Creating isolated guest networks via VLANs, on a single-port AP

I have two newly minted OpenWRT devices here, an ER-X and a Unifi AP. I'm going to be using the Unifi AP as a dumb AP. My router works perfectly fine, no issues at all. The AP also works fine as-is for standard wifi networks. But, I would like to isolate three different groups of wifi users, lan/untrusted/guest. Each of these groups has its own wifi network.

However, the UAP_AC only has a single network port. I don’t really see why this would be a problem, except that I don't seem to grasp the concepts enough to make things work. All of the tutorials & such that I've come across expect there to be a second interface, and I can't seem to extrapolate it down. The one thread that seemed on-point somehow didn't work for me (or at least, I didn’t understand it enough).

On the router, I created all 3 VLANs, set the "lan" to "untagged" on all interfaces, then on eth4, the other two VLANs are set as "tagged". I switched br-lan to br-lan.1, and everything seems fine.

On the AP, I am not wildly sure what to do here. I've got bridge devices, interfaces, and made a test wifi network, and it doesn't work. That is, I can connect, but only with a client using a static IP address, and its packets don't seem to go anywhere. I'm guessing they're not getting forwarded to the router, given that they aren't able to get a DHCP lease.

So, what combination of things do I need to plug into each other to send tagged packets back & forth to the router? I'm comfortable with Linux but I'm woefully stupid about networking anything, and I need some help :confused:

AP:

/etc/config/network
# /etc/config/network on the AP as first posted.
# Review summary: the AP carries Layer 3 state (static addresses) on the
# untrusted and guest VLANs; a bridge-only AP should not.
config interface 'loopback'
option device 'lo'
option proto 'static'
list ipaddr '127.0.0.1/8'

config globals 'globals'
option dhcp_default_duid '00047dd6f960d14147f19e4e07f844864861'
option ula_prefix 'fd26:e1cc:2c3c::/48'
option packet_steering '1'

# The single wired port is the only bridge member; every VLAN rides eth0.
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'

# Management address of the AP, obtained by DHCP on VLAN 1 from the router.
# If no DHCP server is reachable upstream the AP ends up with no address at all.
config interface 'lan'
option device 'br-lan.1'
option proto 'dhcp'
option ip6assign '60'
option multipath 'off'

config interface 'lan6'
option proto 'dhcpv6'
option device 'br-lan.1'
option reqaddress 'try'
option reqprefix 'auto'
option norelease '1'
option multipath 'off'

# Bridge VLAN filtering: VLAN 1 leaves eth0 untagged, VLANs 2 and 3 tagged (':t').
# This mirrors the router side (eth4: vlan 1 untagged, vlans 2/3 tagged).
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'eth0'

config bridge-vlan
option device 'br-lan'
option vlan '2'
list ports 'eth0:t'

config bridge-vlan
option device 'br-lan'
option vlan '3'
list ports 'eth0:t'

# i_untrusted / i_guest give the AP static addresses inside the trusted LAN
# subnet (192.168.1.0/24, the router's 'lan') but on the untrusted and guest
# VLANs.  Besides overlapping with the address 'lan' obtains on VLAN 1, this
# gives untrusted/guest wifi clients a Layer 3 path to the AP's own services
# (ssh, LuCI) as soon as a zone with input ACCEPT is attached -- which the
# f_untrusted / f_guest zones in the AP firewall config do.  For a bridge-only
# AP these interfaces should be proto 'none'.
config interface 'i_untrusted'
option proto 'static'
option device 'br-lan.2'
option ipaddr '192.168.1.70'
option netmask '255.255.255.0'
option multipath 'off'

config interface 'i_guest'
option proto 'static'
option device 'br-lan.3'
option ipaddr '192.168.1.72'
option netmask '255.255.255.0'
option multipath 'off'

