I got a Deco device from my provider and want to use it as my AC. Everything works fine, but I do not want to let the ISP connect to the device and have access to it, because based on my experience they can see my Wi-Fi network, maybe the password, all devices, MACs, IPs, etc.
I was looking at the docs and added this config to block inbound/outbound traffic by IP, since I have a static DHCP lease configured for that device:
config rule
option name 'Block Incoming MAC'
option src 'wan'
option dest 'lan'
option target 'DROP'
list dest_ip '192.168.200.3'
list proto 'all'
config rule
option name 'Block Outgoing MAC'
option src 'lan'
option dest 'wan'
option target 'DROP'
list src_ip '192.168.200.3'
list proto 'all'
But it does not look like it's working, because when I try to connect with the Deco app (no Wi-Fi, just cellular) I can still connect to my cloud account and see all the data, such as name, MAC, connected clients, etc.
As a side note, somehow in the Deco UI I see a different MAC (xxxxxxxx-74) vs. the one registered in my network (xxxxxxxxx-75), and I see requests going back and forth in pi.hole. When I do arp -n, the correct IP is associated with the expected MAC (75). So could this be some UI bug, or is it doing something sketchy?
Anyway, I'm looking for any suggestions on options to make sure there is no access.
Are there multiple units, or just one? Also, have you confirmed that the device is indeed using this address and that it is not using IPv6?
Let's see the complete config:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
It's only 1 unit.
Yes, it's using that address (confirmed by opening the device UI at the same address).
Also, I do not see any other IP on the router network.
IPv6 is disabled.
root@Router:~# ubus call system board
{
"kernel": "5.15.137",
"hostname": "Router",
"system": "ARMv7 Processor rev 0 (v7l)",
"model": "Netgear Nighthawk X4S R7800",
"board_name": "netgear,r7800",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.2",
"revision": "r23630-842932a63d",
"target": "ipq806x/generic",
"description": "OpenWrt 23.05.2 r23630-842932a63d"
}
}
root@Router:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.200.1'
option netmask '255.255.255.0'
option ip6assign '64'
option defaultroute '0'
option ip6ifaceid '::200:1'
option ipv6 'off'
list dns '208.67.222.222'
list dns '8.8.8.8'
config interface 'wan'
option proto 'pppoe'
option ipv6 'auto'
option username 'xxxxxxxxxxxx'
option password 'xxxxxxxxxxxxxxxxx'
option device 'eth0.40'
option peerdns '0'
config interface 'wan6'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option device '@wan'
option peerdns '0'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '6t 4 3 2 1'
option vid '1'
config interface 'modem'
option proto 'static'
option device '@wan'
option ipaddr '192.168.100.2'
option netmask '255.255.255.0'
config switch_vlan
option device 'switch0'
option vlan '3'
option ports '0t 5t'
option vid '40'
option description 'fiber'
root@Router:~# cat /etc/config/dhcp
config dnsmasq
option localise_queries '1'
option rebind_protection '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
list server '192.168.200.5'
list server 'fe80::xxxxxxxxxxxxxx'
list rebind_domain 'plex.direct'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option ra_slaac '0'
option force '1'
list dns 'fe80::xxxxxxxxxxxxxx'
option ra_default '2'
list dhcp_option '6,192.168.200.5'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config domain
option name 'router'
option ip '192.168.200.1'
config host
option name 'pc-xxxxxxx'
option ip '192.168.200.10'
option mac 'xxxxxxxxxxxxxxxxxxxx'
option hostid '10'
option duid 'xxxxxxxxxxxxxxxx'
config host
option ip '192.168.200.11'
option mac 'xxxxxxxxx'
option name 'pc-xxxxx-wifi'
option hostid '11'
config host
option duid 'xxxxxxxxxxxxxxxx'
option mac 'xxxxxxxxxxxxxxxxxxxxxxxx'
option name 'pi.hole'
option ip '192.168.200.5'
option hostid '05'
config domain
option name 'modem'
option ip '192.168.100.1'
config domain
option name 'pi.hole'
option ip '192.168.200.5'
config domain
option name 'pc-xxxxx'
option ip '192.168.200.10'
config domain
option name 'sp1'
option ip '192.168.200.61'
config domain
option name 'sp2'
option ip '192.168.200.62'
config host
option name 'ac1'
option ip '192.168.200.3'
option mac 'xxxxxxxxxxxxxxxxxx'
config host
option name 'printer'
option ip '192.168.200.4'
option mac 'xxxxxxxxxxxxxxxxxx'
I'm in between an ISP change and not sure if this one supports IPv6, so I do not want to change the entire config back and forth, but I will if it's actually required.
Doesn't this prove that IPv6 is turned off and there is no IPv6 communication through the router?
Yeah... this did the trick. Now when I look in the app it says "We could not find Deco" (hope the ISP will get the same result as well :|)
Thanks for such a fast response.
I'm kinda not sure how it went through the router without me noticing it...
I assume this is an example of how global IPv6 works and can be "dangerous" for a not fully configured system, and it's another reason to turn it off.
In this case, the problem would also exist with IPv4 if you didn't explicitly block the outbound connectivity for the device. IPv6 is no different in that respect; you just have to block the device in question by its IPv6 address as well.
It is key that you reboot the router after making some of these changes. Although the blocking rule will prevent new connections, the firewall may continue to allow connections that were already established before the rule was added. Rebooting should clear this.
You have a modem network defined -- presumably to be able to connect to your modem for administration/statistics -- I haven't seen your firewall yet, but it's possible that this is causing a path for the leak.
Does the Deco have bluetooth? If so, is it possible that the app is actually connecting via BT to your AP and gathering the data that way?
If you physically disconnect the AP (ethernet and/or power) so that it cannot physically connect to the internet, does the app reflect the lost contact? It is possible that the app or cloud is showing historical or cached data, but not reflecting the loss of connectivity.
After changing from DROP to REJECT again and doing another restart, it seems like it's blocking traffic!
To summarize:
I've removed 'modem' since this was from my old ISP/setup and it never worked with the new one
REJECT instead of DROP
cleaned up all IPv6 network config
disabled all IPv6 firewall rules just in case
My current firewall config:
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Block Incoming Deco'
option src 'wan'
option dest 'lan'
option target 'REJECT'
list dest_ip '192.168.200.3'
list proto 'all'
config rule
option name 'Block Outgoing Deco'
option src 'lan'
option dest 'wan'
option target 'REJECT'
list src_ip '192.168.200.3'
list proto 'all'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option family 'ipv4'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'xx'
option src 'wan'
option src_dport 'xxxxx'
option dest_ip '192.168.200.5'
option dest_port 'xxxxx'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'xx'
option src 'wan'
option dest_ip '192.168.200.10'
option family 'ipv4'
option src_dport 'xxxx'
option dest_port 'xxxx'
list proto 'tcp'
list proto 'udp'
list proto 'icmp'
option enabled '0'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'dns'
option src 'wan'
option src_dport '6xxxx'
option dest_ip '192.168.200.5'
option dest_port 'xx'
option enabled '0'
It still has some IPv6 in it... I think it makes sense to just turn it off and do another restart...
Update: I've disabled all IPv6-related rules just in case and did another reboot.