Setting up management VLAN

Hi all, I tried following this thread (Management VLAN firewall zone not working) but couldn't get the VLAN for management to work on my end. I skipped step #10 because I assumed the trunking was for multiple routers/switches that the OP had.

The network interface is given the static IP but I can't connect to it when I try to set the switch to the management VLAN (I've chosen 981 for this purpose). The management IP right now is 192.168.1.11 and I want it to be 192.168.4.1 (as well as the management IP for my dumb AP to be 192.168.4.2).

mgmt

config interface 'Management'
        option proto 'static'
        option device 'eth0.981'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.11'
        option netmask '255.255.255.0'
        option ip6assign '60'

Here are the firewall zones

And the corresponding rules I tried adding (do I need to add a rule for DHCP because I have input as REJECT?)

config rule
        option name 'Admin-VLAN-DNS'
        option src 'Management'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Admin-VLAN-Access'
        option src 'lan'
        list src_ip '192.168.1.218'
        option dest 'Management'
        option target 'ACCEPT'
        list proto 'all'

Here's what the switch is currently set up as

[screenshot: Screenshot 2024-09-05 181201, switch port/VLAN configuration]

I tried setting the PVID for Port 1 & 2 to 981 but lost connection to everything. Plugging my PC into Port 7 doesn't seem to do anything. My router is connected to Port 1 & Dumb AP to 2.

Any help would be appreciated as I'm not well versed in networking.

Taking a step back:

  • Where else does your management network (VLAN 981) exist and what other devices will be part of this management network?
  • Do you have this network present on your main router?
  • Does this network need a DHCP server?
  • Does this network need to be routed for internet access or to be able to access other networks?
  • Does this network need to be accessed by other networks?
  • Can you provide a network topology diagram so we can see how things are connected?

  • It will be on the main router and the dumb AP; it will be managing the router, AP, smart switch (might add another one later on but not sure yet), and later on a NAS
  • Yes, the network is present on my main router
  • No, because I want them to have static addresses that I set
  • No, I want it to be local only
  • This I'm not sure on at the moment

Thanks for the clarity.

Let's see the complete output of the following:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

ubus call system board (router)

	"kernel": "5.15.150",
        "hostname": "Lenovo",
        "system": "Intel(R) Core(TM) i5-6500T CPU @ 2.50GHz",
        "model": "LENOVO 10MUS17L00",
        "board_name": "lenovo-10mus17l00",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "x86/64",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"

cat /etc/config/network (router)

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'x'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.11'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '9.9.9.9'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '2620:fe::fe'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'
        list dns '2620:fe::9'

config interface 'IoT'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option device 'eth0.754'

config interface 'Management'
        option proto 'static'
        option device 'eth0.981'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'

cat /etc/config/firewall (router)

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'IoT'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IoT'

config forwarding
        option src 'IoT'
        option dest 'wan'

config rule
        option name 'Allow-IoT-DNS'
        option src 'IoT'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow-IoT-DHCP'
        list proto 'udp'
        option src 'IoT'
        option dest_port '67 68'
        option target 'ACCEPT'

config redirect
        option target 'DNAT'
        option name 'Intercept-DNS'
        option family 'any'
        option src 'lan'
        option src_dport '53'
        option enabled '0'

config redirect
        option target 'DNAT'
        option name 'Intercept-DNS-IoT'
        option family 'any'
        option src 'IoT'
        option src_dport '53'
        option dest 'lan'
        option dest_port '53'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Divert-DNS, port 53'
        option src 'lan'
        option src_dport '53'
        option dest_port '53'

config zone
        option name 'Management'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Management'

config forwarding
        option src 'Management'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'Management'

config rule
        option name 'Admin-VLAN-DNS'
        option src 'Management'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Admin-VLAN-Access'
        option src 'lan'
        list src_ip '192.168.1.218'
        option dest 'Management'
        option target 'ACCEPT'
        list proto 'all'

ubus call system board (AP)

"kernel": "5.15.137",
        "hostname": "AC1750v5",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link Archer C7 v5",
        "board_name": "tplink,archer-c7-v5",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "ath79/generic",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"

network (AP)

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'x'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.12'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.11'
        list dns '192.168.1.11'

config device
        option name 'eth0.2'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '754'
        option ports '4t 0t'

config device
        option type 'bridge'
        option name 'br-iot'
        list ports 'eth0.754'

config interface 'IoT'
        option proto 'none'
        option device 'br-iot'

firewall (AP)

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

If the purpose of the management network is to allow access to the network hardware's admin interfaces, I'd recommend changing the main router's management firewall zone input rule to ACCEPT.

That makes this rule unnecessary, so it can be deleted:

And you have a forwarding from lan > management, so this rule is not actually necessary.

