Admin access via wifi

I've connected to a wifi network in client mode...

But once I'm on that network other devices can't access the router via its wifi-network ip.

What settings do I need to mod to allow this?

Thanks

I am pretty sure I can guess what needs to be done, but I'd like to see your config before I make any recommendations (to verify that my hunch is correct; I don't want to give you bad info).

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/firewall

I’m on vacation for a few days. Will do when I get back.

I’m assuming it’s a firewall setting, as I’m starting from scratch right out of the box, and by default it probably doesn’t let traffic in from the WAN side to the config interfaces (ports 22/80).

NETWORK

# /etc/config/network as posted: loopback, one bridged LAN, switch VLAN setup,
# and a DHCP-client interface ('wwan') used for the upstream wifi link.

# Loopback interface.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# IPv6 unique-local (ULA) prefix for this router.
config globals 'globals'
	option ula_prefix 'fd8d:fcbd:ea79::/48'

# Bridge device backing the LAN; its only listed port is eth0.1.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

# LAN interface with a static address of 192.168.2.1/24. The 'lan' firewall
# zone in the posted firewall config accepts input, so services on the router
# are reachable on this address from LAN clients.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'

# Switch with VLANs enabled; VLAN 1 spans ports '4 6t' ('t' marks a tagged port).
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '4 6t'

# Upstream-facing interface that obtains its address via DHCP. The posted
# wireless config attaches the client-mode ('sta') wifi-iface to it.
# NOTE(review): the posted firewall config does not list 'wwan' in any zone
# (the wan zone lists only 'wan' and 'wan6'). Confirm which zone this interface
# belongs to: that decides whether SSH/LuCI on the router are reachable from
# the upstream network.
config interface 'wwan'
	option proto 'dhcp'

Wireless


# /etc/config/wireless as posted: two radios, two default AP interfaces,
# and one client-mode ('sta') interface joining the upstream network.

# First radio (channel 11, HT20). There is no 'disabled' option at the device
# level, so the radio itself is active.
config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/10300000.wmac'
	option htmode 'HT20'
	option cell_density '0'

# Default AP on radio0: open (no encryption) and bridged to 'lan', but
# disabled here via option disabled '1'.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option disabled '1'

# Second radio (channel 36, VHT80), disabled at the device level.
config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'
	option disabled '1'

# Default AP on radio1: open (no encryption) and bridged to 'lan'.
# NOTE(review): this iface has no 'disabled' option of its own; it appears to
# be inactive only because radio1 is disabled. Enabling radio1 as-is would
# offer unauthenticated access to the LAN, whose firewall zone accepts input
# to the router. Set 'encryption' and 'key' before enabling the radio.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

# Client-mode link to the upstream network on radio0, attached to the 'wwan'
# interface and protected with WPA2-PSK ('psk2'). The SSID and key were
# redacted by the poster.
config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'sta'
	option network 'wwan'
	option ssid 'xxxxxxx'
	option encryption 'psk2'
	option key 'xxxxxxxx'

Firewall


# /etc/config/firewall as posted: global defaults, lan and wan zones, the
# stock-looking wan-side allow rules, and a user-added 'AllIn' zone.

# Global policies. The input policy is ACCEPT.
# NOTE(review): presumably traffic arriving on an interface that belongs to no
# zone is governed by these defaults rather than by a zone policy. Verify for
# 'wwan', which no zone below lists.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# LAN zone: accepts input, output and forward; covers the 'lan' network.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# WAN zone: rejects unsolicited input and forwarding, masquerades outbound.
# NOTE(review): only 'wan' and 'wan6' are listed; 'wwan' (the upstream wifi
# client interface) is absent, so this zone's input policy does not obviously
# apply to it. If upstream admin access is wanted, a narrower option than
# setting input to ACCEPT for the whole zone is a 'config rule' with src 'wan',
# proto 'tcp', target 'ACCEPT' and dest_port limited to the admin services
# (the poster mentions 22/80).
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

# Permit forwarding from lan to wan.
config forwarding
	option src 'lan'
	option dest 'wan'

# Accept DHCP replies/renewals (IPv4 UDP port 68) arriving from wan.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Accept IPv4 ICMP echo-request (ping) from wan.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# Accept IPv4 IGMP from wan.
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# Accept DHCPv6 (UDP port 546) from wan, restricted to source and destination
# addresses within fc00::/6.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept the listed ICMPv6 types (130-132, 143) from link-local sources on wan.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept the listed ICMPv6 message types addressed to the router from wan,
# rate-limited to 1000 per second.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept the listed ICMPv6 message types forwarded from wan to any zone,
# rate-limited to 1000 per second.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Allow IPsec ESP to be forwarded from wan to lan.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# Allow ISAKMP (UDP port 500) to be forwarded from wan to lan.
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Would reject UDP ports 33434-33689 from wan; disabled via option enabled 'false'.
config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

# Include the user-maintained custom rules file.
config include
	option path '/etc/firewall.user'

# User-added zone with input ACCEPT.
# NOTE(review): no 'list network' (or device/subnet) is shown, so as posted no
# defined interface appears to be attached to this zone and it likely matches
# nothing. If the upstream 'wwan' interface were added here, input ACCEPT plus
# the forwardings below would give that network access to the router's
# services and to the LAN. Do that only for a trusted upstream.
config zone
	option name 'AllIn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Forwardings between AllIn and the other zones: AllIn -> lan, AllIn -> wan,
# and lan -> AllIn.
config forwarding
	option src 'AllIn'
	option dest 'lan'

config forwarding
	option src 'AllIn'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'AllIn'

Is the upstream network trusted? If it is, the solution is simple. If not, I wouldn't recommend opening the admin interface to that upstream network.

Yea it’s just a local network. No outside access

Ok... then this is simple:

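On the wan zone, set input to "ACCEPT" and you should gain access via the upstream network (this assumes the 'wwan' interface is assigned to the wan zone; the firewall config posted above lists only 'wan' and 'wan6' there). This enables the upstream network to access all services on the OpenWrt device. Never plug this into the internet or any untrusted networks in this state.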

I have hit the same problem and was wondering, if following your advice, when I try to access the luci interface via Wi-Fi which IP would I use? As far as I can see, out of the box the OpenWrt router gives out IPs for Wi-Fi from the WAN range but itself does not have another IP to access luci except the fixed 192.168.1.1 and that one is not reachable from anywhere in my LAN.

No, it most certainly does not. At least by default it doesn't. Maybe you changed something.

This can be changed, but it is the default address on the OpenWrt LAN.

It should be reachable from the OpenWrt LAN... But you haven't given any info about your topology or configuration, so it's really hard to know what is going on.

I'd suggest starting your own thread. Feel free to tag me and I'll try to help you there.

If you're trying to access LuCI from a device connected to a guest/IoT network, and that network has been set up correctly (has its own subnet, firewall rules), any device on that network should never be able to access the main network, or any device on any other network.

If you use the "main" 2.4 or 5 GHz network, you can access LuCI.

I just tested it, and it works.

Thanks, @anon89577378 and @psherman it's definitely me who messed up. I think I reset this device and started from scratch at least 5 times yesterday and I posted here prematurely. I thought I had nailed it down, but boy was I wrong.

Not only that, but I'm going to spend another evening/night to get this working and will open my own thread if I get stuck somewhere again.