This has probably been asked before, but I have no idea what this is called or which search terms to use (this answer looked like what I needed, but I'm not sure).
I have a WRT1900ACS running OpenWrt 23.05 that has five LAN subnets:

- `lan`: 10.1.0.0/19
- `net1`: 10.1.15.0/28
- `net2`: 10.1.20.0/27
- `net3`: 10.1.25.0/27
- `net4`: 10.1.25.28/30
I wanted the `net1` - `net4` subnets to be sanely numbered, which is why the `lan` CIDR is /19, since my understanding (which may be incorrect) is that if `lan` were defined with a subnet mask encompassing the `net3` - `net4` subnets, and `net3` defined with a subnet mask encompassing `net4`, I would be able to reach devices on them from a device on `lan` and from a device on `net3`:
- PC [`lan`] → AirPlay server [`net3`]
- PC [`lan`] → Printer [`net4`]
- PC [`net3`] → Printer [`net4`]
What I tried in the firewall, separately and together (commented out in the firewall config):

- allowing inter-zone forwarding
- specifying individual inter-zone forwarding rules

Configs:
`/etc/config/network`:

```
# ##::[[--- OpenWrt WAN Network Config ---]]::##
# ===========================================================
##----- Global -----##
# ===========================================================
# https://jodies.de/ipcalc?host=10.0.0.1&mask1=19&mask2=
# ===========================================================
##----- Active Networks w/ WAN -----##
# ===========================================================
# Loopback #
# -----------------------------------------------------------
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr 127.0.0.1
	option netmask 255.0.0.0

# ===========================================================
# vLAN: WAN #
# -----------------------------------------------------------
config device
	option name 'wan'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'wan'
	option proto 'dhcpv6'

# ===========================================================
# vLAN: LAN #
# -----------------------------------------------------------
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option dns '208.67.222.222 208.67.220.220'
	option force_link 1
	option ip6assign 60
	option broadcast 10.1.31.255
	option ipaddr 10.1.0.1
	option netmask 255.255.224.0

# ===========================================================
# vLAN: net1 #
# -----------------------------------------------------------
config interface 'net1'
	option ifname 'net1'
	option type 'bridge'
	option proto 'static'
	option dns '208.67.222.222 208.67.220.220'
	option broadcast 10.1.15.15
	option delegate 0
	option ipaddr 10.1.15.1
	option netmask 255.255.255.240

# vLAN: net2 #
# -----------------------------------------------------------
config device
	option name 'br-net2'
	option type 'bridge'
	list ports 'lan2'

# section name corrected to 'net2' (the posted file named it 'net3', duplicating the net3 section)
config interface 'net2'
	option device 'br-net2'
	option proto 'static'
	option dns '208.67.222.222 208.67.220.220'
	option broadcast 10.1.20.31
	option ipaddr 10.1.20.1
	option netmask 255.255.255.224

# vLAN: net3 #
# -----------------------------------------------------------
config device
	option name 'br-net3'
	option type 'bridge'
	list ports 'lan3'

config interface 'net3'
	option device 'br-net3'
	option proto 'static'
	option dns '208.67.222.222 208.67.220.220'
	option broadcast 10.1.25.31
	option ipaddr 10.1.25.1
	option netmask 255.255.255.224

# vLAN: net4 #
# -----------------------------------------------------------
config interface 'net4'
	option ifname 'net4'
	option type 'bridge'
	option proto 'static'
	option broadcast 10.1.25.31
	option delegate 0
	option ipaddr 10.1.25.29
	option netmask 255.255.255.252
```
`/etc/config/firewall`:

```
# ##::[[--- OpenWrt WAN Firewall Config ---]]::##
# ===========================================================
##----- Scripts -----##
# ===========================================================
config include
	option path '/etc/firewall.user'

# ===========================================================
##----- Default Zone -----##
# ===========================================================
config defaults
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option log_limit '10/second'
	option custom_chains 1
	option drop_invalid 1
	option log 1
	option synflood_protect 1
	option tcp_syncookies 1
	option tcp_window_scaling 1

# ===========================================================
##----- NAT Redirects -----##
# ===========================================================
# SSH #
# -----------------------------------------------------------

# ===========================================================
##----- Zones -----##
# ===========================================================
# WAN #
# -----------------------------------------------------------
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option masq 1
	option mtu_fix 1

# ===========================================================
# LAN #
# -----------------------------------------------------------
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option src 'lan'
	option dest '*'
	option dest_port '67:68'
	option name 'Allow LAN → WRT1900ACS (DHCP Requests)'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option src '*'
	option dest 'lan'
	option dest_port '67:68'
	option name 'Allow WRT1900ACS → LAN (DHCP Renew)'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option src 'lan'
	option dest '*'
	option dest_port '53'
	option name 'Allow LAN → WRT1900ACS (DNS)'

config rule
	option target 'ACCEPT'
	option proto 'icmp'
	option src 'lan'
	option dest '*'
	option name 'Allow LAN → WRT1900ACS (ICMP)'

config rule
	option target 'ACCEPT'
	option proto 'all'
	option src 'lan'
	option dest '*'
	option name 'Allow LAN → WRT1900ACS'

# config rule
#	option target 'ACCEPT'
#	option proto 'all'
#	option src 'lan'
#	option dest 'net3'
#	option name 'Allow LAN → net3'

# ===========================================================
##----- Rules -----##
# ===========================================================
# vLAN: net1 #
# -----------------------------------------------------------
config zone
	option name 'net1'
	list network 'net1'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option src 'net1'
	option dest '*'
	option dest_port '67:68'
	option name 'Allow net1 → WRT1900ACS (DHCP Requests)'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option src '*'
	option dest 'net1'
	option dest_port '67:68'
	option name 'Allow WRT1900ACS → net1 (DHCP Renew)'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option src 'net1'
	option dest '*'
	option dest_port '53'
	option name 'Allow net1 → WRT1900ACS (DNS)'

config rule
	option target 'ACCEPT'
	option proto 'icmp'
	option src 'net1'
	option dest '*'
	option name 'Allow net1 → WRT1900ACS (ICMP)'

config rule
	option target 'DROP'
	option proto 'all'
	option src 'net1'
	option dest '*'
	option dest_ip '10.1.15.15'
	option name 'Drop net1 → WRT1900ACS (Broadcast)'

config rule
	option target 'REJECT'
	option proto 'all'
	option src 'net1'
	option dest 'lan'
	option name 'Reject net1 → LAN'

config rule
	option target 'REJECT'
	option proto 'all'
	option src 'net1'
	option dest 'net2'
	option name 'Reject net1 → net2'

config rule
	option target 'REJECT'
	option proto 'all'
	option src 'net1'
	option dest 'net3'
	option name 'Reject net1 → net3'

config rule
	option target 'REJECT'
	option proto 'all'
	option src 'net1'
	option dest 'net4'
	option name 'Reject net1 → net4'

# ===========================================================
# vLAN: net2 #
# -----------------------------------------------------------
config zone
	option name 'net2'
	list network 'net2'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option src 'net2'
	option dest '*'
	option dest_port '67:68'
	option name 'Allow net2 → WRT1900ACS (DHCP Requests)'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option src '*'
	option dest 'net2'
	option dest_port '67:68'
	option name 'Allow WRT1900ACS → net2 (DHCP Renew)'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option src 'net2'
	option dest '*'
	option dest_port '53'
	option name 'Allow net2 → WRT1900ACS (DNS)'

config rule
	option target 'ACCEPT'
	option proto 'icmp'
	option src 'net2'
	option dest '*'
	option name 'Allow net2 → WRT1900ACS (ICMP)'

config rule
	option target 'REJECT'
	option proto 'all'
	option src 'net2'
	option dest 'net1'
	option name 'Reject net2 → net1'

# ===========================================================
# vLAN: net3 #
# -----------------------------------------------------------
config zone
	option name 'net3'
	list network 'net3'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option src 'net3'
	option dest '*'
	option dest_port '67:68'
	option name 'Allow net3 → WRT1900ACS (DHCP Requests)'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option src '*'
	option dest 'net3'
	option dest_port '67:68'
	option name 'Allow WRT1900ACS → net3 (DHCP Renew)'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option src 'net3'
	option dest '*'
	option dest_port '53'
	option name 'Allow net3 → WRT1900ACS (DNS)'

config rule
	option target 'ACCEPT'
	option proto 'icmp'
	option src 'net3'
	option dest '*'
	option name 'Allow net3 → WRT1900ACS (ICMP)'

config rule
	option target 'REJECT'
	option proto 'all'
	option src 'net3'
	option dest 'lan'
	option name 'Reject net3 → LAN'

config rule
	option target 'REJECT'
	option proto 'all'
	option src 'net3'
	option dest 'net1'
	option name 'Reject net3 → net1'

# ===========================================================
# vLAN: net4 #
# -----------------------------------------------------------
config zone
	option name 'net4'
	list network 'net4'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option src 'net4'
	option dest '*'
	option dest_port '67:68'
	option name 'Allow net4 → WRT1900ACS (DHCP Requests)'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option src '*'
	option dest 'net4'
	option dest_port '67:68'
	option name 'Allow WRT1900ACS → net4 (DHCP Renew)'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option src 'net4'
	option dest '*'
	option dest_port '53'
	option name 'Allow net4 → WRT1900ACS (DNS)'

config rule
	option target 'ACCEPT'
	option proto 'icmp'
	option src 'net4'
	option dest '*'
	option name 'Allow net4 → WRT1900ACS (ICMP)'

# ===========================================================
##----- Interzone Forwarding -----##
# ===========================================================
# vLAN: LAN #
# -----------------------------------------------------------
config forwarding
	option src 'lan'
	option dest 'wan'

# config forwarding
#	option src 'lan'
#	option dest 'net3'

# config forwarding
#	option src 'lan'
#	option dest 'net4'

# ===========================================================
# vLAN: net1 #
# -----------------------------------------------------------
config forwarding
	option src 'net1'
	option dest 'wan'

# ===========================================================
# vLAN: net2 #
# -----------------------------------------------------------
config forwarding
	option src 'net2'
	option dest 'wan'

# ===========================================================
# vLAN: net3 #
# -----------------------------------------------------------
config forwarding
	option src 'net3'
	option dest 'wan'

# config forwarding
#	option src 'net3'
#	option dest 'net4'

# ===========================================================
# vLAN: net4 #
# -----------------------------------------------------------
# config forwarding
#	option src 'net4'
#	option dest 'lan'

# config forwarding
#	option src 'net4'
#	option dest 'net3'
```
`/etc/config/dhcp`:

```
# ##::[[--- OpenWrt WAN DHCP #config ---]]::##
# ===========================================================
##----- IPv4 DNS Server -----##
# ===========================================================
# DNS Masq #
# -----------------------------------------------------------
config dnsmasq
	option domain 'WRT'
	option configdir '/tmp/dnsmasq.d'
	option local '/lan/'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option ednspacket_max 1232
	option authoritative 1
	option boguspriv 1
	option domainneeded 1
	option cachesize 1000
	option expandhosts 1
	option filter_aaaa 0
	option filter_a 0
	option filterwin2k 1
	option localise_queries 1
	option localservice 1
	option logqueries 0
	option nonegcache 0
	option nonwildcard 1
	option quietdhcp 1
	option readethers 1
	option rebind_localhost 1
	option rebind_protection 1
	option sequential_ip 1

# ===========================================================
##----- IPv6 DNS Server -----##
# ===========================================================
# oDHCPd #
# -----------------------------------------------------------
config odhcpd 'odhcpd'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel 4
	option maindhcp 0

# ===========================================================
##----- DHCP Settings -----##
# ===========================================================
# WAN #
# -----------------------------------------------------------
config dhcp 'wan'
	option interface 'wan'
	option ignore 1

# ===========================================================
# VLAN: LAN #
# -----------------------------------------------------------
config dhcp 'lan'
	option interface 'lan'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option leasetime '24h'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option force 1
	option limit 1
	option ra_management 1
	option ra_slaac 1
	option start 21

# Static IPs #
# -----------------------------------------------------------

# ===========================================================
# vLAN: net1 #
# -----------------------------------------------------------
config dhcp 'net1'
	option interface 'net1'
	option leasetime '24h'
	option force 1
	option limit 12
	option start 3

# ===========================================================
# vLAN: net2 #
# -----------------------------------------------------------
config dhcp 'net2'
	option interface 'net2'
	option leasetime '24h'
	option force 1
	option limit 12
	option start 2

# Static IPs #
# -----------------------------------------------------------

# ===========================================================
# vLAN: net3 #
# -----------------------------------------------------------
config dhcp 'net3'
	option interface 'net3'
	option leasetime '24h'
	option force 1
	option limit 1
	option start 25

# Static IPs #
# -----------------------------------------------------------

# ===========================================================
# vLAN: net4 #
# -----------------------------------------------------------
config dhcp 'net4'
	option interface 'net4'
	option leasetime '24h'
	option force 1
	option limit 1
	option start 30

# Static IPs #
# -----------------------------------------------------------
```
No, that's the exact opposite of what you want; subnets should never overlap in any way. Don't think of `lan` as a "parent" of other subnets. (Routes can overlap though; it's still valid to have a single /19 or /16 route 'via some other gateway' that encompasses all subnets.)

Subnets are connected only through the router; in order for hosts from subnet A to access anything in subnet B, they must go through the router (i.e. send packets to the router's MAC address).

But if the subnets overlap, then hosts in subnet A will think that the destination (belonging to subnet B) is in the same subnet as them (i.e. looking as if it's part of subnet A) – and same-subnet hosts by definition are accessible without going through the gateway, in general.

So the source host will instead try to make ARP queries for the destination IP directly, coming up with nothing – well, unless the router had proxy-ARP enabled (which is normally not enabled; I think only ancient Cisco IOS defaulted to enabling it).

It doesn't matter that the router knows the correct routes (`10.1.15.0/28 via net1` will take priority over `10.1.0.0/17 via lan`) if the packets never make it to the router to begin with.

That aside, this doesn't quite look "sanely numbered" in general. With only five subnets, you have plenty of space to make all of them nice round /24's; there is no need to squeeze them to the smallest possible size – there is exactly zero difference in performance between a /16 with five hosts and a /29 with five hosts.

Also, as I recall, AirPlay was strongly reliant on mDNS-based auto-discovery, which does not work across subnets unless the router has a repeater specifically for that. (Regular IP routing won't do it, not even multicast routing.) For OpenWrt, umdns seems to do this; for general Linux, avahi-daemon can act as a relay.
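To make the answer's point concrete, here is an added example (not part of the question or the answer) that takes the five subnets from the question, lists which pairs overlap, and shows the two decisions that matter: what a host on `lan` does with a packet for the printer on `net4` (ARP for it directly, never reaching the router) versus what the router's longest-prefix match would have chosen. The `/24` plan at the end is a constructed alternative in the spirit of the answer's advice, not a configuration from the page.

```python
# Added example; the POSTED subnets are the ones from the question,
# the SANE plan is a constructed non-overlapping alternative.
from ipaddress import IPv4Address, IPv4Network
from itertools import combinations

POSTED = {
    "lan":  IPv4Network("10.1.0.0/19"),
    "net1": IPv4Network("10.1.15.0/28"),
    "net2": IPv4Network("10.1.20.0/27"),
    "net3": IPv4Network("10.1.25.0/27"),
    "net4": IPv4Network("10.1.25.28/30"),
}

# Constructed alternative: one /24 per interface, no overlap anywhere.
SANE = {name: IPv4Network(f"10.1.{i}.0/24")
        for i, name in enumerate(["lan", "net1", "net2", "net3", "net4"])}


def overlaps(plan):
    """Every pair of interface subnets that overlap; a sane plan returns []."""
    return [(a, b) for a, b in combinations(plan, 2)
            if plan[a].overlaps(plan[b])]


def host_next_hop(src_net, dst):
    """How a host on src_net handles a packet for dst: if dst falls inside its
    own subnet it ARPs for dst directly ('on-link') and the router never sees
    the packet; otherwise it hands the packet to its gateway ('gateway')."""
    return "on-link" if IPv4Address(dst) in src_net else "gateway"


def router_route(plan, dst):
    """Longest-prefix match as the router would do it (only relevant once a
    packet actually arrives at the router)."""
    hits = [name for name, net in plan.items() if IPv4Address(dst) in net]
    return max(hits, key=lambda n: plan[n].prefixlen) if hits else None


if __name__ == "__main__":
    printer = "10.1.25.29"          # net4 host from the question's plan
    print("overlapping pairs:", overlaps(POSTED))
    print("lan host ->", printer, ":", host_next_hop(POSTED["lan"], printer))
    print("router would pick:", router_route(POSTED, printer))
    print("sane plan overlaps:", overlaps(SANE))
```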