# Second-level bridges stacked on br-lan.2 / br-lan.3.  The wifi-iface in the
# wireless config attaches to network 'i_untrusted' (device br-lan.2), so
# br_untrusted / br_guest appear to be unused here -- likely left over from an
# earlier attempt.
config device
option type 'bridge'
option name 'br_untrusted'
list ports 'br-lan.2'
option bridge_empty '1'

config device
option type 'bridge'
option name 'br_guest'
list ports 'br-lan.3'
option bridge_empty '1
# NOTE(review): the line above is missing its closing quote in the paste; if the
# file on the device looks like this, UCI will not parse it as intended.
/etc/config/wireless
# /etc/config/wireless on the AP as first posted.
config wifi-device 'radio0'
option type 'mac80211'
option path 'pci0000:00/0000:00:00.0'
option band '5g'
option channel '44'
option htmode 'VHT80'
option cell_density '0'
option country 'US'

config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/ahb/18100000.wmac'
option band '2g'
option channel 'auto'
option htmode 'HT20'
option cell_density '0'
option country 'US'

# Test SSID attached to network 'i_untrusted' (device br-lan.2), so client
# frames leave eth0 tagged with VLAN 2.  The PSK below is a throwaway value
# per the post; a real PSK should never be pasted into a public thread.
config wifi-iface 'wifinet2'
option device 'radio1'
option mode 'ap'
option ssid 'Aetheruntrusted'
option encryption 'psk2'
option key 'only a test'
option network 'i_untrusted'
/etc/config/dhcp

config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'hybrid'
option ra 'hybrid'
list ra_flags 'managed-config'
list ra_flags 'other-config'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option leasefile '/tmp/odhcpd.leases'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
option piodir '/tmp/odhcpd-piodir'
option hostsdir '/tmp/hosts'

/etc/config/firewall

config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'

config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

# Zones for the AP's VLAN interfaces.  With input ACCEPT, and i_untrusted /
# i_guest holding static addresses (network config), hosts on the untrusted
# and guest SSIDs can reach whatever the AP itself listens on (ssh, LuCI, ...).
# On a bridge-only AP these zones are unnecessary: make the interfaces proto
# 'none' and let the router's zones enforce isolation.
config zone
option name 'f_untrusted'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'i_untrusted'

config zone
option name 'f_guest'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'i_guest'

Router:

/etc/config/network

config interface 'loopback'
option device 'lo'
option proto 'static'
list ipaddr '127.0.0.1/8'

config globals 'globals'
option dhcp_default_duid '000455f4ce1025a14671ab374f1a5aeeff2e'
option ula_prefix 'fd74:533b:71d5::/48'
option packet_steering '1'

config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
list ports 'eth2'
list ports 'eth3'
list ports 'eth4'
option bridge_empty '1'

config interface 'lan'
option device 'br-lan.1'
option proto 'static'
list ipaddr '192.168.1.1/24'
option ip6assign '60'
option multipath 'off'

config interface 'wan'
option device 'eth0'
option proto 'dhcp'

config interface 'wan6'
option device 'eth0'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option norelease '1'
option peerdns '0'
list dns '2606:4700:4700::1111'
list dns '2606:4700:4700::1001'
option multipath 'off'

config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'eth1'
list ports 'eth2'
list ports 'eth3'
list ports 'eth4'

config bridge-vlan
option device 'br-lan'
option vlan '2'
list ports 'eth4:t'

config bridge-vlan
option device 'br-lan'
option vlan '3'
list ports 'eth4:t'

config device
option type 'bridge'
option name 'br_guest'
list ports 'br-lan.3'

config interface 'int_devices'
option proto 'static'
option device 'br-lan'

config device
option type 'bridge'
option name 'br_untrusted'
list ports 'br-lan.2'

/etc/config/dhcp

config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option ra_preference 'medium'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/odhcpd.leases'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
option piodir '/tmp/odhcpd-piodir'
option hostsdir '/tmp/hosts'

config host
option name 'smokey'
list mac '80:2A:A8:C3:3F:02'
option hostid '0004'
option ip '192.168.1.2'
list duid '00047dd6f960d14147f19e4e07f844864861%1'

/etc/config/firewall

config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option drop_invalid '1'
option flow_offloading '1'
option flow_offloading_hw '1'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

You’re very close, but the main issue is architectural: you’re doing too much on the AP.

