Allow access from main lan to guest devices

I have an ASUS AX53U running the latest OpenWrt.

Yes, but first...

Is the AX53U the primary router, or just an AP + guest wifi?
If the latter, does your main router have support for static routes?

There is only one router, doing both the main LAN and the guest network.

Ok... easy enough.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
{
	"kernel": "5.15.162",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "ASUS RT-AX53U",
	"board_name": "asus,rt-ax53u",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.4",
		"revision": "r24012-d8dd03c46f",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
	}
}

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd5f:42c2:bc39::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'guest'
	option proto 'static'
	option device 'phy0-ap1'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config rule
	option name 'Guest DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Guest DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'

config forwarding
	option src 'guest'
	option dest 'wan'

Add this to your firewall file:

config forwarding
	option src 'lan'
	option dest 'guest'

Unrelated, but remove the device line from your guest network interface (in /etc/config/network):

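Putting the advice in this thread together, here is what the guest-network configuration looks like afterwards. This is an added illustration, not a paste from the thread: the guest interface without its device line, the wireless interface that attaches the guest SSID to it (the radio name radio0, the SSID and the key are placeholders I assumed), and the firewall pieces, which are the zone and rules already shown above plus the lan -> guest forwarding. `option isolate '1'` is the "client isolation" setting mentioned later in the thread.

```uci
# /etc/config/network (added example)
config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	# no 'option device' line: the wifi-iface below binds the SSID to this interface

# /etc/config/wireless (added example; radio0, the SSID and the key are assumed placeholders)
config wifi-iface 'guest_ap'
	option device 'radio0'
	option mode 'ap'
	option network 'guest'
	option ssid 'GUEST-SSID-PLACEHOLDER'
	option encryption 'psk2'
	option key 'CHANGE-ME-PLACEHOLDER'
	# client isolation: guest clients cannot talk to each other over the AP
	option isolate '1'

# /etc/config/firewall (zone and rules as posted above, plus the lan -> guest forwarding)
config zone
	option name 'guest'
	list network 'guest'
	# input REJECT: guest cannot reach the router itself (ssh, web, other services)
	# except what the two rules below explicitly allow
	option input 'REJECT'
	option output 'ACCEPT'
	# forward REJECT: guest cannot initiate connections into lan
	option forward 'REJECT'

config rule
	option name 'Guest DHCP'
	option src 'guest'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Guest DNS'
	option src 'guest'
	# proto unset: fw4 defaults a port-based rule to 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# guest -> internet
config forwarding
	option src 'guest'
	option dest 'wan'

# lan -> guest: lan devices can open connections to guest devices; the replies
# are allowed by connection tracking, and guest still cannot initiate into lan
config forwarding
	option src 'lan'
	option dest 'guest'
```

After editing the files, `uci commit` alone does not apply anything; as noted further down, restart the firewall (`/etc/init.d/firewall restart`) or reboot, and for the wireless change `wifi reload` or a reboot.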

Thx for the fast response, are those all the steps needed?

Yup... should be.

Thx will try tomorrow and report back

I also enabled "client isolation" for the guest network, but that shouldn't interfere, correct?

Correct, that will not cause any issues.

Thank you, it works! But after using uci commit I also had to reboot to make it work. Or is that normal?

If you looked at the rules, is it sufficient from a security standpoint? Or do I need to add something else?

Yes. Either reboot the device or restart the firewall service (/etc/init.d/firewall restart).

Yes. The guest network is isolated from the lan as well as the router itself (specifically the administration via ssh and web, and any other services you are running; only allowing DHCP and DNS). I would consider this sufficient and best practice, unless you have any specific requirements or other goals beyond this.


I also read somewhere that another option is to use VLANs to separate the lan & guest networks, I forgot which advantages it had.

VLANs are a subset of what you've already done. Specifically, VLANs apply when you are using ethernet and carrying multiple networks over the same physical port/cable.


With the current setup, so guest and lan network, how can I tell OpenWrt to send DNS requests to a Raspberry Pi connected on my lan or guest network?

For that, you want one of three methods:

  1. Use DHCP option 6 to advertise the Pi as a DNS server.
  2. Use DNS hijacking if you wish to redirect/force DNS that is destined for other DNS servers to be sent to your Pi.
  3. Set the router's own system resolver to the Pi, and have clients use the OpenWrt router as their DNS server. This can be combined with #2 to enforce it.

Don't forget that if the Pi is on a different network than (some of) the clients, you need to ensure that the firewall allows forwarding of DNS accordingly.

  • Would it work if I uncheck "Use DNS servers advertised by peer" in the wan interface > advanced settings,
  • and enter my local Pi IP in the custom DNS server field?

Yes, but...

  • It only works if your Pi's DNS server is working properly and isn't relying on the OpenWrt router for DNS.
  • It doesn't prohibit other DNS servers from being used (i.e. no hijacking).
  • Generally, that field should be reserved for external/public DNS servers, not ones inside your network.

There is an option in the Dnsmasq settings to set the desired system resolver (separate from the wan), which allows you to specify another DNS address like your Pi.
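The three methods from the answer above written out as UCI stanzas. This is an added example, not something posted in the thread; it assumes the Pi runs its resolver at 192.168.1.100 on the lan (the address the next post uses) and that dnsmasq is the router's resolver, and the DHCP pool values are placeholders.

```uci
# /etc/config/dhcp
# Method 1: DHCP option 6 hands guest clients the Pi as their DNS server.
config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.1.100'

# Method 3: the router's own resolver forwards to the Pi, so clients that keep
# using the router for DNS (the default) are served by the Pi transparently.
# Add these lines to the existing 'config dnsmasq' section; do not create a
# second one. noresolv stops dnsmasq from also using the wan-learned servers.
# Caveat from the answer above: the Pi must not itself resolve via this
# router, or the two will loop.
config dnsmasq
	list server '192.168.1.100'
	option noresolv '1'

# /etc/config/firewall
# Method 2: DNS hijacking. Any DNS a guest client sends to some other server is
# DNAT'ed to the router (no dest_ip means the router's own address on that
# zone); the existing 'Guest DNS' input rule lets the router answer it.
# Combined with method 3 the answer then comes from the Pi.
config redirect
	option name 'Guest-DNS-hijack'
	option src 'guest'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'

# Needed only for method 1: the Pi is in the lan zone and guest -> lan forward is
# REJECT, so allow just this one destination and port.
config rule
	option name 'Guest-to-Pi-DNS'
	option src 'guest'
	option dest 'lan'
	option dest_ip '192.168.1.100'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'
```

Method 3 plus the redirect is the least permissive combination: guest clients never need to reach the Pi themselves, so the `Guest-to-Pi-DNS` forwarding rule can be left out and the guest zone's forward policy stays REJECT everywhere.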

Like this? And the same for lan?

config dhcp 'guest'
    option interface 'guest'
    option start '100'
    option limit '150'
    option leasetime '12h'
    list dns '192.168.1.100' # pi address