OpenWrt LAN setup guidance

Hi

I would like some guidance on what I have set up on my home network: whether it is correct, or whether it can be improved.

Network

My main D-link Openwrt router is 192.168.1.1 and connected to TWO WANs
1st WAN is a cable router 192.168.2.1 - providing 8Mbps
2nd WAN is a 4G router 192.168.3.1 - providing up to 50Mbps

Both WANs have been configured on the main .1 router and work fine. The cable router provides WAN access all the time, and the 4G router provides WAN connectivity whenever I need a boost for the kids etc.

I have 5 routers acting as dumb access points. These have been configured with individual IPs in the range 192.168.1.x and the following settings:

Default GW is 192.168.1.1
Main DNS is 1.1.1.1
Secondary DNS is 8.8.8.8

Wifi on the dumb access points has been set up with Fast Roaming and different channels, so that access points near each other do not clash.

My LAN has a DVR, IP cameras, multiple phones, PC, Laptop, Amazon stick etc

Speedtests always show 6-7 Mbps when the ONLY WAN is the cable router; however, this jumps to between 20 and 40 Mbps when the 4G router becomes active.

Overall system appears to be stable, however, occasionally it slows down and I was wondering if there was any network setting that was incorrect or that could be improved.

We can't provide guidance based on a narrative of your infrastructure.

As a minimum, please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Main Router

 -----------------------------------------------------
 OpenWrt 21.02.1, r16325-88151b8303
 -----------------------------------------------------
root@DIR-2660:~#



NETWORK

# /etc/config/network on the main router (DIR-2660).
# NOTE(review): the login banner above reports OpenWrt 21.02.1; the 21.02
# series is no longer maintained, so plan an upgrade to a supported release.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd88:3fad:58f9::/48'

# LAN bridge over lan2-lan4 only; lan1 is kept out of the bridge and is used
# by 'wanb' below as the second uplink port.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# First uplink (DHCP client). metric '1' is lower than wanb's metric '2'.
# NOTE(review): no multi-WAN policy (e.g. mwan3) appears in the posted files;
# with metrics alone the lower-metric default route is normally the one used,
# so confirm how traffic is actually meant to be split between the uplinks.
config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option metric '1'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

# 802.1Q sub-interface: VLAN 35 on lan1, named 'lan1.35'.
# NOTE(review): nothing in this file references 'lan1.35' (wanb and wanb_6
# use the untagged 'lan1'), so this stanza looks unused - confirm or remove.
config device
        option type '8021q'
        option ifname 'lan1'
        option vid '35'
        option name 'lan1.35'

# Second uplink (DHCP client) on the untagged lan1 port.
config interface 'wanb'
        option proto 'dhcp'
        option metric '2'
        option device 'lan1'

config interface 'wanb_6'
        option proto 'dhcpv6'
        option device 'lan1'
        option reqaddress 'try'
        option reqprefix 'auto'

cat /etc/config/wireless

# /etc/config/wireless on the main router - first part of the paste.
# radio0: hwmode '11g' radio, fixed on channel 1 with 20 MHz width.
config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option cell_density '0'
        option htmode 'HT20'
        option channel '1'

# AP bridged into 'lan'. 'psk2' is WPA2-Personal: every client on this SSID,
# cameras included, shares the one passphrase (redacted here as XXXXXXXX).
# 802.11r fast transition is on, over-the-air (ft_over_ds '0'), in mobility
# domain 4f57 with an explicit nasid.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'HomeTrust-2G'
        option key 'XXXXXXXX'
        option ieee80211r '1'
        option ft_psk_generate_local '1'
        option nasid '16811'
        option mobility_domain '4f57'
        option encryption 'psk2'
        option ft_over_ds '0'

# radio1: hwmode '11a' radio, 40 MHz width.
# NOTE(review): this stanza is cut short in the post; a stray
# "option channel '40'" and the remaining wifi-iface stanzas appear after the
# firewall dump further down the page.
config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11a'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option cell_density '0'
        option htmode 'HT40'

DHCP

 cat /etc/config/dhcp

# /etc/config/dhcp on the main router.
# dnsmasq: rebind_protection '1' discards upstream answers that point into
# private address ranges (DNS-rebinding defence); rebind_localhost '1' still
# lets 127.0.0.0/8 answers through. Queries are forwarded to 1.1.1.1 and
# 8.8.8.8 (plain DNS as far as this file shows).
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list server '1.1.1.1'
        list server '8.8.8.8'

