Hey all,
I'm trying to set up a Truenas scale
server running micro-services in my house, and I'd really appreciate your help.
Server has static ip 10.0.0.55
. It's the only device in vlan server
, and in firewall zone server
. The services (served by Traefik
on port 443
) should be accessible from the local network and remotely without the use of a VPN.
On the factory Netgear firmware this was pretty simple, but I can't see what needs to be done to get it working on OpenWrt 21.02.2.
I hope it's alright if I paste screenshots of the relevant pages in Luci, as I'm currently unable to ssh into the router.
Best Regards,
Sombrero
You do not need to create routes for locally accessible nodes.
Please, post your network interfaces, too.
2 Likes
Thank you for the clear-up, Eduperez. Since nothing else was working I figured I might as well try adding routes.
Here is the interface overview, and the advanced settings for SERVER
interface. ROUTERCHAIN
is a separate VLAN for an "untrusted" stock router in the network. Should I post more?
grrr2
April 8, 2022, 1:20pm
4
as i understand zone forwardings column for wan should be blank and only output=accept by default. then if you want to allow something put it to exception list and manually add rules for example via the port forward tab. with this current setup any traffic from wan can access your router (=input accept) unfiltered which normally you would not want.
Thanks. I changed it so that for WAN, only output=accept
Finally back home with ssh access. Hope you it's easier for you to assist me with actual text config files:
cat /etc/config/firewall
config defaults
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option input 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
option masq '1'
config zone
option name 'wan'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
option input 'REJECT'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config redirect
option target 'DNAT'
option name 'server'
option src 'wan'
option src_dport '443'
option dest_port '443'
option dest_ip '10.0.0.55'
list proto 'tcp'
option dest 'server'
option reflection_src 'external'
config zone
option name 'netgear'
option input 'ACCEPT'
option output 'ACCEPT'
option masq '1'
list device 'eth0.3'
list network 'routerchain'
option forward 'DROP'
config forwarding
option src 'netgear'
option dest 'lan'
config forwarding
option src 'netgear'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'netgear'
config forwarding
option src 'wan'
option dest 'netgear'
config rule
option src 'netgear'
option target 'ACCEPT'
list proto 'udp'
option name 'routerchain-dhcp'
option dest_port '67'
config rule
option name 'routerchain-dns'
list proto 'udp'
option dest_port '53'
option target 'ACCEPT'
option src 'netgear'
config rule
option name 'routerchain-ntp'
list proto 'udp'
option src 'netgear'
option dest_port '123'
option target 'ACCEPT'
config zone
option name 'server'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'server'
list device 'eth0.2'
option masq '1'
config forwarding
option src 'server'
option dest 'lan'
config forwarding
option src 'server'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'server'
config forwarding
option src 'wan'
option dest 'server'
config rule
option name 'websecure-server'
option src 'wan'
option src_port '443'
option dest 'server'
list dest_ip '10.0.0.55'
option dest_port '443'
option target 'ACCEPT'
config rule
option name 'local-dns'
option src 'lan'
option dest 'server'
list dest_ip '10.0.0.55'
option target 'ACCEPT'
option dest_port '53'
config rule
option name 'server-dns'
option src 'server'
option dest 'wan'
option dest_port '53'
option target 'ACCEPT'
config rule
option name 'lan-to-server-websecure'
option src 'lan'
option dest 'server'
list dest_ip '10.0.0.55'
option dest_port '443'
option target 'ACCEPT'
cat /etc/config/network
:
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdf2:f190:4891::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
option vlan_filtering '1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'eth0.2'
option macaddr '94:a6:7e:b2:7b:3c'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
option type 'bridge'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcp'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option description 'others'
option ports '1 2 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
option description 'wifi'
config switch_vlan
option device 'switch0'
option vlan '3'
option ports '3 6t'
option description 'routerchain'
config device
option name 'wlan0'
config interface 'routerchain'
option device 'eth0.3'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.4.1'
config device
option name 'eth0.3'
option type '8021q'
option ifname 'eth0'
option vid '3'
option acceptlocal '1'
option promisc '1'
config switch_vlan
option device 'switch0'
option vlan '4'
option description 'server'
option ports '0 6t'
config device
option name 'eth0.4'
option type '8021q'
option ifname 'eth0'
option vid '4'
config interface 'server'
option device 'eth0.4'
option proto 'static'
option ipaddr '10.0.0.1'
option netmask '255.255.255.0'
config device
option name 'wlan1'
option multicast_router '1'
cat /etc/config/wireless
option type 'mac80211'
option hwmode '11g'
option path 'platform/10300000.wmac'
option cell_density '0'
option channel 'auto'
option txpower '20'
option htmode 'HT20'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option key '****************'
option encryption 'psk2'
option ssid 'OpenWrt2.4'
config wifi-device 'radio1'
option type 'mac80211'
option hwmode '11a'
option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
option htmode 'VHT80'
option txpower '20'
option country 'NO'
option cell_density '2'
option channel 'auto'
config wifi-iface 'default_radio1'
option device 'radio1'
option mode 'ap'
option ssid 'OpenWrt'
option key '********************'
option network 'lan'
option encryption 'psk2'