Seperate network for IoT devices

eR2022 · March 9, 2023, 5:32am

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdcb:5521:564a::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        option promisc '0'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.15.1'

config interface 'wan'
        option device 'wan'
        option proto 'pppoe'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option ipv6 '0'
        option username 'user'
        option password 'pass'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option auto '0'

config device
        option name 'wlan2g'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/c000000.wifi'
        option band '5g'
        option htmode 'HE80'
        option country 'IL'
        option cell_density '0'
        option txpower '27'
        option channel '40'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'xxx'
        option hidden '1'
        option encryption 'sae-mixed'
        option key 'xxx'
        option ifname 'wlan5g'
        option macfilter 'deny'
        list maclist 'xxxxxx'
        option ieee80211k '1'
        option time_advertisement '2'
        option time_zone 'IST-2IDT,M3.4.4/26,M10.5.0'
        option bss_transition '1'
        option skip_inactivity_poll '1'
        option disassoc_low_ack '0'
        option wnm_sleep_mode '1'
        option dtim_period '3'
        option mbo '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/c000000.wifi+1'
        option band '2g'
        option country 'IL'
        option cell_density '0'
        option channel '1'
        option htmode 'HE20'
        option txpower '27'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'xxx'
        option encryption 'sae-mixed'
        option key 'xxx'
        option macfilter 'deny'
        option ifname 'wlan2g'
        list maclist 'xxx'
        option skip_inactivity_poll '1'
        option disassoc_low_ack '0'
        option ieee80211k '1'
        option time_advertisement '2'
        option time_zone 'IST-2IDT,M3.4.4/26,M10.5.0'
        option wnm_sleep_mode '1'
        option bss_transition '1'
        option dtim_period '3'
        option mbo '1'

cat /etc/config/dhcp


config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option dhcpv4 'server'
        option leasetime '8h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'AX6-AP'
        option dns '1'
        option mac 'xxxxx'
        option ip '192.168.15.2'

etc etc...

cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'cctv_app'
        option src 'wan'
        option src_dport 'xxxx'
        option dest_ip '192.168.15.3'
        option dest_port 'xxxx'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'cctv_web'
        option src 'wan'
        option src_dport 'xxxx'
        option dest_ip '192.168.15.3'
        option dest_port 'xxxx'

psherman · March 9, 2023, 5:34am

You don't want to use vlan-filtering. You'll be using bridge-vlan.

Follow the DSA tutorial to assign VLANs.

eR2022 · March 9, 2023, 5:35am

Maybe you know if ipq807x (Redmi AX6) SNAPSHOT is supporting DSA?

and is this still relevant?

So in that case...
VLANs 30 and 99 tagged on lan1
VLAN 30 untagged on lan2.

psherman · March 9, 2023, 5:42am

Based on your configuration, I can see that it is using DSA.

Yes. DSA and swconfig are just two different methods of working with VLANs. The idea of tagged and untagged networks on ports is central to the idea of VLANs. To make a silly analogy, it's like phillips head and flathead screwdrivers... the end result/action is the same, the tool details are different based on the hardware it is interfacing with.

eR2022 · March 9, 2023, 5:59am

I did what you said.
And changed br-lan to br-lan.99 , but it's not working.
90 sec passed and changes are reverted..
Maybe should tick "Is Primary VLAN" somewhere ?

slh · March 9, 2023, 6:05am

ipq807x does not use DSA (nor swconfig), the ports are just named similarly, the details are more complicated, but currently the (switchdev) vendor driver does present each port as its own interface, without knowledge of the switch in service,

eR2022 · March 9, 2023, 6:06am

you mean it will not working?

psherman · March 9, 2023, 6:22am

oh... if this is the case, the implementation details I've been recommending would be totally wrong.

How does this platform work with VLANs? What syntax is used?
Is it somethign like lan1.x and lan2.y?
Would it look like:

config device
        option name 'br-iot'
        option type 'bridge'
        list ports 'lan1.30'
        list ports 'lan2'

slh · March 9, 2023, 6:30am

Probably best to treat them as if they were individual network cards (like an x86 box with 4 nics; there is no offloading, no switch awareness, no nothing, just a very basic switchdev driver), so bridging on the software level, VLANs directly on the interface.

psherman · March 9, 2023, 6:37am

Ok. Thanks!

@eR2022 - based on @slh's input, it should work like this:

This example should work to tag VLAN 30 on port 1 and have it untagged on port 2.

And then the other network (lan) would be VLAN 99 tagged on port lan1 like this:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1.99'

eR2022 · March 9, 2023, 6:39am

Could you please explain me how to do that on Luci?

psherman · March 9, 2023, 6:50am

In the devices tab, you’ll create lan1.30 and lan1.99.

The standard be-lan will then need to be edited to include lan1.99 and remove lan1 and lan2.

Then you’ll create a bridge for iot and include lan1.30 and lan2.

eR2022 · March 9, 2023, 6:53am

base device what shoul I choose?

psherman · March 9, 2023, 6:53am

Presumably base device is lan1

eR2022 · March 9, 2023, 7:10am

I just don't know what's going on here
Lets leave lan1.30 for now ..

I created lan1.99
Changed br-lan under devices to lan1.99 and lan3
Save changes and it's not working. 90 sec passed and changes reverted

psherman · March 9, 2023, 7:21am

You need to be connected to the lan3 port when you make the change.

eR2022 · March 9, 2023, 7:22am

I also tick "bring up on empty bridge" and still not working..
Why do I have to be connected to LAN3 ?

psherman · March 9, 2023, 7:25am

Because lan3 will remain untagged. Lan1 will now require a device that is working with vlan99 tagged. If you’re connected to lan1 you will lose connectivity until you setup another vlan aware device to work with vlan99 tagged. In the meantime, openwrt will detect the broken connection and roll back as a safety measure. Connecting to lan3 will fix this issue.

eR2022 · March 9, 2023, 7:27am

Actually I dont have a device to connect to LAN3 ....
Can I move DVR from LAN2 to LAN3 ?

psherman · March 9, 2023, 7:29am

The computer you are using to make the changes should be connected to lan3