Disabling management on VLAN

I have a setup with three VLANS.

eth.1 - 192.168.1.0/24 - Default/OOBM
eth.2 - 192.168.2.0/24 - IoT/Guest
eth.3 - 192.168.3.0/24 - Private Data

I can get to router management from the following addresses:
192.168.1.1
192.168.2.1
192.168.3.1

However, I'd like to disable management access on 192.168.2.1 because nothing on this network should ever access network management.

Where is this done? Is this a firewall setting?

Absolutely possible, and yes, via the firewall.

The details of what you will want to do may depend on your current configuration and your goals, but broadly speaking you simply want to reject input from the network(s) in question. To do this, often the best/simplest method is to set input to REJECT and then add two rules -- one for DHCP and one for DNS -- so that the devices can still connect and use those two critical services, while not having access to any other services that are running on the router.

The recipe for this is in the guest network tutorial:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface#firewall

If you want a review of your current config and/or if you've taken a different firewall approach and need help adapting, then we'll want to see that here:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
root@MainGate:/etc/config# ubus call system board
{
	"kernel": "5.15.167",
	"hostname": "MainGate",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Linksys E7350",
	"board_name": "linksys,e7350",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}

root@MainGate:/etc/config# cat network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd9a:89ce:b19d::/48'
	option packet_steering '1'

config device
	option name 'lan1'
	option macaddr 

config device
	option name 'lan2'
	option macaddr

config device
	option name 'lan3'
	option macaddr

config device
	option name 'lan4'
	option macaddr

config interface 'lan'
	option device 'eth.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'wan'
	option macaddr

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config route
	option interface 'lan'
	option target '192.168.1.0/24'
	option gateway '192.168.1.1'

config device
	option type 'bridge'
	option name 'eth'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'eth'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'eth'
	option vlan '2'
	list ports 'lan1:t'

config interface 'IoT'
	option proto 'static'
	option device 'eth.2'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	option type 'bridge'
	list ipaddr '192.168.2.1/24'

config interface 'PRIV'
	option proto 'static'
	option device 'eth.3'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	option type 'bridge'

config bridge-vlan
	option device 'eth'
	option vlan '3'
	list ports 'lan1:t'

config device
	option name 'eth.2'
	option type '8021q'
	option ifname 'eth'
	option vid '2'
	option ipv6 '0'

config device
	option name 'eth.3'
	option type '8021q'
	option ifname 'eth'
	option vid '3'
	option ipv6 '0'

config device
	option name 'eth.1'
	option type '8021q'
	option ifname 'eth'
	option vid '1'
	option ipv6 '0'

root@MainGate:/etc/config# cat wireless 

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel 'auto'
	option band '2g'
	option htmode 'HE40'
	option cell_density '0'
	option country 'US'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option channel 'auto'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'
	option country 'US'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'IoT_SSID'
	option encryption 'psk2'
	option key 'barelyapassword'
	option network 'IoT'
	option ieee80211r '1'
	option mobility_domain '4df7'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Private_SSID'
	option encryption 'sae'
	option key 'ridiculouslystrongpassword'
	option network 'PRIV'
	option ieee80211r '1'
	option ft_over_ds '0'
	option mobility_domain '13ef'

root@MainGate:/etc/config# cat dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '2m'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'IoT'
	option interface 'IoT'
	option start '100'
	option limit '150'
	option leasetime '2m'

config dhcp 'PRIV'
	option interface 'PRIV'
	option start '100'
	option limit '150'
	option leasetime '2m'

config host
	option name 'NAS'
	option ip '192.168.3.7'
	option mac

config host
	option name 'RPi1'
	option ip '192.168.3.12'
	option mac

config host
	option name 'SWITCH1'
	option ip '192.168.1.3'
	option mac

config host
	option name 'SWITCH2'
	option ip '192.168.1.4'
	option mac

config host
	option name 'RPi2'
	option ip '192.168.3.17'
	option mac

config host
	option name 'WAP'
	option ip '192.168.1.2'
	option mac

root@MainGate:/etc/config# cat firewall 

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'lan3'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'PRIV'

config zone
	option name 'lan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'IoT'

config forwarding
	option src 'lan3'
	option dest 'lan'

