OpenWrt as access point for OPNsense firewall

I have an OPNsense firewall and use an OpenWrt Linksys router to provide Wi-Fi to my devices.

Modem -> OPNsense -> OpenWrt -(wifi)-> Devices

This works so far for my main Wi-Fi in the LAN network, but I have another network called iot24 and I do not really know how to route it through the OPNsense firewall. Any hints where I should start?

What I tried so far:
- Setting the OPNsense firewall as the default gateway in the iot24 network.
- Adding firewall rules on the OpenWrt device to allow the traffic.

Did you create the iot24 network on your OpenWrt router (as a new network), or did you create it on your OPNsense box with the VLAN passed through to the OpenWrt device acting as a dumb AP?

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Sorry for the delay!

Network

# /etc/config/network as posted (OpenWrt UCI). Lines starting with '#' are
# review notes only; UCI ignores them and nothing below changes behaviour.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'XXXXX:XXXXX:XXXX::/48'

# br-lan bridges the four switch ports. Per the poster's answer #1, lan4 is the
# cable to the OPNsense LAN, so this bridge is the uplink to the main router.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr 'XX:XX:XX:XX:XX:XX'

config device
	option name 'lan2'
	option macaddr 'XX:XX:XX:XX:XX:XX'

config device
	option name 'lan3'
	option macaddr  'XX:XX:XX:XX:XX:XX'

config device
	option name 'lan4'
	option macaddr  'XX:XX:XX:XX:XX:XX'

# Main LAN: OpenWrt sits at 10.11.11.2/24 with OPNsense (10.11.11.1) as its
# default gateway. 10.11.11.243 is the NAS (host 'syn720' in /etc/config/dhcp).
# NOTE(review): ip6assign hands out a /60 of the ULA prefix on a network that
# OPNsense is meant to manage (answer #5); in a dumb-AP setup this is normally
# dropped together with the RA/DHCPv6 server settings in /etc/config/dhcp.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '1.1.1.1'
	list dns '10.11.11.243'
	option ipaddr '10.11.11.2'
	option gateway '10.11.11.1'

config device
	option name 'wan'
	option macaddr 'XX:XX:XX:XX:XX:XX'

# The 'wan' port is cabled straight to the modem (poster's answer #1: "modem
# --> openWRT(Wan)"), so OpenWrt holds a second default route that does not go
# through OPNsense. Consequences: the 'wan' firewall zone is directly internet
# facing (the two DNAT redirects in /etc/config/firewall are exposed without
# OPNsense in the path), and which default route Wi-Fi traffic takes depends on
# route metric/order ('ip route' shows the winner). Once OPNsense is the only
# router, disable or delete 'wan'/'wan6' (or unplug the cable) so the only exit
# is via 10.11.11.1.
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

# IoT network, routed by OpenWrt itself: 10.11.13.1/24. There is no 'device'
# line, so the only member is the SSID that references 'iot24' in
# /etc/config/wireless. No gateway is set, which is correct here (it is a local
# subnet, not an uplink). NOTE(review): LAN hosts such as the NAS send their
# replies to 10.11.13.x via their own default gateway (OPNsense); unless OPNsense
# has a static route for 10.11.13.0/24 via 10.11.11.2, those replies will not
# come back this way - that is the "symmetric routing" point in the thread.
config interface 'iot24'
	option proto 'static'
	option ipaddr '10.11.13.1'
	option netmask '255.255.255.0'

Wireless

# /etc/config/wireless as posted. Lines starting with '#' are review notes only.
# radio0: 2.4 GHz, channel 1, 20 MHz, 5 dBm. Carries the IoT SSID (wifinet0).
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/soc:pcie@XXXXXXXXXXXXXXXX:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option country 'XXXX'
	option cell_density '0'
	option txpower '5'

# radio1: 5 GHz, channel 36, 80 MHz, 5 dBm. Carries the main-LAN SSID (wifinet1).
config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/soc:pcie@XXXXXXXXXXXXXX:03:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option txpower '5'
	option country 'XXXXX'
	option cell_density '0'

