# dnsmasq instance (DNS forwarder and DHCPv4 server). Judging by its section
# types, this part of the paste looks like /etc/config/dhcp.
config dnsmasq
option domainneeded '1'
option localise_queries '1'
# Rebind protection on: upstream DNS answers that point into private address
# ranges are dropped, which blunts DNS-rebinding attacks against LAN hosts.
option rebind_protection '1'
# Exception to the above: answers in 127.0.0.0/8 are still let through.
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
# NOTE(review): localservice '0' means dnsmasq does not restrict DNS queries
# to clients on directly attached subnets, and nonwildcard '0' leaves it bound
# to the wildcard address. Only the firewall zone input policies then decide
# who can query this resolver; '1' for both is the tighter setting.
option localservice '0'
option nonwildcard '0'
# DHCPv4 is switched off on 'lan' (ignore '1').
# NOTE(review): dhcpv6/ra are still set to 'server'; confirm whether this
# device should announce IPv6 on a segment where it does not serve DHCPv4.
# An extra router-advertisement source on a LAN is easy to overlook.
config dhcp 'lan'
option interface 'lan'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
option ignore '1'
# No DHCP service towards the WAN side.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
# odhcpd is not the main DHCPv4 server (maindhcp '0'); it writes its leases to
# a hosts file and runs the trigger script when they change.
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
# Guest pool: leases start at host offset 100, at most 150 addresses, 12 h
# lease time. No dhcp_option is set, so clients presumably receive this
# device as their gateway and DNS server - verify on a guest client.
config dhcp 'guest'
option start '100'
option leasetime '12h'
option interface 'guest'
option limit '150'
# 2.4 GHz radio (hwmode '11g', channel 11). By its section types this part of
# the paste looks like /etc/config/wireless.
config wifi-device 'radio0'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'platform/ar934x_wmac'
option htmode 'HT20'
option country 'US'
# 802.11b-era rates stay enabled.
option legacy_rates '1'
# Main access point on radio0, attached to the 'lan' network.
config wifi-iface
option device 'radio0'
option mode 'ap'
option ssid 'Com-Con'
# 'psk2' selects WPA2-PSK.
# NOTE(review): 'xxx' looks like a redacted placeholder; a WPA2 passphrase has
# to be 8-63 characters. The key is stored in clear text in this file, so
# keep it out of pastes and restrict who can read the config. Management
# frame protection (ieee80211w) is not configured here.
option encryption 'psk2'
option key 'xxx'
option network 'lan'
# 5 GHz radio (hwmode '11a', channel 36) with transmit power set to 17.
config wifi-device 'radio1'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'pci0000:00/0000:00:00.0'
option htmode 'HT20'
option txpower '17'
option country 'US'
# Same SSID as the radio0 access point, also attached to 'lan'.
config wifi-iface
option device 'radio1'
option mode 'ap'
option ssid 'Com-Con'
# NOTE(review): the key here ('xxxi') differs from the one given for the same
# SSID on radio0 ('xxx'). If that is not just a redaction artefact, clients
# moving between bands need two different passphrases - confirm.
option encryption 'psk2'
option key 'xxxi'
option network 'lan'
# Guest access point: second SSID on radio0, attached to the 'guest' network
# instead of 'lan'.
# NOTE(review): no "option isolate '1'" is set, so guest stations can reach
# each other directly through the access point; client isolation is the usual
# setting for a guest SSID. The key is a shared WPA2 passphrase, so anyone
# holding it is on the guest segment.
config wifi-iface
option device 'radio0'
option mode 'ap'
option ssid 'gast'
option encryption 'psk2'
option key 'yyy'
option network 'guest'
# Loopback interface. By its section types this part of the paste looks like
# /etc/config/network.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# Locally generated IPv6 ULA prefix.
config globals 'globals'
option ula_prefix 'fd90:45b4:3dfd::/48'
# LAN bridge on VLAN 1 with a static address.
# NOTE(review): no 'gateway' or 'dns' option is set on this static interface,
# so it adds no default route; a default route can then only come from the
# DHCP lease on 'wan'. Worth checking with "ip route" when forwarded traffic
# does not leave the device.
config interface 'lan'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.2.2'
option ifname 'eth0.1'
# WAN is a DHCP client on VLAN 2 of eth0.
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
# DHCPv6 client running on top of the same device as 'wan'.
config interface 'wan6'
option ifname '@wan'
option proto 'dhcpv6'
# Built-in switch with VLAN support enabled.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
# VLAN 1: port 0 tagged (presumably the CPU port - confirm for this board),
# ports 2-5 untagged.
# NOTE(review): no switch_vlan section for VLAN 2 appears in this paste even
# though 'wan' uses eth0.2, and port 1 belongs to no VLAN. If the paste is
# complete, the WAN interface has no physical port behind it - confirm
# whether that is intended.
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '0t 2 3 4 5'
# Guest network: this device is 192.168.3.1/24 on it. No ifname or bridge is
# declared; the only member visible in the paste is the 'gast' wifi-iface.
# NOTE(review): 'dns' on a static interface presumably sets an upstream
# resolver for the router itself; it is not handed to DHCP clients, which
# would need a dhcp_option in the 'guest' dhcp section. Verify which resolver
# guest clients actually receive.
config interface 'guest'
option proto 'static'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
option dns '208.67.222.220'
# Global firewall policy. By its section types this part of the paste looks
# like /etc/config/firewall.
# NOTE(review): the default input policy is ACCEPT, so traffic to the router
# arriving on an interface that belongs to no zone is accepted. REJECT is the
# stricter choice once every interface is assigned to a zone.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# LAN zone: fully trusted (input/output/forward ACCEPT).
