I've reconfigured my router to an access point, DHCP off, added VLANs, lots of interface + switch tweaks (DSA device), former WAN port is now used as VLAN trunk.
Everything I need is working so far.
Except, I can now no longer download OpenWRT packages to the device. It seems it is no longer able to connect.
I must have unknowingly removed/changed the interface/zone/whatsoever config parts that are required to download packages from OpenWRT servers.
Can someone point me to which config components or firewall rules the OpenWRT device needs to be able to download software packages?
Typically this is not a firewall thing. More often than not, it is a network config issue -- be sure to have the gateway and dns set appropriately.
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
If you don't use DHCP client for your uplink, but prefer a static configuration, make sure to configure the gateway and DNS servers as well.
--
Personally I prefer DHCP with static DHCP leases for everything; it makes potential changes/renumbering much easier (one single place to configure 'everything', on the router) and sidesteps issues like these completely.
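The point made in the two replies above (a static uplink needs its gateway and DNS set, or the device itself has no way out), turned into a check. This is an added example, not code from the thread or from OpenWrt: a POSIX shell/awk audit of a /etc/config/network file read on stdin. The two embedded configs are constructed from the AP's lan and wan stanzas posted further down (abridged), and the fixed variant assumes the router at 192.168.3.1 is the AP's default route and resolver.

```shell
# Audit an OpenWrt /etc/config/network (stdin) for the mistake in this thread: a
# static uplink without 'option gateway' / 'list dns' leaves the device itself
# (opkg included) with no route out and no resolver. Prints findings, returns 1.
audit_network_config() {
    awk '
    function unq(s) { return substr(s, 2, length(s) - 2) }   # strip UCI quotes
    $1 == "config" && $2 == "interface" { sec = unq($3); next }
    $1 == "config"                      { sec = ""; next }    # other section types
    sec == ""                           { next }
    $1 == "option" && $2 == "proto"     { proto[sec] = unq($3); next }
    $1 == "option" && $2 == "device"    { dev[sec] = 1; next }
    $1 == "option" && $2 == "gateway"   { gw[sec] = 1; next }
    $2 == "dns"                         { dns[sec] = 1; next } # option dns or list dns
    END {
        gwsrc = dnssrc = 0
        for (s in proto) {
            if (s == "loopback") continue
            if (proto[s] ~ /^dhcp/ && !(s in dev))
                printf "interface %s: proto %s but no device, it can never get a lease\n", s, proto[s]
            if (proto[s] == "dhcp" && (s in dev)) { gwsrc++; dnssrc++ }  # a lease brings both
            if (proto[s] == "static" && (s in gw))  gwsrc++
            if (proto[s] == "static" && (s in dns)) dnssrc++
        }
        if (!gwsrc)  print "no interface provides a default gateway: add option gateway to the static uplink"
        if (!dnssrc) print "no interface provides a DNS server: add list dns to the static uplink"
        exit !(gwsrc && dnssrc)
    }'
}

# Constructed sample: the AP lan and wan stanzas as posted below (abridged).
AP_NETWORK_AS_POSTED="config interface 'lan'
    option device 'br-lan.16'
    option proto 'static'
    option ipaddr '192.168.3.4'
    option netmask '255.255.255.0'

config interface 'wan'
    option proto 'dhcp'"
# Constructed sample: the lan stanza with the router (192.168.3.1, assumed) as
# default route and resolver, and the inert wan stanza dropped.
AP_NETWORK_FIXED="config interface 'lan'
    option device 'br-lan.16'
    option proto 'static'
    option ipaddr '192.168.3.4'
    option netmask '255.255.255.0'
    option gateway '192.168.3.1'
    list dns '192.168.3.1'"
printf '%s\n' "$AP_NETWORK_AS_POSTED" | audit_network_config || true
printf '%s\n' "$AP_NETWORK_FIXED" | audit_network_config && echo "fixed config: ok"
```

On a live device the same check is `audit_network_config < /etc/config/network`.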
Thanks for your help. My setup so far: 1 router + 1 AP
Trying to go with the often-used lan + guest + iot network setup on both devices
This is my package download issue on the AP:
root@MR90X:~# opkg update
Downloading https://downloads.openwrt.org/releases/23.05.0-rc3/targets/mediatek/filogic/packages/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/23.05.0-rc3/targets/mediatek/filogic/packages/Packages.gz
...(rest truncated for readability, same message repeated over again)
"network" on my access point device:
DSA-Device: 3 LAN ports (lan0-2) + a 4th "eth1" which is WAN in default config, "eth1" is used as VLAN trunk to the router
guest network not fully set up yet
devices on interfaces lan, iot and their Wi-Fis work so far without noticeable flaws
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdec:xxxx:6f03::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'lan0'
	list ports 'lan1'
	list ports 'lan2'

config device
	option name 'lan0'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'lan1'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'lan2'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'lan'
	option device 'br-lan.16'
	option proto 'static'
	option ipaddr '192.168.3.4'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config interface 'iot'
	option proto 'static'
	option device 'br-lan.17'
	option ipaddr '192.168.6.4'
	option netmask '255.255.255.0'

config bridge-vlan
	option device 'br-lan'
	option vlan '16'
	list ports 'eth1:t'
	list ports 'lan0'
	list ports 'lan1'
	list ports 'lan2'

config bridge-vlan
	option device 'br-lan'
	option vlan '17'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '18'
	list ports 'eth1:t'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.18'
	option ipaddr '192.168.5.4'
	option netmask '255.255.255.0'
"firewall" on my access point:
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'iot'

config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'
"network" of the router (x86, 5 dedicated LAN ports: eth0-4)
eth4 is the trunk port towards the previously mentioned AP
eth3 is prepared as another tagged VLAN port, but not used so far
eth1 is WAN port
also here: guest interface is just initially prepared, but not yet tested
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd19:xxxx:c122::/48'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth1'

config interface 'wan6'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option device 'eth1'
	option reqprefix '56'

config interface 'lan'
	option device 'br-lan.16'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.3.1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'

config bridge-vlan
	option device 'br-lan'
	option vlan '16'
	list ports 'eth0'
	list ports 'eth2'
	list ports 'eth3:t'
	list ports 'eth4:t'

config interface 'iot'
	option proto 'static'
	option device 'br-lan.17'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

config bridge-vlan
	option device 'br-lan'
	option vlan '17'
	list ports 'eth3:t'
	list ports 'eth4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '18'
	list ports 'eth4:t'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.18'
	option ipaddr '192.168.5.1'
	option netmask '255.255.255.0'
"firewall" on the x86 router:
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'iot'

config forwarding
	option src 'iot'
	option dest 'wan'

config rule
	option name 'IOT DHCP'
	list proto 'udp'
	option src 'iot'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'IOT DNS'
	option src 'iot'
	option dest_port '53'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'
It is recommended to have the input rule for untrusted networks set to REJECT. You've done it on the IoT network... you may want to consider doing this on the guest network too (you'll want to either create similar rules as you did for the IOT DNS and IOT DHCP, or change those to accept on any zone).
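The recommendation above as a check, plus what the hardened guest zone would look like. This is an added example, not config or code from the thread or from OpenWrt: a POSIX shell/awk audit of /etc/config/firewall read on stdin that flags any zone other than 'lan' and 'wan' (assumed to be the trusted and upstream zones) whose input is not REJECT, and a REJECT zone that lacks the DHCP and DNS input rules the IoT zone already has. The embedded guest stanza is constructed from the router's guest zone above; the rule names 'Guest DHCP' and 'Guest DNS' are my own.

```shell
# Audit an OpenWrt /etc/config/firewall (stdin) for the advice above: every zone
# except the trusted 'lan' and the upstream 'wan' (assumed names) should have
# input REJECT, plus rules admitting DHCP (udp 67-68) and DNS (53) to the router.
audit_firewall_zones() {
    awk '
    function unq(s) { return substr(s, 2, length(s) - 2) }   # strip UCI quotes
    $1 == "config"                 { n++; kind[n] = $2; next }
    $1 == "option" || $1 == "list" { v[n, $2] = unq($3); next }
    END { bad = 0
        # ACCEPT rules without dest are input rules (traffic to the router itself)
        for (i = 1; i <= n; i++) if (kind[i] == "rule" && v[i, "target"] == "ACCEPT" && !((i, "dest") in v)) {
            if (v[i, "dest_port"] == "53") dns[v[i, "src"]] = 1
            if (v[i, "dest_port"] ~ /^67/) dhcp[v[i, "src"]] = 1
        }
        for (i = 1; i <= n; i++) {
            if (kind[i] != "zone") continue
            z = v[i, "name"]; if (z == "lan" || z == "wan") continue
            if (v[i, "input"] != "REJECT") {
                printf "zone %s: input %s exposes every router service to that network, set REJECT\n", z, v[i, "input"]
                bad++; continue
            }
            if (!(z in dhcp)) { printf "zone %s: input REJECT but no DHCP rule (udp 67-68) from it\n", z; bad++ }
            if (!(z in dns))  { printf "zone %s: input REJECT but no DNS rule (port 53) from it\n", z; bad++ }
        }
        exit (bad > 0)    # non-zero when any finding was printed
    }'
}
# Constructed sample: the router guest zone from above, hardened the same way
# the thread already did for IoT (the rule names are my own).
GUEST_HARDENED="config zone
    option name 'guest'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    list network 'guest'

config rule
    option name 'Guest DHCP'
    option src 'guest'
    option proto 'udp'
    option dest_port '67-68'
    option target 'ACCEPT'

config rule
    option name 'Guest DNS'
    option src 'guest'
    option dest_port '53'
    option target 'ACCEPT'"
printf '%s\n' "$GUEST_HARDENED" | audit_firewall_zones && echo "guest zone: ok"
```

Run against the guest zone exactly as posted (input ACCEPT) the audit prints a finding and returns 1; on a live router use `audit_firewall_zones < /etc/config/firewall`.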
Also got it: my initial misunderstanding was simply wondering how on earth the device could possibly guess from which of the 3 interfaces to pull the updates. That's what happens when you dumbically just click buttons in a GUI without using a brain: point is, OpenWRT is not loading anything magically from within the "device" zone, getting stuff from elsewhere, just because I click the "update lists" button.
opkg in my case simply runs from an IP in the LAN zone (and LuCI also runs from within a browser from a client IP within the LAN as well, and that's why DNS and gateway on the LAN zone were relevant for updating the package list in this case)
(And due to my great idea of setting a static IP for the AP, I missed DNS and Gateway)