Arch Linux

cmonty14

Member

Registered: 2019-10-05

Posts: 51

No access to DMZ network segment with desktop PC having multiple NICs

Hello,
my desktop PC has 2 NICs.
Each NIC is connected to a dedicated router.
This means, in my network I have setup 2 routers.
Router A is provided by ISP, and desktop PC is connected to its LAN with network 192.168.1.0/24.
Router B is running OpenWRT, and on the downstream side there are 2 network segments: LAN (172.16.1.0/24) and DMZ (172.16.9.0/24).
Each network segment is setup on a dedicated NIC, means there's no VLAN.
The desktop PC is connected to LAN.

My main issue currently is that I cannot ping 172.16.9.1 that is router B's IP of DMZ, and conseqently I cannot ping any other client in subnet 172.16.9.0/24.

Can you please advise how to fix this issue?

THX

-thc

Member

Registered: 2017-03-15

Posts: 497

Re: No access to DMZ network segment with desktop PC having multiple NICs

Router B is running OpenWRT, and on the downstream side there are 2 network segments: LAN (172.16.1.0/24) and DMZ (172.16.9.0/24).
Each network segment is setup on a dedicated NIC, means there's no VLAN.

If I'm understanding your setup correctly, you have a "DMZ" that is simply a second IP segment on the same physical network.

OpenWRT -> LAN1 -> LAN IP -> physical LAN -> Arch box
OpenWRT -> LAN2 -> DMZ IP -> physical LAN -> Arch Box

If you want that (the concept of a "real" DMZ is different), you have to assign a secondary IP address (in the DMZ subnet) to the Arch box' LAN adapter.

GeorgeJP

Member

From: Czech Republic

Registered: 2020-01-28

Posts: 186

Re: No access to DMZ network segment with desktop PC having multiple NICs

The desktop PC is connected to LAN.

If I understand - PC is connected:

LAN1 = 192.168.1.xx/24
LAN2 = 172.16.1.yy/24

What is default gateway - 192.168.1.1 ?

In this case you can't ping nothing on 172.16.9.0/24 as your PC will send all routed packets to LAN1.

You can:
1) add static route for 172.16.9.0/24
2) extend mask for LAN2  (172.16.0.0/16)

please post results of
ip a
and
ip r

cmonty14

Member

Registered: 2019-10-05

Posts: 51

Re: No access to DMZ network segment with desktop PC having multiple NICs

The desktop PC is connected to LAN.

If I understand - PC is connected:

LAN1 = 192.168.1.xx/24
LAN2 = 172.16.1.yy/24

What is default gateway - 192.168.1.1 ?

In this case you can't ping nothing on 172.16.9.0/24 as your PC will send all routed packets to LAN1.

You can:
1) add static route for 172.16.9.0/24
2) extend mask for LAN2  (172.16.0.0/16)

please post results of
ip a
and
ip r

This is my current network configuration:

$ ip r
default via 192.168.1.1 dev br0 proto dhcp src 192.168.1.83 metric 10 
default via 172.16.1.1 dev enp5s0 proto dhcp src 172.16.1.100 metric 20 
172.16.1.0/24 dev enp5s0 proto kernel scope link src 172.16.1.100 metric 20 
172.16.1.1 dev enp5s0 proto dhcp scope link src 172.16.1.100 metric 20 
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.83 metric 10 
192.168.1.1 dev br0 proto dhcp scope link src 192.168.1.83 metric 10 
192.168.100.249 via 192.168.1.1 dev br0 proto dhcp src 192.168.1.83 metric 10 

I'm using metric to set priority gateway 192.168.1.1.

Traceroute confirms that this gateway is used when trying to access network 172.16.9.0/24:

$ traceroute 172.16.9.1
traceroute to 172.16.9.1 (172.16.9.1), 30 hops max, 60 byte packets
 1  _gateway (192.168.1.1)  0.269 ms  0.267 ms  0.283 ms
 2  192.168.1.2 (192.168.1.2)  90.875 ms  92.070 ms  92.043 ms
 3  192.168.1.2 (192.168.1.2)  92.023 ms  92.004 ms  91.983 ms

Tarqi

Member

From: Ixtlan

Registered: 2012-11-27

Posts: 179

Website

Re: No access to DMZ network segment with desktop PC having multiple NICs

Remove the second gateway and undo the metric settings.

---

Knowing others is wisdom, knowing yourself is enlightenment. ~Lao Tse

cmonty14

Member

Registered: 2019-10-05

Posts: 51

Re: No access to DMZ network segment with desktop PC having multiple NICs

Remove the second gateway and undo the metric settings.

What's the second gateway that you're referring to?

FYI the gateway of subnet 172.16.1.0/24 is provided by DHCP.
And the restriction is that DMZ is only available from clients connected to LAN, subnet 172.16.1.0/24.

Tarqi

Member

From: Ixtlan

Registered: 2012-11-27

Posts: 179

Website

Re: No access to DMZ network segment with desktop PC having multiple NICs

The second default gateway. However, there is no route to the subnet you want to access, so you need to add routes too. The DHCP handout looks like to be used exclusively, to test your current config, disconnect the non "DMZ" connection and try to access the subnet. If that works, you need to take the steps mentioned.

Last edited by Tarqi (2022-05-04 21:10:46)

---

Knowing others is wisdom, knowing yourself is enlightenment. ~Lao Tse

cmonty14

Member

Registered: 2019-10-05

Posts: 51

Re: No access to DMZ network segment with desktop PC having multiple NICs

I have disconnected LAN with network 192.168.1.0/24.
This is the routing table:

$ ip r
default via 172.16.1.1 dev enp5s0 proto dhcp src 172.16.1.100 metric 1024 
172.16.0.0/20 dev enp5s0 proto kernel scope link src 172.16.1.100 metric 1024 
172.16.1.1 dev enp5s0 proto dhcp scope link src 172.16.1.100 metric 1024 

This routing table has a larger network /20 that includes 172.16.1.0/24 and 172.16.9.0/24.

However, I still cannot reach DMZ network 172.16.9.0/24 and its router interface IP 172.16.9.1:

$ ping -c 3 172.16.9.1
PING 172.16.9.1 (172.16.9.1) 56(84) Bytes an Daten.
Von 172.16.1.100 icmp_seq=1 Zielhost nicht erreichbar
Von 172.16.1.100 icmp_seq=2 Zielhost nicht erreichbar
Von 172.16.1.100 icmp_seq=3 Zielhost nicht erreichbar

--- 172.16.9.1 ping-Statistik ---
3 Pakete übertragen, 0 empfangen, +3 Fehler, 100% packet loss, time 2020ms
pipe 3

$ traceroute 172.16.9.1
traceroute to 172.16.9.1 (172.16.9.1), 30 hops max, 60 byte packets
 1  homer (172.16.1.100)  3042.097 ms !H  3042.074 ms !H  3042.067 ms !H

Koatao

Member

Registered: 2018-08-30

Posts: 92

Re: No access to DMZ network segment with desktop PC having multiple NICs

Hello,

Your routing table is wrong. You are not on the same segment than 172.16.0.0/20 and definitely not on 172.16.9.0/24, right?
ARP is failing to resolve 172.16.9.1 I guess (ip n will confirm).

How did you set up the network configuration on 172.16.1.100?
The route:

172.16.0.0/20 dev enp5s0 proto kernel scope link src 172.16.1.100 metric 1024

should be:

172.16.1.0/24 dev enp5s0 proto kernel scope link src 172.16.1.100 metric 1024

And from there, when the NIC on 192.168.1.0/24 network will be up again, you will need to set a route to 172.16.9.0/24 via 172.16.1.1 or to lower the metric on the default route via 172.16.1.1.

Else I don't understand what your DMZ is for if there is no access policy whats so ever between you DMZ and LAN.

EDIT: modified 172.16.20.0/24 to 172.16.0.0/20 (else it doesn't make sense)

Last edited by Koatao (2022-05-09 04:48:53)

cmonty14

Member

Registered: 2019-10-05

Posts: 51

Re: No access to DMZ network segment with desktop PC having multiple NICs

Hello,

Your routing table is wrong. You are not on the same segment than 172.16.0.0/20 and definitely not on 172.16.9.0/24, right?