If you’re using the AP as a dumb AP, all Layer 3 logic (IP addresses, DHCP, firewall, isolation) must live on the router — not on the AP.

Right now your VLANs exist, but the router is not properly serving them as separate networks, which is why clients don’t get DHCP leases.


Fix the router first

On the router, you need a proper interface for each VLAN. For example:

config interface 'lan'
option device 'br-lan.1'
option proto 'static'
option ipaddr '192.168.1.1/24'

config interface 'untrusted'
option device 'br-lan.2'
option proto 'static'
option ipaddr '192.168.2.1/24'

config interface 'guest'
option device 'br-lan.3'
option proto 'static'
option ipaddr '192.168.3.1/24'

Then enable DHCP on each network:

config dhcp 'untrusted'
option interface 'untrusted'
option start '100'
option limit '150'
option leasetime '12h'

config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'

Also make sure you create proper firewall zones and restrict access (e.g. guest/untrusted should not access LAN).


Then fix the AP

Only after the router is correctly set up:

  • remove any static IPs from VLAN interfaces on the AP

  • disable DHCP on the AP

  • set VLAN interfaces to proto 'none'

  • attach SSIDs to the correct VLANs (e.g. br-lan.2, br-lan.3)

The AP should only bridge traffic and tag VLANs — no routing.

show this:

I agree with @ncompact, but there are a few other things that need to be done...

On the router...

Delete the bridge_empty line:

Add :u* at the end of each port to indicate untagged + PVID for VLAN 1... for example:

list ports 'eth1:u*'

Apply the above to all ports here:

Delete these:

On the AP...

  • It can be a good idea to use a static IP on the AP's lan interface... not required, but helpful because if the AP doesn't have a working DHCP server upstream, it'll have no address at all.
  • You probably don't need the lan6 interface -- it can be deleted:
  • per what @ncompact said, make your additional interfaces unmanaged like this:
config interface 'i_untrusted'
    option proto 'none'
    option device 'br-lan.2'

config interface 'i_guest'
    option proto 'none'
    option device 'br-lan.3'
  • Delete these:
  • also per the previous advice, be sure to disable the DHCP server on the lan
  • Delete this:

That should do it.

Also, it should be noted that the configuration as described assumes a direct connection from port eth4 on the router to the AP (if you're using a PoE injector, that's the equivalent of a direct connection; if you have a PoE switch between them, it is not).

Thanks for the info so far :slight_smile: I picked a terrible day to post this, because I’m not able to poke at the machines much, but I did shake the router into a more reasonable shape, and it’s still happy! I went through with @ncompact's stuff on normalizing the router, but promptly soft-locked myself out of the AP from a uci session, so that’s slowed things down. @psherman, I’m going to have to spend some more time with A/B config files in facing text editor panels to fully get a handle on your thoughts :slight_smile: Since I’m not vibe-coding my damn network (remember when we all just cut & pasted from Stack Overflow?), I need to get some learning in quick. Just didn’t want to ghost my own thread!

Well, after all this, the ER-X bricked itself, so I’m back on an ancient (2010!) backup router, which, of course, doesn’t support dsa. I don’t see any real point in learning to set up machines with swconfig, so this is getting shelved for a while (har), until funding presents itself.

Thanks for the help, this will be an excellent reference when I have some new hardware, one of these days! :slight_smile:

Bummer :frowning:

But... it should be recoverable.

  • If it's config based, you should be able to use OpenWrt failsafe mode to fix or reset.
  • If it's deeper than just the OpenWrt config, there are methods to restore the device firmware using tftp and/or serial (pretty easy if you have the latest bootloader on it); see this doc from UI.

