Regarding 192.168.6.0/23: (on ASUS internet router)
So, the use of a /23 was related to an earlier attempt to redesign all this before I found OpenWrt. It's unnecessarily large, but I'm not changing it for this.
Regarding 192.168.1.0/24 (on openwrt WAN interface)
This lets me relocate the device that is to be isolated without having to change the IP other devices point at (192.168.1.11). That IP is now assigned to the OpenWrt WAN interface.
Regarding 192.168.99.0/24: (on openwrt LAN interface port 1)
I used this to configure OpenWrt initially. I now use the WAN interface to configure it.
Regarding 192.168.98.0/24: (on openwrt IsolatedNet interface)
I need to assign an IP to my isolated device that is NOT in my home network. I chose 192.168.98.0/24 for that isolated network (IsolatedNet), which is assigned on the IsolatedNet interface. I am not a routing person, so I have no idea what is actually appropriate for this. There is only the one device (192.168.98.11), and I am hoping the OpenWrt router can handle routing for it. I chose "98" because it was outside the /20 I had been using for the main home network (and for access to the OpenWrt WAN interface at 192.168.1.11).
You will see lots of disabled rules and routes. I have been trying a lot of stuff. All disabled items/rules can be ignored.
Once I can get the isolated device to reach the internet (ICMP to 8.8.8.8, for example), I can manage the firewall rules from there. That's easier for me to understand; it's the routing that is very foreign to me.
ubus call system board :
{
"kernel": "5.15.137",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 0 (v7l)",
"model": "Asus RT-AC68U (BCM4708)",
"board_name": "asus,rt-ac68u",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.2",
"revision": "r23630-842932a63d",
"target": "bcm53xx/generic",
"description": "OpenWrt 23.05.2 r23630-842932a63d"
}
}
cat /etc/config/network
# /etc/config/network as pasted (UCI indentation was lost in the paste; UCI
# does not depend on it). Three addressed interfaces:
#   lan         br-lan (lan1, lan3)  192.168.99.1/24   original config network
#   wan         wan port             192.168.1.11      upstream ASUS at 192.168.6.1
#   Isolatednet br-Isolated (lan2)   192.168.98.1/24   the isolated device lives here
# Every section with `option disabled '1'` is inactive and, per the author's
# note, can be ignored.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
# NOTE(review): '::::/48' is not a well-formed IPv6 prefix; OpenWrt normally
# generates a random fdxx:xxxx:xxxx::/48 here. IPv6 is disabled on both bridges
# below, so this is probably harmless, but it should be a real prefix or unset.
option ula_prefix '::::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
option ipv6 '0'
list ports 'lan1'
list ports 'lan3'
config interface 'lan'
option device 'br-lan'
option proto 'static'
# ip6assign is set although ipv6 is '0' on br-lan above; harmless but inconsistent.
option ip6assign '60'
list ipaddr '192.168.99.1/24'
config device
option name 'wan'
option macaddr ''
# Upstream-facing interface. 192.168.1.11 is the address the isolated device
# used to have (see the author's notes); the upstream ASUS router is 192.168.6.1.
# No `option dns` is set here, so unless wan6 supplies resolvers the dnsmasq
# resolvfile (/tmp/resolv.conf.d/resolv.conf.auto) may contain no upstream DNS
# servers — worth checking with `cat /tmp/resolv.conf.d/resolv.conf.auto`.
config interface 'wan'
option device 'wan'
option proto 'static'
option ipaddr '192.168.1.11'
# NOTE(review): the addressing here is internally inconsistent. The /16 mask
# makes all of 192.168.0.0/16 a connected network on wan — including the
# 192.168.98.0/24 and 192.168.99.0/24 ranges used on the other two interfaces —
# while the broadcast 192.168.7.255 corresponds to a /21, and the author
# describes the upstream network as a /23 (and elsewhere a /20). Longest-prefix
# match keeps the two /24s working, but the mask should match what the ASUS
# actually uses, and 192.168.6.1 must remain on-link for the gateway to work.
option netmask '255.255.0.0'
option gateway '192.168.6.1'
option broadcast '192.168.7.255'
