This is a network emergency, I think. I built a new OpenWRT network (latest version) with 5 VLANs, set it up so that VLAN10 was considered secure and VLAN20-50 insecure. Set up zones so that VLAN10 had access to all other VLANS but the other VLANs had no access to VLAN10. Then built traffic rules so that VLAN20-50 had internet and DHCP access.
All works as planned, but when I did a port scan with the Gibson website it told me port 80 was open. I went to an outside connected laptop and typed my public IP in a web browser, to my HORROR it loaded LuCl! I have no idea how I am exposing my OpenWRT router, which is on the LAN, to the WAN. Please look at the zones and see if a problem is evident!
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have
ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
I have absolutely NO idea how that happened, but even with my limited skills I can see that it's wrong. I tried to remove WAN from the LAN zone in LuCl, but it refused--every time I removed the check from WAN in the LAN zone "covered networks" and saved, it came back again. Finally I edited the zone directly in /etc/config/firewall and made it look like this:
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan’
Restarted the firewall /etc/init.d/firewall restart and all was well--no more exposure on port 80 on the internet! After reloading the webpage for LuCl the zone config was correct there also, maybe this is a small bug in LuCl??
