I have a C7 V2 configured as an AP and I'd like to use the WAN port so that the device I connect it to lives in its own LAN, with internet access but incapable of seeing or contacting the hosts on the main LAN.
I have read multiple threads but I cannot figure out how things should be configured.
This is my network file:
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdba:fd2c:4f2e::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.2'
list ports 'eth1.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.1.2'
option gateway '192.168.1.1'
list dns '8.8.8.8'
list dns '9.9.9.9'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 6t'
DHCP is disabled since the main router takes care of that part.
You've got both VLANs connected to br-lan: remove VLAN2 from it, then create a new interface (e.g. "LAN2") with just VLAN2 in it and give it IP-address 192.168.2.1 or similar.
Create a new firewall-zone for LAN2 and disable forwarding from LAN<->LAN2
Create a new firewall-rule for LAN2 to allow forwarding from LAN2 to !192.168.1.0/24 -- the exclamation-mark inverses that rule, ie. it basically says "allow forwarding to anything except to the 192.168.1.0/24-network"
You need to add a static route on your main router for 192.168.2.0/24, with 192.168.1.2 as the gateway.
Add a firewall-rule for LAN-zone to allow forward from !192.168.1.0/24 to LAN2-zone, or allow forwarding from any to LAN2, if you want to be able to connect from LAN to LAN2, but not vice versa.
Is eth0.2 corresponding to the WAN ethernet port on the C7, or is it eth1.1? I cannot find a cross-reference in the Network -> interaces or in Network -> Switch that would let me understand this.
Edit: I think it's eth0.2 because eth0 is one of the CPU ethernets and .2 must correspond to VLAN 2?
Thanks! Was having some trouble at understanding the Switch page; now I still need to keep a bridge for the regular ethernet ports even if it has only eth1.1 in it because it is needed for the WLAN, is that right?
A bridge groups different network-ports together and allows for traffic to flow between them, so yes, if you want WLAN and the LAN-ports to all be part of the same LAN-network, they all need to be part of the same bridge.
Thanks; here you mean that I should assign a static address to the new interface so that it creates its own separate network, but do I leave the main router as IPv4 gateway? I guess so
Thanks! I already added the DHCP server. You have been extremely helpful, I was thinking perhaps once I am done I could add a wiki page about this.
Indeed, that's what I am going for!
I created these rules
accept forward LAN -> LAN2
reject forward LAN2 -> LAN
accept forward LAN2 -> any
Because of the order it should still work as intended? I can SSH into a LAN2 host from LAN however LAN2 hosts have no internet. Perhaps I need NATing too?
I already did step 4 (adding a static route on the main router) and DHCP is working fine, but it just can't route packets through the default route (192.168.2.1, which can be pinged though).
root@debian:~# ip route
default via 192.168.2.1 dev eth0 proto dhcp metric 100
169.254.0.0/16 dev eth0 scope link metric 1000
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.186 metric 100
root@debian:~# ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=0.194 ms
64 bytes from 192.168.2.1: icmp_seq=2 ttl=64 time=0.221 ms
^C
--- 192.168.2.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1029ms
rtt min/avg/max/mdev = 0.194/0.207/0.221/0.013 ms
Disclaimer: different router than OP's. The same procedure applies, however. Another --possibly easier -- option would be proper tagged VLANs, but that requires the main router to support those as well.
I was testing only with pings, but I had never enabled ICMP in the traffic rule my bad...
I noticed that traceroute was doing successful reverse DNS and then tried a curl command and found the issue; many thanks for all the help! I will start a wiki page, perhaps we could add there also the other approach with native VLANs?
The firewall rule is wrong, by the way: it's supposed to be !192.168.1.0/24, ie. to any zone except LAN.
That's my bad: I should have told to set the protocol to 'Any'. When you're used to doing things like this, it's sometimes a little too easy to forget to mention every single thing someone with less experience needs to know about
You should maybe ask others here as well for some opinions on whether you should do a whole new page or just extend an existing one. I mean, you are basically just setting up a guest network here, even if you are doing it for your own uses, and there are some pages for guest networking there already.
Also, this setup is kind of minimal: if you e.g. wanted to be able to have port-forwarding from the main-router's WAN into some devices on LAN2, you'd also need to add a new rule on LAN2-zone that allows forwarding from 'any' to the desired port of the desired device on LAN2.
Currently you don't need one for general Internet-traffic, because when a device on LAN2 contacts something on the Internet, the routers now consider a connection between that device on LAN2 and the something on the Internet as having been established and thus allow for related traffic in the other direction as well. Alas, if you have port-forwarding set up, there is no connection established between the device on LAN2 and whatever on the Internet yet, so there has to be a rule to allow the traffic in even without there being a pre-established connection.
Anyways, I'll look into explaining the basic setup for a tagged VLAN later on. I'll leave the Wiki-stuff to you; I have Asperger's syndrome and I am not always particularly clear or efficient in my communications.
It's ok, we can share the blame on this I remember looking at the combo box options for a minute but I didn't connect the dots. I am inexperienced with OpenWRT and the web UI very often leads me to dead ends (I am not saying it is a bad UI, just not great for me).
I understand; I could not find any wiki page explaining anything similar though.
Thanks for the help so far! I didn't have any problem understanding what you wrote, but I also have little experience with OpenWRT so every option is a question for me.
my bad...
I remember looking at the combo box options for a minute but I didn't connect the dots. I am inexperienced with OpenWRT and the web UI very often leads me to dead ends (I am not saying it is a bad UI, just not great for me).