Hello,
I recently set up a basic OpenWRT configuration that mainly acts as a router.
Here is my config:
OpenWRT (version 21.02.1) running on a Raspberry Pi 4 model B (version 4GB).
I use a USB to Ethernet adapter to get a second RJ45 port.
On a native port, it's the LAN interface, and WAN for the adapter.
The DHCP server service is enabled for the LAN interface, while the WAN interface is set up as a DHCP client.
LAN network is 192.168.1.0/24, OpenWRT has the static IP @ 192.168.1.1 and serves as the LAN's gateway.
I have a local DNS server and want to use another public DNS as a fallback if the former stops responding.
- First questions regarding DNS.
If I want to use specific DNS servers, should I enter their IP addresses for the WAN, the LAN or both?
Let's look at the situation from the point of view of a device connected to my LAN that will get its network conf via DHCP.
Also, for DHCP, I'd like OpenWRT to indicate to the clients that they should use this local DNS server instead of seemingly having OpenWRT perform DNS resolution on behalf of said client.
- On a Windows device at least, the DNS server obtained from DHCP is listed as 192.168.1.1, but I'd rather have the PC use 192.168.1.30 directly instead of forwarding requests to OpenWRT.
Now, what if I enable the OpenVPN client on OpenWRT and want local devices to access the internet only via the VPN connection? Will they use the DNS servers specified in the OpenVPN config file, or will OpenWRT's DNS servers still prevail?
As mentioned earlier, if I set 2 DNS servers for an interface, will the order specified be used as a priority?
Or will requests be randomly or alternately forwarded to each server an equal number of times?
- In this scenario, I'd like to isolate a device on the LAN (meaning it could not see other devices on the LAN, and vice versa) but still allow it to access the internet. Let's call it EvilDevice.
I guess I could use a separate VLAN to achieve this, but I'm not a network guy, and I feel like that's too much hassle for just 1 device. If I had tens of such EvilDevices, then I would probably reconsider the option.
I can't install any software on EvilDevice. Besides, EvilDevice will be accessing the LAN via a WiFi Access Point on the LAN.
Unfortunately, I don't see any other option, but perhaps you have some ideas?
The FW will be useless here, right? Since devices on the LAN can access each other without having to go through the gateway.
- Next, EvilDevice will need to access some other devices on the LAN (at least one, but I suppose at this point it is less critical if it can access other local devices). But access to the Internet must be blocked. All communications are restricted to the LAN.
I assume I can now benefit from using the FW, maybe iptables?
For the guidelines given in 2) and 3), DHCP should be allowed regardless of the rest of the specified restrictions. And although EvilDevice will be configured via DHCP, I can assign it a static IP address to make the overall setup easier (I just hope it won't generate a new random MAC address on its own each time it is powered on or after X seconds).
EvilDevice : 192.168.1.13
Maybe something like that?
iptables -A FORWARD -s 192.168.1.13 -j DROP # forbid WAN connections (EvilDevice is 192.168.1.13, on the 192.168.1.0/24 LAN)
iptables -I INPUT 1 -p udp --dport 67:68 --sport 67:68 -j ACCEPT # allow the DHCP protocol, but I'm not sure that's actually required? The rule above should not interfere with DHCP requests?
Please let me know if you need any clarification.
Thanks.
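As an added example that is not part of the original post, here is how the pieces described above (a static lease for EvilDevice at 192.168.1.13, DHCP clients being told to use the local DNS server 192.168.1.30 with a public fallback, and a firewall rule that stops 192.168.1.13 from reaching the WAN) could be expressed in OpenWrt's UCI config files on a 21.02 router with the default lan/wan zones. The MAC address and the public fallback DNS address are placeholders, and the dnsmasq pool values are assumptions.

```uci
# /etc/config/dhcp (added example, not the poster's config)

config dhcp 'lan'
	option interface 'lan'
	option start '100'          # assumed pool start
	option limit '150'          # assumed pool size
	option leasetime '12h'
	# DHCP option 6 = DNS servers handed to LAN clients, in this order:
	# the local DNS server first, then the public fallback (placeholder IP).
	list dhcp_option '6,192.168.1.30,203.0.113.53'

# Static lease so EvilDevice always gets 192.168.1.13 (MAC is a placeholder).
config host
	option name 'evildevice'
	option mac '00:11:22:33:44:55'
	option ip '192.168.1.13'


# /etc/config/firewall (added example, not the poster's config)

# Scenario 3): EvilDevice may talk to the LAN but not to the Internet.
# Forwarding from lan to wan is rejected for this one source address only;
# DHCP and DNS requests sent to the router itself (192.168.1.1) go through
# the lan zone's INPUT policy (ACCEPT by default), so they keep working.
config rule
	option name 'EvilDevice-no-wan'
	option src 'lan'
	option src_ip '192.168.1.13'
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'
```

Apply with `/etc/init.d/dnsmasq restart` and `/etc/init.d/firewall restart`. The forwarding rule only covers traffic that crosses the router; as the post already notes, devices on the same 192.168.1.0/24 segment reach each other directly through the switch or access point, so scenario 2) (hiding EvilDevice from its LAN neighbours) needs a separate VLAN, or client isolation on the access point, rather than a firewall rule.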