Pi4b - Recommended setup

After my previous post I've bought a Pi4b with 2GB RAM and a 32GB SD card. I was able to set it up browsing this forum and other sources. But since this is my first Pi and also my first OpenWrt install I still have some questions:

  1. There are two available images (ext4 and squashfs). Which one is recommended for a Pi4b ? I certainly intend to install more packages, mainly for IoT, but I'm concerned with SD card degradation
  2. I've seen a post suggesting the f2fs filesystem as a way to extend the SD card's useful life. As f2fs seems not to be included in the base image, how can I set it up afterwards ? In other words, what files should be moved to an f2fs partition, and how ?
  3. Supposing that I install several packages and use f2fs, will it be a nightmare to update OpenWrt to newer versions ?
  4. The Pi4b seems to be oversized (cpu / ram / flash) for a basic OpenWrt install. What other packages are suggested ? Is it a crazy idea to install mosquitto and connect usb dongles (zigbee and/or zwave) with ser2net (I have OpenHab running on a separate NAS where it's not possible to connect such dongles) ?

Thanks in advance.

Don't be too concerned about SD card life, typical lifespan is 10 years.

You can reduce wear on sdcard by using tmpfs for data files you don't need to keep after reboot.


Thanks. I'm currently using the ext4 image, so probably will stick with it. I've expanded rootfs size with GParted, will it remain with upgrade process ?

I've also installed mosquitto and it is working. What I've failed to setup is wireguard, the available info is not easy to follow for a newbie like me.

I am not a specialist on WireGuard, but the manual is very clear. What troubles have you encountered?

The squashfs build makes the runtime writeable partition an f2fs. I recommend that unless you're going to be storing a lot of general data to the card, in which case the ext4 can be readily resized, although you should probably make a third partition for data.

Regarding wireguard I've followed these instructions but I'm not sure what to do next

  1. how to parametrize using Luci
  2. how to parametrize my Windows client. I've tried to follow this but without success.

How far have you got so far? Have you set anything up at all or just installed the required packages?

I've parametrized WG for OpenWRT as follows

And parametrized WG for windows as follows
imagem

WG for OpenWRT does not detect any connection.

Have you opened the wireguard port in the firewall?

That did the trick, thanks. Now I'm able to connect but I can't access any device inside my lan when accessing remotely.

Can you copy the output of the following commands from your router and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

# Diagnostic dump for troubleshooting: the network and firewall UCI config,
# the custom firewall script, then IPv4 addresses, routes from all tables
# and policy-routing rules.
# NOTE: `uci export network` includes the WireGuard `option private_key`
# value (and a preshared key, if one is configured). Redact those as well as
# passwords, MAC addresses and public IP addresses before posting the output.
uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; 

Here it goes

root@OpenWrt:~# uci export network; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru;
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd69:54be:fafd::/48'

config interface 'lan'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '192.168.130.1'
        option netmask '255.255.255.0'
        list dns '192.168.170.1'
        option gateway '192.168.170.1'

config interface 'lan1'
        option ifname 'eth0.1000'
        option proto 'static'
        option ipaddr '192.168.131.1'
        option netmask '255.255.255.0'
        option gateway '192.168.170.1'
        option force_link '0'
        list dns '192.168.170.1'
        list dns '8.8.8.8'

config interface 'lan3'
        option ifname 'eth0.3000'
        option proto 'static'
        option ipaddr '192.168.129.1'
        option netmask '255.255.255.0'
        option gateway '192.168.170.1'
        option force_link '0'
        list dns '192.168.170.1'
        list dns '8.8.8.8'
        option delegate '0'

config interface 'wan'
        option proto 'static'
        option ifname 'eth1'
        option ipaddr '192.168.170.2'
        option netmask '255.255.255.0'
        option gateway '192.168.170.1'

config interface 'wg0'
        option proto 'wireguard'
        option delegate '0'
        option private_key 'xxxx'
        option listen_port '44767'
        list addresses '192.168.9.1/32'

config wireguard_wg0
        option description 'laptop-hugo'
        option public_key 'xxxx'
        list allowed_ips '192.168.9.2/32'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan lan1 lan3 wg0'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option name 'Plex'
        list proto 'tcp'
        option src 'wan'
        option src_dport '17171'
        option dest 'lan'
        option dest_ip '192.168.130.210'
        option dest_port '32400'

config redirect
        option target 'DNAT'
        option name 'OpenVPN'
        list proto 'udp'
        option src 'wan'
        option src_dport '8194'
        option dest 'lan'
        option dest_ip '192.168.130.210'
        option dest_port '1194'