# IoT SSID, WPA2-PSK ('psk2'), attached to the 'iot24' interface. It is the
# only member of iot24 (that interface has no 'device' in /etc/config/network).
# Suggestion: add "option isolate '1'" so IoT clients cannot reach each other
# through the AP. NOTE(review): the kernel name of this AP (typically wlan0 on
# releases before 23.05, phy0-ap0 from 23.05 on; check with 'iw dev') is what
# the "list device 'wlan0'" entry in the firewall's lan zone would match - see
# the note there.
config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Aiot24'
	option encryption 'psk2'
	option key 'XXXX'
	option network 'iot24'

# Main-LAN SSID, WPA2/WPA3 transition mode ('sae-mixed'), bridged into br-lan,
# so its clients are served by OPNsense (DHCP for 'lan' is ignored on OpenWrt).
config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'AAInet'
	option key 'XXX'
	option network 'lan'
	option encryption 'sae-mixed'

DHCP

# /etc/config/dhcp as posted. Lines starting with '#' are review notes only.
# dnsmasq: stock OpenWrt settings; rebind_protection and localservice are on,
# so only directly attached subnets (lan, iot24) may query this resolver.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

# lan: "ignore '1'" switches DHCP off on this interface, which is right when
# OPNsense is the DHCP server for 10.11.11.0/24 (poster's answer #5). The
# dhcpv6/ra 'server' lines are then dead weight; NOTE(review): confirm with
# 'logread -e odhcpd' that no RAs are being sent on br-lan, since two routers
# advertising on the same segment give clients two IPv6 default routes.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# iot24: OpenWrt serves 10.11.13.100-249 here. With no dhcp_option overrides,
# clients get 10.11.13.1 (OpenWrt) as gateway and DNS, which is why the
# 'iot24-DNS' and 'iot24-DHCP' input rules in /etc/config/firewall are needed.
config dhcp 'iot24'
	option interface 'iot24'
	option start '100'
	option limit '150'
	option leasetime '12h'

# Static leases. The two 10.11.11.x entries are on 'lan', where this box does
# not serve DHCP, so they only add local DNS names; the two 10.11.13.x entries
# are IoT devices referenced by the firewall (10.11.13.205 = Helium redirect
# target, 10.11.13.162 = camera).
config host
	option name 'rasppi4'
	option ip '10.11.11.195'
	option mac 'XX:XX:XX:XX:XX:XX'

config host
	option name 'syn720'
	option ip '10.11.11.243'
	option mac 'XX:XX:XX:XX:XX:XX'

config host
	option name 'b8a97b8'
	option ip '10.11.13.205'
	option mac 'XX:XX:XX:XX:XX:XX'

config host
	option name 'C100_FD372D'
	option ip '10.11.13.162'
	option mac 'XX:XX:XX:XX:XX:XX'

Firewall

# /etc/config/firewall as posted. Lines starting with '#' are review notes
# only; nothing below is changed. The three items that actually undermine the
# IoT segmentation are marked FIX.
#
# FIX: "option forward 'ACCEPT'" is the policy for forwarded traffic that
# matches no rule and no 'config forwarding'. OpenWrt ships this as REJECT;
# with ACCEPT every zone can reach every other zone, so all of the iot24
# allow-rules below are effectively decorative. Change it to:
#     option forward 'REJECT'
# and re-test each IoT flow - anything that then breaks was only working
# because of this line.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'

# FIX: "list device 'wlan0'" binds a raw kernel interface into the lan zone.
# If wlan0 is the first AP on radio0 - which on this box is the Aiot24 SSID
# (verify with 'iw dev') - the IoT SSID is matched by the lan zone as well as
# by iot24, and lan is listed first. Zones should be bound via 'list network'
# only; delete the 'list device' line.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'wlan0'
	list network 'lan'

# Standard wan zone. NOTE(review): because the 'wan' port is cabled directly
# to the modem (poster's answer #1), this zone and its two DNAT redirects are
# internet-facing without OPNsense in the path.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