I disagree. swconfig still exists on some targets and it's not known if/when those remaining targets will transition to DSA. Being fluent in both methods is really useful. Additionally, everything beyond the actual configuration of the internal switch is the same for swconfig vs DSA -- network interfaces, firewall configurations, PBR (if relevant for you), etc.. And, beyond all of that, you can improve your network's security posture by having untrusted (guest/IoT) networks isolated from your trusted one(s).

If you'd like to get the swconfig setup working, it's really quite simple... just post the /etc/config/network config and indicate which port will be used to connect to the AP.

It’s an actual hardware fault. That’s why I pulled it in the first place (a bit ago) because it wouldn’t boot, but a few days later it was magically fixed. This time, same thing, except it broke itself randomly. When it’s not working, it doesn’t even get to the point of turning on the serial console. Now, suddenly, as I brought it back to hook it up to a local terminal and see if I can see anything anyway, suddenly it boots fine.

I suspect ghosts.

Since I don’t trust this thing, I’ll go ahead and settle into my Netgear WNDR3700v2 for a while, with its 2010 vibe, I suppose, even if it goes back to being a backup. So on this thing, the external ports & internal switch are lined up in a mostly reverse order. All I changed was the WAN IP address and reserved DHCP leases, so everything else is like it was, as far as I know.

I'd be using it such as:

  • WAN is on CPU eth1
  • WiFi AP is on switch port 0.
  • (unmanaged switch is on switch port 3)
/etc/config/network
config globals 'globals'
	option dhcp_default_duid '00043367466e843f419f95af935c3eb88988'
	option ula_prefix 'fdae:cfd5:d9d3::/48'
	option packet_steering '1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr '192.168.1.1/24'
	option ip6assign '60'
	option multipath 'off'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'
	option multipath 'off'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config device
	option name 'eth0'
	option macaddr 'c6:3d:c7:8f:00:a9'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'
	option blinkrate '2'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'

config switch_port
	option device 'switch0'
	option port '1'
	option led '6'

config switch_port
	option device 'switch0'
	option port '2'
	option led '9'

config switch_port
	option device 'switch0'
	option port '5'
	option led '2'

We do not have ghosts in router hardware. Only demons daemons (which are much harder to exorcise).

So... on to your WNDR3700v2...

Add the following to the router's network config:

# swconfig equivalent of the DSA bridge-vlan setup: VLANs 2 and 3 are tagged
# ('t') on switch port 0 (the port the AP hangs off, per the post above) and
# on port 5 (presumably the CPU-facing port, since vlan 1 already includes it
# alongside the LAN ports -- confirm for this board).  Port 0 stays untagged
# in vlan 1 for the AP's management VLAN.
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 5t'

# One bridge per VLAN on the CPU side (eth0.2 / eth0.3 are the tagged
# sub-interfaces of eth0).
config device
	option name 'br-untrusted'
	option type 'bridge'
	list ports 'eth0.2'

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.3'

# A distinct subnet per VLAN is what lets DHCP and the firewall zones treat
# untrusted and guest as separate networks rather than as more of 'lan'.
config interface 'untrusted'
	option device 'br-untrusted'
	option proto 'static'
	list ipaddr '192.168.2.1/24'

config interface 'guest'
	option device 'br-guest'
	option proto 'static'
	list ipaddr '192.168.3.1/24'

Be sure to add DHCP servers for those networks:

# DHCP pools on the router for the two new networks, keyed by the interface
# name from /etc/config/network.  Same pool size/lease time as 'lan'.
config dhcp 'untrusted'
    option interface 'untrusted'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv4 'server'

config dhcp 'guest'
    option interface 'guest'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv4 'server'

and then the firewall -- you can create zones and rules per the link I provided earlier:

or, you could temporarily just add those two new networks to the lan firewall zone for initial bringup/testing (this is just for checking that the network/dhcp/vlan config is working, it will not isolate the networks from a firewall perspective).

