Asking support in firewall configuration

Installing and Using OpenWrt
1

Hi everyone,
let me describe my configuration: to comply with my house layout, my ISP router is located in one room together with a Dumb AP (let name it #1) communicating with Main Router through an Ethernet trunk line. The connection from ISP router to Main Router is assured by a VLAN associated to the WAN port of AP#1 connecting the WAN port of Main Router; on the trunk line are running the WAN connection (via untagged VLAN) and LAN connection to AP#1 (via tagged LAN).
Main Router and APs are running OpenWrt 23.05.3.

Screenshot 2024-04-09 195810
Screenshot 2024-04-09 195810718×540 26.6 KB

Everything is working fine but for a detail: with firewall switched off on AP#1, it can be accessed from WAN (it's a Dumb AP); with firewall switched on, AP#1 is totally inaccessible from LAN, even if it's perfectly working.

Can you help me to write a firewall rule (running on AP#1) to make it accessible from LAN and protected from WAN?

Thanks,

2

I don't have much experience in this sort of configurations but IMO AP#1 is placed weirdly in the layout, between the ISP router and the main router. AP#2 then connects through what's supposed to be another dumb AP#1 to the WAN. With this configuration, you should be setting up the ISP router to properly function as a firewall, otherwise essentially you are exposing part of your network to the WAN. Then to mitigate that, you have to come up with firewall rules which should turn your "dumb" AP into a firewall + AP. Is there a good reason to not put the AP#1 and AP#2 behind the firewall of your main router?

3

Let's take a look at the configurations for AP#1 and the main router.

Also, how are you testing access to AP1 from the wan??

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
1 Like
4

The OP mentioned that this is necessary based on the physical layout of their home. As long as everything is properly configured, this does not present any significant risks (although there can be some nuanced issues beyond general configuration, but those do not arise in most situations).

1 Like
5

I missed the house layout part. They could set up a proper firewall on AP#1 and then there is no issue, I agree.

6

Yes, if AP#1 could be the main firewall, it would simplify things. But it is not necessary for this to be the case. As described, a VLAN based approach as drawn is totally fine and will not expose AP#1 assuming everything is properly configured.

1 Like
7

AP#1 should pass traffic from the ISP device to the main router on the layer 2, and not have any kind of layer 3 network interface configured on top of that.

1 Like
8

Thank for the first batch of comments. these are the information about the configuration:

AP#1

{
        "kernel": "5.15.150",
        "hostname": "AP1",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Netgear R6220",
        "board_name": "netgear,r6220",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

Network config:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd9d:d24c:8533::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

config interface 'mnt'
	option proto 'static'
	option ipaddr '192.168.3.6'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan.1'
	option gateway '192.168.3.1'
	list ip6class 'local'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:t'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '35'
	list ports 'lan1'
	list ports 'wan'

config interface 'vlan1'
	option proto 'dhcp'
	option device 'br-lan.1'

config interface 'vlan10'
	option proto 'dhcp'
	option device 'br-lan.10'

config interface 'vlan30'
	option proto 'dhcp'
	option device 'br-lan.30'

config interface 'vlan35' # This is the VLAN conveying WAN to the Main Router
	option proto 'dhcp'
	option device 'br-lan.35'

Wireless config:


config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option band '2g'
	option htmode 'HT20'
	option txpower '0'
	option country 'IT'
	option cell_density '0'
	option channel '3'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid '...'
	option encryption 'psk2+ccmp'
	option key '...'
	option ieee80211r '1'
	option ft_over_ds '1'
	option ft_psk_generate_local '1'
	option isolate '1'
	option nasid 'ap3'
	option network 'vlan10'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '5g'
	option htmode 'VHT80'
	option country 'IT'
	option cell_density '1'
	option distance '15'
	option channel '153'
	option txpower '12'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid '...'
	option encryption 'wpa2+ccmp'
	option auth_server '192.168.3.10'
	option auth_port '1812'
	option acct_server '192.168.3.10'
	option acct_port '1813'
	option nasid 'ap3'
	option auth_secret '...'
	option acct_secret '...'
	option network 'vlan30'

config wifi-iface 'wifinet4'
	option device 'radio0'
	option mode 'ap'
	option ssid '...'
	option encryption 'sae'
	option key '...'
	option ieee80211r '1'
	option nasid 'ap3'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'vlan10'

config wifi-iface 'wifinet5'
	option device 'radio0'
	option mode 'ap'
	option ssid '...'
	option encryption 'wpa2+ccmp'
	option auth_server '192.168.3.10'
	option auth_port '1812'
	option auth_secret '...'
	option acct_server '192.168.3.10'
	option acct_port '1813'
	option acct_secret '...'
	option network 'vlan1'

dhcp config:


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

firewall config:

config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

Main Rooter

{
        "kernel": "5.15.150",
        "hostname": "OpenWrt_Server",
        "system": "Intel(R) Atom(TM) CPU N2600   @ 1.60GHz",
        "model": "ICP / iEi B229",
        "board_name": "icp-iei-b229",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "x86/64",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