On the AP, add the management VLAN as follows:

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '981'
        option ports '4t 0t'

config interface 'Management'
        option proto 'static'
        option device 'eth0.981'
        option ipaddr '192.168.4.2'
        option netmask '255.255.255.0'

We'll then add a management firewall zone in the AP, with input set to ACCEPT:

config zone
        option name 'Management'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Management'

Then restart the AP. You will be able to access the AP on its management address (192.168.4.2, unless you choose to make it a different address on the 192.168.4.0/24 network).

Once you have verified that you can reach it, you can make the lan network interface on the AP unmanaged, and the device will only be accessible via the management address.

Ok, it seems like everything is working great so far on the VLAN (router, AP, switch). What do I do on the router to ensure that no one can access LuCI via 192.168.1.11?

Edit: I actually spoke too soon. When I changed the AP interface to "Unmanaged", I was not able to access the AP from 192.168.4.2. It can only be accessed via 192.168.1.12.

Let's see the latest configs:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/firewall

Network (router)

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'x'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.11'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '9.9.9.9'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '2620:fe::fe'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'
        list dns '2620:fe::9'

config interface 'IoT'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option device 'eth0.754'

config interface 'Management'
        option proto 'static'
        option device 'eth0.981'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'

Firewall (router)

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'IoT'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IoT'

config forwarding
        option src 'IoT'
        option dest 'wan'

config rule
        option name 'Allow-IoT-DNS'
        option src 'IoT'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow-IoT-DHCP'
        list proto 'udp'
        option src 'IoT'
        option dest_port '67 68'
        option target 'ACCEPT'

config redirect
        option target 'DNAT'
        option name 'Intercept-DNS'
        option family 'any'
        option src 'lan'
        option src_dport '53'
        option enabled '0'

config redirect
        option target 'DNAT'
        option name 'Intercept-DNS-IoT'
        option family 'any'
        option src 'IoT'
        option src_dport '53'
        option dest 'lan'
        option dest_port '53'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Divert-DNS, port 53'
        option src 'lan'
        option src_dport '53'
        option dest_port '53'

config zone
        option name 'Management'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Management'

config forwarding
        option src 'Management'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'Management'

Network (AP)

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'x'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.12'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.11'
        list dns '192.168.1.11'

config device
        option name 'eth0.2'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '754'
        option ports '4t 0t'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '981'
        option ports '4t 0t'

config device
        option type 'bridge'
        option name 'br-iot'
        list ports 'eth0.754'

config interface 'IoT'
        option proto 'none'
        option device 'br-iot'

config interface 'Management'
        option proto 'none'
        option device 'eth0.981'

Firewall (AP)

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'Management'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Management'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Wireless (AP)

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option country 'US'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'Home'
        option encryption 'psk2'
        option key 'password'
        list maclist 'xx:xx:xx:xx:xx:xx'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'
        option country 'US'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'Home'
        option encryption 'psk2'
        option key 'password'
        option disabled '1'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'IoT'
        option encryption 'psk2'
        option key 'password'
        option network 'IoT'
        option disabled '1'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'IoT'
        option encryption 'psk2'
        option key 'password'
        option network 'IoT'
        list maclist 'xx:xx:xx:xx:xx:xx'

The AP has no address on the management network...

I think you might have missed this:

Ah, I misread your earlier post. I made the Management interface unmanaged instead of the LAN. That's my bad. Now it's working as it should.

How do I restrict access to the LuCI address for the router? Is it going to be the same step of making the br-lan "Unmanaged"?

What are the specific restrictions you want to enact? If you want it to only be accessible via the management network, yes, you will make the lan interface unmanaged.

Only allow access from a specific subnet & Ethernet port on switch (192.168.4.x & port 7). I will have a local network only management PC set with a static IP connected to that port later.

In that case, yes, make the lan interface on the AP unmanaged.

Keep in mind that currently you allow devices on the lan to reach the management network by this firewall forwarding rule in the main router:

This means that the AP will be reachable currently from the lan, but (once you make the lan on the AP unmanaged) only at the 192.168.4.2 address.

Alright. I set the correct interface to be unmanaged and now can only access LuCI via 192.168.4.2 on the AP as intended.

What will need to be done in order to restrict access for the main router's LuCI interface?

Set the lan firewall zone's input rule to REJECT and then add DHCP and DNS rules like you have for the IoT network, but with the lan zone as the source:

Alright, it looks like that works now! Thank you.

One last remaining issue I have at the moment is that I can't connect via SSH. I put the Dropbear instance to listen on Management but when I try to access it it states "access denied: publickey" even though I have already uploaded my computer's SSH key to the router.

Just leave it as unspecified/all interfaces. It will only be reachable by the management network based on the firewall zone input policy.

This would probably make sense to have in a new thread since it's not really about management VLANs (it's about ssh keys).

You're welcome. Glad we got it all set!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

I figured it out... I was writing the wrong hostname for the connection.

Now everything is working, thanks for all of your help!