# LAN pool: start 100, limit 150, i.e. 192.168.1.100 - 192.168.1.249.
# DHCPv4, DHCPv6 and router advertisements are all served from this router.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# No DHCP service on the uplink.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Static leases follow (MAC addresses redacted by the poster). Several of the
# reserved addresses (.100, .129, .130, .191, .192) sit inside the dynamic
# pool above; the rest (.11 - .15, .250) are outside it.
# NOTE(review): the cameras and the DVR are on the same 'lan' network as the
# PCs and phones, and the firewall dump shows a single 'lan' zone. Consider
# moving them to their own network/zone so a compromised camera cannot reach
# the rest of the LAN.
config host
        option name 'InternalGFCam'
        option dns '1'
        option mac 'XX:XX:XX:XX:XX:XX'
        option ip '192.168.1.15'
        option leasetime '24h'

config host
        option name 'InternalFFCam'
        option dns '1'
        option mac 'XX:XX:XX:XX:XX:XX'
        option ip '192.168.1.14'
        option leasetime '24h'

config host
        option name 'DVR'
        option dns '1'
        option mac 'XX:XX:XX:XX:XX:XX'
        option ip '192.168.1.100'
        option leasetime '24h'

config host
        option name 'AnranCam'
        option dns '1'
        option mac 'XX:XX:XX:XX:XX:XX'
        option ip '192.168.1.12'
        option leasetime '24h'

config host
        option name 'DahuaIP'
        option dns '1'
        option mac 'XX:XX:XX:XX:XX:XX'
        option ip '192.168.1.11'
        option leasetime '24h'

config host
        option name 'BTComtrend1'
        option dns '1'
        option mac 'XX:XX:XX:XX:XX:XX'
        option ip '192.168.1.191'
        option leasetime '24h'

config host
        option name 'Rear-Wifi-Cam'
        option dns '1'
        option mac 'XX:XX:XX:XX:XX:XX'
        option ip '192.168.1.129'
        option leasetime '24h'

config host
        option name 'FrontGate-Wifi-Cam'
        option dns '1'
        option mac 'XX:XX:XX:XX:XX:XX'
        option ip '192.168.1.130'
        option leasetime '24h'

config host
        option name 'BTComtrend2'
        option dns '1'
        option mac 'XX:XX:XX:XX:XX:XX'
        option ip '192.168.1.192'
        option leasetime '24h'

config host
        option name 'HP-4300'
        option dns '1'
        option mac 'XX:XX:XX:XX:XX:XX'
        option ip '192.168.1.250'
        option leasetime '1d'

FIREWALL

root@DIR-2660:~# cat /etc/config/firewall

# /etc/config/firewall on the main router.
# Defaults cover traffic that matches no zone; every non-loopback interface
# in the posted network file is assigned to 'lan' or 'wan' below.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# Trusted side: the router accepts everything from LAN hosts.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# Both uplinks (and their IPv6 counterparts) share one untrusted zone:
# inbound and forwarded traffic is rejected unless a rule below allows it,
# and outbound traffic is masqueraded.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wanb'
        list network 'wanb_6'

# LAN hosts may initiate connections out through either uplink.
config forwarding
        option src 'lan'
        option dest 'wan'

# The rules from here to 'Support-UDP-Traceroute' look like the stock OpenWrt
# rule set (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec passthrough).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# The next two rules forward inbound ESP and UDP/500 from the uplinks to any
# LAN host. NOTE(review): if no IPsec endpoint lives on the LAN, these can be
# disabled to shrink the inbound surface.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Present but switched off (enabled 'false').
config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

# Custom rules file; its contents were not posted.
config include
        option path '/etc/firewall.user'

# miniupnpd hooks its own rules into the firewall on every reload.
# NOTE(review): UPnP/NAT-PMP lets LAN hosts request inbound port mappings on
# their own. With cameras and a DVR on the LAN, check /etc/config/upnpd (not
# posted) to see whether the service is enabled and how its ACL is set, and
# remove the package if the feature is not needed.
config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'


