I'm new to OpenWRT, but not to networking/linux in general. I've successfully set up a Raspberry Pi 4 running OpenWRT with a Netgear GS305E managed switch providing four VLAN sub-nets - Green (LAN), Blue, Orange and Red (WAN). Green, Blue and Orange sub-nets have DHCP enabled and have access to the red sub-net. The red sub-net is connected to the internet via a BT Smarthub 2 that provides the red sub-net DHCP service and the WiFi for our mobile devices.
I've installed Adblock, which serves the Green, Blue and Orange sub-nets admirably.
So far so good, all live and functioning as expected, but I have a question....
I'd like to disable the BT Smarthub DHCP server and enable OpenWRT to provide DHCP/DNS services to the red sub-net so our mobile devices also benefit from the use of Adblock. At present if I do this it doesn't work, which is what I expected from the default firewall rule. I've googled this for a while but not found the answer. Can someone who is familiar with OpenWRT please describe how I achieve this, preferably with the Luci interface, although I'm quite happy to edit the config files if need be.
I'm very wary of experimenting as this is currently live in our home network and I can't afford to lock us out, especially the younger members of the family as my life would probably be in danger
Thanks for your reply. I've added traffic rules to allow WAN DHCP (port 67) and DNS (port 53) as per the instructions you suggested, disabled the BT Smarthub DHCP server and enabled the OpenWRT WAN DHCP server. A Raspberry Pi on the red sub-net, set as a DHCP client, doesn't receive a response when rebooted and defaults to a 169... local IP address instead of the IP address I've entered in the DHCP static leases table.
I assume the firewall traffic rules are applied ahead of the general rules, which remain as default, i.e. WAN => reject. I tried changing the WAN general rule to accept Input and Output but reject Forwarding as this seemed logical but still no joy I assume I'm still missing something ?
Can I post images to the forum ? If so I can't see how at present.
owrt by default assumes the role of main router and firewall, gateway to internet via it's WAN port and provider of DNS/DHCP services for home users via LAN interface (either wired or wireless).
if owrt is 2nd in row and there is another device assuming WAN gw role (in your case the BT device) but you connect the main gw to owrt WAN port it will still do what it is supposed to but not what you expect. i.e. WAN port will not turn to LAN port without modifications.
so i assume your setup looks like this:
internet --- BT hub --- managed switch --R-- Rpi4
| | | | -GBO-
| | | |
Wifi G B O
note: Rpi4 has single NIC so --R-- and -GBO- is just logical separation (=VLANs) but single wired connection.
if you want wifi clients to connect to BT hub but served from Rpi4 you just need 4 VLANs all in their respective firewall zone, none of them in wan zone. then they will act as normal lan zones without the usual wan zone restrictions.
you can decide how restrictive you want your vlan zones: e.g. you can play with input accept/deny concept which controls if traffic coming into owrt device will be accepted by the device or not. typically this traffic can be dhcp, dns. if you restrict it (input=deny) you'll need to add firewall rules to punch hole to get dhcp/dns working. or set input=accept then it you can access services/ports open on the device from the vlan. it is up to you.
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have
ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user
Yes I've enabled the DHCP server on the WAN interface.
For historical reasons my network has evolved, rather than been designed as a whole, and is like this at present :
internet --- BT hub --+-- managed switch -RGBO- Rpi4
| | | | |
| | | | |
Wifi R G B O
...where the RPi4 has a dedicated trunk connection to the 5 port switch, the Red sub-net is currently set up as the WAN and Green, Blue and Orange are setup as LANs. The red network has several servers (print/media/games etc.) available to all the networks along with a VPN which is available to my extended family. A DMZ would be ideal for the latter but as I said earlier, it's evolved rather than being designed as a whole !
I hadn't considered your suggestion of just having four LAN connections and not using the WAN connection at all. That would certainly make a lot more sense, DHCP/DNS would be straightforward and I can adjust the routing to suit. I think I'll give that a try rather than pursuing the problems with using the WAN interface as it is, so thanks for the suggestion.
Ok - I've deleted the WAN interface, created a new Red LAN in it's place and set it up in the same way as the other LANs with DHCP enabled. I've updated the firewall rules to reflect the changes, replacing the wan interface with the red interface. The general rule for the red interface is Accept/Accept/Accept but no destination(s) specified so it shows 'red => reject'.
Disabling the BT Smarthub DHCP server and re-booting my sacrificial Raspberry Pi on the red network does now indeed receive the correct IP address.
Now it gets a little confusing: In order to access the internet from the green, blue or orange networks, via the red interface and the BT hub, I've had to enable masquerading on the red firewall zone and set the gateway address of the green, blue and orange networks to the IP address of the red interface, not the address of the BT hub as I had set up originally. The red interface gateway address still points to the BT hub. Is this what would be expected ?
It all now appears to be working as I wanted with one oddity, devices on the red network have internet access Ok, but the DNS lookup for local devices that exist in the OpenWRT hosts file return 'Name or service not known'. I was expecting the DNS lookup to work and report the correct IP address but report the device was not accessible due to the red firewall rule rejecting the connection. This suggests DNS isn't working correctly on the red interface ??
This is the content of my /etc/config/firewall file now ...
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config include
option path '/etc/firewall.user'
config zone
option name 'blue'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'Blue'
config zone
option name 'orange'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'Orange'
config forwarding
option src 'lan'
option dest 'blue'
config forwarding
option src 'lan'
option dest 'orange'
config zone
option name 'red'
option input 'ACCEPT'
option output 'ACCEPT'
list network 'red'
option forward 'ACCEPT'
option masq '1'
config forwarding
option src 'lan'
option dest 'red'
config forwarding
option src 'blue'
option dest 'red'
config forwarding
option src 'orange'
option dest 'red'
Any further comments before I put this one to bed and mark it solved ??
