Hello everybody,
I had set up my Raspberry Pi 3B with OpenWrt; I can access it through SSH and the LuCI interface. I connect it to the Internet through an Ethernet cable using the Ethernet port. I connect a device to one USB port through a USB-Ethernet adapter.
I want to test the case where my device is not working. To do this I tried to block access to the port using iptables. Even if I block every port, the MAC and the IP, it's still working.
This is the point where I need some help to understand.
I removed the whole firewall on OpenWrt to restart from scratch and now I can't create a new one; when I create one and apply the change, it doesn't add it.
I have 2 interfaces: br-WAN and LAN, but the LAN one doesn't get any IP assigned. The device is still working. I set up WAN on eth0 and LAN on eth1. In the UI it says "Connected: No" for the LAN interface. But the device is connected and I know its IP: 192.168.178.182.
LAN and WAN interfaces are not assigned to any firewall zone, so they will use the default values. I think they are ACCEPT for INPUT and OUTPUT.
How did you remove the firewall exactly?
I don't see the point of bridging eth0 and eth1 under WAN, then having another interface (LAN) using eth1, and both interfaces running DHCP protocol.
My suggestion is to restore factory defaults as soon as possible, before you lose access to the device.
Then explain what you would like to achieve and we'll help you with the configuration.
My device communicates with my Amazon server using ports 443 TCP, 123 UDP and 53 UDP. I would like to test the effects of blocking them to see the behavior. From this, when the device is not working, I want to make a diagnostic tool running on the device which could say "443 TCP" is not enabled.
This is why I need to set up a firewall to block the data coming from and going to the device.
Something is wrong here. The factory reset didn't work. You should have 192.168.1.1/24 on LAN and DHCP on WAN. LAN should be assigned to the LAN firewall zone, so it should be green, and WAN should be red.
Which image did you flash?
FYI, it's good practice to mask out your MAC address (and global IP if it's static).
Also, out of curiosity, where is your LAN interface getting IP from? What is its IP now? Ideally you would want a static IP for the LAN interface (not in the same subnet as the WAN interface).
It still doesn't look right.
WAN is bridging eth0 and eth1, while LAN is also using DHCP on eth0. I hope you didn't keep the settings after reflashing.
The LAN is interfacing to the WAN, I guess? This is where I have some trouble understanding. It's connected to the Internet via the WAN to another switch, then to another box.
The IP is 192.168.178.29, found using the following command:
nmap -sn 192.168.178.1/24 | grep OpenWrt
I set the LAN to a static IP, then applied; the result is that I can't connect to it anymore (trying to connect to the IP). I can still access the RPi with the monitor and the keyboard.
If I understand correctly I should have:
WAN on ETH1 with DHCP
LAN on ETH0 with STATIC IP
WAN bridging eth0 to eth1
Why can't I connect to the LuCI interface anymore? How can I reconfigure it using commands?
WAN is now part of the WAN firewall zone, which by default doesn't allow any inbound connections unless they are opened in the firewall.
What you can do is remove the cable from WAN port, plug it in LAN, wait till LAN gets IP from router DHCP and connect to that IP.
I connected the cable from the WAN interface (Ethernet port) to the LAN interface (USB port), ran the same commands, got the same IP, tried to connect to it: still not possible.
You need to tell us what your aim is. What your bigger network is like.
Technically, a router is a device that does the routing between the Wide Area Network (WAN) and the Local Area Network (LAN), or the outside and the inside in plain English. If you don't want that separation, then you need to set the device up as a switch, not a router, so you have both ports on the LAN side.
If you want to bridge WAN and LAN then why make WAN in the first place?
You still have not explained what you are trying to achieve, so I cannot answer that yet.
If you want to separate the broadcast domains from wan side to lan side you don't need bridge.
If you want to have one broadcast domain between eth0 and eth1 make a bridge on LAN that covers both eth0 and eth1.
Verify that the LAN interface has got the IP address and not WAN, because WAN is blocking everything by default.
My suggestion is to restore factory defaults and start from scratch with a solid plan of what you want to achieve.
The RBPi is a router with which I want to control the data going to and from the device. The purpose of it is to understand the behavior when I can't reach the device. From it, I'll make a tool to say "This port is not activated" or "This domain is blacklisted". To do this I want to use the firewall functionality. To me iptables is a good start to DROP the packets going to certain ports or to certain web addresses, to see the behavior when something is not working. I tested the commands on another router but couldn't monitor what was going on, so I know it's possible. Now with this setup I have been able to redirect the packets to my computer using :
Where IP_ADRESS_DEVICE_TO_MONITOR is mostly everything that comes to and from the router. But I can't use the firewall nor iptables properly and don't understand why.
I don't know how to make it clearer, but I can answer your questions.
I will start over again but I need to know:
Do I need a WAN network?
Can WAN be eth0 and LAN eth1?
Do I need to bridge my eth0 and eth1 so my LAN is connected to the Internet through the WAN?
I'm not entirely sure what Device on your graph is, but I will assume it's a laptop that you want to take Internet from the Pi via Ethernet cable.
If your Pi is what connects your network to the outer world, then yes, you need the WAN port and you need the firewall.
Yes. Though I'm not sure if it's fine like this or if you'd better make the USB adapter the WAN and keep the on-board network port for the LAN, to ensure access to the Pi even if the USB adapter or driver misbehaves.
NO. You only bridge the LAN interface (whichever eth0 or eth1 you use for that) with the WiFi interface.
My router is still inside a larger but local network, so I don't need a WAN?
I think I'm starting to understand my mistakes. I still need ETH0 and ETH1 because they are two different interfaces.
I have LAN, which is DHCP on ETH0. Now I need another interface, let's call it DEVICE, with DHCP on ETH1?
In the scenario depicted above you can do the following:
LAN on eth1 with DHCP, if the device runs a DHCP server. Then you would have to switch off the DHCP server on the LAN port of OpenWrt. If there is no other DHCP server, you need to assign a static IP.
WAN on eth0 with DHCP or PPPoE, depending on the provider. Allow port 22 on the WAN interface in the firewall section.
My mistakes came from the WAN. On the diagram "internet" isn't the provider connection, it's another LAN.
This is what I have, and I can communicate with the device. I will try to drop the connections, and if it works the problem will be solved.
Your configuration still doesn't make sense. You have eth1 as interface DEVICE and also included in LAN interface.
OK, from the beginning:
You have internet connection, coming from a router right?
You want to connect the Pi to the router via an Ethernet cable?
You want to connect the Pi to another device by cable?
And you want also to access the Pi by WiFi, right?
If you want the Pi network to be separate from the bigger network, then make one of the eth as WAN, and connect it to the bigger network. Bridge the other eth with the WiFi.
Else, if you want the Pi network to be part of the bigger network, then make one bridged interface of both eth0 and eth1, plus the WiFi.
It's essential to make sure that you have proper configuration as base case before you get into "what if" scenarios.
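As an added illustration (not code from the thread or from OpenWrt itself) of the "separate Pi network" layout the replies converge on (WAN on eth0 with DHCP, LAN on eth1 with a static address, SSH allowed in from WAN) together with the original goal of dropping the device's 443/tcp, 123/udp and 53/udp traffic, the script below emits the matching UCI batch commands. The LAN subnet 192.168.1.1/24 and the device address 192.168.1.100 are assumed values, and the `IFKEY` switch covers the `device` (21.02 and later) versus `ifname` (older releases) naming difference.

```shell
#!/bin/sh
# Emits UCI batch commands for: WAN = eth0 (DHCP to the upstream router),
# LAN = eth1 (static), SSH allowed in from WAN, and the monitored device's
# 443/tcp, 123/udp and 53/udp traffic dropped on its way out, so the
# device's failure behaviour can be observed from the Pi.
# Assumed values: LAN 192.168.1.1/24, device address 192.168.1.100.
DEVICE_IP="${DEVICE_IP:-192.168.1.100}"
IFKEY="${IFKEY:-device}"   # 'device' on OpenWrt 21.02+, 'ifname' on older releases

# No bridge spanning eth0 and eth1: WAN and LAN stay separate.
net_cmds() {
    cat <<EOF
set network.wan.proto='dhcp'
set network.wan.$IFKEY='eth0'
set network.lan.proto='static'
set network.lan.$IFKEY='eth1'
set network.lan.ipaddr='192.168.1.1'
set network.lan.netmask='255.255.255.0'
EOF
}

# One lan->wan forwarding rule matching the device's source IP and one
# destination port; DROP (not REJECT) so the device sees a silent failure.
drop_rule() {  # $1 proto, $2 port
    cat <<EOF
add firewall rule
set firewall.@rule[-1].name='drop_${1}_${2}_from_device'
set firewall.@rule[-1].src='lan'
set firewall.@rule[-1].dest='wan'
set firewall.@rule[-1].proto='$1'
set firewall.@rule[-1].src_ip='$DEVICE_IP'
set firewall.@rule[-1].dest_port='$2'
set firewall.@rule[-1].target='DROP'
EOF
}

fw_cmds() {
    cat <<EOF
add firewall rule
set firewall.@rule[-1].name='Allow-SSH-WAN'
set firewall.@rule[-1].src='wan'
set firewall.@rule[-1].proto='tcp'
set firewall.@rule[-1].dest_port='22'
set firewall.@rule[-1].target='ACCEPT'
EOF
    drop_rule tcp 443; drop_rule udp 123; drop_rule udp 53
}

count_drops() { fw_cmds | grep -c "target='DROP'"; }   # 3 expected
```

On the Pi, pipe `net_cmds; fw_cmds` into `uci batch`, then run `uci commit` and reload the network and firewall services; the device should then fail on exactly those three ports while the Pi stays reachable on 22/tcp from the upstream network.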