Bridges / Switches / Interfaces / Devices

Installing and Using OpenWrt
1

Hello!
I've been playing with Zerotier in OpenWRT as a method to expose LAN in support scenarios.
My goal is to have Zerotier provide a tunnel to both the OpenWRT router and all the devices on the same LAN as said router.
Currently I am running OpenWRT on a Vocore 2 POE and almost all is working except I have the following issues:
I cannot access the router when connecting remotely (don't see issues with the firewall but the connection is refused) both on its Zerotier address or its DHCP address. I can see all network devices though (except it?).
When connected locally on the DHCP address the plugin TTYD does not work (refused connection), LUCI and SSH are working though.

Other notes: I also have a wireless LAN setup for local access to the device - this works but doesn't provide access to the network.

Here is my /etc/config/network:

config interface 'WAN'
        option proto 'dhcp'
        option device 'br-wan'

config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'eth0.1'
        list ports 'ztfovzuj6z'

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd6:603a:85c5::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '6t 0 2'

config interface 'Zerotier'
        option proto 'none'
        option device 'ztfovzuj6z'

config switch_vlan
        option device 'switch0'
        option ports '6t'
        option vlan '2'
        option description 'WAN'

Here is my /etc/config/firewall:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list network 'ETH0'
        list network 'Zerotier'
        list network 'WAN'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config forwarding
        option src 'wan'
        option dest 'lan'

Here is the /etc/config/wireless:

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/10300000.wmac'
        option band '2g'
        option htmode 'HT20'
        option channel 'auto'
        option country 'CA'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWRT'
        option encryption 'psk2'
        option key 'OpenWRT'

What crap can be removed from the configurations? What is missing to properly bridge the zerotier interface with the ethernet port network?

Also the version is: "Powered by LuCI openwrt-21.02 branch (git-22.119.37126-a993714) / OpenWrt 21.02.3 r16554-1d4dea6d4f"

Thanks,

--Phil

2

I'm not a zerotier expert, so there are possibly some things I'll get wrong here... but..

I'm not sure why you've made your wan a bridge with ZT. You've also got 2 interfaces where ZT exists, so I think this is wrong...

Recommended changes from the above: remove the br-wan device definition entirely, revert wan to use device eth0.1, and change the name of the interface from WAN -> wan (lowercase recommended).

Meanwhile, VLAN 1 (which is the WAN) is assigned to logical ports 0 and 2, and VLAN 2 (associated with br-lan) is not connected to any ports (6t is the CPU). Is that the desired configuration. The description field in VLAN 2 is probably inaccurate -- it doesn't have a functional impact, but will be confusing at a human level.

The lan zone should not be masqueraded in most cases. Remove that line.

There are a number of things wrong with your wan zone

:warning: you probably don't want input set to accept as it exposes your router directly to the internet (or whatever the upstream network is, unless this is actually connected to a trusted lan). This should almost always be reject. Same with forward.

Remove network ETH0 (which does nothing), and Zerotier (which we'll move into another zone). Also remove network WAN (because 'wan' is already in there, and it is recommended to use lowercase names per my earlier comment).

Create another firewall zone for your zerotier network and setup forwarding to your lan zone (and probably your wan zone, but don't know if you need that). I don't know if ZT needs masquerading enabled... you can experiment with that on/off.

config zone
        option name 'zerotier'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list network 'Zerotier'
        option masq '1'

config forwarding
        option src 'zerotier'
        option dest 'wan'

config forwarding
        option src 'zerotier'
        option dest 'lan'
3

Hey Psherman,

I'll check this out - thanks!

Some notes:
This is a single ethernet outlet device, is it meant to attach to a router and not actually connected directly to open internet (hence the use of zerotier).
Zerotier UDP punches through firewalls to allow me remote access to this device and anything it can see but for that it does require bridging. Firewalls really don't do much I assume as there is no direct external access to this device.
I have this working successfully on some other OpenWRT devices (RPi, GL.inet) but every device has either a different OpenWRT version or different unlying function making it hard to understand why things working on one device don't on another....

Thanks,

--Phil