config forwarding
	option src 'lan3'
	option dest 'lan2'

config forwarding
	option src 'lan3'
	option dest 'wan'

config forwarding
	option src 'lan2'
	option dest 'wan'

config redirect
	option dest 'lan3'
	option target 'DNAT'
	option name 'Cloud SSH'
	list proto 'tcp'
	option src 'wan'
	option src_dport '22'
	option dest_ip '192.168.3.7'
	option dest_port '22'

config redirect
	option dest 'lan3'
	option target 'DNAT'
	option name 'Cloud rsync'
	list proto 'tcp'
	option src 'wan'
	option src_dport '873'
	option dest_ip '192.168.3.7'
	option dest_port '873'

config redirect
	option dest 'lan3'
	option target 'DNAT'
	option name 'http'
	option src 'wan'
	option src_dport '8880'
	option dest_ip '192.168.3.12'
	option dest_port '80'

config redirect
	option dest 'lan3'
	option target 'DNAT'
	option name 'ssh'
	list proto 'tcp'
	option src 'wan'
	option src_dport '2212'
	option dest_ip '192.168.3.12'
	option dest_port '22'

Definitely more info than you need, but there shouldn't be any real numbers on any of those.

I may end up taking the 192.168.1.0/24 route out. It's currently there so I can get to the OOBM network from the PRIV network. Once I'm set up, I don't mind forcing myself to use CAT5e to access the OOBM.

One note, the WAP device is a second router being used as a roaming WiFi bridge. Located on the other side of the house from the main router/AP. I'm also trying to get rid of all IPv6 options, but they keep coming up. I've no reason to mess with IPv6 on this network.

This is unnecessary and can be deleted:

Remove the bridge line, gateway, and dns lines as well:

Same here:

You can delete all of the 802.1q stanzas:

Why are you using 2 minute DHCP leases? That's unnecessarily short (true also for your lan).

If you want to prohibit the IoT network from reaching the router itself, change the zone's input from ACCEPT to REJECT (input only; output stays ACCEPT):

Then, add two traffic rules that accept input for DHCP (udp port 67) and DNS (tcp+udp port 53).

Wouldn't removing the 802.1q stanzas kill my VLANs?

I have them trunked over a single 1G fiber from one side of the house to the other (SWITCH1 to SWITCH2)

Nope. The bridge-vlan definitions create the 802.1q stanzas under the hood.

Another note:

These files were built by the GUI. I haven't changed them manually yet.

wouldn't removing

config route
	option interface 'lan'
	option target '192.168.1.0/24'
	option gateway '192.168.1.1'

remove my ability to reach management for
192.168.1.2 - WAP
192.168.1.3 - SWITCH1
192.168.1.4 - SWITCH2

from 192.168.3.0/24

?

It should have no effect at all. 192.168.1.0/24 is directly connected to the router, so it doesn't need a route to locate that subnet.

I do notice that you have a network interface named CUI, but it is not assigned to a firewall zone and has no DHCP server (there is a PRIV DHCP server, but no CUI one). Likewise, there is no PRIV network interface.

Add CUI to the lan3 firewall zone and fix the DHCP server and it should work.

For the rest of the questions.

I'm using 2m lease times for now because I'm still in setup. When I add something to the DHCP network it grabs an IP, I set it to static, change the static, and in 2 minutes it starts using the new address. Sure beats waiting a day or rebooting everything a few times until the new address takes.

I want IoT devices to reach the WAN and connect to the world. (Houseguests, Cameras, TVs, Lightswitches)
I just don't want them to have access to the PRIV or OOBM networks.

Also eth.3 should have full access to eth.2, but eth.2 should be blocked from eth.3.

That was an editing mistake... should have been PRIV

Please clarify - an editing mistake with respect to what was posted here, or a mistake in the configuration that you've now fixed?

The other really important thing is that the other infrastructure devices (AP, switches) must have not only the IP address and subnet mask, but also the gateway defined (192.168.1.1); otherwise they will not be able to route their replies back to your other networks.

editing mistake should be fixed now.

AP and Switches are all running Static DHCP Leases from the MainGate.

