Can access OpenWrt ssh/luci UI over WAN in LXC Container on Ubuntu Raspberry Pi

I would like to run openwrt inside an lxc container on ubuntu on a rpi4. Openwrt should assign an ip address to the host rpi and other devices on the lan (switch, AP, etc).

I'm able to run the container and assign IPs to clients on the lan fine. The wan is also assigned an IP address.

The problem is I'm able to access the openwrt container from the wan (luci UI, ssh) without making any changes to the firewall settings. I have not changed or set any additional firewall rules in openwrt or on the host. The only setting I've changed is the default static ip for the lan in the openwrt container.

Does this setup require some additional settings on the host?

setup:

  • USB ethernet adapter on rpi connected to the ONT from my ISP
    • while testing this is connected to old router running openwrt acting as wan (to be replaced with this lxc container setup). old router is connected to ONT and lan port is connected to USB ethernet adapter
  • rpi4 running ubuntu 21.04.
    • lxc container running openwrt router on ubuntu host
  • Ethernet port on rpi is connected to POE switch.
    • Switch is connected to dumb AP running openwrt.

Using openwrt v21.02.0rc3 armvirt
https://downloads.openwrt.org/releases/21.02.0-rc3/targets/armvirt/64/openwrt-21.02.0-rc3-armvirt-64-default-rootfs.tar.gz

lxd version 4.16

roughly following the steps here
http://www.makikiweb.com/Pi/lxc_openwrt.html

# init container
lxc image import openwrt-meta.tar default-rootfs.tar.gz  --alias openwrt_aarch64
lxc init local:openwrt_aarch64 router

# assign profile with eth0 and eth1 interfaces
lxc profile assign router owrt-router

# adding eth1 to router container instance config
lxc config edit router
...
  volatile.eth0.hwaddr: xx:xx:xx:xx:xx:xx
  volatile.eth1.hwaddr: xx:xx:xx:xx:xx:xx # added this line
...


lxc start router

/etc/netplan/50-cloud-init.yaml

network:
    ethernets:
        eth0:
            dhcp4: true
            optional: false
        enx7cc2c61ee390:
            dhcp4: true
            optional: false
    bridges:
        br0:
            dhcp4: true
            dhcp6: true
            parameters:
                stp: false
                forward-delay: 0
            interfaces:
                - eth0
    version: 2

lxc container owrt-router profile

config: {}
description: openwrt router
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: br0
    type: nic
  eth1:
    name: eth1
    nictype: physical
    parent: enx7cc2c61ee390
    type: nic
  root:
    path: /
    pool: default
    type: disk
name: owrt-router

I've also tried a variety of configurations:

  • setting container eth1 nictype as bridged and creating corresponding br1 in netplan
  • setting lxc config set router security.privileged true
  • tried with older versions of ubuntu (18.04, 20.04), openwrt (19.07.7), lxd (3.0.3)

but I'm still able to access the luci UI over the wan. Appreciate any help on this.

afaik...

armvirt does not appear to contain board.d 02_network... thus no 'uci_def wan'... thus no auto setup of wan firewalling etc. etc.

  • did you need to add the wan interface when you initially set it up in luci?
  • did you create a wan zone and assign the interface to it in luci? etc. etc. etc.

Thanks for your reply.

I did not need to add the wan interface, it is set up automatically on container start after adding volatile.eth1.hwaddr in the container config. Without that change the wan interface will not be created.

The wan zone is correctly assigned to the wan and wan6 interfaces and both are assigned IPs from the upstream router. At a quick glance through the luci UI everything appears to be initialized as expected. I have not changed any settings in openwrt other than the static ip address.

Fwiw I do see a /etc/board.d/ directory with two files, 00_model and 99-default_network, but as you said 02_network does not exist.


ok found it now apologies...

does

iptables -I INPUT -i eth1 -j DROP

block stuff?

ahh yes, can no longer access the luci UI after adding that rule.

another bit of interesting info:

root@router:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth1 -j DROP

so looks like iptables are not set up


right... so it's a lack of (running of) init.d/firewall thing...


great thank you! that appears to be it.

I ran /etc/init.d/firewall restart and now iptables are populated and I am no longer able to access the router over the wan. thank you so much for your help and quick replies.

any idea why the firewall was not running or how to debug? how can I find what services should run on boot? now I'm curious if there are other services which should be running but aren't. I want to make sure I don't introduce some security holes by switching to this new setup
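An added audit helper for the two problems this thread ran into, written for this reply and not code from the thread or from OpenWrt itself: it lists which init scripts have no /etc/rc.d start link (so would not be started by procd at boot), and it checks an `iptables -S` dump for the zone_wan chains that fw3 creates, using the empty dump posted above as the constructed sample. It assumes an OpenWrt 21.02 (fw3, iptables) rootfs and an optional OPENWRT_ROOT variable pointing at a mounted copy of it.

```shell
#!/bin/sh
# Added audit helper, not code from the thread. Two checks for an OpenWrt 21.02
# (fw3/iptables) container: which init scripts are not enabled at boot, and
# whether an `iptables -S` dump shows the chains fw3 installs.

# List every script in ROOT/etc/init.d that has no ROOT/etc/rc.d/S<nn><name>
# link. procd only starts scripts that have such a link; `/etc/init.d/<name>
# enable` creates it and `/etc/init.d/<name> enabled` reports it.
list_disabled_services() {
    root=${1:-}
    for script in "$root"/etc/init.d/*; do
        [ -f "$script" ] || continue
        name=${script##*/}
        set -- "$root"/etc/rc.d/S[0-9][0-9]"$name"   # expands to the link if present
        [ -e "$1" ] || printf '%s\n' "$name"
    done
}

# Succeed when the `iptables -S` dump on stdin contains the zone_wan_input
# chain fw3 creates; a dump of bare -P policy lines means /etc/init.d/firewall
# never loaded /etc/config/firewall.
ruleset_has_wan_zone() {
    grep -q '^-N zone_wan_input$'
}

# Number of rules appended to CHAIN in the dump on stdin (0 for an empty chain).
chain_rule_count() {
    grep -c "^-A $1 " || true
}

# Constructed dump matching the one posted in the thread: default policies only,
# plus the manual eth1 DROP rule, so the WAN side is wide open until fw3 runs.
UNLOADED_DUMP='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth1 -j DROP'

# Stand-alone run: report on the sample dump, then list services that are not
# enabled at boot. OPENWRT_ROOT (assumed name) may point at a mounted rootfs;
# leave it empty to inspect the system the script runs on.
if printf '%s\n' "$UNLOADED_DUMP" | ruleset_has_wan_zone; then
    echo "fw3 zone chains present"
else
    echo "no zone_wan chains: the firewall service never loaded its rules"
fi
if [ -d "${OPENWRT_ROOT:-}/etc/rc.d" ]; then
    list_disabled_services "${OPENWRT_ROOT:-}"
fi
```

On the live container, `iptables -S | ruleset_has_wan_zone` after `/etc/init.d/firewall restart` should succeed, and `list_disabled_services` should not print firewall, network or dnsmasq.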