Hello, I want to configure my network to achieve these:
- IoT devices should be able to access WAN
- IoT devices should NOT be able to access LAN
- LAN devices should be able to access IoT
- Devices of IoT and LAN connect via different SSID
I use VLAN and multiple SSIDs to divide my network to achieve those and have accomplished 1, 2, 4, except the 3.
I tested 3 using the ping
command, from devices in LAN or IoT, resulting in request timeout.
Please help me find out what is wrong, thank you
My network looks like this:
OpenWRT(router) --- Switch --- APs --- all devices
Below are the configurations of the interfaces and firewall on the OpenWRT router.
Please let me know if I should attach any other info.
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd30:9dd4:8530::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
config device 'lan_dev'
option name 'eth0.1'
option macaddr '6c:b0:ce:11:98:ef'
config interface 'wan'
option ifname 'eth0.2'
option proto 'pppoe'
option username 'REMOVED'
option password 'REMOVED'
option ipv6 'auto'
option peerdns '0'
config device 'wan_dev'
option name 'eth0.2'
option macaddr '6c:b0:ce:11:98:f0'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
option auto '0'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '0t 2 4'
config switch_vlan
option device 'switch0'
option vlan '4'
option ports '0t 1t'
option vid '8'
config interface 'IOT'
option proto 'static'
option ifname 'eth0.8'
option ipaddr '192.168.8.1'
option netmask '255.255.255.0'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config rule
option target 'ACCEPT'
option src 'lan'
option name 'LAN2IOT'
option dest 'IOT'
config rule
option enabled '1'
option target 'ACCEPT'
option name 'IOT2LAN'
option src 'IOT'
option dest 'lan'
config zone
option input 'ACCEPT'
option output 'ACCEPT'
option network 'IOT'
option name 'IOT'
option forward 'REJECT'
config forwarding
option dest 'wan'
option src 'lan'
config forwarding
option dest 'lan'
option src 'IOT'
config forwarding
option dest 'wan'
option src 'IOT'
config forwarding
option dest 'IOT'
option src 'lan'
All APs broadcasts 2 SSID:
SSID-IoT
, of VLAN ID 8, for IoT devices
SSID-LAN
, of VLAN ID 1, for LAN devices