config redirect
        option target 'DNAT'
        option name 'WireGuard'
        list proto 'udp'
        option src 'wan'
        option src_dport '44767'
        option dest 'lan'
        option dest_ip '192.168.130.1'
        option dest_port '44767'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.130.1/24 brd 192.168.130.255 scope global eth0
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.170.2/24 brd 192.168.170.255 scope global eth1
       valid_lft forever preferred_lft forever
5: eth0.1000@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.131.1/24 brd 192.168.131.255 scope global eth0.1000
       valid_lft forever preferred_lft forever
6: eth0.3000@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.129.1/24 brd 192.168.129.255 scope global eth0.3000
       valid_lft forever preferred_lft forever
7: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 192.168.9.1/32 brd 255.255.255.255 scope global wg0
       valid_lft forever preferred_lft forever
default via 192.168.170.1 dev eth1 proto static
192.168.129.0/24 dev eth0.3000 proto kernel scope link src 192.168.129.1
192.168.130.0/24 dev eth0 proto kernel scope link src 192.168.130.1
192.168.131.0/24 dev eth0.1000 proto kernel scope link src 192.168.131.1
192.168.170.0/24 dev eth1 proto kernel scope link src 192.168.170.2
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.9.1 dev wg0 table local proto kernel scope host src 192.168.9.1
broadcast 192.168.129.0 dev eth0.3000 table local proto kernel scope link src 192.168.129.1
local 192.168.129.1 dev eth0.3000 table local proto kernel scope host src 192.168.129.1
broadcast 192.168.129.255 dev eth0.3000 table local proto kernel scope link src 192.168.129.1
broadcast 192.168.130.0 dev eth0 table local proto kernel scope link src 192.168.130.1
local 192.168.130.1 dev eth0 table local proto kernel scope host src 192.168.130.1
broadcast 192.168.130.255 dev eth0 table local proto kernel scope link src 192.168.130.1
broadcast 192.168.131.0 dev eth0.1000 table local proto kernel scope link src 192.168.131.1
local 192.168.131.1 dev eth0.1000 table local proto kernel scope host src 192.168.131.1
broadcast 192.168.131.255 dev eth0.1000 table local proto kernel scope link src 192.168.131.1
broadcast 192.168.170.0 dev eth1 table local proto kernel scope link src 192.168.170.2
local 192.168.170.2 dev eth1 table local proto kernel scope host src 192.168.170.2
broadcast 192.168.170.255 dev eth1 table local proto kernel scope link src 192.168.170.2
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
root@OpenWrt:~#

Change `list addresses '192.168.9.1/32'` in the wg0 interface to `list addresses '192.168.9.1/24'`, then restart the interface.

If the openwrt router isn't your default gateway then you'll need to add a static route on the gateway to send traffic for 192.168.9.0/24 to the openwrt router.

This allowed me to ping 192.168.9.1 but not other IPs in the lan.

How do I do that ? I have two routers:

  1. The ISP one, to which the TV box and my home router are connected. DMZ is active for the home router
  2. The home router (RasPi 4b with OpenWRT) where WG is running

This is a scheme of my network (routers have radios disabled):

Thanks

What's the output of the following commands now you've made that change?

# Diagnostic dump for troubleshooting: the network, dhcp and firewall UCI
# config, then IPv4 addresses, routes from all tables and policy-routing rules.
# NOTE: the network export includes the WireGuard `option private_key` value
# and the dhcp export lists static-lease MAC addresses and host names.
# Redact keys, MAC addresses, passwords and public IP addresses before posting.
uci export network; uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; 

Here is:

root@OpenWrt:~# uci export network; uci export dhcp; uci export firewall; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru;
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd69:54be:fafd::/48'

config interface 'lan'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '192.168.130.1'
        option netmask '255.255.255.0'
        list dns '192.168.170.1'
        option gateway '192.168.170.1'

config interface 'lan1'
        option ifname 'eth0.1000'
        option proto 'static'
        option ipaddr '192.168.131.1'
        option netmask '255.255.255.0'
        option gateway '192.168.170.1'
        option force_link '0'
        list dns '192.168.170.1'
        list dns '8.8.8.8'

config interface 'lan3'
        option ifname 'eth0.3000'
        option proto 'static'
        option ipaddr '192.168.129.1'
        option netmask '255.255.255.0'
        option gateway '192.168.170.1'
        option force_link '0'
        list dns '192.168.170.1'
        list dns '8.8.8.8'
        option delegate '0'

config interface 'wan'
        option proto 'static'
        option ifname 'eth1'
        option ipaddr '192.168.170.2'
        option netmask '255.255.255.0'
        option gateway '192.168.170.1'

config interface 'wg0'
        option proto 'wireguard'
        option delegate '0'
        option private_key 'xxxx'
        option listen_port '44767'
        list addresses '192.168.9.1/24'

config wireguard_wg0
        option description 'laptop-hugo'
        option public_key 'xxxx'
        list allowed_ips '192.168.9.2/32'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option start '1'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'lan3'
        option interface 'lan3'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option start '1'
        option ra_management '1'

