Firewall rules between 2 LANs on the same box

Physical interfaces are different than logical network interfaces.

Can you post your configuration and your goals as I had requested earlier?

I am actually searching for the right configuration.

Current config is meaningless, but here it is:

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config rule
	option name 'DHCP'
	option direction 'in'
	option device 'phy0-sta0'
	option family 'ipv4'
	option src 'lan'
	option target 'REJECT'
	option dest 'lan'
	list proto 'udp'
	option dest_port '67-68'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option band '2g'
	option channel '11'
	option htmode 'HT20'
	option txpower '28'
	option country 'US'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'WDS_yyyyy'
	option encryption 'none'
	option wds '1'
	option macfilter 'allow'
	list maclist 'BBBBBBB'
	list maclist 'AAAAAAA'
	option hidden '1'

config wifi-iface 'wifinet1'
	option device 'radio0'
	option mode 'ap'
	option ssid 'UPSTAIRS'
	option encryption 'none'
	list maclist 'AAAA'
	option network 'lan'
	option macfilter 'allow'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'YYY'
	option encryption 'psk-mixed'
	option hidden '1'
	option key 'mypassword'
	option network 'lan'

config wifi-iface 'wifinet4'
	option device 'radio0'
	option mode 'sta'
	option ssid 'WDS_XXX'
	option encryption 'none'
	option wds '1'
	option network 'lan'

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdfe:1f38:2b5c::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth1'
	option bridge_empty '1'
	option stp '1'
	option igmp_snooping '1'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.21'
	option netmask '255.255.0.0'
	option ip6assign '60'
	option gateway '192.168.2.1'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'eth1'
	option ipv6 '0'

config device
	option name 'phy0-ap0'
	option ipv6 '0'

config device
	option name 'phy0-ap1'
	option ipv6 '0'

config device
	option name 'phy0-ap2'
	option ipv6 '0'

config device
	option name 'phy0-sta0'
	option ipv6 '0'

no dhcp

Not just meaningless… it really has too many issues and no clear goal. You should almost certainly reset to defaults to make sure you have a known good starting configuration.

Please describe exactly what you want to happen in your network. You only have a single subnet defined right now, so let’s start with an understanding of your end goal.

1 - Which errors ?
2 - The goal has been stated already 2 or 3 times: I want to block some packets (DHCP, to be specific) going through one of the interfaces (reaching the other LAN)

You only have one network. There is no “other lan”.

This doesn’t go from one network to another in most situations. It comes from the router itself going to the network in question. Aside from blocking dhcp, what does the network do? Does it have access to the internet? Does it allow routing to or from the other network? Etc.

As mentioned already multiple times: the interface reaches another box which IS the other LAN

Your other question about Internet is irrelevant here

The DHCP server is on LAN1 (where one of the interfaces connects via WDS) and those packets go through my current box; I want to block them from going to that other box on LAN2:

LAN1 (another box) <---->  (interface A) my box here (interface B) <---> LAN 2 (another box)

I want to block packets on interface B

Does this make it clearer?

:confused: ok...

(It would have been helpful to mention earlier that this DHCP server was another device.)

Make them 2 separate [properly configured] networks. Place the port LAN1 in a separate network from LAN2. The firewall will not block intra-network traffic.

Yes, that was my initial attempt, but packets are totally not crossing the 2 zones, and everybody fired on me, saying that I am so stupid

No, they told you where your mistake was and how to fix it. You then decided to scrap the entire thing and put all the interfaces into one network.

:confused:

  • You don't want DHCP to cross, correct?
  • But then you say that packets are not totally crossing the 2 zones?

In order to assist you, can you clarify what this means?

I don't see the word anywhere, except when you just posted it. I saw multiple people informing you that changing a simple 255.255.0.0 to 255.255.255.0 would fix your networks (you even asked for detailed information regarding what was wrong) - but you said you preferred to make them one network.

We don't know why, feel free to provide more detail if you need further assistance from the community.
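The two points made above (put the ports in two separate networks, and the netmask 255.255.0.0 vs 255.255.255.0 remark) both come down to one check: if the interfaces that are supposed to be "LAN1" and "LAN2" sit in the same subnet, or a rule names the same zone as both src and dest, the traffic never crosses a zone boundary and the firewall has nothing to act on. The script below is an added example, not code from the thread or from OpenWrt: it parses the UCI text format shown in the posted configs, reports static interfaces whose subnets overlap, and flags firewall rules whose src and dest zones are identical. The two config snippets inside it are constructed samples modelled on the posted files; the second interface `lan2` on `phy0-sta0` is an assumption used to illustrate the "two separate networks" layout.

```python
import ipaddress
import shlex

# Constructed sample in the UCI format shown in the thread (not the poster's
# full config). 'lan2' on phy0-sta0 is an assumed second network.
NETWORK_CONFIG = """
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.21'
	option netmask '255.255.0.0'

config interface 'lan2'
	option device 'phy0-sta0'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.0.0'
"""

# Constructed sample: a single zone, and a rule that names that zone on both ends.
FIREWALL_CONFIG = """
config zone
	option name 'lan'
	list network 'lan'

config rule
	option name 'DHCP'
	option src 'lan'
	option dest 'lan'
	list proto 'udp'
	option dest_port '67-68'
	option target 'REJECT'
"""


def parse_uci(text):
    """Parse UCI text into a list of sections.

    Each section is {'type': ..., 'name': ... or None, 'options': {key: value}};
    'list' entries accumulate into a Python list under their key.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # handles the 'quoted' values
        if not tokens:
            continue
        kind = tokens[0]
        if kind == 'config':
            current = {'type': tokens[1],
                       'name': tokens[2] if len(tokens) > 2 else None,
                       'options': {}}
            sections.append(current)
        elif kind == 'option' and current is not None:
            current['options'][tokens[1]] = tokens[2] if len(tokens) > 2 else ''
        elif kind == 'list' and current is not None:
            current['options'].setdefault(tokens[1], []).append(tokens[2])
    return sections


def static_interfaces(sections):
    """Map interface name -> ip_interface for 'proto static' interfaces."""
    result = {}
    for sec in sections:
        opts = sec['options']
        if sec['type'] != 'interface' or opts.get('proto') != 'static':
            continue
        if opts.get('ipaddr') and opts.get('netmask'):
            result[sec['name']] = ipaddress.ip_interface(
                f"{opts['ipaddr']}/{opts['netmask']}")
    return result


def overlapping_interfaces(ifaces):
    """Pairs of interfaces whose subnets overlap.

    Hosts in overlapping subnets treat each other as on-link, so traffic
    between them is never forwarded between two zones and no zone->zone
    firewall rule can apply to it.
    """
    names = sorted(ifaces)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ifaces[a].network.overlaps(ifaces[b].network)]


def ineffective_rules(sections):
    """Names of rules whose src and dest are the same zone (intra-zone traffic)."""
    return [sec['options'].get('name', '<unnamed>') for sec in sections
            if sec['type'] == 'rule'
            and sec['options'].get('src')
            and sec['options'].get('src') == sec['options'].get('dest')]


if __name__ == '__main__':
    net = parse_uci(NETWORK_CONFIG)
    print('overlapping subnets:', overlapping_interfaces(static_interfaces(net)))
    fixed = parse_uci(NETWORK_CONFIG.replace('255.255.0.0', '255.255.255.0'))
    print('after /24 netmasks:', overlapping_interfaces(static_interfaces(fixed)))
    print('same-zone rules:', ineffective_rules(parse_uci(FIREWALL_CONFIG)))
```

With the /16 masks the two interfaces both land in 192.168.0.0/16 and are reported as overlapping; rewriting the masks to 255.255.255.0 puts them in 192.168.1.0/24 and 192.168.2.0/24, at which point a forwarding between two zones, plus a rule that rejects udp/67-68 from one zone to the other, is something the firewall can actually enforce.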

1 - yes, I want to block the DHCP packets crossing my box (see scheme above)
2 - yes, I want other packets to cross freely

We need a little more detail than that.

Otherwise simply allow forward from network1 to network2 (and vice versa).

free like in free beer

not sure I understand your question

I don't get the joke, so without more information, I can only suggest:

Good luck.

This would imply that it is a flat network -- the lan of the upstream router would be the same as the lan of the downstream router. There is no easy way to block these communications because they are on the same L2 network and are not subject to the firewall.

You may be conflating physical interfaces and logical network interfaces.

Is the intent to have 2 distinct networks? If so, you need a different configuration... probably a standard routing setup with that 2nd router connected as a wifi client.

The other router is ALREADY connected as a Wifi client (WDS mentioned earlier)

There is NO internet, NO upstream/downstream, etc. This is a basic LAN between OpenWrt physical boxes

I understand that. But it's probably the wrong configuration if you want to prevent DHCP from passing from the main router to the clients that connect to the second router.

Maybe it'll help if you explain:

  • The purpose of the two OpenWrt devices
  • Why they're connected with no Internet
  • Is the DHCP device the other OpenWrt?
  • What is the purpose of the 2 devices?
  • What traffic needs to be allowed between both networks?
  • Explain why you don't want DHCP between the 2 (networks/interfaces/?), but want other traffic

And do you have relayd configured on this other device?

I have stated all that multiple times already

  • Internet is of no interest here, this is just a LAN question
  • there are no 2 openwrt but about 5 to 10 in each LAN, reaching a single connection point in that specific box I am speaking about (so ALL the packets moving from one LAN to the other have to go through this specific box)
  • DHCP device is of no importance here. There is one in each LAN somewhere physically in the nature
  • Traffic to be allowed : all except DHCP
  • Relayd: NO (there is NO relation between WDS wifi connectivity and relayd!!! please, I thought I was speaking with experts)

So what happened when you made the config changes suggested by the ones you mistakenly believed called you stupid?

Not sure how we can further help if you won't answer basic questions, but want to block traffic. You won't even tell us what/where the server is.

And, your config says no DHCP, so that presents another unknown factor. Another possibility is that you statically addressed some [portion of your] network; we can't guess.

So how did you connect (given you have AP and STA configs), which one?

I guess you didn't understand why I'm asking, so you rather insult (we can't guess if you ever made the correct config when you had 2 networks, nor where this DHCP device is located)?

We also need to know the config of the other OpenWrt device.