Allowing access from "lan" to "iot"

Hello everyone,
I'm using a dumb-esque access point. This is what I'm trying to achieve:
1 iot SSID that has access only to lan (will be narrowed to only my server in the future) for my iot devices.

1 lan SSID that has access to everything

I managed the first part using the guest network documentation, just reversing the lan rule (rejecting !192.168.0.0/16); devices connected to my iot SSID have access to any 192.168.10.* (iot) or 192.168.1.* (lan).

But I can't access iot devices from my lan network... I'm a bit confused, and I'm pretty sure it's going to be obvious, but I'm stuck. I tried some configurations but never got it working, so I'm asking for some help.

TLDR:
iot -> lan : ✓ (as intended)
iot -> internet : ✗ (as intended)
lan -> internet : ✓ (as intended)
lan -> iot : ✗ (not as intended)

Here is my config:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '192.168.1.254'
	option gateway '192.168.1.254'

config device
	option type 'bridge'
	option name 'br-iot'
	option bridge_empty '1'

config interface 'iot'
	option proto 'static'
	option device 'br-iot'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wifi'
	option channel '1'
	option band '2g'
	option htmode 'HE40'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'iot'
	option mode 'ap'
	option ssid 'iot'
	option encryption 'sae-mixed'
	option key '####!'

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'lan'

config zone
	option name 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

config forwarding
	option src 'iot'
	option dest 'lan'

config rule
	option src 'iot'
	option target 'ACCEPT'
	option name 'ap-access'
	list proto 'all'

config rule
	option name 'iot-restriction'
	option src 'iot'
	list dest_ip '!192.168.0.0/16'
	option target 'REJECT'
	list proto 'all'
	option dest 'lan'

Thank you and have a nice day

Try this to add to the firewall:

Your current configuration will not allow it for 3 reasons:

  1. You don't have the forwarding that @egc mentioned.
  2. Masquerading is enabled on the lan firewall zone.
  3. Most importantly, you will need to set up a static route on the main router. Not all routers support this. What is your main router? And can you find a static route option?

If (and only if) you can find a static route option in your main router, you'll:

  • add a static route to the main router: 192.168.10.0/24 via 192.168.1.2
  • turn off masquerading on the lan firewall zone
  • add the forwarding as @egc suggested.
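An added example (not from the thread): a small Python check that parses UCI firewall text and reports the two firewall-side conditions named above, masquerading still on the lan zone and a missing lan -> iot forwarding. The BEFORE/AFTER fragments are constructed, modelled on the poster's config rather than copied from it.

```python
import re

# Constructed UCI firewall fragments modelled on the thread's config (not the
# poster's file verbatim): BEFORE keeps masq on lan and only iot->lan forwarding.
BEFORE = """
config zone
	option name 'lan'
	option masq '1'
	list network 'lan'
config zone
	option name 'iot'
	list network 'iot'
config forwarding
	option src 'iot'
	option dest 'lan'
"""
# AFTER applies the two firewall-side steps from the reply above.
AFTER = BEFORE.replace("option masq '1'", "option masq '0'") + """
config forwarding
	option src 'lan'
	option dest 'iot'
"""

def parse_uci(text):
    """Parse UCI text into [(section_type, {key: value or [values]}), ...]."""
    sections = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith('config '):
            sections.append((line.split()[1], {}))
        elif (m := re.match(r"^(option|list)\s+(\S+)\s+'([^']*)'$", line)) and sections:
            kind, key, val = m.groups()
            opts = sections[-1][1]
            if kind == 'option':
                opts[key] = val
            else:
                opts.setdefault(key, []).append(val)  # 'list' keys repeat
    return sections

def check_lan_to_iot(text, src='lan', dest='iot'):
    """Firewall-side findings for src->dest reachability; [] when none remain."""
    # The static route on the main router lives outside this file; not checked.
    sections = parse_uci(text)
    zones = {o.get('name'): o for kind, o in sections if kind == 'zone'}
    fwds = {(o.get('src'), o.get('dest')) for kind, o in sections if kind == 'forwarding'}
    findings = []
    if zones.get(src, {}).get('masq') == '1':
        findings.append(f"zone '{src}' still has masq '1'")
    if (src, dest) not in fwds:
        findings.append(f"no 'config forwarding' from '{src}' to '{dest}'")
    return findings
```

Run `check_lan_to_iot(BEFORE)` to see both findings and `check_lan_to_iot(AFTER)` to confirm an empty list once the zone and forwarding are fixed.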

Thank you both for your answers... sadly I can't add a static route to my router, I'm using the French ISP Free and their Freebox Pop.

I'm only going to be able to restrict my devices by IP then, I guess... Any alternative?

Without static routes, you will not be able to have access via symmetric routing. The only other approach you can take is via port forwarding -- you'll set up port forwards for the services you want to reach, and you'll access them from your lan via 192.168.1.2:<port number>