Router: Linksys WRT1900ACS
OpenWrt LEDE 17.01.5
NOTE: In the above the 2NET radio is a dedicated point-to-point link to 1NET and provides absolutely no wireless AP access to 2NET in this scenario.
BACKGROUND
After running into some erroneous code in OpenWrt documentation (now resolved, see Routed Client Doc Erroneous?) and other problems with fuzzy documentation elsewhere, I gave up trying to set up a Routed Client via the SSH command line and went back to trying to "fake it" using LuCI.
Everything was stripped down to "bare bones" using one radio (2.4GHz) as a point-to-point link and deleting every interface except for a static LAN configuration. After joining and establishing a client WWAN, suddenly everything was working (and I really do not know why... yet).
The two big questions I have are these --
- Is this set up a Routed Client? If yes, what flavor?
- Everyone can see everyone on each LAN. How should I modify the default firewall settings (which I did not touch) so that ...
2a) No host on either the 1NET or the 2NET can see each other
2b) The 2NET has access to 1NET's Internet connection
2c) Lastly (to be implemented later), allow one host on 1NET and one host on 2NET to communicate for sharing files.
I have provided the pertinent configuration files that resulted from my LuCI setup and was hoping that some knowledgeable person might look them over and give me some answers and tips, especially on simplifying the config files (for instance, I have no need for anything IPv6) and on how to handle the firewall settings.
I don't really expect any definitive answers as this is a lot to ask. Nevertheless I am posting it anyway.
Pertinent Configs --
root@LEDE:~# cat /etc/config/network
# /etc/config/network as produced through LuCI for the post's "bare bones"
# setup: one static LAN plus a wireless client uplink, all other interfaces
# deleted.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# IPv6 ULA prefix. The post states IPv6 is not needed; this option and the
# 'ip6assign' on 'lan' below are the only IPv6-specific settings in this file.
config globals 'globals'
option ula_prefix 'fd99:bda3:95c5::/48'
# Downstream LAN: eth0 bridged, static 192.168.2.1/24. Presumably the "2NET"
# side described in the post — confirm against the hosts actually attached.
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.2.1'
# Switch VLANs: vlan 1 on ports 0 1 2 3 5, vlan 2 on ports 4 6. No interface in
# this file references vlan 2 (the post says the original wan interface was
# deleted). Which port numbers are CPU ports is not stated here — check the
# device's switch layout before editing these.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6'
# Upstream link: static 192.168.1.2/24, gateway 192.168.1.1 (presumably the
# 1NET router), DNS pointed at two external resolvers rather than 1NET's.
# There is no 'ifname' here; the radio is attached to this interface by
# 'option network wwan' in /etc/config/wireless. The '_orig_*' options appear
# to be LuCI bookkeeping left over from editing.
# NOTE(review): which firewall zone 'wwan' belongs to is decided by the zone
# sections of /etc/config/firewall, which are not shown on this page; that
# assignment is what questions 2a/2b hinge on — confirm it there.
config interface 'wwan'
option _orig_ifname 'wlan1'
option _orig_bridge 'false'
option proto 'static'
option ipaddr '192.168.1.2'
option netmask '255.255.255.0'
option gateway '192.168.1.1'
option dns '209.244.0.3 209.244.0.4'
root@LEDE:~# cat /etc/config/wireless
# /etc/config/wireless. Only one station (client) interface is defined and no
# AP-mode wifi-iface exists, which matches the NOTE that 2NET gets no wireless
# access in this scenario.
# 5 GHz radio, kept disabled ('disabled 1'); channel/htmode are inert while off.
config wifi-device 'radio0'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'soc/soc:pcie-controller/pci0000:00/0000:00:01.0/0000:01:00.0'
option htmode 'VHT80'
option disabled '1'
option country 'US'
# 2.4 GHz radio, enabled on channel 6 / HT20; this is the point-to-point link
# radio referred to in the post.
config wifi-device 'radio1'
option type 'mac80211'
option hwmode '11g'
option path 'soc/soc:pcie-controller/pci0000:00/0000:00:02.0/0000:02:00.0'
option htmode 'HT20'
option country 'US'
option disabled '0'
option channel '6'
# Client ('sta') interface on radio1 joining SSID '1NET', attached to the
# 'wwan' interface from /etc/config/network. 'bssid' pins association to one
# specific AP rather than any AP broadcasting the SSID. 'psk2+ccmp' is
# WPA2-PSK with CCMP only (no TKIP). The bssid and key values shown are
# placeholders substituted by the poster; the real values are not on the page.
config wifi-iface
option network 'wwan'
option ssid '1NET'
option device 'radio1'
option mode 'sta'
option bssid 'aMACaddress'
option encryption 'psk2+ccmp'
option key 'obscuredbyclouds'
# Firewall rules, presumably the tail of /etc/config/firewall (no 'cat' header
# precedes this listing on the page). The post says these defaults were not
# touched. The 'defaults', 'zone' and 'forwarding' sections — which decide
# whether traffic is forwarded between 'lan' and the uplink and onward to the
# Internet, i.e. questions 2a/2b — are not part of what is shown here.
# Every rule below uses 'src wan', the zone named 'wan'; whether the 'wwan'
# interface is a member of that zone is set in the unshown zone section.
# Accept selected ICMPv6 types addressed to the router itself from zone 'wan'
# (no 'dest' → input rule), rate-limited to 1000/sec. IPv6-only ('family ipv6').
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Same ICMPv6 allowance for traffic forwarded through the router to any zone
# ('dest *'), with the neighbour/router discovery types omitted. Both ICMPv6
# rules are IPv6-only and are the IPv6-specific entries the post asks about.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Accept IPsec ESP forwarded from zone 'wan' into zone 'lan'.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
# Accept IKE/ISAKMP (UDP 500) forwarded from zone 'wan' into zone 'lan'.
# NOTE(review): this rule and Allow-IPSec-ESP above admit inbound traffic from
# 'wan' into 'lan'. Nothing in the configs shown runs an IPsec endpoint on
# 'lan', so both are candidates for removal when simplifying — confirm nothing
# relies on them first.
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Additional rules are loaded from /etc/firewall.user; its contents are not
# shown on this page.
config include
option path '/etc/firewall.user'