Hello,

When I switched from OpenWrt to LEDE, static routes configured on my network stopped working.

My configuration is as follows:


                          Internet ADSL
                                |
                                |
Internet ADSL                Router C
[Dynamic IP]              [Public Subnet P]
      |                         |
      |                 Address on Subnet P
  Router B                   Router A -------------- VPN to 192.168.2.0
 192.168.1.5               192.168.1.1
      |                         |
      |                         |
      --------------------------- [Private LAN 192.168.1.0]
        |
     Host X
    Default Router 192.168.1.5


Router A is configured to masquerade traffic from 192.168.1.0 through its port on Subnet P.
Router C is the default router for Public Subnet P.
Router B is configured with a static route to Public Subnet P through 192.168.1.1.

I want traffic from hosts with 192.168.1.5 default route to Public Subnet P to go via 192.168.1.1 (instead of through the internet).
I want traffic from hosts with 192.168.1.5 default route to VPN 192.168.2.0 to go via 192.168.1.1.

On Router B I configure a static route directing traffic for Public Subnet P through 192.168.1.1.
On Router B I configure a static route directing traffic for VPN 192.168.2.0 through 192.168.1.1.

Behaviour from Host X:

- Using OpenWrt (any version including latest trunk):
  I can ping any host on Public Subnet P or VPN 192.168.2.0.
  I can http/https, use any protocol to any host on Public Subnet P or VPN 192.168.2.0.

- Using LEDE up to build r2713 (the latest I tried):
  I can ping any host on Public Subnet P or VPN 192.168.2.0.
  Any attempt to connect using any other internet protocol to any host in Public Subnet P or VPN 192.168.2.0 fails.

However, if I disable masquerading or the firewall altogether in Router B, my connections succeed.

It looks as if response packets are somehow blocked by the firewall before they reach Host X (I can see connections coming on the hosts in Public Subnet P, and responses returning, but not reaching Host X).

I tried to add a specific directive to the Router B firewall to let through packets from Public Subnet P, but it is not working. The only workaround I found working is to create a SNAT rule on Router B to rewrite the source IP to 192.168.1.5 with destination Public Subnet P. This, however, should be unnecessary if the routing worked properly.

When I use OpenWrt and I ping hosts on Subnet P from Host X, I get an initial notification that the router is 192.168.1.1.
With LEDE installed I do not get such a notification.


Are you aware of what was changed in LEDE that makes static routes no longer work properly?

Thank you in advance.

_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev