Creating a local wireless network inside the main wired network: problems accessing LuCI and SSH from WAN

Hello,

I recently flashed OpenWrt 18.06.2 on a PC Engines APU2D4 board.

My goal would be to use it in order to generate a local WLAN network inside my main home local network.
I was able to successfully set up the network by assigning the eth2 interface to wan (for instance with IP 192.168.1.200, assigned through DHCP by my home router) and wlan0 to lan (for instance with IP 192.168.2.1).

After noticing that I could not access LuCI from the WAN (wired) side of the network, I was able to successfully open port 2222 in order to use SSH from this side of the network too (after launching a new dropbear instance, listening on port 2222 and for the WAN only), but I am a bit concerned about opening other ports too.
As I have enabled LuCI over HTTPS, should I enable port 443 in the firewall? Is this safe enough? Or is it better to create an SSH tunnel for the HTTPS traffic?

Moreover, I noticed that after launching two dropbear instances:

  1. Listening on port 22 for LAN (wireless "local-inside-local" network)
  2. Listening on port 2222 for WAN (wired local network)

I can't access the device from port 22 anymore (even on the LAN side, where, before setting up the second instance, I could use this port). Now I should use 2222 no matter if I am connected to the LAN or WAN (and no matter which IP address I use: 192.168.1.200 or 192.168.2.1), as using port 22 results in a refused connection.

Do you know why this is happening?

Thank you very much in advance.

Since your main router is connected to the public internet, not the APU2D4, you can relax the restrictions of the APU2D4 WAN zone, including disabling NAT on the WAN to avoid double NAT.

https://openwrt.org/docs/guide-user/network/switch_router_gateway_and_nat#device_as_router_with_disabled_nat_additional_routing_rules

Thank you very much!
I will relax the WAN zone restrictions and have a look at the page you posted.

Just as a matter of curiosity now, why do I observe the port problem when launching multiple dropbear instances? Shouldn't I be able to access the device using both instances?

Can you post the output of
uci show dropbear ; uci show firewall ; uci show network

Of course!

Here is the output I get (after enabling port 443 for WAN):

uci show dropbear:

dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].Port='22'
dropbear.@dropbear[0].PasswordAuth='on'
dropbear.@dropbear[0].Interface='lan'
dropbear.@dropbear[1]=dropbear
dropbear.@dropbear[1].PasswordAuth='on'
dropbear.@dropbear[1].Interface='wan'
dropbear.@dropbear[1].Port='2222'

uci show firewall:

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].network='wan wan6'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@rule[9]=rule
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].src='wan'
firewall.@rule[9].proto='tcp'
firewall.@rule[9].name='Enable-SSH-on-WAN'
firewall.@rule[9].dest_port='2222'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[0].src='lan'
firewall.@rule[10]=rule
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].src='wan'
firewall.@rule[10].proto='tcp'
firewall.@rule[10].dest_port='443'
firewall.@rule[10].name='Enable-LuCI-on-WAN'

uci show network:

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdf2:7831:d9c4::/48'
network.lan=interface
network.lan.ifname='wlan0'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.gateway='192.168.1.1'
network.lan.ipaddr='192.168.168.1'
network.wan=interface
network.wan.proto='static'
network.wan.ipaddr='192.168.1.250'
network.wan.netmask='255.255.255.0'
network.wan.gateway='192.168.1.1'
network.wan.broadcast='192.168.1.255'
network.wan.dns='8.8.8.8 8.8.4.4'
network.wan.ifname='eth2'
network.wan6=interface
network.wan6.ifname='eth0'
network.wan6.proto='dhcpv6'
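An added check, not part of the thread: a small POSIX sh/awk filter that reads `uci show firewall` output (the same format as above) and lists every rule that ACCEPTs traffic arriving from the wan zone and addressed to the router itself, which is exactly the exposure being discussed here. The sample data is a constructed subset of the output posted above; on the device you would pipe the real `uci show firewall` into it.

```shell
# Constructed sample: a subset of the `uci show firewall` output posted above.
sample_uci() {
cat <<'EOF'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].src='wan'
firewall.@rule[9].proto='tcp'
firewall.@rule[9].name='Enable-SSH-on-WAN'
firewall.@rule[9].dest_port='2222'
firewall.@rule[10]=rule
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].src='wan'
firewall.@rule[10].proto='tcp'
firewall.@rule[10].dest_port='443'
firewall.@rule[10].name='Enable-LuCI-on-WAN'
EOF
}
# Print "name proto dest_port" for each rule that ACCEPTs wan traffic to the router
# itself: rules without 'dest' go to the input chain; rules with 'dest' (forward) are skipped.
wan_accept_rules() {
  awk -F"'" '
    /^firewall\.@rule\[[0-9]+\]\./ {
      # $1 is "firewall.@rule[N].option=", $2 is the quoted value
      split($1, p, "[.=]"); sec = p[2]; opt = p[3]
      val[sec, opt] = $2
      if (!(sec in seen)) { seen[sec] = 1; order[++n] = sec }
    }
    END {
      for (i = 1; i <= n; i++) {
        s = order[i]
        if (val[s, "src"] == "wan" && val[s, "target"] == "ACCEPT" && !((s, "dest") in val))
          printf "%s %s %s\n", val[s, "name"], val[s, "proto"], val[s, "dest_port"]
      }
    }'
}
# Demo on the constructed sample; on the router use: uci show firewall | wan_accept_rules
sample_uci | wan_accept_rules
```

Anything this prints is reachable from the wired home network, so the list is what to review when deciding whether 443 and 2222 (or 22) should stay open on the wan zone.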

LuCI configuration for dropbear:

Remove this:

Fix this into eth2

Other than that your settings are fine.
Consider what @mbo2o said to relax the security settings. The device is already in your lan, so the firewall restrictions and the masquerade of wan zone are not so much needed.
Basically you are using it as a dumb ap, so maybe you'd want to convert it into one.

Thank you very much!
I will surely consider relaxing all the WAN security settings.

By the way, I just discovered that if I enable port 22 in the firewall, both the dropbear instances start working as they should!

This should matter only for the wan port, as lan is allowed by default in the firewall.

I tried creating the double dropbear instance again, and now it seems that port 22 is being accepted both by LAN and WAN devices when connecting to the PC Engines board, despite what I set in LuCI (the opposite situation from before).

However, probably due to the forwarding mechanism, I can access both interfaces at their respective IP addresses from any device connected to the wireless network (i.e. to the LAN).
For instance, from a device in the LAN (with IP 192.168.2.100) I can ping without any problem both 192.168.1.200 and 192.168.2.1.

Can this be the explanation for what I'm observing?

It is normal that you can ping from a subnet to the subnet above. If your router is 192.168.2.1 and your IP is 192.168.2.100, and the router is connected to the 192.168.1.x subnet, then from 192.168.2.100 you will see both the 192.168.2.x and the 192.168.1.x subnets, but not vice versa, because of NAT in the 192.168.2.1 router.