Hi,

I ran into various issues attempting to set up firewalld so that it would forward IP traffic between 2 subnets.

Let's start with the network map.

                              +-- lan subnet 1
wan <----  router (firewalld) +
                              +-- lan subnet 2

firewalld runs on the router box. The WAN interface works well in firewalld and is simply in the 'external' zone. It is simply marked masquerade so that it is doing NAT for all traffic bound for the internet. No issues with this.

LAN 1 and LAN 2 are local IPv4 /24 subnets, e.g. you can imagine one being 192.168.1.0/24 and the other being 192.168.2.0/24.

The trouble is that IP traffic is blocked between the 2 LAN subnets; you can imagine one being in the 'home' zone and the other in the 'work' zone. All (HTTP) connections are intercepted by the firewall set up by firewalld and rejected. That happens even if I place both of them in the same zone, say 'home' or 'work'.

I went ahead and tried 'direct configuration', putting in a rule like

However, this is to no avail and all traffic is still rejected. Finally I did the deep dive and tried tracing using nftrace:

https://wiki.nftables.org/wiki-nftables/index.php/Ruleset_debug/tracing

I found out something rather alarming: the rules set up in 'direct configuration' are based on iptables commands, while firewalld sets up its own large set of nft rules. It turns out firewalld is using the 'INET' (IPv4 and/or IPv6) family for its rules.

https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families

While the iptables rules done in 'direct configuration' go into the IP family.

And firewalld's own INET rules are evaluated *before* the IP rules set up in 'direct configuration'. The packets are rejected by the firewalld rules before they can even be evaluated by the 'direct configuration' iptables rules.

Is there any way to configure forwarding between the 2 LAN subnets using firewalld? I've even tried 'rich rules' and 'sources', but firewalld, it seemed, always patches the rules elsewhere, in the input and output nftables chains (these are intended for the router itself), except the 'forward' chain, which happens during routing and is intended for hosts other than the router itself. I.e. there seems to be no way to specify in firewalld that traffic between the 2 subnets should be forwarded to each other.

Thanks in advance,
  Andrew
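As an added example, not from Andrew's post and not firewalld's own code, here is a small Python script that parses `nft list ruleset` output and lists the forward-hook base chains in the order the kernel evaluates them (ascending priority, regardless of whether the table is `ip` or `inet`). The embedded ruleset is a constructed excerpt and its priorities are assumptions; run it against the real output from the router to see the actual order there.

```python
import re

# Constructed excerpt of `nft list ruleset` output (not captured from a real
# router): a firewalld inet table and an iptables-nft `ip filter` table that
# holds a direct rule. The priorities are assumptions; read your own ruleset.
SAMPLE_RULESET = """\
table inet firewalld {
    chain filter_FORWARD {
        type filter hook forward priority filter + 10; policy accept;
        ct state established,related accept
        reject with icmpx admin-prohibited
    }
}
table ip filter {
    chain FORWARD {
        type filter hook forward priority filter; policy accept;
        ip saddr 192.168.1.0/24 ip daddr 192.168.2.0/24 accept
    }
}
"""

PRIORITY_NAMES = {"raw": -300, "mangle": -150, "dstnat": -100,  # symbolic
                  "filter": 0, "security": 50, "srcnat": 100}   # nft names
BASE_CHAIN_RE = re.compile(r"type (\w+) hook (\w+) priority ([^;]+);")

def parse_priority(text):
    """Turn 'filter + 10', 'filter', 'mangle - 5' or '-150' into an int."""
    m = re.fullmatch(r"\s*(-?\w+)\s*(?:([+-])\s*(\d+))?\s*", text)
    base = PRIORITY_NAMES.get(m.group(1))
    if base is None:
        base = int(m.group(1))
    if m.group(2):
        base += int(m.group(3)) if m.group(2) == "+" else -int(m.group(3))
    return base

def base_chains(ruleset, hook="forward"):
    """(priority, family, table, chain) for every base chain on `hook`,
    sorted the way the kernel evaluates them: ascending priority, with the
    family irrelevant because ip and inet tables share the IPv4 hooks."""
    found, family, table, chain = [], None, None, None
    for line in ruleset.splitlines():
        if t := re.match(r"table (\S+) (\S+) \{", line):
            family, table = t.groups()
        elif c := re.match(r"\s*chain (\S+) \{", line):
            chain = c.group(1)
        elif (b := BASE_CHAIN_RE.search(line)) and b.group(2) == hook:
            found.append((parse_priority(b.group(3)), family, table, chain))
    return sorted(found)
```

An `accept` verdict in one base chain only ends that chain; the packet still traverses every later base chain on the same hook, where a `reject` rule can still stop it.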