Static Route with RPI3 Basic OpenWrt

Hi All,
I am new to OpenWrt and I am learning it as I go.
I have just built an OpenWrt router/AP on a RPI3B+ following the NetworkChuck tutorial online.
I currently have the following configuration, with the onboard Wi-Fi and a USB Ralink 802.11n WLAN adapter.
The current routes that I have are:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
10.77.77.0      *               255.255.255.0   U     0      0        0 br-lan
192.168.1.0     *               255.255.255.0   U     0      0        0 wlan0

I want to be able to access devices on 10.77.77.0 from a PC located in the 192.168.1.0 network.
I have added the 10.77.77.0/24 network for IoT, and I want to be able to connect to those devices from my Home Assistant, located in the 192.168.1.0/24 network.

The current configuration I have for network is:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd80:b2f7:f25d::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.77.77.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option force_link '1'

config interface 'wwan'
        option proto 'static'
        option device 'wlan0'
        option ipaddr '192.168.1.97'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        option broadcast '192.168.1.255'
        option peerdns '0'
        option dns '8.8.8.8 1.1.1.1'

I am not sure how to do it. I would be happy to get assistance with creating the static route to connect my TWO networks, so that I will be able to connect from 10.77.77.0 to 192.168.1.0 and vice versa.

The following is my Wireless:

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '7'
        option hwmode '11g'
        option path 'platform/soc/3f300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
        option htmode 'HT20'
        option disabled '0'
        option short_gi_40 '0'
        option cell_density '0'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'sta'
        option network 'wwan'
        option ssid 'SSID-01'
        option encryption 'psk2'
        option key 'MyPassHERE'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/soc/3f980000.usb/usb1/1-1/1-1.3/1-1.3:1.0'
        option htmode 'HT20'
        option disabled '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'SSID-02'
        option encryption 'psk2'
        option key 'MyPassHERE'

I have SSID-02 on the 10.77.77.0 network; that way I can connect all my devices to it and have them connected to the internet through the new OpenWrt RPI3.

I want to be able to have devices located on the 10.77.77.0 network and access them from 192.168.1.0, and also have them send data to servers on 192.168.1.0 from 10.77.77.0.

Please assist me with doing that and making them talk from one LAN to another.
I would be happy to know all I need to do in order to have the settings the way I need them to be: any device on 10.77.77.0 can get to any device on 192.168.1.0 and vice versa.

Thank you
Arye

It seems that the 192.168.1.0/24 network is upstream of your Pi. Is that correct?

Does your upstream router (192.168.1.1) have the ability to set static routes? This is required for what you want to do (you don't need to set a static route on the Pi because it already has a route from the 10.77.77.0/24 network > 192.168.1.0/24; the other direction 192.168.1.0/24 > 10.77.77.0/24 must be added to the 192.168.1.1 router).

That static route will be 10.77.77.0/24 via 192.168.1.97.
Then you will need to make a few modifications to the firewall on the OpenWrt (Pi), but the first thing is the main router static route.

EDIT: It is worth noting that the current security model you have (i.e. the IoT network behind the Pi) doesn't really protect your trusted network (in front of the Pi) because the firewall doesn't isolate the networks. Currently, the IoT network can initiate connections to the main network, but not vice versa. You'll want to actually reverse this behavior if you want to prevent the IoT network from initiating connections to your trusted network. But we'll get to that later.

1 Like

Thanks @psherman
Yes, it is my upstream. I'll have to check how to create a static route on my router (ARCHER VR600).
I am already thinking of changing it to pfSense (but I am not there yet; I am sure that on pfSense there would be an easier way to create a static route).

Would an ERROR in creating the route affect my router in any way? Meaning, I will not be able to access it or something like that?

Thanks

If you change to pfSense (or OpenWrt) as your main router, you could actually just create VLANs to handle the different networks (trusted LAN, IoT, guest, etc.) and set up the firewall rules on the router to provide the access/restrictions as desired... you wouldn't need a second router.

A major error could potentially mess things up, but the static routes are pretty simple. All you really need is the destination network (10.77.77.0/24) and the IP address of the gateway that gets you to the destination network (192.168.1.97) -- also called "via" when you are setting this up. These values are pulled from the configuration you shared.

1 Like

Thanks @psherman
Yes that is what I want to do.
Are these settings OK? Can I save it and will it work? Thanks
[image]

Yes, but the interface won’t be pppoe. It will be the lan.

You will also need to modify the openwrt firewall:

  • turn off masquerading on the wan.
  • enable forwarding from wan > lan

Thanks @psherman
I don't have another one to choose from; it is the only one.

Oh. Ok. That should stay as is. It is the wan/default route. The static route should work as you showed before.

Edit: does it give you the option when you are creating the static route to select the interface?

1 Like

Thanks @psherman
You are RIGHT!!! It does give me the LAN interface in the dropdown :slight_smile:
This should work, correct?

Yes. That looks good

Thanks @psherman , I have created it.
Now I need to follow this and have the ability to connect with 10.77.77.0, right?

Should I edit the firewall file? Where do these settings need to be done?
Thanks

On your OpenWrt Pi, you can edit the firewall using the web interface, uci commands, or by editing the firewall file directly, whichever is most comfortable for you.

Thanks @psherman
Is this enough, or do I need to make changes in the reject section at the top?

or this


Since I could not put two images in one post, I had to put it in a new one.

Yes. Masquerading off. Forward to lan enabled.

1 Like

Thanks @psherman
Is that how it should be?

Yes. This does not give you additional security, but does allow the connections you have specified.

1 Like

Thanks a lot @psherman
I will have to test it and will work on security after I have had it working for a while and see that I have the settings correct on my devices.
I surely want to have the IoT be secure; I put a VERY STRONG password on it for starters :slight_smile:
I know that this is not enough, but it will give me time to check the network.

Thank you!

Thanks @psherman for all your help.
I have a question regarding the Firewall settings that I have made
Does it allow ALL ports from 192.168.1.0 to 10.77.77.0 and also ALL ports from 10.77.77.0 to 192.168.1.0?
Thanks

So I'm not sure exactly what your goals are here, but my perspective may be different.
IMO, the network that is important to secure is the trusted LAN (where your computers and valuable data live). The IoT network should still be secured, but putting a "VERY STRONG" password on the IoT network doesn't really help protect your main network.

I'd have to see your firewall file (/etc/config/firewall) to know what your current settings look like, and I'd also need to know your objectives if you want advice about how to set your firewall.

My angle on the security model is as follows:

  • IoT devices are generally not considered trusted devices. They may have vulnerabilities that could be actively exploited (either within the firmware residing within the product, or with cloud infrastructures that some of the IoT devices require).
  • IoT devices will probably not get frequent updates to patch those vulnerabilities, and more could be found at any time.
  • At some point, IoT devices won't be actively supported by the vendors, but may continue to function, albeit in an even less trustworthy mode of operation since updates will cease and cloud services may not be properly maintained.
  • So, these IoT devices should always be treated with a level of distrust.
  • You may or may not wish to allow the IoT devices access to the internet (sometimes it is required, other times it is optional) due to potential security issues or just simple privacy considerations (i.e. does your smart light bulb manufacturer build a profile of your usage with their cloud services and do you want to prevent the devices from calling home?)
  • The IoT network, as a potential security threat, should not have free access to the main trusted network.
  • The main trusted network, on the other hand, should be secured against access from any untrusted devices/users.
  • The trusted network may or may not need access to the IoT network.
  • The firewall can be used to craft the allowances and restrictions as large blanket rules or targeted/granular ones.
  • As an example, you can set up firewall rules that allow the trusted LAN to initiate connections and the IoT network to respond, while blocking the reverse situation (basically this equates to telling the IoT network "you will not speak unless you are spoken to").

If the above is your desired result, you need to set the firewall to drop or reject all traffic from source 10.77.77.0/24 to destination 192.168.1.0/24. Then, based specifically on how your OpenWrt setup is being configured and used, allow forwarding from WAN > LAN (normally this would not be recommended if the OpenWrt device was directly connected to the internet).

1 Like
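The two firewall states psherman describes in this thread (first "masquerading off, forward wan > lan" so the two networks can talk in both directions; then the hardened model that drops or rejects connections initiated from 10.77.77.0/24 toward 192.168.1.0/24) written out as `uci batch` scripts for the Pi. This is an added example for this page, not code from the thread or from OpenWrt itself. It assumes the OpenWrt default zone names 'lan' (the IoT side) and 'wan' (the side facing 192.168.1.0/24), since the zone screenshots are not reproduced here; that the sta interface is the 'wwan' interface from the posted network config; and that the upstream router already has the 10.77.77.0/24 via 192.168.1.97 route. The rule name and the sample `uci show firewall` text are constructed from a default install.

```shell
#!/bin/sh
# Added example for this thread, not code from the posts. Assumptions: default
# OpenWrt zone names 'lan' (IoT side, 10.77.77.0/24) and 'wan' (side facing
# 192.168.1.0/24), and the sta interface named 'wwan' as in the network config.

# Constructed sample of `uci show firewall` output on a default install, used so
# the helpers below can be exercised offline. On the Pi pass the real output:
#   emit_hardened_batch "$(uci show firewall)" wwan
SAMPLE_SHOW=$(cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
EOF
)

# Print the uci section id ("@zone[1]" or a named section) of the zone whose
# name option is $2, given `uci show firewall` text in $1. Zones are anonymous
# sections, so "firewall.wan" is not a valid path; look the index up rather
# than hard-coding it.
zone_section() {
    printf '%s\n' "$1" | sed -n "s/^firewall\.\([^.]*\)\.name='$2'\$/\1/p" | head -n 1
}

# Succeed if interface $3 is already in the network list of zone section $2
# (show text in $1).
zone_has_network() {
    printf '%s\n' "$1" | grep -F "firewall.$2.network=" | grep -q "'$3'"
}

# Batch for the state the thread reaches ("make them talk"): the upstream-facing
# interface in the wan zone, masquerading off so 10.77.77.x source addresses
# reach 192.168.1.1 unchanged (which is what its static route is for), and
# forwarding wan -> lan. Either side can then initiate connections.
emit_open_batch() {
    ob_show=$1
    ob_if=${2:-wwan}
    ob_wan=$(zone_section "$ob_show" wan)
    [ -n "$ob_wan" ] || { echo "no zone named wan" >&2; return 1; }
    if ! zone_has_network "$ob_show" "$ob_wan" "$ob_if"; then
        echo "add_list firewall.$ob_wan.network='$ob_if'"
    fi
    echo "set firewall.$ob_wan.masq='0'"
    cat <<EOF
add firewall forwarding
set firewall.@forwarding[-1].src='wan'
set firewall.@forwarding[-1].dest='lan'
EOF
}

# Batch for the hardened model: everything above, plus a traffic rule that
# rejects connections the IoT side (zone lan) tries to open toward the trusted
# 192.168.1.0/24. OpenWrt evaluates traffic rules before zone forwardings, so
# this wins over the default lan -> wan forwarding; IoT -> internet still
# passes, and replies to trusted -> IoT connections are accepted by conntrack.
emit_hardened_batch() {
    emit_open_batch "$1" "$2" || return 1
    cat <<EOF
add firewall rule
set firewall.@rule[-1].name='Reject-IoT-to-trusted-LAN'
set firewall.@rule[-1].src='lan'
set firewall.@rule[-1].dest='wan'
set firewall.@rule[-1].dest_ip='192.168.1.0/24'
set firewall.@rule[-1].proto='all'
set firewall.@rule[-1].target='REJECT'
EOF
}
```

On the Pi, apply with `emit_hardened_batch "$(uci show firewall)" wwan | uci batch`, review with `uci changes firewall`, then `uci commit firewall` and `/etc/init.d/firewall restart`. The IoT devices still get DHCP and DNS from the Pi, because that is `input` on the lan zone, not forwarding. As psherman notes, forwarding wan > lan is only acceptable because the Pi's wan zone faces the home LAN here; if the Pi is ever placed directly in front of the internet, remove that forwarding. To check the result, a 192.168.1.x host should reach an IoT device, while a new connection from an IoT device to a 192.168.1.x host is rejected.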