Hello guys !
As I have some time now, I'm reviewing my network architecture.
Here's what I want to achieve:
My problem, for now, is that hosts on mydomain.lan can't resolve names in lab.lan, for example.
Here are my config files:
/etc/config/network
# /etc/config/network, as posted (the ULA prefix and wg0 details are redacted).
# What this file shows: one CPU trunk, eth0, carries the lan (VLAN 1000),
# lab (VLAN 1100) and future adm (VLAN 1200) networks; a second CPU trunk,
# eth1, carries wan (VLAN 2000). Every interface hands out 127.0.0.1 as DNS,
# i.e. the dnsmasq instances in /etc/config/dhcp.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
# Redacted in the post; the opening quote is missing only in the paste.
option ula_prefix xxxx'
# lan: 192.168.1.0/24, a bridge over the VLAN-1000 CPU port plus, per the
# _orig_ifname leftover, two radios (the wireless config is not shown).
# The _orig_* keys are LuCI bookkeeping and have no effect.
config interface 'lan'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.1.254'
option broadcast '192.168.1.255'
option _orig_ifname 'eth0.1000 radio1.network1 radio2.network1'
option _orig_bridge 'true'
option delegate '0'
# LAN clients resolve through the router (dnsmasq_lan).
list dns '127.0.0.1'
option ifname 'eth0.1000'
# guest: 192.168.100.0/24 with no ifname, so presumably wireless-only and
# attached from /etc/config/wireless — TODO confirm, nothing here shows it.
config interface 'guest'
option proto 'static'
option netmask '255.255.255.0'
option broadcast '192.168.100.255'
option delegate '0'
option ipaddr '192.168.100.254'
list dns '127.0.0.1'
# wan: address from the ISP by DHCP, but peerdns=0 plus dns=127.0.0.1 means
# the ISP-supplied resolvers are ignored; upstream resolution is whatever
# /etc/config/dhcp points at (dnscrypt-proxy on 127.0.0.1#5353).
config interface 'wan'
option ifname 'eth1.2000'
option proto 'dhcp'
option delegate '0'
option peerdns '0'
list dns '127.0.0.1'
config interface 'wan6'
option proto 'dhcpv6'
option ifname 'eth1.2000'
option reqaddress 'try'
option reqprefix 'auto'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
# wg0 stanzas elided in the post. Note wg0 is placed in the lan firewall
# zone, so tunnel peers get the same access as wired LAN hosts.
config interface 'wg0'
...
config wireguard_wg0 'wgclient'
...
# VLAN map. 5t appears on every eth0.* VLAN and 6t on the eth1 one, so 5 and
# 6 look like the two CPU ports — confirm against the board's port map.
# NOTE(review): port 4 is tagged on BOTH the lan VLAN (1000) and the wan
# VLAN (2000): it is a trunk carrying the outside and the inside on one
# cable. Whatever is plugged into port 4 (a managed switch, by the look of
# it) is then what keeps those two VLANs apart; a mis-set VLAN there puts
# the WAN straight onto the LAN, with no firewall in between.
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '1000'
option ports '3 4t 5t'
config switch_vlan
option device 'switch0'
option vlan '4'
option vid '2000'
option ports '4t 6t'
# lab VLAN: untagged on port 2.
config switch_vlan
option device 'switch0'
option vlan '5'
option vid '1100'
option ports '2 5t'
# adm VLAN (interface eth0.1200, not configured yet): untagged on port 1.
config switch_vlan
option device 'switch0'
option vlan '6'
option ports '1 5t'
option vid '1200'
# lab: 192.168.2.0/24 on VLAN 1100; the dnsmasq_lab instance listens here.
config interface 'lab'
option proto 'static'
option ifname 'eth0.1100'
option ipaddr '192.168.2.254'
option netmask '255.255.255.0'
option delegate '0'
list dns '127.0.0.1'
option broadcast '192.168.2.255'
/etc/config/dhcp
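# /etc/config/dhcp, as posted, with one addition: rebind_domain on the lan
# instance (see the comments there).
# Three dnsmasq instances, one per zone, each listening only on its own
# interface(s) and excluded (notinterface) from the others'. "local" plus
# "domain" make an instance authoritative for its own domain only; a name in
# another instance's domain has to be forwarded to that instance, which is
# what the server=/lab.lan/ line in the lan instance does.

# lan instance: serves mydomain.lan and TFTP, forwards lab.lan to the lab
# instance and everything else to dnscrypt-proxy on 127.0.0.1#5353.
config dnsmasq 'dnsmasq_lan'
option domainneeded '1'
option localise_queries '1'
# rebind_protection makes dnsmasq discard any upstream answer that carries an
# RFC1918 address; it returns NOERROR with an empty answer section, which is
# exactly the "No answer" the LAN client's nslookup shows. From this
# instance's point of view 192.168.2.254 IS an upstream server, and every
# lab.lan answer is a private address, so the forward below can never return
# anything until lab.lan is exempted. The lan log should contain
# "possible DNS-rebind attack detected: linksys.lab.lan" for the failed
# lookups; that confirms it.
option rebind_protection '1'
option rebind_localhost '1'
# Exempt only lab.lan from the rebind check; the protection stays in force
# for everything that goes to the internet.
list rebind_domain 'lab.lan'
option expandhosts '1'
option authoritative '1'
option leasefile '/mnt/usb/log/dnsmasq_lan.leases'
# localservice: answer only clients on directly attached subnets.
option localservice '1'
# logqueries records every client's query names on the USB stick. Useful
# while chasing this, but it is a log of everyone's browsing; consider
# turning it off once lab.lan resolves.
option logqueries '1'
option logfacility '/mnt/usb/log/dnsmasq_lan.log'
option local '/mydomain.lan/'
option domain 'mydomain.lan'
# allservers has no effect with a single general-purpose upstream.
option allservers '1'
option nohosts '1'
option filterwin2k '1'
option nonegcache '1'
# noresolv: ignore the ISP resolvers; only the servers listed here are used.
option noresolv '1'
# TFTP for PXE. dnsmasq's TFTP is read-only and listens wherever this
# instance does (lan, wg0, loopback); keep nothing sensitive under tftp_root.
option enable_tftp '1'
option tftp_root '/mnt/usb/pxe/'
option cachesize '1000'
list notinterface 'wan'
list notinterface 'guest'
list notinterface 'lab'
list interface 'lan'
list interface 'wg0'
list interface 'loopback'
# Everything not answered locally goes to dnscrypt-proxy.
list server '127.0.0.1#5353'
# lab.lan is answered by the lab instance, reached on its own interface
# address (works together with rebind_domain above). Deliberately no mirror
# of this in the lab instance: lab hosts are not allowed to reach lan by the
# firewall, so don't hand them lan names either. For reverse lookups of lab
# addresses from the LAN, add
#   list server '/2.168.192.in-addr.arpa/192.168.2.254'
# as well (PTR answers carry no address, so no rebind exemption is needed).
list server '/lab.lan/192.168.2.254'
# DHCP pool for lan: .200-.239, 12h leases; option 42 advertises the router
# as NTP server (assumes an NTP server runs on it — not shown here).
config dhcp 'lan'
option interface 'lan'
option force '1'
list dhcp_option '42,192.168.1.254'
option instance 'dnsmasq_lan'
option start '200'
option leasetime '12h'
option limit '40'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# Static leases. These carry no "instance" option, so as far as I can tell
# the init script hands them to every dnsmasq instance — verify that the
# lab entry really is served by the lab instance and not only by lan.
config host
option name 'name'
option mac 'xxxx'
option ip '192.168.1.10'
...
config host
option name 'test'
option mac 'xxxx'
option ip '192.168.2.10'
...
# guest instance: serves guest.lan and sends everything else straight to
# the four listed public resolvers on plain port 53, i.e. NOT through
# dnscrypt-proxy. That keeps guest lookups out of your own resolver's cache
# and log, at the price of cleartext DNS for guests — fine if intentional.
# rebind_protection still applies, so guests are shielded from rebinding.
config dnsmasq 'dnsmasq_guest'
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option expandhosts '1'
option authoritative '1'
option localservice '1'
option logqueries '1'
option logfacility '/mnt/usb/log/dnsmasq_guest.log'
option local '/guest.lan/'
option domain 'guest.lan'
# With several upstreams, allservers queries all of them in parallel and
# takes the first reply.
option allservers '1'
option nohosts '1'
option filterwin2k '1'
option nonegcache '1'
option noresolv '1'
list server '9.9.9.9'
list server '149.112.112.112'
list server '80.67.169.12'
list server '80.67.169.40'
list interface 'guest'
option leasefile '/mnt/usb/log/dnsmasq_guest.leases'
list notinterface 'lan'
list notinterface 'wan'
list notinterface 'wg0'
list notinterface 'lab'
config dhcp 'guest'
option interface 'guest'
option force '1'
option leasetime '12h'
option start '100'
option instance 'dnsmasq_guest'
option limit '100'
# DHCP pool for lab: .100-.249, NTP option pointing at the lab interface.
config dhcp 'lab'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'lab'
list dhcp_option '42,192.168.2.254'
option instance 'dnsmasq_lab'
option force '1'
# lab instance: serves lab.lan, everything else to dnscrypt-proxy. It has
# no forward for mydomain.lan on purpose (see the lan instance).
config dnsmasq 'dnsmasq_lab'
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option expandhosts '1'
option authoritative '1'
option leasefile '/mnt/usb/log/dnsmasq_lab.leases'
option logqueries '1'
option logfacility '/mnt/usb/log/dnsmasq_lab.log'
option local '/lab.lan/'
option domain 'lab.lan'
option allservers '1'
option nohosts '1'
option filterwin2k '1'
option nonegcache '1'
option noresolv '1'
list server '127.0.0.1#5353'
option cachesize '1000'
option localservice '1'
list interface 'lab'
list notinterface 'wan'
list notinterface 'lan'
list notinterface 'wg0'
list notinterface 'guest'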
/etc/config/firewall
# /etc/config/firewall, as posted. Defaults (further down) DROP input,
# output and forward, so every line here is an explicit allow. Rules are
# evaluated in file order and take precedence over the "forwarding"
# stanzas, which matters for the guest rules below.

# NOTE(review): this opens the router's SSH port to the whole IPv4
# internet. A WireGuard port is already allowed below, so the usual
# hardening is to manage the box over the tunnel and either disable this
# rule (option enabled '0') or pin it to a known source with src_ip.
# If it stays, make sure dropbear/sshd is key-only and rate-limited.
config rule
option name 'WAN -> DEVICE | Allow SSH'
option src 'wan'
option proto 'tcp'
option dest_port '22'
option target 'ACCEPT'
option family 'ipv4'
# The following WAN -> DEVICE rules are the OpenWrt defaults.
config rule
option name 'WAN -> DEVICE | Allow DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# Ping from WAN is defined but disabled.
config rule
option name 'WAN -> DEVICE | Allow Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'WAN -> DEVICE | Allow IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'WAN -> DEVICE | Allow DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'WAN -> DEVICE | Allow MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'WAN -> DEVICE | Allow ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# WireGuard listener (port redacted). This is the remote-management path
# that makes the SSH rule above unnecessary.
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'udp'
option dest_port 'xxxx'
option name 'WAN -> DEVICE | Allow WireGuard VPN'
config rule
option name 'WAN -> ANY ZONE | Allow ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# IPsec pass-through into the lan zone (OpenWrt defaults, no dest_ip so they
# match any lan host). If nothing on the LAN terminates IPsec, these two can
# simply be removed.
config rule
option name 'WAN -> LAN | Allow IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'WAN -> LAN | Allow ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Redundant with the guest zone's forward=DROP and the absence of a
# guest -> lan forwarding, but harmless belt and braces.
config rule
option name 'GUEST -> LAN | Deny All'
option src 'guest'
option dest 'lan'
option proto 'all'
option target 'DROP'
# No "dest" here, so despite the name this is an INPUT rule: it lets guests
# talk DHCP to the router itself, not to the lan zone.
config rule
option name 'GUEST -> LAN | Allow DHCP Request'
option src 'guest'
option src_port '67-68'
option dest_port '67-68'
option proto 'udp'
option target 'ACCEPT'
# Likewise an INPUT rule: guests may query port 53 on the router
# (dnsmasq_guest). Nothing stops a guest from using DoH over the 443 allowed
# below, so this is convenience, not a DNS lock-down.
config rule
option name 'GUEST -> WAN | Allow DNS Queries'
option src 'guest'
option dest_port '53'
option proto 'tcpudp'
option target 'ACCEPT'
# Guests get TCP 80/443 to the internet only. UDP 443 (QUIC/HTTP-3) is not
# included, so browsers fall back to TCP; add it if that becomes a problem.
config rule
option name 'GUEST -> WAN | Allow HTTP/HTTPS'
option src 'guest'
option proto 'tcp'
option target 'ACCEPT'
option dest 'wan'
option dest_port '80 443'
# Because rules run before forwardings, this DROP makes the guest -> wan
# forwarding below effectively a no-op: only the HTTP/HTTPS rule above gets
# through.
config rule
option name 'GUEST -> WAN | Deny'
option src 'guest'
option dest 'wan'
option proto 'all'
option target 'DROP'
# Default-deny on all three chains; drop_invalid discards packets conntrack
# cannot classify.
config defaults
option syn_flood_protect '1'
option drop_invalid '1'
option syn_flood '1'
option input 'DROP'
option output 'DROP'
option forward 'DROP'
# lan zone also holds wg0: tunnel peers get full access to the router, the
# LAN and (via the forwarding below) the lab. Fine for your own devices; if
# the tunnel will ever carry anything less trusted, give wg0 its own zone.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan wg0'
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'DROP'
option forward 'DROP'
option network 'wan wan6'
config forwarding
option src 'lan'
option dest 'wan'
# Contents of /etc/firewall.user are not shown; anything in it also counts.
config include
option path '/etc/firewall.user'
config zone
option name 'guest'
option network 'guest'
option output 'ACCEPT'
option input 'DROP'
option forward 'DROP'
config forwarding
option dest 'wan'
option src 'guest'
# lab zone: input=ACCEPT means lab hosts can reach every service on the
# router (SSH, web UI, TFTP if it listens there). Given this is a lab that
# will get its own Wi-Fi, consider the guest pattern instead: input DROP
# plus explicit DHCP/DNS accepts. forward=DROP with only a lan -> lab
# forwarding means lab can initiate nothing towards lan or wan; replies to
# LAN-initiated connections come back through conntrack.
config zone
option input 'ACCEPT'
option forward 'DROP'
option name 'lab'
option output 'ACCEPT'
option network 'lab'
config forwarding
option dest 'lab'
option src 'lan'
Some tests:
- trying to resolve the router lab interface:
machine.mydomain.lan $
nslookup linksys.lab.lan
Server: 192.168.1.254
Address: 192.168.1.254#53
*** Can't find linksys.lab.lan: No answer
- Whereas if I try to reach the OpenWrt lab interface directly by IP:
machine.mydomain.lan $
ping 192.168.2.254
PING 192.168.2.254 (192.168.2.254) 56(84) bytes of data.
64 bytes from 192.168.2.254: icmp_seq=1 ttl=64 time=3.34 ms
...
So IP connectivity from the LAN to the lab interface works; only the name resolution fails.
- I added this line to the dnsmasq_lan section of /etc/config/dhcp, but it doesn't help:
list server '/lab.lan/192.168.2.254'
- From the router itself, I can ping lab machines by name:
root@linksys:/etc/config# ping test.lab.lan
PING test.lab.lan (192.168.2.10): 56 data bytes
64 bytes from 192.168.2.10: seq=1 ttl=64 time=0.223 ms
64 bytes from 192.168.2.10: seq=2 ttl=64 time=0.339 ms
...
And some remarks:
- Both DHCP and DNS work on their respective interfaces: linksys.mydomain.lan and linksys.lab.lan each resolve from their own subnet, and DHCP with static leases works too.
- The ADM zone is not configured yet, only its interface (eth0.1200); it is planned as the mirroring port once the other issues are fixed.
- As you may notice, I use dnscrypt-proxy2 for Internet DNS queries, which explains the 127.0.0.1#5353 upstream.
- Once everything works, I'll add a Wi-Fi network on the lab interface.
If anyone has the solution, I'd be happy to hear it.
And of course, if anyone finds any odd patterns, or have a better network configuration, let me know...
Thank you !