Config Sanity Check

Modem -> Edgerouter X -> Netgear WAX202 OpenWrt 22.03.5

I was having a heck of a time accessing luci webgui while on vlan 121(Wifi) & was only able to access it while plugged into my management port (ethernet). After setting my interface lan121(device br-lan121) to dhcp & restarting it got an address from dhcp (Edgerouter) & I was able to access luci from vlan 121.

Is this the right way of setting this up? Do any of you have a better way of doing this?

WAN - trunk to Edgerouter
LAN1&2 - vlan120
LAN3 - management interface for emergency access
iotSSID & 2 other SSIDs for home use
OpenWrt - dhcp is only enabled on LAN3, firewall is turned off
Edgerouter X - handles dhcp, dns, firewall

network

# /etc/config/network as posted. MAC addresses were redacted by the poster
# ('xx:xx:xx:xx:9c:33' etc.); everything else is verbatim.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fdc5:dcc4:228c::/48'

# lan1, lan2 and the 'wan' trunk port share one bridge; the bridge-vlan
# sections further down turn this bridge into a VLAN-filtering one.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'wan'

config device
        option name 'lan1'
        option macaddr 'xx:xx:xx:xx:9c:33'
        option ipv6 '0'

config device
        option name 'lan2'
        option macaddr 'xx:xx:xx:xx:9c:33'
        option ipv6 '0'

config device
        option name 'lan3'
        option macaddr 'xx:xx:xx:xx:9c:33'

# Untagged side of br-lan: no address ('none'). The bridge-vlan '1' section
# below lists no ports, so this interface appears to carry nothing at all.
config interface 'lan'
        option device 'br-lan'
        option proto 'none'

config device
        option name 'wan'
        option macaddr 'xx:xx:xx:xx:9c:34'

# IPv4 on the trunk is unmanaged; wan6 still requests DHCPv6 on it. wan6 is
# the only network in the firewall 'wan' zone, and the poster states the
# firewall service is turned off, so any IPv6 address obtained here would be
# unfiltered — confirm the EdgeRouter does not hand one out, or that it is
# intended.
config interface 'wan'
        option device 'wan'
        option proto 'none'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device
        option name 'eth0'
        option ipv6 '0'

# VLANs 120/121/131/140 are tagged toward the EdgeRouter on the 'wan' trunk
# only; no LAN port is a member of any of them yet (a later reply adds
# lan1/lan2 untagged to VLAN 120).
config bridge-vlan
        option device 'br-lan'
        option vlan '120'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '121'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '131'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '140'
        list ports 'wan:t'

# Emergency admin network: the only static address on the device, bound to
# the physical lan3 port only.
config interface 'MgmtPort'
        option proto 'static'
        option device 'lan3'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option broadcast '192.168.1.255'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'

# Main Wi-Fi VLAN. The DHCP address from the EdgeRouter is what makes LuCI
# reachable from Wi-Fi. Two caveats: (1) this interface is in no firewall
# zone and the firewall is off, so every host on VLAN 121 can reach local
# services such as uhttpd; (2) uhttpd is also serving plain HTTP with
# redirect_https disabled, so admin logins from Wi-Fi go over the air in
# cleartext unless https is used explicitly.
config interface 'lan121'
        option device 'br-lan.121'
        option proto 'dhcp'

# IoT SSID lands here. 'option type' is a device attribute, not an interface
# one — a later reply points this out; it can be dropped.
config interface 'vlan131'
        option device 'br-lan.131'
        option type 'bridge'
        option proto 'none'

config interface 'vlan120'
        option proto 'none'
        option device 'br-lan.120'

# Per the poster, VLAN 140 is not on any physical port yet ("added out of
# habit").
config interface 'vlan140'
        option proto 'none'
        option device 'br-lan.140'

wireless

# /etc/config/wireless as posted; 'PASSWORD' is a placeholder the poster
# substituted for the real PSKs.
config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option band '2g'
        option channel 'auto'
        option cell_density '0'

# SSID1 (2.4 GHz) -> VLAN 121, the network that also carries LuCI access.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'SSID1'
        option encryption 'psk2'
        option key 'PASSWORD'
        option network 'lan121'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
        option band '5g'
        option htmode 'HE80'
        option channel 'auto'
        option cell_density '0'

# SSID2 (5 GHz) -> VLAN 121 as well.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'SSID2'
        option encryption 'psk2'
        option key 'PASSWORD'
        option network 'lan121'

# IoT SSID -> VLAN 131. The vlan131 interface has no address, but with the
# firewall off nothing on this device enforces separation between IoT
# clients and the AP's own services — that separation currently relies on
# the EdgeRouter. If IoT devices need not talk to each other, client
# isolation ('option isolate 1') on this SSID is a cheap extra.
config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'iotSSID'
        option encryption 'psk2'
        option key 'PASSWORD'
        option network 'vlan131'

dhcp

# NOTE(review): this block was posted under the "dhcp" heading but is a
# verbatim repeat of the wireless config above; the actual /etc/config/dhcp
# (which would show that DHCP is only enabled on the MgmtPort network, as the
# poster describes) was not shown.
config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option band '2g'
        option channel 'auto'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'SSID1'
        option encryption 'psk2'
        option key 'PASSWORD'
        option network 'lan121'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
        option band '5g'
        option htmode 'HE80'
        option channel 'auto'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'SSID2'
        option encryption 'psk2'
        option key 'PASSWORD'
        option network 'lan121'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'iotSSID'
        option encryption 'psk2'
        option key 'PASSWORD'
        option network 'vlan131'

firewall

# /etc/config/firewall as posted. This is essentially the stock OpenWrt
# 22.03 ruleset; the poster states the firewall service is turned off, in
# which case none of it is applied and every interface with an address
# exposes all local services.
#
# 'input ACCEPT' here is the policy for traffic arriving on an interface
# that belongs to no zone. Because the 'lan' zone below lists no networks
# and the 'wan' zone lists only wan6, that is currently every network
# (MgmtPort, lan121, ...). Zone membership only becomes an allow-list once
# this default is REJECT.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

# No 'list network' entries, so this zone matches nothing. A later reply
# proposes adding MgmtPort and the VLAN 121 interface here.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# Only wan6 is assigned; the IPv4 'wan' interface (proto none) is in no zone.
# masq '1' would NAT lan->wan traffic if both sides had addresses; routing is
# done on the EdgeRouter per the poster, so this is the stock default rather
# than an intended function here.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

# The rules below are the stock OpenWrt wan-side input/forward exceptions
# (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec); none were modified.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock IPsec pass-through rules toward 'lan'; with the lan zone empty they
# currently match no destination.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
ubus call system board
{
        "kernel": "5.10.176",
        "hostname": "HOSTNAME",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Netgear WAX202",
        "board_name": "netgear,wax202",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "ramips/mt7621",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}

uci show uhttpd
uhttpd.main=uhttpd
uhttpd.main.listen_http='0.0.0.0:80' '[::]:80'
uhttpd.main.listen_https='0.0.0.0:443' '[::]:443'
uhttpd.main.redirect_https='0'
uhttpd.main.home='/www'
uhttpd.main.rfc1918_filter='1'
uhttpd.main.max_requests='3'
uhttpd.main.max_connections='100'
uhttpd.main.cert='/etc/uhttpd.crt'
uhttpd.main.key='/etc/uhttpd.key'
uhttpd.main.cgi_prefix='/cgi-bin'
uhttpd.main.lua_prefix='/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
uhttpd.main.script_timeout='60'
uhttpd.main.network_timeout='30'
uhttpd.main.http_keepalive='20'
uhttpd.main.tcp_keepalive='1'
uhttpd.main.ubus_prefix='/ubus'
uhttpd.defaults=cert
uhttpd.defaults.days='730'
uhttpd.defaults.key_type='ec'
uhttpd.defaults.bits='2048'
uhttpd.defaults.ec_curve='P-256'
uhttpd.defaults.country='ZZ'
uhttpd.defaults.state='Somewhere'
uhttpd.defaults.location='Unknown'
uhttpd.defaults.commonname='OpenWrt'

I am trying to understand your network architecture a bit more.

What is the role of your edgerouter x? I assume this is doing your routing/firewalling and the WAX202 is a dumb access point? Can the WAX202 be a full-fledged router/firewall/AP? Is there something the edgerouter x is doing that the WAX202 cannot? If so, why not take the edgerouter out of the mix and go from the modem to the WAX202 directly?

Homelab/Work testing is why I have it setup this way.

I have 1gbps home internet & the netgear maxes out around 700mbps with software & hardware offloading enabled. I verified 1gbps from the modem.

Plus we're getting a Juniper infrastructure at work that I'm in charge of so I'll be putting a juniper switch in between the edgerouter & the netgear eventually.

Maybe someone else can help with the problem you posted about originally.

I am trying to come up with a way where you have an OpenWrt device directly connected to your modem routing/firewalling is all.

I hear ya & I appreciate it!

Continuing down my path :smiley: is there a way you can satisfy your test conditions and work related stuff with the architecture I am pitching? Perhaps use VLAN segregation for your work stuff. A RPi4 can do gigabit routing if you can find one. I am not a fan of closed source devices.

Modem <--> RPi4 <--> managed switch ---> WAX202 (as dumb AP)
                        |     |
                        |     |
                       /       \
                 work stuff   home lab

Haha I hear you on the open source part, I was originally to go with a mini pc with pfsense but the price point is roughly the same as the edgerouter so I opted for that instead. It's a bigger bonus for me because we have a few at work so I can gain more familiarity with it. I might pick up a rpi4 though & use that for a second network.

Are you using a pi4 with openwrt in your environment? How is it?

I was for a few years. Totally stable and reliable. I switched to an AMD 5800U based miniPC recently for the sole reason of being able to run snort in IPS mode @ gigalan speeds. The RPi4 could not cut it. If it weren't for that, I would happily be running the RPi4B. It can do gigalan speeds with SQM just fine.

That's awesome, I love those things. I still have my Pi1 with a/v out & 3.5mm audio somewhere


There are numerous issues with your current config.

  • I'd recommend starting from scratch (reset to defaults) and then build up one network at a time.

  • You can actually keep the main lan config in place as your emergency management network and then make sure it is assigned only to lan3.

  • You have VLANs 120, 121, 131, and 140 in your configs (although the syntax is wrong), but you only talk about VLAN 120 in your description. I assume those are related to the 3 SSIDs you mentioned and presumably are part of the trunk on the wan port? Is that correct? Do they need to be present on any other ports, or wifi only?

  • Do you want this device to be accessible (for admin) on any of the other networks/VLANs? Your "emergency" management port is the only network that can access the router for admin purposes. That means you always have to physically connect to port 3 and cannot currently administer/configure the device from your trusted lan.

  • Is the ER-X running EdgeOS or OpenWrt?

  • Has its configuration been verified to work properly with respect to your VLANs?

Sorry, you're right, my config isn't fully complete at the moment. I forgot to mention that SSID1&2 are on VLAN 121 & the iot SSID is on VLAN 131. The config is currently working: traffic is segmented on the two enabled VLANs, and I am able to access the web gui from vlan 121 as well as LAN port 3. The ER-X is running EdgeOS.

VLAN 120 will be wired, so LAN1, 2, & 3 eventually.

VLAN 121 is working, it is for my main home WiFi & I am able to access the web gui from SSID1 SSID2 at the moment.

VLAN 131 is for my iot SSID & working as well.

VLAN 140 won't be on any physical ports, so we can ignore it; I just added it out of habit.
Once I got things semi-working I didn't want to progress further in case I had made a complete botched job of my setup.

What's wrong with the syntax of my config with the VLANs? I set them to unmanaged on purpose, with the exception of 121, which I set to dhcp just to make sure I could access the gui from it. I plan on doing static addressing later.

actually, now that I look at it again, I think most of it is okay...

I do see a few issues, though...

The `option type 'bridge'` line does not belong in an interface config.

To get VLAN 120 onto the wired ports, you need to make the bridge-vlan look like this:

# Proposed bridge-vlan for VLAN 120: tagged toward the EdgeRouter on the
# 'wan' trunk, untagged on lan1/lan2. In OpenWrt's bridge-vlan port syntax
# 'u' means untagged and '*' marks the PVID, so untagged frames arriving on
# lan1/lan2 are placed into VLAN 120.
config bridge-vlan
        option device 'br-lan'
        option vlan '120'
        list ports 'wan:t'
        list ports 'lan1:u*'
        list ports 'lan2:u*'

You don't have any networks with explicit zone-based access to the router... since you want the MgmtPort and VLAN 121 networks to have access, make your firewall lan zone look like this:

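# Proposed 'lan' zone granting admin access from the management port and the
# main Wi-Fi VLAN. 'list network' must name the interface *section*: in the
# posted /etc/config/network the VLAN 121 interface is 'lan121', not
# 'vlan121', and a name that matches no interface grants nothing.
# Note: this list only acts as an allow-list once 'config defaults' has
# input set to REJECT; with the posted default of ACCEPT, interfaces not in
# any zone still reach the router's services.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'MgmtPort'
        list network 'lan121'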