vlan
April 15, 2024, 8:16pm
1
Hi! I have been following the YouTube videos of One Marc Fifty. The goal was to create an IoT VLAN with no access to the router admin page. But the VLAN I've created can still enter the router's admin page. So I don't know what is wrong.
OpenWrt 21
GL.iNet router
I've made this configuration in LuCI. First I've created a new firewall zone, then
I've added a new firewall traffic rule for IoT.
Then, configured the firewall rule.
After that I've created a new bridge for the new VLANs.
I've added the VLANs: one for IoT and another for management.
Then I've changed the bridge port of the default bridge-lan to the management one, br-lan99.99.
Then I've added the interface for IoT; so far this is just for internet. I don't want any device connected here to be able to enter the admin page on the router.
At the end I've tried with a computer on the port of the IoT VLAN (br-lan99.9) and it is connected to the internet. But I can access the IP of the router's admin page, and also all the traffic seems to be generated on the management VLAN (br-lan99.99) and not on the IoT one.
I just realized there are too many 9s, sorry for that.
Some questions:
What have I done wrong? (LOL)
If I add an access point (another OpenWrt router) to feed other computers with internet, will the IoT config work?
Really, thanks for your time. I know this is not a free consultancy space, but you are the experts to ask.
krazeh
April 15, 2024, 8:20pm
2
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
vlan
April 15, 2024, 10:19pm
3
Thanks @krazeh, this is the output.
ubus call system board
"version": "21.02-SNAPSHOT",
"revision": "r16399+165-c67509efd7",
cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '*********'
option netmask '***********'
config globals 'globals'
option ula_prefix '***************'
config device
option name 'br-lan'
option type 'bridge'
option macaddr '************'
list ports 'br-lan99.9'
list ports 'br-lan99.99'
config device
option name 'eth1'
option macaddr '************'
config device
option name 'eth2'
option macaddr '***********'
config device
option name 'eth3'
option macaddr '***********'
config device
option name 'eth4'
option macaddr '***********'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '*************'
option netmask '***********'
option ip6assign '****'
option isolate '0'
config device
option name 'eth0'
option macaddr '***************'
config interface 'wan'
option device 'eth0'
option proto 'dhcp'
option force_link '0'
option ipv6 '0'
option metric '10'
config interface 'wan6'
option proto 'dhcpv6'
option disabled '1'
option device '@wan'
config switch
option name 'switch0'
option reset '0'
option enable_vlan '0'
config interface 'tethering6'
option proto 'dhcpv6'
option disabled '1'
option device '@tethering'
config interface 'wwan6'
option proto 'dhcpv6'
option disabled '1'
option device '@wwan'
config interface 'guest'
option force_link '1'
option type 'bridge'
option proto 'static'
option ipaddr '********'
option netmask '******************'
option ip6assign '***'
option multicast_querier '1'
option igmp_snooping '0'
option isolate '0'
option bridge_empty '1'
option disabled '1'
config interface 'wwan'
option proto 'dhcp'
option metric '20'
config interface 'modem_1_1_2_6'
option proto 'dhcpv6'
option disabled '1'
option device '@modem_1_1_2'
config rule 'policy_direct_rt'
option lookup 'main'
option suppress_prefixlength '0'
option priority '1100'
config rule 'policy_default_rt_vpn'
option mark '0x8000/0xc000'
option lookup '8000'
option priority '1101'
option invert '1'
config rule6 'policy_direct_rt6'
option lookup 'main'
option suppress_prefixlength '0'
option priority '1100'
config rule6 'policy_default_rt_vpn6'
option mark '0x8000/0xc000'
option lookup '8000'
option priority '1101'
option invert '1'
config rule 'policy_default_rt_vpn_ts'
option lookup 'main'
option priority '1099'
option mark '0x80000/0xc0000'
option invert '0'
config device
list ports 'eth1'
list ports 'eth2'
list ports 'eth3'
list ports 'eth4'
option type 'bridge'
option name 'br-lan99'
config bridge-vlan
option device 'br-lan99'
list ports 'eth2:t'
option vlan '9'
config bridge-vlan
option device 'br-lan99'
list ports 'eth1:u*'
list ports 'eth2:u*'
list ports 'eth3:u*'
list ports 'eth4:u*'
option vlan '99'
config interface 'IOT'
option device 'br-lan99.9'
option proto 'none'
config interface 'OnlyAdmins'
option device 'br-lan99.99'
option proto 'dhcp'
cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/c000000.wifi'
option band '5g'
option htmode 'HE80'
option country 'US'
option disabled '0'
option channel 'auto'
option legacy_rates '0'
option txpower '9'
option hwmode '11a'
option channels '36,40,44,48,149,153,157,161'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option encryption 'psk2'
option wds '1'
option isolate '0'
option ifname 'wlan1'
option disabled '1'
option ssid '*******'
option hidden '0'
option key '************'
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/soc/c000000.wifi+1'
option band '2g'
option country 'US'
option disabled '0'
option channel 'auto'
option htmode 'HE40'
option legacy_rates '0'
option txpower '9'
option hwmode '11g'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option encryption 'psk2'
option wds '1'
option isolate '0'
option ifname 'wlan0'
option disabled '1'
option ssid '********'
option hidden '0'
option key '***********'
config wifi-iface 'guest5g'
option device 'radio0'
option network 'guest'
option mode 'ap'
option ifname 'wlan1-1'
option encryption 'psk2'
option guest '1'
option disabled '1'
option wds '1'
option isolate '1'
option ssid '************'
option hidden '0'
option key '*************'
config wifi-iface 'guest2g'
option device 'radio1'
option network 'guest'
option mode 'ap'
option ifname 'wlan0-1'
option encryption 'psk2'
option guest '1'
option disabled '1'
option wds '1'
option isolate '1'
option ssid '********'
option hidden '0'
option key '**********'
cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option rebind_protection '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option ra_slaac '1'
option force '1'
option dhcpv6 'disabled'
option ra 'disabled'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config domain
option name 'console.gl-inet.com'
option ip '*************'
config domain
option name 'console.gl-inet.com'
option ip '::ffff:**********'
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'disabled'
option ra 'disabled'
cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
list network 'wwan'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option input 'DROP'
option masq '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '****'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
config include 'nat6'
option path '/etc/firewall.nat6'
option reload '1'
config rule 'block_dns'
option name 'block_dns'
option src '*'
option device 'br-+'
option dest_port '53'
option target 'REJECT'
option enabled '0'
config rule 'process_mark'
option name 'process_mark'
option dest '*'
option proto 'all'
option extra '-m owner --gid-owner 65533'
option target 'MARK'
option set_xmark '0x8000/0xc000'
config rule 'wan_in_conn_mark'
option name 'wan_in_conn_mark'
option src 'wan'
option dest '*'
option set_xmark '0x8000/0xc000'
option target 'MARK'
option extra '-j CONNMARK --set-xmark 0x8000/0xc000'
option enabled '0'
config rule 'lan_in_conn_mark_restore'
option name 'lan_in_conn_mark_restore'
option src 'lan'
option dest '*'
option set_xmark '0x8000/0xc000'
option target 'MARK'
option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
option enabled '0'
config rule 'out_conn_mark_restore'
option name 'out_conn_mark_restore'
option dest '*'
option set_xmark '0x8000/0xc000'
option target 'MARK'
option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
option enabled '0'
config include 'swap_wan_in_conn_mark'
option type 'script'
option reload '1'
option path '/etc/firewall.swap_wan_in_conn_mark.sh'
option enabled '0'
config include 'gls2s'
option type 'script'
option path '/var/etc/gls2s.include'
option reload '1'
config include 'glblock'
option type 'script'
option path '/usr/bin/gl_block.sh'
option reload '1'
config zone
option name 'guest'
option network 'guest'
option forward 'REJECT'
option output 'ACCEPT'
option input 'REJECT'
config forwarding
option src 'guest'
option dest 'wan'
config rule
option name 'Allow-DHCP'
option src 'guest'
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
config rule
option name 'Allow-DNS'
option src 'guest'
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
config include 'vpn_server_policy'
option type 'script'
option path '/etc/firewall.vpn_server_policy.sh'
option reload '1'
option enabled '1'
config zone
option input 'REJECT'
option forward 'REJECT'
option name 'IOT'
option output 'ACCEPT'
list network 'IOT'
config forwarding
option dest 'wan'
option src 'IOT'
config zone
option input 'ACCEPT'
option forward 'REJECT'
option name 'OnlyAdmins'
option output 'ACCEPT'
list network 'OnlyAdmins'
config forwarding
option dest 'wan'
option src 'OnlyAdmins'
config rule
option target 'ACCEPT'
option src 'IOT'
option name 'IOT DHCP and DNS'
option dest_port '53 67 68'
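An added check, written for this thread and not part of OpenWrt, GL.iNet firmware or the posted config: a small parser for UCI-style network config that reports every logical interface whose device is itself enslaved as a port of another bridge. In the config above, `br-lan` lists both `br-lan99.9` (IOT) and `br-lan99.99` (OnlyAdmins) as ports, so on my reading the two VLANs end up in one layer-2 segment behind the `lan` zone (input ACCEPT); the `SAMPLE_NETWORK` excerpt below is constructed from those lines and the function names are mine.

```python
import re

# Constructed excerpt of the /etc/config/network posted in the thread (not the
# full file): both bridge-vlan sub-interfaces are listed as ports of br-lan.
SAMPLE_NETWORK = """
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'br-lan99.9'
    list ports 'br-lan99.99'
config interface 'lan'
    option device 'br-lan'
config device
    option name 'br-lan99'
    option type 'bridge'
    list ports 'eth2'
config interface 'IOT'
    option device 'br-lan99.9'
config interface 'OnlyAdmins'
    option device 'br-lan99.99'
"""

def parse_uci(text):
    """Parse UCI text into (section_type, section_name, options) tuples."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", line)
        if not m:
            continue
        kind, key, val = m.groups()
        if kind == "config":
            sections.append((key, val, {}))       # anonymous sections get name None
        elif kind == "option":
            sections[-1][2][key] = val
        else:                                     # 'list' keys accumulate
            sections[-1][2].setdefault(key, []).append(val)
    return sections

def find_bridged_vlans(text):
    """Return (interface, device, bridge) for each logical interface whose device
    is also a bridge port: it then shares that bridge's L2 domain and zone."""
    sections = parse_uci(text)
    # bridge name -> member port names, with ':t'/':u*' VLAN flags stripped
    bridges = {o["name"]: [p.split(":")[0] for p in o.get("ports", [])]
               for t, _, o in sections if t == "device" and o.get("type") == "bridge"}
    return [(name, o.get("device"), br)
            for t, name, o in sections if t == "interface"
            for br, ports in bridges.items() if o.get("device") in ports]
```

Running `find_bridged_vlans` on the real file (`cat /etc/config/network`) after fixing the bridge membership should return an empty list for the IOT interface.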
It appears you are using firmware that is not from the official OpenWrt project.
When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.
You may find that the best options are:
Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).
If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.
vlan
April 15, 2024, 10:26pm
5
Thanks for your reply @psherman, indeed it is a GL.iNet router. All the configuration has been made through LuCI. I've tried on the GL.iNet forums; I'm waiting for help and I don't want to push it because it is free expert help, just like here.
Because you are using their firmware, you will need to ask them. We can help you if you run official OpenWrt (obtained from the openwrt.org site).
vlan
April 15, 2024, 10:30pm
7
OK, thanks again. Wish you the best on the One OpenWrt project and I hope many more products in the future.
Thanks!