I've followed this tutorial (https://www.youtube.com/watch?v=UvniZs8q3eU&list=PLZXNpqQDHIJrgzaR7h1V1AT4bdaNjS0zZ&index=3) for getting multiple networks (private, guest, and IoT) and a dedicated SSID for each. I believe I've done everything correctly, but all wifi connections have access to the internet and the router's web interface despite the firewall rules that should be applied to each interface.
The one step from the tutorial that doesn't match the recent version of OpenWrt is that the interface settings for "bridge interface" and "interface" are gone, and instead I have "Device", which has "bridge: br-lan" as one of the options, so I've selected that. I suspect that is related to my issue. If I set the device to a specific port on the router and plug a laptop in there, I get the firewall behaviour and IP assignments I expect, but then I can't get an IP address at all on the SSIDs.
In the tutorial, separate DHCP ranges were set for each interface which I have also repeated. I've noticed that one device on one SSID picked up an appropriate IP address but is not restricted as expected by the firewall. Another device is getting an IP from the default lan range when it should be getting something different. I'm not sure if this is related. Maybe it is due to connecting to that network before changing the IP range and so an IP reservation got stuck?
What might I be doing wrong here?
I'm running OpenWrt SNAPSHOT r17693-c2222f74c8 / LuCI Master git-21.226.86205-376af36 on a Linksys E8450.
If your device supports an official stable release, I'd recommend using that. However, the best way for us to help is to see your config files.
Please copy the output of the following commands and post it here using the "Preformatted text </>" button.
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
It looks like my router only supports snapshots at this time: https://openwrt.org/toh/linksys/e8450
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd32:0d63:e7ab::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option device 'br-lan'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config interface 'vpn'
<redacted>
config interface 'iot'
option proto 'static'
option ipaddr '172.16.0.1'
option netmask '255.255.255.0'
option device 'br-lan'
config interface 'guest'
option proto 'static'
option ipaddr '10.10.10.10'
option netmask '255.255.255.0'
option device 'br-lan'
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/18000000.wmac'
option channel '1'
option band '2g'
option htmode 'HT20'
option cell_density '0'
option country 'CA'
config wifi-iface 'default_radio0'
option device 'radio0'
option mode 'ap'
option ssid 'good-old-wifi'
option encryption 'sae-mixed'
option key '<redacted>'
option ieee80211w '1'
option network 'guest'
option ieee80211r '1'
option ft_over_ds '0'
option ft_psk_generate_local '1'
config wifi-device 'radio1'
option type 'mac80211'
option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
option channel '36'
option band '5g'
option htmode 'HE80'
option cell_density '0'
option country 'CA'
config wifi-iface 'default_radio1'
option device 'radio1'
option mode 'ap'
option ssid 'good-old-wifi'
option encryption 'sae-mixed'
option key '<redacted>'
option ieee80211w '1'
option network 'guest'
option ieee80211r '1'
option ft_over_ds '0'
option ft_psk_generate_local '1'
config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'ap'
option ssid 'good-old-private'
option encryption 'sae-mixed'
option hidden '1'
option key '<redacted>'
option network 'lan'
option ieee80211r '1'
option ft_over_ds '0'
option ft_psk_generate_local '1'
config wifi-iface 'wifinet3'
option device 'radio1'
option mode 'ap'
option ssid 'good-old-private'
option encryption 'sae-mixed'
option hidden '1'
option key '<redacted>'
option network 'lan'
option ieee80211r '1'
option ft_over_ds '0'
option ft_psk_generate_local '1'
config wifi-iface 'wifinet4'
option device 'radio0'
option mode 'ap'
option ssid 'good-old-iot'
option encryption 'sae-mixed'
option hidden '1'
option key '<redacted>'
option network 'iot'
option ieee80211r '1'
option ft_over_ds '0'
option ft_psk_generate_local '1'
config wifi-iface 'wifinet5'
option device 'radio1'
option mode 'ap'
option ssid 'good-old-iot'
option encryption 'sae-mixed'
option hidden '1'
option key '<redacted>'
option network 'iot'
option ieee80211r '1'
option ft_over_ds '0'
option ft_psk_generate_local '1'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'iot'
option interface 'iot'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone 'lan'
option name 'lan'
list network 'lan'
list network 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone 'wan'
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config rule 'wg'
option name 'Allow-WireGuard'
option src 'wan'
option dest_port '51820'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'guest'
option output 'ACCEPT'
option forward 'REJECT'
option input 'REJECT'
list network 'guest'
config zone
option name 'iot'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'iot'
config forwarding
option src 'lan'
option dest 'iot'
config forwarding
option src 'guest'
option dest 'wan'
config rule
option name 'Guest DHCP and DNS'
option src 'guest'
option dest_port '53 67 68'
option target 'ACCEPT'
You have assigned your new networks to br-lan, which means that they are all associated with the lan firewall zone and are actually all mixed together, as if you'd used an unmanaged switch to link multiple networks.
If you are not using these networks with wired connections, you can simply remove the br-lan device from the iot and guest networks. If you are using wired connections, you will need to create additional bridge devices, separate from the br-lan.
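The layer-2 mix-up described in the reply above can be caught by reading the config rather than by testing each SSID. The following lint, an added example that is not from the thread or from OpenWrt, parses the UCI network file and flags every device referenced by more than one logical interface; the sample input is constructed from the configuration posted earlier in the thread.

```python
# Added example, not from the thread: lint /etc/config/network for logical
# interfaces that share one L2 device. Firewall zones are per interface, but
# hosts on a shared bridge talk at layer 2 without being routed, so the zone
# separation silently disappears (the br-lan mistake discussed above).
from collections import defaultdict
import shlex

# Constructed from the network config posted in the thread (trimmed).
SAMPLE_NETWORK = """
config interface 'lan'
	option ipaddr '192.168.1.1'
	option device 'br-lan'
config interface 'iot'
	option ipaddr '172.16.0.1'
	option device 'br-lan'
config interface 'guest'
	option ipaddr '10.10.10.10'
	option device 'br-lan'
"""

def parse_uci(text):
    """Parse UCI 'config <type> [name]' sections with option/list lines.
    Returns a list of (type, name, {key: value or [values]}) tuples."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw)  # honours the single quotes UCI uses
        if not parts:
            continue
        if parts[0] == "config":
            name = parts[2] if len(parts) > 2 else None
            sections.append((parts[1], name, {}))
        elif parts[0] == "option" and sections:
            sections[-1][2][parts[1]] = " ".join(parts[2:])
        elif parts[0] == "list" and sections:
            sections[-1][2].setdefault(parts[1], []).append(" ".join(parts[2:]))
    return sections

def shared_devices(text):
    """Return {device: [interfaces]} for every L2 device referenced by more
    than one interface; each such interface needs its own bridge."""
    users = defaultdict(list)
    for stype, name, opts in parse_uci(text):
        if stype == "interface" and "device" in opts:
            users[opts["device"]].append(name)
    return {dev: ifaces for dev, ifaces in users.items() if len(ifaces) > 1}

if __name__ == "__main__":
    for dev, ifaces in shared_devices(SAMPLE_NETWORK).items():
        print(f"{dev} is shared by {', '.join(ifaces)}; give each its own bridge")
```

Run it against `cat /etc/config/network` output from a real router and an empty result means every interface has its own device, which is the precondition for the zone rules to mean anything.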
Thank you for the help! I now have it fixed.
For anyone stumbling across this later, just clicking "save and apply" in LuCI was not enough for this to take effect. I needed to also restart my router. I had tried removing the devices from all three networks previously but I did not reboot and just assumed I didn't change the right thing.
system (Closed, October 20, 2021, 1:03am)
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.