Hi,
on my OpenWrt router I have configured a restricted interface for IoT devices.
Restricted means, in this context, that it must be treated like a guest network.
This results in firewall rules that close all ingress communication to the router and open only specific ports via traffic rules.
When I run tcpdump on this interface I can see the discover and the request, but no response from OpenWrt:
12:46:53.699395 IP (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 326)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 24:29:34:88:3f:7d, length 298, xid 0x6880911d, secs 6, Flags [none]
          Client-Ethernet-Address 24:29:34:88:3f:7d
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Discover
            Client-ID (61), length 7: ether 24:29:34:88:3f:7d
            MSZ (57), length 2: 1500
            Vendor-Class (60), length 15: "android-dhcp-14"
            Hostname (12), length 7: "seymour"
            Parameter-Request (55), length 12:
              Subnet-Mask (1), Default-Gateway (3), Domain-Name-Server (6), Domain-Name (15)
              MTU (26), BR (28), Lease-Time (51), RN (58)
              RB (59), Vendor-Option (43), URL (114), Unknown (108)
12:47:04.445226 IP (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 332)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 24:29:34:88:3f:7d, length 304, xid 0xcbc6f91c, Flags [none]
          Client-Ethernet-Address 24:29:34:88:3f:7d
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            Client-ID (61), length 7: ether 24:29:34:88:3f:7d
            Requested-IP (50), length 4: 192.168.1.56
            MSZ (57), length 2: 1500
            Vendor-Class (60), length 15: "android-dhcp-14"
            Hostname (12), length 7: "seymour"
            Parameter-Request (55), length 12:
              Subnet-Mask (1), Default-Gateway (3), Domain-Name-Server (6), Domain-Name (15)
              MTU (26), BR (28), Lease-Time (51), RN (58)
              RB (59), Vendor-Option (43), URL (114), Unknown (108)
My network setup is somewhat different.
The OpenWrt router's IoT interface is connected to the ISP router's LAN 192.168.1.0/24; this means the ISP router is the gateway and upstream for this subnet, and the OpenWrt router has the static IP 192.168.1.4.
If DHCP is enabled on the ISP router, there are no issues. However, I want to use OpenWrt as the DHCP router after shutting down DHCP on the ISP router.
For the IoT interface I have configured these firewall rules:
firewall.@rule[23].name='IoT: Allow-HTTPs-Pihole'
firewall.@rule[23].proto='tcp'
firewall.@rule[23].src='iot'
firewall.@rule[23].src_ip='192.168.1.56'
firewall.@rule[23].dest='server'
firewall.@rule[23].dest_ip='172.16.50.11'
firewall.@rule[23].dest_port='80 443'
firewall.@rule[23].target='ACCEPT'
firewall.@rule[24]=rule
firewall.@rule[24].name='IoT: Allow-DHCP-discover'
firewall.@rule[24].proto='udp'
firewall.@rule[24].src='iot'
firewall.@rule[24].src_port='68'
firewall.@rule[24].dest_port='67'
firewall.@rule[24].family='ipv4'
firewall.@rule[24].target='ACCEPT'
firewall.@rule[25]=rule
firewall.@rule[25].name='IoT: Allow-DHCP-offer'
firewall.@rule[25].proto='udp'
firewall.@rule[25].dest='iot'
firewall.@rule[25].src_port='67'
firewall.@rule[25].dest_port='68'
firewall.@rule[25].family='ipv4'
firewall.@rule[25].target='ACCEPT'
firewall.@rule[26]=rule
firewall.@rule[26].name='IoT: Allow-DHCPv6-discover'
firewall.@rule[26].proto='udp'
firewall.@rule[26].src='iot'
firewall.@rule[26].src_port='547'
firewall.@rule[26].dest_port='546'
firewall.@rule[26].family='ipv6'
firewall.@rule[26].target='ACCEPT'
firewall.@rule[27]=rule
firewall.@rule[27].name='IoT: Allow-DHCPv6-offer'
firewall.@rule[27].proto='udp'
firewall.@rule[27].dest='iot'
firewall.@rule[27].src_port='546'
firewall.@rule[27].dest_port='547'
firewall.@rule[27].family='ipv6'
firewall.@rule[27].target='ACCEPT'
firewall.@rule[28]=rule
firewall.@rule[28].name='IoT: Allow-DNS'
firewall.@rule[28].proto='tcp' 'udp'
firewall.@rule[28].src='iot'
firewall.@rule[28].dest_port='53'
firewall.@rule[28].target='ACCEPT'
firewall.@rule[28].dest='server'
firewall.@rule[29]=rule
firewall.@rule[29].name='IoT: Allow-DNS-Pihole'
firewall.@rule[29].proto='tcp' 'udp'
firewall.@rule[29].src='iot'
firewall.@rule[29].dest_port='53'
firewall.@rule[29].target='ACCEPT'
firewall.@rule[29].dest='server'
firewall.@rule[29].dest_ip='172.16.50.11'
firewall.@rule[30]=rule
firewall.@rule[30].name='IoT: Allow-NTP'
firewall.@rule[30].proto='udp'
firewall.@rule[30].src='iot'
firewall.@rule[30].dest_port='123'
firewall.@rule[30].target='ACCEPT'
firewall.@rule[31]=rule
firewall.@rule[31].name='IoT: Block-DNS-other-networks'
firewall.@rule[31].proto='tcp' 'udp'
firewall.@rule[31].src='iot'
firewall.@rule[31].dest='*'
firewall.@rule[31].dest_port='53'
firewall.@rule[31].target='REJECT'
firewall.@rule[32]=rule
firewall.@rule[32].name='IoT: Block-all'
firewall.@rule[32].proto='all'
firewall.@rule[32].src='iot'
firewall.@rule[32].dest='*'
firewall.@rule[32].target='REJECT'
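Added example, not part of the post above: a small offline audit script that reads firewall rules in the `uci show firewall` dump format shown in the post and reports, for each rule, which fw4 chain it lands in. The classification follows the documented OpenWrt semantics: a rule with `src` but no `dest` matches traffic to the router itself (input), a rule with both `src` and `dest` matches forwarded traffic, and a rule with `dest` but no `src` matches traffic originated by the router (output). It also flags ACCEPT rules that can never match because an earlier `proto='all'`/`dest='*'` REJECT or DROP for the same source zone and chain already swallowed the traffic, since fw4 evaluates rules in order. The sample dumps embedded below are constructed for the example (modelled on the post, not the poster's full config), and the function and variable names are the example's own.

```python
import re

# Constructed sample in `uci show firewall` format (modelled on the post, not the poster's full config).
SAMPLE_UCI = """\
firewall.@rule[0]=rule
firewall.@rule[0].name='IoT: Allow-DHCP-discover'
firewall.@rule[0].proto='udp'
firewall.@rule[0].src='iot'
firewall.@rule[0].src_port='68'
firewall.@rule[0].dest_port='67'
firewall.@rule[0].family='ipv4'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[1]=rule
firewall.@rule[1].name='IoT: Allow-DHCP-offer'
firewall.@rule[1].proto='udp'
firewall.@rule[1].dest='iot'
firewall.@rule[1].src_port='67'
firewall.@rule[1].dest_port='68'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='IoT: Allow-DNS'
firewall.@rule[2].proto='tcp' 'udp'
firewall.@rule[2].src='iot'
firewall.@rule[2].dest='server'
firewall.@rule[2].dest_port='53'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='IoT: Block-all'
firewall.@rule[3].proto='all'
firewall.@rule[3].src='iot'
firewall.@rule[3].dest='*'
firewall.@rule[3].target='REJECT'
"""

# Constructed variant: an ACCEPT rule placed *after* the catch-all REJECT, so it is dead.
SHADOWED_UCI = SAMPLE_UCI + """\
firewall.@rule[4]=rule
firewall.@rule[4].name='IoT: Allow-NTP'
firewall.@rule[4].proto='udp'
firewall.@rule[4].src='iot'
firewall.@rule[4].dest='wan'
firewall.@rule[4].dest_port='123'
firewall.@rule[4].target='ACCEPT'
"""

# firewall.@rule[N]=rule          -> section header (key group is None)
# firewall.@rule[N].option='v'    -> single value
# firewall.@rule[N].proto='a' 'b' -> list option, several quoted values
LINE_RE = re.compile(r"^firewall\.@rule\[(\d+)\](?:\.(\w+))?=(.*)$")


def parse_rules(text):
    """Parse `uci show firewall` output into an ordered list of rule dicts.
    List options such as proto='tcp' 'udp' become Python lists."""
    rules = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        idx, key, raw = int(m.group(1)), m.group(2), m.group(3)
        rule = rules.setdefault(idx, {})
        if key is None:
            continue  # the "=rule" line only opens the section
        values = re.findall(r"'([^']*)'", raw)
        rule[key] = values if len(values) > 1 else (values[0] if values else raw)
    return [rules[i] for i in sorted(rules)]


def chain_for(rule):
    """fw4 placement by zone options: src only -> input, src+dest -> forward, dest only -> output."""
    if "src" in rule and "dest" in rule:
        return "forward"
    if "src" in rule:
        return "input"
    if "dest" in rule:
        return "output"
    return "unscoped"


def audit(text):
    """Return (summary, findings).
    summary: (name, chain, target) per rule in evaluation order.
    findings: ACCEPT rules shadowed by an earlier catch-all REJECT/DROP for the same (src zone, chain)."""
    summary, findings = [], []
    blocked = set()
    for r in parse_rules(text):
        chain = chain_for(r)
        name, target = r.get("name", "?"), r.get("target", "DROP")  # fw4 default target is DROP
        summary.append((name, chain, target))
        key = (r.get("src"), chain)
        if key in blocked and target == "ACCEPT":
            findings.append(f"{name!r} is never reached: an earlier catch-all rule already blocks {key}")
        if target in ("REJECT", "DROP") and r.get("proto") == "all" and r.get("dest") == "*":
            blocked.add(key)
    return summary, findings


if __name__ == "__main__":
    for name, chain, target in audit(SAMPLE_UCI)[0]:
        print(f"{chain:8} {target:7} {name}")
    for finding in audit(SHADOWED_UCI)[1]:
        print("WARNING:", finding)
```

Run it against `uci show firewall | grep '@rule'` copied from the router. The point of the chain column is that the two DHCP rules in the post are not a pair on the same path: `Allow-DHCP-discover` (src only) is an input rule for packets arriving at the router, while `Allow-DHCP-offer` (dest only) is an output rule for packets the router itself sends, which is the correct pairing for a DHCP server running on the router. Whether the server process is actually listening on that interface is a dnsmasq/`/etc/config/dhcp` question that this firewall audit cannot answer.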