Make Ethernet device use IOT interface

Hey guys! I'm setting up Proxmox on my Raspberry Pi 4B 4GB and it requires having an Ethernet connection instead of wireless. This presents an issue where my Pi is now in my LAN interface instead of my IOT one.
The IOT interface uses a different IP address and has stricter rules than the LAN one, and the LAN devices can actually communicate into the IOT interface. This allows for certain devices like smart TVs to be able to still function with my parent's smart phone as well as allow me to be able to access my other raspberry pis connected to the IOT interface via ssh. I've started trying to set it up by creating a new VLAN with the ID 10.

How do I configure OpenWrt to group the port that my pi is connected to inside the IOT device? My router is an Archer A7 V5 running OpenWrt 21.02.2 r16495-bf0c965af0.

Settings

Firewall Rules

config zone
	option name 'GuestZone'
	option output 'ACCEPT'
	option forward 'DROP'
	option input 'DROP'
	list network 'GUEST'

config zone
	option name 'IOTZone'
	option output 'ACCEPT'
	option forward 'DROP'
	option input 'DROP'
	list network 'IOT'
	option masq '1'
	list device 'eth0.10'

config forwarding
	option src 'GuestZone'
	option dest 'wan'

config forwarding
	option src 'IOTZone'
	option dest 'wan'

config rule
	option name 'Guest DHCP and DNS'
	option src 'GuestZone'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'IOT DHCP and DNS'
	option src 'IOTZone'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'IOTZone'

Network

config interface 'GUEST'
	option proto 'static'
	option ipaddr '10.20.60.20'
	option netmask '255.255.255.0'

config interface 'IOT'
	option proto 'static'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '10'
	option ports '0t 2t'

DHCP

config dhcp 'GUEST'
	option interface 'GUEST'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config dhcp 'IOT'
	option interface 'IOT'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

Presumably there is more to the config files than you have posted... please post the complete files.

What port is the Pi connected to? And to verify, you want the Pi to connect to the IoT network via ethernet?

LAN 1, and yes! I want the pi connected to the IOT network via ethernet, so the IOT firewall rules apply to it like all of the other IOT devices.

And the complete files?

I already pasted the settings relevant to the network and firewall configurations for the IOT network and the VLAN

But the complete files are necessary to ensure that we have the whole picture.

Some of the configurations have sensitive data (like port forwards and network interface passwords) which was why I didn't share the full configurations. How do I make sure that the configurations don't contain sensitive information?

Simply redact the sensitive info from the network file. That is the one I really need to see.

Ok! Here ya go

Firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'DROP'
	option drop_invalid '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	option forward 'DROP'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'GuestZone'
	option output 'ACCEPT'
	option forward 'DROP'
	option input 'DROP'
	list network 'GUEST'

config zone
	option name 'IOTZone'
	option output 'ACCEPT'
	option forward 'DROP'
	option input 'DROP'
	list network 'IOT'
	option masq '1'

config forwarding
	option src 'GuestZone'
	option dest 'wan'

config forwarding
	option src 'IOTZone'
	option dest 'wan'

config rule
	option name 'Guest DHCP and DNS'
	option src 'GuestZone'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'IOT DHCP and DNS'
	option src 'IOTZone'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'IOTZone'

Network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7d:f549:f969::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr '98:da:c4:7c:0d:24'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2 3 4 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'

config interface 'GUEST'
	option proto 'static'
	option ipaddr '10.20.60.20'
	option netmask '255.255.255.0'

config interface 'IOT'
	option proto 'static'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

DHCP

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option rebind_protection '1'
	option rebind_localhost '1'
	list rebind_domain 'example.local'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'GUEST'
	option interface 'GUEST'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config dhcp 'IOT'
	option interface 'IOT'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

Wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option band '5g'
	option cell_density '0'
	option htmode 'VHT80'
	option channel '48'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'XXXXXXX'
	option key 'XXXXXXXX'
	option wpa_disable_eapol_key_retries '1'
	option encryption 'sae-mixed'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option band '2g'
	option cell_density '0'
	option htmode 'HT40'
	option channel 'auto'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'XXXXXXX'
	option key 'XXXXXXXX'
	option wpa_disable_eapol_key_retries '1'
	option encryption 'sae-mixed'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'XXXXXXX'
	option key 'XXXXXXXX'
	option isolate '1'
	option wpa_disable_eapol_key_retries '1'
	option network 'GUEST'
	option ifname 'wlan0-guest'
	option encryption 'sae-mixed'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'XXXXXXX'
	option key 'XXXXXXXX'
	option wpa_disable_eapol_key_retries '1'
	option network 'IOT'
	option encryption 'sae-mixed'
	option ifname 'wlan1-iot'

Add the following to your network config:

config device
	option name 'br-iot'
	option type 'bridge'
	list ports 'eth0.3'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '0t 5'

Then edit these existing stanzas to look like this:

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2 3 4'

config interface 'IOT'
	option device 'br-iot'
	option proto 'static'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

I have made a guess that logical port 5 corresponds to physical port 4 (as labeled on the case), but that could be wrong. If so, it will likely be logical port 2 in the switch configuration. In that case...

  • put logical port 5 back into the VLAN 1 definition
  • remove port 2 from VLAN 1
  • then add logical port 2 to VLAN 3
  • and remove port 5 from VLAN 3

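A small added check, my own example code rather than anything from this thread or from OpenWrt, that parses the switch_vlan stanzas of a network config and flags the two layout mistakes the instructions above are guarding against: a physical port left untagged in more than one VLAN, and a VLAN without a tagged CPU port. The sample stanzas are the ones suggested above; the parser can be pointed at the text of /etc/config/network instead.

```python
import re
from collections import defaultdict

# Constructed sample: the switch_vlan stanzas as suggested in this thread
# (vlan 1 on ports 0t 2 3 4, vlan 2 on 0t 1, vlan 3 on 0t 5).
SUGGESTED_CONFIG = """
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2 3 4'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '0t 5'
"""

def parse_switch_vlans(text):
    """Return [{'vid': str, 'ports': [str]}] for every UCI switch_vlan stanza."""
    vlans = []
    for stanza in re.split(r"^config\s+", text, flags=re.M):
        if not stanza.startswith("switch_vlan"):
            continue
        opts = dict(re.findall(r"option\s+(\w+)\s+'([^']*)'", stanza))
        vlans.append({"vid": opts.get("vid"), "ports": opts.get("ports", "").split()})
    return vlans

def check_vlans(vlans, cpu_port="0"):
    """Return a list of problem strings; an empty list means the layout is consistent."""
    problems = []
    untagged = defaultdict(list)  # physical port -> VIDs in which it is untagged
    for v in vlans:
        ports = {p.rstrip("t"): p.endswith("t") for p in v["ports"]}
        if ports.get(cpu_port) is not True:
            problems.append(f"vid {v['vid']}: CPU port {cpu_port} must be tagged ({cpu_port}t)")
        for port, tagged in ports.items():
            if port != cpu_port and not tagged:
                untagged[port].append(v["vid"])
    for port, vids in sorted(untagged.items()):
        if len(vids) > 1:
            problems.append(f"port {port} is untagged in several VLANs: {', '.join(vids)}")
    return problems
```

Running check_vlans(parse_switch_vlans(open('/etc/config/network').read())) on the router is enough to catch a port that was added to VLAN 3 but never removed from VLAN 1.
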
Apparently logical 5 isn't actually port 4... at least from what LuCI is showing. I was completely wrong, logical 5 is actually port 4!

I don't have the pi connected to port 4, I have it connected to the very first port (Number 1 on my router)

Part of the process is figuring out the mapping between the physical port labels, the ones in LuCI, and then the logical assignments in the config files. Once you know how those correlate, you can pretty easily set the VLAN appropriately.

Otherwise, you should be good to go if you follow my directions above.

I followed the instructions but now my computer can no longer find the pi; can't connect nor ping to it at all. What do I do now?

--Edit--
Moved the pi to the 4th port on my router, and when I try pinging it, I get this error on the console:

From ThinkNova icmp_seq=5 Destination unreachable: Address unreachable

And OpenWrt's system log says Sun May 22 21:10:45 2022 daemon.warn dnsmasq-dhcp[31385]: DHCP packet received on wlan1-iot which has no address, while before switching (having it in port 1), it didn't display anything at all other than all packets were lost.

OH I see what happened! So I found out that I can actually ping the device if I'm connected to the IOT wireless network, but can't ping it if I'm on the LAN wireless network. Another thing I just realized is that I was pinging the device using the device's hostname, which works fine if I ping while connected to the IOT network, but doesn't if I'm not (however, I can ping the device using its IP address whether I'm connected to the IOT network or the LAN network). Any idea why I can't ping using the device's hostname when outside of the IOT network?

What do you get if you use nslookup <hostname> from your computer and from your router?

From the router:

From my computer (connected to LAN; I don't have nslookup on my machine, so I had to use drill instead):

❯ drill knoxpi.lan
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 6284
;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; knoxpi.lan.  IN      A

;; ANSWER SECTION:
knoxpi.lan.     0       IN      A       192.168.4.191

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 1 msec
;; SERVER: fd7d:f549:f969::1
;; WHEN: Sun May 22 21:45:17 2022
;; MSG SIZE  rcvd: 44

Is the laptop on the 192.168.1.0/24 network?
Is the address resolved for the pi (192.168.4.191) correct?

What happens when you ping from your laptop on 192.168.1.0/24:

  • 192.168.4.191
  • knoxpi.lan

Yeah, the laptop is on the lan network, which is the 192.168.1.0/24 network! And yeah, the address 192.168.4.191 is the pi's current IP address (however, I plan on setting the static IP address to 192.168.4.120). The scenario where I couldn't ping the pi with its hostname was when the laptop was connected to the lan network (I get that address unreachable error); however, I can ping the pi with its IP address when the laptop is on the lan network.

If the laptop is resolving the pi's hostname properly, there should be no difference between using the IP and the hostname.

Can you try that again, back to back, and then do a screen grab or copy/paste of the results?

Here ya go! Ran the same commands on my laptop for both cases back to back.
LAN Case

IOT Case