[solved] No access to DMZ network segment from desktop PC connected to LAN



cmonty14
Posts: 6
Joined: Fri May 06, 2022 2:46 am

[solved] No access to DMZ network segment from desktop PC connected to LAN

Post by cmonty14 »

Hello,
my desktop PC has 2 NICs.
Each NIC is connected to a dedicated router.
This means my network has 2 routers.
Router A is provided by the ISP, and the desktop PC is connected to its LAN with network 192.168.1.0/24.
Router B is running Gargoyle, and on the downstream side there are 2 network segments: LAN (172.16.1.0/24) and DMZ (172.16.9.0/24).
Each network segment is set up on a dedicated NIC, meaning there's no VLAN.
The desktop PC is connected to the LAN.

So, the bottom line is that the desktop PC has 2 LAN connections; the relevant IPs are served by DHCP.

My main issue currently is that I cannot ping 172.16.9.1, which is router B's IP on the DMZ, and consequently I cannot ping any other client in subnet 172.16.9.0/24.

The restriction is that the DMZ must be accessible only from clients connected to the LAN, subnet 172.16.1.0/24.
Can you please advise how to fix this issue?

Here's the route table:

Code:

$ ip r
default via 192.168.1.1 dev br0 proto dhcp src 192.168.1.83 metric 10 
default via 172.16.1.1 dev enp5s0 proto dhcp src 172.16.1.100 metric 20 
172.16.1.0/24 dev enp5s0 proto kernel scope link src 172.16.1.100 metric 20 
172.16.1.1 dev enp5s0 proto dhcp scope link src 172.16.1.100 metric 20 
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.83 metric 10 
192.168.1.1 dev br0 proto dhcp scope link src 192.168.1.83 metric 10 
192.168.100.249 via 192.168.1.1 dev br0 proto dhcp src 192.168.1.83 metric 10
Last edited by cmonty14 on Wed May 11, 2022 4:34 am, edited 1 time in total.

Lantis
Moderator
Posts: 7172
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: No access to DMZ network segment from desktop PC connected to LAN

Post by Lantis »

You need to set up forwarding between the LAN and DMZ as a firewall rule. This can't be controlled by Gargoyle and is a custom setup.
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
https://lantisproject.com/blog

cmonty14
Posts: 6
Joined: Fri May 06, 2022 2:46 am

Re: No access to DMZ network segment from desktop PC connected to LAN

Post by cmonty14 »

Hello,
I have added some rules to the firewall; here's the current config:

Code:

root@clancy:~# uci export firewall
package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'dmz'
	list network 'dmz'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'dmz'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config forwarding
	option src 'lan'
	option dest 'dmz'
However, this is not the solution.

Code:

thomas@homer:/etc/systemd/network
$ traceroute 172.16.9.1
traceroute to 172.16.9.1 (172.16.9.1), 30 hops max, 60 byte packets
 1  homer (172.16.1.100)  3043.313 ms !H  3043.281 ms !H  3043.267 ms !H

thomas@homer:/etc/systemd/network
$ traceroute 172.16.1.1
traceroute to 172.16.1.1 (172.16.1.1), 30 hops max, 60 byte packets
 1  _gateway (172.16.1.1)  0.339 ms  0.385 ms  0.660 ms
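The stated requirement is that the DMZ is reachable only from the LAN, and the zone forwardings in the posted config are what enforce that on the router. Below is an added example (not from the thread or from Gargoyle) that parses the `config forwarding` sections of a `uci export firewall` dump and reports any forwarding that would violate that requirement; the sample text is a constructed subset of the config above.

```python
# Constructed subset of the posted `uci export firewall` output: only the forwarding
# sections matter for the LAN/DMZ reachability question, so zones and rules are omitted.
UCI_EXPORT = """\
package firewall

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'dmz'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'dmz'
"""

def parse_uci(text):
    """Parse `uci export` output into a list of (section_type, {option: value}) tuples.
    Indented `option`/`list` lines belong to the most recent `config` line."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            sections.append((line.split()[1], {}))
        elif line.startswith(("option ", "list ")) and sections:
            _, key, value = line.split(None, 2)
            sections[-1][1][key] = value.strip("'")
    return sections

def forwardings(sections):
    """Set of (src_zone, dest_zone) pairs the router will forward between."""
    return {(s["src"], s["dest"]) for kind, s in sections if kind == "forwarding"}

def check_dmz_policy(text, dmz="dmz", lan="lan"):
    """Return findings for the policy 'DMZ is reachable only from LAN, and DMZ
    may only initiate traffic towards wan'. An empty list means the config complies."""
    fw = forwardings(parse_uci(text))
    findings = []
    if (lan, dmz) not in fw:
        findings.append(f"missing forwarding {lan} -> {dmz}")
    for src, dest in sorted(fw):
        if dest == dmz and src != lan:
            findings.append(f"unexpected forwarding {src} -> {dmz}")
        if src == dmz and dest != "wan":
            findings.append(f"{dmz} may initiate traffic into {dest}")
    return findings
```

On the posted config the check returns no findings; appending a `dmz -> lan` forwarding would be flagged, since that would let DMZ hosts open connections into the LAN.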

Lantis
Moderator
Posts: 7172
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: No access to DMZ network segment from desktop PC connected to LAN

Post by Lantis »

Also add a route to the 172.16.9.0/24 subnet via the DMZ interface. You may be able to use the GUI but I don’t know if it will detect the interface.

cmonty14
Posts: 6
Joined: Fri May 06, 2022 2:46 am

Re: No access to DMZ network segment from desktop PC connected to LAN

Post by cmonty14 »

Regarding your recommendation to add a route via the DMZ interface, I have this question.

My understanding is that the DMZ interface is 172.16.9.1; however, I cannot ping this IP.
And this means the route won't work either.

Lantis
Moderator
Posts: 7172
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: No access to DMZ network segment from desktop PC connected to LAN

Post by Lantis »

That doesn't sound right.
If your PC doesn't explicitly have a route set for that subnet, it will just fire it out onto the network and ask the router where it should go. If the router knows, it will send it over the DMZ (which is why we are adding the route). If it doesn't, it will fire it over the WAN and hope for the best.
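The point above about a packet going wherever the most specific route sends it can be checked against the PC's own `ip r` output from the first post. This added example (not from the thread) replays the Linux lookup order, longest prefix first and lowest metric on ties, over that table; the DMZ route it adds afterwards is an assumption about what the PC needs, with router B's LAN address 172.16.1.1 as the gateway.

```python
import ipaddress

# Route table exactly as posted for the desktop PC (`ip r` output from the first post).
ROUTES_BEFORE = [
    "default via 192.168.1.1 dev br0 proto dhcp src 192.168.1.83 metric 10",
    "default via 172.16.1.1 dev enp5s0 proto dhcp src 172.16.1.100 metric 20",
    "172.16.1.0/24 dev enp5s0 proto kernel scope link src 172.16.1.100 metric 20",
    "172.16.1.1 dev enp5s0 proto dhcp scope link src 172.16.1.100 metric 20",
    "192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.83 metric 10",
    "192.168.1.1 dev br0 proto dhcp scope link src 192.168.1.83 metric 10",
    "192.168.100.249 via 192.168.1.1 dev br0 proto dhcp src 192.168.1.83 metric 10",
]
# Hypothetical route for the DMZ subnet (assumption: router B's LAN address is the next hop).
DMZ_ROUTE = "172.16.9.0/24 via 172.16.1.1 dev enp5s0 metric 20"

def parse_route(line):
    """Turn one `ip route` line into (prefix, gateway, device, metric).
    A bare address such as '172.16.1.1' is a /32 host route; 'default' is 0.0.0.0/0."""
    tokens = line.split()
    target = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
    prefix = ipaddress.ip_network(target, strict=False)
    gateway = device = None
    metric = 0
    for i, tok in enumerate(tokens):
        if tok == "via":
            gateway = tokens[i + 1]
        elif tok == "dev":
            device = tokens[i + 1]
        elif tok == "metric":
            metric = int(tokens[i + 1])
    return prefix, gateway, device, metric

def lookup(routes, dst):
    """Return (gateway, device) the kernel would use for dst: the matching route with the
    longest prefix wins, and among equal prefixes the lowest metric wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for line in routes:
        prefix, gateway, device, metric = parse_route(line)
        if dst not in prefix:
            continue
        rank = (prefix.prefixlen, -metric)
        if best is None or rank > best[0]:
            best = (rank, gateway, device)
    return None if best is None else (best[1], best[2])
```

With the posted table, 172.16.9.1 matches only the two default routes and the metric-10 one wins, so the packet leaves via br0 towards the ISP router rather than towards router B; with the DMZ route present it is sent to 172.16.1.1 on enp5s0 instead.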

cmonty14
Posts: 6
Joined: Fri May 06, 2022 2:46 am

Re: No access to DMZ network segment from desktop PC connected to LAN

Post by cmonty14 »

I managed to fix the issue, meaning I created a static route (in the router) with these settings:
interface: lan
target: 172.16.9.0
netmask: 255.255.255.0
gateway: 172.16.1.1

Thanks for your support solving this issue.