        # NOTE(review): pasted out of order - this line looks like the tail of
        # the main router's 'radio1' wifi-device stanza shown before the DHCP
        # section, and the stanzas below are the rest of that wireless file.
        option channel '40'

# AP on radio1 bridged into 'lan', WPA2-Personal ('psk2'), key redacted.
# 802.11r is on with ft_over_ds '1', whereas the HomeTrust-2G stanza uses
# ft_over_ds '0' and sets nasid/mobility_domain explicitly.
# NOTE(review): no nasid or mobility_domain is set here, so any defaults
# apply - confirm this band ends up in the intended mobility domain.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option key 'XXXXXXXX'
        option ssid 'HomeTrust-5G'
        option encryption 'psk2'
        option ieee80211r '1'
        option ft_over_ds '1'
        option ft_psk_generate_local '1'

# 802.11s mesh interface on radio0 with SAE encryption; currently switched
# off (disabled '1'), so it has no effect on the running network.
config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'mesh'
        option mesh_id 'Havelli-Mesh'
        option mesh_fwding '1'
        option mesh_rssi_threshold '0'
        option key 'XXXXXXXX'
        option network 'lan'
        option encryption 'sae'
        option disabled '1'


Dumb Access points

 OpenWrt 19.07.8, r11364-ef56c85848
 -----------------------------------------------------
root@BTHH5A-02:~# cat /etc/config/network

# /etc/config/network on dumb access point BTHH5A-02 (192.168.1.2).
# NOTE(review): the banner above reports OpenWrt 19.07.8; the 19.07 series no
# longer receives security updates, so plan an upgrade for the access points.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7b:72fc:0a42::/48'

# DSL hardware stanzas. No 'wan' interface is defined in this file, so these
# are presumably left over from the device defaults and unused on a dumb AP.
config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option annex 'a'
        option tone 'av'
        option ds_snr_offset '0'

# Management/LAN bridge: static 192.168.1.2 with the main router as gateway.
# ip6assign '60' is still set here; combined with the ra/dhcpv6 'server'
# settings in this AP's dhcp file it may let the AP hand out its own IPv6
# prefix on the LAN - see the note in that file.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'
        option macaddr 'XX:XX:XX:XX:XX:XX'
        list dns '1.1.1.1'
        list dns '8.8.8.8'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr 'XX:XX:XX:XX:XX:XX'

config device 'wan_dsl0_dev'
        option name 'dsl0'
        option macaddr 'XX:XX:XX:XX:XX:XX'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1 carries ports 0 1 2 4 plus tagged port 6 and backs eth0.1 (the LAN).
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 4 6t'

# VLAN 2 holds port 5 plus tagged port 6; no interface in this file uses it.
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'

# Guest network local to this AP. It has no wired device; it is attached only
# through the 'Guest Wifi' wifi-iface (network 'Guest') in the wireless file.
# NOTE(review): 192.168.2.1 is also the address the post gives for the cable
# router upstream. Using a subnet that is not in use elsewhere on the network
# avoids ambiguous routing and makes firewall rules easier to reason about.
config interface 'Guest'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.2.1'
        list dns '8.8.8.8'
        list dns '1.1.1.1'



root@BTHH5A-02:~# cat /etc/config/wireless

# /etc/config/wireless on dumb access point BTHH5A-02.
# On this device radio0 is the hwmode '11a' radio (channel 60, 40 MHz) and
# radio1 is the hwmode '11g' radio - the reverse of the main router's naming.
config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:01/0000:01:00.0/0000:02:00.0'
        option htmode 'HT40'
        option channel '60'

# HomeTrust-5G AP bridged into 'lan', WPA2-Personal, 802.11r with
# ft_over_ds '1'.
# NOTE(review): no nasid or mobility_domain is set on this stanza, unlike the
# HomeTrust-2G one below; confirm the defaults give the same mobility domain
# on every AP broadcasting this SSID, otherwise fast roaming will not apply.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ft_over_ds '1'
        option ssid 'HomeTrust-5G'
        option encryption 'psk2'
        option ft_psk_generate_local '1'
        option key 'XXXXXXXX'
        option ieee80211r '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:0e.0'
        option channel '13'
        option htmode 'HT20'

