Hello everybody!
I'm very new to OpenWrt and I could use some help getting it up and running. I have tried myself, and read a lot of threads and tutorials, but after one and a half weeks of trying and not succeeding, I thought I'd ask for help.
What I want to do:
I have a Fritzbox 7490, a TP-Link Archer C7v5 and a lot of components, including IoT / SmartHome stuff, that need to be properly handled. The idea is,
- FritzBox as modem, DECT, a guest wifi and a "DMZ" (Nextcloud, printer)
- Archer C7 with OpenWrt 19.07 split into
- VLAN1 for all IoT things like bulbs, power outlets, relays, sensors, Raspis and Home Assistant
- VLAN2 for all "private" things like Laptops, PCs, mobile phones, tablets.
So far, so good. A few things to note:
- DMZ should be reachable from outside / internet as well as from VLAN2
- VLAN1 should only be reachable from VLAN2, not from the internet or DMZ
- VLAN2 should be able to do everything; it doesn't need to be reachable from the internet, besides the "back channel"
- I want to run one LAN port with VLAN1 and VLAN2 (both tagged) via a PowerLine adapter to my garage. In the garage there will be a Raspi that should split those two VLANs into two wifi networks, so I can use sensors and other things from the home automation (VLAN1 IoT) and a laptop for repair instructions and such things in VLAN2.
And this is what I got so far. I tried to do it with LuCI, but for simplicity I'll show the config files here. It shouldn't matter anyway, as LuCI reads/changes the config files, doesn't it?
```
root@ArcherC7:~# cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd65:4e78:457f::/48'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '98:da:c4:bf:d7:29'

config interface 'wan'
	option proto 'dhcp'
	option ifname 'eth0.66'

config interface 'wan6'
	option proto 'dhcpv6'
	option ifname 'eth0.66'

config interface 'vlan1'
	option proto 'static'
	option ipaddr '10.0.10.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option ifname 'eth0.1 radio0.network1 wlan1'
	option ip6assign '64'

config interface 'vlan2'
	option proto 'static'
	option ipaddr '10.0.74.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option ifname 'eth0.2'
	option ip6assign '64'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '4 3 2t 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '5 2t 0t'

config switch_vlan
	option device 'switch0'
	option vlan '66'
	option vid '66'
	option ports '1 0t'
```
```
root@ArcherC7:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option forward 'ACCEPT'
	option input 'REJECT'
	option output 'REJECT'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'vlan1'
	option input 'ACCEPT'
	option network 'vlan1'
	option output 'REJECT'
	option forward 'ACCEPT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'
	option dest 'vlan2'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest 'vlan2'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vlan2'
	option output 'ACCEPT'
	option network 'vlan2'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option dest 'vlan1'
	option src 'vlan2'

config forwarding
	option dest 'vlan2'
	option src 'wan'
```
I have to admit, I used DD-WRT years ago, and in my mind I had remembered it as way easier... That's why I thought I'd go with OpenWrt, as it seemed easier to configure... Yet here I am, and need some insight into why things don't work as expected. I guess it has something or mostly to do with the firewall settings, but I honestly have no clue and am totally lost...
Please, any input is much appreciated; I want to understand what is going on and how to configure it. I don't want to believe I'm a FritzBox user who forgot everything about real configuration...
Thanks!
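Added example, not part of the original post or of OpenWrt itself: a small Python audit that parses a UCI-style /etc/config/firewall and flags the settings that contradict the isolation goals stated in the post (internal VLANs not reachable from the internet, router not exposed on wan). The parser, the `audit` function and the zone names `vlan1`/`vlan2` as "internal" are my assumptions; the `SAMPLE` text is a constructed excerpt that mirrors the zones and forwardings posted above.

```python
import re

# Constructed excerpt mirroring the posted firewall's defaults, wan zone
# and forwarding sections (not a copy of the full file).
SAMPLE = """\
config defaults
    option forward 'ACCEPT'
config zone
    option name 'wan'
    option network 'wan wan6'
    option input 'ACCEPT'
    option forward 'ACCEPT'
config forwarding
    option src 'vlan2'
    option dest 'vlan1'
config forwarding
    option src 'wan'
    option dest 'vlan2'
"""

# Matches the three line shapes a UCI file uses: config / option / list.
LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")

def parse_uci(text):
    """Return [(section_type, {key: value or [values]}), ...] in file order."""
    sections = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        kind, key, val = m.groups()
        if kind == "config":
            sections.append((key, {}))
        elif kind == "option":
            sections[-1][1][key] = val
        else:  # list: repeated keys accumulate into a Python list
            sections[-1][1].setdefault(key, []).append(val)
    return sections

def audit(text, internal=("vlan1", "vlan2")):
    """Return findings that contradict the goals: no internal zone reachable
    from wan, and no unsolicited input from wan to the router itself."""
    findings = []
    for kind, opts in parse_uci(text):
        if kind == "defaults" and opts.get("forward", "REJECT") == "ACCEPT":
            findings.append("defaults: forward=ACCEPT lets every zone reach every other zone")
        elif kind == "zone" and opts.get("name") == "wan" and opts.get("input") == "ACCEPT":
            findings.append("zone wan: input=ACCEPT exposes all router services to the internet")
        elif kind == "forwarding" and opts.get("src") == "wan" and opts.get("dest") in internal:
            findings.append(f"forwarding wan->{opts['dest']} makes an internal zone reachable from the internet")
    return findings
```

Run `audit(open('/etc/config/firewall').read())` on the router (or on a copied file) to list the findings; an empty list means none of these three conditions were found.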