Isolate Guest/IOT on a single-port AP

After having solved my previous problem (thanks to massive help from a great user here), I wanted to try a different approach (without VLAN), just to become more familiar with openwrt.

After another many hours I seem to have failed again.

OpenWRT 23.05.5 on an AP with just one WAN-Port.

What I want to achieve:

Wlan "w1" should have access to everything on the LAN
Wlan "w2" should have access to the internet and ONE device on the LAN (e.g. 192.168.0.10), nothing else. Ideally it should use on-device DHCP

w1 always works, no trouble here.
But I tried so many things to get w2 running as intended, and the best I managed so far was being able to connect to the AP (with the correct IP range and DNS from the DHCP) but no internet and nothing else on the LAN.
OR not being able to connect at all, OR just having the same access as w1.

Hereby I officially declare defeat and beg for help :slight_smile:
Thanks for your time and input in advance!

This is my current naked setup:

Network-config
# Loopback interface, stock OpenWrt.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# IPv6 ULA prefix from which 'ip6assign' below carves the lan prefix.
config globals 'globals'
	option ula_prefix 'fd2e:d770:d31b::/48'

# br-lan holds the device's only ethernet port (eth0). No 'wan' interface
# is defined anywhere in this file: the AP hangs off the upstream LAN via
# this single port, so the firewall's wan zone (members 'wan'/'wan6') has
# nothing attached to it on this device.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

# Static address on the upstream 192.168.0.0/24 LAN. Default route and DNS
# point at the upstream router (192.168.0.1) and two LAN-side resolvers.
# The AP itself answers on 192.168.0.252 - relevant for any firewall zone
# whose 'input' policy is ACCEPT, since that exposes SSH/LuCI on this address.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.0.252'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.0.1'
	option broadcast '192.168.0.255'
	list dns '192.168.0.2'
	list dns '192.168.0.3'
Wireless-config
# 2.4 GHz radio; the 'w2' SSID (wifinet1) is bound to it.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wifi'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option cell_density '0'

# 5 GHz radio; carries the 'w1' SSID (wifinet0).
config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/18000000.wifi+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'

# 'w1' is bridged straight into 'lan': its clients sit on the upstream
# 192.168.0.0/24 LAN and nothing on this AP filters them.
# NOTE(review): in OpenWrt 'psk' selects WPA(1)-PSK; 'psk2' (WPA2) or
# 'sae'/'sae-mixed' (WPA3) are the values for a real deployment, and
# 'testtest' is a minimum-length placeholder key that must be replaced.
config wifi-iface 'wifinet0'
	option device 'radio1'
	option mode 'ap'
	option ssid 'w1'
	option encryption 'psk'
	option key 'testtest'
	option network 'lan'

# 'w2' has no 'option network', so this SSID is attached to no interface,
# no DHCP pool and no firewall zone: clients can associate but have nowhere
# to go. The accepted reply below attaches it to a new 'w2' network.
# Same encryption caveat as w1. For a guest/IoT SSID also consider
# 'option isolate '1'' so w2 clients cannot reach each other through the AP.
config wifi-iface 'wifinet1'
	option device 'radio0'
	option mode 'ap'
	option ssid 'w2'
	option encryption 'psk'
	option key 'testtest' 
DHCP-config
# dnsmasq (DNS + DHCPv4) global settings; these are the stock values.
# Two of them matter for a network that will serve guest/IoT clients:
# localservice '1' makes dnsmasq answer DNS only for directly attached
# subnets, and rebind_protection '1' discards upstream answers that point
# into private address space. Keep both.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

# DHCP on lan is disabled (ignore '1'): the upstream router serves
# 192.168.0.0/24. The dhcpv6/ra 'server' options are still present;
# NOTE(review): confirm that odhcpd also honours 'ignore' here, otherwise
# the AP may keep sending router advertisements onto br-lan.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'

# There is no 'wan' interface in the network config; this section is inert.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# odhcpd (DHCPv6 / RA) settings, stock values; maindhcp '0' leaves DHCPv4
# to dnsmasq.
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4' 
Firewall-config
# Global policy (stock): anything not matched by a zone or rule is rejected
# on input and forward and allowed on output.
config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

# lan zone, fully open. input ACCEPT means the AP's own services (SSH, LuCI
# on 192.168.0.252) are reachable from anything on 192.168.0.0/24, which
# includes every w1 client.
config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

# wan zone, stock definition. Its member networks 'wan' and 'wan6' are not
# defined in this device's network config, so this zone - and every rule
# below with 'src wan' - currently matches nothing. Harmless, but it also
# means the wan zone provides no protection here; the upstream router does.
config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

# Stock lan -> wan forwarding; inert on this AP for the same reason.
config forwarding
	option src		lan
	option dest		wan

# The rules from here to Allow-ISAKMP are OpenWrt's stock set of things
# allowed in from the wan zone. All of them carry 'src wan'; since that zone
# has no member network on this AP they match nothing today. Those with a
# 'dest' (Allow-ICMPv6-Forward, Allow-IPSec-ESP, Allow-ISAKMP) act on the
# forward chain, the rest on input.

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

# Multicast Listener Discovery from link-local sources only (src_ip fe80::/10).
config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
# (rate-limited to 1000/sec by 'option limit').
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
# ('dest *' = any zone, so this is a forward-chain rule).
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# IPsec ESP forwarded from wan into lan.
config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

# IKE (udp/500) forwarded from wan into lan.
config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option dest		wan
#	option proto	tcp
#	option target	REJECT

# block a specific mac on wan
#config rule
#	option dest		wan
#	option src_mac	00:11:22:33:44:66
#	option target	REJECT

# block incoming ICMP traffic on a zone
#config rule
#	option src		lan
#	option proto	ICMP
#	option target	DROP

# port redirect port coming in on wan to lan
#config redirect
#	option src			wan
#	option src_dport	80
#	option dest			lan
#	option dest_ip		192.168.16.235
#	option dest_port	80
#	option proto		tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#	option src		wan
#	option src_dport	22001
#	option dest		lan
#	option dest_port	22
#	option proto		tcp

### FULL CONFIG SECTIONS
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port	80
#	option dest		wan
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp
#	option target	REJECT

#config redirect
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port		1024
#	option src_dport	80
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp 

Should be pretty simple. But to clarify...

  • This device appears to have a single ethernet port. That port is being used as a lan port. Can you confirm that this is correct?

  • You have an upstream router. This is simply a bridged AP. Correct?

  • Is your intent to form these new networks by using this device as a bridged-AP that performs its own routing for w1 and w2 networks? In other words, these networks are not handled by the upstream router (via ethernet and VLANs), but instead they will be strictly controlled locally on this device. Is this all correct?

  • Finally, is w1 a distinctly different network than the current lan (192.168.0.1)?


Thanks :slight_smile:

Yes

It should be yes. The router is the gateway, and both (and all else) are connected to a switch.

Yes, I think. The AP should handle everything that leaves it. Router is dumb and switch won't interfere either. Basically W2 should be able to use the gateway and one single IP on the LAN and be isolated from the rest.

Nope. Whole lan is just 192.168.0.0/24.

Ok... simple.

Create a new bridge and network:

# Bridge for the w2 SSID. bridge_empty '1' lets it come up with no wired
# ports; the wireless interface joins it once wifinet1 gets
# 'option network 'w2'' (the last step of this reply).
config device
	option name 'br-w2'
	option type 'bridge'
	option bridge_empty '1'

# w2 gets its own subnet, 192.168.2.0/24, with the AP as its router at .1.
# The separate subnet is what makes filtering possible at all: w2 traffic to
# the LAN must be routed through this device, where the firewall applies.
# Devices sharing w1's subnet are bridged, not routed, and cannot be filtered.
# No gateway is set here; the AP's default route from 'lan' (192.168.0.1)
# is used for everything not local.
config interface 'w2'
	option device 'br-w2'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

Now make a new DHCP server:

# DHCPv4 pool for w2, served by dnsmasq on this AP: 150 addresses starting
# at offset 100 (192.168.2.100-192.168.2.249), 12h leases. No dhcpv6/ra
# options, so w2 stays IPv4-only unless they are added.
config dhcp 'w2'
	option interface 'w2'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

Create a new firewall zone (if you want it to be more restrictive, let me know) and forwarding to lan:

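# Zone for the isolated w2 network. 'input' is REJECT so that w2 clients
# cannot reach the AP itself (SSH/LuCI on 192.168.2.1 or 192.168.0.252) -
# with input ACCEPT the AP would be an extra "device on the LAN" reachable
# from the network that is supposed to be isolated. The two rules that
# follow re-open only what the clients need from the AP: DHCP and DNS.
config zone
	option name		'w2'
	list   network		'w2'
	option input		'REJECT'
	option output		'ACCEPT'
	option forward		'ACCEPT'

# DHCP requests from w2 clients to the AP's dnsmasq (the 'w2' dhcp section).
# Required because the zone's input policy is REJECT.
config rule
	option name		'Allow-DHCP-w2'
	option src		'w2'
	option proto		'udp'
	option dest_port	'67'
	option family		'ipv4'
	option target		'ACCEPT'

# DNS queries from w2 clients to the resolver on this AP.
config rule
	option name		'Allow-DNS-w2'
	option src		'w2'
	option proto		'tcp udp'
	option dest_port	'53'
	option target		'ACCEPT'

# w2 -> lan forwarding. What is actually reachable on lan is narrowed by
# the ACCEPT/REJECT rules in the next step; everything else routed via
# lan (the internet through 192.168.0.1) is allowed.
config forwarding
	option src		'w2'
	option dest		'lan'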

Add restrictions to the w2 zone, allowing the single host as mentioned earlier:

# Rule order is significant: the first match wins. This ACCEPT for the one
# permitted host must stay above the /24 REJECT that follows it.
config rule
	option src		'w2'
	option dest		'lan'
	option dest_ip	'192.168.0.10'
	option proto	'all'
	option target	'ACCEPT'

# Everything else from w2 into 192.168.0.0/24 is refused. Two things this
# rule does not cover: (1) packets addressed to the AP's own addresses
# (192.168.2.1, 192.168.0.252) go through the w2 zone's 'input' policy, not
# this forward rule, so that policy decides whether w2 can reach SSH/LuCI;
# (2) destinations outside 192.168.0.0/24 - the internet, but equally any
# other subnet the upstream router routes - are still allowed by the
# w2 -> lan forwarding.
config rule
	option src		'w2'
	option dest		'lan'
	option dest_ip	'192.168.0.0/24'
	option proto	'all'
	option target	'REJECT'

And importantly enable masquerading on the lan firewall zone:

# This replaces the existing lan zone definition (do not add a second zone
# named lan). masq '1' rewrites the source of traffic forwarded out through
# br-lan to 192.168.0.252, which is what makes replies come back: the
# upstream router has no route to 192.168.2.0/24. Side effect: the router
# and 192.168.0.10 see every w2 client as 192.168.0.252, so per-device
# identification, logging or filtering upstream is not possible - it has to
# be done on this AP.
config zone
	option name		lan
	list   network		'lan'
	option input		'ACCEPT'
	option output		'ACCEPT'
	option forward		'ACCEPT'
	option masq		'1'

And then the last thing is to create a new SSID with network w2. Reboot and test. If it doesn't work, post the updated configs for review.


Damn, this did it ad hoc. I have no clue what I did wrong all the time, as your way didn't seem any different. But it works. THANKS A LOT! :smile:

Would it also be possible to have w2 on the same subnet? I sadly have some silly devices that are fixed on 192.168.0.0/24. Just changing the interfaces ip did not work.

That is the definition of w1, is it not? But no, w1 and w2 must be on different subnets or w2 won’t work at all.

You could change the upstream lan subnet and then set w2 with the 192.168.0.0/24 subnet. Or, figure out how to reset those devices, or just put them on w1.

But anything that is on the same subnet as w1 cannot be filtered. Only the devices on w2 can be filtered such that they can only reach specified hosts on w1.


I suspected that. Sadly so. Guess the best approach then is to somehow bring those things into w2 or just stop the hassles and buy new ones.

Thanks again for your help, it was very much appreciated!

