Matching ping in bridged lan?

okoolo · January 27, 2023, 10:52pm

I have a wired interface bridged to the wireless interface (br-lan)in a bridged AP setup (https://openwrt.org/docs/guide-user/network/wifi/bridgedap. Its connected via ethernet cable to isp gateway ethernet port. Both gateway and wrt router have different ssid. wrt router has dhcp off.

I'd like to have a ping matching rule but so far I only managed to get routing working through bridge filtering which doesn't support icmp (rules defined in ip/inet don't seem to affect br-lan att all)

So this doesn't work: (prerouting/input/output/forward doesn't either)

nft add rule bridge table_bridge chain_postrouting icmp type \{ echo-request \} goto chain_accept_ping

Rules in inet or ip tables don't have any effect at all

any ideas?

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd29:f09c:2a8d::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.2'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'

config device
        option name 'eth0.2'
        option macaddr '98:da:c4:98:88:58'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

psherman · January 27, 2023, 11:09pm

Genereally speaking, you cannot use the firewall when you are using a bridge (L2), since the firewall only normally works with L3 (routed) connections.

You might look at the bridge firewall which is supposed to allow you to setup the firewall on a bridge. I have never personally tried it and I don't know if it has any specific limitations or quirks.

okoolo · January 27, 2023, 11:22pm

After a lot of reading I came to conslusion that I might be better off trying to get regular firewall going.

I have a isp gateway and and a rwrt router connected via ethernet cable. my only requirements are different ssid on each and a functional firewall on the wrt eouter. I saw someone mention symmetric routing -is there a guide I can read and see what is that about?

psherman · January 27, 2023, 11:31pm

I'm not sure if there is a guide or not, but for symmetric routing to work, your main (ISP) router needs to have the ability to add static routes -- does your device have that capability exposed?

okoolo · January 28, 2023, 12:09am

Sadly I just checked and looks like a no . Its arris TG3452A if anyone cares. I wonder if I plugged gateway ethernet cable from it lan to the router wan port.

psherman · January 28, 2023, 12:12am

Without symmetric routing, you can still do standard NAT masquerading based routing. The default state for most standard routers on OpenWrt will have the wan port set for DHCP and associated with the wan firewall zone with masquerading turned on.

The only thing you need to do is ensure that you don't have a subnet overlap between the upstream router and the OpenWrt one. Specifically, OpenWrt has a default address of 192.168.1.1 -- if your upstream router uses the same 192.168.1.0/24 network (and in your case, based on the previous config you shared, it appears to be the case), you need to change one or the other. You can easily do this -- for example, 192.168.2.1 will work perfectly in this case.

okoolo · January 28, 2023, 12:23am

So I'd plug router wan port into the gateway lan port and change router's subnet to say 192.168.2.1. Do I use masquerading in the zones lan --> wan section?

edit: just thought about it for a second and I definetly need that masquerading . After all no private ips on the internet

psherman · January 28, 2023, 12:25am

Yup.

Yes. Do this before you connect the OpenWrt router to the ISP gateay.

Exactly... but the masquerading belongs on the wan zone.

If you start with your router reset to defaults, it likely is setup exactly as you need aside from the lan subnet.

okoolo · January 28, 2023, 12:41am

Looks like I get the ip from the gateway not the router too (I got 192.168.1.11)
I guess the only hassle will be accessing ssh on the router to set up some routing

I actually wonder if it would be possible to force router to give me the ip rather than the gateway

psherman · January 28, 2023, 12:59am

The upstream router is using the 192.168.1.0/24 network, which means the wan of your OpenWrt router will get an address in that network (192.168.1.11). You must change your OpenWrt lan to some other non-overlapping RFC1918 address... I suggested 192.168.2.1, but you can use any RFC1918 address that is not 192.168.1.x.

Again, if you start with the default configuration, you won't need to do anything special aside from the lan address change. OpenWrt is configured to do NAT masquerade based routing out of the box. You can use ssh or the web interface for this purpose.

What do you mean by this? You can set the wan address to use a static IP, but it must be in the 192.168.1.0/24 subnet that the ISP router is using. Is that what you'd like to do?

okoolo · January 28, 2023, 1:00am

Yeah I'm just gonna do as tyou suggested and start from scratch with default config

ifconfig
enp8s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.11 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::60d5:a590:b26f:6088 prefixlen 64 scopeid 0x20

What I meant earlier is that now I will try to go back to my original quest - matching ping packets
"meta nfproto ipv4 icmp type { echo-request } goto output_is_ping" . Hopefully now I will be able to use ip/net tables as I'm not bridging anymore

its just gonna have to be a bit of a hassle to ssh to the router as I am now on a different subset - I can live with that though
edit - funnily enough wireless clients are getting 192.168.2 subset ips -perfect

thanks so much for your help . And patience..

psherman · January 28, 2023, 1:53am

If you need to be able to ssh to the router from the upstream (192.168.1.0/24) network... this is easy to accommodate. You can do this in a few ways, but fundamentally if your upstream network is trusted, you can simply set the "input" wan zone to accept. NEVER do this if your router is connected to an untrusted network such as the internet.

that's exactly what is expected in this configuration.

Is your problem now solved?

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.