Network config:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd25:0709:639d::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	option macaddr '...'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option device 'br-lan'
	option ifname 'eth0.1'

config interface 'vlan10'
	option proto 'static'
	option ipaddr '10.0.10.1'
	option netmask '255.255.255.0'
	option device 'br-lan10'
	option ifname 'eth0.10'

config interface 'vlan20'
	option proto 'static'
	option ipaddr '10.0.20.1'
	option netmask '255.255.255.0'
	option device 'br-lan20'
	option ifname 'eth0.20'

config interface 'vlan30'
	option proto 'static'
	option ipaddr '10.0.30.1'
	option netmask '255.255.255.0'
	option device 'br-lan30'
	option ifname 'eth0.30'

config interface 'vlan40'
	option proto 'static'
	option ipaddr '10.0.40.1'
	option netmask '255.255.255.0'
	option device 'br-lan40'
	option ifname 'eth0.40'

config device
	option name 'lan'
	option type 'bridge'
	list ports 'eth0.1'

config device
	option name 'br-lan10'
	option type 'bridge'
	list ports 'eth0.10'
	option macaddr '...'

config device
	option name 'br-lan20'
	option type 'bridge'
	list ports 'eth0.20'
	option macaddr '...'

config device
	option name 'br-lan30'
	option type 'bridge'
	list ports 'eth0.30'
	option macaddr '...'

config device
	option name 'br-lan40'
	option type 'bridge'
	list ports 'eth0.40'
	option macaddr '...'

config device
	option name 'eth0'
	option macaddr '...'

config device
	option name 'eth0.20'
	option type '8021q'
	option ifname 'eth0'
	option vid '20'
	option macaddr '...'

config device
	option name 'eth0.30'
	option type '8021q'
	option ifname 'eth0'
	option vid '30'
	option macaddr '...'

config device
	option name 'eth0.40'
	option type '8021q'
	option ifname 'eth0'
	option vid '40'
	option macaddr '...'

config device
	option name 'eth1'
	option macaddr '...'

config device
	option name 'eth0.10'
	option type '8021q'
	option ifname 'eth0'
	option vid '10'
	option macaddr '...'

Firewall config:



config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'allowPrint'
	option src 'vlan30'
	option dest 'lan'
	list dest_ip '192.168.3.10'
	option target 'ACCEPT'
	list proto 'all'

config zone
	option name 'vlan10'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vlan10'

config forwarding
	option src 'vlan10'
	option dest 'wan'

config zone
	option name 'vlan20'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vlan20'

config forwarding
	option src 'vlan20'
	option dest 'wan'

config zone
	option name 'vlan30'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vlan30'

config forwarding
	option src 'vlan30'
	option dest 'wan'

config zone
	option name 'vlan40'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vlan40'

config rule
	option name 'Allow-mob-DNS'
	option dest_port '53'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	option src 'vlan10'

config rule
	option name 'Allow-mob-DHCP'
	list proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'
	option src 'vlan10'

config rule
	option name 'Allow-work-DNS'
	option dest_port '53'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	option src 'vlan30'

config rule
	option name 'Allow-work-DHCP'
	list proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'
	option src 'vlan30'

config rule
	option name 'Allow-streamnet-DNS'
	option dest_port '53'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	option src 'vlan40'

config rule
	option name 'Allow-streamnet-DHCP'
	list proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'
	option src 'vlan40'

config rule
	option name 'Allow-voip-DNS'
	option dest_port '53'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	option src 'vlan20'

config rule
	option name 'Allow-voip-DHCP'
	list proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'
	option src 'vlan20'

config rule
	option name 'allow_SIP_traffic'
	option src 'vlan20'
	option dest 'wan'
	option dest_port '5060'
	option target 'ACCEPT'

config rule
	option name 'allow_RTP_traffic'
	list proto 'udp'
	option src 'vlan20'
	option dest 'wan'
	option dest_port '10000-20000'
	option target 'ACCEPT'

config rule
	option src 'vlan10'
	list src_ip '10.0.10.0/24'
	option dest 'wan'
	list dest_ip '192.168.1.254'
	option name 'noAccess_to_ISP_mobnet'
	option target 'REJECT'

config rule
	option name 'noAccess_to_ISP_work'
	option src 'vlan30'
	list src_ip '10.0.30.0/24'
	option dest 'wan'
	list dest_ip '192.168.1.254'
	option target 'REJECT'

config rule
	option name 'noAccess_to_ISP_streamnet'
	option src 'vlan40'
	option dest 'wan'
	list dest_ip '192.168.1.254'
	option target 'REJECT'
	list src_ip '10.0.40.0/24'
	list src_ip '10.0.40.111'

config redirect
	option target 'DNAT'
	option name 'Intercept-DNS'
	option src 'lan'
	option src_dport '53'

