
Temat: OpenWrt VLAN i firewall

Post generalnie nawiązuje do tego tematu http://eko.one.pl/forum/viewtopic.php?id=8727
Zmieniła się adresacja sieci ale koncepcja ta sama.
Moja obecna konfiguracja:

network

# Loopback interface (standard OpenWrt entry).
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

# lan: bridge over VLAN 1 (eth0.1 = switch ports 3 4 5 below), 10.1.1.0/24.
# The NAS that the firewall exposes to WAN (10.1.1.60) lives here.
config interface 'lan'
    option ifname 'eth0.1'
    option type 'bridge'
    option proto 'static'
    option ipaddr '10.1.1.1'
    option netmask '255.255.255.0'

# lan2: bridge over VLAN 3 (eth0.3 = switch port 2 below), 10.1.2.0/24.
config interface 'lan2'
    option ifname 'eth0.3'
    option type 'bridge'
    option proto 'static'
    option ipaddr '10.1.2.1'
    option netmask '255.255.255.0'

# guest: 10.1.3.0/24. No ifname is set, so nothing in this file attaches to it;
# presumably a wireless interface joins it from /etc/config/wireless -- confirm.
config interface 'guest'
    option proto 'static'
    option ipaddr '10.1.3.1'
    option netmask '255.255.255.0'

# wan: VLAN 2 (eth0.2 = switch port 1 below), address from the ISP via DHCP.
# peerdns '0' ignores the resolvers the ISP hands out; the two addresses in
# 'dns' (OpenDNS) are used instead. macaddr overrides the hardware address
# presented to the ISP (reason not stated in the post).
config interface 'wan'
    option ifname 'eth0.2'
    option proto 'dhcp'
    option peerdns '0'
    option dns '208.67.222.222 208.67.220.220'
    option macaddr '1c:6f:65:a4:07:1e'

# Switch eth0: reset to defaults and enable 802.1Q VLAN tagging.
config switch
    option name 'eth0'
    option reset '1'
    option enable_vlan '1'

# VLAN 1 -> eth0.1 (lan): ports 3, 4, 5 untagged. '0t' = port 0 tagged,
# presumably the CPU port, since every VLAN below carries its tag to port 0.
config switch_vlan
    option device 'eth0'
    option vlan '1'
    option ports '0t 3 4 5'

# VLAN 2 -> eth0.2 (wan): port 1 only.
config switch_vlan
    option device 'eth0'
    option vlan '2'
    option ports '0t 1'

# VLAN 3 -> eth0.3 (lan2): port 2 only.
config switch_vlan
    option device 'eth0'
    option vlan '3'
    option ports '0t 2'

dhcp

# dnsmasq: DNS forwarder and DHCP server for all internal networks.
# domainneeded / boguspriv: never forward bare hostnames or reverse lookups of
# private ranges upstream.
# rebind_protection / rebind_localhost: discard upstream answers that point at
# private or loopback addresses (DNS-rebinding defence).
# noresolv '1' plus the 'server' list: /etc/resolv.conf is ignored and upstream
# queries go only to 127.0.0.1#2053 -- presumably a local resolver/forwarder
# listening on port 2053; confirm it is running, otherwise no external name
# resolves. pool.ntp.org is sent straight to 208.67.222.222.
# domain 'mojadomena.pl' with expandhosts '1': static hosts below are also
# answered as <name>.mojadomena.pl internally. This is the same name used
# publicly, so the inside and outside views of that domain differ.
config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'mojadomena.pl'
    option expandhosts '1'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option noresolv '1'
    option logqueries '0'
    list server '127.0.0.1#2053'
    list server '/pool.ntp.org/208.67.222.222'

# DHCP pools. start/limit give 10.1.1.150-10.1.1.200 for lan and
# 10.1.2.150-10.1.2.200 for lan2, 12h leases.
config dhcp 'lan'
    option interface 'lan'
    option start '150'
    option limit '51'
    option leasetime '12h'

config dhcp 'lan2'
        option interface 'lan2'
        option start '150'
        option limit '51'
        option leasetime '12h'

# Guest pool 10.1.3.10-10.1.3.20 with short 1h leases.
config dhcp 'guest'
    option interface 'guest'
    option start '10'
    option limit '11'
    option leasetime '1h'

# No DHCP service towards the ISP side.
config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

# Static leases (MAC -> fixed address). The '...' lines are elisions made when
# the file was pasted into the post; they are not valid UCI syntax.
# LAN
...

config host
        option name 'NAS'
        option mac '00:11:32:0f:a1:26'
        option ip '10.1.1.60'
...

