Hi all,
I'm new to OpenWRT but not new to networking (currently doing CCNA). I'm hoping that someone is able to assist with my home setup. I'll explain what I've got so far, and then explain below what I'm trying to achieve.
Current setup
What I would like to achieve
The routing/firewall stipulations would need to be as below:
I think I know how I'd do this on cisco, but, with my limited knowledge of Linux as a whole and also openWRT, I'm hoping one of you out there is able to help. I've been using the GUI (because of my limited knowledge of Linux commands (too used to Cisco atm).
Hope this all makes sense, and someone is able to help.
trendy
January 25, 2021, 4:27pm
2
You can control the allowed flows of the firewall with forwardings. iot and guest have forwarding only to wan. lans have to iot and wan.
1 Like
mpa
January 25, 2021, 8:03pm
3
To add a wired connection to a subnet which is currently WiFi-only:
configure VLAN X in the switch configuration if applicable (Network -> Switch): tagged on the CPU port, untagged on the access port where the client connects
enable bridging under "Physical settings" for an OpenWrt interface (Network -> Interface)
add the physical interface (usually eth0.X) to the bridge
The details may vary, that's why it would be good to see your current configuration. Please post these files from /etc/config/ after redacting any secrets:
networkwirelessfirewall
What is the device's make and model?
1 Like
Just managed to do that with the Vlan, thanks!
How do I get it to do a "show running-config"? I'm running a Linksys WRT1900ACS
trendy
January 28, 2021, 10:40am
5
There isn't one-file-shows-all-config, but you can see the individual files in /etc/config/
mpa
January 28, 2021, 10:59am
6
In addition to looking at the individual UCI config files, you can also run uci show or uci export after logging in via SSH.
There is a lot of documentation about the config system in the OpenWrt wiki:
The UCI system See also: UCI defaults, Network scripting The abbreviation UCI stands for Unified Configuration Interface, and is a system to centralize the configuration of OpenWrt services. UCI is the successor to the NVRAM-based configuration...
Some add-on packages may come without UCI support and use their own config files located elsewhere.
LuCI can export the configuration as an archive (System -> Backup/Flash Firmware).
1 Like
Hi,
Thanks for that. Think I've redacted everything I need to.
firewall.@defaults [0]=defaults@defaults [0].input='ACCEPT'@defaults [0].output='ACCEPT'@defaults [0].forward='REJECT'@defaults [0].synflood_protect='1'@zone [0]=zone@zone [0].name='lan'@zone [0].input='ACCEPT'@zone [0].output='ACCEPT'@zone [0].forward='ACCEPT'@zone [0].network='lan'@zone [1]=zone@zone [1].input='ACCEPT'@zone [1].name='LauraNET'@zone [1].output='ACCEPT'@zone [1].forward='ACCEPT'@zone [1].network='Laura_NET'@zone [2]=zone@zone [2].name='GuestNET'@zone [2].input='ACCEPT'@zone [2].forward='ACCEPT'@zone [2].network='GuestNET'@zone [2].output='ACCEPT'@zone [3]=zone@zone [3].network='IoTNET'@zone [3].input='ACCEPT'@zone [3].name='IoTNET'@zone [3].output='ACCEPT'@zone [3].forward='ACCEPT'@zone [4]=zone@zone [4].name='wan'@zone [4].input='REJECT'@zone [4].output='ACCEPT'@zone [4].forward='REJECT'@zone [4].masq='1'@zone [4].mtu_fix='1'@zone [4].network='wan wan6'@forwarding [0]=forwarding@forwarding [0].src='lan'@forwarding [0].dest='wan'@rule [0]=rule@rule [0].name='Allow-ICMPv6-Forward'@rule [0].src='wan'@rule [0].dest=''@rule [0].proto='icmp'@rule [0].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'@rule [0].limit='1000/sec'@rule [0].family='ipv6'@rule [0].target='ACCEPT'@rule [1]=rule@rule [1].name='Allow-IPSec-ESP'@rule [1].src='wan'@rule [1].dest='lan'@rule [1].proto='esp'@rule [1].target='ACCEPT'@rule [2]=rule@rule [2].name='Allow-ISAKMP'@rule [2].src='wan'@rule [2].dest='lan'@rule [2].dest_port='500'@rule [2].proto='udp'@rule [2].target='ACCEPT'@include [0]=include@include [0].path='/etc/firewall.user'@forwarding [1]=forwarding@forwarding [1].dest='wan'@forwarding [1].src='GuestNET'@forwarding [2]=forwarding@forwarding [2].dest='wan'@forwarding [2].src='IoTNET'@forwarding [3]=forwarding@forwarding [3].dest='wan'@forwarding [3].src='LauraNET'@defaults [0]=defaults@defaults [0].syn_flood='1'@defaults [0].input='ACCEPT'@defaults [0].output='ACCEPT'@defaults [0].forward='REJECT'@zone [0]=zone@zone [0].name='lan'@zone [0].network='lan'@zone [0].input='ACCEPT'@zone [0].output='ACCEPT'@zone [0].forward='ACCEPT'@zone [1]=zone@zone [1].name='wan'@zone [1].network='wan' 'wan6'@zone [1].input='REJECT'@zone [1].output='ACCEPT'@zone [1].forward='REJECT'@zone [1].masq='1'@zone [1].mtu_fix='1'@forwarding [0]=forwarding@forwarding [0].src='lan'@forwarding [0].dest='wan'@rule [0]=rule@rule [0].name='Allow-DHCP-Renew'@rule [0].src='wan'@rule [0].proto='udp'@rule [0].dest_port='68'@rule [0].target='ACCEPT'@rule [0].family='ipv4'@rule [1]=rule@rule [1].name='Allow-Ping'@rule [1].src='wan'@rule [1].proto='icmp'@rule [1].icmp_type='echo-request'@rule [1].family='ipv4'@rule [1].target='ACCEPT'@rule [2]=rule@rule [2].name='Allow-IGMP'@rule [2].src='wan'@rule [2].proto='igmp'@rule [2].family='ipv4'@rule [2].target='ACCEPT'@rule [3]=rule@rule [3].name='Allow-DHCPv6'@rule [3].src='wan'@rule [3].proto='udp'@rule [3].src_ip='fc00::/6'@rule [3].dest_ip='fc00::/6'@rule [3].dest_port='546'@rule [3].family='ipv6'@rule [3].target='ACCEPT'@rule [4]=rule@rule [4].name='Allow-MLD'@rule [4].src='wan'@rule [4].proto='icmp'@rule [4].src_ip='fe80::/10'@rule [4].icmp_type='130/0' '131/0' '132/0' '143/0'@rule [4].family='ipv6'@rule [4].target='ACCEPT'@rule [5]=rule@rule [5].name='Allow-ICMPv6-Input'@rule [5].src='wan'@rule [5].proto='icmp'@rule [5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'@rule [5].limit='1000/sec'@rule [5].family='ipv6'@rule [5].target='ACCEPT'@rule [6]=rule@rule [6].name='Allow-ICMPv6-Forward'@rule [6].src='wan'@rule [6].dest=' '@rule [6].proto='icmp'@rule [6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'@rule [6].limit='1000/sec'@rule [6].family='ipv6'@rule [6].target='ACCEPT'@rule [7]=rule@rule [7].name='Allow-IPSec-ESP'@rule [7].src='wan'@rule [7].dest='lan'@rule [7].proto='esp'@rule [7].target='ACCEPT'@rule [8]=rule@rule [8].name='Allow-ISAKMP'@rule [8].src='wan'@rule [8].dest='lan'@rule [8].dest_port='500'@rule [8].proto='udp'@rule [8].target='ACCEPT'@include [0]=include@include [0].path='/etc/firewall.user'
network.loopback=interface@switch [0]=switch@switch [0].name='switch0'@switch [0].reset='1'@switch [0].enable_vlan='1'@switch_vlan [0]=switch_vlan@switch_vlan [0].device='switch0'@switch_vlan [0].vlan='1'@switch_vlan [0].vid='1'@switch_vlan [0].ports='5t 3 1 0'@switch_vlan [1]=switch_vlan@switch_vlan [1].device='switch0'@switch_vlan [1].vlan='2'@switch_vlan [1].ports='6t 4'@switch_vlan [1].vid='2'@switch_vlan [2]=switch_vlan@switch_vlan [2].device='switch0'@switch_vlan [2].vlan='3'@switch_vlan [2].vid='10'@switch_vlan [2].ports='6t 2'
wireless.radio0=wifi-device
mpa
January 28, 2021, 1:32pm
8
When posting configurations, please use the Preformatted text tool </>.
Add forwardings:
lan -> IoTNET
LauraNET -> IoTNET
Since wireless interface names are dynamic, it is better not to use them in the network configuration.
I wonder whether radio1.network3 does anything useful there.
Please remove all references to wireless interfaces from the ifname lists. When any of them becomes empty, delete that ifname option as well.
The association between the network section and the wireless interface is already established with the network option in the wireless interface configuration. Examples:
That is enough for joining a wireless interface to a bridge.
jammy137:
firewall-opkg
This is a backup file, apparently created by the opkg package manager. It is not part of the active configuration.
While this may be working, I think it is common practice to join additional LAN-like VLANs to the same CPU port which already has the LAN attached to it. If you change this, also update the interface to use eth0 instead of eth1:
network.IoTNET.ifname='eth0.10'
For each zone, consider whether you want to block access to the OpenWrt router itself by settinginput to REJECT. Don't forget to add exceptions for essential protocols such as DNS, DHCP and ICMP in this case.
2 Likes
If you don’t mind, I’ll take advantage of it, I think it will soon be useful to me
mpa
January 28, 2021, 11:19pm
10
This is a small addition to my previous post.
Your configuration connects two wireless interfaces to the Laura_NET network interface:
I believe this requires the bridge option (currently missing):
network.Laura_NET.type='bridge'
1 Like
Hi,
The two Laura_NET wireless interfaces are a 2.4Ghz and a 5Ghz interface, it all appears to work perfectly when both types of devices connect to the WiFi and they can see each other on the network.
Just going through your longer reply, which is really useful thanks! Can't see where to add exceptions. I've opened the relevant forwarding in the "Zones" area on Firewall. (btw, I'm doing 99% of this on the GUI, unsure if that makes a difference). Would I be inputting the exception rules in "Traffic Rules"?
