Hey fellas! I need a bit of help.
Context
I am trying to add a VLAN for my IoT devices, accessible by WiFi, so that they cannot access the other devices on my network.
Problem
When I connect to the new SSID with my phone, it says I have no internet, and I can't load any websites.
What I've Done
I started by creating a new wireless SSID, assigning it to a new interface, and then assigning that interface to a new firewall zone.
My main LAN interface has the static IP of 10.0.0.1/8
, and my IoT interface has the static IP of 172.16.0.0/16
, so they shouldn't collide. Both use DHCP, and I verified that my phone does get assigned an IP address on the 172.16.0.0/16
subnet.
When configuring the firewall, I've set up the IoT interface to forward to WAN; no additional traffic rules, and everything set to "accept" for now.
Config Files
To protect some personal info, I've redacted the port forward entries, static IP assignments, hostnames, and WiFi passwords. I've also renamed the SSIDs but they're easier to understand this way.
/etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
config interface 'lan'
option type 'bridge'
option ifname 'eth1.1'
option proto 'static'
option ip6assign '60'
option netmask '255.0.0.0'
option ipaddr '10.0.0.1'
list dns '8.8.8.8'
list dns '1.1.1.1'
option ipv6 'off'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
option ipv6 'off'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
option reqprefix 'auto'
option reqaddress 'try'
option auto '0'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0t 2 3 4 5'
option vid '1'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 6t'
option vid '2'
config interface 'iotlan'
option proto 'static'
list dns '1.1.1.1'
list dns '8.8.8.8'
list ipaddr '172.16.0.0/16'
option delegate '0'
/etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option network 'iotlan'
option input 'ACCEPT'
option name 'iotlan'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
[config redirect entries redacted]
config forwarding
option dest 'wan'
option src 'iotlan'
/etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
option domain '[redacted]'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '6h'
option dhcpv6 'disabled'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
[config host entries redacted]
config dhcp 'iotlan'
option leasetime '12h'
option interface 'iotlan'
option start '1'
option limit '255'
/etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11a'
option path 'pci0000:00/0000:00:00.0'
option htmode 'VHT80'
option channel 'auto'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option key '[redacted]'
option encryption 'psk2'
option ssid 'main5ghz'
config wifi-device 'radio1'
option type 'mac80211'
option hwmode '11g'
option path 'platform/ahb/18100000.wmac'
option htmode 'HT20'
option channel 'auto'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option key '[redacted]'
option encryption 'psk2'
option ssid 'main2ghz'
config wifi-iface 'wifinet2'
option ssid 'iot2ghz'
option encryption 'psk2'
option device 'radio1'
option mode 'ap'
option key '[redacted]'
option network 'iotlan'
(Click the arrows to expand the files.)
Hardware
I am using an Archer C7 AC1750.
Thanks
Please let me know if you need more info. I really appreciate any help!