Hi all, I just ordered my router! I am now trying to educate myself on openWrt to hit the ground running when it arrives.
I am pretty excited about all this, but I think I need a bit of help to figure out the basics (apologies in advance for the naive questions).
I am going through the example for basic configuration. I am trying to make sure I understand the configuration for the interfaces.
1. What is the scope of section names?
Is there any hidden impact of the section name, beyond its use in the configuration file? For example, can the section name be used in other configuration files?
In other words, can I do a sed to replace network.lan by network.mypetname in the file /etc/config/network (only this file) and everything will work exactly the same?
I don't see any option here that makes the ipaddr 127.0.0.1 work as a loopback (i.e. redirect to the client itself). What am I missing? Is the forwarding back to itself configured someplace else?
Why is the type bridge? What are the two networks this interface is bridging? A candidate would be that this interface bridges the lan and the wan, but this seems incorrect : given the following definitions it seems this interface should route and not bridge the lan network to the wan network?
It's also a bit confusing to me that this interface is called lan, given that we also have a notion of lan network. But I guess the documentation warns that wan and lan mean different things in different contexts.
4. guest network
One of my early goals (once I receive the router!) is to set up a guest wireless network. In the guest network, I want each device to only be able to have access to the internet, but not to each other. I actually think this might be a good default characteristic for any network. Only allow inter-clients communication if necessary.
What is the best way to do this?
I expect yes, but only because the text network.lan doesn't appear in that file in the first place, so sed won't change anything. At least, it doesn't appear in that file on my instance of OpenWRT.
However, be aware that changing interface definitions in /etc/config/network may affect the behaviour of the firewall. Some of the entries in /etc/config/firewall depend on corresponding entries in /etc/config/network.
I suggest spinning up an instance of OpenWRT inside VMware Player/Workstation or VirtualBox (there are how-to docs for both on the OpenWRT website) so you can play with it directly and get a feel for how the various configuration files interact with each other.
It's a standard behaviour. Any address which begins with 127 refers to the host itself. I can't remember which RFC document describes it, but 127.x.x.x as a loopback address is universal, not confined solely to OpenWRT.
By default, LAN and Wireless to form one contiguous layer 2 domain.
Out of the box, OpenWRT bridges LAN and Wireless together, and segregates them from WAN via routing and the firewall.
See the contents of /etc/config/wireless to find the directive which says that the wireless interface belongs to the lan network.
Your search engine terms for the day are "private VLAN" and/or "client isolation".
I've no idea if OpenWRT supports it either natively or via additional modules; I've never investigated.
'lo' is an Ethernet-like psuedo-device in every Linux kernel. It doesn't connect to anything external but it allows looping data back.
Don't mess with 'loopback' at all. It is something that many Linux applications expect to be there.
You can change names but as noted the name is referred to in other files particularly firewall and wireless. Network names should be kept short (kernel limit 15 characters, including the br- or pppoe- etc that OpenWrt may add) and by convention lower case only.
Wireless is interesting that wifi interfaces are attached to networks in /etc/config/wireless not /etc/config/network. This leads to the situation that it appears there is a bridge with only one member, but additional wireless APs or STA(WDS) or mesh may be attached to it. brctl show can be used to examine the actual setup of bridges. There's also nothing wrong with a bridge with only one member, it keeps it simple to expand later.
A guest network starts with making a new bridge with a short lowercase name like 'guest', and a separate IP range and new matching firewall zone. Then set the firewall to forward guest only to wan not to lan. Guests can use the Internet but can't reach your LAN.
That's because this config only creates the "lo" interface for use by the system, the fact that it's used as loopback is a network standard so all applications just assume this is up and available and don't need additional config. It just needs to be there at all.
first, this is a physical interface bridge, not a networking bridge. It bridges phyisical ethernet ports or VLANs or wifi networks to form a single virtual interface with the same IP address and dhcp server and whatnot. see here for more info https://wiki.linuxfoundation.org/networking/bridge
This creates a new interface in your system, called br-NAME
so in this case br-lan.
