Only been using OpenWRT for a week, but had a lot of fun learning. Thanks to all developers.
I am setting up firewall zones for my wifi with LuCI. I have noticed that when I name a firewall zone with a number at the start (eg. "2Ghz" or "5Ghz") my devices in that zone lose connection to the wifi. Just changing the firewall zone name to put the number at the end (eg. "Ghz2" or "Ghz5") seems to work fine.
I have also noticed that if I edit /etc/config/firewall directly to put the number at the start of the wifi name in the relevant places, the connection works fine. So my guess is that numbers at the start of the firewall name might not be accepted by LuCI for some reason. (EDIT: Ignore this paragraph, I forgot to reload the firewall after text editing)
I'm new at this so I could be doing something wrong.
I have tested with 24.10.4 and the SNAPSHOT from today. I am using an OpenWrt One. Please let me know if you need more information.
Each rule has 2 names, both optional, one for config section one for display.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:
Below is the output of a simple config where everything is working. I have named the wifi firewall zone "working1". I will post the non-working config in a separate post.
root@OpenWrt:~# ubus call system board;cat /etc/config/network;cat /etc/config/wireless;cat /etc/config/dhcp;cat /etc/config/firewall
{
"kernel": "6.12.59",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 4",
"model": "OpenWrt One",
"board_name": "openwrt,one",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "SNAPSHOT",
"firmware_url": "https://downloads.openwrt.org/",
"revision": "r32151-f614322d28",
"target": "mediatek/filogic",
"description": "OpenWrt SNAPSHOT r32151-f614322d28",
"builddate": "1764446919"
}
}
config interface 'loopback'
option device 'lo'
option proto 'static'
list ipaddr '127.0.0.1/8'
config globals 'globals'
option dhcp_default_duid '[redacted]'
option ula_prefix '[redacted]::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
list ipaddr '192.168.1.1/24'
option ip6assign '60'
config interface 'wan'
option device 'eth0.2'
option proto 'pppoe'
option username '[redacted]'
option password '[redacted]'
option ipv6 'auto'
option norelease '1'
config interface 'wan6'
option device 'eth0'
option proto 'dhcpv6'
config device
option type '8021q'
option ifname 'eth0'
option vid '2'
option name 'eth0.2'
config interface '2Ghz'
option proto 'static'
option device 'phy0-ap0'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/18000000.wifi'
option band '2g'
option channel 'auto'
option htmode 'HE20'
option num_global_macaddr '7'
option cell_density '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network '2Ghz'
option mode 'ap'
option ssid '[redacted]'
option encryption 'sae-mixed'
option key '[redacted]'
option ocv '0'
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/soc/18000000.wifi+1'
option band '5g'
option channel '36'
option htmode 'HE80'
option num_global_macaddr '7'
option disabled '1'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/odhcpd.leases'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
option piofolder '/tmp/odhcpd-piofolder'
option hostsdir '/tmp/hosts'
config dhcp '2Ghz'
option interface '2Ghz'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'working1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network '2Ghz'
config forwarding
option src 'working1'
option dest 'wan'
config rule
option src 'working1'
option name '2Ghz DHCP'
list proto 'udp'
option dest_port '67'
option target 'ACCEPT'
config rule
option src 'working1'
option name '2GHz DNS'
option dest_port '53'
option target 'ACCEPT'
I will test "numbers" issue a bit later, you put them everywhere, got to figure which is real ;-}
It is not typical to split network by wifi bands, normally you set up subnets as bridges and vlans and join identically named APs from all bands to respective zone
Yeah, it was even worse when I also named the wifi firewall zone "2Ghz".
I just found it easier to keep the 2Ghz band for some things and the 5Ghz band for others so I set them up separately. I needed some special firewall rules for only one band. It works fine, so long as I don't start the name of a wifi firewall zone with a number.
I left out the country code because it wasn't critical. I didn't enable the 5Ghz band in the configs I posted.
I will test this evening CET, no additional input required from you.
... one should not be able to enter broken config via luci (even you coud make broken uci config files with text editor)
Thanks. I have noticed in some other fields that LuCI gives a warning of an invalid entry, but it seemed happy to accept a firewall zone name starting with a number.