# IPv6 on the wan side via DHCPv6. Everything else in this config set is
# IPv4-only (ipv6 '0' on the bridges, family 'ipv4' in the firewall zones).
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
option reqaddress 'none'
option reqprefix 'auto'
# The isolated network. Its UCI name is 'Isolatednet' (lower-case n); the
# firewall zone's `list network 'Isolatednet'` matches that spelling, which is
# what matters — UCI names are case-sensitive.
config interface 'Isolatednet'
option proto 'static'
option device 'br-Isolated'
list ipaddr '192.168.98.1/24'
config device
option type 'bridge'
option name 'br-Isolated'
list ports 'lan2'
option ipv6 '0'
# Disabled (leftover from earlier experiments).
config route
option interface 'Isolatednet'
option target '192.168.1.11/32'
option gateway '192.168.99.1'
option metric '0'
option table 'main'
option mtu '1500'
option source '192.168.1.1'
option disabled '1'
# Disabled policy-routing rule (leftover from earlier experiments).
config rule
option priority '30000'
option in 'lan'
option src '192.168.99.0/24'
option out 'Isolatednet'
option dest '192.168.10.0/24'
option lookup 'main'
option disabled '1'
config device
option name 'lan2'
option ipv6 '0'
# acceptlocal enables the accept_local sysctl on lan2 (accept packets whose
# source address is one of the router's own). Presumably another leftover of
# the routing experiments; confirm it is still needed, otherwise remove it.
option acceptlocal '1'
# Active static route to the upstream /23. With the /16 mask on wan this is
# already covered by the connected route; it only starts to matter if the wan
# mask is tightened, and then 192.168.6.1 still has to be on-link.
config route
option interface 'wan'
option target '192.168.6.0/23'
option gateway '192.168.6.1'
# Remaining routes/rules below are all disabled.
config route
option interface 'lan'
option target '192.168.1.11/32'
option gateway '192.168.99.1'
option disabled '1'
config route
option interface 'lan'
option target '192.168.10.1/32'
option gateway '192.168.99.1'
option disabled '1'
config route
option interface 'Isolatednet'
option target '192.168.10.11/32'
option gateway '192.168.10.1'
option disabled '1'
config route
option interface 'lan'
option target '192.168.98.0/24'
option gateway '192.168.98.1'
option disabled '1'
config rule
option in 'lan'
option out 'wan'
option lookup 'main'
option disabled '1'
config device
option name 'lan3'
config device
option name 'lan1'
config rule
option in 'Isolatednet'
option out 'wan'
option lookup 'main'
option disabled '1'
cat /etc/config/dhcp
# /etc/config/dhcp as pasted. dnsmasq serves DNS/DHCP on lan only; the wan side
# is explicitly ignored, and there is no section at all for Isolatednet.
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
# rebind_protection rejects upstream answers that resolve to private (RFC1918)
# addresses. Because the upstream network here is itself 192.168.x.x, any
# internal names the ASUS/home resolver returns would be filtered unless they
# are whitelisted via rebind_domain — keep in mind when debugging DNS later.
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
# Upstream resolvers come from this file; the static wan interface in
# /etc/config/network sets no `option dns`, so verify it is actually populated.
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
# localservice limits DNS answers to queries from directly connected subnets.
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
# DHCP pool on lan: 192.168.99.100–192.168.99.249, 12 h leases.
# dhcpv6/ra are set to 'server' although ipv6 is '0' on br-lan in the network
# config; probably moot, but inconsistent.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
# No DHCP is offered towards the upstream network (correct; the ASUS serves it).
config dhcp 'wan'
option interface 'wan'
option ignore '1'
option start '100'
option limit '150'
option leasetime '12h'
