Static Route with RPI3 Basic OpenWrt

Thanks @psherman
This is the firewall config I have on the OpenWRT.

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option mtu_fix '1'
        list network 'wwan'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config forwarding
        option src 'wan'
        option dest 'lan'

I am using MQTT port 1883 and I am not able to get my IoT device to register on the Broker.
Broker is on 192.168.1.0 and the device is on 10.77.77.0.
Thanks

Hi @psherman
Are the settings I sent the ones you asked me for, or should I have sent different or more?
Thanks for your help.

Yeah, the firewall file is exactly what I needed to see. It looks like this is completely open -- no restrictions whatsoever for either network talking to the other. This means all devices can talk to each other and all ports are open.

I haven't used any MQTT devices, so I don't know how it handles working across subnets. It is possible that the broker needs to be on the same L2 network (i.e. on the 10.77.77.0/24 network), especially if it has an auto-discovery function -- many of those auto-discovery technologies only work within the local subnet.

Maybe someone else can chime in about MQTT across networks.
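As an added check (not code from this thread or from OpenWrt itself), here is a small Python parser for the UCI firewall format that flags the two things the reply above points at: a non-lan zone whose input policy is ACCEPT, and a zone pair that is forwarded in both directions. It assumes option values contain no spaces and runs over an embedded, constructed excerpt of the zones and forwardings posted above.

```python
"""Audit an OpenWrt UCI firewall config for permissive zone and forwarding settings."""

# Constructed excerpt of the zones and forwardings posted above (rule sections omitted).
SAMPLE = """\
config zone
        option name 'lan'
        option input 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'ACCEPT'
        list network 'wwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'wan'
        option dest 'lan'
"""
def parse_uci(text):
    """Return [(section_type, {key: [values]})]; assumes option values contain no spaces."""
    sections = []
    for line in text.splitlines():
        words = [w.strip("'\"") for w in line.split()]
        if not words:
            continue
        if words[0] == "config":
            sections.append((words[1], {}))
        elif words[0] in ("option", "list") and len(words) >= 3 and sections:
            sections[-1][1].setdefault(words[1], []).append(words[2])  # options and lists both kept as lists
    return sections

def forwarding_allowed(sections, src, dest):
    """True when a 'config forwarding' section lets hosts in zone src open connections into zone dest."""
    return any(s.get("src") == [src] and s.get("dest") == [dest]
               for t, s in sections if t == "forwarding")

def audit(sections, trusted=("lan",)):
    """Findings: untrusted zones with input ACCEPT (a zone without its own 'input' inherits 'config defaults'),
    and zone pairs forwarded in both directions."""
    default_input = next((s.get("input", ["REJECT"])[0] for t, s in sections if t == "defaults"), "REJECT")
    findings = []
    for t, s in sections:
        if t == "zone" and s["name"][0] not in trusted and s.get("input", [default_input])[0] == "ACCEPT":
            findings.append(f"zone {s['name'][0]}: input ACCEPT exposes router services to {','.join(s.get('network', []))}")
        if t == "forwarding" and s["src"][0] < s["dest"][0] and forwarding_allowed(sections, s["dest"][0], s["src"][0]):
            findings.append(f"{s['src'][0]}<->{s['dest'][0]}: forwarded both ways with no port restrictions")
    return findings
```

Run against the full config from the thread, the same two findings come back, which also shows that port 1883 is not being blocked by this firewall and the MQTT problem has to be elsewhere (routing or the broker's bind address).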

Thank you!!

Hi @psherman
I have read that I can use the OpenWRT as a docker host.
I am thinking to create an MQTT docker within the OpenWRT RPI3 I have.
I will use it only for the MQTT broker, and I will try to connect my devices on network 10.77.77.0 to it, and that will give me a way to trigger automations as well from that broker. I will try and start with this, and if I am able to create an MQTT docker on the OpenWRT I will try and bridge it to the main broker I have, and I hope that I will be able to merge all inside my main broker on 192.168, and that would be good as well.

I would be happy to get help on creating an MQTT Docker on the OpenWRT using LuCi on my RPI3.

Thank You

Certainly worth a try.

I'd recommend opening a new thread for MQTT + docker related things.

Regarding this specific thread, though... if your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
