Dumb AP - firewall and DHCP questions/ clarification needed

Hello, first time user of openWRT and I had some questions (at the end of the post). Apologies if they have been asked before (I tried searching the forums beforehand).

I have used the openWRT Wireless Access Point - Dumb Access Point Guide to setup a Dumb AP

Setup (Typical network setup)

  • OPNsense router/firewall
  • managed switch
  • openWRT Dumb AP

Flow (Typical flow)

Client -> openWRT Dumb AP (using VLANS) -> managed switch (using VLANS) -> OPNsense router (using VLANS)

Network descriptions

  • access to openWRT router
    - Static IP: 10.10.40.1
    - gateway: didn't put one
    - Firewall Zone: LAN
    - DHCP: ON
    - VLAN 1
    - Wifi: OFF/Deleted
    - port: WAN for access (untagged)

Note: This is using the default LAN interface so I can access the router
Note: I access this through the WAN port (I have removed the WAN interfaces, as mentioned in the Dumb AP guide). It is a normal LAN port in this case. I only want to access the openWRT router through the WAN port, not through any other interface.

Note: It has DHCP because I didn't want to change my IP on my machine to connect to the dumb AP (is this safe?). It mentions in the guide to turn off DHCP and firewall.

  • main
    - Static IP: 10.10.10.2
    - gateway: 10.10.10.1 (maps to OPNsense gateway)
    - Firewall Zone: unspecified
    - DHCP: OFF
    - VLAN 15
    - Wifi: ON/Enabled
    - port on AP: 1 for access (untagged)
  • guest
    - Static IP: 10.20.20.2
    - gateway: 10.20.20.1 (maps to OPNsense gateway)
    - Firewall Zone: unspecified
    - DHCP: OFF
    - VLAN 20
    - Wifi: ON/Enabled
    - port: 2 for access (untagged)

Note: port 3 is tagged for all my VLAN pass through

Note: everything is working as expected and VLANs are enabled on both OPNsense and openWRT Dumb AP

Questions:

  • Are there any security issues with only accessing my router through the WAN port? To clarify, I want to ensure no other interface can access it. I am assuming no other interface has access due to all other interfaces being in the "unspecified" firewall zone.
    - Note: This is a dummy AP, so the WAN port is acting as another LAN. I have deleted the WAN interfaces as per the openWRT dumb AP guide.

  • Is there any security issue with allowing the default lan interface to use DHCP? It was mentioned in the guide to disable this to save on resources.
    - The reason I am doing this: so I don't need to configure a static IP on my connecting machine when I connect to the router only.
    - The default LAN interface doesn't have wifi.
    - It also has its default LAN firewall.

  • Why don't I need the firewall enabled on the dumb AP?
    - I understand that the OPNsense will handle the firewall for each VLAN interface, but do the packets transfer through the openWRT firewall?
    - How does the dummy AP know not to use its firewall? Is that because we put a gateway IP on the interfaces, which denotes to pass the packet through the VLAN to OPNsense and not do anything with the openWRT firewall?

  • Does the normal/default LAN interface (VLAN 1) use the openWRT firewall?

  • What is the default of the unspecified firewall/zone, and should I be putting a firewall on each interface? Currently they are "unspecified".

Thanks for anyone reading this and helping out. Let me know if I need to attach configuration files.

In order to answer the questions, it's best for us to see the configuration.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thanks for the feedback. I have attached the configuration

Note: one of my questions involves the unspecified firewall zone. That doesn't seem to appear in the firewall config; all my interfaces are under the unspecified zone.

ubus call system board

{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
        "model": "TP-Link Archer C7 v2",
        "board_name": "tplink,archer-c7-v2",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ath79/generic",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7f:17f7:3f21::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.10.40.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 1'
        option vid '1'
        option description 'admin-LAN'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 2t 3'
        option vid '15'
        option description 'main'

config device
        option type 'bridge'
        option name 'br-main'
        list ports 'eth1.15'

config interface 'main'
        option proto 'static'
        option device 'br-main'
        option ipaddr '10.10.10.2'
        option netmask '255.255.255.0'
        option gateway '10.10.10.1'
        list dns '10.10.10.1'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option ports '0t 2t'
        option vid '20'
        option description 'guest'

config device
        option type 'bridge'
        option name 'br-guest'
        list ports 'eth1.20'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '10.20.20.2'
        option gateway '10.20.20.1'
        list dns '10.20.20.1'
        option netmask '255.255.255.0'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option channel 'auto'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid '<main_ssid>'
        option encryption 'sae'
        option key '<main_password>'
        option network 'main'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid '<guest_ssid>'
        option encryption 'sae'
        option key '<guest_password>'
        option network 'guest'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid '<main_ssid>'
        option encryption 'sae'
        option key '<main_password>'
        option network 'main'

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

From a physical port perspective, a port is a port -- the purpose of each port can be reassigned as needed within OpenWrt, so it's really just a label on the back of the device more than anything else.

Therefore in the case of a bridged AP, no issue, as long as your config is functioning properly. (you would not want to do this on a traditional routed configuration where the wan/upstream is untrusted such as the internet).

Yup... all good, and yes, this is fine.

Security, no. From the looks of it, you've got that lan on a single port which is not shared with anything else. As long as this network is unrelated to anything upstream, it's fine.

The resource discussion is largely irrelevant... it doesn't take much to run the DHCP server, but it shouldn't be running in the majority of bridged-AP configurations to avoid a conflict with the upstream DHCP server (not an issue for your config, though).

To clarify, though -- I personally recommend that the dnsmasq service (which handles DHCP) remains enabled, but the DHCP server itself (usually the lan DHCP server) is disabled by adding the option ignore '1' line to the DHCP server section.

In your specific situation, this is fine, although it's not a common config. Normally you just have the single management network that is connected to the upstream. But this is okay.

That's fine. In the situation where you need it, you'll plug into the device.

This is fine.

Some people will say you can disable the firewall. I would not recommend this. I suggest keeping the firewall enabled, and simply put the management network(s) into the lan firewall zone. It will be largely inactive, but this guarantees that you'll have the access you expect.

No packets will actually pass through the firewall because everything is happening at L2 (switching) and is not subject to the firewall. The access to the device itself is governed by the input rule in the firewall, and by simply setting your management network(s) in the lan zone which has input = accept, you guarantee that you'll be able to reach the device.

It's not so much how it "knows not to" but rather that the device isn't doing any routing. It is simply forwarding packets between ethernet and wifi on the same L2 network (or multiple L2 networks that are kept separate by VLANs). The firewall is only used for L3.

In the context of the standard routed configuration, yes, it would. For a bridged AP, it doesn't, except for determining access to the AP itself (again, the input rule).

You should put the management network(s) in the lan firewall zone. The others can remain unspecified -- for a different reason than you might think, though.

The non-management / untrusted networks should actually be unmanaged. That is, the AP will not have an address on these networks. As a result, the networks will pass through the bridged-AP functionality, but they will never interact with the administrative features of the AP, and they cannot be routed through the AP (a bridged-AP should not be used for routing in a setup like yours; all the routing happens on your OPNSense box).

I'm going to assume that your lan and main networks are both used for managing the AP. So, we will add the network main to the lan firewall zone:

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'main'

Next, the guest network will be unmanaged because the users on this network will never need to interact with this device (their traffic passes transparently through it). Edit the guest network to look like this:

config interface 'guest'
        option proto 'none'
        option device 'br-guest'

Restart your AP and the guest network will still work normally, but this will have improved the security posture of your AP in that it will no longer be reachable by guests.

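An added example, not code from the thread or from OpenWrt: a small Python audit that reads the two UCI files the way the answer above reasons about them and reports, for each interface, whether the AP itself is reachable through a zone's input policy, through the "unspecified" firewall defaults, or not at all because the interface carries no address. parse_uci is a hand-rolled helper (not the real uci tool), and both configs are constructed from the ones posted in this thread.

```python
NETWORK = """config interface 'lan'
        option proto 'static'
        option ipaddr '10.10.40.1'
config interface 'main'
        option proto 'static'
        option ipaddr '10.10.10.2'
config interface 'guest'
        option proto 'none'
"""  # constructed: the posted network config after the answer's guest edit

FIREWALL = """config defaults
        option input 'REJECT'
config zone
        option name 'lan'
        option input 'ACCEPT'
        list network 'lan'
        list network 'main'
"""  # constructed: lan zone with 'main' added, as the answer suggests

def parse_uci(text):
    """Minimal UCI text parser (hypothetical helper, not OpenWrt's uci tool)."""
    sections = []  # list of (section_type, section_name, {key: [values]})
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if not parts:
            continue
        if parts[0] == 'config':
            name = parts[2].strip("'") if len(parts) > 2 else None
            sections.append((parts[1], name, {}))
        elif parts[0] in ('option', 'list') and sections:
            sections[-1][2].setdefault(parts[1], []).append(parts[2].strip("'"))
    return sections

def audit(network_text, firewall_text):
    """Per interface: reachable via a zone's input policy, via the defaults, or not at all."""
    fw = parse_uci(firewall_text)
    default_input = next((o for t, _, o in fw if t == 'defaults'), {}).get('input', ['(unset)'])[0]
    zone_of = {net: (o['name'][0], o.get('input', ['(unset)'])[0])
               for t, _, o in fw if t == 'zone' for net in o.get('network', [])}
    verdicts = {}
    for stype, name, opts in parse_uci(network_text):
        if stype != 'interface' or name == 'loopback':
            continue
        if opts.get('proto', ['none'])[0] == 'none':
            verdicts[name] = 'unmanaged'  # no L3 address on the AP, nothing to reach
        elif name in zone_of:
            verdicts[name] = 'zone %s input %s' % zone_of[name]
        else:
            verdicts[name] = 'unspecified input ' + default_input  # defaults section applies
    return verdicts
```

Running audit on the original post's guest interface (proto static, listed in no zone) reports it as falling under the defaults section, which is what "unspecified" means in practice.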

Thank you very much for detailed answers

This all makes perfect sense and I made the changes accordingly

I'm going to assume that your lan and main networks are both used for managing the AP. So, we will add the network main to the lan firewall zone:

The original intent was to harden the AP and only allow access through a wired connection. But after reading your detailed explanation, I felt this was unnecessary overhead to connect to the AP. I have removed/deleted lan (and all its parts: the interface, bridge and VLAN) and added the main network to the lan firewall zone (I didn't want to rename this firewall zone because it came with the default openWRT setup).

Thank you again.
Hope you have a good day/night
