Hi guys,
I have set up openWRT with VLANs for IOT devices and Cameras, and using Frigate and Home Assistant.
wired thing, is that I had to set IOT vlan input, output and forward to accept since devices were not able to obtain an IP.
any suggestion?
Thank you!
Here is my config:
Let's look at your config in text form -- it's much easier to see the whole story.
Further, in the future, if you do post screenshots, please upload them directly to the forum site instead of using 3rd party image sharing sites.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
Here is my config
root@OpenWrt:~# ubus call system board
{
"kernel": "5.15.134",
"hostname": "OpenWrt",
"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
"model": "TP-Link Archer A7 v5",
"board_name": "tplink,archer-a7-v5",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.0",
"revision": "r23497-6637af95aa",
"target": "ath79/generic",
"description": "OpenWrt 23.05.0 r23497-6637af95aa"
}
}
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'XXXXX:XXXXX::/48'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '10'
option description 'local 192.168.10.0'
option ports '0t 2t 3 4'
config switch_vlan
option device 'switch0'
option vlan '4'
option vid '20'
option description 'iot 192.168.20.0'
option ports '0t 2t 5'
config switch_vlan
option device 'switch0'
option vlan '5'
option vid '40'
option description 'camera 10.10.40.0'
option ports '0t 2t'
config switch_vlan
option device 'switch0'
option vlan '6'
option vid '99'
option description 'guest 10.10.99.0'
option ports '0t 2t'
config switch_vlan
option device 'switch0'
option vlan '7'
option vid '111'
option description 'modem'
option ports '0t 1'
config interface '10local'
option proto 'static'
option device 'br-vlan10'
option type 'bridge'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
config interface '20iot'
option proto 'static'
option device 'br-vlan20'
option ipaddr '192.168.20.1'
option netmask '255.255.255.0'
option force_link '0'
config device
option type 'bridge'
option name 'br-vlan10'
list ports 'eth0.10'
option bridge_empty '1'
config device
option type 'bridge'
option name 'br-vlan20'
list ports 'eth0.20'
option bridge_empty '1'
config interface 'WAN'
option proto 'dhcp'
option device 'eth0.111'
option peerdns '0'
list dns '1.1.1.1'
list dns '1.0.0.1'
config device
option type 'bridge'
option name 'br-vlan40'
list ports 'eth0.40'
config device
option type 'bridge'
option name 'br-vlan99'
list ports 'eth0.99'
config interface '40cameras'
option proto 'static'
option device 'br-vlan40'
option ipaddr '10.10.40.1'
option netmask '255.255.255.0'
option force_link '0'
config interface '99guest'
option proto 'static'
option device 'br-vlan99'
option force_link '0'
option ipaddr '10.10.99.1'
option netmask '255.255.255.0'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp '20iot'
option interface '20iot'
option start '20'
option limit '200'
option leasetime '12h'
config dhcp '10local'
option interface '10local'
option start '40'
option limit '200'
option leasetime '12h'
config dhcp '40cameras'
option interface '40cameras'
option start '101'
option limit '200'
option leasetime '12h'
config dhcp '99guest'
option interface '99guest'
option start '100'
option limit '150'
option leasetime '12h'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network '10local'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'WAN'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'DHCP IOT'
list proto 'udp'
option src 'iot'
option dest_port '67-68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'DHCP GUEST'
list proto 'udp'
option src 'guest'
option dest_port '67-68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'DHCP CAMERAS'
list proto 'udp'
option src 'cameras'
option dest_port '67-68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'cameras'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network '40cameras'
config zone
option name 'iot'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network '20iot'
config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network '99guest'
config rule
option name 'IOT to 80'
list proto 'tcp'
option src 'iot'
option dest 'wan'
option dest_port '80'
option target 'ACCEPT'
config rule
option name 'IOT to 443 (https)'
list proto 'tcp'
option src 'iot'
option dest 'wan'
option dest_port '443'
option target 'ACCEPT'
config rule
option name 'DNS - IOT'
option src 'iot'
option dest_port '53'
option target 'ACCEPT'
list proto 'tcp'
list proto 'udp'
config rule
option name 'DNS - CAMERAS'
option src 'cameras'
option dest_port '53'
option target 'ACCEPT'
list proto 'tcp'
list proto 'udp'
config rule
option name 'DNS - GUEST'
option src 'guest'
option dest_port '53'
option target 'ACCEPT'
config rule
option name 'Guest to 80'
list proto 'tcp'
option src 'guest'
option dest 'wan'
option dest_port '80'
option target 'ACCEPT'
config rule
option name 'Guest to 443 (https)'
list proto 'tcp'
option dest 'wan'
option dest_port '443'
option target 'ACCEPT'
option src 'guest'
config rule
option name 'CAMERAS to 80'
list proto 'tcp'
option src 'cameras'
option dest 'wan'
option dest_port '80'
option target 'ACCEPT'
config rule
option name 'CAMERAS to 443 (https)'
list proto 'tcp'
option dest 'wan'
option dest_port '443'
option target 'ACCEPT'
option src 'cameras'
config forwarding
option src 'lan'
option dest 'cameras'
config forwarding
option src 'lan'
option dest 'guest'
config forwarding
option src 'lan'
option dest 'iot'
config forwarding
option src 'lan'
option dest 'wan'
config redirect
option dest 'iot'
option target 'DNAT'
option name 'Home assistant'
option src 'wan'
option src_dport '8123'
option dest_ip '192.168.20.5'
option dest_port '8123'
config rule
option name '853 IOT'
option dest_port '853'
option target 'ACCEPT'
option src 'iot'
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'pci0000:00/0000:00:00.0'
option band '5g'
option htmode 'VHT80'
option cell_density '0'
option channel 'auto'
config wifi-iface 'default_radio0'
option device 'radio0'
option network '10local'
option mode 'ap'
option ssid 'rete1'
option encryption 'psk2'
option key 'XXXXX'
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/ahb/18100000.wmac'
option channel '1'
option band '2g'
option htmode 'HT20'
option cell_density '0'
config wifi-iface 'default_radio1'
option device 'radio1'
option mode 'ap'
option ssid 'reteIOT'
option encryption 'psk2'
option key 'XXXX'
option network '20iot'
config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'ap'
option ssid 'reteIOT'
option encryption 'psk2'
option network '20iot'
option key 'XXXXXXX
config wifi-iface 'wifinet3'
option device 'radio0'
option mode 'ap'
option ssid 'retecam2'
option encryption 'psk2'
option key 'XXXXX'
option network '40cameras'
config wifi-iface 'wifinet4'
option device 'radio0'
option mode 'ap'
option ssid '99guest'
option encryption 'psk2'
option key 'XXXX'
option network '99guest'
config wifi-iface 'wifinet5'
option device 'radio1'
option mode 'ap'
option ssid 'retecam2'
option encryption 'psk2'
option key 'XXXXXX'
option network '40cameras'
Remove the line for the option type bridge... it does not belong here:
Remove the force_link from all network stanzas:
Your camera DHCP server is out of range...
