root@turris:~# uci export network
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd94:8c3b:f847::/48'
config interface 'lan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option bridge_empty '1'
list ifname 'lan0'
list ifname 'lan1'
list ifname 'lan2'
list ifname 'lan3'
list ifname 'lan4'
option _turris_mode 'managed'
config interface 'wan'
option ifname 'eth2'
option username '*redact*'
option password '*redact*'
option ipv6 '1'
option proto 'pppoe'
config interface 'guest_turris'
option enabled '1'
option type 'bridge'
option proto 'static'
option ipaddr '10.111.222.1'
option netmask '255.255.255.0'
option bridge_empty '1'
config interface 'wan6'
option ifname '@wan'
option proto 'dhcpv6'
uci export wireless
I do not use WLAN from the Turris Omnia Router. I`ve two separate APs for the WLAN net.
root@turris:~# uci export dhcp
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option port '0'
config dhcp 'lan'
option interface 'lan'
option dhcpv6 'server'
option ra 'server'
option ignore '0'
option leasetime '43200'
option start '106'
option limit '144'
list dhcp_option '6,192.168.1.1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'guest_turris'
option interface 'guest_turris'
option ignore '0'
option start '100'
option limit '150'
option leasetime '3600'
list dhcp_option '6,10.111.222.1'
root@turris:~# uci export firewall
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone 'guest_turris'
option enabled '1'
option name 'guest_turris'
option input 'REJECT'
option forward 'REJECT'
option output 'ACCEPT'
list network 'guest_turris'
config forwarding 'guest_turris_forward_wan'
option enabled '1'
option name 'guest to wan forward'
option src 'guest_turris'
option dest 'wan'
config rule 'guest_turris_dns_rule'
option enabled '1'
option name 'guest dns rule'
option src 'guest_turris'
option proto 'tcpudp'
option dest_port '53'
option target 'ACCEPT'
config rule 'guest_turris_dhcp_rule'
option enabled '1'
option name 'guest dhcp rule'
option src 'guest_turris'
option proto 'udp'
option src_port '67-68'
option dest_port '67-68'
option target 'ACCEPT'
config rule 'wan_ssh_turris_rule'
option name 'wan_ssh_turris_rule'
option enabled '0'
option target 'ACCEPT'
option dest_port '22'
option proto 'tcp'
option src 'wan'
config rule 'wan_http_turris_rule'
option name 'wan_http_turris_rule'
option enabled '0'
option target 'ACCEPT'
option dest_port '80'
option proto 'tcp'
option src 'wan'
config rule 'wan_https_turris_rule'
option name 'wan_https_turris_rule'
option enabled '0'
option target 'ACCEPT'
option dest_port '443'
option proto 'tcp'
option src 'wan'
config rule 'turris_wan_6in4_rule'
option enabled '0'
root@turris:~# head -n -0 /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
root@turris:~# iptables-save -c
# Generated by iptables-save v1.6.2 on Wed May 27 10:35:57 2020
*nat
:PREROUTING ACCEPT [4577:392406]
:INPUT ACCEPT [680:43810]
:OUTPUT ACCEPT [1736:129047]
:POSTROUTING ACCEPT [14:839]
:postrouting_guest_turris_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guest_turris_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guest_turris_postrouting - [0:0]
:zone_guest_turris_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[4577:392406] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[4008:366350] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[569:26056] -A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i br-guest_turris -m comment --comment "!fw3" -j zone_guest_turris_prerouting
[4629:282476] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[4615:281637] -A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o br-guest_turris -m comment --comment "!fw3" -j zone_guest_turris_postrouting
[0:0] -A zone_guest_turris_postrouting -m comment --comment "!fw3: Custom guest_turris postrouting rule chain" -j postrouting_guest_turris_rule
[0:0] -A zone_guest_turris_prerouting -m comment --comment "!fw3: Custom guest_turris prerouting rule chain" -j prerouting_guest_turris_rule
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[4008:366350] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[4615:281637] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[4615:281637] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[569:26056] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Wed May 27 10:35:57 2020
# Generated by iptables-save v1.6.2 on Wed May 27 10:35:57 2020
*mangle
:PREROUTING ACCEPT [1364745:1363115221]
:INPUT ACCEPT [21799:1629905]
:FORWARD ACCEPT [1341962:1361294215]
:OUTPUT ACCEPT [20091:1240081]
:POSTROUTING ACCEPT [1362049:1362534093]
[3462:194008] -A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed May 27 10:35:57 2020
# Generated by iptables-save v1.6.2 on Wed May 27 10:35:57 2020
*filter
:INPUT ACCEPT [1:590]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_guest_turris_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guest_turris_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_guest_turris_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_turris_dest_ACCEPT - [0:0]
:zone_guest_turris_dest_REJECT - [0:0]
:zone_guest_turris_forward - [0:0]
:zone_guest_turris_input - [0:0]
:zone_guest_turris_output - [0:0]