# NOTE(review): there is no `config dhcp 'Isolatednet'` section, so
# 192.168.98.11 must be configured statically on the isolated device, with
# 192.168.98.1 as gateway and a DNS server it can actually reach. A missing or
# wrong gateway/DNS on that device is one of the first things to rule out for
# "cannot reach 8.8.8.8".
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
cat /etc/config/firewall
# /etc/config/firewall as pasted. Zones:
#   lan          192.168.99.0/24   ACCEPT everywhere, masq on (see note)
#   wan          the upstream *home* network (per the author, not the public
#                internet) — ACCEPT everywhere, no masq (see note)
#   IsolatedZone 192.168.98.0/24   DROP everywhere; everything must be allowed
#                explicitly below
# Rules are processed in the order they appear in this file; as far as I know
# fw4 evaluates them before the zone forwardings, which matters for the
# IsolatedZone notes below.
config defaults
# Default policy for traffic not covered by a zone: everything ACCEPT.
# drop_invalid drops packets conntrack cannot classify; synflood_protect rate
# limits SYNs.
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option synflood_protect '1'
option drop_invalid '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option log '1'
option log_limit '10000/minute'
option family 'ipv4'
# NOTE(review): masq '1' on the *lan* zone NATs traffic leaving the router
# towards 192.168.99.0/24 (lan hosts see the router as the source). That is
# unusual; masquerading is normally set on the zone facing the upstream
# network, i.e. the wan zone below, which has none.
option masq '1'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
# NOTE(review): input 'ACCEPT' exposes every service on the router (ssh, web
# UI, DNS, ...) to the whole upstream network; the explicit port 22/443 allow
# rules further down are redundant while this stays ACCEPT. The usual shape is
# input 'REJECT' here plus the specific allow rules.
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option mtu_fix '1'
# NOTE(review): no `option masq '1'` on this zone. Packets from 192.168.98.0/24
# (and 192.168.99.0/24) therefore reach the ASUS with their original source
# addresses, and replies come back only if the ASUS has a route for those
# subnets via 192.168.1.11. Together with the ping-rule note near the end, this
# is the most likely reason the isolated device cannot reach 8.8.8.8: either
# add masq '1' here or add those static routes on the ASUS.
option log '1'
option log_limit '10000/minute'
option family 'ipv4'
config forwarding
option src 'lan'
option dest 'wan'
# Stock OpenWrt rules. The IPv4 ones are active; every IPv6 one has
# `enabled '0'`, consistent with the IPv4-only zones above.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option family 'ipv4'
option enabled '0'
# The isolation zone: DROP in all three directions, so only traffic matched by
# an explicit rule/forwarding/redirect below gets through. This is the right
# starting point for an isolated segment.
config zone
option name 'IsolatedZone'
option input 'DROP'
option output 'DROP'
option forward 'DROP'
list network 'Isolatednet'
option log '1'
option log_limit '10000/minute'
option family 'ipv4'
# Management access to the router from the upstream side. No proto given, so
# it applies to tcp and udp. Redundant while the wan zone's input is ACCEPT,
# but the right thing to keep once that is tightened.
config rule
option name 'firewall ssh access from wan'
option src 'wan'
option dest_port '22'
option target 'ACCEPT'
# NOTE(review): dest is 'lan' but dest_ip 192.168.98.11 lives in IsolatedZone,
# so this rule can never match. It would need `option dest 'IsolatedZone'`;
# as long as the wan->IsolatedZone forwarding below exists it is moot anyway.
config rule
option name 'Permit access to Isolated'
option src '*'
option dest 'lan'
option dest_port '443'
option target 'ACCEPT'
option family 'ipv4'
list dest_ip '192.168.98.11'
list proto 'tcp'
list proto 'udp'
# ICMP from any zone into the isolated network.
config rule
option name 'Permit ICMP to Isolatednet'
list proto 'icmp'
option src '*'
option dest 'IsolatedZone'
option target 'ACCEPT'
option family 'ipv4'
# NOTE(review): this forwarding lets every host on the upstream network reach
# every port on the isolated device, which defeats the DROP policy on
# IsolatedZone and makes the DNAT and ICMP allow entries redundant. If the goal
# is isolation, remove this forwarding and keep only the explicit allow rules
# (optionally narrowed with src_ip to the hosts that need them).
config forwarding
option src 'wan'
option dest 'IsolatedZone'
# DNS towards the 192.168.99.3 server on lan, from any zone (including
# IsolatedZone, since src is '*').
config rule
option name 'Permit DNS to 192.168.99.3'
option src '*'
option dest 'lan'
option dest_port '53'
option target 'ACCEPT'
option family 'ipv4'
list dest_ip '192.168.99.3'
# Redundant with the lan->wan forwarding above.
config rule
option name 'From LAN to internet'
option src 'lan'
option dest 'wan'
option target 'ACCEPT'
# DNAT: port 514 arriving from the wan zone -> 192.168.98.11:514 (tcp and udp).
config redirect
option dest 'IsolatedZone'
option target 'DNAT'
option name 'Isolated syslog'
option family 'ipv4'
option src 'wan'
option src_dport '514'
option dest_ip '192.168.98.11'
option dest_port '514'
list proto 'tcp'
list proto 'udp'
# Full access from the upstream network into 192.168.99.0/24.
config forwarding
option src 'wan'
option dest 'lan'
# dest only, no src: applies to the router's own traffic (output chain) towards
# wan. Redundant with the wan zone's output ACCEPT.
config rule
option name 'From firewall to WAN'
option dest 'wan'
option target 'ACCEPT'
option family 'ipv4'
list proto 'tcp'
list proto 'udp'
list proto 'icmp'