# Internet -> NAS VPN, UDP 51194 only. Fine as a port forward; it simply
# should live on OPNsense if that is the router that faces the internet.
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'SYn720VPN'
	list proto 'udp'
	option src 'wan'
	option src_dport '51194'
	option dest_ip '10.11.11.243'

# FIX: "option input 'ACCEPT'" lets IoT clients reach every service on
# OpenWrt itself (ssh, LuCI), which contradicts the poster's answer #4. Use
#     option input 'REJECT'
# - the 'iot24-DNS' and 'iot24-DHCP' rules below already allow what clients
# need from the router. 'forward' here only governs iot24-to-iot24 traffic.
config zone
	option name 'iot24'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'iot24'

# IoT may ping LAN. Could be narrowed with "list icmp_type 'echo-request'".
config rule
	option name 'iot24-ICMP'
	list proto 'icmp'
	option src 'iot24'
	option dest 'lan'
	option target 'ACCEPT'

# IoT -> InfluxDB, TCP 48086, to any LAN host. Adding a 'list dest_ip' for the
# host that actually runs InfluxDB would keep this from covering the whole LAN.
config rule
	option name 'iot24-InfluxDB'
	list proto 'tcp'
	option src 'iot24'
	option dest 'lan'
	option dest_port '48086'
	option target 'ACCEPT'

config rule
	option name 'iot24-NTP'
	list proto 'udp'
	option src 'iot24'
	option dest 'wan'
	option dest_port '123'
	option target 'ACCEPT'

# No 'dest' => these two are INPUT rules (traffic to OpenWrt itself). They are
# what makes the zone's input policy safe to set to REJECT. DNS is UDP only
# here; add "list proto 'tcp'" if clients ever need TCP fallback.
config rule
	option name 'iot24-DNS'
	list proto 'udp'
	option src 'iot24'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'iot24-DHCP'
	list proto 'udp'
	option src 'iot24'
	option dest_port '67'
	option target 'ACCEPT'

# Internet -> Helium miner, TCP+UDP 44158 (no 'proto' given, so both).
# FIX: 'dest' says lan, but 10.11.13.205 is in the iot24 subnet. It should be
#     option dest 'iot24'
# The automatic accept for DNAT'ed traffic is generated for the zone named in
# 'dest', so with the default forward policy corrected to REJECT this forward
# would stop working until the zone is fixed.
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Helium'
	option src 'wan'
	option src_dport '44158'
	option dest_port '44158'
	option dest_ip '10.11.13.205'

# Helium miner may reach the internet on any protocol/port.
config rule
	option src 'iot24'
	list src_ip '10.11.13.205'
	option dest 'wan'
	option target 'ACCEPT'

# NAS -> camera stream, TCP 2020. Only effective if the NAS' traffic for
# 10.11.13.0/24 actually arrives at OpenWrt (see the routing note in
# /etc/config/network).
config rule
	option name 'Syn720ToTaboCam'
	option src 'lan'
	list src_ip '10.11.11.243'
	option target 'ACCEPT'
	option dest 'iot24'
	list dest_ip '10.11.13.162'
	list proto 'tcp'
	option dest_port '2020'

# FIX: despite the name, 10.11.11.1 is OPNsense's LAN address, not OpenWrt's
# (10.11.11.2); with 'proto all' this hands every IoT client full access to
# the upstream firewall's management interface. Poster says it was for
# testing - remove it.
config rule
	option name 'IoT-OWRT'
	option target 'ACCEPT'
	option src 'iot24'
	list dest_ip '10.11.11.1'
	option dest 'lan'
	list proto 'all'

# FIX: unnamed catch-all, iot24 -> lan, all protocols. This alone removes the
# segmentation the network exists for; remove it and rely on the specific
# ICMP / InfluxDB rules above.
config rule
	option src 'iot24'
	option target 'ACCEPT'
	list proto 'all'
	option dest 'lan'

A few important questions before I really look through the config and make recommendations...