There isn't really a 2010 vibe about that device; yes, it's still swconfig (but as psherman said, that's not totally out of the picture for some contemporary devices either). Obviously its performance (and flash && RAM) are a bit on the low side, but it still runs current OpenWrt mostly fine, so based on that aspect -from the software side- it's completely fine and current (up to snapshots).

That's the beauty of OpenWrt, as long as the device is still supported (and meets minimum system requirements), you can stay fully up to date, including all security fixes and new features. Yes, at some point you may start to want upgrading the hardware (to gain faster wireless speed, profit from faster WAN speeds, etc.), but -current- OpenWrt will still continue to work quite a while.

Holy hell, I think I made it work. I wanted luci's revert feature, so I mostly set things up from there, with a tweak in the config files as necessary. And it goes! That is, all 3 zones can access the internet, and ping the internet & router (to check if broken); only lan can see the rest of my network. Awesome.

[eta]: Yeah, old hardware stays relevant for a long time! I picked up the AP after I'd had the WNDR3700v2 for a good number of years, for coverage and newer protocols, but it ticked along nicely for a while after that. I don't remember why I swapped out the router for the ER-X, I think it might have been speed [chuckles in firmware] or protocol support or something. Lo and behold, with the power of open source firmware, it's suddenly not only useful again, but works well enough that I don't see the need to replace it in the near future!
I mean, I will, but that's because I want a backup, as this whole hardware swap thing has taught me (also, a fiber modem entered the picture right around when the ER-X died for the second (?) time, so the ISP router was in use for a while).
Plus, in these modern times, I need to know that I actually own my hardware, and not a company.

I'll put my config files here as an exercise to the reader. Now I just need to figure out why a port forward between lan <- untrusted blocks all network access on untrusted :slight_smile:

Router network

config interface 'loopback'
option device 'lo'
option proto 'static'
list ipaddr '127.0.0.1/8'

config globals 'globals'
option dhcp_default_duid '00043367466e843f419f95af935c3eb88988'
option ula_prefix 'fdae:cfd5:d9d3::/48'
option packet_steering '1'

config interface 'lan'
option device 'br-lan'
option proto 'static'
list ipaddr '192.168.1.1/24'
option ip6assign '60'
option multipath 'off'

config interface 'wan'
option device 'eth1'
option proto 'dhcp'

config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option norelease '1'
option multipath 'off'

config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'

config device
option name 'eth0'
option macaddr 'c6:3d:c7:8f:00:a9'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
option blinkrate '2'
option enable_vlan4k '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5'
option description 'lan'

config switch_port
option device 'switch0'
option port '1'
option led '6'

config switch_port
option device 'switch0'
option port '2'
option led '9'

config switch_port
option device 'switch0'
option port '5'
option led '2'

# Isolated VLANs: tagged on port 0 (towards the AP) and port 5 (presumably the
# CPU port -- confirm).  The 'description' options are labels only.
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 5t'
option description 'untrusted'

config switch_vlan
option device 'switch0'
option ports '0t 5t'
option vlan '3'
option description 'guest'

# One bridge per tagged sub-interface of eth0.
config device
option type 'bridge'
option name 'br-untrusted'
list ports 'eth0.2'

config device
option type 'bridge'
option name 'br-guest'
list ports 'eth0.3'

# Separate subnets per VLAN; no ip6assign here, so these networks get no
# delegated IPv6 prefix (unlike 'lan').
config interface 'untrusted'
option proto 'static'
option device 'br-untrusted'
list ipaddr '192.168.2.1/24'
option multipath 'off'

config interface 'guest'
option proto 'static'
option device 'br-guest'
list ipaddr '192.168.3.1/24'
option multipath 'off'

Router firewall

config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option drop_invalid '1'
option flow_offloading '1'
option flow_offloading_hw '1'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