But they are still unreachable? Let's review the updated configs.

root@MainGate:/etc/config# cat firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'eth.3'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'PRIV'

config zone
	option name 'eth.2'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	list network 'IoT'

config forwarding
	option src 'lan3'
	option dest 'lan'

config forwarding
	option src 'lan3'
	option dest 'lan2'

config forwarding
	option src 'lan3'
	option dest 'wan'

config forwarding
	option src 'lan2'
	option dest 'wan'

config redirect
	option dest 'lan3'
	option target 'DNAT'
	option name 'Cloud SSH'
	list proto 'tcp'
	option src 'wan'
	option src_dport '22'
	option dest_ip '192.168.3.7'
	option dest_port '22'

config redirect
	option dest 'lan3'
	option target 'DNAT'
	option name 'Cloud rsync'
	list proto 'tcp'
	option src 'wan'
	option src_dport '873'
	option dest_ip '192.168.3.7'
	option dest_port '873'

config redirect
	option dest 'lan3'
	option target 'DNAT'
	option name 'http'
	option src 'wan'
	option src_dport '8880'
	option dest_ip '192.168.3.12'
	option dest_port '80'

config redirect
	option dest 'lan3'
	option target 'DNAT'
	option name 'ssh'
	list proto 'tcp'
	option src 'wan'
	option src_dport '2212'
	option dest_ip '192.168.3.12'
	option dest_port '22'

config rule
	option name 'ALLOW DHCP VLAN2'
	list proto 'tcp'
	option src 'lan2'
	option src_port '67'
	option dest_port '67'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'ALLOW DNS VLAN2'
	option family 'ipv4'
	option src 'lan2'
	option src_port '53'
	option dest_port '53'
	option target 'ACCEPT'

I made the changes one at a time to see what each one would do. All of the changes to /etc/config/network didn't seem to have any effect.

However, changing the /etc/config/firewall file to the above causes my IoT network to lose connectivity to the world. The PRIV network retains connection.

Remove the src_port option from both of these rules:

Then reboot and test again.

I got a few pings to 8.8.8.8, then nothing.

VLAN3 still connects
VLAN2 does not provide an IP address.

Wireshark is showing just broadcast DHCP traffic that goes unanswered.

From where? What subnet were you connected to for this test?

I noticed another error (sorry I missed it before)...

This should be UDP (not TCP), and as I had said before, the src_port needs to be removed.

Reboot and test again.

Seems to be doing the same thing.
I am allowing traffic to VLAN2, then SSHing into OpenWrt to make the changes (see below).
When I reboot the router, I can ping 8.8.8.8 while connected to VLAN2, but this eventually stops, and I no longer get an IP address on devices connected to VLAN2.

VLAN3 continues to work as expected.

root@MainGate:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'lan3'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'PRIV'

config zone
	option name 'lan2'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	list network 'IoT'

config forwarding
	option src 'lan3'
	option dest 'lan'

config forwarding
	option src 'lan3'
	option dest 'lan2'

config forwarding
	option src 'lan3'
	option dest 'wan'

config forwarding
	option src 'lan2'
	option dest 'wan'

config redirect
	option dest 'lan3'
	option target 'DNAT'
	option name 'Cloud SSH'
	list proto 'tcp'
	option src 'wan'
	option src_dport '22'
	option dest_ip '192.168.3.7'
	option dest_port '22'

config redirect
	option dest 'lan3'
	option target 'DNAT'
	option name 'Cloud rsync'
	list proto 'tcp'
	option src 'wan'
	option src_dport '873'
	option dest_ip '192.168.3.7'
	option dest_port '873'

config redirect
	option dest 'lan3'
	option target 'DNAT'
	option name 'http'
	option src 'wan'
	option src_dport '8880'
	option dest_ip '192.168.3.12'
	option dest_port '80'

config redirect
	option dest 'lan3'
	option target 'DNAT'
	option name 'ssh'
	list proto 'tcp'
	option src 'wan'
	option src_dport '2212'
	option dest_ip '192.168.3.12'
	option dest_port '22'

config rule
	option name 'ALLOW DHCP VLAN2'
	list proto 'udp'
	option src 'lan2'
	option dest_port '67'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'ALLOW DNS VLAN2'
	option family 'ipv4'
	option src 'lan2'
	option dest_port '53'
	option target 'ACCEPT'