I’m setting up a guest Wi-Fi network on my OpenWRT router (XDR6088). I want to ensure that devices connected to the guest network can only access the internet and are isolated from the main network (“LAN”) and each other.
However, I am confused about the zone-based firewall. I have some experience with pfSense rule settings, but it seems that OpenWRT’s firewall is not interface-based. I cannot create rules on the interface itself; the zone must be created with some global forwarding settings.
Could someone guide me on how to achieve this using LuCI or SSH? Detailed steps or commands would be greatly appreciated.
This tutorial has the whole explanation, including the firewall stuff that you're asking about. Specifically, it creates a separate firewall zone for the guest network, rejects input (i.e. to the router itself), and then allows the DHCP + DNS services on the router to be accessed. It allows forwards from guest > wan zones (for internet access) but does not allow guest > lan.
It seems that I should learn the uci command. I find that the config in LuCI will create anonymous sections like firewall.@zone[0] instead of firewall.Guest.
You can do it via LuCI, CLI/UCI commands, or direct firewall file edits.
The names of the zones and sections are not really important except for human readability... so it's not an issue one way or the other.
If you'd like a review of your config files:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
Noted. I also want to know more about the relationship between the zone setting (or zone forwarding setting?) in the OpenWRT Firewall.
Is it possible to set up traffic rules manually, instead of using the zone’s setting? For example, if I set up a “zone to reject” with both Input/Output/Forwarding set to Reject, is it possible to overwrite this setting with a traffic rule? This way, I can have a zone that defaults to rejecting everything, and I can enable specific traffic (e.g., IPv4 TCP/UDP for 80/443, IPv4 UDP 123, etc.) when needed.
In the zone definition, there are three broad rules:
Input: controls access to the router itself that is originating from hosts on a network within that zone
Output: controls traffic emerging from the firewall towards the hosts/network(s) in the zone.
Forward: controls intra-zone forwarding. This applies when there are two or more networks within the same firewall zone. If forwarding is allowed, the networks will be able to communicate with each other.
Then there are the forwarding rules, like from lan > wan. This is what allows networks in one zone to reach networks in another zone. In the lan > wan example, that is allowing the lan to initiate connections to the wan, but we generally don't want the reverse, which is why we don't have a wan > lan forward.
These are the broad rules, but rules can be created with whatever granularity is required. You'd start by assigning a network to a zone (new zone if needed). Then you typically set the zone rules and zone forwardings to cover the default case and then create granular rules to achieve your specific goals.
Yes, you can do this. However, keep in mind that this can become more complex or cumbersome as a function of practicality... so yes, it's possible to allow just dns and http/https on the internet, but there may be other ports/services that websites are expecting to be able to reach. And it's also possible (depending on your users) to use the open ports for a VPN, for example, which would then be able to circumvent your attempts at limiting the types of connections/services that can be made.
I am able to set rules for my management interface (network?), but now I want to create a local-only lan2 interface (zone lan2_) and find that I cannot get IPs from the DHCP server.
Here are my firewall settings:
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd75:69a7:0b0e::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '160'
	list ports 'lan4:t'
	list ports 'lan5:t'

config interface 'wan2'
	option proto 'dhcp'
	option device 'eth2.160'

config device
	option name 'eth2'
	option mtu '9000'

config device
	option type '8021q'
	option ifname 'eth2'
	option vid '160'
	option name 'eth2.160'

config interface 'guest_5G'
	option proto 'static'
	option device 'phy1-ap1'
	option ipaddr '192.168.200.1'
	option netmask '255.255.255.0'

config interface 'mgmt'
	option proto 'static'
	option ipaddr '192.168.2.5'
	option netmask '255.255.255.0'
	option device 'eth2.10'

config device
	option type '8021q'
	option ifname 'eth2'
	option vid '10'
	option name 'eth2.10'

config device
	option type '8021q'
	option ifname 'eth2'
	option vid '326'
	option name 'eth2.326'

config interface 'lan2'
	option proto 'static'
	option ipaddr '192.168.201.1'
	option netmask '255.255.255.0'
	option type 'bridge'
root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan_z'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'lanUv880_'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan_'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan_z'
	option dest 'wan_'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan_'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan_'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan_'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.fail2ban'
	option enabled '1'
	option reload '1'

config zone 'Guest'
	option name 'guest_'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest_5G'

config rule 'Guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest_'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'
	option family 'ipv4'

config rule 'Guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest_'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

config zone
	option name 'wan2_'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'wan2'

config forwarding
	option src 'lanUv880_'
	option dest 'wan_'

config forwarding
	option src 'guest_'
	option dest 'wan2_'

config zone
	option name 'mgmt_'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	list network 'mgmt'

config rule
	option name 'Allow-Ping-mgmt'
	list proto 'icmp'
	option src 'mgmt_'
	list dest_ip '192.168.2.5'
	option target 'ACCEPT'
	option family 'ipv4'
	list icmp_type 'echo-request'

config rule
	option name 'Allow-MGMT-mgmt'
	option family 'ipv4'
	list proto 'tcp'
	option src 'mgmt_'
	list dest_ip '192.168.2.5'
	option dest_port '22 80 443'
	option target 'ACCEPT'

config zone
	option name 'lan2_'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	list network 'lan2'

config rule
	option name 'Allow-DHCP-lan2'
	option family 'ipv4'
	list proto 'udp'
	option src 'lan2_'
	option dest_port '67 68'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-lan2'
	option src 'lan2_'
	option dest_port '53'
	option target 'ACCEPT'
	option family 'ipv4'
There are multiple problems with the lan2 network.
First, remove the last line here:
Bridges must be declared as an explicit device, outside the network interface stanza. When added inside the interface, it will actually break things.
A bridge is required if you will be using more than one physical interface -- that is, wifi + Ethernet, multiple WiFi radios, or multiple Ethernet ports on DSA (swconfig is different). Is that the case here?
For your zone config, you have input and output set to reject. You do allow DHCP and DNS later, though... but output must be set to ACCEPT because otherwise traffic that is destined for the network cannot leave the firewall.
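To make the zone semantics from the earlier reply (input/output/forward per zone, plus the zone-to-zone forwarding stanzas and granular rules) and the review points just above concrete, here is an added example that is not from this thread and not part of OpenWrt: a small Python parser for UCI config syntax and an audit that reports, for each zone, where its hosts may forward to, which router services they may reach, and the findings a reviewer would raise (output not ACCEPT, a zone with no network, intra-zone forwarding, a locked-down zone that can still forward into a trusted one). The sample is a constructed, trimmed copy of the lanUv880_, wan2_, guest_ and lan2_ stanzas posted above; the function names and the wording of the findings are mine.

```python
import shlex
from collections import defaultdict

# Constructed sample in UCI syntax: a trimmed copy of stanzas from the config posted above.
SAMPLE_FIREWALL = """
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
config zone
	option name 'lanUv880_'
	option input 'ACCEPT'
config zone
	option name 'wan2_'
	list network 'wan2'
config zone 'Guest'
	option name 'guest_'
	option output 'ACCEPT'
	list network 'guest_5G'
config rule 'Guest_dns'
	option src 'guest_'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'
config rule 'Guest_dhcp'
	option src 'guest_'
	option dest_port '67'
	option proto 'udp'
	option target 'ACCEPT'
config forwarding
	option src 'guest_'
	option dest 'wan2_'
config zone
	option name 'lan2_'
	option output 'REJECT'
	list network 'lan2'
"""

def parse_uci(text):
    """Parse UCI text into [{'type', 'opts'}]; 'option' and 'list' values both accumulate in lists."""
    sections = []
    for words in (shlex.split(line, comments=True) for line in text.splitlines()):
        if words and words[0] == "config":
            sections.append({"type": words[1], "opts": defaultdict(list)})
        elif words and words[0] in ("option", "list") and sections:
            sections[-1]["opts"][words[1]].append(words[2] if len(words) > 2 else "")
    return sections

def zone_policies(sections):
    """Effective input/output/forward per zone, falling back to the 'config defaults' stanza."""
    defaults = next((s["opts"] for s in sections if s["type"] == "defaults"), {})
    zones = {}
    for s in sections:
        if s["type"] == "zone" and s["opts"].get("name"):
            pol = {k: (s["opts"].get(k) or defaults.get(k) or ["REJECT"])[0]
                   for k in ("input", "output", "forward")}
            pol["networks"] = list(s["opts"].get("network", []))
            zones[s["opts"]["name"][0]] = pol
    return zones

def accept_rules(sections, zone):
    """Rules with src=zone whose target is ACCEPT (a rule's default target is DROP)."""
    return [s["opts"] for s in sections if s["type"] == "rule" and s["opts"].get("src") == [zone]
            and s["opts"].get("target", ["DROP"])[0] == "ACCEPT"]

def reachable_zones(sections, zone):
    """Zones that hosts in `zone` may initiate into: forwardings plus ACCEPT rules that carry a dest."""
    out = {s["opts"]["dest"][0] for s in sections
           if s["type"] == "forwarding" and s["opts"].get("src") == [zone]}
    return out | {o["dest"][0] for o in accept_rules(sections, zone) if o.get("dest")}

def router_services(sections, zone):
    """proto/port pairs hosts in `zone` may reach on the router itself (ACCEPT rules without dest)."""
    allowed = set()
    for o in accept_rules(sections, zone):
        if not o.get("dest"):
            protos = " ".join(o.get("proto", ["tcp udp"])).split()
            ports = " ".join(o.get("dest_port", ["any"])).split()
            allowed.update(f"{p}/{port}" for p in protos for port in ports)
    return allowed

def audit(sections):
    """Per-zone findings in the thread's own terms; an empty list means nothing to flag."""
    policies = zone_policies(sections)
    trusted = {z for z, p in policies.items() if p["input"] == "ACCEPT"}
    findings = {}
    for name, pol in policies.items():
        notes = []
        if not pol["networks"]:
            notes.append("no network assigned; the zone has no effect")
        if pol["output"] != "ACCEPT":
            notes.append(f"output={pol['output']}: DHCP offers and DNS replies cannot leave the router")
        if pol["forward"] == "ACCEPT" and len(pol["networks"]) > 1:
            notes.append("forward=ACCEPT with several networks: they can reach each other")
        leaks = sorted(reachable_zones(sections, name) & trusted)
        if pol["input"] != "ACCEPT" and leaks:
            notes.append(f"can forward into trusted zone(s) {leaks}")
        findings[name] = notes
    return findings
```

Run `audit(parse_uci(open("/etc/config/firewall").read()))` on a real dump to get the same report for your own zones. On the sample, guest_ comes out clean (it can only forward into wan2_ and only reaches udp/67 and tcp+udp/53 on the router), lanUv880_ is flagged for having no network, and lan2_ is flagged for output=REJECT, which is exactly why its clients got no DHCP lease. The parser treats a rule with `dest` as zone-to-zone traffic and a rule without `dest` as traffic to the router itself, matching how the firewall applies them.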
It seems that there may be a bug in LuCI such that the device cannot be deleted from the interface. I tried deleting the interface lan2 and creating it again, adding a new traffic rule for allowing DNS from the device to the zone lan2_, and it is now able to get an IP.
The lan2 interface was previously linked to a bridge (eth2, a USB interface), which might have been the problem. Before your previous reply, I was experimenting with a single interface VLAN (eth2) using lan2. Later, I realized that the Linux Bridge might not be designed for a single interface, so I deleted it and created a VLAN device myself. You can see that wan2 and mgmt are using VLAN devices.
I will follow your suggestion soon (it’s too late in my timezone). I also tried using DSA with the MT7531 switch, and it works well.
Regarding the bridge setting: Currently, I am trying to build a network with only Wi-Fi. However, I will try it soon as having Wi-Fi and LAN (eth2’s VLAN) on the same network is one of my use cases (PC, NAS, phone, TV, etc.). For this case, which one should I use? Linux Bridge (eth2)’s VLAN or direct interface’s VLAN?
A bridge will only be needed (or erroneously created per the bug) when there are two or more physical interfaces associated. One USB interface wouldn't need one.
If the physical Ethernet port is not part of the built-in switch, and as long as it is used only for this specific network (i.e. not carrying additional networks via VLANs), you'll simply create a new bridge like this:

config device
	option name 'br-management'
	option type 'bridge'
	list ports 'eth2'

And then use device br-management in the network interface.
After a day of fault finding, I discovered that a bug in LuCI was causing multiple issues. I ended up deleting the interface, device, zone, and rules, then recreated them using UCI commands in SSH. After correcting minor mistakes in LuCI, I finally managed to get an IP.
# devices: an 802.1q sub-interface on eth2, carried by a bridge
uci set network.br_eth2_326=device
uci set network.br_eth2_326.name='br-eth2_326'
uci set network.br_eth2_326.type='bridge'
uci set network.br_eth2_326.vlan_filtering='1'
uci commit network
uci set network.eth2_326=device
uci set network.eth2_326.name='eth2.326'
uci set network.eth2_326.type='8021q'
uci set network.eth2_326.ifname='eth2'
uci set network.eth2_326.vid='326'
# 'ports' is a list option, so add_list is the idiomatic form
uci add_list network.br_eth2_326.ports='eth2.326'
uci commit network
# interface and its DHCP pool
uci set network.lan2=interface
uci set network.lan2.proto='static'
uci set network.lan2.ipaddr='192.168.3.1'
uci set network.lan2.netmask='255.255.255.0'
uci set network.lan2.device='br-eth2_326'
uci commit network
uci set dhcp.lan2=dhcp
uci set dhcp.lan2.interface='lan2'
uci set dhcp.lan2.start='100'
uci set dhcp.lan2.limit='150'
uci set dhcp.lan2.leasetime='12h'
uci commit dhcp
# zone: reject by default, but output ACCEPT so DHCP/DNS replies can leave the router
uci set firewall.lan2Z=zone
uci set firewall.lan2Z.name='lan2Z'
uci set firewall.lan2Z.network='lan2'
uci set firewall.lan2Z.input='REJECT'
uci set firewall.lan2Z.output='ACCEPT'
uci set firewall.lan2Z.forward='REJECT'
uci commit firewall
# named rule sections are created with "uci set firewall.<name>=rule"; a preceding
# "uci add firewall rule" would leave an extra empty anonymous rule behind
uci set firewall.allow_dhcp_lan2Z=rule
uci set firewall.allow_dhcp_lan2Z.name='Allow-DHCP_lan2Z'
uci set firewall.allow_dhcp_lan2Z.src='lan2Z'
uci set firewall.allow_dhcp_lan2Z.proto='udp'
uci set firewall.allow_dhcp_lan2Z.dest_port='67-68'
uci set firewall.allow_dhcp_lan2Z.target='ACCEPT'
uci commit firewall
uci set firewall.allow_dns_lan2Z=rule
uci set firewall.allow_dns_lan2Z.name='Allow-DNS_lan2Z'
uci set firewall.allow_dns_lan2Z.src='lan2Z'
uci set firewall.allow_dns_lan2Z.proto='tcp udp'
uci set firewall.allow_dns_lan2Z.dest_port='53'
uci set firewall.allow_dns_lan2Z.target='ACCEPT'
uci commit firewall
uci set firewall.allow_services=rule
uci set firewall.allow_services.name='Allow-Services'
uci set firewall.allow_services.src='lan2Z'
uci set firewall.allow_services.proto='tcp udp'
# dest belongs on this rule (it was set on allow_ping_out by mistake); without a dest
# zone the rule would open these ports on the router itself instead of forwarding to wan2_
uci set firewall.allow_services.dest='wan2_'
uci set firewall.allow_services.dest_port='80 443 21 22 587 993 5222 8080 465 119 143 6667 6697 8443 8843 49152-65535 123 53 853 9418 1000-2000'
uci set firewall.allow_services.target='ACCEPT'
uci set firewall.allow_services.family='ipv4'
uci commit firewall
uci set firewall.allow_ping_out=rule
uci set firewall.allow_ping_out.name='Allow-Ping-Outside'
uci set firewall.allow_ping_out.src='lan2Z'
uci set firewall.allow_ping_out.proto='icmp'
uci set firewall.allow_ping_out.icmp_type='echo-request'
uci set firewall.allow_ping_out.dest='wan2_'
uci set firewall.allow_ping_out.target='ACCEPT'
uci commit firewall
/etc/init.d/network restart
/etc/init.d/firewall restart
However, I’m a bit confused about why my rules allow outside traffic to access management if the zone settings for input/output/forwarding are set to reject.
If there is a bug in LuCI, it would be great to help resolve it. Do you mind opening a new thread and documenting your findings so that others can try to reproduce it and determine if it is a bug, intended behavior, or some other situation that you encountered?
It is okay, but I need time to collect the evidence and procedure when I have time.
The two main problems are:
A device in an existing interface was not removed correctly (as mentioned).
The issue isn’t shown in LuCI until you open the CLI and find that your settings haven’t been applied.
Another problem is with the Wi-Fi network settings. Sometimes I need to unconfigure the network settings, save and apply, and then reconfigure them to make it work. Today, I also faced an issue where the Wi-Fi interface was broken, and clients couldn’t connect to it. Strangely, another interface (guest Wi-Fi) on the same band worked. I deleted the broken one, recreated it, and it worked again.
I also see that if the interface is from an Ethernet interface ethX (or VLAN ethX.abc), and a Wi-Fi interface’s network selects that interface, the interface type becomes a bridge (though it is ethX / ethX.abc) in LuCI. However, the Wi-Fi interface wasn’t added to the interface as predicted (only a bridge can be used to connect multiple interfaces).