# Zones for the two isolated networks.  input REJECT + forward REJECT with a
# forwarding only towards 'wan' means: nothing reaches 'lan', guest and
# untrusted cannot talk to each other, and the router itself only answers
# what the rules below explicitly allow.
config zone
option name 'untrusted'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'untrusted'

config forwarding
option src 'untrusted'
option dest 'wan'

config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'

config forwarding
option src 'guest'
option dest 'wan'

# DHCP and DNS served by the router.  No 'proto' is given, so the firewall's
# default of tcp and udp applies; no 'dest' makes this an input rule to the
# router itself rather than a forward.
config rule
option src 'guest'
option name 'Allow DHCP-DNS guest'
option dest_port '53 67 68'
option target 'ACCEPT'

config rule
option src 'untrusted'
option name 'Allow DHCP-DNS untrusted'
option dest_port '53 67 68'
option target 'ACCEPT'

# ICMP to the router (no dest) and ICMP forwarded to the internet (dest 'wan').
config rule
option src 'untrusted'
option name 'Allow Ping untrusted-router'
list proto 'icmp'
option target 'ACCEPT'

config rule
option src 'untrusted'
option name 'Allow Ping untrusted-wan'
list proto 'icmp'
option target 'ACCEPT'
option dest 'wan'

config rule
option src 'guest'
option name 'Allow Ping guest-router'
list proto 'icmp'
option target 'ACCEPT'

# Name is a copy of the previous rule; this one is the guest -> wan ping rule
# and would read better as 'Allow Ping guest-wan'.  Harmless otherwise.
config rule
option src 'guest'
option name 'Allow Ping guest-router'
list proto 'icmp'
option target 'ACCEPT'
option dest 'wan'

# Disabled (enabled '0').  As written this DNATs every TCP/443 connection from
# the untrusted zone -- whatever its real destination -- to 192.168.1.7, which
# matches the "blocks all network access" symptom reported in the thread.
# Reaching one LAN host on one port is a traffic rule (src/dest/dest_ip/
# dest_port), not a redirect, and SMB is TCP/445; the corrected rule is posted
# further down.
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Samba from untrusted'
list proto 'tcp'
option src 'untrusted'
option src_dport '443'
option dest_ip '192.168.1.7'
option enabled '0'

AP network

config interface 'loopback'
option device 'lo'
option proto 'static'
list ipaddr '127.0.0.1/8'

config globals 'globals'
option dhcp_default_duid '00047dd6f960d14147f19e4e07f844864861'
option ula_prefix 'fd26:e1cc:2c3c::/48'
option packet_steering '1'

# Only bridge member is the single wired port.
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'

# AP management interface on VLAN 1 (address by DHCP from the router).
config interface 'lan'
option device 'br-lan.1'
option proto 'dhcp'
option ip6assign '60'
option multipath 'off'

config interface 'lan6'
option proto 'dhcpv6'
option device 'br-lan.1'
option reqaddress 'try'
option reqprefix 'auto'
option norelease '1'
option multipath 'off'

# VLAN 1 untagged on eth0, VLANs 2 and 3 tagged -- must line up with the
# router's switch_vlan entries (port 0 untagged in vlan 1, '0t' in vlans 2/3).
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'eth0'

config bridge-vlan
option device 'br-lan'
option vlan '2'
list ports 'eth0:t'

config bridge-vlan
option device 'br-lan'
option vlan '3'
list ports 'eth0:t'

# Unmanaged (proto 'none') interfaces: they exist only so an SSID can be
# attached to br-lan.2 / br-lan.3.  With no address on the AP, untrusted and
# guest clients have no Layer 3 path to the AP itself; the router's zones
# decide what they may reach.
config interface 'untrusted'
option proto 'none'
option device 'br-lan.2'

config interface 'guest'
option proto 'none'
option device 'br-lan.3'