# HomeTrust-2G AP: same SSID and mobility domain (4f57) as the main router,
# with its own nasid (16812) and over-the-air fast transition.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'HomeTrust-2G'
        option encryption 'psk2'
        option ft_psk_generate_local '1'
        option key 'XXXXXXXX'
        option ieee80211r '1'
        option nasid '16812'
        option mobility_domain '4f57'
        option ft_over_ds '0'

# Guest SSID attached to the 'Guest' network, WPA2-Personal, key redacted.
# isolate '1' stops guest clients on this AP from talking to each other; what
# guests can reach beyond the AP is decided by this AP's firewall file.
# It uses a separate mobility domain (4f58) from the HomeTrust SSIDs.
config wifi-iface 'wifinet2'
        option ssid 'Guest Wifi'
        option device 'radio1'
        option mode 'ap'
        option network 'Guest'
        option encryption 'psk2'
        option isolate '1'
        option key 'xxxxxxxx'
        option ft_psk_generate_local '1'
        option nasid '1232'
        option mobility_domain '4f58'
        option ieee80211r '1'
        option ft_over_ds '0'



root@BTHH5A-02:~# cat /etc/config/dhcp

# /etc/config/dhcp on dumb access point BTHH5A-02.
# dnsmasq stays enabled on this AP because it serves the Guest network below.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'

# ignore '1' turns off DHCPv4 on the LAN side, as expected for a dumb AP.
# NOTE(review): dhcpv6 'server' and ra 'server' are still set explicitly.
# odhcpd documents 'ignore' as being overridable by explicit ra/dhcpv6
# settings, so this AP may still send router advertisements and DHCPv6
# replies on the LAN alongside the main router. Verify, and set both to
# 'disabled' (or remove them) on every dumb AP so that only 192.168.1.1
# answers for IPv6.
config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Guest pool served by this AP: start 100, limit 150, i.e.
# 192.168.2.100 - 192.168.2.249 on the AP-local Guest network.
config dhcp 'Guest'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'Guest'



root@BTHH5A-02:~# cat /etc/config/firewall

# /etc/config/firewall on dumb access point BTHH5A-02.
# This AP routes and NATs the Guest network itself; the 'lan' side is bridged.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# masq '1' on the lan zone rewrites guest traffic leaving via 'lan' to the
# AP's own LAN address (192.168.1.2 per the network file), so the main
# router sees every guest client as that one host.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'lan'

# This zone lists no network, so it matches no interface on this AP; the
# src 'wan' rules below are therefore inert here.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Custom rules file; its contents were not posted.
config include
        option path '/etc/firewall.user'

# Guest zone: nothing from guests reaches the AP itself except the DHCP and
# DNS rules below, and forwarding is rejected unless explicitly allowed.
config zone
        option name 'Guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'
        list network 'Guest'

# Guests leave through the 'lan' zone, since this AP has no uplink of its own.
# That makes the DROP rule at the end of this file the only thing separating
# guests from the main LAN.
config forwarding
        option dest 'lan'
        option src 'Guest'

# Let guest clients obtain a lease from this AP.
config rule
        option src 'Guest'
        option name 'Guest DHCP'
        option target 'ACCEPT'
        list proto 'udp'
        option dest_port '67-68'

# Let guest clients query the AP's resolver. No proto is given, so the
# firewall default applies (tcp and udp, as far as I know).
config rule
        option dest_port '53'
        option src 'Guest'
        option name 'Guest DNS'
        option target 'ACCEPT'

# Drops guest traffic addressed to 192.168.1.0/24. Rules are evaluated ahead
# of zone forwardings, so this should win over the Guest -> lan forwarding
# above - verify against the generated ruleset.
# NOTE(review): only 192.168.1.0/24 is blocked. Other private ranges routed
# via 192.168.1.1 stay reachable from the guest SSID, e.g. the 4G router's
# 192.168.3.1 address mentioned in the post. Add those ranges to dest_ip if
# guests should be Internet-only, and make sure the same rules exist on every
# AP that offers the guest SSID.
config rule
        option src 'Guest'
        option name 'Block Guest Access to LAN'
        option dest 'lan'
        list dest_ip '192.168.1.0/24'
        option target 'DROP'
        list proto 'all'




Will you require the same output from the other access points? They should be the same as 1.2.

Appreciate any thoughts, RuralRoots ?