Luci--19.07.0 -- guest network setup

Just installed 19.07.0 r2. While configuring guest network, I noticed that Luci does not provide guest network as a dropdown option for Allow forwards from source zones. So I left this undefined. Yet, the firewall config file seems fine:

config forwarding
option dest 'wan'
option src 'GUEST'

Am I doing this incorrectly?

As an aside, there are 2 guides for building the guest network (CLI and Luci). There's a slight difference in the DHCP firewall rule.

This one indicates you should limit to ports 67-68 for both src and dest.
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan

This one only limits those ports for dest--at least in the Luci snapshot.
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan-webinterface

Which is the better practice?

Thank you

Only port 67 is needed. Port 68 is the one that the client uses. I don't think it is necessary to define the source port.

Better post the whole config:
uci export firewall

and use preformatted text (the </> button) when you paste console output.

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option drop_invalid '1'
        option forward 'DROP'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'DROP'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'DROP'
        option forward 'DROP'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        list icmp_type 'echo-request'
        option target 'DROP'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option forward 'DROP'
        option name 'GUEST'
        option output 'ACCEPT'
        option family 'ipv4'
        option input 'DROP'
        option network 'GUEST'

config forwarding
        option dest 'wan'
        option src 'GUEST'

config rule
        option dest_port '53'
        option src 'GUEST'
        option name 'guest DNS'
        option target 'ACCEPT'
        option proto 'tcp udp'

config rule
        option dest_port '67-68'
        option src 'GUEST'
        option name 'guest DHCP'
        option target 'ACCEPT'
        option proto 'udp'
        option src_port '67-68'


The configuration is correct. However I would avoid using the capital letters in the zone and interface definitions.

I would avoid using the capital letters in the zone and interface definitions.

I assume you mean the interface names. Why avoid capitals?

Because (especially in Unix/Linux), there are places where things are case-sensitive.

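As an added example (not code from the thread or from the OpenWrt project), here is a small Python parser for the `uci export firewall` text format that checks the points raised in this thread against the posted guest stanzas: that a forwarding from the guest zone to wan exists, that the DHCP rule only needs dest_port 67 and no src_port, and that zone and network names are lower-case because UCI names are case-sensitive. The sample config is constructed from the stanzas posted above, and the function names are mine.

```python
# Added example (not from the thread or OpenWrt): parse `uci export firewall` text
# and check the guest-zone points raised in the thread.
# Constructed sample: the guest stanzas from the posted config, shortened.
SAMPLE = """
config zone
        option name 'GUEST'
        option network 'GUEST'
config forwarding
        option dest 'wan'
        option src 'GUEST'
config rule
        option name 'guest DHCP'
        option src 'GUEST'
        option proto 'udp'
        option dest_port '67-68'
        option src_port '67-68'
"""

def parse_uci(text):
    """Return [(section_type, {key: value or [values]})] for each stanza."""
    sections = []
    for raw in text.splitlines():
        kind, _, rest = raw.strip().partition(" ")
        if kind == "config":
            sections.append((rest.split()[0], {}))
        elif kind in ("option", "list") and sections:
            key, _, val = rest.partition(" ")
            opts = sections[-1][1]
            val = val.strip().strip("'\"")
            if kind == "list":
                opts.setdefault(key, []).append(val)
            else:
                opts[key] = val
    return sections

def audit(text, zone):
    """Return findings for the guest zone (empty list means no issue found)."""
    sections = parse_uci(text)
    findings = []
    if zone != zone.lower():
        findings.append("zone name has capitals; UCI names are case-sensitive")
    if not any(k == "forwarding" and o.get("src") == zone and o.get("dest") == "wan"
               for k, o in sections):
        findings.append("no forwarding from the guest zone to wan")
    for k, o in sections:
        if k == "rule" and o.get("src") == zone and o.get("proto") == "udp" \
                and "67" in o.get("dest_port", "").split("-"):
            if "src_port" in o:
                findings.append("DHCP rule sets src_port; only dest_port 67 is needed")
            if o["dest_port"] != "67":
                findings.append("DHCP rule opens dest_port %s; 67 suffices" % o["dest_port"])
    return findings
```

Running `audit(SAMPLE, "GUEST")` reports the capitalised name and the over-broad DHCP rule; after renaming the zone to `guest`, dropping `src_port` and narrowing `dest_port` to `67`, it returns an empty list.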

Thank you for taking the time to look at this.