Hi All,
I am new to OpenWrt and I am learning it as I go.
I have just built an OpenWrt router/AP on a RPi 3B+ following the NetworkChuck tutorial online.
I currently have the following configuration: the onboard wifi and a USB Ralink 802.11n WLAN.
The current routes that I have are:
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0
10.77.77.0 * 255.255.255.0 U 0 0 0 br-lan
192.168.1.0 * 255.255.255.0 U 0 0 0 wlan0
I want to be able to access devices on 10.77.77.0 from a PC located in the 192.168.1.0 network.
I have added the 10.77.77.0/24 network for IoT and I want to be able to connect to them from my Home Assistant located in the 192.168.1.0/24 network.
I am not sure how to do it. I would be happy to get assistance on creating the static route to make my TWO networks connected, so I will be able to connect from 10.77.77.0 to 192.168.1.0 and vice versa.
I have SSID-02 on the 10.77.77.0 network; that way I can connect all my devices to it and have them connected to the internet from the new OpenWrt RPi3.
I want to be able to have devices located on the 10.77.77.0 network and access them from 192.168.1.0, and also have them send data to servers on 192.168.1.0 from 10.77.77.0.
Please assist me with doing that and make them talk from one LAN to another.
I would be happy to know all I need to do in order to have the settings the way I need them to be: any device on 10.77.77.0 can get to any device on 192.168.1.0 and vice versa.
It seems that the 192.168.1.0/24 network is upstream of your Pi. Is that correct?
Does your upstream router (192.168.1.1) have the ability to set static routes? This is required for what you want to do (you don't need to set a static route on the Pi because it already has a route from the 10.77.77.0/24 network > 192.168.1.0/24; the other direction 192.168.1.0/24 > 10.77.77.0/24 must be added to the 192.168.1.1 router).
That static route will be 10.77.77.0/24 via 192.168.1.97.
Then you will need to make a few modifications to the firewall on the OpenWrt (Pi), but the first thing is the main router static route.
EDIT: It is worth noting that the current security model you have (i.e. the IoT network behind the Pi) doesn't really protect your trusted network (in front of the Pi) because the firewall doesn't isolate the networks. Currently, the IoT network can initiate connections to the main network, but not vice versa. You'll want to actually reverse this behavior if you want to prevent the IoT network from initiating connections to your trusted network. But we'll get to that later.
Thanks @psherman
Yes, it is my upstream. I'll have to check the way to create a static route on my router (Archer VR600).
I am already thinking of changing it to pfSense (but I am not there yet; I am sure that on pfSense it would be an easier way to create a static route).
Would an ERROR in creating the route affect my router in any way? Meaning, I will not be able to access it or something like that?
If you change to pfSense (or OpenWrt) as your main router, you could actually just create VLANs to handle the different networks (trusted LAN, IoT, guest, etc.) and set up the firewall rules on the router to provide the access/restrictions as desired... you wouldn't need a second router.
A major error could potentially mess things up, but the static routes are pretty simple. All you really need is the destination network (10.77.77.0/24) and the IP address of the gateway that gets you to the destination network (192.168.1.97) -- also called "via" when you are setting this up. These values are pulled from the configuration you shared.
On your OpenWrt Pi, you can edit the firewall using the web interface, uci commands, or by editing the firewall file directly, whichever is most comfortable for you.
Thanks a lot @psherman
I will have to test and will work on security after I have it working for a while and see that I have the settings correct on my devices.
I sure want to have the IoT be secure. I put a VERY STRONG password on it for starters.
I know that this is not enough - but it will give me time to check the network.
Thanks @psherman for all your help.
I have a question regarding the firewall settings that I have made.
Is it allowing ALL ports from 192.168.1.0 to 10.77.77.0 and also ALL ports from 10.77.77.0 to 192.168.1.0?
Thanks
So I'm not sure exactly what your goals are here, but my perspective may be different.
IMO, the network that is important to secure is the trusted LAN (where your computers and valuable data live). The IoT network should still be secured, but putting a "VERY STRONG" password on the IoT network doesn't really help protect your main network.
I'd have to see your firewall file (/etc/config/firewall) to know what your current settings look like, and I'd also need to know your objectives if you want advice about how to set your firewall.
My angle on the security model is as follows:
IoT devices are generally not considered trusted devices. They may have vulnerabilities that could be actively exploited (either within the firmware residing within the product, or with cloud infrastructures that some of the IoT devices require).
IoT devices will probably not get frequent updates to patch those vulnerabilities, and more could be found at any time.
At some point, IoT devices won't be actively supported by the vendors, but may continue to function, albeit in an even less trustworthy mode of operation since updates will cease and cloud services may not be properly maintained.
So, these IoT devices should always be treated with a level of distrust.
You may or may not wish to allow the IoT devices access to the internet (sometimes it is required, other times it is optional) due to potential security issues or just simple privacy considerations (i.e. does your smart light bulb manufacturer build a profile of your usage with their cloud services and do you want to prevent the devices from calling home?)
The IoT network, as a potential security threat, should not have free access to the main trusted network.
The main trusted network, on the other hand, should be secured against access from any untrusted devices/users.
The trusted network may or may not need access to the IoT network.
The firewall can be used to craft the allowances and restrictions as large blanket rules or targeted/granular ones.
As an example, you can set up firewall rules that allow the trusted LAN to initiate connections and the IoT network to respond, while blocking the reverse situation (basically this equates to telling the IoT network "you will not speak unless you are spoken to").
If the above is your desired result, you need to set the firewall to drop or reject all traffic from source 10.77.77.0/24 to destination 192.168.1.0/24. Then, based specifically on how your OpenWrt setup is being configured and used, allow forwarding from WAN > LAN (normally this would not be recommended if the OpenWrt device was directly connected to the internet).
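As an added example (not psherman's own config and not something generated by OpenWrt itself), here is an /etc/config/firewall layout for the Pi that implements the "IoT does not speak unless spoken to" model from the post above. It assumes the zone names lan (br-lan, 10.77.77.0/24) and wan (wlan0, 192.168.1.97) from the tutorial-style default config, and that the static route 10.77.77.0/24 via 192.168.1.97 has already been added on the 192.168.1.1 router; the first two stanzas are the default zones shown for context, the rule and the last forwarding are the additions.

```uci
# /etc/config/firewall on the OpenWrt Pi (zone names assumed from the default config)

config zone
	option name 'lan'
	list network 'lan'          # br-lan: 10.77.77.0/24, the IoT SSID-02
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'          # wlan0: 192.168.1.97 on the trusted 192.168.1.0/24
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Default lan -> wan forwarding. This is what currently lets the IoT network
# initiate connections toward the trusted LAN (and the internet).
config forwarding
	option src 'lan'
	option dest 'wan'

# Added: reject new connections from IoT to the trusted LAN. Rules are evaluated
# before zone forwardings, so the IoT devices keep internet access via wan but
# cannot open connections to 192.168.1.0/24. Replies to connections that the
# trusted LAN opened are still allowed by the stateful (established/related) handling.
config rule
	option name 'Reject-IoT-to-trusted-LAN'
	option src 'lan'
	option src_ip '10.77.77.0/24'
	option dest 'wan'
	option dest_ip '192.168.1.0/24'
	option proto 'all'
	option target 'REJECT'

# Added: let the trusted LAN (which sits on the wan side of this Pi) initiate
# connections into the IoT network. Only appropriate here because "wan" is the
# home LAN behind 192.168.1.1, not a direct internet connection.
config forwarding
	option src 'wan'
	option dest 'lan'
```

After editing, apply it with `/etc/init.d/firewall restart` and confirm from a 10.77.77.x device that the trusted LAN is unreachable while the internet still works, and from a 192.168.1.x PC that the IoT device answers.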