Creating a wireless DMZ, routing broken [Solved]

Hi,
I'm running OpenWrt 18.06.1 on a Netgear ACM3200. What I'm trying to do is create an additional wireless network (SSID bigwideworld) on a separate network interface (DMZ). I don't even want to bridge it or do anything else yet. Unfortunately this breaks all connectivity to the outside world (WAN) from every internal network. The only files I'm altering are /etc/config/wireless and /etc/config/firewall (and, as shown below, /etc/config/network) — the changes I've introduced are the commented-out lines below. I've included the output of the `route` command from before and after at the bottom. It looks like the default route is being changed to send everything to the 192.168.2.0 network via wlan0, which is the last thing I want. If anyone has any suggestions on how to make this work as expected, please let me know, as I'm getting desperate!

cat /etc/config/wireless
# /etc/config/wireless as posted (OpenWrt 18.06.1, three mac80211 radios).
# Review notes are the '#' lines; UCI parses them, but tools that rewrite the
# file (uci set/commit, LuCI) typically do not preserve them.

# 5 GHz radio: 11a, channel 36, VHT80, regulatory domain GB.
config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
        option htmode 'VHT80'
        option country 'GB'
        option legacy_rates '1'

# AP intended for the DMZ. At runtime this is wlan0: it is the only wlan
# interface in the `ip link` output further down without "master br-lan".
# 'key' is a placeholder here; use a long random passphrase in the real file.
# wpa_disable_eapol_key_retries is the KRACK-related hardening knob and is set
# only on this AP -- consider setting it on radio1/radio2 as well.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'bigwideworld'
        option encryption 'psk2+ccmp'
        option key 'example'
        option wpa_disable_eapol_key_retries '1'
#       option network 'DMZ'
# ^ The wifi-iface 'network' option is what attaches an AP to a network
#   interface (compare default_radio1 below, which lands in br-lan this way).
#   With it commented out, this AP is not attached to DMZ at all.
#   NOTE(review): this line is the OpenWrt binding for wlan0 -> DMZ; an
#   'option ifname wlan0' in /etc/config/network is not required for that.

# 2.4 GHz radio: 11g, channel 11, HT20. country '00' is the world regulatory
# domain and disagrees with GB on radio0 and US on radio2 -- set all three
# radios to the actual location so they run under one consistent regdomain.
config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
        option htmode 'HT20'
        option country '00'
        option legacy_rates '1'

# LAN AP; runs as wlan1 (shown with "master br-lan" in the ip link output).
config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option encryption 'psk2+ccmp'
        option key 'example'
        option ssid 'greyarea'
        option network 'lan'

# Third radio, attached via the mmc0 host per its path. Country US -- see the
# regdomain note on radio1.
config wifi-device 'radio2'
        option type 'mac80211'
        option hwmode '11a'
        option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
        option htmode 'VHT80'
        option channel '153'
        option country 'US'
        option legacy_rates '1'

# Disabled AP whose SSID is a case-variant of the DMZ SSID but whose network
# is 'lan'. If it is ever enabled it would broadcast a DMZ-looking name that
# drops clients onto the LAN. Rename it or point it at DMZ before enabling.
config wifi-iface 'default_radio2'
        option device 'radio2'
        option mode 'ap'
        option encryption 'psk2+ccmp'
        option key 'example'
        option ssid 'BigWideWorld'
        option disabled '1'
        option network 'lan'
root@Magic:/etc/config# cat network

# /etc/config/network as posted. Only the commented-out DMZ stanza at the
# bottom is new; it is the change that broke WAN access (see notes there).
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdea:5a10:7985::/48'

# LAN: 192.168.1.1/24 bridged over eth0.1 (switch VLAN 1, ports 0-3).
# Wifi APs join br-lan through their wifi-iface 'network' option, not via
# ifname -- ip link shows wlan1 in br-lan although only eth0.1 is listed here.
config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ifname 'eth0.1'

# WAN: eth1.2 (switch VLAN 2, port 4). Address and the router's default route
# come from the upstream DHCP server -- the first `route` listing shows
# "default ... eth1.2".
config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1 = LAN ports 0-3, tagged to CPU port 5 (eth0.1).
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

