Firewall Question

How can I access router B's LuCI from my PC?
Router A is connected to the modem via wire.
Router B is connected to Router A via 5 GHz Wi-Fi.


Router A's firewall config

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option mtu_fix '1'
        option forward 'ACCEPT'
        list network 'wan'
        list network 'wan6'
        option input 'ACCEPT'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wan'
        list network 'wan6'
        option name 'wwan'

config forwarding
        option src 'wan'
        option dest 'wwan'

config forwarding
        option src 'wwan'
        option dest 'lan'

Router B's firewall rule to accept all requests from 192.168.* to wan

config rule
        option target 'ACCEPT'
        option src 'wan'
        list src_ip '192.168.1.0/16'
        option name 'Allow-192.168.1.0/16'
        list proto 'all'
        option dest '*'

Based on your diagram, it appears that router A is configured as a dumb AP. Router B appears to be set up as a wireless client on its uplink, and then routing to a different subnet (192.168.1.0/24) relative to the upstream network.

If this is correct...

Set the router B firewall (which you did not show in its entirety) to accept input on the wan zone (this is only safe because your upstream appears to be a trusted lan).

and then delete this, it's wrong, and a rule like this is unnecessary if you just set input to accept on the wan zone:

Then you can connect to router B's admin interface by using the address it has on its wan (which will be in the 192.168.2.0/24 network).


Router A is not a dumb AP. It serves as a Samba server and AP.

Let's see the complete config for both router A and B:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I'll try to disable Router B's firewall, since as you said it's a trusted network.

No, don't disable the firewall. You need the firewall to make masquerading work for the downstream network from router B.

What I suggested is to make the wan zone input rule = accept.

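An added example, not part of any post in this thread: a small parser for `/etc/config/firewall` text that reports each zone's input policy and masquerading flag, so the suggested change (wan zone input = accept, firewall and masquerading left in place) can be checked before and after. Router B's config was never posted, so the sample below is constructed and the network name `wwan` is an assumption.

```python
import shlex

# Constructed sample: Router B's real config does not appear in the thread.
ROUTER_B_BEFORE = """
config zone
        option name 'lan'
        option input 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option masq '1'
        list network 'wwan'   # hypothetical wireless-client interface name
"""
# Same config with only the wan zone's input policy changed, as suggested.
ROUTER_B_AFTER = ROUTER_B_BEFORE.replace("'REJECT'", "'ACCEPT'")

def parse_uci(text):
    """Parse UCI config text into a list of (section_type, options) pairs."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)  # strips quotes and # comments
        if len(parts) >= 2 and parts[0] == "config":
            sections.append((parts[1], {}))
        elif len(parts) >= 3 and sections and parts[0] == "option":
            sections[-1][1][parts[1]] = parts[2]
        elif len(parts) >= 3 and sections and parts[0] == "list":
            sections[-1][1].setdefault(parts[1], []).append(parts[2])
    return sections

def zone_summary(text):
    """Map zone name -> (input policy or None, networks, masq enabled)."""
    out = {}
    for kind, opts in parse_uci(text):
        if kind != "zone":
            continue
        nets = opts.get("network", [])
        if isinstance(nets, str):  # 'option network "a b"' form
            nets = nets.split()
        out[opts.get("name")] = (opts.get("input"), nets, opts.get("masq") == "1")
    return out

def upstream_can_reach_router(text, zone="wan"):
    """True if the zone policy alone accepts traffic to the router itself
    (LuCI, SSH). Per-port 'config rule' sections are not evaluated here."""
    return zone_summary(text).get(zone, (None, [], False))[0] == "ACCEPT"

if __name__ == "__main__":
    for label, cfg in (("before", ROUTER_B_BEFORE), ("after", ROUTER_B_AFTER)):
        print(label, zone_summary(cfg), upstream_can_reach_router(cfg))
```

To use it on a real device, paste the output of `cat /etc/config/firewall` into a string and pass it to `zone_summary`.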

It is, since it isn't routing, samba or not, doesn't matter.