This should be applied to the R1 starting from factory defaults:
# Static route to the remote LAN: 192.168.102.0/24 is reached via 10.1.0.2
# on the wan interface (10.1.0.2 is presumably R2's WAN-side address -- confirm
# against your topology).
# The section is deleted first (-q: no error if it does not exist yet), so
# re-running this part replaces the route instead of failing or duplicating it.
uci -q delete network.lan_lan
uci set network.lan_lan="route"
uci set network.lan_lan.interface="wan"
uci set network.lan_lan.target="192.168.102.0/24"
uci set network.lan_lan.gateway="10.1.0.2"
# Persist the staged changes, then restart networking to apply them.
uci commit network
/etc/init.d/network restart
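# DNS across the link.
# localservice=0 switches off dnsmasq's "answer local subnets only" check, so
# dnsmasq replies to any client that can reach port 53. From here on the
# firewall (the Allow-DNS-WAN rule, which admits only 10.1.0.2 and
# 192.168.102.0/24) is the only thing limiting who can query this resolver.
# The arguments are single-quoted so the shell cannot treat [0] as a glob.
uci set 'dhcp.@dnsmasq[0].localservice=0'
# Forward lookups for the "lan2" domain to 10.1.0.2 (presumably R2 -- confirm).
# del_list before add_list: unlike "set", add_list appends on every run, so
# without this a second run would leave a duplicate server entry.
uci -q del_list 'dhcp.@dnsmasq[0].server=/lan2/10.1.0.2'
uci add_list 'dhcp.@dnsmasq[0].server=/lan2/10.1.0.2'
# Persist the staged changes, then restart dnsmasq to apply them.
uci commit dhcp
/etc/init.d/dnsmasq restart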
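# Exclude traffic towards 10.1.0.2 and the remote LAN 192.168.102.0/24 from
# masquerading on the WAN zone ("!" negates the match), so the far side sees
# the real source addresses of this LAN rather than R1's WAN address.
# @zone[1] is addressed by position: it is expected to be the "wan" zone on
# factory defaults. On a modified config, check first with
#   uci get 'firewall.@zone[1].name'
# Single quotes keep the shell from interpreting "[1]" and "!".
# Each entry is removed before it is added, because add_list appends on every
# run and would otherwise leave duplicates after a re-run.
uci -q del_list 'firewall.@zone[1].masq_dest=!10.1.0.2/32'
uci add_list 'firewall.@zone[1].masq_dest=!10.1.0.2/32'
uci -q del_list 'firewall.@zone[1].masq_dest=!192.168.102.0/24'
uci add_list 'firewall.@zone[1].masq_dest=!192.168.102.0/24'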
# Input rule on the wan zone (no "dest" option, so it covers traffic addressed
# to the router itself): accept DNS on port 53, TCP and UDP, from 10.1.0.2
# and from 192.168.102.0/24 only.
# With dnsmasq's localservice check disabled, this source list is the only
# limit on who can use the resolver from the WAN side; keep it as narrow as
# the two entries below.
# The section is deleted first, so the add_list calls start from an empty list.
uci -q delete firewall.wan_dns
uci set firewall.wan_dns="rule"
uci set firewall.wan_dns.name="Allow-DNS-WAN"
uci set firewall.wan_dns.src="wan"
uci add_list firewall.wan_dns.src_ip="10.1.0.2/32"
uci add_list firewall.wan_dns.src_ip="192.168.102.0/24"
uci set firewall.wan_dns.dest_port="53"
uci set firewall.wan_dns.proto="tcp udp"
uci set firewall.wan_dns.target="ACCEPT"
# Input rule on the wan zone (no "dest" option): accept TCP 22, 80 and 443
# on the router itself from 192.168.102.0/24, i.e. SSH and web administration
# from the remote LAN.
# The only restriction is the source address, so this is as trustworthy as
# the WAN segment between the two routers: any host there that can send
# packets with a 192.168.102.0/24 source reaches the management ports.
# NOTE(review): port 80 is plain HTTP; if the web interface is served over
# HTTPS on this router, 80 can be dropped from dest_port -- confirm before use.
uci -q delete firewall.wan_admin
uci set firewall.wan_admin="rule"
uci set firewall.wan_admin.name="Allow-Admin-WAN"
uci set firewall.wan_admin.src="wan"
uci set firewall.wan_admin.src_ip="192.168.102.0/24"
uci set firewall.wan_admin.dest_port="22 80 443"
uci set firewall.wan_admin.proto="tcp"
uci set firewall.wan_admin.target="ACCEPT"
# Forward rule wan -> lan: let hosts in 192.168.102.0/24 ping hosts on this
# LAN. Only IPv4 ICMP echo-request is accepted; other ICMP types and IPv6
# are not covered by this rule.
# The section is deleted first (-q: no error if absent) so a re-run recreates it.
uci -q delete firewall.l2l_icmp
uci set firewall.l2l_icmp="rule"
uci set firewall.l2l_icmp.name="Allow-ICMP-Forward"
uci set firewall.l2l_icmp.src="wan"
uci set firewall.l2l_icmp.src_ip="192.168.102.0/24"
uci set firewall.l2l_icmp.dest="lan"
uci set firewall.l2l_icmp.proto="icmp"
uci set firewall.l2l_icmp.icmp_type="echo-request"
uci set firewall.l2l_icmp.family="ipv4"
uci set firewall.l2l_icmp.target="ACCEPT"
# Forward rule wan -> lan: let hosts in 192.168.102.0/24 open SSH (TCP 22)
# connections to hosts on this LAN. Nothing else is forwarded from the remote
# LAN by this rule; further services need their own rule.
# As with the other rules, access is granted by source address alone, so every
# SSH server on this LAN becomes reachable from the whole remote /24.
uci -q delete firewall.l2l_ssh
uci set firewall.l2l_ssh="rule"
uci set firewall.l2l_ssh.name="Allow-SSH-Forward"
uci set firewall.l2l_ssh.src="wan"
uci set firewall.l2l_ssh.src_ip="192.168.102.0/24"
uci set firewall.l2l_ssh.dest="lan"
uci set firewall.l2l_ssh.dest_port="22"
uci set firewall.l2l_ssh.proto="tcp"
uci set firewall.l2l_ssh.target="ACCEPT"
# Persist every staged firewall change (masquerading exemptions and all rules),
# then restart the firewall to load them.
uci commit firewall
/etc/init.d/firewall restart
R2 should be configured symmetrically, i.e. with the same commands but with the two routers' addresses, LAN subnets and local domain swapped.