Hello, everyone
First, thank you for this great router software and community.
I really appreciate it.
I installed OpenWrt on a Raspberry Pi 4 and it replaced the Fios router.
It has been working great!
I have a question, though, regarding Samba.
I configured Samba to be bound to certain interfaces (in my case lo, br-lan, eth1.1), but I can still access the Samba share from other interfaces (in my case eth1.107, the network for IoT).
There is no forward rule between interface eth1.1 and eth1.107 in /etc/config/firewall, and computers on eth1.107 could not reach computers on eth1.1.
The only exception seems to be the Samba service hosted on the router.
Here is the snippet of the smb.conf:
[global]
....
interfaces = lo eth1.1
....
bind interfaces only = yes
Here is the output from smbstatus:
# smbstatus
Samba version 4.13.8
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
...
...
3547 xxxxxx nogroup 192.168.107.xxx (ipv4:192.168.107.xxx:52756) SMB3_11 - partial(AES-128-CMAC)
Service pid Machine Connected at Encryption Signing
---------------------------------------------------------------------------------------------
IPC$ 3547 192.168.107.xxx Sat Jun 26 18:12:09 2021 EDT - -
xxxxxx 3547 192.168.107.xxx Sat Jun 26 18:12:09 2021 EDT - -
Please let me know what I set up incorrectly.
Appreciate your help on this.
It's better to limit the access using the firewall. If the iot firewall zone has accept in INPUT, then it will be able to access any service running on the router, on any address the router might have. Therefore, use reject on INPUT for the iot zone and allow only what is necessary, like DNS and DHCP.
So, it seems that my issue is actually a firewall issue.
I know I have option input ACCEPT on the interface 192.168.107. However, there is no forwarding rule between 192.168.1 and 192.168.107.
Not sure how traffic through 192.168.107 is connected to 192.168.1.
Quite confused now.
Any help would be appreciated.
Forward policy applies to interfaces of the same zone.
Forwarding policy applies to traffic between zones.
Any traffic destined to the OpenWrt router is regulated by the input policy of the zone.
I hope this clears things up.
Sorry, let me clarify. So, eth1.1 (192.168.1.xxx) and eth1.107 (191.168.107.xxx) belong to different firewall zones and there is no forwarding policy between them.
So, I expected computers on 192.168.107 wouldn't be able to connect to services bound to eth1.1 (192.168.1.xxx).
I think you have a typo there, as both are 192.168.1.X.
However, you get the point. No forwarding means 192.168.1.x hosts cannot reach 192.168.107.x hosts and vice versa. If you have INPUT policy as accept, then the lan host can reach the OpenWrt router on any IP, 192.168.1.1 or 192.168.107.1.
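
The advice in the replies above, written out as an /etc/config/firewall fragment. This is an added example, not a configuration posted by anyone in the thread; the zone and network name 'iot', the rule names and the zone's forward value are assumptions.

```uci
# /etc/config/firewall (fragment). Names below are assumed, adjust to your setup.

# Before: input ACCEPT on the IoT zone. Traffic addressed to the router itself
# is handled by the zone's input policy, not by forwarding, so IoT hosts can
# reach any service on the router (Samba included) on any router address.
#config zone
#	option name 'iot'
#	list network 'iot'
#	option input 'ACCEPT'
#	option output 'ACCEPT'
#	option forward 'REJECT'

# After: input REJECT, then allow only what IoT clients need from the router.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# DNS queries from IoT clients to the router
config rule
	option name 'Allow-IoT-DNS'
	option src 'iot'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

# DHCP requests from IoT clients to the router
config rule
	option name 'Allow-IoT-DHCP'
	option src 'iot'
	option dest_port '67'
	option proto 'udp'
	option target 'ACCEPT'

# No rule for TCP 445/139 from 'iot', so SMB connections to 192.168.1.1 or
# 192.168.107.1 arriving from the IoT network are rejected at input.
```

Apply the change with `/etc/init.d/firewall reload`, then confirm with smbstatus that no 192.168.107.x client appears.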