config host
        option name 'Lareira-Sala'
        option dns '1'
        option mac 'xxxx'
        option ip '192.168.129.10'

config host
        option name 'TPLink-Sala'
        option dns '1'
        option mac 'xxxx'
        option ip '192.168.129.20'

config host
        option name 'TPLink-Suite'
        option dns '1'
        option mac 'xxxx'
        option ip '192.168.129.21'

config host
        option name 'Daikin-Cozinha'
        option dns '1'
        option mac 'xxxx'
        option ip '192.168.129.50'

config host
        option name 'Daikin-Sala'
        option dns '1'
        option mac 'xxxx'
        option ip '192.168.129.51'

config host
        option name 'Shelly-Quintal'
        option dns '1'
        option mac 'xxxx'
        option ip '192.168.129.80'

config host
        option name 'Shelly-Sollius'
        option dns '1'
        option mac 'xxxx'
        option ip '192.168.129.81'

config host
        option name 'Daikin-Suite'
        option dns '1'
        option mac 'xxxx'
        option ip '192.168.129.52'

config host
        option dns '1'
        option mac 'xxxx'
        option ip '192.168.129.100'
        option name 'Sonoff-Quintal'

config dhcp 'lan1'
        option interface 'lan1'
        option limit '150'
        option leasetime '12h'
        option start '1'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan lan1 lan3 wg0'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option name 'Plex'
        list proto 'tcp'
        option src 'wan'
        option src_dport '17171'
        option dest 'lan'
        option dest_ip '192.168.130.210'
        option dest_port '32400'

config redirect
        option target 'DNAT'
        option name 'OpenVPN'
        list proto 'udp'
        option src 'wan'
        option src_dport '8194'
        option dest 'lan'
        option dest_ip '192.168.130.210'
        option dest_port '1194'

config redirect
        option target 'DNAT'
        option name 'WireGuard'
        list proto 'udp'
        option src 'wan'
        option src_dport '44767'
        option dest 'lan'
        option dest_ip '192.168.130.1'
        option dest_port '44767'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.130.1/24 brd 192.168.130.255 scope global eth0
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.170.2/24 brd 192.168.170.255 scope global eth1
       valid_lft forever preferred_lft forever
5: eth0.1000@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.131.1/24 brd 192.168.131.255 scope global eth0.1000
       valid_lft forever preferred_lft forever
6: eth0.3000@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.129.1/24 brd 192.168.129.255 scope global eth0.3000
       valid_lft forever preferred_lft forever
7: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 192.168.9.1/24 brd 192.168.9.255 scope global wg0
       valid_lft forever preferred_lft forever
default via 192.168.170.1 dev eth1 proto static
192.168.9.0/24 dev wg0 proto kernel scope link src 192.168.9.1
192.168.129.0/24 dev eth0.3000 proto kernel scope link src 192.168.129.1
192.168.130.0/24 dev eth0 proto kernel scope link src 192.168.130.1
192.168.131.0/24 dev eth0.1000 proto kernel scope link src 192.168.131.1
192.168.170.0/24 dev eth1 proto kernel scope link src 192.168.170.2
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.9.0 dev wg0 table local proto kernel scope link src 192.168.9.1
local 192.168.9.1 dev wg0 table local proto kernel scope host src 192.168.9.1
broadcast 192.168.9.255 dev wg0 table local proto kernel scope link src 192.168.9.1
broadcast 192.168.129.0 dev eth0.3000 table local proto kernel scope link src 192.168.129.1
local 192.168.129.1 dev eth0.3000 table local proto kernel scope host src 192.168.129.1
broadcast 192.168.129.255 dev eth0.3000 table local proto kernel scope link src 192.168.129.1
broadcast 192.168.130.0 dev eth0 table local proto kernel scope link src 192.168.130.1
local 192.168.130.1 dev eth0 table local proto kernel scope host src 192.168.130.1
broadcast 192.168.130.255 dev eth0 table local proto kernel scope link src 192.168.130.1
broadcast 192.168.131.0 dev eth0.1000 table local proto kernel scope link src 192.168.131.1
local 192.168.131.1 dev eth0.1000 table local proto kernel scope host src 192.168.131.1
broadcast 192.168.131.255 dev eth0.1000 table local proto kernel scope link src 192.168.131.1
broadcast 192.168.170.0 dev eth1 table local proto kernel scope link src 192.168.170.2
local 192.168.170.2 dev eth1 table local proto kernel scope host src 192.168.170.2
broadcast 192.168.170.255 dev eth1 table local proto kernel scope link src 192.168.170.2
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
root@OpenWrt:~#

I've studied the firewall documentation and implemented new fw rules that solved the remote access problem, and also provided lan isolation.