# Same remarks as the ssh rule above: management exposure to the whole upstream
# network, redundant while input is ACCEPT.
config rule
option name 'firewall web access from WAN'
option src 'wan'
option target 'ACCEPT'
option dest_port '443'
# NOTE(review): this rule has src but no dest, so fw4 places it in the *input*
# chain (traffic addressed to the router itself), where a destination of
# 8.8.8.8 can never match. To allow the forwarded ping it needs
# `option dest 'wan'`. As written it does nothing, and the 'block Isolated to
# WAN' rule at the end of this file drops the ping instead. (The NCSI rule just
# below has dest 'wan' and is the correct pattern.)
config rule
option name 'permit Isolated to ping 8.8.8.8'
list proto 'icmp'
option src 'IsolatedZone'
list dest_ip '8.8.8.8'
option target 'ACCEPT'
# Forwarded traffic from the isolated device to one upstream host (presumably
# a connectivity-check endpoint, going by the name).
config rule
option name 'permit Isolated to NCSI'
list proto 'tcp'
list proto 'udp'
list proto 'icmp'
option src 'IsolatedZone'
option dest 'wan'
list dest_ip '13.55.254.36'
option target 'ACCEPT'
# NOTE(review): if rules are evaluated before zone forwardings (as I believe
# fw4 does), the 'block Isolated to WAN' DROP rule at the end of this file
# catches all IsolatedZone->wan traffic before this forwarding is reached, so
# this forwarding is effectively dead and only the explicit ACCEPT rules above
# that DROP get through. That is the safer arrangement for an isolated zone —
# consider removing this forwarding so the allow-list intent is explicit.
config forwarding
option src 'IsolatedZone'
option dest 'wan'
# dest only, no src: this is the router's own traffic towards IsolatedZone
# (output chain), which the zone's output DROP would otherwise block. The name
# suggests device-to-device traffic, which this rule does not cover.
config rule
option name 'Permit Isolatednet to Isolated syslog'
option dest 'IsolatedZone'
option target 'ACCEPT'
# The four DNATs below each expose a service on the isolated device to the
# whole upstream network (SMB on 445 in particular). Only 'Isolated SSH' pins a
# protocol; the others rely on the redirect default (tcp+udp, as far as I
# know) — confirm that is intended. If only specific hosts need these, add
# `option src_ip` to narrow them.
config redirect
option dest 'IsolatedZone'
option target 'DNAT'
option name 'Isolated SMB'
option family 'ipv4'
option src 'wan'
option src_dport '445'
option dest_ip '192.168.98.11'
option dest_port '445'
config redirect
option dest 'IsolatedZone'
option target 'DNAT'
option name 'Isolated web'
option family 'ipv4'
option src 'wan'
option src_dport '54443'
option dest_ip '192.168.98.11'
option dest_port '443'
config redirect
option dest 'IsolatedZone'
option target 'DNAT'
option name 'Isolated SSH'
option family 'ipv4'
list proto 'tcp'
option src 'wan'
option src_dport '54022'
option dest_ip '192.168.98.11'
option dest_port '22'
config redirect
option dest 'IsolatedZone'
option target 'DNAT'
option name 'Isolated Nextcloud'
option family 'ipv4'
option src 'wan'
option src_dport '37685'
option dest_ip '192.168.98.11'
option dest_port '37685'
# Intra-zone forwarding for IsolatedZone.
config rule
option name 'Permit IsolatedNet to IsolatedNet'
option src 'IsolatedZone'
option dest 'IsolatedZone'
option target 'ACCEPT'
# src only, no dest: input chain, i.e. ICMP to the router itself. This is the
# correct use of a src-only rule (compare the 8.8.8.8 rule above).
config rule
option name 'permit IsolatedNet to ping firewall'
list proto 'icmp'
option src 'IsolatedZone'
option target 'ACCEPT'
# DNAT: port 53 arriving from the wan zone -> 192.168.99.3:53.
config redirect
option dest 'lan'
option target 'DNAT'
option name 'WAN to DNS'
option src 'wan'
option src_dport '53'
option dest_ip '192.168.99.3'
option dest_port '53'
# Catch-all: everything IsolatedZone->wan not ACCEPTed by a rule above this
# line is dropped (rules are processed in file order).
config rule
option name 'block Isolated to WAN'
option src 'IsolatedZone'
option dest 'wan'
option target 'DROP'
ifstatus wan | grep address
"ipv4-address": [
"address": "192.168.1.11",
"ipv6-address": [
"ipv4-address": [
"ipv6-address": [