hi,
I ran into various issues attempting to set up firewalld so that it would forward IP traffic between 2 subnets.
Let's start with the network map.
wan <---- router (firewalld) +-- lan subnet 1
                             +-- lan subnet 2
firewalld runs on the router box. The wan interface works well in
firewalld and is simply in the 'external' zone. It is simply
marked masquerade so that it does NAT for all traffic bound
for the internet. No issues with this.
LAN 1 and LAN 2 are local IPv4 /24 subnets, e.g. you can imagine one being 192.168.1.0/24 and the other being 192.168.2.0/24.
The trouble is that IP traffic is blocked between the 2 LAN subnets.
You can imagine one being in the 'home' zone and the other in the 'work' zone.
All (HTTP) connections are intercepted by the firewall set up by
firewalld and rejected. That happens even if I place both of them
in the same zone, say 'home' or 'work'.
I went ahead and tried 'direct configuration' putting a rule like
However, this was to no avail and all traffic is still rejected. Finally I did a deep dive and tried tracing using nftrace:
https://wiki.nftables.org/wiki-nftables/index.php/Ruleset_debug/tracing
I found out something rather alarming: the rules set up in
'direct configuration' are based on iptables commands, while
firewalld sets up its own large set of nft rules. It turns out
firewalld is using the 'inet' (IPv4 and/or IPv6) family for its
rules.
https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
The iptables rules done in 'direct configuration', on the other hand, go into the 'ip' family.
And firewalld's own inet rules are evaluated *before* the ip rules set up in 'direct configuration'. The packets are rejected by the firewalld rules before they can even be evaluated by the 'direct configuration' iptables rules.
Is there any way to configure forwarding between the 2 LAN subnets
using firewalld? I've even tried 'rich rules' and 'sources', but
firewalld always seems to patch the rules elsewhere, in the input
and output nftables chains (these are intended for the router
itself), except for the 'forward' chain, which is evaluated during routing
and is intended for hosts other than the router itself. I.e.
there seems to be no way to specify in firewalld that
traffic between the 2 subnets should be forwarded to each other.
Thanks in advance,
Andrew
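An added example, not from Andrew's post: a shell script that expresses zone-to-zone forwarding as firewalld policy objects (firewalld 0.9 and later). Policies are rendered by firewalld inside its own 'inet firewalld' nftables table, so they are not subject to the inet-before-ip ordering that defeats the iptables 'direct' rules described above. The zone names 'home' and 'work', the policy name 'lan-fwd' and the DRY_RUN switch are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the post): allow forwarding between two firewalld
# zones with policy objects (firewalld >= 0.9). Zone names, the policy name
# and the DRY_RUN switch are assumptions for this example.
ZONE_A="${ZONE_A:-home}"
ZONE_B="${ZONE_B:-work}"
POLICY="${POLICY:-lan-fwd}"

# Emit the firewall-cmd calls for one permanent policy: traffic entering
# from zone $2 and routed out to zone $3 is accepted in the forward path.
policy_cmds() {
    name="$1"; ingress="$2"; egress="$3"
    echo "firewall-cmd --permanent --new-policy $name"
    echo "firewall-cmd --permanent --policy $name --add-ingress-zone $ingress"
    echo "firewall-cmd --permanent --policy $name --add-egress-zone $egress"
    echo "firewall-cmd --permanent --policy $name --set-target ACCEPT"
}

# One policy per direction, then a reload so the permanent config becomes
# the runtime config.
lan_forward_cmds() {
    policy_cmds "$POLICY-ab" "$ZONE_A" "$ZONE_B"
    policy_cmds "$POLICY-ba" "$ZONE_B" "$ZONE_A"
    echo "firewall-cmd --reload"
}

# Checks that show where the rules landed: in firewalld's own inet table
# (look for the forward hook and the policy name), not in an ip-family
# table created by iptables 'direct' rules.
verify_cmds() {
    echo "firewall-cmd --info-policy $POLICY-ab"
    echo "firewall-cmd --info-policy $POLICY-ba"
    echo "nft list tables"
    echo "nft list table inet firewalld | grep -n -e 'hook forward' -e '$POLICY'"
}

# Default is a dry run that only prints the commands; DRY_RUN=0 executes
# them (requires root and a running firewalld).
if [ "${DRY_RUN:-1}" = 0 ] && command -v firewall-cmd >/dev/null 2>&1; then
    lan_forward_cmds | sh -e
    verify_cmds | sh
else
    lan_forward_cmds
    verify_cmds
fi
```

Run with DRY_RUN=0 as root to apply; afterwards the nft listing should show the policy chains under the forward hook of the inet firewalld table.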