# VLAN 2 = WAN port 4, tagged to CPU port 6 (eth1.2).
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

# DMZ stanza -- the change that breaks Internet access. Review notes:
# - 'option gateway 192.168.2.1' installs a default route through this
#   interface at its own address. The second `route` listing shows the result,
#   "default 192.168.2.1 ... wlan0", in place of the default route via eth1.2.
#   A directly attached network that this router itself addresses needs no
#   gateway; remove the line.
# - 'option broadcast' is derivable from ipaddr/netmask and is not needed.
# - '_orig_ifname'/'_orig_bridge' look like LuCI bookkeeping; 'wlan0-1' does
#   not even match the runtime name (wlan0) shown by `ip link`.
# - Attach the AP by uncommenting 'option network DMZ' in the radio0 wifi-iface
#   in /etc/config/wireless; NOTE(review): no ifname should be needed here for
#   a wifi-only interface.
# - Nothing posted puts DMZ in a firewall zone or gives it a DHCP pool
#   (/etc/config/firewall and /etc/config/dhcp are not shown). An interface no
#   zone covers runs under the firewall's default policies, which in a stock
#   config accept input to the router, so DMZ clients could reach SSH/LuCI.
#   Give it its own zone (input/forward REJECT, accept DHCP udp/67-68 and DNS
#   port 53 from the zone) with a forwarding to wan only.
#config interface 'DMZ'
#        option _orig_ifname 'wlan0-1'
#        option _orig_bridge 'false'
#        option proto 'static'
#        option ipaddr '192.168.2.1'
#        option netmask '255.255.255.0'
#        option gateway '192.168.2.1'
#        option broadcast '192.168.2.255'
root@Magic:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         <outside>       0.0.0.0         UG    0      0        0 eth1.2
<outside network>     *               255.255.254.0   U     0      0        0 eth1.2
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan

With the commented-out DMZ changes above applied, this becomes:

root@Magic:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.2.1     0.0.0.0         UG    0      0        0 wlan0
<outside network>     *               255.255.254.0   U     0      0        0 eth1.2
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.2.0     *               255.255.255.0   U     0      0        0 wlan0

You're missing option network.DMZ.ifname.

You mean I should put an option ifname 'default_radio0' in the network.DMZ block?

Thanks

No, you need to specify the kernel network interface name, the one shown in the `ip link` output.

OK, I used `ip link show` and got the following output:

root@Magic:~# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 532
    link/ether 60:38:e0:cb:62:30 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 532
    link/ether 62:38:e0:cb:62:30 brd ff:ff:ff:ff:ff:ff
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 62:38:e0:cb:62:30 brd ff:ff:ff:ff:ff:ff
9: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 62:38:e0:cb:62:30 brd ff:ff:ff:ff:ff:ff
10: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 60:38:e0:cb:62:30 brd ff:ff:ff:ff:ff:ff
11: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 60:38:e0:cb:62:32 brd ff:ff:ff:ff:ff:ff
12: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether 60:38:e0:cb:62:31 brd ff:ff:ff:ff:ff:ff

wlan0 (the only wlan interface above without `master br-lan`, i.e. the radio0 AP) corresponds to the device I want to use for DMZ, so would
option ifname wlan0

be OK?

Thanks again!

Do not put an 'option gateway' in the DMZ network. It installs a default route through that interface — your second `route` output shows `default 192.168.2.1 ... wlan0` where the WAN route via eth1.2 used to be — so the whole router was sending Internet-bound traffic into the DMZ. A network that the router itself addresses (192.168.2.1 is its own address) needs no gateway entry.

By default the router's default gateway is received on the WAN via dhcp, which is usually what you want.

If you want the "DMZ" to be what is commonly called a guest network, put it in its own firewall zone (input and forward REJECT, with explicit accept rules from that zone to the router for DHCP, udp/67-68, and DNS, port 53) and add a forwarding from that zone to wan. Do not leave the interface outside every zone: an interface no zone covers falls under the firewall's default policies, which in a stock config accept input, so DMZ clients could reach the router's own SSH and LuCI. With the zone in place, users of DMZ can access the Internet but not your LAN or the router's admin services.


Also, not sure if it is a typo or a mistake, but radio2's SSID is 'BigWideWorld' (the DMZ SSID with different case) while its network is 'lan'.
Other than that, follow @mk24's advice and remove the default gateway from the DMZ stanza.

Thanks so much! I was under the impression that each interface needed a gateway and that these were joined together.
