Hello, first-time user of openWRT and I had some questions (at the end of the post). Apologies if they have been asked before (I tried searching the forums beforehand).
I have used the openWRT Wireless Access Point - Dumb Access Point Guide to set up a Dumb AP.
Setup (Typical network setup)
- OPNsense router/firewall
- managed switch
- openWRT Dumb AP
Flow (Typical flow)
Client -> openWRT Dumb AP (using VLANS) -> managed switch (using VLANS) -> OPNsense router (using VLANS)
Network descriptions
- access to openWRT router
- Static IP:10.10.40.1
- gateway: didn't put one
- Firewall Zone: LAN
- DHCP: ON
- VLAN 1
- Wifi: OFF/Deleted
- port: WAN for access (untagged)
Note: This is using the default LAN interface so I can access the router
Note: I access this through the WAN port (I have removed the WAN interfaces, as mentioned in the Dumb AP guide). It is a normal LAN port in this case. I only want to access the openWRT router through the WAN port, not through any other interface.
Note: It has DHCP because I didn't want to change my IP on my machine to connect to the dumb AP (is this safe?). The guide mentions turning off DHCP and the firewall.
- main
- Static IP: 10.10.10.2
- gateway: 10.10.10.1 (maps to OPNsense gateway)
- Firewall Zone: unspecified
- DHCP: OFF
- VLAN 15
- Wifi: ON/Enabled
- port on AP : 1 for access (untagged)
- guest
- Static IP: 10.20.20.2
- gateway = 10.20.20.1 (maps to OPNsense gateway)
- Firewall Zone: unspecified
- DHCP = OFF
- VLAN 20
- Wifi = ON/Enabled
- port = 2 for access (untagged)
Note: port 3 is tagged for all my VLAN pass through
Note: everything is working as expected and VLANs are enabled on both OPNsense and openWRT Dumb AP
Questions:
- Are there any security issues with only accessing my router through the WAN port? To clarify, I want to ensure no other interface can access it. I am assuming no other interface has access due to all other interfaces being in the "unspecified" firewall zone.
- Note: This is a dummy AP, so the WAN port is acting as another LAN. I have deleted the WAN interfaces as per the openWRT dumb AP guide.
- Is there any security issue with allowing the default LAN interface to use DHCP? It was mentioned in the guide to disable this to save on resources.
- The reason I am doing this: so I don't need to configure a static IP on my connecting machine when I connect to the router only.
- The default LAN interface doesn't have wifi.
- It also has its default LAN firewall.
- Why don't I need the firewall enabled on the dumb AP?
- I understand that OPNsense will handle the firewall for each VLAN interface, but do the packets pass through the openWRT firewall?
- How does the dummy AP know not to use its firewall? Is that because we put a gateway IP on the interfaces, which denotes to pass the packet through the VLAN to OPNsense and not do anything with the openWRT firewall?
- Does the normal/default LAN interface (VLAN 1) use the openWRT firewall?
- What is the default of the unspecified firewall/zone, and should I be putting a firewall on each interface? Currently they are "unspecified".
Thanks to anyone reading this and helping out. Let me know if I need to attach configuration files.