Hello!
I have some problems with firwewall configuration on OpenWrt.
This is how my LAN looks like:
Devices: [my_laptop], [some_wifi_router], [carambola8_with_OpenWRT].
When devices are connected as above, I can do ssh from [my_laptop] to [carambola8_with_OpenWRT].
However, when I connect [carambola8_with_OpenWRT] as wifi client via wlan interface, I can't do ssh from [my_laptop] to [carambola8_with_OpenWRT]. Connection is refused.
[my_laptop] ---wificonn--->[some_router]<---wificonn---[carambola8_with_OpenWRT]
When I disable firewall on OpenWrt, ssh works even on wifi connection.
It works when I change option input to ACCEPT in wan zone, but that is not the point.
I've tried to add rule as below, but it does not help:
# Allow SSH in, when using wlan interface
config rule
option name Allow-SSH-in
option src wlan
option dest_port 22
option proto tcp
option target ACCEPT
option enabled 1
This is how config zones and forwarding looks like:
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wlan
list network 'wlan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option src wlan
option dest wan
I agree - @pawel_ub, it seems you want them to have the same firewall permissions. Also, to solve the issue, you must permit forward from Firewall Zone wlan to Zone lan (or, just now obviously, put them in the same LAN Zone).
it seems you want them to have the same firewall permissions.
Yes! This is exactly what I would like to achieve.
On lan interface everything works fine, so I assume that after assigning wlan interface to lan firewall zone should help.
But I'm really newbie in OpenWrt and networking, could you help me do this?
Now I changed config zones and forwarding, but still it is not working:
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
list network 'wlan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
#config zone
# option name wlan
# list network 'wlan'
# option input ACCEPT
# option output ACCEPT
# option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
# option src wlan
option dest wan
Below are complete firewall and network files from my OpenWrt device.
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan wlan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
#config zone
# option name wlan
# list network 'wlan'
# option input ACCEPT
# option output ACCEPT
# option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
# option src wlan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option src_ip fc00::/6
option dest_ip fc00::/6
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
# Allow SSH in, when using wlan interface
#config rule
# option name Allow-SSH-in
# option src wan
# option dest_port 22
# option proto tcp
# option target ACCEPT
# option enabled 1
# Include a file with users custom iptables rules
config include
option path /etc/firewall.user
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdd3:9a1a:c9d9::/48'
config interface 'lan'
option ifname 'eth0'
option proto 'dhcp'
config interface 'wlan'
option ifname 'wlan0'
option proto 'dhcp'
config interface 'wan'
option ifname 'wlan0'
option proto 'static'
option ipaddr '192.168.2.88'
option netmask '255.255.255.0'
option gateway '192.168.2.1'
list dns '192.168.2.1'
list dns '8.8.8.8'
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
list network 'wlan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option src_ip fc00::/6
option dest_ip fc00::/6
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
# Include a file with users custom iptables rules
config include
option path /etc/firewall.user
your ethernet lan port and wireless radios (on carambola8) are not bridged ( may be you have done that purposely ) if so then make both ethernet and wirelss port listen to ssh in ssh config
you can check it via netstat it both are listenting for ssh check firewall rules
2 . your lan port and wireless int are bridged ( check for captive portal config )
> Your configuration is inconsistent.
>
> * In /etc/config/network, remove all `option ifname 'wlan0'`
> * In /etc/config/wireless, change `option network 'wan'` to `option network 'wlan'`
> * Reboot
this wil work accidently , i ll prove it and your current working config can also cause problem , understand the concept lying with the openwrt switch all will work , dont close this issue , i will help you for sure