See the output of ip a command to list all interfaces in the system, note how there is a br-lan at the end of the list (point 7). That's the interface bridge.
1: lo: <LOOPBACK,UP,LOWER_UP,80000> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,ALLMULTI,PROMISC,UP,LOWER_UP,80000> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
link/ether ac:16:2d:94:52:0c brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1280 qdisc mq state UP group default qlen 100
link/ether ac:16:2d:94:52:0d brd ff:ff:ff:ff:ff:ff
inet 192.168.89.252/24 brd 192.168.89.255 scope global eth1
valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1406 qdisc mq state UP group default qlen 100
link/ether ac:16:2d:94:52:0e brd ff:ff:ff:ff:ff:ff
inet 192.168.88.252/24 brd 192.168.88.255 scope global eth2
valid_lft forever preferred_lft forever
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 100
link/ether ac:16:2d:94:52:0f brd ff:ff:ff:ff:ff:ff
inet 192.168.8.100/24 brd 192.168.8.255 scope global eth3
valid_lft forever preferred_lft forever
6: eth4: <BROADCAST,MULTICAST,ALLMULTI,PROMISC,UP,LOWER_UP,80000> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
link/ether e8:61:1f:11:34:6c brd ff:ff:ff:ff:ff:ff
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP,80000> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether ac:16:2d:94:52:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.100.1/24 brd 192.168.100.255 scope global br-lan
valid_lft forever preferred_lft forever
The interfaces bridged by this interface are in the ifname line, so for example if you want to have two interfaces there you would have option ifname 'eth0 eth4'
And if you look again at the ip a command above you see that the eth0 and eth4 interfaces have no IP address but are shown as UP (active), that's because they are part of the br-lan bridge and their IP is shown in the br-lan entry.
You also need to check out the wifi config at /etc/config/wireless because it is also added to the bridge
note the option network 'lan'
This means that the wifi should be added to the OpenWrt interface called "lan", and this can only happen if that interface is set as a "bridge".
If you look at the interface called "lan" from Luci web interface you should see both ethernet and wifi interfaces connected to it, the settings are not split like in the config files (it's joined for ease of use).
Another thing, if your device has an integrated switch the interfaces are usually set up as VLANs in the switch so you are not bridging ports here. You will get something like in the example option ifname 'eth0.1'
that means "use VLAN 1 of eth0 interface" and in the switch config the VLAN 1 is set to use the usual 4 ports that are called "LAN" on the device's case.
It's also a bit confusing to me that this interface is called lan, given that we also have a notion of lan network.
It's called lan because this is supposed to be the bridge where all interfaces belonging to lan network go. It's the whole point of calling it like that.
There is a tutorial to do this since it's a commonly requested feature https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface
But in general terms, you are creating a new wireless network and then not bridging it to the "lan" interface so it goes on its own "guest wifi" interface, and will therefore be isolated from whatever is in the "lan" bridge. Then in the firewall you will allow forwarding to the "wan" interface so it can access the internet.
If you also want to do this with ethernet it's a bit more complex but follows the same principle
I expressed myself incorrectly with my sed example, but your reply answers my underlying question : section names span across multiple configurations.
Ah! That definitely makes sense. Now that you explain it, its obvious
Thanks for the keyword. That led me to an article according to which it is as simple as adding option 'isolate' '1' to the wifi interface.
@mk24 : thanks for all that. It's very helpful. These conventions are very good to know.
@sml156 : thanks for the links, I'll look into these.
@bobafetthotmail thanks a lot for the very clear explanation. It's also very useful to see actual configurations.
Thanks for that. I'm sure this would have tripped me up.
The loopback is the only thing I am still unclear on. That is probably because I do not have the correct understanding of how it works. Let me try to detail how I picture it in my head, and you can let me know what I am missing.
A client machine with IP 192.168.0.3 sends an IP Packet P0 to destination 127.0.0.1 on SSID S0, with WPA2 encryption.
