Drop / Reject Entire Subnet on Dumb AP

I can't seem to figure out how to implement a solution to what I want.

In short, all clients connected to the WiFi should have normal access to the 192.168.0.X network. Currently Wifi clients can access and ping 192.168.0.200 device (which is what I want).

But I want to STOP wifi clients from being able to access any device on the 192.168.2.X network. If I connect my laptop to the wifi and set a static IP address, i.e. 192.168.2.20, I am able to ping 192.168.2.200. I do not want this to be the case. I want all traffic from any WiFi client to any 192.168.2.X address to be dropped / rejected.

I have a basic network diagram shown below.

The Dumb AP is running OpenWRT on an Archer A6 (details of version etc. are at the bottom of this post)
[image: NetworkDiagram]

Screenshots of my current configuration can be found at: https://imgur.com/a/zhYi8IA
(Forum doesn't allow me to post more than 1 image)

I feel like I must be missing something very small or critical as I can't seem to get this to work!

Device is a TP-Link Archer A6
Powered by LuCI Master (git-20.186.79919-0c47989)/ OpenWrt SNAPSHOT r13869-ed087cba8a

See if installing kmod-br-netfilter and enabling "bridge call iptables" helps

opkg install kmod-br-netfilter
# edit /etc/sysctl.d/11-br-netfilter.conf

Tried with no success. Cannot install kmod-br-netfilter:

Collected errors:
 * satisfy_dependencies_for: Cannot satisfy the following dependencies for kmod-br-netfilter:
 * 	kernel (= 5.4.52-1-7088f695112953c6065247e81d1535bb)
 * opkg_install_cmd: Cannot install package kmod-br-netfilter.

EDIT for those who got the same error.

I fixed it by running the following command to install it:

opkg install --force-depends kmod-br-netfilter


As suggested by @vgaetera, you may want to switch to using stable release images, e.g. 19.07. SNAPSHOT images can have kernel versions and configs changing fairly often.


I've simply used the snapshot listed on:
https://openwrt.org/toh/views/toh_fwdownload?dataflt[Model*~]=archer+a6

Have tried using --force-depends on the kmod-br-netfilter and then having my zones configured as the following in /etc/config/firewall:

config zone
	option name 'lan-block'
	list network 'lan'
	option input 'DROP'
	option output 'DROP'
	option forward 'DROP'
	option subnet '192.168.2.0/24'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option subnet '192.168.0.0/24'

Unfortunately it does not seem to have worked / applied.

Is there anything else I am missing, or any commands I can run to show more details?

It's important that the "bridge call iptables" sysctl has been set. Check it with the following command. Make it persistent by editing it in /etc/sysctl.d/11-br-netfilter.conf

sysctl net.bridge.bridge-nf-call-iptables

All the values in the file have been edited from 0 (disabled) to 1 (enabled).

sysctl net.bridge.bridge-nf-call-iptables
sysctl: error: 'net.bridge/bridge-nf-call-iptables' is an unknown key

This means that --force-depends is not working for you.

What would be my next step to get these packages working?

Compiling them myself, or compiling my own system firmware.

I'm not sure what the best approach may be and I apologize for being a complete noob.

It seems support for this device is only available in the master branch. So 19.07 is not an option.

See if persistent kmods repo config is in use by checking /etc/opkg/distfeeds.conf. More details in the following forum post.

Before that, check if kmods for your currently running kernel are available on the downloads site. You can find the kernel version with the following command

opkg list-installed | grep kernel

If we can get matching builds of kmods, remove the previous force installation of br-netfilter, then install the new ones.

opkg list-installed | grep kernel
kernel - 5.4.51-1-7088f695112953c6065247e81d1535bb

I can find my version in the downloads site link you showed. What would be the next steps to install it? I want to make sure I follow the correct approach.

sed -i -e "/\sopenwrt_kmods\s/s/^/#/" /etc/opkg/*.conf
cat << EOF >> /etc/opkg/customfeeds.conf
src/gz openwrt_kmods http://downloads.openwrt.org/snapshots/targets/ath79/generic/kmods/5.4.51-1-7088f695112953c6065247e81d1535bb
EOF
opkg update
opkg --force-reinstall install kmod-br-netfilter
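The feed fix above works because the openwrt_kmods feed must point at the kmods directory for the kernel that is actually running; the "Cannot satisfy the following dependencies ... kernel (= 5.4.52-...)" errors earlier in this thread are what a mismatch looks like. The following check is an added example, not something posted in the thread: it reads the kernel string from `opkg list-installed` output, reads the kernel the openwrt_kmods feed points at, and reports whether they match. The function names and the sample data (built from the versions in this thread) are my own.

```sh
# Added example, not from the thread. Checks whether the openwrt_kmods feed
# matches the running kernel; a mismatch is what makes opkg refuse to install
# kmod-br-netfilter. Function names and sample data are my own.
# Print the running kernel version string (e.g. 5.4.51-1-<hash>) from
# `opkg list-installed` output supplied on stdin.
running_kernel_version() {
    sed -n 's/^kernel - //p'
}

# Print the kernel version the active openwrt_kmods feed points to, from opkg
# feed config supplied on stdin. A line commented out with '#' (as the sed
# command in the thread does) is ignored, so the output is empty.
configured_kmods_kernel() {
    sed -n 's#^src/gz openwrt_kmods .*/kmods/##p'
}

# Build the kmods feed URL for a target (e.g. ath79/generic) and kernel string.
kmods_feed_url() {
    printf 'http://downloads.openwrt.org/snapshots/targets/%s/kmods/%s\n' "$1" "$2"
}

# Return 0 if the feed matches the running kernel, 1 on a version mismatch,
# 2 if no openwrt_kmods feed is configured at all.
check_kmods_feed() {
    [ -z "$2" ] && return 2
    [ "$1" = "$2" ] && return 0
    return 1
}

# Constructed sample input mirroring the thread: the device runs 5.4.51 while
# the shipped distfeeds.conf points at 5.4.52.
SAMPLE_OPKG_LIST='kernel - 5.4.51-1-7088f695112953c6065247e81d1535bb
kmod-nls-base - 5.4.51-1'
SAMPLE_DISTFEEDS='src/gz openwrt_core http://downloads.openwrt.org/snapshots/targets/ath79/generic/packages
src/gz openwrt_kmods http://downloads.openwrt.org/snapshots/targets/ath79/generic/kmods/5.4.52-1-7088f695112953c6065247e81d1535bb'

# Run the check against the sample data and print what to fix.
demo_check() {
    kver=$(printf '%s\n' "$SAMPLE_OPKG_LIST" | running_kernel_version)
    feed=$(printf '%s\n' "$SAMPLE_DISTFEEDS" | configured_kmods_kernel)
    check_kmods_feed "$kver" "$feed"
    rc=$?
    case $rc in
        0) echo "kmods feed matches running kernel $kver" ;;
        1) echo "mismatch: feed is $feed, kernel is $kver; use $(kmods_feed_url ath79/generic "$kver")" ;;
        2) echo "no active openwrt_kmods feed; add $(kmods_feed_url ath79/generic "$kver")" ;;
    esac
    return $rc
}
```

On a real device, replace the sample variables with `opkg list-installed` and `cat /etc/opkg/*.conf` piped into the same functions.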

I ran

opkg remove kmod-br-netfilter
opkg remove kmod
opkg remove kmod-ebtables

prior to reading your comment.

I have tried running the following commands to no success:

root@OpenWrt:~# opkg remove kmod
No packages removed.
root@OpenWrt:~# opkg remove kmod-br-netfilter
No packages removed.
root@OpenWrt:~# opkg remove kmod-ebtables
No packages removed.
root@OpenWrt:~# sed -i -e "/\sopenwrt_kmods\s/s/^/#/" /etc/opkg/*.conf
root@OpenWrt:~# opkg update
Downloading http://downloads.openwrt.org/snapshots/targets/ath79/generic/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_core
Downloading http://downloads.openwrt.org/snapshots/targets/ath79/generic/packages/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/snapshots/packages/mips_24kc/base/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_base
Downloading http://downloads.openwrt.org/snapshots/packages/mips_24kc/base/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/snapshots/packages/mips_24kc/freifunk/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_freifunk
Downloading http://downloads.openwrt.org/snapshots/packages/mips_24kc/freifunk/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/snapshots/packages/mips_24kc/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_luci
Downloading http://downloads.openwrt.org/snapshots/packages/mips_24kc/luci/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/snapshots/packages/mips_24kc/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_packages
Downloading http://downloads.openwrt.org/snapshots/packages/mips_24kc/packages/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/snapshots/packages/mips_24kc/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_routing
Downloading http://downloads.openwrt.org/snapshots/packages/mips_24kc/routing/Packages.sig
Signature check passed.
Downloading http://downloads.openwrt.org/snapshots/packages/mips_24kc/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_telephony
Downloading http://downloads.openwrt.org/snapshots/packages/mips_24kc/telephony/Packages.sig
Signature check passed.
root@OpenWrt:~# opkg install kmod-br-netfilter
Installing kmod-br-netfilter (5.4.52-1) to root...
Downloading http://downloads.openwrt.org/snapshots/targets/ath79/generic/packages/kmod-br-netfilter_5.4.52-1_mips_24kc.ipk
Collected errors:
 * satisfy_dependencies_for: Cannot satisfy the following dependencies for kmod-br-netfilter:
 * 	kernel (= 5.4.52-1-7088f695112953c6065247e81d1535bb)
 * opkg_install_cmd: Cannot install package kmod-br-netfilter.
root@OpenWrt:~# 

Do I have to add --force-depends?

I can see that I've added the correct feed to the customfeeds.conf file.

It's still throwing an error that my kernel version is too low. My version is 5.4.51; the opkg install command is saying I need 5.4.52.

I feel like we are getting closer to a solution. Thank you for all the help so far; this community has been great!

Just sysupgrade with latest snapshot and then install packages.


I'm using the latest snapshot listed for my device on the OpenWRT hardware page.

https://openwrt.org/toh/views/toh_fwdownload?dataflt[Model*~]=archer+a6

Is there a difference between install and upgrade .bin files?

Update:

Successfully installed kmod-br-netfilter by downloading the package manually and installing it.
This was done with the following commands:

wget http://downloads.openwrt.org/snapshots/targets/ath79/generic/kmods/5.4.51-1-7088f695112953c6065247e81d1535bb/kmod-br-netfilter_5.4.51-1_mips_24kc.ipk
opkg install kmod-br-netfilter_5.4.51-1_mips_24kc.ipk

Running the command

sysctl net.bridge.bridge-nf-call-iptables

now returns

net.bridge.bridge-nf-call-iptables = 1

Rebooting the device and will see if my pre-existing rules will work. Will update this comment if they do.

EDIT:
Yep, it did the job!
Just manually download the ipk for your kernel version as shown above and install it.
My pre-existing zone:

config zone
	option name 'lan-block'
	list network 'lan'
	option input 'DROP'
	option output 'DROP'
	option forward 'DROP'
	option subnet '192.168.2.0/24'

Now works and blocks all traffic on the 192.168.2.0/24 subnet.

Thank you all for your help and guidance. This is the 2nd day I've ever used openwrt.

Plan on converting all my devices over now as the support and functionality is awesome!


One thing weird though, the persistent kmods repo should be present in distfeeds.conf by default and should be working.

I just downloaded the current snapshot of the archer-c6-v2-us squashfs factory image, and it is indeed there:

➜  ~/git-repo/openwrt/openwrt/z git:(master) ls
m  extra-para  file-system  openwrt-ath79-generic-tplink_archer-c6-v2-us-squashfs-factory.bin  os-image  partition-table  soft-version  support-list
➜  ~/git-repo/openwrt/openwrt/z git:(master) cat m/etc/os-release
NAME="OpenWrt"
VERSION="SNAPSHOT"
ID="openwrt"
ID_LIKE="lede openwrt"
PRETTY_NAME="OpenWrt SNAPSHOT"
VERSION_ID="snapshot"
HOME_URL="https://openwrt.org/"
BUG_URL="https://bugs.openwrt.org/"
SUPPORT_URL="https://forum.openwrt.org/"
BUILD_ID="r13902-5e86877f36"
OPENWRT_BOARD="ath79/generic"
OPENWRT_ARCH="mips_24kc"
OPENWRT_TAINTS=""
OPENWRT_DEVICE_MANUFACTURER="OpenWrt"
OPENWRT_DEVICE_MANUFACTURER_URL="https://openwrt.org/"
OPENWRT_DEVICE_PRODUCT="Generic"
OPENWRT_DEVICE_REVISION="v0"
OPENWRT_RELEASE="OpenWrt SNAPSHOT r13902-5e86877f36"
➜  ~/git-repo/openwrt/openwrt/z git:(master) cat m/etc/opkg/distfeeds.conf
src/gz openwrt_core http://downloads.openwrt.org/snapshots/targets/ath79/generic/packages
src/gz openwrt_kmods http://downloads.openwrt.org/snapshots/targets/ath79/generic/kmods/5.4.52-1-7088f695112953c6065247e81d1535bb
src/gz openwrt_base http://downloads.openwrt.org/snapshots/packages/mips_24kc/base
src/gz openwrt_freifunk http://downloads.openwrt.org/snapshots/packages/mips_24kc/freifunk
src/gz openwrt_luci http://downloads.openwrt.org/snapshots/packages/mips_24kc/luci
src/gz openwrt_packages http://downloads.openwrt.org/snapshots/packages/mips_24kc/packages
src/gz openwrt_routing http://downloads.openwrt.org/snapshots/packages/mips_24kc/routing
src/gz openwrt_telephony http://downloads.openwrt.org/snapshots/packages/mips_24kc/telephony
➜  ~/git-repo/openwrt/openwrt/z git:(master)

UPDATE 2:
I got another TP-Link Archer A6.
Flashed the .bin file as I did earlier, then I ran the following commands on first boot (sysupgrade):

opkg update
opkg install wget
wget http://downloads.openwrt.org/snapshots/targets/ath79/generic/openwrt-ath79-generic-tplink_archer-c6-v2-us-squashfs-sysupgrade.bin --no-check-certificate
sysupgrade -v openwrt-ath79-generic-tplink_archer-c6-v2-us-squashfs-sysupgrade.bin

After the sysupgrade the kernel is now 5.4.52.
Continuing on, I ran the following commands for my setup:

opkg update
opkg install luci-ssl-nginx
opkg install nano
opkg install kmod-br-netfilter
opkg install --force-depends --force-maintainer --force-overwrite wpad-openssl

Restored my backup settings from my device.

And it worked easily. Surprised that after running that sysupgrade I could install kmod-br-netfilter easily.

Not sure why but I'm glad I found a way that works. Posting it up here in case it helps anyone else in the same shoes.

If anyone has an Archer A6 / C6 v2 (US), I've made a quick, easy video of the process. Couldn't find anything like this on the internet so I hope it helps someone else out (it would've helped me out).

Install OpenWRT, upgrade to the latest snapshot, and then you can opkg install packages easily with no problem.