config redirect
	option target 'DNAT'
	option name 'Intercept-DNS_mobnet'
	option src 'vlan10'
	option src_dport '53'

config redirect
	option target 'DNAT'
	option name 'Intercept-DNS_worknet'
	option src 'vlan30'
	option src_dport '53'

config redirect
	option target 'DNAT'
	option name 'Intercept-DNS_streamnet'
	option src 'vlan40'
	option src_dport '53'

config forwarding
	option src 'vlan40'
	option dest 'wan'

config redirect 'adblock_vlan1053'
	option name 'Adblock DNS (vlan10, 53)'
	option src 'vlan10'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option family 'any'

config redirect 'adblock_vlan10853'
	option name 'Adblock DNS (vlan10, 853)'
	option src 'vlan10'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'
	option family 'any'

config redirect 'adblock_vlan105353'
	option name 'Adblock DNS (vlan10, 5353)'
	option src 'vlan10'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'
	option family 'any'

config redirect 'adblock_vlan4053'
	option name 'Adblock DNS (vlan40, 53)'
	option src 'vlan40'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option family 'any'

config redirect 'adblock_vlan40853'
	option name 'Adblock DNS (vlan40, 853)'
	option src 'vlan40'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'
	option family 'any'

config redirect 'adblock_vlan405353'
	option name 'Adblock DNS (vlan40, 5353)'
	option src 'vlan40'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'
	option family 'any'

DHCP config:


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'vlan10'
	option start '100'
	option limit '150'
	option interface 'vlan10'
	option leasetime '1h'

config dhcp 'vlan20'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option interface 'vlan20'

config dhcp 'vlan30'
	option start '100'
	option limit '150'
	option interface 'vlan30'
	option leasetime '1h'

config dhcp 'vlan40'
	option start '100'
	option interface 'vlan40'
	option limit '150'
	option leasetime '12h'

"Also, how are you testing access to AP1 from the wan??"
I'm not meaning from internet... I mean connecting directly to ISP Moden and calling the AP WAN IP address, the router reply and it's accessible (with password).

My goal is to REJECT connections from ISP Modem but ACCEPT connections for maintenance and sysupgrading from LAN.Thank you in advance for the help

9

This should be unmanaged:

config interface 'vlan35' 
	option proto 'none'
	option device 'br-lan.35'

I would recommend that you tag vlan35 on the way to the main router (i.e. port lan1), and that you explicitly specify that the wan is untagged.

Based on my recommendations, it would look like this:

config bridge-vlan
	option device 'br-lan'
	option vlan '35'
	list ports 'lan1:t'
	list ports 'wan:u*'

Your other VLANs should also be unmanaged (option proto 'none') except for the VLAN that is used to administer the device.

If you follow my advice about tagging VLAN35 on AP#1, you need to modify the wan interface on the main router, although I am confused about how that is working in the first place. it looks like your wan is using eth1, but all your other networks are specified against eth0, so I'm not sure what is happening here. Is there a managed switch between the router and AP#1?

Now, for all of your interfaces, they should not include the ifname line:

This should be deleted:

And you can delete all the 802.1q stanzas:

These two rules only make sense if your upstream (wan) is actually on the subnet 192.168.1.0/24 and there is some device that should be inaccessible at 192.168.1.254.

There is no need to specify the .111 source IP -- the .0/24 covers it.

This rule can be deleted -- it is already covered by allowing vlan20 > wan forwarding:

2 Likes
10

"Is there a managed switch between the router and AP#1?"
Yes, it is. Main Rooter is a two-port PC, so I need a managed switch.

"These two rules only make sense if your upstream (wan) is actually on the subnet 192.168.1.0/24 and there is some device that should be inaccessible at 192.168.1.254."
Yes, the subnet 192.168.1.0/24 is the WAN and 192.168.1.254 is the IP address of ISP Modem. I want to make it not accessible from VLAN... Maybe it exist a more elegant syntax but the rule its working.

Let me digest all your suggestions, I need some time to modify the configuration without jeopardize my network access... I will reply as soon as possible. Thanks for now.
C

11

Ok... so if you take my advice about tagging from AP#1, you would also want to change the port configuration on the managed switch to expect tagged VLAN 35 on the port that connects to the AP, and then that VLAN would be also configured on the port going to the router's eth1 port. VLAN 35 should only be present on those two ports, no others. On the port that goes to the router's eth1 port, you can make that tagged or untagged, but you also need to match that with the router's configuration. If untagged, leave the router as is. If tagged, change eth1 to eth1.35

12

So, I did all the modifications you suggested, including tagging of VLAN35. Everything is working fine.
I didn't try to restart AP#1 firewall yet... Should I?

13

Ap1 firewall is not involved anymore. It shouldn’t matter.

1 Like
14

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

15

You are welcome. It's always a pleasure to deal with you.

16

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.