# masq '1' with masq_src limits NAT to packets sourced from 192.168.3.0/24
# (the guest subnet): guest traffic leaving via 'lan' carries this device's
# LAN address, so hosts and logs on the LAN cannot tell guest clients apart
# from the router itself.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
option masq '1'
list masq_src '192.168.3.0/24'
# WAN zone: unsolicited input and forwarding rejected, outbound NAT and MSS
# clamping enabled.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
# LAN clients may be forwarded out to WAN.
config forwarding
option src 'lan'
option dest 'wan'
# Exceptions to the WAN zone's input REJECT. Rules without a 'dest' apply to
# traffic addressed to the router itself.
# Let DHCP replies (UDP 68) from the WAN side reach the DHCP client.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# Answer IPv4 echo requests from WAN. Optional: dropping this rule makes the
# router less visible to address scans at the cost of ping diagnostics.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
# Accept DHCPv6 replies, limited to link-local source and destination
# addresses and the server/client ports 547/546.
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 to the router: only the listed types are accepted, rate-limited to
# 1000 packets per second.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 forwarded from WAN to any zone (dest '*'): error and echo types
# only, with the same rate limit. Inbound echo-request lets hosts behind the
# router be pinged over IPv6.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Pulls in custom rules from /etc/firewall.user. That file is not part of
# this paste; its contents belong in any review of the effective ruleset.
config include
option path '/etc/firewall.user'
# Guest zone: traffic addressed to the router is rejected by default
# (input REJECT); the two rules below open DNS and DHCP only.
# forward 'ACCEPT' permits forwarding between networks inside this zone.
config zone
option output 'ACCEPT'
option name 'guest'
option network 'guest'
option forward 'ACCEPT'
option input 'REJECT'
# Guest clients may query the router's DNS service (TCP and UDP 53).
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
option name 'Guest DNS'
option src 'guest'
# Guest clients may reach the router's DHCP service.
# NOTE(review): the DHCP server side uses UDP 67; port 68 is the client
# port, so '67' alone is presumably enough here.
config rule
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
option name 'Guest DHCP'
option src 'guest'
# NOTE(review): this forwards guest traffic into the 'lan' zone with no
# destination restriction, so guest clients can reach every host on the LAN
# subnet, not only an upstream gateway; no guest -> wan forwarding exists in
# this paste. If guests are meant to get internet access only, add a rule
# with src 'guest', dest 'lan', the LAN subnet as dest_ip and target
# 'REJECT', and test from a guest client that LAN hosts are unreachable.
config forwarding
option dest 'lan'
option src 'guest'
root@OpenWrt:~# tcpdump -i any -vn host 8.8.8.8 or host 1.1.1.1
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
14:21:53.562074 IP (tos 0x0, ttl 1, id 15138, offset 0, flags [none], proto UDP (17), length 48)
192.168.3.189.56924 > 8.8.8.8.33434: UDP, length 20
14:21:53.562406 IP (tos 0x0, ttl 1, id 64083, offset 0, flags [none], proto UDP (17), length 48)
192.168.3.189.56924 > 8.8.8.8.33434: UDP, length 20
14:21:53.562647 IP (tos 0x0, ttl 1, id 31433, offset 0, flags [none], proto UDP (17), length 48)
192.168.3.189.56924 > 8.8.8.8.33434: UDP, length 20
14:21:58.559475 IP (tos 0x0, ttl 2, id 61955, offset 0, flags [none], proto UDP (17), length 48)
192.168.3.189.56924 > 8.8.8.8.33434: UDP, length 20
14:21:58.559778 IP (tos 0x0, ttl 2, id 35433, offset 0, flags [none], proto UDP (17), length 48)
192.168.3.189.56924 > 8.8.8.8.33434: UDP, length 20
14:21:58.560016 IP (tos 0x0, ttl 2, id 41802, offset 0, flags [none], proto UDP (17), length 48)
192.168.3.189.56924 > 8.8.8.8.33434: UDP, length 20
14:22:04.566274 IP (tos 0x0, ttl 3, id 39907, offset 0, flags [none], proto UDP (17), length 48)
192.168.3.189.56924 > 8.8.8.8.33434: UDP, length 20
14:22:04.566591 IP (tos 0x0, ttl 3, id 1730, offset 0, flags [none], proto UDP (17), length 48)
192.168.3.189.56924 > 8.8.8.8.33434: UDP, length 20
14:22:04.566825 IP (tos 0x0, ttl 3, id 60329, offset 0, flags [none], proto UDP (17), length 48)
192.168.3.189.56924 > 8.8.8.8.33434: UDP, length 20