I have an Archer C7 running OpenWrt. So far I have WAN coming from the ISP router connected to the Ethernet WAN port. Also, I configured an interface called "TetheringWAN" (receiving signal from my phone through the USB port) as a spare for when my ISP is down (to do that I followed a step-by-step guide from some website).
This worked very well. No complaints there.
Lately I've been trying to do something a bit different. And that's where I need help.
I managed to have my regular ISP running through the 2.4 GHz Wi-Fi and the TetheringWAN running through the 5 GHz Wi-Fi. They are independent from each other.
This is almost perfect. The only thing I'm missing is that I can't seem to apply iptables rules to the TetheringWAN. The rules only apply to my "regular" WAN.
Can anyone give me some insights on what I'm missing?
I'm still a beginner at all this. Thanks in advance.
So here are the files.
Please excuse any mess, I was trying out different things to get the result I wanted.
Also, you will notice an interface called "DMZ". That's not necessary anymore.
Just making myself clear: my wish is to have one Wi-Fi (2.4 GHz) "connected" to my ISP for general purposes. The other Wi-Fi (5 GHz) will be "connected" to the USB port for gaming purposes (just my PS4 as client). (Before you ask: yes, sadly I get a better gaming experience through my 4G than through my ISP.)
Remember: it's important to get iptables applied to both networks.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option dest_port '53'
	option name 'dmz-dns'
	option dest_ip '192.168.0.1'
	option family 'ipv4'
	option proto 'udp'
	option enabled '0'

config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'TetheringWAN'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option name '4gwan'

config forwarding
	option dest 'wan'
	option src 'lan'

config zone
	option name '4glan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'LAN_4G'
	option forward 'ACCEPT'

config forwarding
	option dest '4gwan'
	option src '4glan'
This way I can get two completely independent Wi-Fi networks. However, iptables and nf_conntrack don't apply to the 4G_LAN network. I think my question is mainly about this fact. What should I do to apply these to two different networks?
Another thing I noticed is that when I connect to the "OpenWrt" Wi-Fi I don't get an IP in the range 192.168.2.* as I expected. I get an IP in the range 192.168.42.*.
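In an OpenWrt firewall config, every `config rule` is scoped to the zone named in its `option src` (and `option dest`), and a zone only covers the interfaces named in its `network` option. So a quick way to see why rules reach one uplink and not the other is to map zones to networks and rules to zones. The script below is an added example, not code from the original post or from OpenWrt: it parses a UCI firewall file (an excerpt of the posted config is embedded as a constructed sample) and reports, per zone, which networks it covers and which rules and forwardings reference it. On the posted config it shows that all rules name `src 'wan'`, the `wan` zone lists only the `wan6` network, and the `4gwan` and `4glan` zones have no rules at all. Rules without a `src` option apply to all zones and are counted as such.

```python
"""Added example: summarise an OpenWrt UCI firewall config by zone.

Shows which networks each zone covers and which rules / forwardings are
scoped to it, so rules that only mention one uplink zone stand out.
Pure-Python parser; does not need the `uci` binary or a running router."""
import shlex
from collections import defaultdict

# Constructed sample: excerpt of the firewall config posted above.
SAMPLE_CONFIG = """
config zone
	option name 'lan'
	option network 'lan'
config zone
	option name 'wan'
	option input 'REJECT'
	option masq '1'
	option network 'wan6'
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option target 'ACCEPT'
config zone
	option name '4gwan'
	option network 'TetheringWAN'
	option masq '1'
config forwarding
	option dest 'wan'
	option src 'lan'
config zone
	option name '4glan'
	option network 'LAN_4G'
config forwarding
	option dest '4gwan'
	option src '4glan'
"""


def parse_uci(text):
    """Return [(section_type, {key: [values]})] in file order.

    Both `option` and `list` lines are stored as value lists so that
    repeated `list network 'x'` entries and a single `option network 'x y'`
    can be handled the same way by the caller."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = shlex.split(line)  # handles the single quotes UCI uses
        if parts[0] == 'config' and len(parts) >= 2:
            sections.append((parts[1], defaultdict(list)))
        elif parts[0] in ('option', 'list') and sections and len(parts) >= 3:
            sections[-1][1][parts[1]].append(parts[2])
    return sections


def zone_report(text):
    """Map zone name -> {'networks': [...], 'rules': [...], 'forwardings': [...]}."""
    sections = parse_uci(text)
    zones = {}
    for kind, opts in sections:
        if kind == 'zone' and opts.get('name'):
            nets = []
            for value in opts['network']:      # 'option' may hold a space-separated list
                nets.extend(value.split())
            zones[opts['name'][0]] = {'networks': nets, 'rules': [], 'forwardings': []}
    for kind, opts in sections:
        if kind == 'rule':
            name = (opts.get('name') or ['(unnamed)'])[0]
            # A rule with no src, or src '*', applies to every zone.
            targets = opts.get('src') or ['*']
            for z in zones:
                if '*' in targets or z in targets:
                    zones[z]['rules'].append(name)
        elif kind == 'forwarding':
            src = (opts.get('src') or [''])[0]
            dest = (opts.get('dest') or [''])[0]
            if src in zones:
                zones[src]['forwardings'].append(f'{src} -> {dest}')
    return zones


def zones_without_rules(text):
    """Zones that no rule is scoped to; traffic there sees only zone defaults."""
    return sorted(z for z, info in zone_report(text).items() if not info['rules'])


if __name__ == '__main__':
    for zone, info in zone_report(SAMPLE_CONFIG).items():
        print(f"zone {zone}: networks={info['networks']} "
              f"rules={info['rules']} forwardings={info['forwardings']}")
    print('zones with no rules:', zones_without_rules(SAMPLE_CONFIG))
```

To run it against a real router, replace `SAMPLE_CONFIG` with the contents of `/etc/config/firewall` (for example via `scp`), and check that each uplink zone both lists the intended network and appears as `src` in the rules meant for it.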