Hello Community,
I apologize if this discussion has already been covered elsewhere. If so, please let me know if I should take this post down, and please do not penalize me harshly as I am "newb" status. I have tried searching for this particular situation that I am encountering and I did not locate any discussions or solutions here or elsewhere on the inter-webs.
I am configuring a Linksys WRT 3200acm with the newest version of the LEDE 17.01 branch (git-17.290.79498-d3f0685) / LEDE Reboot 17.01.4 r3560-79f57e422d. The scenario is I am configuring a network that has three networks. The architecture is as follows:
a) One wifi network is bridged to my private lan network interface called "LEDE".
b) One wifi network is my guest network configured on its own interface named "slave".
c) One wifi network is for a project I am trying to setup called "tor" with its own interface.
The router model has three radios detected which is discussed in the following thread located here:
third radio in wrt3200acm
A general overview for those who do not want to click on the link: there are three radio devices the OS discovers natively after install by default. The breakdown is below:
1) radio0 is the 5GHz interface
2) radio1 is the 2.4GHz interface
3) radio2 is an auxiliary interface that can be configured as either 2.4GHz or 5GHz and is used for short-range items (not ideal for heavy network usage)
For the rest of this post I will be referring to the wifi networks as a, b, and/or c from the alphabetized list and the network devices as 1, 2, and/or 3 respectively from the above numbered list.
The way I wanted to configure the router was to use 2 as the interface that will host all three (a, b, and c) of the wifi networks mentioned above. The reason is to ensure device compatibility for guests on my network as not all hardware supports 5GHz.
Everything works fine when I only have two wifi networks setup.
But the issue arises when I add a third wifi network. When I add a third wifi network, the other two that were previously set up (and were tested to work) will break and won't allow devices to connect to them; only the newly added wifi network will allow connections, procure a DHCP address, and access the internet.
For example:
- I first set up wifi networks a and b on device 2 and have each of them bridged to their own interface.
- I create the firewall rules for b to allow procurement of DHCP, DNS, and access to the WAN/internet
- Test connectivity and confirmed working on both wifi networks on different devices i.e. smart phone, laptop, etc.
- I then follow the same procedures to add c to device 2
- As soon as c is added, all connection attempts to a and b crash on the devices and return error messages that the "network cannot be connected to" or "failed to connect to network slave/LEDE", but access to c works fine.
*I check the logs by doing a logread -f and it does not show any connectivity or DHCP requests when trying to connect devices to the a and b wifi networks.
Other failed methods I have tried:
- I have tried configuring different vlans to house each of the wifi networks.
- I have tried creating an entirely new device, but that seemed to fail and I think this is due to the device driver file referenced only seeing 1, 2, and 3.
I tried a workaround that seems to work, but it does not meet my requirement of having them on the same device. It was as follows:
- I create wifi networks a and b on device 2 and have each of them bridged to their own interface.
- I create the firewall rules for b to allow procurement of DHCP, DNS, and access to the WAN/internet
- Test connectivity and confirmed working on both a and b wifi networks on different devices i.e. smart phone, laptop, etc.
- I then follow the same procedures to add c to device 1 with firewall configurations
- Test connectivity and confirmed working on the c wifi network on different devices, i.e. smart phone, laptop, etc.
I am thinking the issue may be one of the following and am looking for confirmation or a solution from the community:
- The device/operating system doesn't support more than 3 wifi networks (I read somewhere on here that the LEDE driver for this router was not a binary driver that could handle this and DD-WRT was able to handle this use case, but I can't seem to find the article/URL; I would prefer OpenWRT/LEDE over that OS)?
- The feature can be done but there is an issue with the device's driver which needs an update?
- I am misconfiguring something, i.e. firewall, network, etc.?
For your reference, my configurations are below. Please let me know if you need any additional information that I have forgotten to include, or other configurations with other use cases I have tried, i.e. VLANs.
Note: I know the configs may be non-secure, but I am just trying to get this working for now. Once functioning, I will apply security hardening afterwards.
Sincerely,
A humbly committed student
vi /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fde1:67cc:118f::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6'

config interface 'tor'
	option proto 'static'
	option ifname 'tor'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option type 'bridge'

config interface 'slave'
	option _orig_ifname 'wlan1-2'
	option _orig_bridge 'false'
	option proto 'static'
	option ipaddr '10.0.1.1'
	option netmask '255.255.255.0'
vi /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'soc/soc:pcie-controller/pci0000:00/0000:00:01.0/0000:01:00.0'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'LEDE'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'soc/soc:pcie-controller/pci0000:00/0000:00:02.0/0000:02:00.0'
	option htmode 'HT20'
	option country 'US'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'LEDE'
	option encryption 'none'

config wifi-device 'radio2'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'LEDE'
	option encryption 'none'

config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option encryption 'none'
	option ssid 'tor'
	option network 'tor'

config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option encryption 'none'
	option ssid 'Slave'
	option network 'slave'
vi /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'

config dhcp 'tor'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'tor'

config dhcp 'slave'
	option leasetime '12h'
	option interface 'slave'
	option start '2'
	option limit '254'
vi /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'tor'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'tor'
	option input 'REJECT'

config forwarding
	option dest 'wan'
	option src 'tor'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'tor internal dns'
	option src 'tor'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'tor internal dhcp'
	option src 'tor'

config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'slave'
	option input 'REJECT'
	option network 'slave'

config forwarding
	option dest 'wan'
	option src 'slave'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'slave DNS'
	option src 'slave'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'slave DHCP'
	option src 'slave'
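An added example, not code from the original post or from LEDE/OpenWrt: a small Python cross-checker for the wifi-iface -> interface -> firewall-zone chain the post configures by hand, the kind of consistency check worth running over the four files before suspecting the driver. The sample configs are constructed excerpts shaped like the post's files, and parse_uci/check_wifi are my own names.

```python
# Added example (not code from the original post): a small UCI cross-checker.
# It parses /etc/config-style text and reports, for every enabled wifi-iface,
# whether its 'network' maps to a 'config interface' and to a firewall zone,
# and whether the SSID is left open. The sample configs below are constructed.
import re

def parse_uci(text):
    """Parse UCI text into (type, name, {option: [values]}) sections."""
    sections = []
    for line in text.splitlines():
        # tokens are quoted strings or bare words; surrounding quotes are stripped
        parts = [p.strip("'\"") for p in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", line)]
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "config":
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, {}))
        elif parts[0] in ("option", "list") and sections:
            value = parts[2] if len(parts) > 2 else ""
            sections[-1][2].setdefault(parts[1], []).append(value)
    return sections

def check_wifi(wireless, network, firewall):
    """Return a list of findings; an empty list means the three files agree."""
    ifaces = {n for t, n, _ in parse_uci(network) if t == "interface"}
    zoned = set()
    for t, _, opts in parse_uci(firewall):
        if t == "zone":
            for nets in opts.get("network", []):  # 'wan wan6' style lists
                zoned.update(nets.split())
    findings = []
    for t, _, opts in parse_uci(wireless):
        if t != "wifi-iface" or opts.get("disabled", ["0"])[0] == "1":
            continue
        ssid = opts.get("ssid", ["?"])[0]
        net = opts.get("network", [None])[0]
        if net not in ifaces:
            findings.append(f"{ssid}: network '{net}' has no 'config interface'")
        elif net not in zoned:
            findings.append(f"{ssid}: interface '{net}' is in no firewall zone")
        if opts.get("encryption", ["none"])[0] == "none":
            findings.append(f"{ssid}: open network (encryption 'none')")
    return findings

# Constructed excerpts shaped like the post's files; the firewall deliberately
# lacks a zone for 'slave' so the check has something to report.
WIRELESS = "\n".join(f"config wifi-iface\noption device 'radio1'\noption mode 'ap'\n"
                     f"option ssid '{s}'\noption network '{n}'\noption encryption 'none'"
                     for s, n in (("LEDE", "lan"), ("tor", "tor"), ("Slave", "slave")))
NETWORK = "\n".join(f"config interface '{n}'\noption proto 'static'" for n in ("lan", "tor", "slave"))
FIREWALL = "config zone\noption name 'lan'\noption network 'lan'\nconfig zone\noption name 'tor'\noption network 'tor'"
```

Run check_wifi(WIRELESS, NETWORK, FIREWALL) on the real files by reading /etc/config/wireless, network and firewall into the three strings; any "no 'config interface'" or "in no firewall zone" line points at a section that is missing rather than a radio limit.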