FS#382 - Simple static routes not working when firewall+masquerading is active #5422
Comments
|
ezplanet: Unfortunately the character based diagram is not rendered properly above. I rewrite the top section here horizontally: Router B ---> [Dynamic IP] Internet ADSL B Router C ---> [Public Subnet P] Internet ADSL A |
|
jow-: Please provide the network and firewall config of router B. |
|
arjendekorte: Assuming Host X receives an address through DHCP, rather than attempting to fix this have you considered adding DHCP option 121 to add the static routing in the clients instead? This would bypass Router B entirely when the traffic should go through Router A in the first place (https://tools.ietf.org/html/rfc3442). |
|
ezplanet: Yes I have considered setting the routes statically on every host, however this defeats the purpose of a "router" which should take care of routing on behalf of the network's hosts. The primary purpose of a router is to "route" packets according to rules configured into the router. This issue practically turns off routing capabilities in LEDE. |
|
ezplanet: Jo-Phillip, please provide a secure eMail where to post the configuration files. |
|
jow-: LEDE has a stricter firewall rule layout compared to OpenWrt CC which will likely drop unrelated return traffic by default. Unrelated return traffic might occur after ICMP redirects. If this is the case you should add firewall accept rules for both directions and not rely on established/related processing to catch return packets. You can find secure contact details at http://mein.io |
|
ezplanet: Jo, I sent you the original configuration files by eMail, please let me know should you not receive them. I tried too to add firewall accept rules for both directions. It does not work and in fact it can't work unless I open every port because responses can use unpredictable ports. |
|
jow-: Huh? |
|
ezplanet: Jo, You will see that I had to add SNAT rules in the firewall to make routing work. This is NOT a correct configuration because in this way hosts reached by packets no longer can run ACL rules based on the client IP as the source IP becomes the same for every packet. I am considering seriously to go back to OpenWRT as this issue affects seriously the purpose of the router. If it weren't because I have just moved to a BT Home Hub 5 which is not properly supported in OpenWRT, I would have already done it. |
|
jow-: The fact that SANT rules make things work only underlines my assumption that you're dealing with assymetrical routing and ICMP redirects here. |
|
ezplanet: I tried the configuration posted above, unfortunately it does not work in my case.
config rule
option target 'ACCEPT'
option proto 'all'
option name 'my-dmz-subnet'
option src '*'
option src_ip 'A.B.C.D/28'
option dest '*'
So far it worked only with SNAT. |
|
ezplanet: I restored OpenWrt on my Netgear router. Sad because LEDE is quite good, but I cannot do without proper routing and the firewall workarounds are a nightmare with network routing complexity beyond a simple home/office single router configuration. I am now considering the same on BtHomeHub5. Please let me know when the issue is fixed. |
|
jow-: Thank you for the configuration files. I tracked down the problem to the fact that forwarded local subnet traffic carries conntrack state INVALID, which causes it to get rejected since the zone_*_dest_ACCEPT chains only consider NEW and UNTRACKED traffic. I applied updates to the firewall source (https://git.lede-project.org/37cb4cb) and package (https://git.lede-project.org/920170a) which will address the local subnet forwarding problem. Updated firewall binary packages should be available within the next 24 hours. |
|
dtaht: cool. I think I was seeing something like this. will fiddle. |
|
ezplanet: I just built LEDE r2960 for BtHomeHub5. The release includes your patch. Many thanks Jo. Thank you for this fast fix! |
ezplanet:
Supply the following if possible:
When I switched from OpenWrt to LEDE static routes configured on my network stopped working.
My configuration is as follows (please use fixed characters size to read the diagram below):
Internet ADSL Router C
[Dynamic IP] [Public Subnet P]
| |
| Address on Subnet P
Router B Router A -------------- VPN to 192.168.2.0
192.168.1.5 192.168.1.1
| |
| |
--------------------------- [Private LAN 192.168.1.0]
|
Host X
Default Router 192.168.1.5
Router A is configured to Masquerade traffic from 192.168.1.0 through its port on Subnet P
Router C is the default router for Public Subnet P
Router B is configured with a static route to Public Subnet P through 192.168.1.1
I want traffic from Hosts with 192.168.1.5 default route to Public Subnet P to go via 192.168.1.1 (instead of through the internet)
I want traffic from Hosts with 192.168.1.5 default route to VPN 192.168.2.0 to go via 192.168.1.1
On Router B I configure a static route directing traffic for Public Subnet P through 192.168.1.1
On Router B I configure a static route directing traffic for VPN 192.168.2.0 through 192.168.1.1
Behaviour from Host X:
Using OpenWRT (any version including latest trunk):
I can ping any host on Public Subnet P or VPN 192.168.2.0
I can http/https, use any protocol to any host on Public Subnet P or VPN 192.168.2.0
Using LEDE up to build r2713 (the latest i tried)
I can ping any host on Public Subnet or VPN 192.168.2.0
Any attempt to connect using any other internet protocol to any host in Public Subnet P or VPN 192.168.2.0 fails.
However if I disable the firewall altogether in Router B my connections succeed.
It looks as if in LEDE response packets are somehow blocked by the firewall
before they reach Host X (I can see connections coming on the hosts in Public Subnet P, and responses returning, but not reaching Host X).
I tried to add s specific directive to the Router B firewall to let through packets from Public Subnet P, but it is not working.
The only workaround I found working is to create a SNAT rule on Router B to Rewrite the source IP to 192.168.1.5 with destination Public Subnet P. This however should be un-necessary if the routing worked properly.
This simple static routing configuration should work seamlessly as it does in OpenWRT and any Linux flavour.
The text was updated successfully, but these errors were encountered: