GaryDa
December 17, 2023, 8:17am
Hi everyone, I'm new to the OpenWrt scene, and I'm a complete noob about this router software platform. Please, I need all the help.
First of all, sorry if there are rules not followed with this post; if there are, I will make sure to explore the forum and read more about it.
My setup is a:
Xiaomi Mi Router 4A Gigabit Edition
OpenWrt 23.05.0 r23497-6637af95aa / LuCI openwrt-23.05 branch git-23.236.53405-fc638c8
Default Setup, configured one radio as Wi-Fi client for the time being, serving as my Internet
What I want to accomplish is similar to this (adding the VLANs in luci for Guest, IOT and LAN ):
But using OpenWrt 23.
I tried to follow along, but got stuck on most of the steps, since they don't match the GUI. So I'm really totally lost.
What I've tried so far:
In Network > Interfaces > Devices:
Device Type: VLAN (802.1q)
Base Device: eth0
In Network > Interfaces > Created a new Interface:
Name: iotlan
Protocol: Static
Device: eth0.22
Enabled DHCP Server
Firewall Setting: Created a new one with the same name "iotlan"
When I hit the "save and apply" button, it reverted back, so obviously my configuration was wrong and LuCI reverted it.
Can one please guide me through this?
I am trying to:
separate my normal LAN from IoT LAN.
Iot LAN with VLAN ID 22, mapped to physical LAN port 2 (this should be untagged, yah?)
My normal LAN is my standard LAN for my current devices, PC, Laptop, VMs, etc.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
GaryDa
December 17, 2023, 8:38am
Thank you @psherman, please see the requested info below.
ubus call system board:
{
	"kernel": "5.15.134",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Xiaomi Mi Router 4A Gigabit Edition",
	"board_name": "xiaomi,mi-router-4a-gigabit",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.0",
		"revision": "r23497-6637af95aa",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.0 r23497-6637af95aa"
	}
}
cat /etc/config/network:
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd18:096a:92ea::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wwan'
	option proto 'dhcp'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '22'
	option name 'eth0.22'

config interface 'iotlan'
	option proto 'static'
	option device 'eth0.22'
	option ipaddr '192.168.22.1'
	option netmask '255.255.255.0'
cat /etc/config/wireless:
config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option country 'PH'
	option cell_density '0'

config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'sta'
	option network 'wwan'
	option ssid 'my-isp-router-wifi-ssid'
	option bssid 'C4:0D:xx:xx:xx:xx'
	option encryption 'psk2'
	option key 'mywpa2-password'
cat /etc/config/dhcp:
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'iotlan'
	option interface 'iotlan'
	option start '100'
	option limit '150'
	option leasetime '12h'
cat /etc/config/firewall:
config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'iotlan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iotlan'
The video doesn’t really fully apply to your situation because your device uses dsa, not swconfig.
Delete this:
Remove lan2 from br-lan
Then make a new bridge for your iot:
config device
	option name 'br-iot'
	option type 'bridge'
	list ports 'lan2'
Edit the iot network to use br-iot like this:
config interface 'iotlan'
	option proto 'static'
	option device 'br-iot'
	option ipaddr '192.168.22.1'
	option netmask '255.255.255.0'
And for now, change the input rule to accept.
Does your iot network need to reach the internet? Does the trusted lan need to be able to reach the iot network?
GaryDa
December 17, 2023, 8:59am
Thank you for the prompt response, appreciate it.
My first goal for the time being is to have a separate VLAN working, which should not have communication between one another. I mean, the iotlan should not be able to reach my lan, but both lan should have their own Internet.
I will try your suggested edits above, and will report back. Thanks a mil!
Currently the iot network can’t reach the internet. Add forwarding from the iot zone to the wan zone to allow that.
GaryDa
December 17, 2023, 9:28am
Thanks! I have it working now. Can I please ask for further assistance?
I want to:
Reach a single host in iotlan with specific ipaddress from my lan or "trusted lan".
Make sure, iotlan host can not access mylan nor the router admin.
If you may, please advise on how to tackle this. Would creating another VLAN make sense, so that a host in trustedlan will be able to access a specific host in iotlan?
Thank you once again.
GaryDa:
Reach a single host in iotlan with specific ipaddress from my lan or "trusted lan".
Create a rule that accepts traffic (usually TCP and/or UDP) with source zone lan and destination zone iotlan; the destination IP address will be the address of that specific host in the iotlan. You can make this rule for all ports or just specific ones.
GaryDa:
Make sure, iotlan host can not access mylan nor the router admin.
It doesn't have the ability to reach any other networks, unless you create rules or allow forwarding.
The router itself can currently be reached because we set the input rule on the iotlan zone to accept. If you change that to drop or reject, this will also prevent DHCP and DNS from working on that zone... that's not a problem, though... we'll just create rules to allow those specific services:
config rule
	option name 'IoT_DHCP'
	list proto 'udp'
	option src 'iotlan'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'IoT_DNS'
	option src 'iotlan'
	option dest_port '53'
	option target 'ACCEPT'
GaryDa
December 18, 2023, 4:32am
Thank you once again! I hope you can help further with this one.
I tried to set this up from the web ui, under:
Network
> Firewall
> Traffic Rules
But it doesn't seem to work; I tried pinging the iotlan host but no good.
Please see the config file below for /etc/config/firewall:
config rule
	option name 'lan_to_iotlan'
	option src 'lan'
	option dest 'iotlan'
	option target 'ACCEPT'
	option family 'ipv4'
	list src_ip '192.168.10.111'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'
	list dest_ip '192.168.22.113'
Please note, I have changed the router's main lan IP to 192.168.10.1
What is the host at 192.168.22.113? If it is a windows machine, the firewall may be blocking this connection.
To rule out (pun intended) any issues with the firewall rule itself, you could make a blanket forwarding rule like this:
config forwarding
	option src 'lan'
	option dest 'iotlan'
This will allow any host in lan to reach any host in iotlan, but not the other way around (obviously response traffic is allowed; we're just talking about the initiation of the connection here). If it doesn't work, it means that the host on the iot network is either firewalled or has some other reason that it doesn't like crossing subnets.
Once you have tested that, assuming it is successful, you can remove that forwarding rule if you want to be more granular and restrictive. For the rule you showed... make sure you're testing it from the host at 192.168.10.111 -- any other host won't be allowed.
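To make the zone, forwarding and rule logic from the two replies above concrete, here is an added Python model (not code from the thread, and not OpenWrt's own firewall implementation) that judges a new connection against a trimmed, constructed copy of the thread's firewall config. It assumes fw4's order of evaluation (explicit traffic rules first, then the source zone's input policy for traffic aimed at the router, then zone-to-zone forwarding entries, then the global default) and deliberately leaves out the blanket lan-to-iotlan forwarding so that the effect of the host-specific rule is visible.

```python
# Constructed illustration (not code from the thread or OpenWrt): how fw4 judges a NEW flow.
CONF = """
config defaults
    option forward 'REJECT'
config zone
    option name 'lan'
    option input 'ACCEPT'
config zone
    option name 'iotlan'
    option input 'DROP'
config forwarding
    option src 'iotlan'
    option dest 'wan'
config rule
    option src 'iotlan'
    option dest_port '53'
    option target 'ACCEPT'
config rule
    option src 'lan'
    option dest 'iotlan'
    list src_ip '192.168.10.111'
    list dest_ip '192.168.22.113'
    option target 'ACCEPT'
"""

def parse_uci(text):
    secs = []  # UCI 'config/option/list' lines -> [(section_type, {key: value})]
    for kind, key, *val in (l.split() for l in text.splitlines() if l.strip()):
        if kind == "config":
            secs.append((key, {}))
        elif kind == "option":
            secs[-1][1][key] = val[0].strip("'")
        else:  # list: a repeatable key, keep every value
            secs[-1][1].setdefault(key, []).append(val[0].strip("'"))
    return secs

def _matches(r, src, dst, sip, dip, dport):
    """A rule without 'dest' is an INPUT rule (dst None); dest '*' means any zone."""
    ok = r.get("src") == src and r.get("dest") in (dst, "*" if dst else None)
    for key, val in (("src_ip", sip), ("dest_ip", dip)):
        want = r.get(key, [])  # an 'option' gives a str, a 'list' gives a list
        ok &= not want or val in ([want] if isinstance(want, str) else want)
    lo, _, hi = r.get("dest_port", "0-65535").partition("-")
    return ok and int(lo) <= dport <= int(hi or lo)

def verdict(conf, src, dst, sip, dip, dport):  # dst=None: flow aimed at the router itself
    secs = parse_uci(conf)
    for t, s in secs:  # 1. explicit traffic rules are consulted first
        if t == "rule" and _matches(s, src, dst, sip, dip, dport):
            return s["target"]
    if dst is None:  # 2. to the router: the source zone's input policy
        return next(s["input"] for t, s in secs if t == "zone" and s["name"] == src)
    if any(t == "forwarding" and s["src"] == src and s["dest"] == dst for t, s in secs):
        return "ACCEPT"  # 3. zone-to-zone traffic needs a forwarding entry...
    return next(s["forward"] for t, s in secs if t == "defaults")  # 4. ...else global policy
```

With this config, iotlan cannot initiate anything towards lan, reaches the internet only because of the iotlan-to-wan forwarding, can query the router's DNS but nothing else on it, and only 192.168.10.111 in lan is allowed through to 192.168.22.113.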
GaryDa
December 18, 2023, 5:32am
It's a Linuxmint Machine. Firewall is disabled (UFW inactive).
Applied the above configuration, but still no good. I made sure the iotlan host (Linuxmint) has a static IP lease, firewall not active.
I did make sure I am testing it on the host with IP 192.168.10.111. Still no dice.
Let's review the complete firewall and network config files.
GaryDa
December 18, 2023, 6:19am
Let's review the complete firewall and network config files.
Thanks! Appreciate it if you can please read through.
cat /etc/config/firewall:
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'iotlan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iotlan'

config forwarding
	option src 'iotlan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'iotlan'

config rule
	option name 'IoT_DHCP'
	list proto 'udp'
	option src 'iotlan'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'IoT_DNS'
	option src 'iotlan'
	option dest_port '53'
	option target 'ACCEPT'
cat /etc/config/network:
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd18:096a:92ea::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wwan'
	option proto 'dhcp'

config interface 'iotlan'
	option proto 'static'
	option ipaddr '192.168.22.1'
	option netmask '255.255.255.0'
	option device 'br-iot'

config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'lan2'
I don't see any reason why you wouldn't be able to communicate from lan > iot.
Are there any other hosts/devices on the iot network that you can try pinging and/or connecting to from the lan?
GaryDa
December 18, 2023, 7:57am
Thank you for your feedback!
This made me troubleshoot further, and I found out that a VPN client tunnel was running on my trusted lan host 192.168.10.111. I turned this off, and ping went well. Also configured a granular and restrictive rule, and it worked. Thanks!
Now, if you may, please help further on the VPN issue. I need to turn it back up and running. How should I tell the trusted lan host to allow access to iotlan? I am not sure how to refer to this, but is this called split DNS or something else?
If the vpn is running on the host, you’ll need to find out how to make custom routing rules on that operating system to ensure that it will not send those packets through the tunnel. That is out of scope for this forum in general because it actually has nothing to do with (and can’t be addressed by) openwrt.
But I’m glad you found the issue and that the firewall rules are working as expected.
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!
GaryDa
December 18, 2023, 8:22am
Thanks a mil Peter!
I have marked your answer as solution. Though, I was not able to edit the title to insert the [Solved] prefix.
There is a check mark next to the title indicating that it is solved. So all good there!
system
Closed
December 28, 2023, 8:23am
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.