[FS#382] Simple static routes not working when firewall+masquerading is active

LEDE Bugs lede-bugs at lists.infradead.org
Wed Jan 11 06:04:08 PST 2017


A new Flyspray task has been opened.  Details are below. 

User who did this - Mauro Mozzarelli (ezplanet) 

Attached to Project - LEDE Project
Summary - Simple static routes not working when firewall+masquerading is active
Task Type - Bug Report
Category - Base system
Status - Unconfirmed
Assigned To - 
Operating System - All
Severity - High
Priority - Very Low
Reported Version - Trunk
Due in Version - Undecided
Due Date - Undecided
Details - Supply the following if possible:
 - Device problem occurs on: all devices
 - Software versions of LEDE release, packages, etc. trunk all releases up to the latest
 - Steps to reproduce: see below:

When I switched from OpenWrt to LEDE, static routes configured on my network stopped working.

My configuration is as follows (please use a fixed character size to read the diagram below):


                           Internet ADSL
                                 |
                                 |
Internet ADSL                Router C
[Dynamic IP]              [Public Subnet P]
       |                         |
       |                 Address on Subnet P
   Router B                   Router A -------------- VPN to 192.168.2.0
  192.168.1.5               192.168.1.1
       |                         |
       |                         |
       --------------------------- [Private LAN 192.168.1.0]
         |
      Host X
     Default Router 192.168.1.5


Router A is configured to masquerade traffic from 192.168.1.0 through its port on Subnet P.
Router C is the default router for Public Subnet P.
Router B is configured with a static route to Public Subnet P through 192.168.1.1.
I want traffic from hosts with 192.168.1.5 default route to Public Subnet P to go via 192.168.1.1 (instead of through the internet).
I want traffic from hosts with 192.168.1.5 default route to VPN 192.168.2.0 to go via 192.168.1.1.
On Router B I configure a static route directing traffic for Public Subnet P through 192.168.1.1.
On Router B I configure a static route directing traffic for VPN 192.168.2.0 through 192.168.1.1.

Behaviour from Host X:

- Using OpenWRT (any version including latest trunk):
   I can ping any host on Public Subnet P or VPN 192.168.2.0
   I can http/https, use any protocol to any host on Public Subnet P or VPN 192.168.2.0

- Using LEDE up to build r2713 (the latest I tried):
   I can ping any host on Public Subnet or VPN 192.168.2.0
   Any attempt to connect using any other internet protocol to any host in Public Subnet P or VPN 192.168.2.0 fails.
   However if I disable the firewall altogether in Router B my connections succeed.

It looks as if in LEDE response packets are somehow blocked by the firewall before they reach Host X (I can see connections coming on the hosts in Public Subnet P, and responses returning, but not reaching Host X).

I tried to add a specific directive to the Router B firewall to let through packets from Public Subnet P, but it is not working.
The only workaround I found working is to create a SNAT rule on Router B to rewrite the source IP to 192.168.1.5 with destination Public Subnet P. This however should be unnecessary if the routing worked properly.

This simple static routing configuration should work seamlessly as it does in OpenWRT and any Linux flavour.


More information can be found at the following URL:
https://bugs.lede-project.org/index.php?do=details&task_id=382



More information about the lede-bugs mailing list
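The following is an added example, not part of the bug report and not LEDE or OpenWrt code. It is a small path simulation of the diagram above: each node has interface addresses, static routes and optional source NAT, and a packet is forwarded hop by hop from Host X to a host on Subnet P (and to a host behind the VPN), then the reply is traced back. Everything the report leaves unstated is a labelled placeholder: "Public Subnet P" is 203.0.113.0/24, Router B's ADSL side is 198.51.100.0/24, Host X is 192.168.1.10, the VPN is modelled as a tunnel interface on Router A, and the hosts "hostp" and "hostv" are constructed. What the simulation shows is that, because Router A sits directly on 192.168.1.0, replies go Router A -> Host X without passing Router B, so Router B sees only the outbound half of each flow; the reporter's SNAT workaround (source rewritten to 192.168.1.5 for Subnet P) is what pulls the reply back through Router B. The report itself does not identify why the LEDE firewall, unlike the OpenWrt one, drops such one-directional flows; the simulation only shows the path asymmetry that the reported symptoms are consistent with.

```python
import ipaddress

IP, NET, IFACE = ipaddress.ip_address, ipaddress.ip_network, ipaddress.ip_interface

# Values the report does not give are placeholders from the RFC 5737 documentation ranges.
SUBNET_P = "203.0.113.0/24"     # "Public Subnet P"
ISP_LINK = "198.51.100.0/24"    # Router B's ADSL side ("Dynamic IP")
HOST_X = IP("192.168.1.10")     # Host X's own address is not stated in the report


class Node:
    """A host or router: interface addresses, static routes and optional source NAT."""
    def __init__(self, name, addrs, routes=(), masq=(), snat=()):
        self.name = name
        self.addrs = [IFACE(a) for a in addrs]
        self.routes = [(NET(n), IP(g)) for n, g in routes]   # (destination, gateway)
        self.masq = {NET(n) for n in masq}                    # masquerade when leaving via these subnets
        self.snat = [(NET(n), IP(s)) for n, s in snat]       # rewrite source to s for traffic to n
        self.nat_table = {}                                   # translated source -> original source

    def owns(self, addr):
        return any(a.ip == addr for a in self.addrs)

    def connected(self, addr):
        """Interface whose subnet contains addr (on-link), or None."""
        return next((a for a in self.addrs if addr in a.network), None)

    def next_hop(self, dst):
        """On-link delivery first, otherwise the longest-prefix static route."""
        iface = self.connected(dst)
        if iface is not None:
            return dst, iface
        matches = [(net, gw) for net, gw in self.routes if dst in net]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst}")
        _, gw = max(matches, key=lambda r: r[0].prefixlen)
        return gw, self.connected(gw)

    def egress(self, pkt, out_if):
        """Apply SNAT or masquerade on the way out and remember the mapping."""
        src, dst = pkt
        for net, new_src in self.snat:
            if dst in net:
                self.nat_table[new_src] = src
                return new_src, dst
        if out_if.network in self.masq:
            self.nat_table[out_if.ip] = src
            return out_if.ip, dst
        return pkt

    def ingress(self, pkt):
        """Undo this node's own NAT for a returning packet."""
        src, dst = pkt
        return (src, self.nat_table[dst]) if dst in self.nat_table else pkt


def build(snat_workaround=False):
    """The diagram from the report; the VPN is modelled as a tunnel interface on Router A (assumption)."""
    b_snat = [(SUBNET_P, "192.168.1.5")] if snat_workaround else []   # the reporter's workaround rule
    nodes = [
        Node("hostx", [f"{HOST_X}/24"], routes=[("0.0.0.0/0", "192.168.1.5")]),
        Node("routerb", ["192.168.1.5/24", "198.51.100.2/24"],
             routes=[("0.0.0.0/0", "198.51.100.1"),
                     (SUBNET_P, "192.168.1.1"),            # the report's two static routes
                     ("192.168.2.0/24", "192.168.1.1")],
             masq=[ISP_LINK], snat=b_snat),
        Node("routera", ["192.168.1.1/24", "203.0.113.10/24", "192.168.2.1/24"],
             routes=[("0.0.0.0/0", "203.0.113.1")], masq=[SUBNET_P]),  # masquerades out of its Subnet P port
        Node("routerc", ["203.0.113.1/24"]),
        Node("hostp", ["203.0.113.50/24"], routes=[("0.0.0.0/0", "203.0.113.1")]),   # constructed host on Subnet P
        Node("hostv", ["192.168.2.50/24"], routes=[("0.0.0.0/0", "192.168.2.1")]),   # constructed host behind the VPN
    ]
    return {n.name: n for n in nodes}


def trace(nodes, start, pkt, max_hops=16):
    """Forward pkt = (src, dst) from node `start`; return (path, packet as delivered)."""
    by_addr = {a.ip: n for n in nodes.values() for a in n.addrs}
    node, path = nodes[start], [start]
    for _ in range(max_hops):
        if node.owns(pkt[1]):
            return path, pkt
        nh, out_if = node.next_hop(pkt[1])
        pkt = node.egress(pkt, out_if)
        node = by_addr[nh]
        path.append(node.name)
        pkt = node.ingress(pkt)
    raise RuntimeError("hop limit reached")


def analyse(server="hostp", snat_workaround=False):
    """Trace Host X -> server and the reply; list routers on the forward path that never see the reply."""
    nodes = build(snat_workaround)
    fwd, delivered = trace(nodes, "hostx", (HOST_X, nodes[server].addrs[0].ip))
    rev, _ = trace(nodes, server, (delivered[1], delivered[0]))
    routers = [n for n in fwd if n.startswith("router")]
    return {"forward": fwd, "reverse": rev,
            "asymmetric_at": [r for r in routers if r not in rev]}


if __name__ == "__main__":
    for server, workaround in (("hostp", False), ("hostp", True), ("hostv", True)):
        r = analyse(server, workaround)
        print(f"{server} (SNAT workaround={workaround}): forward {' -> '.join(r['forward'])};"
              f" reply {' -> '.join(r['reverse'])}; never sees reply: {r['asymmetric_at'] or 'none'}")
```

Run as-is to print the three cases. Without the workaround the forward path is hostx -> routerb -> routera -> hostp and the reply is hostp -> routera -> hostx, so Router B is listed as never seeing the reply; with the workaround the reply becomes hostp -> routera -> routerb -> hostx. Because the reporter's SNAT rule matches only destination Subnet P, the VPN case ("hostv") stays asymmetric at Router B even with the workaround, which matches the report's statement that the rule was written for Subnet P only.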