Hello OpenWrt Community
First of all, thank you for the good work and the possibilities you are creating!
I am quite new to OpenWrt and lower-level IT environments and am therefore requesting your help. Since I have to explain a bit, I'd like to describe the issue I am facing first. Afterwards I tell you about my setup so far, and in the end I will attach some config files.
The Issue:
I have set up an OpenWrt router as a wireless access point (wireless connection to the main - non-OpenWrt - router and wireless connection to other devices). Everything works fine.
When I now start a BitTorrent download (current Ubuntu LTS), the torrent client connects to some peers and starts downloading at max speed as expected. However, after just a few seconds (about 5) it stops. At this point I can still connect to the OpenWrt via ssh, but from there I am not able to ping the primary router as I was before. After a reboot of the AP everything is back to normal.
What I actually need help with is figuring out what that issue is related to, since I have no idea what to start looking at at all. If a similar issue was discussed already, I am really sorry.
The Setup:
The described AP is a TP-Link AC50 v1. The overall idea is to use it as a WiFi repeater (currently non-bridged) emitting a fully accessible lan network and a restricted second Guest network at the same time. Furthermore it should provide a non-bridged OpenVPN service with yet another VPN network. What I refer to here as "network" would be an "interface" to OpenWrt. The connection to the Internet is provided by the wan, which is a wireless connection to a Speedport W724V I got from my ISP. In the end it would be perfectly possible that that thing is causing the issue...
The lan is fully forwarded to the wan, whereas the Guest only has two firewall rules forwarding packets with destination ports 80, 443, 993 and 995. Additionally, DNS and DHCP are allowed, as mentioned in pretty much all the guest WiFi guides. The BitTorrent test I mentioned above used the lan network. When connected to Guest nothing happened at all - as intended.
The goal with the Guest network is to be restrictive and only add more access when needed. When everything works properly it will be extended by things like VPN ports. Anyway, I would love your recommendations on that as well.
The Configs:
If you need any more information on anything, please let me know.
Wireless:
config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/10180000.wmac'
	option htmode 'HT20'
	option disabled '0'
	option legacy_rates '1'
	option country 'DE'
	option txpower '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'xxx'
	option encryption 'psk2'
	option key 'xxx'
	option network 'Guest'
	option isolate '1'

config wifi-iface
	option network 'wwan'
	option ssid 'xxx'
	option encryption 'psk2'
	option device 'radio1'
	option mode 'sta'
	option bssid 'xxx'
	option key 'xxx'

config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option ssid 'xxx'
	option network 'lan'
	option encryption 'psk2'
	option key 'xxx'
Network:
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr 'xxx'
	option netmask 'xxx'

config globals 'globals'
	option ula_prefix 'xxx'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask 'xxx'
	option ifname 'eth0.1 tap0'
	option ipaddr 'xxx'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr 'xxx'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr 'xxx'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config interface 'wwan'
	option proto 'dhcp'

config interface 'Guest'
	option proto 'static'
	option ipaddr 'xxx'
	option netmask 'xxx'

config interface 'VPN'
	option proto 'static'
	option ifname 'xxx'
	option netmask 'xxx'
	option ipaddr 'xxx'
Firewall:
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wwan'
	option log '1'
	option log_limit '500'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'Guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'Guest'
	option input 'REJECT'

config rule
	option name 'Allow DNS'
	option src 'Guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule
	option name 'Allow DHCP'
	option src 'Guest'
	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option dest_port '1194'
	option name 'OpenVPN'
	option proto 'tcp udp'

config forwarding
	option dest 'wan'
	option src 'lan'

config zone
	option name 'VPN'
	option network 'VPN'
	option output 'REJECT'
	option forward 'REJECT'
	option input 'ACCEPT'

config forwarding
	option dest 'lan'
	option src 'VPN'

config forwarding
	option dest 'wan'
	option src 'VPN'

config rule
	option target 'ACCEPT'
	option src 'Guest'
	option name 'Guest Allow Web'
	option proto 'tcp'
	option dest 'wan'
	option dest_port '80 443'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option name 'Guest Allow Mail Client'
	option proto 'tcp'
	option dest_port '993 995'
	option src 'Guest'
	option dest 'wan'
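As an added example (not from the post above and not OpenWrt's own tooling), the following Python script parses a UCI-style firewall file and summarises, per zone, the chain policies, the zone-to-zone forwardings and the ACCEPT rules, so a restrictive guest policy like the one posted can be reviewed at a glance. It embeds a constructed, trimmed copy of the lan, wan and Guest parts of the posted config. It assumes OpenWrt's documented zone semantics: a zone policy that is not set is DROP, and a rule without a `dest` option matches traffic addressed to the router itself rather than forwarded traffic. The `report`, `summarise_zones`, `logging_zones` and `parse_uci` names are this example's own.

```python
"""Zone-policy audit for an OpenWrt UCI firewall file (added example).

Parses the UCI text format ('config', 'option', 'list' lines) and summarises,
per zone, the chain policies, the zone-to-zone forwardings and the ACCEPT
rules. Assumed semantics (OpenWrt firewall documentation): an unset zone
policy defaults to DROP, and a rule without 'dest' applies to traffic
addressed to the router (INPUT), while a rule with 'dest' applies to
forwarded traffic into that zone.
"""
import shlex

# Constructed, trimmed copy of the firewall config posted above.
SAMPLE_FIREWALL = """
config defaults
    option input 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option network 'wwan'
    option log '1'
    option log_limit '500'

config zone
    option name 'Guest'
    option forward 'REJECT'
    option output 'ACCEPT'
    option network 'Guest'
    option input 'REJECT'

config rule
    option name 'Allow DNS'
    option src 'Guest'
    option dest_port '53'
    option proto 'tcp udp'
    option target 'ACCEPT'

config forwarding
    option dest 'wan'
    option src 'lan'

config rule
    option target 'ACCEPT'
    option src 'Guest'
    option name 'Guest Allow Web'
    option proto 'tcp'
    option dest 'wan'
    option dest_port '80 443'
"""


def parse_uci(text):
    """Return a list of (section_type, section_name, options) tuples.
    'option' values are strings; repeated 'list' entries become Python lists."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = shlex.split(line)          # handles the single-quoted values
        if parts[0] == 'config':
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, {}))
        elif parts[0] == 'option' and sections:
            sections[-1][2][parts[1]] = parts[2] if len(parts) > 2 else ''
        elif parts[0] == 'list' and sections:
            sections[-1][2].setdefault(parts[1], []).append(parts[2])
    return sections


def summarise_zones(sections):
    """Map zone name -> {'policy', 'forward_to', 'rules'} (ACCEPT rules only)."""
    zones = {}
    for kind, _, opts in sections:
        if kind == 'zone':
            zones[opts['name']] = {
                'policy': {c: opts.get(c, 'DROP') for c in ('input', 'output', 'forward')},
                'forward_to': [],
                'rules': [],
            }
    for kind, _, opts in sections:
        src = opts.get('src')
        if kind == 'forwarding' and src in zones:
            zones[src]['forward_to'].append(opts['dest'])
        elif kind == 'rule' and src in zones and opts.get('target') == 'ACCEPT':
            scope = 'to zone ' + opts['dest'] if 'dest' in opts else 'to router (input)'
            zones[src]['rules'].append((opts.get('name', '?'), opts.get('proto', 'tcp udp'),
                                        opts.get('dest_port', 'any'), scope))
    return zones


def logging_zones(sections):
    """Zones with packet logging enabled, mapped to their log_limit (or 'unlimited')."""
    return {o['name']: o.get('log_limit', 'unlimited')
            for k, _, o in sections if k == 'zone' and o.get('log') == '1'}


def report(text):
    """Human-readable audit lines for the given UCI firewall text."""
    sections = parse_uci(text)
    lines = []
    for name, z in summarise_zones(sections).items():
        p = z['policy']
        lines.append('zone %s: input=%s output=%s forward=%s'
                     % (name, p['input'], p['output'], p['forward']))
        for dest in z['forward_to']:
            lines.append('  forwards all traffic to zone %s' % dest)
        for rname, proto, ports, scope in z['rules']:
            lines.append('  accepts %s port(s) %s %s (%s)' % (proto, ports, scope, rname))
    for name, limit in logging_zones(sections).items():
        lines.append('note: zone %s logs rejected packets (log_limit=%s)' % (name, limit))
    return lines


if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_FIREWALL)))
```

Running it on the embedded sample shows the Guest zone with no forwardings at all, only the DNS rule towards the router and the web rule towards wan, which is the restrictive baseline described in the post; the same script can be pointed at a full `/etc/config/firewall` to check that later additions (VPN ports and the like) only widen the policy as intended.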