Actually I don't agree with this statement.
Network segment 172.16.0.0/20 starts with IP 172.16.0.1 and ends with IP 172.16.15.254.
This means 172.16.9.0/24 is covered.

Let's assume there are multiple network segments, e.g.
Wifi: 172.16.10.0/24
Guest: 172.16.11.0/24
Office: 172.16.12.0/24
IoT: 172.16.13.0/24

If I want to access any of these subnets from LAN, I would need a static route for each network segment via 172.16.1.1, e.g.
172.16.10.0/24 via 172.16.1.1
172.16.11.0/24 via 172.16.1.1
etc.

Why is it impossible to setup exact one static route the includes all network segments instead
172.16.0.0/20 via 172.16.1.1?

And would you agree that the static route, whatever it will look like, can either be placed on the LAN client or on the router?

Last edited by cmonty14 (2022-05-09 07:55:12)

GeorgeJP

Member

From: Czech Republic

Registered: 2020-01-28

Posts: 186

Re: No access to DMZ network segment with desktop PC having multiple NICs

Router B is running OpenWRT, and on the downstream side there are 2 network segments: LAN (172.16.1.0/24) and DMZ (172.16.9.0/24).

On OpenWRT - are both segments in one firewall zone? If not, do you have configured/enabled packet forwarding between zones?

cmonty14

Member

Registered: 2019-10-05

Posts: 51

Re: No access to DMZ network segment with desktop PC having multiple NICs

Router B is running OpenWRT, and on the downstream side there are 2 network segments: LAN (172.16.1.0/24) and DMZ (172.16.9.0/24).

On OpenWRT - are both segments in one firewall zone? If not, do you have configured/enabled packet forwarding between zones?

Certainly the 2 network segments are configured in seperated firewall zones.
Otherwise it makes no sense to setup a DMZ with restrictions.

And I have enable packet forwarding between the relevant zones LAN and DMZ.
Here's the current firewall configuration:

root@clancy:~# uci export firewall
package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'dmz'
	list network 'dmz'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'dmz'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config forwarding
	option src 'lan'
	option dest 'dmz'

GeorgeJP

Member

From: Czech Republic

Registered: 2020-01-28

Posts: 186

Re: No access to DMZ network segment with desktop PC having multiple NICs

Can you post also:

/etc/config/network from OpenWRT (you can hide WAN IP)
archlinux networking configuration.

Edit:

config forwarding
	option src 'lan'
	option dest 'dmz'

You have enabled forwarding from lan to dmz. I think, you need also enable oposite direction to get reply.

Last edited by GeorgeJP (2022-05-09 10:35:38)

Koatao

Member

Registered: 2018-08-30

Posts: 92

Re: No access to DMZ network segment with desktop PC having multiple NICs

Hello,

Your routing table is wrong. You are not on the same segment than 172.16.0.0/20 and definitely not on 172.16.9.0/24, right?

Actually I don't agree with this statement.
Network segment 172.16.0.0/20 starts with IP 172.16.0.1 and ends with IP 172.16.15.254.
This means 172.16.9.0/24 is covered.

Why is it impossible to setup exact one static route the includes all network segments instead
172.16.0.0/20 via 172.16.1.1?

And would you agree that the static route, whatever it will look like, can either be placed on the LAN client or on the router?

I think you misunderstood what I trying to say.

The rule:

172.16.0.0/20 dev enp5s0 proto kernel scope link src 172.16.1.100 metric 1024

is stating that every hosts on 172.16.0.0/20 are available on-link, so no routing needed.
That is why I talked about ARP, because that is what happens when your host (172.16.1.100) is trying to send an IP packet to any remote host on the 172.16.0.0/20 network. It asks for the remote host MAC address to send him a frame directly. It doesn't send a packet to the OpenWRT router to communicate with them.
This behavior I'm trying to describe is consistent with ICMP error (destination host unreachable) received with ping and tracepath result.
ip n will print your ARP table so you can see (or not if I'm wrong) that 172.16.9.1 failed to resolve to a MAC address.

You don't need to set a specific route to 172.16.0.0/20 because it would be covered already by the default route via 172.16.1.1 if you had set up the network on the host correctly (which comes from DHCP).

Last edited by Koatao (2022-05-09 20:47:37)