2 dedicated "dumb" APs - human and IOT

Input of the lan zone is set to accept, so you can access all services of the OpenWrt without the need to add any firewall rules.
Also, all IPs belonging to the OpenWrt are treated the same in terms of firewall rules if not specified otherwise, meaning the lan 192.168.1.1 and iot 192.168.10.1 will both respond to http from lan, and packets from iot to either IP will be blocked.

2 Likes

Unfortunately, 192.168.10.1 serves up the main router but shows the IP mentioned instead of 192.168.1.1
Edit: tried setting up a static route to "iot". No luck.

The main router automatically establishes static routes for all of the networks defined on it. It is then up to the firewall to selectively allow or block forwarding between those networks.

This is to be expected; as @trendy said, if you go to http://192.168.10.1 from the lan network, it will be routed to the IOT interface IP and accepted, even if you have http access blocked from the IOT network. The request came from the lan network, so it is allowed.

192.168.10.1 is the main router's IP on the IOT network. In order to log into the APs through the IOT network, they need to hold unique 192.168.10.0 IPs, i.e. they can't also be 192.168.10.1.

1 Like

Did you mean "through the LAN network" (i.e. not IOT) or am I misunderstanding something? (likely the latter, I would bet).

The AP has no IP address on the IOT side as you recommended. On the LAN side, the AP is 192.168.10.1. I tried the following after reading your post but have had no luck:

First (on LAN):

  • On IOT interface left IP of IOT at 192.168.10.1
  • added static route using IOT interface for IOT at 192.168.10.2
  • added static lease using MAC address of IOT router at 192.168.10.2
    I get the error "This site can’t be reached" when trying to reach X.2 (shortening here) while X.1 loads the login page for the main router. Pinging X.1 works but X.2 yields:
    Pinging 192.168.10.2 with 32 bytes of data:
    Reply from 192.168.1.1: Destination host unreachable.
    Ping statistics for 192.168.10.2:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss)

Second (on LAN):
Repeated the above but also changed IOT interface to 192.168.10.2

  • The results were now switched for X.1 vs X.2 (X.2 showed the main router page, etc)

Switched to IOT for the following results.

Third (on IOT):
Setup same as "First" above but now on IOT.

  • Neither admin page loads
  • Ping X.1 - sent/received packets, lost 0
  • Ping X.2 - no packet loss but "Destination host unreachable."

Fourth (on IOT):
Setup same as "Second" above but now on IOT.

  • Neither admin page loads
  • Ping X.1 packet loss
  • Ping X.2 no packet loss but "Destination port unreachable."

I am going to look at firewall rules in the next day or so. I haven't made any changes to the firewall yet, beyond the guest wifi wiki (modified for IOT).

Can you post, for all 3 devices, the output of uci export network; uci export firewall?

1 Like

@trendy, here's the output from the main router (192.168.1.1). Will post the other two in another post.

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb2:fa56:c5db::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option delegate '0'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'
        option delegate '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        option peerdns '0'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'
        option reqprefix 'no'
        option reqaddress 'none'
        option delegate '0'
        option peerdns '0'
        option auto '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '5t 2 1 0'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t 4'
        option vid '2'

config interface 'IOT'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option delegate '0'
        option ifname 'eth0.33'
        option ipaddr '192.168.10.1'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '5t 3'
        option vid '33'

config route
        option interface 'IOT'
        option target '192.168.10.2'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option network 'IOT'
        option name 'iot'
        option output 'ACCEPT'
        option input 'REJECT'
        option forward 'REJECT'

config rule
        option name 'IOT DHCP'
        option target 'ACCEPT'
        list proto 'udp'
        option family 'ipv4'
        option src 'iot'
        option dest_port '67-68'

config rule
        option name 'IOT DNS'
        option target 'ACCEPT'
        option dest_port '53'
        option family 'ipv4'
        option src 'iot'

config rule
        option src 'iot'
        option name 'IOT block IOT access to private network'
        option dest 'lan'
        option target 'DROP'
        list dest_ip '192.168.1.0/24'
        list proto 'all'

config forwarding
        option dest 'wan'
        option src 'iot'

config forwarding
        option dest 'iot'
        option src 'lan'

Output from the PEOP AP:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd8d:9e7e:eaaf::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.2'
        list dns '192.168.1.1'
        option delegate '0'
        option gateway '192.168.1.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr '3c:84:6a:e8:4f:68'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

Unfortunately, I cannot get into IOT AP from either LAN or IOT network.

On LAN:

  • SSH into 192.168.10.1 logs me into main router (expected, as per @mk24's post)

  • SSH into 192.168.10.2 gives the error:
    ssh: connect to host 192.168.10.2 port 22: Connection timed out

On IOT:

  • SSH into 192.168.10.1 gives the error:
    ssh: connect to host 192.168.10.1 port 22: Connection refused

  • SSH into 192.168.10.2 gives the error:
    ssh: connect to host 192.168.10.2 port 22: Connection timed out

On main router, I had made the following changes:

  • On IOT interface left IP of IOT at 192.168.10.1
  • added static route using IOT interface for IOT at 192.168.10.2
  • added static lease using MAC address of IOT router at 192.168.10.2

As an aside, the IOT AP should be identical to the PEOP AP except that it has no IP address. I don't recall making other changes. Unfortunately, holding down the reset button for 10+ or 30+ or 30-30-30 seconds doesn't reset it for some reason. Both APs are Archer A7 v5.

Main router:
Delete this

Remove from lan zone

dest_port 67 only

Needless, remove it

PEOP AP:
Delete vlan2. Then assign port 1 to vlan1 -> moar ports.
IOT AP:
Basically there can be no lan interface here. The IOT port 3 will be connected to a dedicated AP for IOT with similar configuration to the people AP.

1 Like

Thank you @trendy. I made the changes but unfortunately, I still cannot access the IOT AP admin interface. Will try to reset it this weekend and set it up again.

You should set it up as merely iot AP, no lan there.

Are you sure the IOT AP's IP is 192.168.10.2? This whole situation requires that. Either you've set it statically in the AP, or made the AP a DHCP client and reserved that address for it in the DHCP server on the main router. In that case you can examine the DHCP lease table (cat /tmp/dhcp.leases) and confirm that the AP has connected and taken the IP.

If you connect your laptop to the IOT wifi, it should get a 192.168.10.0/24 address (and have Internet access, etc-- it's an IOT). Then http or ssh to 192.168.10.2. That connection goes directly to the AP-- it never touches the main router-- thus you can't firewall it.

That is good for a test but not a security best practice. A bare bones single-network dumb AP should only be used on trusted networks. But for now you're still getting a handle on the very basics of the networking, so it may be good to open up firewalls until you see how it works, then close the paths you don't want.

2 Likes
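The lease-table check mk24 suggests, as an added example (not from the thread): a small POSIX sh helper that looks up a MAC in dnsmasq's /tmp/dhcp.leases and, the other way round, reports which MAC currently holds a reserved address, so a stale or mistyped reservation shows up immediately. The lease lines and MACs below are constructed samples, not values from this thread.

```shell
#!/bin/sh
# Added example, not from the thread: look up a device's DHCP lease in
# dnsmasq's /tmp/dhcp.leases by MAC. This is the check mk24 suggests for
# confirming that the AP actually took the reserved 192.168.10.2 address.
# dnsmasq line format: <expiry-epoch> <mac> <ip> <hostname> <client-id>

# Constructed sample lease table; the MACs are placeholders, not from the thread.
sample_leases() {
cat <<'EOF'
1700000000 aa:bb:cc:dd:ee:01 192.168.1.50 laptop 01:aa:bb:cc:dd:ee:01
1700000100 aa:bb:cc:dd:ee:02 192.168.10.2 iot-ap *
1700000200 aa:bb:cc:dd:ee:03 192.168.10.77 * *
EOF
}

# Usage: lease_for_mac <mac> < /tmp/dhcp.leases
# Prints the leased IP; exits 1 if the MAC has no lease (the AP never asked,
# or is configured statically, as it turned out to be later in this thread).
# The comparison is case-insensitive because dnsmasq stores MACs in lower case.
lease_for_mac() {
  mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  awk -v m="$mac" '$2 == m { print $3; found = 1 } END { exit found ? 0 : 1 }'
}

# Usage: holder_of_ip <ip> < /tmp/dhcp.leases
# Prints the MAC that currently holds an address, so you can see whether the
# reservation is really bound to the AP or to some other client.
holder_of_ip() {
  awk -v ip="$1" '$3 == ip { print $2 }'
}

# Demo on the constructed table; on the router use: lease_for_mac <mac> < /tmp/dhcp.leases
sample_leases | lease_for_mac AA:BB:CC:DD:EE:02
sample_leases | holder_of_ip 192.168.10.2
```

If `lease_for_mac` prints nothing, the device either has a static address (then it will never appear in this file) or never reached the DHCP server, which is a different problem from the firewall blocking the admin pages.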

The AP on the LAN side is set statically as 192.168.10.2 (it was X.1). I've removed the IP on the IOT side as you had suggested. My laptop gets an IP address of 10.X on IOT wifi but can't get to the AP via ssh or http.

Will try opening up the firewalls. You're right - still learning and I truly appreciate the patience and help of everyone that has given me feedback :smiley:

Edit: cat /tmp/dhcp.leases does not show the IP address of either AP as both are static.

If you're only running one network to the IOT AP, it has to have an IP for you to be able to log in.

A more sophisticated approach is to have the main router offer both LAN and IOT networks on the Ethernet cable using two VLANs (trunked cable), and have two networks in the AP:
lan -- has a 192.168.1.X IP, used to log in from a LAN PC.
iot -- has no IP, used to bridge IOT Internet use from the main router to the wifi AP interface.

Note that from there it is simple to create a second wifi AP interface with a different SSID and attach it to the lan network, and thus wirelessly provide both networks to the two kinds of users from one device.

1 Like
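The two-network dumb AP mk24 describes, as an added example that is not from the thread and not mk24's own configuration: a shell function that emits a `uci batch` script for the AP. Assumptions, all placeholders rather than values from the thread: switch port 0 is the CPU port and port 1 is the trunk to the main router; lan rides the trunk untagged as vid 1 and IOT tagged as vid 33 (the main router's IOT vid); the AP's management address is 192.168.1.3; the IOT SSID is the first `wifi-iface` section; the AP still has the two `switch_vlan` sections seen in the PEOP AP dump.

```shell
#!/bin/sh
# Added example (not from the thread): uci batch for a two-network dumb AP.
# lan keeps a management IP reachable from LAN PCs; iot is an IP-less bridge
# from the tagged trunk VLAN to the IOT SSID, so nothing on the AP answers
# IOT clients, and the main router's firewall alone decides what IOT may reach.
# Assumed layout (placeholders): port 0 = CPU, port 1 = trunk, vid 1 = lan
# untagged, vid 33 = IOT tagged, management IP 192.168.1.3.

dumb_ap_uci() {
# Comment lines are stripped so the output is plain uci batch syntax.
cat <<'EOF' | grep -v '^#'
# switch: port 1 carries lan untagged and IOT tagged; CPU port 0 sees both tagged
set network.@switch_vlan[0].vlan='1'
set network.@switch_vlan[0].ports='2 3 4 5 1 0t'
set network.@switch_vlan[1].vid='33'
set network.@switch_vlan[1].ports='1t 0t'
# lan: static management address; DHCP and DNS stay on the main router
set network.lan.proto='static'
set network.lan.ipaddr='192.168.1.3'
set network.lan.netmask='255.255.255.0'
set network.lan.gateway='192.168.1.1'
set network.lan.dns='192.168.1.1'
# iot: bridge only, proto none. An ipaddr here would be the weak setting:
# it gives IOT clients a host on the AP to talk to that no firewall covers.
set network.iot=interface
set network.iot.type='bridge'
set network.iot.ifname='eth0.33'
set network.iot.proto='none'
# bind the IOT SSID to the iot bridge
set wireless.@wifi-iface[0].network='iot'
set wireless.@wifi-iface[0].ssid='IOT'
# no DHCP server on the AP; the main router serves both networks
set dhcp.lan.ignore='1'
commit
EOF
}

# Self-check: the generated batch must never assign the iot bridge an address.
iot_has_no_ip() {
  ! dumb_ap_uci | grep -q '^set network\.iot\.ipaddr='
}

# Show the batch; on the AP apply it with:  dumb_ap_uci | uci batch && reload_config
dumb_ap_uci
```

After applying, the usual dumb-AP steps from the OpenWrt wiki still apply (disable the AP's own firewall, dnsmasq and odhcpd services), and the main router's switch port towards the AP has to carry vid 33 tagged as well, which the posted main-router config (`option ports '5t 3'` for vlan 3) does not yet do.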

I suspect that on the iot ap the input of the iot zone in the firewall is set to drop, hence it is not accepting the ssh/http connections, but everything else is working. Either go to failsafe and fix that, or reset to defaults and start from scratch.
There is hope if some port of the ap is still in the lan zone, so you may want to try them all.
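Both trendy's first post (the lan zone's input policy is what lets you reach the device's own services) and this last one (an iot zone with input set to drop refuses ssh/http) come down to the per-zone `input` option. As an added example, not from the thread, here is a POSIX sh/awk audit that reads a `uci export firewall` dump in the same format posted above and lists each zone's input policy with its networks, then names the zones that will not accept connections to the device itself. The firewall text inside the block is a constructed sample, not one of the three devices' real exports.

```shell
#!/bin/sh
# Added example, not from the thread: audit zone input policies in a
# `uci export firewall` dump. A zone whose input is REJECT/DROP (or unset)
# refuses ssh/http to the device on addresses in that zone, which is exactly
# the symptom of "Connection refused" / timeouts seen in this thread.

# Constructed sample in the export format the thread uses (trimmed).
sample_firewall() {
cat <<'EOF'
package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option network 'IOT'
        option name 'iot'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'REJECT'
EOF
}

# Usage: uci export firewall | zone_input_policies
# Prints one line per zone: "<zone> <input-policy> <networks>".
# An input option that is absent is reported as "unset" rather than guessed.
zone_input_policies() {
  awk -v q="'" '
    function flush() {
      if (sec == "zone")
        printf "%s %s %s\n", name, (inp == "" ? "unset" : inp), (nets == "" ? "-" : nets)
      sec = ""; name = ""; inp = ""; nets = ""
    }
    $1 == "config" { flush(); sec = $2 }
    $1 == "option" && $2 == "name"  { gsub(q, "", $3); name = $3 }
    $1 == "option" && $2 == "input" { gsub(q, "", $3); inp = $3 }
    ($1 == "option" || $1 == "list") && $2 == "network" {
      gsub(q, "", $3); nets = nets (nets == "" ? "" : ",") $3
    }
    END { flush() }
  '
}

# Usage: uci export firewall | blocking_zones
# Names the zones that will not accept traffic to the device itself.
blocking_zones() {
  zone_input_policies | awk '$2 != "ACCEPT" { print $1 }'
}

# Demo on the constructed sample; on a device use: uci export firewall | blocking_zones
sample_firewall | zone_input_policies
echo "zones refusing input to the device: $(sample_firewall | blocking_zones | tr '\n' ' ')"
```

On the IOT AP the point of the check is to confirm which zone the port you are plugged into belongs to: if every port sits in a zone listed by `blocking_zones`, no amount of routing on the main router will get you an admin page, and failsafe mode or a reset is the way in, as trendy says.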