Openwrt x86 and existing UNIFI infrastructure

Hi all,
thanks for the effort you put into supporting users, and sorry in advance for my bad English!

My current home network infrastructure is based on Unifi ATM.
I own a USG, a USW-48POE and two U6-Lite APs. The Unifi Network application is installed on an Ubuntu Server VM running on my Proxmox server.
My network connection is FTTH 1000/300 Mbps with PPPoE.

My connection is pretty stable, and I can reach full speed in DL/UL, but I'm affected by bufferbloat!
If I enable SQM on my Unifi USG my download drops to 50 Mbps.
This is the reason why I've chosen to migrate to OpenWrt on x86 hardware: to test whether I can keep the speed with SQM on!

I've successfully installed OpenWrt on a Futro S920 with two Gbit NICs.
I've successfully configured WAN via PPPoE and VLAN tagging, and tested my connection with OpenWrt and SQM. The results obtained are pretty impressive: I can reach 850/250 Mbps!

So i decided to switch to openWRT for my gateway.

Now I would like to understand how to replicate my network configuration in OpenWrt, keeping the switch and APs from Unifi.

This is my current network configuration:

NETWORK:

  • DEFAULT, vlan id1 10.10.2.1/24 dhcp range 10.10.2.51-10.10.2.71 (for network devices: APs, switch and USG live here!);
  • SURVEY, vlan id11 10.10.11.1/24 dhcp range 10.10.11.150-10.10.11.160 (for security cameras);
  • CLIENT, vlan id101 10.10.101.1/24 dhcp range 10.10.101.150-10.10.101.200 (for wired/wireless clients);
  • GUEST, vlan id200 10.10.200.1/24 dhcp range 10.10.200.150-10.10.180.200 (for wired/wireless guest clients);
  • SERVER, vlan id10 10.10.10.1/24 dhcp range 10.10.10.150-10.10.10.160 (for physical/virtual servers);
  • VPN, vlan id250 10.10.250.1/24 dhcp range 10.10.250.150-10.10.250.160 (for VPN clients).

The two APs expose 2 SSIDs: one for guest and one for client (networks above).
Most hosts are static DHCP entries. The primary DNS for my WAN and all the networks is a self-hosted AdGuard.

I've several NAT rules and services exposed over the internet.

My goal is to switch between the USG and OpenWrt x86 while maintaining my config.
Is this possible without flashing OpenWrt on the APs as well?
Can I continue to manage the switch and the APs with the Unifi Network application?
From what I see in the OpenWrt LuCI interface I cannot set the DHCP for every network; I have to do it through /etc/config/dhcp, right?

What is the best way to migrate to OpenWrt x86?

Thanks in advance!

What you want to do is absolutely possible, and shouldn’t be that difficult. The process of configuring OpenWrt is considerably different than Unifi, but you’ll get the hang of it pretty quickly.

I’d recommend starting by configuring your main network (default; in the OpenWrt default config, this will be lan). To get it running as the equivalent of your Unifi setup, you’ll start by changing the IP address of the lan network, then adjusting the DHCP server (start = 51, limit = 21; start is the starting value — an offset from the base network address, limit is the size of the pool). This network will be untagged on the Ethernet port (probably eth0).

Next, create the guest network. I’d follow the guest wifi guide for this, applying the address/subnet that you want instead of what’s in the guide (and the DHCP server range accordingly). Instead of creating the wifi network, though, you’ll simply create the network interface and use device eth0.200 (assuming eth0 is the physical port associated with the lan side of your network). You can follow the guide in creating the firewall zone and rules. When you’re done, you’ll have tagged VLAN 200 on the Ethernet port and you should be good to go with the guest network.

Use that general recipe for the remaining networks, adjusting of course for eth0.x where x is the VLAN ID and obviously also the address and DHCP range. On the firewall, there are lots of ways to configure based on the desired goals — you can allow or deny access to the internet, between network, and so on — as broad or as granular as you would like. We can help you with that if you need.

You’ll continue to manage your Unifi hardware (i.e. the APs and the switch) using the Unifi Network Application wherever you have that hosted now (cloudkey, some other server, etc.).

And yes, you can continue to use your AdGuard DNS — you’ll probably want to set your system DNS to the AG address as well as advertise DHCP option 6 with that address to your DHCP client machines. Remember that your firewall will need to have rule(s) allowing the devices to connect to the AdGuard host (assuming you don’t allow open routing between all your networks).

If you would like us to review your config, we can easily do that here based on the text configuration files.

Remember to start small — build one network at a time and test to prove it is working. This will help you spot mistakes before you repeat it multiple times.

When you’re ready for us to review your progress (suggested after you add your guest network), post the following configs and we’ll take a look:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Really, thanks for your answer psherman!
Yes, I'll start step by step!

Just one other question: must the uplink between OWRT and the Unifi switch be a tagged one?
On my current setup I have the uplink port on the switch set as default VLAN (10.10.2.0/24), and traffic from all the other tagged VLANs is allowed.
Here is a screenshot of the port settings:

On the OWRT side I suppose I have to create the various tagged VLANs (eth0.10, eth0.101, and so on) and in br-lan allow the routing of the tagged VLANs via the br-lan interface; is that correct?
Sorry, but ATM I have the OWRT powered off, so I may get the names of the interfaces/settings wrong!
Thanks again for your support; I'll post my setup as soon as I have the time to dedicate to my home network infrastructure!
Have a nice day!

Following the 802.1q standard, you may have an untagged network on a trunk port. So if you want to have an untagged network, it will simply be eth0. The tagged networks will be eth0.x where x is the VLAN ID.

No, each interface will use option device ‘eth0.x’. Do not put all the VLANs into the same bridge — bridging the VLANs defeats the purpose of the VLANs to begin with.

Leave br-lan as it is and use that for the ‘default’ lan (untagged). Then with the new interfaces, setup with devices eth0.x accordingly.

Hi @psherman,
I found some time to work on OpenWrt!
I wrongly configured the VLANs on the br-lan interface instead of the eth0 interface, so I deleted br-lan from the config and started working with the two physical interfaces: eth1 (FTTH internet) and eth0 (LAN).

This is what I've done for now; I attach the network, dhcp and firewall config!

network:

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd77:521f:e0cf::/48'

config interface 'lan'
	option device 'eth0'
	option proto 'static'
	option ipaddr '10.10.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '10.10.100.123'
	list dns '1.1.1.1'

config interface 'wan'
	option proto 'pppoe'
	option username 'username'
	option password 'password'
	option service 'wan.835'
	option ipv6 'auto'
	option device 'eth1.835'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '835'
	option name 'eth1.835'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '10'
	option name 'eth0.10'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '11'
	option name 'eth0.11'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '101'
	option name 'eth0.101'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '200'
	option name 'eth0.200'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '250'
	option name 'eth0.250'
	option ipv6 '0'

root@OpenWrt:~# 

dhcp:

root@OpenWrt:~# cat /etc/config/dhcp 

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

root@OpenWrt:~# 

firewall:

root@OpenWrt:~# cat /etc/config/firewall 

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

root@OpenWrt:~# 

Now I have a few questions:

  1. I suppose I have to recreate the br-lan interface, right? Do I have to create just a bridge device with eth0 as a member, or do I have to specify some other information?

  2. I still don't understand how to set the IP address, DHCP pool, etc. for every VLAN I've created.

  3. As I can see, the interface 'lan' (eth0) has no VLAN, but in my previous network configuration this network 10.10.2.0/24 had a VLAN (vid 2) and was used for the network devices. I don't understand how to recreate this scenario!
    To make it simple: in my past config all my networks were VLANs.

Thanks in advance for your reply!!
S.

You can delete all the 802.1q stanzas. These will be created implicitly by using eth0.x or eth1.x dotted notation.

You can delete the option service 'wan.835' line from below. And usually, there is a separate wan6 interface, so the ipv6 stuff doesn't normally belong here:

No, you don't need it if you're only using a single physical interface (i.e. one ethernet port, no wifi) for your lan.

create additional network stanzas... I'll show you based on this network definition:

config interface 'survey'
	option device 'eth0.11'
	option proto 'static'
	option ipaddr '10.10.11.1'
	option netmask '255.255.255.0'

Then, you add (to the dhcp file) a dhcp server:

config dhcp 'survey'
	option interface 'survey'
	option start '150'
	option limit '11'
	option leasetime '12h'
	option dhcpv4 'server'

And you'll need to add the network to a firewall zone. For now, we'll just put it in the lan zone, but this can be changed, of course, to allow for whatever level of isolation you need:

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'survey'

You'll use dotted notation. If the VLAN was actually untagged from your previous router, you'll just use option device 'eth0' but if you want it tagged, it will be option device 'eth0.2'.

Hi @psherman, thanks again for your time!
Now I have my OpenWrt x86 box, so I can create the necessary config files (no WAN is attached to the router ATM because I'm not at home).

You mean that I have to delete the "option type '8021q'" line from every config device of each single VLAN?

So, as I understand it, I have to define the VLAN as a device and as an interface attached to that device, right?
So for the eth0.11 example my config will be like this:

config device
  	option ifname 'eth0'
  	option vid '11'
  	option name 'eth0.11'
  	option ipv6 '0'

config interface 'survey'
    	option device 'eth0.11'
    	option proto 'static'
    	option ipaddr '10.10.11.1'
    	option netmask '255.255.255.0'

After that I have to create a config dhcp for every VLAN, and a firewall zone too, like in your example.

Can I define DNS in dhcp, or will the DNS defined in the general config be applied to every VLAN? (I've AdGuard Home as internal DNS and 1.1.1.1 as secondary DNS server, and I use them for every VLAN.)

Sorry, I don't understand :sweat_smile:

As I wrote in my first post, my current network infrastructure is based on Unifi devices (GW, SW and 2 APs). I want to replace my GW with OpenWrt x86.
I assume that, when I define the 2 VLANs used for wifi (client eth0.101 and guest eth0.200), wireless should work as usual with the 2 SSIDs defined (each pointing to the corresponding VLAN).
But I don't understand whether the LAN interface linking the OpenWrt box and the Unifi switch has the correct configuration right now!

The WAN interface was configured via GUI (835 is the VLAN used by my ISP for PPPoE auth). I've tested the WAN with this config and it works. Is the option service for this interface useless, and can it be deleted from the config?

Thanks again for your help!
Now I'm starting to configure the device and interface for my VLANs via CLI, hoping that this time it will be correct! :joy:

Hi @psherman,
I've configured my networks, dhcp (with some static IPs) and firewall (basic configuration).
Here are the config files:

network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd77:521f:e0cf::/48'

config interface 'lan'
	option device 'eth0'
	option proto 'static'
	option ipaddr '10.10.2.1'
	option netmask '255.255.255.0'
	option ipv6 '0'
	list dns '10.10.100.111'
	list dns '1.1.1.1'

config interface 'wan'
	option proto 'pppoe'
	option username 'username'
	option password 'password'
	option service 'wan.835'
	option ipv6 'auto'
	option device 'eth1.835'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '835'
	option name 'eth1.835'
	option ipv6 '0'

config device
  option ifname 'eth0'
  option vid '10'
  option name 'eth0.10'
  option ipv6 '0'

config interface 'server'
  option device 'eth0.10'
  option proto 'static'
  option ipaddr '10.10.10.1'
  option netmask '255.255.255.0'

config device
  option ifname 'eth0'
  option vid '11'
  option name 'eth0.11'
  option ipv6 '0'

config interface 'survey'
    option device 'eth0.11'
    option proto 'static'
    option ipaddr '10.10.11.1'
    option netmask '255.255.255.0'

config device
  option ifname 'eth0'
  option vid '101'
  option name 'eth0.101'
  option ipv6 '0'

config interface 'client'
  option device 'eth0.101'
  option proto 'static'
  option ipaddr '10.10.101.1'
  option netmask '255.255.255.0'

config device
  option ifname 'eth0'
  option vid '200'
  option name 'eth0.200'
  option ipv6 '0'

config interface 'guest'
  option device 'eth0.200'
  option proto 'static'
  option ipaddr '10.10.200.1'
  option netmask '255.255.255.0'

config device
  option ifname 'eth0'
  option vid '250'
  option name 'eth0.250'
  option ipv6 '0'

config interface 'vpn'
  option device 'eth0.250'
  option proto 'static'
  option ipaddr '10.10.250.1'
  option netmask '255.255.255.0'

dhcp:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'server'
	option interface 'server'
	option start '150'
	option limit '11'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'survey'
	option interface 'survey'
	option start '150'
	option limit '11'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'client'
	option interface 'client'
	option start '150'
	option limit '51'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'guest'
	option interface 'guest'
	option start '150'
	option limit '51'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'vpn'
	option interface 'vpn'
	option start '150'
	option limit '11'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'nexus7HA'
	list mac 'd8:50:e6:91:38:68'
	option ip '10.10.101.169'

config host
	option name 'Yeelight-GERSIO'
	list mac '5c:e5:0c:a2:29:ac'
	option ip '10.10.101.168'

config host
	option name 'Yeelight-LU'
	list mac '5c:e5:0c:a2:34:53'
	option ip '10.10.101.165'

config host
	option name 'Heos-WiFi'
	list mac '00:05:cd:6c:d9:ce'
	option ip '10.10.101.200'

config host
	option name 'SmartPlug-Cuccia-Berta'
	list mac '50:02:91:1e:ad:0c'
	option ip '10.10.101.156'

config host
	option name 'BroadLink-RM4pro'
	list mac 'EC:0B:AE:EE:04:97'
	option ip '10.10.101.191'

config host
	option name 'Megatron'
	list mac '24:18:c6:13:b6:9d'
	option ip '10.10.101.155'

config host
	option name 'NEBULA'
	list mac '00:08:9b:8d:80:fe'
	option ip '10.10.10.50'

config host
	option name 'OledTV-Living'
	list mac '80:c7:55:fd:75:96'
	option ip '10.10.101.150'

config host
	option name 'haori-letto'
	list mac 'fc:dd:55:f6:2a:11'
	option ip '10.10.101.163'

config host
	option name 'haori-living'
	list mac 'fc:dd:55:f5:d4:78'
	option ip '10.10.101.164'

config host
	option name 'haori-studio'
	list mac 'fc:dd:55:fc:e2:07'
	option ip '10.10.101.162'

config host
	option name 'CAMesterno-Studio'
	list mac '74:ac:b9:01:c3:87'
	option ip '10.10.11.10'

config host
	option name 'CAMstudio'
	list mac 'd0:21:f9:96:f7:9f'
	option ip '10.10.11.12'

config host
	option name 'CAMsoggiorno'
	list mac '80:2a:a8:cc:c3:f6'
	option ip '10.10.11.14'

config host
	option name 'VM-domuHA'
	list mac '06:2d:4b:77:e2:04'
	option ip '10.10.10.100'

config host
	option name 'TV-studio'
	list mac '54:2A:A2:20:40:10'
	option ip '10.10.101.188'

config host
	option name 'erebo'
	list mac '14:7d:da:a2:8c:af'
	option ip '10.10.101.160'

config host
	option name 'XBOX'
	list mac 'cc:60:c8:38:25:19'
	option ip '10.10.101.178'

config host
	option name 'MiFan2S'
	list mac '54:48:e6:e0:36:ac'
	option ip '10.10.101.180'

config host
	option name 'AsciugatriceCandy'
	list mac 'c4:dd:57:40:aa:9c'
	option ip '10.10.101.167'

config host
	option name 'NSpanePro-ingresso'
	list mac '10:bb:f3:70:1e:6e'
	option ip '10.10.101.166'

firewall:

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'server'
	list network 'survey'
	list network 'client'
	list network 'guest'
	list network 'vpn'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

I've still not tested it at home, because first I want to replicate some firewall rules (masquerade and port forward) that I use in my environment!
Can you please help me replicate my rules from Ubiquiti to OpenWrt with an example?

This is a masquerade that I've configured in Ubiquiti:

iptables -t nat -A POSTROUTING -s 10.10.10.100 -d 10.10.101.0/24 -j MASQUERADE

And this is an example of port forwarding that I use right now:

This is the corresponding rule in iptables:

Chain WAN_IN (2 references)
target     prot opt source               destination

RETURN     udp  --  anywhere             XBOX                 /* WAN_IN-3009 */ udp dpt:3544

The other firewall rule that I use and need to replicate is a permit for tcp/udp 53 from guest (10.10.200.0/24) to my internal DNS (10.10.10.111),
and a deny of traffic (after the DNS query) from guest to the other internal networks:

I hope you can help me with these settings so I can replicate them for my other needs!

Thanks in advance!!

The DNS entries on the lan are not necessary -- they don't actually affect the DNS for the hosts on that network.

You can remove all of these 802.1q type device declarations. They're not necessary since the 802.1q devices are generated implicitly as a function of the use of the dotted notation (i.e. eth0.100):

With all of your networks in the lan zone, things should "just work" in terms of general connectivity.

However, don't be alarmed when you can freely route between networks -- there will be no restrictions based on this current configuration. That's fine and actually a good thing for getting started since all the networks will work. However, if/when you want to treat the networks differently in terms of inter-vlan routing and/or internet access and the like, you'll probably want to setup other zones.

This will be a basic port forward rule. It'll look something like this:

config redirect
	option enabled '1'
	option target 'DNAT'
	option src_dport '3544'
	option dest_port '3544'
	option name 'xbox3554'
	option proto 'udp'
	option src 'wan'
	option dest 'lan'
	option dest_ip '10.10.101.178'

Currently there won't be any restriction because everything is in the same zone with forwarding set to accept. But yes, when you shift things around, you'll need this -- it's a basic traffic rule to allow, and typically anything not explicitly allowed in some way will be rejected.

Hi @psherman,
thanks again for your reply!

Sorry... I feel so stupid, but I don't understand what you mean!
Do I have to delete the 'config device' stanzas and keep only the 'config interface' part for the VLANs?

Yes, ATM the only isolation I need to apply is the isolation of the guest network, as I said in my previous post!

Thanks, I'll replicate this rule for my other devices/ports!

How can I obtain this isolation? Can you please give me an example so I can understand how to apply future network restrictions?

And for this masquerade, what will be the config to apply?

Thanks again for your support!!

Just delete the stanzas that look like this:

Yes, but let's make sure everything works in general before we add any restrictions. We don't want to add additional variables to the initial set of functionality.

Masquerading is enabled on the wan zone (by default), so your masquerading will be applied without any additional work.

OK, understood! Done!

This makes sense! You're right, these settings can be applied later when we are sure that everything works!

So I can just append that iptables line in /etc/network/firewall and it will work? So OpenWrt 'understands' iptables entries?

Again, thanks for your support; in the next days I'll test this config at home and let you know!

Hi @psherman,
I want to say thank you again and again!
Yesterday I tried my OpenWrt x86 at home, and everything works flawlessly!
I've tested all my networks from inside and outside and everything seems OK!

The next steps are to isolate the guest network from all the other networks (except udp 53 from 10.10.250.0/24 to 10.10.10.111 for DNS requests) and to apply the masquerade that I previously used!

Now I'm switching back to the Unifi gateway until I finish my config, to finally switch to OpenWrt!!

Again, huge thanks!

Hope you can assist me with the last steps; after that I have to install and configure WireGuard and I'm ready to go!!

Awesome! Great to hear!

So for this:

  • remove the guest network from the lan firewall zone
  • create a new firewall zone for the guest network, and obviously make sure the guest network is covered by this new zone.
    • the zone will have output = accept, and then both input and forward set to reject.
    • Add a zone forward from guest > wan.
    • Add a rule to accept traffic from the guest zone on udp port 67 (this is for DHCP).
    • add a rule to accept tcp+udp port 53 from the guest zone with destination zone lan zone and destination address 10.10.10.111 (this is for DNS).
    • Add DHCP option 6 to the DHCP server for the guest network.

Then restart the router and test from the guest zone. If your DNS at 10.10.10.111 is a pihole, make sure you adjust the pihole configuration to accept all origins, otherwise it will reject the dns traffic.

with your support the switch off was easy!

done!

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'Allow-guest-DHCP-Request'
	option src 'lan'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-guest-internal-DNS-Request'
	option src 'guest'
	option dest 'lan'
	option proto 'udp'
	option proto 'tcp'
	option dest_ip '10.10.10.111'
	option dest_port '53'
	option target 'ACCEPT'
	option family 'ipv4'

config dhcp 'guest'
	option interface 'guest'
	option start '150'
	option limit '51'
	option leasetime '12h'
	option dhcpv4 'server'
	list 'dhcp_option' '6,10.10.10.111'

Is this right? (I can't test ATM because I'm not at home; I just wrote the config for now!)

My DNS is an AdGuard Home local machine (in the future I think I'll integrate it into OpenWrt x86)!

Once again, thank you!!!

Everything looks good except for one rule...

In the above, remove the two option proto lines. When omitted, it will default to TCP+UDP.
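As an added example that is not part of this thread and not OpenWrt's own code, here is a small Python checker for the UCI-style stanzas posted above. It serves two points made earlier: psherman's explanation that a DHCP `start` is an offset from the network base and `limit` is the pool size (the function expands each `config dhcp` into the concrete range it will lease, and refuses a pool that runs into the broadcast address), and the review of the guest-isolation rules just above (the linter flags a DHCP rule whose `src` is `lan` rather than `guest`, and a rule carrying two `option proto` lines, since UCI keeps only the last one). The sample stanzas are constructed by trimming the configs posted in the thread; the function names and the simplified parser are mine and are not UCI's own API.

```python
# Added example (not from the thread or OpenWrt): check UCI-style stanzas.
# dhcp_pools() expands 'config dhcp' start/limit into the leased range;
# lint_guest_rules() reports the two defects found in the posted guest rules.
import ipaddress
import re

# Constructed sample, trimmed from the stanzas posted in the thread.
NETWORK_CFG = """config interface 'lan'
    option ipaddr '10.10.2.1'
    option netmask '255.255.255.0'
config interface 'guest'
    option device 'eth0.200'
    option ipaddr '10.10.200.1'
    option netmask '255.255.255.0'
"""
DHCP_CFG = """config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
config dhcp 'guest'
    option interface 'guest'
    option start '150'
    option limit '51'
    list dhcp_option '6,10.10.10.111'
"""
FIREWALL_CFG = """config zone
    option name 'guest'
    option input 'REJECT'
    option forward 'REJECT'
    list network 'guest'
config rule
    option name 'Allow-guest-DHCP-Request'
    option src 'lan'
    option proto 'udp'
    option dest_port '67'
    option target 'ACCEPT'
config rule
    option name 'Allow-guest-internal-DNS-Request'
    option src 'guest'
    option dest 'lan'
    option proto 'udp'
    option proto 'tcp'
    option dest_ip '10.10.10.111'
    option dest_port '53'
    option target 'ACCEPT'
"""
TOKEN = re.compile(r"""'[^']*'|"[^"]*"|\S+""")

def parse_uci(text):
    """Return [(type, name, options)], options = key -> list of values.
    Repeated keys are kept (real UCI keeps only the last) so they can be flagged."""
    stanzas = []
    for raw in text.splitlines():
        parts = [t.strip("'\"") for t in TOKEN.findall(raw.strip())]
        if not parts:
            continue
        if parts[0] == "config":
            stanzas.append((parts[1], parts[2] if len(parts) > 2 else None, {}))
        elif parts[0] in ("option", "list") and stanzas and len(parts) >= 3:
            stanzas[-1][2].setdefault(parts[1], []).append(parts[2])
    return stanzas

def dhcp_pools(network_cfg, dhcp_cfg):
    """Map each dhcp section name to the (first, last) address it can lease:
    start is an offset from the network base address, limit the pool size."""
    ifaces = {n: o for t, n, o in parse_uci(network_cfg) if t == "interface"}
    pools = {}
    for t, name, o in parse_uci(dhcp_cfg):
        if t != "dhcp" or "start" not in o:
            continue
        iface = ifaces[o["interface"][0]]
        net = ipaddress.ip_interface(
            f"{iface['ipaddr'][0]}/{iface['netmask'][0]}").network
        first = net.network_address + int(o["start"][0])
        last = first + int(o["limit"][0]) - 1
        if last >= net.broadcast_address:  # pool must stay below broadcast
            raise ValueError(f"{name}: pool {first}-{last} overruns {net}")
        pools[name] = (str(first), str(last))
    return pools

def lint_guest_rules(firewall_cfg, dns_ip):
    """Return findings for the guest zone and its DHCP/DNS accept rules."""
    findings, dns_rule_ok = [], False
    for t, _, o in parse_uci(firewall_cfg):
        if t == "zone" and o.get("name") == ["guest"] and (
                o.get("input") != ["REJECT"] or o.get("forward") != ["REJECT"]):
            findings.append("guest zone: input and forward should be REJECT")
        if t != "rule":
            continue
        rname = o.get("name", ["<unnamed>"])[0]
        if len(o.get("proto", [])) > 1:  # UCI would keep only the last proto
            findings.append(f"{rname}: two 'option proto' lines, omit proto for tcp+udp")
        if o.get("dest_port") == ["67"] and o.get("src") != ["guest"]:
            findings.append(f"{rname}: DHCP rule src is {o.get('src')}, expected ['guest']")
        if (o.get("src") == ["guest"] and o.get("dest") == ["lan"]
                and o.get("dest_ip") == [dns_ip] and o.get("dest_port") == ["53"]
                and o.get("target") == ["ACCEPT"]):
            dns_rule_ok = True
    if not dns_rule_ok:
        findings.append(f"no ACCEPT rule guest -> lan port 53 to {dns_ip}")
    return findings
```

Run against the sample, `dhcp_pools()` reports lan leasing 10.10.2.100-10.10.2.249 and guest 10.10.200.150-10.10.200.200, and `lint_guest_rules()` returns exactly the two findings psherman raised; once the DHCP rule's `src` is changed to `guest` and both `proto` lines are dropped it returns an empty list. The parser deliberately keeps duplicate keys, which is what makes the double `proto` detectable before `uci` silently collapses it.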

Hi @psherman,
I found the time to test the last config and it works like a charm! I just had to edit it a bit (changing the source of the traffic from lan to guest!)

config rule
        option name 'Allow-guest-DHCP-Request'
        option src 'guest'
        option proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'
        option family 'ipv4'

Now I'm using OpenWrt x86 as my router!!
I've also configured the WireGuard tunnel on it and it works!

The only rule I still need to implement is this masquerade:

iptables -t nat -A POSTROUTING -s 10.10.10.100 -d 10.10.101.0/24 -j MASQUERADE

Can you please help me translate it to the OpenWrt standard firewall?

Once again, thanks for your effort!

Hi @psherman,
I've implemented the masquerade and it works; I think this config is correct:

config nat
        option name 'test_masquerade'
        list proto 'all'
        option src 'lan'
        option src_ip '10.10.10.100'
        option dest_ip '10.10.101.0/24'
        option target 'MASQUERADE'