Is my router configuration correct?

Hello

I recently configured my network differently than it was, but I'm terrified that I've configured something wrong and it's working by luck (I have Internet on all devices that need it). I'm posting the configuration to see if someone can help me find any possible errors.

My setup starts with my ISP modem in bridge mode, then I connect it to my router, then I extend the network for the wireless devices via a dumb AP (another router).

It looks like this:

[Diagram]

This is the configuration of my Main Router [OpenWrt 19.07.7]:

/etc/config/network
config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr ''

config interface 'wan'
	option proto 'pppoe'
	option password ''
	option username ''
	list dns '9.9.9.9'
	list dns '149.112.112.112'
	option peerdns '0'
	option delegate '0'
	option ifname 'eth0.2'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr ''

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '0 6t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '10'
	option ports '1 2 6t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '20'
	option ports '3t 6t'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option vid '30'
	option ports '3t 6t'

config switch_vlan
	option device 'switch0'
	option vlan '6'
	option vid '50'
	option ports '3t 6t'

config switch_vlan
	option device 'switch0'
	option vlan '7'
	option vid '60'
	option ports '3t 6t'

config switch_vlan
	option device 'switch0'
	option vlan '8'
	option vid '89'
	option ports '3t 4 6t'

config interface 'MANAGEMENT'
	option ifname 'eth0.89'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.89.1'

config interface 'HOME'
	option ifname 'eth0.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config interface 'WIFI_24'
	option ifname 'eth0.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

config interface 'WIFI_5G'
	option ifname 'eth0.60'
	option proto 'static'
	option ipaddr '192.168.60.1'
	option netmask '255.255.255.0'

config interface 'WIFI_5G_GUEST'
	option ifname 'eth0.50'
	option proto 'static'
	option ipaddr '192.168.50.1'
	option netmask '255.255.255.0'

config interface 'IoT'
	option ifname 'eth0.30'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'

/etc/config/firewall
config zone
	option name 'HOME'
	option forward 'DROP'
	option network 'HOME'
	option output 'ACCEPT'
	option input 'DROP'

config forwarding
	option dest 'wan'
	option src 'HOME'

config zone
	option name 'WIFI_24'
	option input 'DROP'
	option forward 'DROP'
	option network 'WIFI_24'
	option output 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'WIFI_24'

config zone
	option name 'WIFI_5G'
	option input 'DROP'
	option forward 'DROP'
	option network 'WIFI_5G'
	option output 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'WIFI_5G'

config zone
	option name 'WIFI_5G_G'
	option input 'DROP'
	option forward 'DROP'
	option network 'WIFI_5G_GUEST'
	option output 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'WIFI_5G_G'

config zone
	option name 'MANAGEMENT'
	option input 'ACCEPT'
	option forward 'DROP'
	option network 'MANAGEMENT'
	option output 'ACCEPT'

config zone
	option name 'IoT'
	option input 'ACCEPT'
	option forward 'DROP'
	option network 'IoT'
	option output 'ACCEPT'

config rule
	option dest_port '53 67'
	option src 'HOME'
	option name 'Allow [ HOME ] => DHCP / DNS'
	option target 'ACCEPT'

config rule
	option dest_port '53 67'
	option src 'WIFI_24'
	option name 'Allow [ WIFI_24 ] => DHCP / DNS'
	option target 'ACCEPT'

config rule
	option dest_port '53 67'
	option src 'WIFI_5G'
	option name 'Allow [ WIFI_5G ] => DHCP / DNS'
	option target 'ACCEPT'

config rule
	option dest_port '53 67'
	option src 'WIFI_5G_G'
	option name 'Allow [ WIFI_5G_GUEST ] => DHCP / DNS'
	option target 'ACCEPT'

config rule
	option dest_port '80 443'
	option src 'wan'
	option name 'Disable HTTP WAN'
	option target 'DROP'

config rule
	option dest_port '22'
	option src 'wan'
	option name 'Disable SSH WAN'
	option target 'DROP'

config zone
	option name 'WIFI_IOT'
	option input 'ACCEPT'
	option forward 'DROP'
	option network 'WIFI_24 WIFI_5G'
	option output 'ACCEPT'

config forwarding
	option dest 'IoT'
	option src 'WIFI_IOT'

config rule
	option dest_port '53 67'
	option src 'IoT'
	option name 'Allow [ IoT ] => DHCP / DNS'
	option target 'ACCEPT'


VLAN 89 => Management for both routers, Main and Dumb AP.

This is the configuration for my Dumb AP [OpenWrt 19.07.7]:

/etc/config/network
config interface 'lan'
	option ifname 'eth1.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.100.2'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 4t'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4t 6t'
	option vid '20'

config interface 'WIFI_24'
	option ifname 'eth0.20'
	option proto 'none'
	option type 'bridge'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '89'
	option ports '0t 4t 5'

config interface 'MANAGEMENT'
	option ifname 'eth1.89'
	option proto 'dhcp'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '30'
	option ports '4t 6t'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option vid '50'
	option ports '0t 4t'

config switch_vlan
	option device 'switch0'
	option vlan '6'
	option vid '60'
	option ports '0t 4t'

config interface 'WIFI_5G'
	option ifname 'eth1.60'
	option proto 'none'
	option type 'bridge'

config interface 'IoT'
	option ifname 'eth0.30'
	option proto 'none'
	option type 'bridge'

config interface 'WIFI_5G_G'
	option proto 'none'
	option ifname 'eth1.50'
	option type 'bridge'

/etc/config/wireless
config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option network 'WIFI_5G'
	option encryption ''
	option ssid ''
	option key ''

config wifi-iface 'wifinet3'
	option encryption ''
	option device 'radio0'
	option mode 'ap'
	option network 'WIFI_5G_G'
	option ssid ''
	option key ''

config wifi-iface 'wifinet2'
	option ssid ''
	option encryption ''
	option device 'radio1'
	option mode 'ap'
	option network 'WIFI_24'
	option key ''

config wifi-iface 'wifinet4'
	option ssid ''
	option encryption ''
	option device 'radio1'
	option mode 'ap'
	option network 'IoT'
	option key ''
	option hidden '1'

Any help/criticism would be really appreciated (because I don't know if I need to do something else).

Thanks

You have declared some zones twice. For example on the main router:

config zone
	option name 'WIFI_5G'
...
	option network 'WIFI_5G'
...

config zone
	option name 'WIFI_IOT'
...
	option network 'WIFI_24 WIFI_5G'
...

I don't see the wan zone; most likely you didn't copy-paste it. But by default it has INPUT set to reject, so the "Disable HTTP/SSH WAN" rules are needless.
Other than that, the dumb AP doesn't have much to be inspected, as long as it works.

This is the WAN zone:

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'
	option input 'DROP'
	option forward 'DROP'

I was worried about the gateway; I was also reading your answer here: Help needed understanding Masquerading option.
Like "Andy1", I'm confused as well about the "Masquerading option". Are my routes in the main router OK? I ask this because I have "drop" input on almost all interfaces, and I access the router by connecting my Ethernet cable to eth4 of the main router.

The gateway, the routes, and the masquerade look fine.

I don't see how this is connected to the routes. Firewall settings are a bit strict for a home user, and most likely you forgot to change the input in WIFI_IOT, but it's up to you how locked down the router will be.
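As an added example that is not part of this thread (neither the poster's files nor an OpenWrt tool), here is a small Python checker for the UCI firewall syntax posted above. It reports the three points the replies raise: an interface listed in more than one zone, a rule that only repeats the zone's INPUT policy (the "Disable SSH WAN" case), and any zone that accepts INPUT to the router. The excerpt it runs on is constructed from the posted zones, trimmed to the relevant options.

```python
import re
from collections import defaultdict

# Constructed excerpt in the same UCI syntax as the posted /etc/config/firewall
SAMPLE = """\
config zone
	option name 'wan'
	option input 'DROP'
	option network 'wan'
config zone
	option name 'WIFI_5G'
	option input 'DROP'
	option network 'WIFI_5G'
config zone
	option name 'WIFI_IOT'
	option input 'ACCEPT'
	option network 'WIFI_24 WIFI_5G'
config rule
	option dest_port '22'
	option src 'wan'
	option target 'DROP'
"""

def parse_uci(text):
    # Returns [(section_type, {option: value}), ...] in file order
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*(config|option)\s+(\S+)(?:\s+'([^']*)')?", line)
        if m and m.group(1) == "config":
            sections.append((m.group(2), {}))
        elif m and sections:
            sections[-1][1][m.group(2)] = m.group(3) or ""
    return sections

def audit(text):
    # Findings: shared zone membership, open INPUT, rules that repeat zone policy
    sections = parse_uci(text)
    zones = [o for t, o in sections if t == "zone"]
    rules = [o for t, o in sections if t == "rule"]
    input_policy = {z.get("name"): z.get("input") for z in zones}
    owners = defaultdict(list)          # network -> zones that claim it
    for z in zones:
        for net in z.get("network", "").split():
            owners[net].append(z.get("name"))
    findings = [f"network {n} is in several zones: {' '.join(z)}"
                for n, z in owners.items() if len(z) > 1]
    findings += [f"zone {z.get('name')} accepts INPUT to the router"
                 for z in zones if z.get("input") == "ACCEPT"]
    # A rule with no 'dest' acts on INPUT; matching the zone's INPUT policy changes nothing
    findings += [f"rule from {r.get('src')} to port {r.get('dest_port')} repeats zone policy"
                 for r in rules if "dest" not in r
                 and r.get("target") == input_policy.get(r.get("src"))]
    return findings
```

On a live router the same text comes from `cat /etc/config/firewall`, so the checker can be fed the real file instead of the constructed excerpt.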