The limit is the size of the pool, not the last IP in the pool. It follows this equation
start to (start + limit - 1)
Because the network is a /24, that means that the last valid address is 254. Since you've got a start address of 101, the largest value of limit that is allowed is 154.
Restart the router after making these changes and test again. You shoud be able to set the input rule to drop or reject and still get DHCP addresses.
Great, thank you so much, I also found that HomeAssistant that is on the IOT VLAN20 it looks like its having some network performance issue, it my be related to the firewall?
And I was also wondering if my config is secure....
l this is my updated firewall config
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network '10local'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'WAN'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'cameras'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network '40cameras'
config zone
option name 'iot'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network '20iot'
config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network '99guest'
config rule
option name 'Cameras to DHCP, DNS'
option src 'cameras'
option dest_port '53 67 68'
option target 'ACCEPT'
list proto 'tcp'
list proto 'udp'
config rule
option name 'Cameras to http, https (80 443)'
list proto 'tcp'
option dest 'wan'
option dest_port '443 80'
option target 'ACCEPT'
option src 'cameras'
config forwarding
option src 'lan'
option dest 'cameras'
config forwarding
option src 'lan'
option dest 'iot'
config forwarding
option src 'lan'
option dest 'wan'
config redirect
option dest 'iot'
option target 'DNAT'
option name 'Home assistant'
option src 'wan'
option src_dport '8123'
option dest_ip '192.168.20.5'
option dest_port '8123'
config forwarding
option src 'iot'
option dest 'wan'
config forwarding
option src 'iot'
option dest 'cameras'
config forwarding
option src 'guest'
option dest 'wan'
config rule
option name 'Guest to DHCP, DNS'
option src 'guest'
option dest_port '53 67 68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Guest to http, https (80 443)'
list proto 'tcp'
option src 'guest'
option dest 'wan'
option dest_port '80 443'
option target 'ACCEPT'
config rule
option name 'IOT to DHCP, DNS, NTPD'
option src 'iot'
option dest_port '53 67 68 123'
option target 'ACCEPT'
config rule
option name 'IOT to http, https (80 443)'
list proto 'tcp'
option src 'iot'
option dest 'wan'
option dest_port '80 443'
option target 'ACCEPT'
Possibly. Although I'm not seeing anything immediately obvious that would cause problems from the IoT network.
A few thoughts... Generally, yes, things are fine. But some things could be better.
Typically, the IoT network should not have access to the router itself except for DHCP and DNS... it depends on your requirements, of course... but I'd recommend settings input to drop or reject:
I wouldn't suggest providing direct access to HA from the wan... this makes your HA host vulnerable to attacks from the internet:
Instead, a VPN would provide much better security. I recommend Wireguard.
Does the IoT network need to reach the cameras? If so, this is good. If not, consider deleting this:
What is the purpose of this (and the other one for the IoT and cameras zones):
You can delete these rules since they don't serve any purpose -- you're already allowing the zone forwarding from guest (or iot or cameras) > wan.
Great! Thank you so much! I was wondering if these setting below were ok, I would like that cameras and IOT can reach the internet but no lan.
I had to change IOT to accept input, output and forward to have it work.
And also how I can prevent access to the router 192.168.10.1 and SSH from IOT, and camera newtork
found this as reference:
Thanks
John
You shouldn't need it based on this... but you may need to specify TCP + UDP here:
The easier and preferred method is by setting input = drop or reject.
So I am actually wondering if in general - input accept is correct.
If I set it to reject the I dont have Internet connection
If you reject/drop input, you need to create rules that accept dhcp (and typically also dns). Without this, devices will be unable to get an ip address via dhcp and may also be unable to resolve domain names.
Hi Peter,
so is it sefe to leave it to accept?
Thanks
John
If you trust that your cameras won’t be used as an attack vector against your router. Probably fine. But if you don’t trust the cameras, make the dedicated accept rules as I described.
Peter, so this should work and be safe:
Thank
John
Yes. Although your iot network has way more ports than I would expect. This type of rule is only necessary for access to services on the router itself.
