[Help Needed] OpenWrt DumbAP + Samba

Lebzul · April 25, 2020, 11:42pm

Network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'MAC::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option stp '1'
	option ipaddr '10.50.10.100'
	option gateway '10.50.10.1'
	option dns '10.50.10.1'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr 'MAC'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr 'MAC

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 1 2 3 4 5'

Wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'HT40'
	option txpower '12'
	option channel '11'
	option disabled '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid '2.4GHz'
	option hidden '1'
	option encryption 'psk2'
	option key 'pass'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11a'
	option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
	option htmode 'VHT80'
	option channel '161'
	option disabled '0'
	option txpower '18'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid '5GHz'
	option encryption 'psk2'
	option key 'pass'
	option hidden '1'

DHCP

config dnsmasq
	option domainneeded	1
	option boguspriv	1
	option filterwin2k	0  # enable for dial on demand
	option localise_queries	1
	option rebind_protection 1  # disable if upstream must serve RFC1918 addresses
	option rebind_localhost 1  # enable for RBL checking and similar services
	#list rebind_domain example.lan  # whitelist RFC1918 responses for domains
	option local	'/lan/'
	option domain	'lan'
	option expandhosts	1
	option nonegcache	0
	option authoritative	1
	option readethers	1
	option leasefile	'/tmp/dhcp.leases'
	option resolvfile	'/tmp/resolv.conf.auto'
	#list server		'/mycompany.local/1.2.3.4'
	option nonwildcard	1 # bind to & keep track of interfaces
	#list interface		br-lan
	#list notinterface	lo
	#list bogusnxdomain     '64.94.110.11'
	option localservice	1  # disable to allow DNS requests from non-local subnets

config dhcp lan
	option interface	lan
	option start 	100
	option limit	150
	option leasetime	12h

config dhcp wan
	option interface	wan
	option ignore	1

Firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option drop_invalid '1'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

Hegabo · April 26, 2020, 10:19am

Why do you have DHCP on on .100? Don't you have DHCP server on the main router?

If you are saying that you can ping .100 from .101 and .102 clients but can't access .100 share (while you can access the same share from the same devices if they are connected directly to .100, then the only other thing I can think of now is that you check Windows firewall in case you have those networks as public, hence blocking file sharing.

On a separate note, you may clean the config a bit by commenting out the lines related to WAN in the different files.

You could also try commenting out these lines in /etc/config/network if you don't need them.

	option delegate '0'
	option stp '1'

Lebzul · April 26, 2020, 1:24pm

I am accessing the share from cellphones. Mostly iPhones with VLC.

Could you please explain the function of those?

option delegate '0'
option stp '1'

Hegabo · April 26, 2020, 1:37pm

I think for easier diagnosis it might be best to try from a PC.

The first line is about IPv6 tunnelling.
The sending [second] one is about spanning tree protocol, which is useful when you have possible multiple paths between two modes in the network, as it is used to avoid loops.

Lebzul · April 26, 2020, 6:41pm

The first line is about IPv6 tunnelling.

I am not using IPv6. It is not being deployed by ISP yet. It is good to have it 0 or 1?

The sending one is about spanning tree protocol, which is useful when you have possible multiple paths between two modes in the network, as it is used to avoid loops.

Can you exemplify this? I've always considered this to be on.

Hegabo · April 26, 2020, 6:44pm

I meant to type: the "second" one.

Lebzul · April 27, 2020, 1:18pm

I've seen those definitions but I was looking for a layman's example and how to relate it to a network similar to mine and if it does not apply, how to apply it in the future (possible case).

Hegabo · April 27, 2020, 1:35pm

If there are two possible routes between 2 nodes, then you need STP.

Lebzul · April 27, 2020, 4:04pm

option delegate '0'

What about this? It is off right?
What's this for and where can I find it in Luci?