# LAN2

...
config host
        option name 'NAS2'
        option mac '00:11:32:13:d9:d5'
        option ip '10.1.2.60'

config host
        option name 'Linbox'
        option mac '00:09:34:3b:25:ef'
        option ip '10.1.2.101'
...

firewall

# Defaults: the router itself accepts traffic from any zone that does not
# override 'input'; forwarding between zones is REJECTed unless a forwarding
# section or rule below allows it. syn_flood enables SYN rate limiting.
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

# lan: trusted network, full access to the router.
# (This zone uses 'list network' while lan2/guest use 'option network'; fw3
# accepts both, but one form throughout would be more consistent.)
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

# lan2: traffic from lan2 to the router itself is REJECTed (TCP reset / ICMP
# unreachable) except for the DNS and DHCP rules further down. This includes
# connections from lan2 to the router's own WAN address -- see the note at the
# redirects below.
config zone
    option name 'lan2'
    option network 'lan2'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

# guest: same isolation as lan2.
config zone
    option name 'guest'
    option network 'guest'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

# wan: masquerade outgoing traffic and clamp MSS. 'wan6' is referenced here but
# no wan6 interface appears in the network config shown above; harmless if the
# interface does not exist, but worth confirming.
config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

# Each internal zone may reach the Internet; nothing else is forwarded unless
# a rule below allows it.
config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'lan2'
    option dest 'wan'

config forwarding
    option src 'guest'
    option dest 'wan'

# Standard OpenWrt default rules: DHCP renewals and ping from WAN, DHCPv6 and
# the ICMPv6 types IPv6 needs. Note that Allow-Ping only matches src 'wan', so
# a ping from lan2 to the router is still rejected by the lan2 zone policy.
config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fe80::/10'
    option src_port '547'
    option dest_ip 'fe80::/10'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

# Rules without 'dest' apply to traffic addressed to the router itself: lan2
# and guest clients may use the router's DNS (tcp/udp 53) and DHCP (udp 67-68)
# despite the zones' REJECT input policy.
config rule
    option name 'LAN2 DNS'
    option src 'lan2'
    option dest_port '53'
    option proto 'tcpudp'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'LAN2 DHCP'
    option src 'lan2'
    option src_port '67-68'
    option dest_port '67-68'
    option proto 'udp'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Guest DNS'
    option src 'guest'
    option dest_port '53'
    option proto 'tcpudp'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Guest DHCP'
    option src 'guest'
    option src_port '67-68'
    option dest_port '67-68'
    option proto 'udp'
    option target 'ACCEPT'
    option family 'ipv4'

# /etc/firewall.user is loaded on top of these sections. Its contents are not
# shown in the post, so anything it adds is outside this review.
config include
    option path '/etc/firewall.user'

# Host-to-host exception to the lan2 -> lan isolation: NAS2 may open any
# tcp/udp port on NAS (10.1.1.60). If only a few services are needed, adding a
# dest_port list would narrow it.
config rule
        option name 'NAS2->NAS'
        option src 'lan2'
        option src_ip '10.1.2.60'
        option proto 'tcpudp'
        option dest 'lan'
        option dest_ip '10.1.1.60'
        option target 'ACCEPT'
        option family 'ipv4'

# Reverse exception: NAS may open any tcp/udp port on any host in lan2. This is
# broader than the rule above; restrict dest_ip / dest_port if possible.
config rule
        option name 'NAS->LAN2'
        option src 'lan'
        option src_ip '10.1.1.60'
        option proto 'tcpudp'
        option dest 'lan2'
        option target 'ACCEPT'
        option family 'ipv4'

# Port forwards from WAN to the NAS: tcp 80, 443 and 25. These expose the NAS
# web UI and mail service directly to the Internet; keep the NAS patched and
# make sure SMTP is not an open relay.
# NOTE(review): fw3 generates NAT-reflection (hairpin) rules for a redirect
# only in its 'dest' zone (lan) unless 'reflection_zone' says otherwise. A
# client in lan2 that connects to the public address therefore gets no DNAT
# and reaches the router's own INPUT chain, where the lan2 zone policy REJECTs
# it -- consistent with the "Connection refused" seen from lan2 while lan and
# external clients succeed. Likely fix: add `list reflection_zone 'lan2'` to
# each redirect (confirm the option is available on this build) together with
# a rule allowing the reflected forward, e.g. src lan2 -> dest lan,
# dest_ip 10.1.1.60, dest_port 80 (lan2 -> lan is otherwise REJECT). A
# split-horizon dnsmasq entry mapping mojadomena.pl to 10.1.1.60 internally is
# an alternative, but still needs that forward rule.
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '80'
        option dest_port '80'
        option dest_ip '10.1.1.60'
        option name 'Syno HTTP'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '443'
        option dest_ip '10.1.1.60'
        option dest_port '443'
        option name 'Syno HTTPs'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '25'
        option dest_ip '10.1.1.60'
        option dest_port '25'
        option name 'Syno SMTP'

Sieci są odseparowane, pozwoliłem na ruch pomiędzy NAS-ami w LAN i LAN2.
W LAN stoi NAS z przekierowanymi portami 25, 80, 443.

Teraz zauważyłem problem i nie wiem jak sobie poradzić.

