Lenovo m920q + 4port NIC x86 baremetal build

Greetings,
Posting for the first time here, but I've been reading around for a long time. I am going to try to list as many details from my build and the problems along the way as possible, as it might help newbies like me.

Finally got around to trying to build a replacement for my TP-Link AC1750 that's been running OpenWrt for a couple of years now.

The replacement, as the title suggests, is a Lenovo m920q mini PC (i5-8500T + 8GB RAM) with a PCIe 4-port 2.5Gig (Intel) expansion card from AliExpress.

So far so good, managed to install 23.05.2 on the NVMe and expand the disk space.

I want to tackle the problems one by one and hopefully this will generate a guide for other enthusiasts.

First objective now is to set up a second network for my two IP PoE cameras. How should I set this up so that the cameras can only be accessed from my NAS/LAN, using a VPN to tunnel back in when I am not home?
So far I went to Network > Interfaces and created a new interface with a static address (that is not on the same subnet as my LAN; I don't know if that's right or not?). Under device I set up eth2 (this is port 2 of my 4-port NIC).


Haven't set up any DNS as the cameras aren't going to go out to the internet (hope that's the right choice).
I created a custom firewall:

For covered devices I have selected eth2.
And since there are only two devices and the unmanaged PoE switch that are going to return to this port (not even sure if the switch needs an IP, probably not), I set up the DHCP server as start=100/limit=103.
Now the plan is that in this port (eth2) i will connect an unmanaged PoE switch that will power two PoE IP cameras.
After setup I tried connecting the switch to the port and one camera to the switch, but nothing happened.
So I suppose I am doing something wrong, but not sure what?
Also tried to plug the PoE switch with the camera into my LAN and it immediately got recognized by my router, as it issued an IP for the camera.

Any idea what am I doing wrong with setting up this camera interface?

More accurately, the unmanaged switch cannot have an IP. It has no ability to be configured to use an address and no reason to -- it's unmanaged (meaning that there's nothing at all to configure).

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

You need a DHCP server on the camera network, or set static IPs in the cameras. Since the DHCP server is a router service, and input to the router is generally blocked on the camera zone (which is the right thing to do), add a rule allowing DHCP (port 67 UDP) from the camera zone.

Then you will probably want to set up DHCP reservations so the cameras are certain to always have the same particular addresses.


Hello,

        "kernel": "5.15.137",
        "hostname": "OpenWrt",
        "system": "Intel(R) Core(TM) i5-8500T CPU @ 2.10GHz",
        "model": "LENOVO 10RRS0CX2J",
        "board_name": "lenovo-10rrs0cx2j",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "x86/64",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"

Network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxx'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.x.101'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '192.168.x.1'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config interface 'SCAM'
        option proto 'static'
        option device 'eth2'
        list ipaddr '192.168.y.1'
        list ipaddr '255.255.255.0'

config interface 'IOT'
        option proto 'static'
        list ipaddr '192.168.z.1/32'
        list ipaddr '255.255.255.0'

dhcp:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option dynamicdhcp '0'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'SCAM'
        option interface 'SCAM'
        option start '100'
        option limit '103'
        option leasetime '12h'

firewall:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port 'xxx'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port 'xxx'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'xxx'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port 'xxx'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'SCAM'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'SCAM'
        list device 'eth2'

config forwarding
        option src 'SCAM'
        option dest 'lan'

config zone
        option name 'IOT'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IOT'

Really hope I didn't list anything I didn't have to :upside_down_face:

There is no need to redact RFC1918 addresses. They do not reveal anything sensitive about your network.

Your DHCP server is fine, but it has a total of 103 addresses that it will lease (100-202).

If you want to have only 3 leases, set the limit to 3.

Your firewall zone for SCAM has a few minor things:

Remove the device from above.
Since you are rejecting input, you must allow DHCP explicitly. Add this rule

config rule
	option name 'Allow-SCAM DHCP'
	option src 'SCAM'
	option dest_port '67-68'
	option target 'ACCEPT'

If your cameras require anything else (DNS, NTP, internet access in general), you will need to accommodate those things, but from an OpenWrt standpoint, that is not required.

Make those changes, reboot, and test again.

I think what you're looking for is option netmask with the second line, but if you use CIDR (slash) notation only one line is needed:
option ipaddr '192.168.5.1/24'

or the old way:
option ipaddr '192.168.5.1'
option netmask '255.255.255.0'

Only one ipaddr can be in an interface block-- it is an option not a list. (Alias interfaces can be used to place more than one IP address on a kernel interface, but that is for special applications, like reaching the configuration GUI of a cable modem on the same port as the Internet)

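The three problems raised in the last two replies (a netmask typed as a second ipaddr, the real size of a start/limit DHCP pool, and a REJECT zone with no rule letting DHCP in) are all visible in the three UCI files, so they can be checked before rebooting and re-plugging the camera. The script below is an added example written for this page; it is not from the thread or from OpenWrt. It flattens /etc/config/network, /etc/config/dhcp and /etc/config/firewall with awk and reports those conditions. The file name uci_lint.sh, the message wording and the cut-down sample configs in demo() are mine (the samples mirror the first config posted above).

```shell
#!/bin/sh
# Added example, not from the thread or from OpenWrt itself: an offline lint for
# /etc/config/network, /etc/config/dhcp and /etc/config/firewall that catches the
# three mistakes discussed above, using only POSIX sh/awk (busybox is enough):
#   sh uci_lint.sh /etc/config/network /etc/config/dhcp /etc/config/firewall
#   - an interface whose netmask was typed as a second "list ipaddr", whose
#     ipaddr has neither a CIDR prefix nor "option netmask", or whose prefix
#     is /32 (one host, not a LAN);
#   - the real range of each DHCP pool, start .. start+limit-1;
#   - a zone dnsmasq serves DHCP on, with input REJECT/DROP and no rule
#     accepting UDP/67 from that zone (clients never get a lease).

# Flatten one UCI file to "<type> <section> <key> <value>" lines;
# unnamed sections get a synthetic name such as zone#2.
uci_flat() {
  awk -v q="'" '
    { gsub(q, "") }                                       # strip the quotes around values
    $1 == "config" { type = $2; sec = (NF >= 3) ? $3 : sprintf("%s#%d", type, ++anon[type]); next }
    $1 == "option" || $1 == "list" {
      v = $3; for (i = 4; i <= NF; i++) v = v " " $i     # keep values containing spaces
      print type, sec, $2, v
    }' "$1"
}

# uci_lint NETWORK_FILE DHCP_FILE FIREWALL_FILE -> one finding per line
uci_lint() {
  { uci_flat "$1"; uci_flat "$2"; uci_flat "$3"; } | awk '
    function has67(p,   n, a, i, r) {                    # does a dest_port spec cover 67?
      n = split(p, a, " ")
      for (i = 1; i <= n; i++)
        if (split(a[i], r, "-") == 2) { if (r[1] + 0 <= 67 && 67 <= r[2] + 0) return 1 }
        else if (a[i] + 0 == 67) return 1
      return 0
    }
    $1 == "interface" && $3 == "ipaddr"  { ips[$2] = ips[$2] " " $4 }
    $1 == "interface" && $3 == "netmask" { mask[$2] = $4 }
    $1 == "dhcp" && $3 == "interface"    { dsec[$2] = $4 }
    $1 == "dhcp" && $3 == "ignore"       { if ($4 == "1") ign[$2] = 1 }
    $1 == "dhcp" && $3 == "start"        { start[$2] = $4 }
    $1 == "dhcp" && $3 == "limit"        { limit[$2] = $4 }
    $1 == "defaults" && $3 == "input"    { definput = $4 }
    $1 == "zone" && $3 == "name"         { zname[$2] = $4 }
    $1 == "zone" && $3 == "input"        { zin[$2] = $4 }
    $1 == "zone" && $3 == "network"      { znet[$2] = znet[$2] " " $4 }
    $1 == "rule" && $3 == "src"          { rsrc[$2] = $4 }
    $1 == "rule" && $3 == "dest"         { rdest[$2] = 1 }
    $1 == "rule" && $3 == "proto"        { rproto[$2] = $4 }
    $1 == "rule" && $3 == "dest_port"    { rport[$2] = $4 }
    $1 == "rule" && $3 == "target"       { rtgt[$2] = $4 }
    END {
      for (i in ips) {                                   # 1. address/netmask mistakes
        n = split(ips[i], a, " ")
        for (k = 1; k <= n; k++) if (a[k] ~ /^255\./) {
          print i ": netmask " a[k] " typed as a second ipaddr; use option netmask or CIDR"
          mask[i] = a[k]
        }
        for (k = 1; k <= n; k++) {
          if (a[k] ~ /^255\./) continue
          if (a[k] ~ /\/32$/) print i ": " a[k] " is a /32 (one host); a LAN needs a larger prefix such as /24"
          else if (a[k] !~ /\// && !(i in mask)) print i ": " a[k] " has neither a CIDR prefix nor option netmask"
        }
      }
      for (d in dsec) {                                  # 2. real pool size per served interface
        if (d in ign) continue
        served[dsec[d]] = 1
        if ((d in start) && (d in limit))
          print dsec[d] ": DHCP pool is host offsets " start[d] "-" (start[d] + limit[d] - 1) " (" limit[d] " addresses)"
      }
      for (r in rsrc)                                    # 3. INPUT rules (no dest) accepting UDP/67
        if (rtgt[r] == "ACCEPT" && !(r in rdest) && has67(rport[r]) && (!(r in rproto) || rproto[r] ~ /udp/))
          dhcpok[rsrc[r]] = 1
      for (z in zname) {
        inp = (z in zin) ? zin[z] : definput
        if (inp == "ACCEPT" || (zname[z] in dhcpok)) continue
        n = split(znet[z], a, " ")
        for (k = 1; k <= n; k++) if (a[k] in served)
          print zname[z] ": input " inp " and no rule accepting UDP/67 from this zone; DHCP clients on " a[k] " get no lease"
      }
    }' | sort
}

# Constructed sample files, cut down from the first configs posted in the thread.
demo() {
  t=$(mktemp -d) || return 1
  printf '%s\n' "config interface 'lan'" "  option ipaddr '192.168.65.101'" "  option netmask '255.255.255.0'" \
    "config interface 'SCAM'" "  option device 'eth2'" "  list ipaddr '192.168.75.1'" "  list ipaddr '255.255.255.0'" \
    "config interface 'IOT'" "  list ipaddr '192.168.85.1/32'" > "$t/network"
  printf '%s\n' "config dhcp 'lan'" "  option interface 'lan'" "  option start '100'" "  option limit '150'" \
    "config dhcp 'wan'" "  option interface 'wan'" "  option ignore '1'" \
    "config dhcp 'SCAM'" "  option interface 'SCAM'" "  option start '100'" "  option limit '103'" > "$t/dhcp"
  printf '%s\n' "config defaults" "  option input 'REJECT'" \
    "config zone" "  option name 'lan'" "  list network 'lan'" "  option input 'ACCEPT'" \
    "config zone" "  option name 'SCAM'" "  option input 'REJECT'" "  list network 'SCAM'" > "$t/firewall"
  uci_lint "$t/network" "$t/dhcp" "$t/firewall"
  rm -rf "$t"
}

case $# in 3) uci_lint "$@" ;; 1) [ "$1" = demo ] && demo ;; esac
```

`sh uci_lint.sh demo` runs it over the built-in samples; on the router, pass the three real files. The DHCP check only considers INPUT rules (no `dest`) with target ACCEPT whose `dest_port` covers 67 and whose `proto` is unset or includes udp, which is exactly the shape of the rule recommended above; it does not look at `family` or `enabled`, so a disabled rule would still count as present.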

Did the changes, honestly not sure how to test if the camera is connected without internet to it.
I guess testing for the cam interface will have to continue after I deploy it as a main router.

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port 'xxx'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'xxx'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-SCAM DHCP'
        option src 'SCAM'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'SCAM'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'SCAM'

config forwarding
        option src 'SCAM'
        option dest 'lan'

config zone
        option name 'IOT'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IOT'

I understand what I did wrong; I removed the second IPv4 addresses.

I got ahead of myself with the IOT network; first I need to configure a second interface for WLAN, for port eth4 I guess, and read up on how I can deploy a TP-Link router set to AP mode (with stock TP-Link firmware) as an AP.

We can tell you what will happen based on viewing the complete config.

The firewall doesn't appear to have been adjusted per my recommendation (you'll need to allow DHCP). You didn't post the network and dhcp files, so we cannot verify that those are correct. Please post and we'll review.

Just to comment upon this, you're only hurting yourself by being too restrictive here, without actually deterring a potential attacker (who'll just set a static IP and can do whatever they want). My suggestion would be to keep the limit at its default value (or at the very least ~10 more than you need right now), just to keep things working nicely. Think about it, you may only have 3 cameras, but you surely want to confirm that everything is working fine with your notebook (fourth), what about the next two cameras you may add in a couple of months - debugging (and that might very well take a couple of hours, before you realize the real issue) small issues like that can take all the fun out of it.

(and yes, I realize that the current setting is -unconventional- but fine)


I agree with @slh.

A small DHCP pool doesn't actually change anything from a security standpoint, it just makes life a bit more difficult when you do need to have more devices on the network (for testing or normal use). I should have clarified that...

^^^ This should have been my primary point... reason I mentioned this was actually because the OP might have otherwise been confused when the DHCP leases were outside the 100-103 range that they probably would have expected.


Sorry, only have a couple of hours after work to tinker with this project.

This is the current config:
Network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxx'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.65.101'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '192.168.65.1'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config interface 'SCAM'
        option proto 'static'
        option device 'eth2'
        list ipaddr '192.168.75.1'

config interface 'IOT'
        option proto 'static'
        list ipaddr '192.168.85.1/32'

dhcp:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option dynamicdhcp '0'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'SCAM'
        option interface 'SCAM'
        option start '100'
        option limit '103'
        option leasetime '12h'
        option ignore '1'
        option dynamicdhcp '0'

firewall:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'xxx'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-SCAM DHCP'
        option src 'SCAM'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'SCAM'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'SCAM'

config forwarding
        option src 'SCAM'
        option dest 'lan'

config zone
        option name 'IOT'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IOT'

Any advice on testing the camera interface without any internet to the lenovo?
Currently eth2 is hooked up to a PoE switch and I have one camera hooked to the switch.

Also, the next step would be to prepare a port for an AP. Should I extend the LAN to an additional port, or should I create an additional interface for this? What would be the more secure option? The wireless network will have to have at least 3 networks: main, guest and IOT. Preferably the main should have access to my LAN so it can access the NAS; the other two will just go to WAN. I know VLANs are going to be needed here; are those to be created on the x86 Lenovo or on the AP that I hook up to it? The AP that I'm planning to use is a TP-Link WiFi 6 router (that I was planning to use with the stock firmware)... if possible?
I tried to find some guides on this today but all I found were openwrt devices running in dumb AP mode.

The SCAM network is missing a subnet mask (or CIDR size):

The quick fix is:

config interface 'SCAM'
        option proto 'static'
        option device 'eth2'
        list ipaddr '192.168.75.1/24'

I'm not sure why you have this interface set to ignore... remove that line if you want to have a functional DHCP server on the SCAM network. Also, remove the last line entirely.

The firewall does not currently allow for devices on the SCAM network to get an address via DHCP. To reduce variables, I'd recommend changing the SCAM firewall zone input rule to ACCEPT -- this can be temporary (and locked down later), but it's the fastest way to get this running.

As it stands now, you'll have access from the SCAM network to the lan, but not the other way around. No other access to/from SCAM to any other network is available in any direction.

That depends on what you want to achieve. And is the above description what you want?

Based on your description, this will be a port -- you'll need to setup bridges for this to work. We'll get there later.... let's concentrate on your SCAM network first.

done:

config interface 'SCAM'
        option proto 'static'
        option device 'eth2'
        list ipaddr '192.168.75.1/24'

done:

config dhcp 'SCAM'
        option interface 'SCAM'
        option start '100'
        option limit '103'
        option leasetime '12h'

The goal is to have the cameras on this interface; they should be able to talk to the Synology NAS that will be on the LAN. I don't want the cameras to talk to the internet or to their manufacturer's servers. They need to be connected to the Surveillance Station on the Synology, and if I want to view footage or a live stream I'll be connecting to the LAN via something like OpenVPN.

Ok... based on your goal, the network should now function as you want...

You can plug a computer into the SCAM network and you should get an IP address in the 192.168.75.0/24 network (assuming you made the firewall change I recommended). You will (currently) be able to reach the router, and you will be able to reach the lan. The internet will be unreachable.

Go ahead and test/confirm that and let me know if that's working as expected.

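Testing the SCAM network without any internet on the box is easier than it looks, because the DHCP exchange itself is the evidence: dnsmasq logs each DISCOVER/OFFER/REQUEST/ACK with the interface name in parentheses, and `logread` shows those lines. The helper below is an added example written for this page (not from the thread or from OpenWrt); it classifies the logread output for one interface into "lease", "no-offer" or "silent". The file name dhcp_check.sh is mine, and the log excerpt in sample_log() is constructed in dnsmasq's format with invented MAC addresses and hostname.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenWrt: classify the DHCP exchange
# dnsmasq logged for one interface. On the router:
#   logread -e dnsmasq-dhcp | sh dhcp_check.sh eth2
# Output is one line:
#   lease IP MAC HOSTNAME  the client got DHCPACK; next, ping it from the lan to
#                          confirm the SCAM->lan forwarding works
#   no-offer MAC           dnsmasq saw a DISCOVER but never acked; read the
#                          dnsmasq-dhcp lines just before it for the reason
#                          (for example "no address range available")
#   silent                 no DHCP packet from that interface reached dnsmasq.
#                          With input REJECT on the zone and no UDP/67 rule this
#                          is what you see; also what you see with no link on the
#                          PoE switch (check: ip link show eth2)

dhcp_lease_state() {          # usage: dhcp_lease_state IFACE < logread-output
  awk -v ifc="$1" '
    index($0, "dnsmasq-dhcp") == 0 { next }
    {
      for (f = 1; f <= NF; f++) if ($f ~ /^DHCP[A-Z]+\(/) break   # e.g. DHCPACK(eth2)
      if (f > NF) next
      split($f, p, /[()]/)                                         # p[1] type, p[2] interface
      if (p[2] != ifc) next
      if (p[1] == "DHCPDISCOVER") { seen = 1; mac = $(f + 1) }
      if (p[1] == "DHCPACK") {
        acked = 1; ip = $(f + 1); mac = $(f + 2)
        host = (f + 3 <= NF) ? $(f + 3) : "-"                      # hostname is optional
      }
    }
    END {
      if (acked) print "lease", ip, mac, host
      else if (seen) print "no-offer", mac
      else print "silent"
    }'
}

# Constructed logread excerpt in dnsmasq format (MACs and hostname invented):
# a camera on eth2 completing a lease, and a client on eth3 that only sent DISCOVER.
sample_log() {
  cat <<'EOF'
Tue Jan  9 21:02:11 2024 daemon.info dnsmasq-dhcp[2210]: DHCPDISCOVER(eth2) 00:11:22:33:44:55
Tue Jan  9 21:02:11 2024 daemon.info dnsmasq-dhcp[2210]: DHCPOFFER(eth2) 192.168.75.100 00:11:22:33:44:55
Tue Jan  9 21:02:11 2024 daemon.info dnsmasq-dhcp[2210]: DHCPREQUEST(eth2) 192.168.75.100 00:11:22:33:44:55
Tue Jan  9 21:02:11 2024 daemon.info dnsmasq-dhcp[2210]: DHCPACK(eth2) 192.168.75.100 00:11:22:33:44:55 IPC-CAM-01
Tue Jan  9 21:05:40 2024 daemon.info dnsmasq-dhcp[2210]: DHCPDISCOVER(eth3) aa:bb:cc:dd:ee:ff
EOF
}

demo() { sample_log | dhcp_lease_state "$1"; }   # sh dhcp_check.sh demo eth2

if [ "${1:-}" = demo ]; then demo "$2"; elif [ $# -eq 1 ]; then dhcp_lease_state "$1"; fi
```

Once the camera shows up as "lease", `cat /tmp/dhcp.leases` on the router lists the same MAC and address, and that MAC is what you pin in a static lease so the NAS always finds the camera at the same IP.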

yes!

Thank you kindly good sir!

What would you advise as my best course of action for the wlan situation? Will generating a new interface be more secure as I can put a separate firewall between the wlan and the lan, or is it all the same and I should bridge the lan (eth1 to eth3 as well)?

So, LuCI is acting up really badly since the last changes. Sometimes it loads a blank page with just OpenWrt and refreshing on top, sometimes I get a red bar "XHR request aborted by browser", and a couple of the pages like Software are missing. Tried the whole /etc/init.d/uhttpd stop|start|restart, rebooting the router, rebooting the PC, even deleted the browser's saved data for the site, and it persists. I did a backup (should have probably done one earlier). I'll try resetting to factory and uploading or redoing the settings tomorrow evening, since I already have a template.

Lost half a day, and got pretty efficient at flashing openwrt to an ssd. Only to find out that my browser was causing my problems :slight_smile:

What would you advise as my best course of action for the wlan situation? Will generating a new interface be more secure as I can put a separate firewall between the wlan and the lan, or is it all the same and I should bridge the lan (eth1 to eth3 as well)?

Doh! Glad you found it, though.

It depends on what your goals for your wifi are... but generally, yes, because then you will have global and/or granular control at the main router about what the wifi network can access (especially if you're going to use the stock firmware on that device).

Can you elaborate on (or remind me about/point me to) your goals with the wifi network?

yes this is the overall plan: