Hello everyone,
I'm just learning OpenWrt and have definitely fallen in love with all its possibilities. I have been testing a lot of things on my TP-Link AC1750 (OpenWrt 21.02.2 r16495-bf0c965af0) and most of them worked pretty well.
But now I'm a bit confused:
Why can I access my OpenWrt router from my "IOT" wifi? (both over web browser and ssh)
=> of course I set Input to reject in the correct firewall zone (IOT_Zone)
I also found out that my firewall settings are not working properly (actually they are not affecting anything). E.g. I can also access the internet, although I do NOT have any forwarding to the wan zone.
config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option metric '100'
config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 3 4 5'
	option description 'vlan_main'
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'
	option description 'vlan_wan'
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 2'
	option vid '3'
	option description 'vlan_remote'
config device
	option name 'eth0.3'
	option type '8021q'
	option ifname 'eth0'
	option vid '3'
	option macaddr 'E8:48:B8:E1:8A:93'
config device
	option name 'eth0.1'
	option type '8021q'
	option ifname 'eth0'
	option vid '1'
	option macaddr 'E8:48:B8:E1:8A:91'
config interface 'IOT'
	option proto 'static'
	option ipaddr '10.5.20.1'
	option netmask '255.255.255.0'
config defaults
	option synflood_protect '1'
	option forward 'REJECT'
	option input 'REJECT'
	option output 'REJECT'
config zone
	option name 'Main'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'radio1.network1'
	list device 'wlan1'
	list device 'br-lan'
	list network 'lan'
config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	list network 'wan'
	list network 'wan6'
config forwarding
	option dest 'wan'
	option src 'Main'
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
config rule
	option name 'Allow-MLD'
	option proto 'icmp'
	option family 'ipv6'
	option target 'ACCEPT'
	list src_ip 'fe80::/10'
	option src 'wan'
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'
	option dest 'Main'
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest 'Main'
config include
	option path '/etc/firewall.user'
config zone
	option name 'IOTZone'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	list network 'IOT'
How are you even accessing that IoT network? It is not associated with any devices (unless it is wifi only), and since it has all of the zone rules set to reject, it shouldn't work at all (you won't get a DHCP address, and it will not have access to any networks or the internet).
IoT network is only for wifi.
Correct, actually it shouldn't even get any IP, and it shouldn't have access to the internet,
but it does! That's why I'm so confused.
What IP address info (IP, subnet mask, router/gateway, dns) do you see on the device that is connected to the IOT network? Are there any other connections on that device (such as wired ethernet or a secondary wifi radio)?
inet 10.5.20.111/24 brd 10.5.20.255 scope global dynamic noprefixroute wlan0
Let's see the /etc/config/wireless
config file
config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option cell_density '0'
	option htmode 'VHT40'
	option txpower '20'
	option channel 'auto'
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option key '...'
	option ieee80211r '1'
	option ft_over_ds '1'
	option ft_psk_generate_local '1'
	option ssid 'Stevo-Main-5G'
config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/ahb/18100000.wmac'
	option htmode 'HT20'
	option cell_density '0'
	option txpower '5'
	option country 'DE'
	option channel 'auto'
config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Stevo-IOT'
	option encryption 'psk2'
	option key '...'
	option network 'IOT'
	option ieee80211r '1'
	option ft_over_ds '1'
	option ft_psk_generate_local '1'
config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Test'
	option encryption 'psk2'
	option key 'testtest'
I have added another wifi "test". In this case everything works as described!
remove these from the Main firewall zone.
Thanks, nice.
What was my mistake? Did I add all wlans to the "main" firewall zone?
I think you can look at it as adding all the networks associated with the radio1 device (which includes your IOT network) to the main firewall zone. In general, it usually is best to define networks (not devices) in the firewall zones (there are some exceptions, but those are typically for things like VPNs).
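The root cause the last reply describes, as an added checker that is not part of the thread: it parses UCI-style firewall and wireless text and reports every Wi-Fi netdev that more than one zone claims, either directly via `list device` (including the `radioN.networkM` alias form) or indirectly via `list network`. It assumes the default mac80211 naming (the first wifi-iface on radioN becomes wlanN, later ones wlanN-1, wlanN-2, ...), and the two configs embedded below are trimmed, constructed copies of the ones posted above.

```python
"""Added example (not from the thread): flag firewall zones that claim a raw Wi-Fi
netdev whose network belongs to another zone, the mistake behind the IOT SSID landing
in 'Main'. Assumed mac80211 naming: wifi-iface #M on radioN is wlanN (M=1) / wlanN-(M-1),
with alias radioN.networkM. Configs below are trimmed, constructed copies of the thread's."""
import re
from collections import defaultdict
FIREWALL = """config zone
	option name 'Main'
	list device 'radio1.network1'
	list device 'wlan1'
	list network 'lan'
config zone
	option name 'IOTZone'
	list network 'IOT'"""
WIRELESS = """config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
config wifi-iface 'wifinet2'
	option device 'radio1'
	option network 'IOT'"""

def parse_uci(text):
    """Parse UCI text into [(section_type, {key: [values]})]."""
    out = []
    for kind, key, val in re.findall(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", text, re.M):
        if kind == "config":
            out.append((key, defaultdict(list)))
        else:
            out[-1][1][key].append(val)
    return out

def wifi_netdevs(wireless):  # -> ({netdev: network}, {radioN.networkM: netdev}); assumes 'radioN' names
    seen, nets, alias = defaultdict(int), {}, {}
    for stype, o in parse_uci(wireless):
        if stype == "wifi-iface":
            radio = o["device"][0]
            n, seen[radio] = seen[radio], seen[radio] + 1
            dev = "wlan" + radio[5:] + (f"-{n}" if n else "")  # radio1 -> wlan1, then wlan1-1, ...
            nets[dev] = (o["network"] or [None])[0]
            alias[f"{radio}.network{n + 1}"] = dev
    return nets, alias

def zone_conflicts(firewall, wireless):
    """Return {netdev: sorted zone names} for Wi-Fi netdevs claimed by more than one zone."""
    nets, alias = wifi_netdevs(wireless)
    claimed = defaultdict(set)
    for stype, o in parse_uci(firewall):
        raw = {alias.get(d, d) for d in o["device"]}  # 'list device' entries resolved to netdevs
        for dev, net in nets.items():
            if stype == "zone" and (dev in raw or net in o["network"]):  # 'list network' entries
                claimed[dev].add(o["name"][0])
    return {d: sorted(z) for d, z in claimed.items() if len(z) > 1}
```

On the thread's config it reports wlan1 in both IOTZone and Main; with the two `list device` lines removed from Main, as the reply suggests, it reports nothing.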
system closed the topic on March 24, 2022, 12:31am: This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.