:zone_guest_turris_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[15842:833277] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[5965:797044] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[2416:650865] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[553:23220] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[2640:106380] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[909:39799] -A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i br-guest_turris -m comment --comment "!fw3" -j zone_guest_turris_input
[1341962:1361294215] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[1338427:1361085709] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[3535:208506] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i br-guest_turris -m comment --comment "!fw3" -j zone_guest_turris_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[15842:833277] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[4260:408236] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[2534:279868] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1:40] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[1725:128328] -A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o br-guest_turris -m comment --comment "!fw3" -j zone_guest_turris_output
[881:36203] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[25:3446] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[553:23220] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_guest_turris_dest_ACCEPT -o br-guest_turris -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guest_turris_dest_REJECT -o br-guest_turris -m comment --comment "!fw3" -j reject
[0:0] -A zone_guest_turris_forward -m comment --comment "!fw3: Custom guest_turris forwarding rule chain" -j forwarding_guest_turris_rule
[0:0] -A zone_guest_turris_forward -m comment --comment "!fw3: Zone guest_turris to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_guest_turris_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_guest_turris_forward -m comment --comment "!fw3" -j zone_guest_turris_dest_REJECT
[0:0] -A zone_guest_turris_input -m comment --comment "!fw3: Custom guest_turris input rule chain" -j input_guest_turris_rule
[0:0] -A zone_guest_turris_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: guest dns rule" -j ACCEPT
[0:0] -A zone_guest_turris_input -p udp -m udp --dport 53 -m comment --comment "!fw3: guest dns rule" -j ACCEPT
[0:0] -A zone_guest_turris_input -p udp -m udp --sport 67:68 --dport 67:68 -m comment --comment "!fw3: guest dhcp rule" -j ACCEPT
[0:0] -A zone_guest_turris_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_guest_turris_input -m comment --comment "!fw3" -j zone_guest_turris_src_REJECT
[0:0] -A zone_guest_turris_output -m comment --comment "!fw3: Custom guest_turris output rule chain" -j output_guest_turris_rule
[0:0] -A zone_guest_turris_output -m comment --comment "!fw3" -j zone_guest_turris_dest_ACCEPT
[0:0] -A zone_guest_turris_src_REJECT -i br-guest_turris -m comment --comment "!fw3" -j reject
[1:40] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[3535:208506] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[3535:208506] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2640:106380] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[2640:106380] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[1:40] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[1:40] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2639:105790] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[4:203] -A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[5256:336631] -A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[909:39799] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[3:150] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[906:39649] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[1725:128328] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[1725:128328] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[906:39649] -A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
COMMIT
root@turris:~# ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
21: br-guest_turris: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN qlen 1000
inet 10.111.222.1/24 brd 10.111.222.255 scope global br-guest_turris
valid_lft forever preferred_lft forever
22: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
23: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN qlen 3
inet 134.101.155.233 peer 84.46.104.216/32 scope global pppoe-wan
valid_lft forever preferred_lft forever
root@turris:~# ip -4 ro li tab all
default via 84.46.104.216 dev pppoe-wan
10.111.222.0/24 dev br-guest_turris scope link src 10.111.222.1
84.46.104.216 dev pppoe-wan scope link src 134.101.155.233
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
broadcast 10.111.222.0 dev br-guest_turris table local scope link src 10.111.222.1
local 10.111.222.1 dev br-guest_turris table local scope host src 10.111.222.1
broadcast 10.111.222.255 dev br-guest_turris table local scope link src 10.111.222.1
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
local 134.101.155.233 dev pppoe-wan table local scope host src 134.101.155.233
broadcast 192.168.1.0 dev br-lan table local scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link src 192.168.1.1
root@turris:~# ip -4 ru
0: from all lookup local
32766: from all lookup main
32767: from all lookup default