If there is no client isolation (which is the case by default), all client machines on this SSID can listen and decrypt this packet (this is not relevant to my question about loopback, but I just want to make sure I understand this correctly)
The router that created this SSID listens to this packet, decrypts it. It sees destination IP 127.0.0.1, so it generates a new IP Packet P1 which is exactly the same as P0 except that the destination address is not 127.0.0.1 but 192.168.0.3 (does the destination port number stays the same as P0?). That way, the initial client receives its own packet, hence it is a loopback.
My confusion comes from the fact that I do not see anything in the config of interface lo that generates point 3.
No such thing...loopback packets never leave any device, in fact, they rarely (if ever) leave lo. Each device has its own lo. That IP is invalid as a DST IP on the air/wire/network.
Even an endpoint device (smartphone or laptop etc) has more than one interface. In this case the packet addressed to 127.0.0.1 will be dispatched to the interface 127.0.0.1 and immediately return on that same interface. An interface set up as an external connection, i.e. a wifi card 192.168.0.3, will not be involved at all.
An example would be a local instance of a mySQL server listening on port 3306. When another application accesses the database, it sends a packet from localhost:50123 to localhost:3306. The mysqld process receives this packet, and returns the answer to the originating application on localhost:50123. (Like any other TCP, the originator of a connection chooses a random high port number for itself, 50123 in this example) All this happens on the 127.0.0.1 network.
The advantage here is that this client and server application with exactly the same code can be re-used and set up as a remote server merely by changing the IP addresses to something that will route to the other box. (There are faster ways to move data between local processes but it becomes OS specific.)
Loopback is a virtual interface that mirrors packets coming from the same machine. You don't need to do anything, for the application this looks like network traffic.
It's useful to run normal network services that shouldn't be accessed from outside the system (or have no need to actually go out, do a trip to the switch and then turn back since they are contacting another service on the same system) without need to modify them to talk to another local application directly.
It's a little trick like doing symbolic links or bind mounts on a filesystem.
For example Syncthing (and other applications) use it to show a web interface for the user of the PC (since it's far easier to make a cross-platform GUI with web technologies than using 5 different OS-specific GUI toolkits). You point your web browser to 127.0.0.1:8384 and the system will bounce the packets to the local Syncthing application that is listening on 127.0.0.1:8384 and will send its web interface to the browser through that.
This will work on all OSes because every operating system with network access will have a loopback interface.
I understand now where my confusion is. I was mistakenly assuming that the clients's packets addressed to 127.0.0.1 would be addressed to the router, which would send them back to the client. In fact, that's not what happens. Each client creates its own loopback interface, so messages addressed to 127.0.0.1 actually never reach the router.
So the loopback network interface on the router is actually meant only for itself, not for the clients. There is no need for any specific configuration in the loopback's config of the router that redirects packets seen by the router with destination IP 127.0.0.1 (from clients), because packets like these are never seen.
OpenWrt, like all other OSes, knows to simply send back to itself packets send to 127.0.0.1.
This article though does not fit well into that explanation, since it says :
As the loopback address never changes, it is the best way to identify a device in the network.
The loopback interface is always up and it is reachable as long as the route to that IP address is available in the IP routing table. Hence you can use the loopback interface for diagnostics and troubleshooting purposes.
I am guessing this article talks about a different mechanism for loopback? Maybe one closer to my original understanding?
Welcome to the joys of dealing with enterprise networking.
There is a distinction to be drawn between the loopback interface (lo0) and the loopback network (127.0.0.0/8).
From the perspective of any device on the network, any address in the range 127.x.x.x is always "me", i.e. traffic is always handled internally and never leaves the device. It's not possible to talk to 127.x.x.x on another device. Some of the other posts before this one give real-world examples of where the loopback address might be used in practice.
Juniper's documentation illustrates how Juniper equipment supports configuring the loopback interface with a real, routable IP address so that it can be used for out-of-band management and for other services/protocols which may require a loopback address.
Yes. Each client will have its own loopback interface and will do this on its own. The loopback of the router is only used by the router, packets never leave the system.
No it's telling how to use this internal loopback interface on their own equipment to do troubleshooting tests. All the pinging and whatnot they tell to do must be done from the Juniper device itself, not from another device in the network.
Are you asking about a routable loopback address???