[LEDE-DEV] LEDE static routes not working when masquerade/firewall is on
openwrt at ezplanet.net
Tue Jan 10 08:16:57 PST 2017
When I switched from OpenWrt to LEDE, static routes configured on my
network stopped working.
My configuration is as follows:
Internet ADSL Router C
[Dynamic IP] [Public Subnet P]
| Address on Subnet P
Router B Router A -------------- VPN to 192.168.2.0
--------------------------- [Private LAN 192.168.1.0]
Default Router 192.168.1.5
Router A is configured to Masquerade traffic from 192.168.1.0 through
its port on Subnet P
Router C is the default router for Public Subnet P
Router B is configured with a static route to Public Subnet P through
I want traffic from Hosts with 192.168.1.5 default route to Public
Subnet P to go via 192.168.1.1 (instead of through the internet)
I want traffic from Hosts with 192.168.1.5 default route to VPN
192.168.2.0 to go via 192.168.1.1
On Router B I configure a static route directing traffic for Public
Subnet P through 192.168.1.1
On Router B I configure a static route directing traffic for VPN
192.168.2.0 through 192.168.1.1
Behaviour from Host X:
- Using OpenWRT (any version including latest trunk):
  I can ping any host on Public Subnet P or VPN 192.168.2.0
  I can http/https, use any protocol to any host on Public Subnet P or
- Using LEDE up to build r2713 (the latest I tried):
  I can ping any host on Public Subnet or VPN 192.168.2.0
  Any attempt to connect using any other internet protocol to any host
  in Public Subnet P or VPN 192.168.2.0 fails.
However if I disable Masquerading or the firewall altogether in Router B
my connections succeed.
It looks as if response packets are somehow blocked by the firewall
before they reach Host X (I can see connections coming on the hosts in
Public Subnet P, and responses returning, but not reaching Host X).
I tried to add a specific directive to the Router B firewall to let
through packets from Public Subnet P, but it is not working.
The only workaround I found working is to create a SNAT rule on Router B
to rewrite the source IP to 192.168.1.5 with destination Public Subnet
P. This however should be unnecessary if the routing worked properly.
When I use OpenWRT and I ping hosts on Subnet P from Host X I get an
initial notification that the router is 192.168.1.1.
With LEDE installed I do not get such notification.
Are you aware of what was changed in LEDE that makes static routes no
longer work properly?
Thank you in advance.
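The topology in the post is one where Host X sends everything to Router B (192.168.1.5) while a host on Subnet P answers through Router A (192.168.1.1), which sits on the same LAN as Host X, so a firewall on Router B can end up seeing only one direction of a flow. The model below is an added example, not code from the post or from LEDE/OpenWrt: it is a toy connection tracker that shows how a stateful firewall classifies packets when replies bypass it, and why the SNAT workaround (replies addressed to 192.168.1.5, so they come back through Router B) changes the picture. It makes no claim about which LEDE change the poster is asking about. The host address 192.168.1.50 and the Subnet P server 203.0.113.10 are constructed; only 192.168.1.5 and 192.168.1.1 come from the post.

```python
"""Toy stateful tracker on Router B, fed only the packets that traverse it.
Added example, not from the original post. Addresses marked constructed
are assumptions; 192.168.1.5 (Router B) and 192.168.1.1 (Router A) come
from the post."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

HOST_X = "192.168.1.50"     # constructed: LAN host with default route 192.168.1.5
ROUTER_B = "192.168.1.5"    # from the post: default router, firewall/masquerade on
ROUTER_A = "192.168.1.1"    # from the post: gateway to Public Subnet P and the VPN
SERVER_P = "203.0.113.10"   # constructed stand-in for a host on Public Subnet P

Key = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # "SYN", "SYN/ACK", "ACK", "PSH/ACK", "ECHO", "ECHOREPLY"


class ConnTracker:
    """Minimal model of connection tracking: a TCP flow becomes ESTABLISHED
    only after the tracker has seen SYN, SYN/ACK and ACK; an ICMP echo needs
    no handshake. A packet that does not fit the recorded state is INVALID."""

    def __init__(self) -> None:
        self.table: Dict[Key, str] = {}   # keyed by the originator's 4-tuple

    def inspect(self, p: Packet) -> str:
        fwd: Key = (p.src, p.sport, p.dst, p.dport)
        rev: Key = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:
            state, direction = self.table[fwd], "orig"
        elif rev in self.table:
            state, direction = self.table[rev], "reply"
        else:
            # First packet of a flow: only a SYN or an echo request may open one
            if p.flags in ("SYN", "ECHO"):
                self.table[fwd] = "SYN_SENT" if p.flags == "SYN" else "ICMP"
                return "NEW"
            return "INVALID"
        if state == "ICMP" and direction == "reply" and p.flags == "ECHOREPLY":
            return "ESTABLISHED"
        if state == "SYN_SENT" and direction == "orig" and p.flags == "SYN":
            return "NEW"                              # SYN retransmit
        if state == "SYN_SENT" and direction == "reply" and p.flags == "SYN/ACK":
            self.table[rev] = "SYN_RECV"
            return "ESTABLISHED"
        if state == "SYN_RECV" and direction == "orig" and p.flags == "ACK":
            self.table[fwd] = "ESTABLISHED"
            return "ESTABLISHED"
        if state == "ESTABLISHED" and p.flags in ("ACK", "PSH/ACK"):
            return "ESTABLISHED"
        return "INVALID"


def tcp_flow(client: str, server: str) -> List[Packet]:
    """Three-way handshake followed by the client's first data segment."""
    return [Packet(client, server, 40000, 443, "SYN"),
            Packet(server, client, 443, 40000, "SYN/ACK"),
            Packet(client, server, 40000, 443, "ACK"),
            Packet(client, server, 40000, 443, "PSH/ACK")]


def icmp_flow(client: str, server: str) -> List[Packet]:
    """Echo request and its reply (what ping exchanges)."""
    return [Packet(client, server, 0, 0, "ECHO"),
            Packet(server, client, 0, 0, "ECHOREPLY")]


def verdicts_on_router_b(packets: List[Packet],
                         replies_via_b: bool) -> List[Tuple[str, str]]:
    """Return (flags, verdict) for every packet Router B's tracker sees.
    Host X sends all its packets to its default route, so they always pass
    Router B. Replies from Subnet P come back through Router A and reach
    Router B only when the return path leads there, which is what the SNAT
    workaround achieves (replies are addressed to ROUTER_B)."""
    tracker = ConnTracker()
    seen: List[Tuple[str, str]] = []
    for p in packets:
        if p.src == HOST_X or replies_via_b:
            seen.append((p.flags, tracker.inspect(p)))
    return seen


if __name__ == "__main__":
    for name, flow in (("tcp", tcp_flow(HOST_X, SERVER_P)),
                       ("icmp", icmp_flow(HOST_X, SERVER_P))):
        for via_b in (True, False):
            path = "replies via Router B" if via_b else "replies via Router A"
            print(f"{name:4} {path}: {verdicts_on_router_b(flow, via_b)}")
```

With replies bypassing Router B, the echo request is simply NEW and the reply reaches Host X untouched, so ping succeeds, while the TCP flow never advances past SYN_SENT on Router B and Host X's own ACK and data segments are classified INVALID. The model is a generic description of stateful tracking under asymmetric paths, not a diagnosis of the LEDE build in question.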