forward chain. Input, because the router itself has the IP. Forward, because it is in another zone. Whoever knows, please answer. I think input, because the fact that the router itself has the IP suffices. A similar question is how to enable access to LuCI on a local IP via WAN; it was discussed here: https://forum.openwrt.org/viewtopic.php?id=69890

Like I said in my previous post,
for this case the lan zone is 128.168.1.0/24 and the voip zone is 178.168.1.0/24.
I have a workstation on 128.168.1.75 and want to access a VoIP device on 178.168.1.61 port 8084, so lan is not 192.168.1.0/24.

OK, you should correct your rule:

639 73390 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0

Now it works only for br-lan, but I think that is not the case for you.
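The remark above is about the `in` column: `zone_lan_forward` is only entered for packets arriving on `br-lan`, and the accept for the VoIP device inside it only fires when the packet also leaves on `eth0.3`. Reading that by hand across a dozen chains is error-prone, so the following added example (not code from this thread or from OpenWrt) walks a new connection through the chain graph exactly as `iptables -nvL` prints it. SAMPLE is a constructed excerpt of the output posted earlier, reduced to the chains on the lan-to-voip path; the egress interface is an input to the trace because routing, not the firewall, chooses it (assumed here: 178.168.1.0/24 is behind eth0.3, as the `zone_voip` chains suggest). Match options the parser does not understand (`limit:`, `flags:`, `icmptype`) are treated as non-matching, and only new connections (`ctstate NEW`) are simulated:

```python
"""Trace a new connection through the filter table as printed by
'iptables -nvL'.  Added example, not from the thread or from OpenWrt.
SAMPLE is a constructed excerpt of the output posted in the thread."""
import ipaddress
import re

SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 222K  146M delegate_forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain delegate_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
 217K  146M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  639 73390 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination
Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
  639 73390 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    0     0 zone_voip_dest_ACCEPT  tcp  --  *      *       0.0.0.0/0            178.168.1.61         tcp dpt:8084 /* Allow-DVG1120S-remote */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    0     0 zone_lan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain zone_voip_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      eth0.3  0.0.0.0/0            0.0.0.0/0
Chain zone_lan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0
Chain reject (15 references)
 pkts bytes target     prot opt in     out     source               destination
   28  4056 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
  619 31576 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_table(text):
    """Return {chain: {'policy': str or None, 'rules': [rule dicts]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        header = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)", line)
        if header:
            current = chains.setdefault(header.group(1), {"policy": header.group(2), "rules": []})
            continue
        tokens = re.sub(r"/\*.*?\*/", "", line).split()   # drop the comment match
        if current is None or not tokens or tokens[0] == "pkts":
            continue
        rule = {"target": tokens[2], "prot": tokens[3], "in": tokens[5], "out": tokens[6],
                "src": tokens[7], "dst": tokens[8], "dport": None, "states": None, "unsupported": []}
        extras = tokens[9:]
        while extras:
            tok = extras.pop(0)
            if tok in ("tcp", "udp"):              # protocol word printed before 'dpt:'
                continue
            if tok.startswith("dpt:"):
                rule["dport"] = int(tok[4:])
            elif tok in ("ctstate", "state"):
                rule["states"] = set(extras.pop(0).split(","))
            elif tok == "reject-with":
                extras.pop(0)                       # verdict detail, not a match
            else:
                rule["unsupported"].append(tok)    # limit:, flags:, ...: treated as no match
        current["rules"].append(rule)
    return chains


def matches(rule, pkt):
    """One rule's match fields against one packet."""
    if rule["unsupported"]:
        return False
    if rule["prot"] not in ("all", pkt["proto"]) or rule["in"] not in ("*", pkt["in"]) \
            or rule["out"] not in ("*", pkt["out"]):
        return False
    for key in ("src", "dst"):
        if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[key]):
            return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    return rule["states"] is None or pkt["ctstate"] in rule["states"]


def walk(chains, name, pkt, path):
    """Walk one chain: a terminal verdict, or None when the chain is exhausted
    and control returns to the next rule of the calling chain."""
    for rule in chains[name]["rules"]:
        if not matches(rule, pkt):
            continue
        path.append("%s -> %s" % (name, rule["target"]))
        if rule["target"] in TERMINAL:
            return rule["target"]
        if rule["target"] == "RETURN":
            return None
        verdict = walk(chains, rule["target"], pkt, path)
        if verdict is not None:
            return verdict
    return None


def trace(chains, pkt, entry="FORWARD"):
    path = []
    return walk(chains, entry, pkt, path) or chains[entry]["policy"], path


def lan_to_voip(dport, proto="tcp"):
    """Workstation 128.168.1.75 on br-lan to the VoIP device 178.168.1.61 via eth0.3."""
    return {"in": "br-lan", "out": "eth0.3", "proto": proto, "src": "128.168.1.75",
            "dst": "178.168.1.61", "dport": dport, "ctstate": "NEW"}


CHAINS = parse_table(SAMPLE)

if __name__ == "__main__":
    for port in (8084, 8085):
        print(port, *trace(CHAINS, lan_to_voip(port)))
```

Port 8084 ends in `zone_voip_dest_ACCEPT -> ACCEPT`; port 8085 passes through `zone_lan_dest_REJECT` without being rejected there (that chain only matches packets leaving on `br-lan`), falls back out of `zone_lan_forward`, and is finally caught by the `reject` rule at the end of `delegate_forward`. Swap `"in": "br-lan"` for another interface and the trace never enters `zone_lan_forward` at all, which is the point made in the post above.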

ulmwind wrote:

OK, you should correct your rule:

639 73390 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0

Now it works only for br-lan, but I think that is not the case for you.

Could you tell me in detail what to add in /etc/config/firewall to achieve this?

What are the names of the networks for the 128 and 178 subnets? zone2 and lan? Please provide the content of /etc/config/network and the output of

iptables -nvL -t nat
iptables -S

ulmwind wrote:

What are the names of the networks for the 128 and 178 subnets? zone2 and lan? Please provide the content of /etc/config/network and the output of

iptables -nvL -t nat
iptables -S

root@MyNetN750:~# iptables -nvL -t nat

Chain PREROUTING (policy ACCEPT 4067 packets, 260K bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   320 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1883 to:128.168.1.40
 2346  178K REDIRECT   udp  --  br-lan *       0.0.0.0/0            0.0.0.0/0            udp dpt:123 redir ports 123
 412K   29M delegate_prerouting  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 1958 packets, 124K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 540 packets, 50653 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 13109 packets, 734K bytes)
 pkts bytes target     prot opt in     out     source               destination
 344K   19M delegate_postrouting  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MINIUPNPD (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:58050 to:128.168.1.40:58050
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:58051 to:128.168.1.40:58051
52457 3046K DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:52413 to:128.168.1.50:52413
10823  582K DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:52413 to:128.168.1.50:52413

Chain delegate_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
 344K   19M postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for postrouting */
 308K   17M zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0
32944 2154K zone_wan_postrouting  all  --  *      eth0.1  0.0.0.0/0            0.0.0.0/0
    1    84 zone_voip_postrouting  all  --  *      eth0.3  0.0.0.0/0            0.0.0.0/0
    0     0 zone_vpn_postrouting  all  --  *      tun0    0.0.0.0/0            0.0.0.0/0
    0     0 zone_guest_postrouting  all  --  *      br-guest  0.0.0.0/0            0.0.0.0/0
    0     0 zone_tor_postrouting  all  --  *      br-tor  0.0.0.0/0            0.0.0.0/0

Chain delegate_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
 412K   29M prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for prerouting */
93893   12M zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
 318K   17M zone_wan_prerouting  all  --  eth0.1 *       0.0.0.0/0            0.0.0.0/0
    2   656 zone_voip_prerouting  all  --  eth0.3 *       0.0.0.0/0            0.0.0.0/0
    8   416 zone_vpn_prerouting  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_guest_prerouting  all  --  br-guest *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_tor_prerouting  all  --  br-tor *       0.0.0.0/0            0.0.0.0/0

Chain postrouting_guest_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                        

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                        

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                        

Chain postrouting_tor_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                        

Chain postrouting_voip_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                        

Chain postrouting_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                        

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                        

Chain prerouting_guest_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                        

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                        

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                        

Chain prerouting_tor_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                        

Chain prerouting_voip_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                        

Chain prerouting_vpn_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                        

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                        

Chain zone_guest_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                        
    0     0 postrouting_guest_rule  all  --  *      *       0.0.0.0/0                                                                   0.0.0.0/0            /* user chain for postrouting */

Chain zone_guest_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                        
    0     0 MINIUPNPD  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                          
    0     0 prerouting_guest_rule  all  --  *      *       0.0.0.0/0                                                                   0.0.0.0/0            /* user chain for prerouting */

Chain zone_tor_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                        
    0     0 postrouting_tor_rule  all  --  *      *       0.0.0.0/0            0                                                       .0.0.0/0            /* user chain for postrouting */

Chain zone_tor_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                        
    0     0 prerouting_tor_rule  all  --  *      *       0.0.0.0/0            0.                                                       0.0.0/0            /* user chain for prerouting */
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0           !168.168.1.0/                                                       24       tcp dpt:80 /* Transparent Proxy Redirect 168.168.1.0/24 */ redir ports                                                        8118
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0           !168.168.1.1                                                                 /* tor Redirect TCP */ redir ports 9040
    0     0 REDIRECT   udp  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                   udp dpt:53 /* tor Redirect DNS */ redir ports 9053

Chain zone_voip_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                        
    1    84 postrouting_voip_rule  all  --  *      *       0.0.0.0/0                                                                   0.0.0.0/0            /* user chain for postrouting */

Chain zone_voip_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                        
    2   656 prerouting_voip_rule  all  --  *      *       0.0.0.0/0            0                                                       .0.0.0/0            /* user chain for prerouting */

Chain zone_vpn_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                        
    0     0 postrouting_vpn_rule  all  --  *      *       0.0.0.0/0            0                                                       .0.0.0/0            /* user chain for postrouting */
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                         

Chain zone_vpn_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                        
    8   416 prerouting_vpn_rule  all  --  *      *       0.0.0.0/0            0.                                                       0.0.0/0            /* user chain for prerouting */

Chain zone_wan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                        
32944 2154K postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0                                                       .0.0.0/0            /* user chain for postrouting */
32944 2154K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0

                                                         

root@MyNetN750:~# iptables -S

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N MINIUPNPD
-N delegate_forward
-N delegate_input
-N delegate_output
-N forwarding_guest_rule
-N forwarding_lan_rule
-N forwarding_rule
-N forwarding_tor_rule
-N forwarding_voip_rule
-N forwarding_vpn_rule
-N forwarding_wan_rule
-N input_guest_rule
-N input_lan_rule
-N input_rule
-N input_tor_rule
-N input_voip_rule
-N input_vpn_rule
-N input_wan_rule
-N output_guest_rule
-N output_lan_rule
-N output_rule
-N output_tor_rule
-N output_voip_rule
-N output_vpn_rule
-N output_wan_rule
-N reject
-N syn_flood
-N zone_guest_dest_ACCEPT
-N zone_guest_dest_REJECT
-N zone_guest_forward
-N zone_guest_input
-N zone_guest_output
-N zone_guest_src_REJECT
-N zone_lan_dest_ACCEPT
-N zone_lan_dest_REJECT
-N zone_lan_forward
-N zone_lan_input
-N zone_lan_output
-N zone_lan_src_ACCEPT
-N zone_tor_dest_ACCEPT
-N zone_tor_dest_REJECT
-N zone_tor_forward
-N zone_tor_input
-N zone_tor_output
-N zone_tor_src_REJECT
-N zone_voip_dest_ACCEPT
-N zone_voip_dest_REJECT
-N zone_voip_forward
-N zone_voip_input
-N zone_voip_output
-N zone_voip_src_ACCEPT
-N zone_vpn_dest_ACCEPT
-N zone_vpn_forward
-N zone_vpn_input
-N zone_vpn_output
-N zone_vpn_src_ACCEPT
-N zone_wan_dest_ACCEPT
-N zone_wan_dest_REJECT
-N zone_wan_forward
-N zone_wan_input
-N zone_wan_output
-N zone_wan_src_REJECT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j DROP
-A INPUT -j delegate_input
-A FORWARD -j delegate_forward
-A OUTPUT -j delegate_output
-A MINIUPNPD -d 128.168.1.40/32 -p tcp -m tcp --dport 58050 -j ACCEPT
-A MINIUPNPD -d 128.168.1.40/32 -p tcp -m tcp --dport 58051 -j ACCEPT
-A MINIUPNPD -d 128.168.1.50/32 -p udp -m udp --dport 52413 -j ACCEPT
-A MINIUPNPD -d 128.168.1.50/32 -p tcp -m tcp --dport 52413 -j ACCEPT
-A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_forward -i br-lan -j zone_lan_forward
-A delegate_forward -i eth0.1 -j zone_wan_forward
-A delegate_forward -i eth0.3 -j zone_voip_forward
-A delegate_forward -i tun0 -j zone_vpn_forward
-A delegate_forward -i br-guest -j zone_guest_forward
-A delegate_forward -i br-tor -j zone_tor_forward
-A delegate_forward -j reject
-A delegate_input -i lo -j ACCEPT
-A delegate_input -m comment --comment "user chain for input" -j input_rule
-A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A delegate_input -i br-lan -j zone_lan_input
-A delegate_input -i eth0.1 -j zone_wan_input
-A delegate_input -i eth0.3 -j zone_voip_input
-A delegate_input -i tun0 -j zone_vpn_input
-A delegate_input -i br-guest -j zone_guest_input
-A delegate_input -i br-tor -j zone_tor_input
-A delegate_output -o lo -j ACCEPT
-A delegate_output -m comment --comment "user chain for output" -j output_rule
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_output -o br-lan -j zone_lan_output
-A delegate_output -o eth0.1 -j zone_wan_output
-A delegate_output -o eth0.3 -j zone_voip_output
-A delegate_output -o tun0 -j zone_vpn_output
-A delegate_output -o br-guest -j zone_guest_output
-A delegate_output -o br-tor -j zone_tor_output
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A zone_guest_dest_ACCEPT -o br-guest -j ACCEPT
-A zone_guest_dest_REJECT -o br-guest -j reject
-A zone_guest_forward -j MINIUPNPD
-A zone_guest_forward -m comment --comment "user chain for forwarding" -j forwarding_guest_rule
-A zone_guest_forward -m comment --comment "forwarding guest -> wan" -j zone_wan_dest_ACCEPT
-A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_guest_forward -j zone_guest_dest_REJECT
-A zone_guest_input -m comment --comment "user chain for input" -j input_guest_rule
-A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_guest_input -j zone_guest_src_REJECT
-A zone_guest_output -m comment --comment "user chain for output" -j output_guest_rule
-A zone_guest_output -j zone_guest_dest_ACCEPT
-A zone_guest_src_REJECT -i br-guest -j reject
-A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_dest_REJECT -o br-lan -j reject
-A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "forwarding lan -> vpn" -j zone_vpn_dest_ACCEPT
-A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_lan_forward -j zone_lan_dest_REJECT
-A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
-A zone_lan_input -p igmp -m comment --comment "Multicast IGMP" -j ACCEPT
-A zone_lan_input -d 224.0.0.0/4 -p udp -m comment --comment "Multicast UDP" -j ACCEPT
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_lan_input -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
-A zone_lan_output -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
-A zone_tor_dest_ACCEPT -o br-tor -j ACCEPT
-A zone_tor_dest_REJECT -o br-tor -j reject
-A zone_tor_forward -m comment --comment "user chain for forwarding" -j forwarding_tor_rule
-A zone_tor_forward -m comment --comment "forwarding tor -> wan" -j zone_wan_dest_ACCEPT
-A zone_tor_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_tor_forward -j zone_tor_dest_REJECT
-A zone_tor_input -m comment --comment "user chain for input" -j input_tor_rule
-A zone_tor_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_tor_input -j zone_tor_src_REJECT
-A zone_tor_output -m comment --comment "user chain for output" -j output_tor_rule
-A zone_tor_output -j zone_tor_dest_ACCEPT
-A zone_tor_src_REJECT -i br-tor -j reject
-A zone_voip_dest_ACCEPT -o eth0.3 -j ACCEPT
-A zone_voip_dest_REJECT -o eth0.3 -j reject
-A zone_voip_forward -m comment --comment "user chain for forwarding" -j forwarding_voip_rule
-A zone_voip_forward -m comment --comment "forwarding voip -> wan" -j zone_wan_dest_ACCEPT
-A zone_voip_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_voip_forward -j zone_voip_dest_REJECT
-A zone_voip_input -m comment --comment "user chain for input" -j input_voip_rule
-A zone_voip_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_voip_input -j zone_voip_src_ACCEPT
-A zone_voip_output -m comment --comment "user chain for output" -j output_voip_rule
-A zone_voip_output -j zone_voip_dest_ACCEPT
-A zone_voip_src_ACCEPT -i eth0.3 -j ACCEPT
-A zone_vpn_dest_ACCEPT -o tun0 -j ACCEPT
-A zone_vpn_forward -m comment --comment "user chain for forwarding" -j forwarding_vpn_rule
-A zone_vpn_forward -m comment --comment "forwarding vpn -> lan" -j zone_lan_dest_ACCEPT
-A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_vpn_forward -j zone_vpn_dest_ACCEPT
-A zone_vpn_input -m comment --comment "user chain for input" -j input_vpn_rule
-A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_vpn_input -j zone_vpn_src_ACCEPT
-A zone_vpn_output -m comment --comment "user chain for output" -j output_vpn_rule
-A zone_vpn_output -j zone_vpn_dest_ACCEPT
-A zone_vpn_src_ACCEPT -i tun0 -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.1 -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.1 -j reject
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_wan_forward -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j reject
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
-A zone_wan_output -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0.1 -j reject

root@MyNetN750:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdca:d38e:c856::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option force_link '1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '128.168.1.1'
        option gateway '128.168.1.1'
        option ifname 'eth0.2 tun0 wlan0 wlan1'

config interface 'wan'
        option proto 'dhcp'
        option ifname 'eth0.1'

config interface 'wan6'
        option proto 'dhcpv6'
        option ifname 'eth0.1'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'wwan'
        option proto 'dhcp'

config interface 'voip'
        option proto 'static'
        option ifname 'eth0.3'
        option netmask '255.255.255.0'
        option ipaddr '178.168.1.1'
        option gateway '178.168.1.1'

config interface 'vpn'
        option proto 'none'
        option ifname 'tun0'

config interface 'guest'
        option proto 'static'
        option type 'bridge'
        option netmask '255.255.255.0'
        option ipaddr '158.168.1.1'
        option gateway '158.168.1.1'
        option ifname 'eth0.5 wlan0-2'

config interface 'tor'
        option proto 'static'
        option type 'bridge'
        option netmask '255.255.255.0'
        option ipaddr '168.168.1.1'
        option gateway '168.168.1.1'
        option ifname 'eth0.4 wlan0-1 wlan1-1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 5'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1 2 3'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 4'
        option vid '3'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option ports '0t'
        option vid '4'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option ports '0t'
        option vid '5'

(Last edited by dony71 on 24 Oct 2017, 20:59)

OK, it is correct: br-lan has the correct IP, so it should work. However, in the firewall, zone names are specified, but not interfaces from network. Please provide the content of /etc/config/firewall. Could you check one more time? Please:
1) check ping 178.168.1.161 from the command line of the router.
2)

config rule #5
        option name 'Allow-DVG1120S-remote'
        option src 'lan'
        option dest 'voip'
        option dest_ip '178.168.1.61'
        option proto '0'
        option target 'ACCEPT'

Try to ping from a computer on the lan, and see the counters in the output of

iptables -nvL | grep 178.168.1.161

(Last edited by ulmwind on 24 Oct 2017, 22:31)

ulmwind wrote:

OK, it is correct: br-lan has the correct IP, so it should work. However, in the firewall, zone names are specified, but not interfaces from network. Please provide the content of /etc/config/firewall. Could you check one more time? Please:
1) check ping 178.168.1.161 from the command line of the router.
2)

config rule #5
        option name 'Allow-DVG1120S-remote'
        option src 'lan'
        option dest 'voip'
        option dest_ip '178.168.1.61'
        option proto '0'
        option target 'ACCEPT'

Try to ping from a computer on the lan, and see the counters in the output of

iptables -nvL | grep 178.168.1.161

It's still not working

root@MyNetN750:/etc/config# cat firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'

config zone
        option name 'voip'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'voip'

config zone
        option name 'vpn'
        option masq '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'vpn'

config zone
        option name 'guest'
        option network 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'

config zone
        option name 'tor'
        option network 'tor'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'
        option conntrack '1'

config forwarding
        option dest 'vpn'
        option src 'lan'

config forwarding
        option dest 'lan'
        option src 'vpn'

config forwarding
        option dest 'wan'
        option src 'guest'

config forwarding
        option dest 'wan'
        option src 'lan'

config forwarding
        option dest 'wan'
        option src 'voip'

config forwarding
        option dest 'wan'
        option src 'tor'

config include
        option path '/etc/firewall.user'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'REJECT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Block miniDLNA status port 8200'
        option src 'wan'
        option dest_port '8200'
        option target 'REJECT'

config rule
        option name 'Multicast IGMP'
        option src 'lan'
        option proto 'igmp'
        option target 'ACCEPT'

config rule
        option name 'Multicast UDP'
        option src 'lan'
        option proto 'udp'
        option dest_ip '224.0.0.0/4'
        option target 'ACCEPT'

config rule
        option name 'No track NetBIOS Service'
        option src 'lan'
        option src_port '137-139'
        option dest 'lan'
        option target 'NOTRACK'

config rule
        option name 'No track NetBIOS Service'
        option src 'lan'
        option dest 'lan'
        option dest_port '137-139'
        option target 'NOTRACK'

config rule
        option name 'No track Windows Filesharing'
        option src 'lan'
        option src_port '445'
        option dest 'lan'
        option target 'NOTRACK'

config rule
        option name 'lan Allow DNS DHCP NTP'
        option src 'lan'
        option proto 'udp'
        option dest_port '53 67 123'
        option target 'ACCEPT'

config rule
        option name 'tor Allow DNS DHCP'
        option src 'tor'
        option proto 'udp'
        option dest_port '53 67'
        option target 'ACCEPT'

config rule
        option name 'guest Allow DNS DHCP'
        option src 'guest'
        option proto 'udp'
        option dest_port '53 67 68'
        option target 'ACCEPT'

config rule
        option name 'tor Allow Tor Transparent'
        option src 'tor'
        option proto 'tcp'
        option dest_port '9040'
        option target 'ACCEPT'

config rule
        option name ' tor Allow SOCKS'
        option src 'tor'
        option proto 'tcp'
        option dest_port '9050'
        option target 'ACCEPT'

config rule
        option name 'Allow-DVG1120S-remote'
        option src 'lan'
        option dest 'voip'
        option dest_ip '178.168.1.61'
        option proto '0'
        option target 'ACCEPT'
        option enabled '1'

config redirect
        option name 'tor Redirect TCP'
        option proto 'tcp'
        option target 'DNAT'
        option src 'tor'
        option src_dip '!168.168.1.1'
        option dest_port '9040'
        option enabled '1'

config redirect
        option name 'tor Redirect DNS'
        option proto 'udp'
        option target 'DNAT'
        option src 'tor'
        option src_dport '53'
        option dest_port '9053'
        option enabled '1'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

root@MyNetN750:/etc/config# ping 178.168.1.61

PING 178.168.1.61 (178.168.1.61): 56 data bytes
64 bytes from 178.168.1.61: seq=0 ttl=30 time=1.571 ms
64 bytes from 178.168.1.61: seq=1 ttl=30 time=0.757 ms
64 bytes from 178.168.1.61: seq=2 ttl=30 time=0.756 ms
64 bytes from 178.168.1.61: seq=3 ttl=30 time=0.769 ms
64 bytes from 178.168.1.61: seq=4 ttl=30 time=0.738 ms

root@MyNetN750:/etc/config# iptables -nvL | grep 178.168.1.61

    0     0 zone_voip_dest_ACCEPT  all  --  *      *       0.0.0.0/0            178.168.1.61         /* Allow-DVG1120S-remote */

Try to ping FROM the lan network! Not from the router itself!

See the instruction above: from a computer on the lan.

ulmwind wrote:

Try to ping FROM the lan network! Not from the router itself!

See the instruction above: from a computer on the lan.

Tried ping from 2 different workstations on the LAN network

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\>ping 178.168.1.61

Pinging 178.168.1.61 with 32 bytes of data:
Reply from 178.168.1.61: bytes=32 time=205ms TTL=44
Reply from 178.168.1.61: bytes=32 time=204ms TTL=44
Reply from 178.168.1.61: bytes=32 time=204ms TTL=44

Ping statistics for 178.168.1.61:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum =

root@RetrOrangePi:~# ping 178.168.1.61

PING 178.168.1.61 (178.168.1.61) 56(84) bytes of data.
64 bytes from 178.168.1.61: icmp_seq=1 ttl=29 time=1.13 ms
64 bytes from 178.168.1.61: icmp_seq=2 ttl=29 time=0.876 ms
64 bytes from 178.168.1.61: icmp_seq=3 ttl=29 time=0.776 ms
64 bytes from 178.168.1.61: icmp_seq=4 ttl=29 time=0.878 ms
64 bytes from 178.168.1.61: icmp_seq=5 ttl=29 time=0.805 ms
64 bytes from 178.168.1.61: icmp_seq=6 ttl=29 time=0.974 ms

also the iptables counters from the router while pinging from a computer on the LAN network

root@MyNetN750:~# iptables -nvL | grep 178.168.1.61

3   252 zone_voip_dest_ACCEPT  all  --  *      *       0.0.0.0/0            178.168.1.61         /* Allow-DVG1120S-remote */

(Last edited by dony71 on 27 Oct 2017, 20:18)

It shows that it works. If you can't use the voip server, see the firewall settings of the voip server.

ulmwind wrote:

It shows that it works. If you can't use the voip server, see the firewall settings of the voip server.

I think you misunderstood what I'm trying to achieve.
The VOIP server is always working, because it's using iptables kmod NAT to/from WAN.
But there is a management web interface which is hosted at port 8084 on 178.168.1.61,
and now I cannot access that web interface from the LAN network 128.168.1.0/24.
No response using a web browser at http://178.168.1.61:8084.
Basically it's the same problem as trying to access the LuCI web interface hosted at http://128.168.1.1 from the VOIP network 178.168.1.0/24.

(Last edited by dony71 on 28 Oct 2017, 03:22)

No, I've understood you correctly. Access to the management interface in your case is restricted BY THE VOIP SERVER ITSELF. You can configure a separate web server, put it into this network, configure port 8084 and verify it yourself.

ulmwind wrote:

No, I've understood you correctly. Access to the management interface in your case is restricted BY THE VOIP SERVER ITSELF. You can configure a separate web server, put it into this network, configure port 8084 and verify it yourself.

How about accessing LuCI from the voip network?
I tried the firewall rule below, but still cannot access it.

config rule #5
        option name 'Allow-Luci-remote'
        option src 'voip'
        option dest 'lan'
        option dest_ip '128.168.1.1'
        option proto '0'
        option target 'ACCEPT'
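Added example, not code from the thread or from the OpenWrt project: it automates the check ulmwind proposes earlier (read the rule's packet counters out of `iptables -nvL`) and makes visible why the two rules in this thread behave differently. In fw3 a `config rule` that has `option dest` is compiled into `zone_<src>_forward` (the page's `Allow-DVG1120S-remote` shows up as a jump to `zone_voip_dest_ACCEPT`), while a rule without `dest` lands in `zone_<src>_input` (the page's `Multicast IGMP` rule sits in `zone_lan_input`). Connections to one of the router's own addresses, such as LuCI on 128.168.1.1, are INPUT traffic, so a forward rule can never count them. The `iptables -nvL` text, the rule names and the counters below are constructed in the format seen in this thread, not captured from dony71's router; the helper that prints a UCI stanza with `proto 'tcp'` and a single `dest_port` is the editor's suggestion for the "only port N between zones" question, not something posted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): inspect per-rule packet counters in
# `iptables -nvL` output and report which chain a named rule was placed in.
# On a router: iptables -nvL > /tmp/nvl; then call the functions on its text.

# Constructed sample in fw3's `iptables -nvL` layout. Rule names, chains and
# counters are illustrative, NOT captured from a device.
SAMPLE_NVL='Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    3   252 zone_voip_dest_ACCEPT  all  --  *      *       0.0.0.0/0            178.168.1.61         /* Allow-DVG1120S-remote */
    0     0 zone_lan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  120  9600 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 53,67,123 /* lan Allow DNS DHCP NTP */
Chain zone_voip_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            128.168.1.1          /* Allow-Luci-remote */
Chain zone_voip_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
   17  1020 zone_voip_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Print "<chain> <pkts>" for the rule whose iptables comment equals $2.
# $1 is the `iptables -nvL` text as a string, so the functions are testable
# without a router. Exit status 1 when no rule carries that comment.
rule_lookup() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^Chain / { chain = $2; next }
        index($0, "/* " name " */") { print chain, $1; found = 1; exit }
        END { if (!found) exit 1 }'
}

rule_chain() { rule_lookup "$1" "$2" | cut -d" " -f1; }
rule_pkts()  { rule_lookup "$1" "$2" | cut -d" " -f2; }

# Classify by chain suffix: a rule with "option dest" lives in
# zone_<src>_forward; one without lives in zone_<src>_input. Traffic to the
# router's own addresses (LuCI on 128.168.1.1) is INPUT, so a forward rule
# never counts it, whatever its dest_ip says.
rule_scope() {
    case "$(rule_chain "$1" "$2")" in
        *_forward) echo forward ;;
        *_input)   echo input ;;
        *)         echo unknown ;;
    esac
}

# Emit a UCI stanza that allows exactly one TCP port from one zone to one
# host in another zone. This is an "allow" rule (Traffic Rules in LuCI),
# not a redirect/DNAT, which is the distinction made earlier in the thread.
uci_allow_rule() {
    # $1 name, $2 src zone, $3 dest zone, $4 dest host, $5 dest TCP port
    printf "config rule\n"
    printf "\toption name '%s'\n" "$1"
    printf "\toption src '%s'\n" "$2"
    printf "\toption dest '%s'\n" "$3"
    printf "\toption dest_ip '%s'\n" "$4"
    printf "\toption dest_port '%s'\n" "$5"
    printf "\toption proto 'tcp'\n"
    printf "\toption target 'ACCEPT'\n"
}

# Human-readable summary of one rule against the sample text.
rule_report() {
    name=$1
    pk=$(rule_pkts "$SAMPLE_NVL" "$name") || { echo "$name: no such rule"; return; }
    echo "$name: $(rule_scope "$SAMPLE_NVL" "$name") chain, $pk packets matched"
}

rule_report Allow-DVG1120S-remote
rule_report Allow-Luci-remote
rule_report "lan Allow DNS DHCP NTP"
# Stanza for the management web interface case from this thread (port 8084
# on the VoIP host, reached from lan only on that port):
uci_allow_rule Allow-DVG1120S-web lan voip 178.168.1.61 8084
```

Reading the report for a rule that shows zero packets in a `*_forward` chain while the target is the router itself points at the chain placement rather than at the rule's addresses; for a rule that does count packets (as `Allow-DVG1120S-remote` did on the page), the firewall is passing the traffic and the next place to look is the service on the far host.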

The discussion might have continued from here.