AP firewall

# AP firewall left open with no zones -- the usual dumb-AP arrangement.  The
# untrusted/guest interfaces are proto 'none' (no addresses), so the only
# thing on the AP that can be addressed is its management interface on VLAN 1,
# i.e. from the trusted LAN.  Isolation is enforced on the router.  If the AP
# ever gets an address on another VLAN, revisit this.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option drop_invalid '1'

AP wireless

# radio0 has no 'country' option while radio1 sets 'US'; set it explicitly
# here too so both radios use the same regulatory domain.
config wifi-device 'radio0'
option type 'mac80211'
option path 'pci0000:00/0000:00:00.0'
option band '5g'
option channel 'auto'
option htmode 'VHT80'
option cell_density '0'

config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/ahb/18100000.wmac'
option band '2g'
option channel 'auto'
option htmode 'HT20'
option cell_density '0'
option country 'US'

# Trusted SSID on both bands, bridged into the AP's management VLAN
# ('lan' / 'lan6' -> br-lan.1).  PSKs are blanked in the paste.
config wifi-iface 'wifinet0'
option device 'radio0'
option mode 'ap'
option ssid 'trusted-wifi'
option encryption 'psk2'
option key ''
option network 'lan lan6'

config wifi-iface 'wifinet1'
option device 'radio1'
option mode 'ap'
option ssid 'trusted-wifi'
option encryption 'psk2'
option key ''
option network 'lan lan6'

# Untrusted SSID -> br-lan.2 (VLAN 2).  wmm '0' disables WMM; 802.11n rates
# depend on WMM, so this SSID is probably limited to legacy rates -- confirm
# that is intended.
config wifi-iface 'wifinet2'
option device 'radio1'
option mode 'ap'
option ssid 'untrusted-wifi'
option encryption 'psk2'
option wmm '0'
option key ''
option network 'untrusted'

# Guest SSID -> br-lan.3 (VLAN 3).  Clients on this SSID can still see each
# other at Layer 2; if guests should be isolated from one another as well,
# OpenWrt's 'option isolate 1' on the wifi-iface is the AP-side control.
config wifi-iface 'wifinet3'
option device 'radio0'
option mode 'ap'
option ssid 'guest-wifi'
option encryption 'psk2'
option key ''
option network 'guest'

Please describe what you mean by blocking all network access?

  • What exactly stops working?
    • for example, access to the router itself? access to the internet? something else?
  • Does the entire untrusted network have the problem, or just certain hosts?

Is the rule below the one that is causing the issue?

If so, a few thoughts:

  • This should be a traffic rule, not a port forward/redirect.
  • unless you changed it (unlikely), the port is wrong -- it should be port 445 (443 is https, and that would likely explain why you're losing internet access when you enable this rule)

Together, the two problems noted would reasonably cause Internet access issues from the untrusted network.

ffs. Well that's just embarrassing. Guess which number I type more often. And yes, things worked much better once I wasn't redirecting https directly into a brick wall.
This traffic rule seems to be doing exactly what I want, namely, allowing devices in untrusted to access my server on lan, with the ip address 192.168.1.7, and only port 445. This rule seems to work just fine, I just thought I'd double-check to make sure I'm not hiding any fun problems for future me!

# Single hole from the untrusted zone into 'lan', narrowed to one host and one
# port (TCP/445, SMB).  Any untrusted client may use it (no src_ip), which is
# the stated intent; the server's other ports and the rest of 'lan' stay
# unreachable because the zone's forward policy is REJECT.
config rule
	option src 'untrusted'
	option dest 'lan'
	option name 'Samba'
	list proto 'tcp'
	list dest_ip '192.168.1.7'
	option dest_port '445'
	option target 'ACCEPT'

That looks good!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

Hooray :slight_smile: And so my long stumble down fairly-easy-complicated-networking comes to an end. The family is pretty tired of me killing either the wifi or internet altogether. I greatly appreciate your help, I never would have figured all of this out!