W LAN2 mam np. tuner SAT, który ściąga paczki z repo opkg znajdującego się na NAS-ie:

ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=46 time=39.5 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=39.9 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=46 time=39.3 ms

/tmp > ping mojadomena.pl
PING mojadomena.pl (xx.xx.xx.244): 56 data bytes

--- mojadomena.pl ping statistics ---
14 packets transmitted, 0 packets received, 100% packet loss


/tmp > wget  http://mojadomena.pl/e2/mipsel/Packages.gz
Connecting to mojadomena.pl[xx.xx.xx.244]:80
wget: Unable to connect to remote host (xx.xx.xx.244): Connection refused
APU2 @ OpenWrt 18.06-SNAPSHOT, r7852-7ac6044632


Odp: OpenWrt VLAN i firewall

Druga strona odrzuciła połączenie po prostu.

Masz niepotrzebny router, uszkodzony czy nie - chętnie przygarnę go.


Odp: OpenWrt VLAN i firewall

Z każdej innej lokalizacji nie ma problemu.
Dla testów wyłączyłem firewall na NAS-ie:

NAS> iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Cały czas z LAN2 nie mogę dostać się na NAS-a przez domenę.

Tu test z LAN:

root@vusolo2:/var/volatile/tmp# wget  http://mojadomena.pl/e2/mipsel/Packages.gz
Connecting to mojadomena.pl (xx.xx.xx.244:80)
root@vusolo2:/var/volatile/tmp# ls
Packages.gz     camd.socket     hotplug.socket  smb.log

A tu test z pracy:

[/tmp] # wget  http://mojadomena.pl/e2/mipsel/Packages.gz
--2014-06-26 10:11:35--  http://mojadomena.pl/e2/mipsel/Packages.gz
Resolving mojadomena.pl... xx.xx.xx.244
Connecting to mojadomena.pl|xx.xx.xx.244|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 254 [application/x-gzip]
Saving to: `Packages.gz'

100%[============================================================================================================>] 254         --.-K/s   in 0s

2014-06-26 10:11:35 (6.94 MB/s) - `Packages.gz' saved [254/254]
APU2 @ OpenWrt 18.06-SNAPSHOT, r7852-7ac6044632


Odp: OpenWrt VLAN i firewall

Więc może przez ten VPN nie wypuszcza cię w świat lub jest wyfiltrowany ruch. Zrób tak samo dla

wget -O - eko.one.pl/host.php

i zobacz co będzie z tej i tej lokalizacji.

Masz niepotrzebny router, uszkodzony czy nie - chętnie przygarnę go.

5 (edytowany przez Graffy 2014-06-26 11:34:39)

Odp: OpenWrt VLAN i firewall

Z wyjściem na zewnątrz z LAN2 nie ma problemu.

/tmp > wget -O - http://eko.one.pl/host.php
<html>
<style type="text/css">
 body {
  font-family: "Lucida Grande", Verdana, Helvetica, Arial, sans-serif;
  font-size: 90%;
 }
</style>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>eko.one.pl - sprawdzenie portu</title>
</head>
<body>
Twój adres IP: xx.xxx.xx.244 (host-xx.xx.xx.244.xx.pl)</body>
</html>
/tmp >

Z LAN jest to samo:

root@vusolo2:/var/volatile/tmp# wget -O - eko.one.pl/host.php
Connecting to eko.one.pl (176.119.32.213:80)
<html>
<style type="text/css">
 body {
  font-family: "Lucida Grande", Verdana, Helvetica, Arial, sans-serif;
  font-size: 90%;
 }
</style>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>eko.one.pl - sprawdzenie portu</title>
</head>
<body>
Twój adres IP: <strong>xx.xx.xx.244</strong> (host-xx.xx.xx.244.xxx.pl)</body>
</html>



Żeby wykluczyć problem z firewall-em NAS-a zrobiłem test na innym hoście.
Przekierowałem SSH z tunera SAT znajdującego się w LAN na WAN:

# Test forward used to rule out the NAS firewall: WAN tcp/34567 -> tuner at
# 10.1.1.100:22. It exposes an SSH login to the Internet, so keep it only for
# the duration of the test (or restrict it with src_ip) and rely on key-based
# authentication on the tuner.
# The same NAT-reflection limitation as for the NAS redirects applies: the
# 'dest' zone is lan, so a lan2 client connecting to the public address is
# handled by the lan2 zone's input policy (REJECT), which matches the
# "Connection refused" seen from NAS2 below.
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '34567'
        option dest_ip '10.1.1.100'
        option dest_port '22'
        option name 'solo2 ssh'

No i z innej lokalizacji ani z LAN po domenie nie ma problemu z połączeniem.
Teraz zalogowałem się do NAS2, który znajduje się w LAN2, no i po domenie:

DiskStation> ssh root@mojadomena.pl -p 34567
ssh: connect to host mojadomena.pl port 34567: Connection refused

Także problem jest raczej w mojej konfiguracji OpenWrt.

APU2 @ OpenWrt 18.06-SNAPSHOT, r7852-7ac6044632