solved:
place 192.168.1.0/24 and 192.168.2.0/24 as 'sources' in the 'trusted'
zone ;)
On 10/12/2020 04:12, andrew goh wrote:
hi,
I ran into various issues attempting to set up firewalld so that it would
forward IP traffic between 2 subnets.
Let's start with the network map.
                             +-- lan subnet 1
wan <---- router (firewalld) +
                             +-- lan subnet 2
firewalld runs in the router box. the wan interface works well in
firewalld and is simply in the 'external' zone. it is simply marked
masquerade so that it is doing NAT for all traffic bound for the
internet. no issues with this
LAN 1 and LAN 2 are local ipv4 /24 subnets e.g. you can imagine one
being 192.168.1.0 / 24 the other being 192.168.2.0 / 24.
the trouble is IP traffic is blocked between the 2 LAN subnets. you can
imagine one being in the 'home' zone and the other in the 'work' zone. all (http)
connections are intercepted by the firewall set up by firewalld and
rejected. that happens even if i place both of them in the same zone,
say 'home' or 'work'.
I went ahead and tried 'direct configuration' putting a rule like
* filter FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
* filter FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT
However, this is to no avail and all traffic is still rejected.
finally i did the deep dive and tried tracing using nftrace
https://wiki.nftables.org/wiki-nftables/index.php/Ruleset_debug/tracing
I found out something rather alarming, in that the rules setup in
'direct configuration' are based on iptables command while firewalld
setup its own large sets of nft rules. it turns out firewalld is using
the 'INET' ( ipv4 and/or ipv6) family for its rules.
https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
While the iptables rules done in 'direct configuration' go into the
IP family.
And the firewalld's own INET rules are evaluated *before* the IP rules
setup in 'direct configuration'. the packets are rejected in the
firewalld rules before they can even be evaluated by the 'direct
configuration' iptables rules.
Is there any way to configure forwarding between the 2 LAN subnets
using firewalld? I've even tried 'rich rules' and 'sources', but
it seemed firewalld always patches the rules elsewhere, in the input and
output nftables chains (these are intended for the router itself),
except the 'forward' chain, which is evaluated during routing and is
intended for hosts other than the router itself. i.e. there seems to be
no way to specify in firewalld that traffic between the 2
subnets should be forwarded to each other.
Thanks in advance,
Andrew
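As an added example (not part of the thread, and not firewalld's own code), the script below applies the fix from the reply with firewall-cmd, checks from the zone's source listing that both subnets ended up in 'trusted', and lists which nftables families carry tables, which is the reason the 'direct configuration' rules in the original message never matched: firewalld's rules live in an 'inet' table and the iptables-based direct rules in an 'ip' table. The zone listing and the 'nft list tables' output embedded here are constructed samples, not captured from the poster's router. One caveat worth knowing before applying it: the 'trusted' zone's target is ACCEPT, so besides allowing forwarding between the two subnets it also accepts all traffic from them to the router itself.

```shell
#!/bin/sh
# Added example: apply and verify the "sources in the trusted zone" fix.
# Assumes stock firewall-cmd and nft; sample outputs below are constructed.

LAN1="192.168.1.0/24"
LAN2="192.168.2.0/24"

# Print a command, or execute it when APPLY=1 is set in the environment,
# so the change can be reviewed before it touches the firewall.
run_cmd() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# The fix from the reply: both LAN subnets become sources of the 'trusted'
# zone (target ACCEPT), so traffic forwarded between them is allowed.
# Note this also accepts traffic from those subnets to the router itself.
firewalld_trust_subnets() {
    run_cmd firewall-cmd --permanent --zone=trusted --add-source="$1"
    run_cmd firewall-cmd --permanent --zone=trusted --add-source="$2"
    run_cmd firewall-cmd --reload
}

# Verification: $1 is the output of
#   firewall-cmd --zone=trusted --list-sources
# (space-separated); returns 0 only when both $2 and $3 are listed.
sources_trusted() {
    listing=" $1 "
    case "$listing" in
        *" $2 "*) ;;
        *) return 1 ;;
    esac
    case "$listing" in
        *" $3 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Which nft families carry tables: $1 is the output of 'nft list tables'.
# Prints one family per line, sorted and deduplicated. Seeing both 'inet'
# (firewalld's table) and 'ip' (where iptables-based direct rules land)
# is the situation the original message describes.
nft_families() {
    printf '%s\n' "$1" | awk '$1 == "table" { print $2 }' | sort -u
}

# Constructed sample outputs, not captured from a real router.
SAMPLE_SOURCES="192.168.1.0/24 192.168.2.0/24"
SAMPLE_TABLES="table inet firewalld
table ip filter
table ip6 filter"

# Dry run: print the three firewall-cmd invocations.
firewalld_trust_subnets "$LAN1" "$LAN2"
```

Run it as-is to see the commands; run with APPLY=1 on the router to execute them, then feed the real `firewall-cmd --zone=trusted --list-sources` output to sources_trusted to confirm the change took effect.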