Upgrading my tp-link EAP225v3 to 22.03.3 from .2 broke management access to it via ssh and http(s). I was able to restore ssh and https access after a few factory resets and config change attempts.
My one question at this point is: What is a valid proper firewall configuration for an AP that does not route user traffic and is no longer using the "default" lan/wan interfaces?
I hope the following helps someone else.
TL/DR - Be sure to have a working firewall config in place if you normally run with service firewall disabled. Sysupgrade enables all services and it seems an empty /etc/config/firewall file causes fw4 to block traffic, at least on my EAP225v3 OpenWrt 22.03.3 with multiple bridged VLANs connected to one SSID each. Only one IP address on one interface though which is used for management.
Last year, using info in this thread from 2021 I zeroed out /etc/config/firewall and also did service firewall disable on my EAP225v3 running OpenWrt 22.03.2. Dumb AP reenables services upon updating the image (firewall, odhcpd, and dnsmasq) ... why?
It worked fine for a quite a while, even after several reboots until upgrading to 22.03.3.
That recommendation is also in the docs: https://openwrt.org/docs/guide-user/network/wifi/dumbap
Upon the sysupgrade to 22.03.3 the AP was unreachable via http/https and ssh but the IP address did respond to arp requests and it otherwise functioned normally as an AP with 10 SSIDs and trunking 6 dot1q VLANs back to my switch.
Doing a factory reset with the hardware reset button and then restoring the config from a very recent backup resulted in the same broken situation after reboot. Repeating the reset/restore process but also running service firewall disable restored management access, even after a reboot. Finding that sysupgrade enables all services, I looked for a more permanent solution.
Without serial console access, I cannot be sure what was going on as I could not see dmesg or logread output.
Experimenting, I found the following config for /etc/config/firewall allowed ssh and http(s) access with the firewall starting up and running.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
After testing that config a couple times I also added the following stanza to /etc/rc.local modified but based on https://openwrt.org/docs/guide-user/network/wifi/dumbap
#
# these services do not run on dumb APs
logger checking/disabling services by way of /etc/rc.local
#
for i in firewall dnsmasq odhcpd; do
if /etc/init.d/"$i" enabled; then
/etc/init.d/"$i" disable
/etc/init.d/"$i" stop
logger disabled and stopped service $i
fi
done
logger done checking/disabling services by way of /etc/rc.local
#
I manually enabled the firewall with service firewall enable and rebooted.
service shows firewall disabled and logread output has:
Fri Feb 3 18:14:57 2023 user.notice root: checking/disabling services by way of /etc/rc.local
Fri Feb 3 18:14:58 2023 user.notice root: disabled and stopped service firewall
Fri Feb 3 18:14:59 2023 user.notice root: done checking/disabling services by way of /etc/rc.local
Looks good. Hopefully the log entries will help me if I ever try to run with the firewall and wonder why it gets disabled on every restart.
Testing from a working config, zeroing out the /etc/config/firewall file and starting the firewall service manually, immediately stops ssh and https access to the EAP225. A reboot restores proper access by way of the commands in /etc/rc.local.
Hopefully future sysupgrades with keeping the existing config will be trouble free.
By the way, the only extra packages installed are luci-app-attendedsysupgrade and tcpdump-mini.
I tested the firewall issue using a custom image from the software selector with the two packages (and luci-ssl) as well as the pre-built standard image, both for version 22.03.3.
I did not try going back to previous versions to test 22.03.2 etc.