I have an interface called "GUEST" (br-guest) I created for the guest wireless. It is set up on its own IP range and in its own firewall zone. Can I simply go into the "Switch" tab and set up port 4 to use this interface?
I'm not quite clear on the settings needed to use for my newly created VLAN 3 or if this is even possible.
You wouldn't change anything on VLANs 1 and 2, as they are configured properly. You are working with VLAN 3.
I'm not sure what you mean by:
You need a VLAN specified in interfaces setup including its IP range, etc. If you deleted that, you'll have to add it again. Regarding the Switch settings, I only mentioned tagging the CPU:
Add VLAN 3 to CPU/eth1 as “Tagged”
Change VLAN 1 on CPU/eth1 to “Tagged”
Remove VLAN 1 from LAN 4 by changing it to “Off”
Add VLAN 3 to LAN 4 by changing it from “Off” to “Untagged”
Sorry... I thought you were suggesting something about the default state of mine vs. yours.... I re-added VLAN3 and made the changes you proposed as summarized in the screenshot below. Upon hitting "save and apply," a yellow box came up stating: Interface "lan" device auto-migrated from "eth1" to "eth1.1".
I went into Network>interfaces>GUEST>Edit>Physical Settings and checked "Switch VLAN: eth1.3". Then booted a machine (dhcp) connected directly to port 4 but it did not receive an IP in the range defined in my guestzone. How do we associate VLAN3 with the guestzone interface?
VLAN 3 appears to be properly set up on the Router and Switch...You should be able to test at this point by statically assigning an IP and attempting to reach the router. But let's work on the DHCP for your VLAN 3...
Did you enable DHCP server and specify how many hosts should receive dynamic IPs (size of the DHCP pool)?
First, you go to INTERFACES > then click on your Guest-LAN
Under the Common Configuration section, you should see DHCP.
Be sure to specify the beginning IP to be issued and how many IPs to hand out (e.g. place "2" and a limit of "10" to make a dynamic pool of xxx.xxx.xxx.2 - xxx.xxx.xxx.11). The lease time should have a default of 12h.
Lastly, check the "Dynamic DHCP" button on the advanced tab.
Also, make sure that your router accepts inbound DHCP Request traffic from the Guest Firewall Zone, as the issue could be your DCHP request packets are being dropped or rejected.
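The switch steps above (VLAN 3 tagged on the CPU, VLAN 1 changed to tagged on the CPU, VLAN 3 untagged on LAN 4) and the DHCP settings in this reply, written out as the UCI sections they correspond to. This is an added example, not configuration from anyone in the thread: the switch port numbers (0 for the CPU/eth1, 4 for the jack labelled 4) are assumed and are board-specific (this thread found them reversed), the guest address 172.17.1.1/24 is assumed from the 172.17.1.0/24 range mentioned later, and the interface section is named 'guest' so that OpenWrt/LEDE creates br-guest.

```uci
# /etc/config/network  (added example; port numbers are assumed, read yours off the Switch tab)
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1: the existing LAN ports stay untagged, but the CPU port becomes
# tagged ("0t") so eth1 can carry several VLANs. This is why LuCI reports
# 'Interface "lan" device auto-migrated from "eth1" to "eth1.1"'.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 0t'

# VLAN 3: only the port wired to jack 4 (assumed switch port 4), untagged,
# plus the CPU port tagged. Jack 4 is removed from VLAN 1 above.
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '4 0t'

config interface 'lan'
	option ifname 'eth1.1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '10.9.8.1'
	option netmask '255.255.255.0'

# Section name 'guest' gives the bridge its br-guest name; the wireless
# guest SSID attaches to the same bridge, so wired jack 4 and guest Wi-Fi share one subnet.
config interface 'guest'
	option ifname 'eth1.3'
	option type 'bridge'
	option proto 'static'
	option ipaddr '172.17.1.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp  (start 2 + limit 10 = pool 172.17.1.2 - 172.17.1.11)
config dhcp 'guest'
	option interface 'guest'
	option start '2'
	option limit '10'
	option leasetime '12h'
	option dynamicdhcp '1'

# /etc/config/firewall  (the zone, plus the inbound DHCP rule this reply asks for)
config zone
	option name 'guestzone'
	option network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# DHCP requests arrive as UDP to the router's port 67; with input=REJECT
# on the zone they are dropped unless explicitly allowed, which is the
# "DHCP request packets are being dropped or rejected" symptom.
config rule
	option name 'Allow-DHCP-guestzone'
	option src 'guestzone'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'
```

After writing these sections, `/etc/init.d/network restart` and `/etc/init.d/firewall restart` apply them; `swconfig dev switch0 show` then lists the VLAN membership of each port, which is the quickest way to confirm which switch port number your jack 4 really is.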
I browsed to the hardware page but didn't see anything about mapping. I then did an experiment: I plugged a cable into port 1 and watched the icon in Network>Switch. I saw "no link" over 1, 2, and 3 and "1000baseT full-duplex" over 4. After walking the cable down the other ports I determined that they are mapped precisely backwards.
SO... I left the device to be wired-connected to Physical 4 and adjusted Network>Switch as shown below and it did indeed get a correct IP address in the subnet I wanted it to!
Now I have been trying and failing to create a firewall rule to allow the ssh traffic on port 49999 from any host on LAN to a specific host in the guestzone.
Here is the summary rule that does not work (I get ssh: connect to host odroid64 port 49999: Connection refused when I try):
Note - I know odroid64 is accepting ssh on port 49999 because I can ssh into the LEDE router and from there successfully connect via:
ssh -p 49999 user@odroid64
Halting the firewall on the router (/etc/init.d/firewall stop) allows the connection to work, so it has to be something I set up incorrectly. Thanks for your insights and continued patience with me.
EDIT2: This is scary... it seems as though LAN and WAN are also mis-mapped. If I attempt to ssh to my external IP address using the above rule, I actually connect just fine.
ssh -p 49999 myuser@mydomain.com
Last login: Thu Oct 19 18:16:42 2017 from ...
myuser@odroid64 ~ %
First...does device 172.17.1.200 have port tcp/22 open or port tcp/49999 for SSH?
You don't connect to the router as no Network Address Translation is needed...both devices are known to the system, it can route it...that brings me to this...
You appear to have made a Port Forward, instead of a Traffic Rule
Your Traffic Rule should read: "IPv4-tcp From any host in lan to IP 172.17.1.200 at port 22 in guestzone" (use 49999 only if you configured that SSH server to use that port instead of 22)
Yes! I misunderstood your suggestion for a port forwarding setup and in fact I needed a traffic rule. That solved the problem for me:
Thanks again for your help... I would have never figured out the switch settings without it
If I wanted to make it more generic so I could connect to any number of machines in the guestzone, would I just define the IP in the guestzone as 172.17.1.0/24 or is there a more proper way?
Well...are you testing this from the INTERNET or from inside your LAN???
If you're testing from the LAN, that's why the rule works when you switch it (meaning, you also need a local firewall rule if they are in 2 different zones)
You have to test the HTTPS connection from the correct zone (the Internet)
If both client and server are on the same LAN, use the Public IP address, and make sure you enabled "Enable NAT Loopback"
Testing between LANs may be a little more complex, you may have to configure NAT re-directs (which place the packet in the other LAN, then routes it) or a port forward, allowing the router to NAT (this is what you configured)
If you want to make it generic, remove 172.17.1.200 and change it to ANY or 172.17.1.0/24
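The distinction drawn in these two replies (a Port Forward versus a Traffic Rule, and the generic 172.17.1.0/24 form), shown as the UCI firewall sections involved. This is an added example, not the poster's actual configuration: the first section is what a port forward created from the LuCI "Port Forwards" tab amounts to, assuming its source zone was wan, which matches the report that ssh to the public address worked while lan to guestzone did not.

```uci
# /etc/config/firewall  (added example; the redirect is a reconstruction of the failed attempt)

# A Port Forward is a 'redirect' section: it DNATs traffic that enters the
# router from the wan zone to 172.17.1.200. It never matches a lan client,
# because lan -> guestzone traffic is routed, not NATed, and arrives from
# the lan zone. Keep it only if SSH from the Internet is actually wanted.
config redirect
	option name 'odroid64-ssh-from-wan'
	option src 'wan'
	option src_dport '49999'
	option dest 'guestzone'
	option dest_ip '172.17.1.200'
	option dest_port '49999'
	option proto 'tcp'
	option target 'DNAT'

# A Traffic Rule is a 'rule' section with both src and dest zones. This is
# the "IPv4-tcp From any host in lan to IP 172.17.1.200 at port 49999 in
# guestzone" rule; it punches one hole in guestzone's forward=REJECT policy.
# Use dest_port 22 if the SSH server listens on the default port.
config rule
	option name 'lan-to-odroid64-ssh'
	option src 'lan'
	option dest 'guestzone'
	option dest_ip '172.17.1.200'
	option dest_port '49999'
	option proto 'tcp'
	option family 'ipv4'
	option target 'ACCEPT'

# The generic form: any host in the guest subnet (omit dest_ip entirely for ANY).
# Replies flow back without a guestzone -> lan rule because the default
# firewall accepts established/related connections; guest hosts still
# cannot open new connections into lan, which is the point of the separate zone.
config rule
	option name 'lan-to-guestzone-ssh'
	option src 'lan'
	option dest 'guestzone'
	option dest_ip '172.17.1.0/24'
	option dest_port '49999'
	option proto 'tcp'
	option family 'ipv4'
	option target 'ACCEPT'
```

Stopping the firewall with /etc/init.d/firewall stop flushes every chain, which is why the connection succeeded then: it proved the route and the SSH service were fine and that only the zone policy was blocking. The NAT loopback option mentioned in this reply belongs on the redirect (option reflection '1'), not on the rule; it only matters when a lan client deliberately connects to the public address.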
No, as they're not mis-mapped. That's why I mentioned the reversed ports (and to use 2 and 3 for configuration). Ports tend to be identified by LEDE in reverse-order from the instructions provided by the router's OEM (this is because the OEM can configure their firmware and molded plastic casing to make the ports appear in ascending-counting order from Left-to-Right of the consumer's view). Some devices even have a phantom 6th port (for fiber SFPs or other PHYs to be added to the board, that causes more confusion).
If you have access to the Wiki, you may want to contribute that information, though.
...I just noticed a behavior change now that we have the subnet configured. With the out-of-the-box LEDE setup, if I ran the following nmap command on a device connected to the lan (not guestzone), the IP addresses would also return hostnames. Currently, the hostnames are omitted. Any thoughts?
% sudo nmap -sn 10.9.8.0/24 -oG -
# Nmap 7.60 scan initiated Sat Oct 21 09:53:40 2017 as: nmap -sn -oG - 10.9.8.0/24
Host: 10.9.8.1 () Status: Up
Host: 10.9.8.103 () Status: Up
Host: 10.9.8.124 () Status: Up
Host: 10.9.8.131 () Status: Up
# Nmap done at Sat Oct 21 09:53:42 2017 -- 256 IP addresses (4 hosts up) scanned in 1.79 seconds
-n (No DNS resolution) .
Tells Nmap to never do reverse DNS resolution on the active IP addresses it finds. Since DNS can be slow even with Nmap's built-in parallel stub resolver, this option can slash scanning times.
I changed the original lan from 192.168.1.0 to 10.9.8.0. The option for nmap isn't actually -n it's -sn (Ping Scan - disable port scan) ... if you run the corresponding nmap stanza on your network, do you get hostnames?