Setup Guest and IoT networks

Hi everyone,

Somehow I cannot get this scenario to work:

I have a guest and an IoT interface and Wi-Fi called GUEST (192.168.2.0/24) and THINGS (192.168.3.0/24).

The following rules should apply:

  • GUEST should be able to access the internet but nothing else
  • THINGS should be accessible from LAN
  • THINGS should be able to access a host (192.168.1.200) in LAN (MQTT server, port 1883) but nothing else - see next rule
  • THINGS should not be able to access anything else (WAN, LAN, GUEST)

The Guest network is working as expected.

The problem is with THINGS: I cannot access any host in LAN no matter what I change.

My config (there are other rules here but those can be ignored, I think):

# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth1.1'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipv6='0'
network.lan.delegate='0'
network.wan=interface
network.wan.device='eth0.7'
network.wan.proto='pppoe'
network.wan.username='***'
network.wan.password='***'
network.wan.ipv6='0'
network.wan.ac='***'
network.wan.host_uniq='***'
network.wan.peerdns='0'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='1 2 3 4 6t'
network.@switch_vlan[0].vid='1'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='7'
network.@switch_vlan[1].ports='0t 5t'
network.@switch_vlan[1].vid='7'
network.guest=interface
network.guest.proto='static'
network.guest.ipaddr='192.168.2.1'
network.guest.netmask='255.255.255.0'
network.guest.dns='192.168.1.1'
network.guest.ipv6='0'
network.things=interface
network.things.proto='static'
network.things.ipaddr='192.168.3.1'
network.things.netmask='255.255.255.0'
network.things.dns='192.168.1.1'
network.things.ipv6='0'
# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='REJECT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='DROP'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='DROP'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].masq='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@zone[2]=zone
firewall.@zone[2].name='guest'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].network='guest'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='guest'
firewall.@forwarding[1].dest='wan'
firewall.@rule[9]=rule
firewall.@rule[9].name='block GUEST access to LAN'
firewall.@rule[9].src='guest'
firewall.@rule[9].dest_ip='192.168.1.0/24'
firewall.@rule[9].target='DROP'
firewall.@rule[9].enabled='0'
firewall.@rule[9].dest='lan'
firewall.@rule[10]=rule
firewall.@rule[10].name='allow GUEST Bare Necessities'
firewall.@rule[10].src='guest'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].dest_port='67 68 53 5353 123 1883'
firewall.@rule[10].proto='tcp' 'udp'
firewall.@rule[11]=rule
firewall.@rule[11].name='allow GUEST to moj HTTPS'
firewall.@rule[11].proto='tcp'
firewall.@rule[11].src='guest'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].dest='lan'
firewall.@rule[11].dest_ip='192.168.1.200'
firewall.@rule[11].dest_port='443'
firewall.@rule[12]=rule
firewall.@rule[12].name='allow nb15 to moj HTTPS'
firewall.@rule[12].src_ip='192.168.2.152'
firewall.@rule[12].dest='lan'
firewall.@rule[12].dest_ip='192.168.1.200'
firewall.@rule[12].target='ACCEPT'
firewall.@rule[12].src='guest'
firewall.@rule[13]=rule
firewall.@rule[13].name='allow THINGS Bare Necessities'
firewall.@rule[13].src='things'
firewall.@rule[13].dest_port='67 68 53 5353 123'
firewall.@rule[13].target='ACCEPT'
firewall.@redirect[0]=redirect
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='moj HTTP'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='80'
firewall.@redirect[0].dest_ip='192.168.1.200'
firewall.@redirect[0].enabled='0'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].name='moj HTTPS'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].src_dport='443'
firewall.@redirect[1].dest_ip='192.168.1.200'
firewall.@redirect[1].proto='tcp'
firewall.@redirect[1].family='ipv4'
firewall.@redirect[2]=redirect
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].name='moj SSH'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].src_dport='26344'
firewall.@redirect[2].dest_ip='192.168.1.200'
firewall.@redirect[2].dest_port='22'
firewall.@redirect[2].family='ipv4'
firewall.@redirect[2].proto='tcp'
firewall.@redirect[3]=redirect
firewall.@redirect[3].dest='lan'
firewall.@redirect[3].target='DNAT'
firewall.@redirect[3].name='moj OPENVPN'
firewall.@redirect[3].family='ipv4'
firewall.@redirect[3].proto='udp'
firewall.@redirect[3].src='wan'
firewall.@redirect[3].src_dport='1194'
firewall.@redirect[3].dest_ip='192.168.1.200'
firewall.@redirect[4]=redirect
firewall.@redirect[4].dest='lan'
firewall.@redirect[4].target='DNAT'
firewall.@redirect[4].name='moj TimeLimit'
firewall.@redirect[4].family='ipv4'
firewall.@redirect[4].proto='tcp'
firewall.@redirect[4].src='wan'
firewall.@redirect[4].src_dport='28181'
firewall.@redirect[4].dest_ip='192.168.1.200'
firewall.@redirect[5]=redirect
firewall.@redirect[5].target='DNAT'
firewall.@redirect[5].name='GUEST access WebServer'
firewall.@redirect[5].proto='tcp'
firewall.@redirect[5].src='guest'
firewall.@redirect[5].src_dport='443'
firewall.@redirect[5].dest_ip='192.168.1.200'
firewall.@redirect[5].enabled='0'
firewall.@redirect[6]=redirect
firewall.@redirect[6].target='DNAT'
firewall.@redirect[6].name='GUEST access SSH'
firewall.@redirect[6].proto='tcp'
firewall.@redirect[6].src='guest'
firewall.@redirect[6].src_dport='26344'
firewall.@redirect[6].dest_ip='192.168.1.200'
firewall.@redirect[6].dest_port='22'
firewall.@redirect[6].enabled='0'
firewall.@zone[3]=zone
firewall.@zone[3].name='things'
firewall.@zone[3].input='ACCEPT'
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].forward='ACCEPT'
firewall.@zone[3].network='lan' 'things'
firewall.@rule[14]=rule
firewall.@rule[14].name='allow THINGS to access MQTT server'
firewall.@rule[14].src='things'
firewall.@rule[14].target='ACCEPT'
firewall.@rule[14].dest='lan'
firewall.@rule[14].proto='tcp' 'udp' 'icmp' 'igmp' 'esp'
firewall.@rule[14].dest_port='1883'
firewall.@rule[15]=rule
firewall.@rule[15].name='allow LAN to access THINGS'
firewall.@rule[15].dest='things'
firewall.@rule[15].target='ACCEPT'
firewall.@rule[15].src='lan'
firewall.@rule[16]=rule
firewall.@rule[16].name='deny THINGS to access WAN'
firewall.@rule[16].src='things'
firewall.@rule[16].dest='wan'
firewall.@rule[16].target='DROP'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='things'
firewall.@forwarding[2].dest='lan'

Would you mind posting your config in the following way, instead of uci listings? I find it much easier to read this way:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
# ubus call system board
{
	"kernel": "5.15.134",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 0 (v7l)",
	"model": "Netgear Nighthawk X4S R7800",
	"board_name": "netgear,r7800",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.0",
		"revision": "r23497-6637af95aa",
		"target": "ipq806x/generic",
		"description": "OpenWrt 23.05.0 r23497-6637af95aa"
	}
}
# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipv6 '0'
	option delegate '0'

config interface 'wan'
	option device 'eth0.7'
	option proto 'pppoe'
	option username 'xxx'
	option password 'xxx'
	option ipv6 '0'
	option ac 'xxx'
	option host_uniq 'xxx'
	option peerdns '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '7'
	option ports '0t 5t'
	option vid '7'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	list dns '192.168.1.1'
	option ipv6 '0'

config interface 'things'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	list dns '192.168.1.1'
	option ipv6 '0'

# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'xxx'
	option encryption 'sae-mixed'
	option key 'xxx'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'xxx'
	option encryption 'psk2'
	option key 'xxx'
	option network 'lan'

config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option ssid 'xxx'
	option encryption 'psk2'
	option key 'xxx'
	option network 'guest'

config wifi-iface 'wifinet4'
	option device 'radio1'
	option mode 'ap'
	option ssid 'xxx'
	option encryption 'psk2'
	option key 'xxx'
	option network 'things'

# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '0'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	list server '116.203.32.217'
	list server '176.9.93.198'
	option authoritative '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,192.168.1.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option force '1'
	list dhcp_option '6,192.168.1.1'

config dhcp 'things'
	option interface 'things'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.1.1'

config host
	option name 'moj'
	option ip '192.168.1.200'
	option mac 'xxx'

config host
	option ip '192.168.2.173'
	option mac 'xxx'
	option name 'xxx'
	option dns '1'

config host
	option name 'moj'
	option duid 'xxx'

config host
	option name 'xxx'
	option ip '192.168.3.238'
	option mac 'xxx'
	option dns '1'

config domain
	option name 'xxx'
	option ip '192.168.1.200'

config domain
	option name 'xxx'
	option ip '192.168.1.200'

config host
	option ip '192.168.2.208'
	option mac 'xxx'
	option name 'xxx'
	option dns '1'

config host
	option name 'xxx'
	option ip '192.168.1.244'
	option mac 'xxx'

config domain
	option name 'xxx'
	option ip '2.2.2.2'
# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'block GUEST access to LAN'
	option src 'guest'
	list dest_ip '192.168.1.0/24'
	option target 'DROP'
	option enabled '0'
	option dest 'lan'

config rule
	option name 'allow GUEST Bare Necessities'
	option src 'guest'
	option target 'ACCEPT'
	option dest_port '67 68 53 5353 123 1883'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'allow GUEST to moj HTTPS'
	list proto 'tcp'
	option src 'guest'
	option target 'ACCEPT'
	option dest 'lan'
	list dest_ip '192.168.1.200'
	option dest_port '443'

config rule
	option name 'allow nb15 to moj HTTPS'
	list src_ip '192.168.2.152'
	option dest 'lan'
	list dest_ip '192.168.1.200'
	option target 'ACCEPT'
	option src 'guest'

config rule
	option name 'allow THINGS Bare Necessities'
	option src 'things'
	option dest_port '67 68 53 5353 123'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'moj HTTP'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.1.200'
	option enabled '0'

config redirect
	option target 'DNAT'
	option name 'moj HTTPS'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.1.200'
	list proto 'tcp'
	option family 'ipv4'

config redirect
	option target 'DNAT'
	option name 'moj SSH'
	option src 'wan'
	option src_dport '26344'
	option dest_ip '192.168.1.200'
	option dest_port '22'
	option family 'ipv4'
	list proto 'tcp'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'moj OPENVPN'
	option family 'ipv4'
	list proto 'udp'
	option src 'wan'
	option src_dport '1194'
	option dest_ip '192.168.1.200'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'moj TimeLimit'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '28181'
	option dest_ip '192.168.1.200'

config redirect
	option target 'DNAT'
	option name 'GUEST access WebServer'
	list proto 'tcp'
	option src 'guest'
	option src_dport '443'
	option dest_ip '192.168.1.200'
	option enabled '0'

config redirect
	option target 'DNAT'
	option name 'GUEST access SSH'
	list proto 'tcp'
	option src 'guest'
	option src_dport '26344'
	option dest_ip '192.168.1.200'
	option dest_port '22'
	option enabled '0'

config zone
	option name 'things'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'things'

config rule
	option name 'allow THINGS to access MQTT server'
	option src 'things'
	option target 'ACCEPT'
	option dest 'lan'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'
	list proto 'igmp'
	list proto 'esp'
	option dest_port '1883'

config rule
	option name 'allow LAN to access THINGS'
	option dest 'things'
	option target 'ACCEPT'
	option src 'lan'

config rule
	option name 'deny THINGS to access WAN'
	option src 'things'
	option dest 'wan'
	option target 'DROP'

config forwarding
	option src 'things'
	option dest 'lan'

Delete this:

Remove the lan from the things firewall zone. A network can only be in a single firewall zone.

Delete these:

Delete this and make a basic forwarding rule instead:

These are missing destination zones:
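The reply above refers to quoted config sections that did not survive extraction, but its points are the ones a firewall config check would raise: a network may sit in one zone only, and a DNAT redirect needs a destination zone. The script below is an added example written for this page, not code from the thread or from OpenWrt. It parses UCI text in the form posted here, flags those two mistakes plus a `dest_port` paired with port-less protocols (as in the posted MQTT rule), and then runs the same checks over a zone layout that expresses the four requirements from the opening post. That CORRECTED layout is an assumption about how to meet those requirements, not the original poster's final configuration; the broker address 192.168.1.200 and port 1883 are taken from the thread.

```python
"""Lint an OpenWrt /etc/config/firewall (UCI text) for the mistakes this thread
turned up, then run the same checks on a corrected guest/IoT zone layout.
Added example, not code from the thread; CORRECTED is an assumed way to express
the stated requirements, not the original poster's final configuration."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?$")
KV_RE = re.compile(r"^(?:option|list)\s+(\S+)\s+'(.*)'$")
PORTLESS = {"icmp", "igmp", "esp", "ah", "gre"}  # protocols without port numbers


def parse_uci(text):
    """Return [(type, name, opts)] for UCI text; opts maps key -> list of values,
    so `option` and `list` entries are handled alike."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := SECTION_RE.match(line):
            sections.append((m.group(1), m.group(2) or "", defaultdict(list)))
        elif sections and (m := KV_RE.match(line)):
            sections[-1][2][m.group(1)].append(m.group(2))
    return sections


def lint_firewall(text):
    """Return a list of findings for a firewall config; [] means all checks passed."""
    sections = [s for s in parse_uci(text) if s[2]["enabled"] != ["0"]]  # skip disabled
    zones = [o for t, _, o in sections if t == "zone"]
    zone_names = {o["name"][0] for o in zones}
    findings = []

    # A network may belong to exactly one zone.
    owners = defaultdict(list)
    for o in zones:
        for net in o["network"]:
            owners[net].append(o["name"][0])
    findings += [f"network '{n}' is in several zones: {', '.join(z)}"
                 for n, z in owners.items() if len(z) > 1]

    for t, _, o in sections:
        if t not in ("rule", "redirect", "forwarding"):
            continue
        label = f"{t} '{o['name'][0] if o['name'] else '?'}'"
        # src/dest must name a defined zone; '*' is the any-zone wildcard.
        for key in ("src", "dest"):
            findings += [f"{label}: {key} zone '{z}' is not defined"
                         for z in o[key] if z != "*" and z not in zone_names]
        # A DNAT redirect needs a dest zone to place the translated traffic in.
        if t == "redirect" and (o["target"] or ["DNAT"])[0] == "DNAT" and not o["dest"]:
            findings.append(f"{label}: DNAT redirect without a dest zone")
        # dest_port cannot match protocols that have no ports.
        bad = {p for v in o["proto"] for p in v.split()} & PORTLESS
        if o["dest_port"] and bad:
            findings.append(f"{label}: dest_port with port-less proto {', '.join(sorted(bad))}")
    return findings


def uci(stype, **opts):
    """Render one UCI section as text; a Python list becomes repeated `list` lines."""
    lines = [f"config {stype}"]
    for key, val in opts.items():
        kw, vals = ("list", val) if isinstance(val, list) else ("option", [val])
        lines += [f"\t{kw} {key} '{v}'" for v in vals]
    return "\n".join(lines) + "\n\n"


# Trimmed to the sections and options the checks read, from the firewall posted above.
AS_POSTED = "".join([
    uci("zone", name="lan", network=["lan"]),
    uci("zone", name="wan", network=["wan"]),
    uci("zone", name="things", network=["lan", "things"]),  # 'lan' is in two zones
    uci("rule", name="allow THINGS to access MQTT server", src="things", dest="lan",
        proto=["tcp", "udp", "icmp", "igmp", "esp"], dest_port="1883", target="ACCEPT"),
    uci("redirect", name="moj HTTPS", src="wan", src_dport="443",
        dest_ip="192.168.1.200", proto="tcp", target="DNAT"),  # no dest zone
])

# Assumed layout for the four requirements: each network in one zone, no blanket
# things->lan forwarding, a single host/port rule for MQTT, and guest/things able
# to reach the router itself only for DHCP and DNS.
CORRECTED = "".join([
    uci("zone", name="lan", input="ACCEPT", output="ACCEPT", forward="ACCEPT", network=["lan"]),
    uci("zone", name="wan", input="DROP", output="ACCEPT", forward="DROP", masq="1",
        mtu_fix="1", network=["wan"]),
    uci("zone", name="guest", input="REJECT", output="ACCEPT", forward="REJECT", network=["guest"]),
    uci("zone", name="things", input="REJECT", output="ACCEPT", forward="REJECT", network=["things"]),
    uci("forwarding", src="lan", dest="wan"),
    uci("forwarding", src="guest", dest="wan"),
    uci("forwarding", src="lan", dest="things"),  # LAN may initiate to THINGS, not the reverse
    uci("rule", name="guest DHCP and DNS", src="guest", dest_port="67 53", proto="tcp udp", target="ACCEPT"),
    uci("rule", name="things DHCP and DNS", src="things", dest_port="67 53", proto="tcp udp", target="ACCEPT"),
    uci("rule", name="things to MQTT broker", src="things", dest="lan", dest_ip="192.168.1.200",
        dest_port="1883", proto="tcp", target="ACCEPT"),
])

if __name__ == "__main__":
    for title, cfg in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"== {title}")
        print("\n".join(lint_firewall(cfg)) or "no findings")
    print(CORRECTED, end="")  # paste-ready zone/forwarding/rule sections
```

On the router itself, `fw4 check` is the authoritative validation; this linter only covers the handful of mistakes discussed in the thread. In CORRECTED nothing forwards from things to lan except the single MQTT rule, and with the zone's forward policy at REJECT and no things->wan forwarding section, an explicit "deny THINGS to access WAN" rule is unnecessary. The thread's eventual fix was on the server rather than the router, which a clean firewall config does not rule out.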

I did not get this one... What do you mean by that?

I made all the other changes and removed everything not crucial; still no luck. I also added port 22 to "allow THINGS to access MQTT server": I thought there was something wrong with MQTT/1883, but SSH is also not working.

Changed config:

# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipv6 '0'
	option delegate '0'

config interface 'wan'
	option device 'eth0.7'
	option proto 'pppoe'
	option username 'xxx'
	option password 'xxx'
	option ipv6 '0'
	option ac 'xxx'
	option host_uniq 'xxx'
	option peerdns '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '7'
	option ports '0t 5t'
	option vid '7'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	list dns '192.168.1.1'
	option ipv6 '0'

config interface 'things'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	list dns '192.168.1.1'
	option ipv6 '0'
# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'xxx'
	option encryption 'sae-mixed'
	option key 'xxx'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'xxx'
	option encryption 'psk2'
	option key 'xxx'
	option network 'lan'

config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option ssid 'xxx'
	option encryption 'psk2'
	option key 'xxx'
	option network 'guest'

config wifi-iface 'wifinet4'
	option device 'radio1'
	option mode 'ap'
	option ssid 'xxx'
	option encryption 'psk2'
	option key 'x'
	option network 'things'

# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '0'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	list server '116.203.32.217'
	list server '176.9.93.198'
	option authoritative '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,192.168.1.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option force '1'
	list dhcp_option '6,192.168.1.1'

config dhcp 'things'
	option interface 'things'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.1.1'

config host
	option name 'moj'
	option ip '192.168.1.200'
	option mac 'xxx'

config host
	option ip '192.168.2.173'
	option mac 'xxx'
	option name 'xxx'
	option dns '1'

config host
	option name 'moj'
	option duid 'xxx'

config host
	option name 'xxx'
	option ip '192.168.3.238'
	option mac 'xxx'
	option dns '1'

config domain
	option name 'xxx'
	option ip '192.168.1.200'

config domain
	option name 'xxx'
	option ip '192.168.1.200'

config host
	option ip '192.168.2.208'
	option mac 'xxx'
	option name 'xxx'
	option dns '1'

config host
	option name 'xxx'
	option ip '192.168.1.244'
	option mac 'xxx'

config domain
	option name 'xxx'
	option ip '2.2.2.2'

# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'allow GUEST Bare Necessities'
	option src 'guest'
	option dest_port '67 68 53 5353 123'
	option target 'ACCEPT'

config rule
	option name 'allow THINGS Bare Necessities'
	option src 'things'
	option dest_port '67 68 53 5353 123'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'moj HTTP'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.1.200'
	option enabled '0'

config redirect
	option target 'DNAT'
	option name 'moj HTTPS'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.1.200'
	list proto 'tcp'
	option family 'ipv4'
	option dest 'lan'

config redirect
	option target 'DNAT'
	option name 'moj SSH'
	option src 'wan'
	option src_dport '26344'
	option dest_ip '192.168.1.200'
	option dest_port '22'
	option family 'ipv4'
	list proto 'tcp'
	option dest 'lan'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'moj OPENVPN'
	option family 'ipv4'
	list proto 'udp'
	option src 'wan'
	option src_dport '1194'
	option dest_ip '192.168.1.200'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'moj TimeLimit'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '28181'
	option dest_ip '192.168.1.200'

config zone
	option name 'things'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'things'

config rule
	option name 'allow THINGS to access MQTT server'
	option src 'things'
	option target 'ACCEPT'
	option dest 'lan'
	option dest_port '1883 22'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'
	list proto 'igmp'
	list proto 'esp'

config rule
	option name 'allow LAN to access THINGS'
	option dest 'things'
	option target 'ACCEPT'
	option src 'lan'

config rule
	option name 'deny THINGS to access WAN'
	option src 'things'
	option dest 'wan'
	option target 'DROP'
	option enabled '0'

config forwarding
	option src 'things'
	option dest 'lan'


Like this:

config forwarding
	option src 'lan'
	option dest 'things'

Ah, ok. Done. No change.

I am beginning to think this is not a firewall issue?! Can it be something else?
I even tried restarting the router.

Try removing the things network from the things firewall zone and adding it to the lan firewall zone. This will provide the maximum permissions. If it still doesn’t work, it is likely related to local restrictions or limitations on the hosts.

Don’t forget to restart the router after making this change

OK, that worked, but only AFTER I rebooted the router as you wrote.
I can SSH and access MQTT at 192.168.1.200.

Sorry... I was on the wrong Wi-Fi after the reboot.
Only SSH works from the THINGS Wi-Fi.

Sounds like the local device either doesn’t accept connections from other subnets and/or it is not configured with a gateway.

Does that device get its address via dhcp or static?
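The distinction the reply draws (the host not accepting connections from other subnets versus having no gateway) can be narrowed down from a client in the THINGS network by looking at how each TCP connect fails. The script below is an added example for this page, not code from the thread: a connect that is refused means a TCP reset came back, so packets reach the far end (or hit a REJECT rule), while a connect that times out means something drops silently or the host has no route back. The default host 192.168.1.200 and ports 22, 443, 80 and 1883 are taken from the posts and are assumptions about that setup; `demo_local` exercises the classifier offline against a loopback listener.

```python
"""Classify how a TCP connect to a LAN host fails from another subnet.
Added example for this page, not code from the thread. The default host and
ports are taken from the posts and are assumptions about that setup."""
import errno
import socket
import sys

DEFAULT_HOST = "192.168.1.200"          # the LAN server discussed in the thread
DEFAULT_PORTS = (22, 443, 80, 1883)     # SSH and HTTPS worked, HTTP and MQTT did not


def probe(host, port, timeout=2.0):
    """Return 'open', 'refused', 'timeout' or 'unreachable' for one TCP connect.

    open        SYN/ACK came back: the firewall path and the listener are fine.
    refused     RST came back: packets reach the host (or hit a REJECT rule),
                but nothing accepts on that port from this client's address.
    timeout     no answer at all: a DROP rule on the router or on the host, or a
                host with no route back to this subnet (missing gateway).
    unreachable an ICMP or routing error on the way there.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()


def diagnose(results):
    """Turn a {port: state} map into the next thing to check."""
    states = set(results.values())
    if states == {"open"}:
        return "all ports answer: router and host both allow this client"
    if "open" in states and "refused" in states:
        return ("refused next to open: resets come back, so the path works and a "
                "REJECT rule or the host itself (host firewall, service bind address) "
                "turns those ports away")
    if "open" in states and "timeout" in states:
        return ("timeouts next to open: those ports are dropped silently, by a DROP "
                "target on the router or by a host firewall")
    if states <= {"timeout", "unreachable"}:
        return ("nothing answers: check zone forwarding, and that the host has a "
                "default gateway so replies can get back to this subnet")
    return "mixed results: compare the per-port states above"


def demo_local():
    """Offline self-check: probe a loopback listener, then the same port once closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe("127.0.0.1", port, 1.0)
    srv.close()
    return while_listening, probe("127.0.0.1", port, 1.0)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST
    ports = [int(p) for p in sys.argv[2:]] or list(DEFAULT_PORTS)
    results = {p: probe(host, p) for p in ports}
    for p, state in results.items():
        print(f"{host}:{p:<5} {state}")
    print(diagnose(results))
```

Run it from a THINGS client as `python3 probe.py 192.168.1.200 22 443 80 1883`. A mix of open and refused on the same host points at the host (its own firewall or a service bound to a specific address), not at zone forwarding, because a reset can only come back if the packet got there and the reply found its way back.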

The server (192.168.1.200) has a static lease from the OpenWrt DHCP and I can access it with moj.lan.
I wonder why there are 2:

config host
	option name 'moj'
	option ip '192.168.1.200'
	option mac 'xxx'

config host
	option name 'moj'
	option duid 'xxx'

The mac seems correct.

The clients in the THINGS network also get their IP from the OpenWrt DHCP.
What baffles me is that I can access the server in LAN on ports 22 and 443 from a client in the THINGS network, but 1883 and 80 do not work.
curl https://moj.lan - works
curl http://moj.lan - does not work

If I enable the port forward

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'moj HTTP'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.1.200'
	option enabled '0'

then HTTP also works. This is still with things and lan in the same firewall zone.

Use the IP address of the server and not the domain name to rule out any DNS problem (in case you also have DDNS etc)

I also tried directly with the IP: no luck. But the hostname is resolved properly.

OK, somehow it's fixed now, but unfortunately I haven't found out exactly what the problem was because I did a few things at once. Maybe this helps someone. I traced back what I changed lately and:

  • realized I had recently installed NoMachine and RustDesk to try out remote control; uninstalled those from the server machine
  • changed the IP range of the THINGS network to 10.0.0.1/24
  • rebooted the server

and now everything miraculously works as it should.

Thanks everyone for the help.

I've followed your progress configuring this setup with interest since I'll be doing something similar. I'd appreciate it if you could post your final configuration. Cheers!