  1. How is the OpenWrt router connected to the upstream (OpenSense) router? Is it a lan-wan or lan-lan configuration?

  2. Does the iot24 network originate on the OPNsense router, or is it supposed to be set up on the OpenWrt router? (Another way to look at this: which device is the DHCP server for that network?)

  3. What is the intent of the IoT network with respect to allowances/restrictions (for example, at a coarse level: should the IoT network be able to initiate connections to the main lan? What about main lan initiating connections to the IoT network? Are there more specific/granular controls needed in terms of inter-network connections).

  4. Should the IoT network have the ability to reach all services on the OpenWrt router (including the admin ssh and web interfaces)?

  5. Do you want to have symmetric routing and avoid double-NAT on the IoT network (this requires at least one setting on the OpenSense router must be changed), or do you want to have the OpenWrt router perform NAT for the IoT network?

  6. You have a bunch of firewall rules -- can you describe the purpose of them...

  1. modem -> OPNsense (wan) -> OpenWrt (lan4)
    modem -------------------------> OpenWrt (wan) - I currently do this because Wi-Fi traffic is not going out through the LAN port, only through the WAN port.

  2. Currently the DHCP server for iot24 is OpenWrt, but either is fine; I just did not manage to make it work differently. iot24 is both a network and a Wi-Fi SSID; I use it to separate my IoT devices from my private LAN.

  3. Yes, iot24 should be able to connect to the internet for NTP and to the LAN network on port 48086. There is no need, as of now, for the LAN to initiate connections to iot24.

  4. No

  5. I think there is no need for double NAT. My idea is that OPNsense manages the networks, DHCP, routing and so on, and the OpenWrt box just offers the Wi-Fi connections.

	option name 'SYn720VPN' = allows VPN connections from the internet
	option name 'iot24-ICMP' = allows ping from IoT to LAN
	option name 'iot24-InfluxDB' = allows iot to connect to a database
	option name 'iot24-NTP' = allows iot to connect to a internet time server
	option name 'Helium' = allows one of my devices to be accessible from the internet
	option name 'Syn720ToTaboCam' = web cam can send video stream to NAS
	option name 'IoT-OWRT' =For testing opened everything from iot to LAN

Here's a quick TL;DR with a bunch more detail below:

You have a few options about how you configure this system -- you need to select the one that works the best for you:

  1. Run your OpenWrt device as a dumb AP only, using the OpenSense router to setup the LAN and IoT networks
  2. Run your OpenWrt device as a "dumb AP + IoT network" where the OpenWrt routes the new IoT network (complete with firewall) and sets up a double-NAT configuration for your IoT devices (this requires no changes to the OpenSense configuration).
  3. Same as #2, but avoid the double-NAT and configure a static route on OpenSense.

These options are mutually exclusive, so you should probably start with a decision about how you want your network topology to work. Whichever you pick, the second cable from the modem to the OpenWrt WAN port (your answer to #1) has to go: with it in place, Wi-Fi clients exit to the internet through OpenWrt's own WAN and never traverse the OPNsense firewall, and the two port forwards on OpenWrt are exposed directly to the internet.

My personal recommendation would be to setup the IoT network on your OpenSense router and then use VLANs to connect those to your OpenWrt device (which will operate as a dumb AP) so that you can offer wifi. IMO, one central router (for actual routing) and then dumb APs to provide wifi is cleaner and easier to administer than having several different devices operating as actual routers.

If you decide to go that way, the OpenWrt config becomes quite simple... you just follow the dumb AP guide and then you'll add one more network (as a VLAN, unmanaged) and connect it to an SSID.

On the other hand, if you choose your OpenWrt router to manage the IoT network, you'll be running a configuration more like this dumb AP with Guest Wifi.

Also, if you wish to use your OpenWrt device to manage the IoT network, you can choose to use NAT (double-NAT'ing the IoT network) on the OpenWrt router and having that self-contained vs avoiding an additional NAT layer by configuring a static route on the OpenSense router (which requires configuring both devices).

Hope that helps... let me know what you want to do and we'll work to build that configuration.
