Hi,
I have 3 zones in my network: Home (VLAN 20), Homenet (VLAN 22) and WAN (VLAN 7).
Now I'd like Home and Homenet to see each other, but Home should have no access to WAN.
In OpenWrt 18 this still worked, but in 22 it doesn't. Where is my mistake?
Here is my config:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
Thanks, here is the output:
ubus call system board
{
"kernel": "5.10.161",
"hostname": "Homenet",
"system": "MediaTek MT7621 ver:1 eco:3",
"model": "Ubiquiti EdgeRouter X SFP",
"board_name": "ubnt,edgerouter-x-sfp",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "22.03.3",
"revision": "r20028-43d71ad93e",
"target": "ramips/mt7621",
"description": "OpenWrt 22.03.3 r20028-43d71ad93e"
}
cat /etc/config/network
# /etc/config/network -- original (pre-reset) layout on OpenWrt 22.03.3, ER-X-SFP.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fd3e:1b54:959f::/48'
# NOTE(review): eth3 is listed in br-lan here AND in brHome below, and eth4 is
# listed in br_Gast, brHomenet and brHome. A port can only be a member of one
# bridge; on 22.03 (DSA) all ports belong in a single bridge with one
# bridge-vlan section per VLAN (see the reply further down in the thread).
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth3'
config device
option name 'eth0'
# Guest bridge: eth1 untagged, eth4 tagged (VLAN 1).
config device
option type 'bridge'
option name 'br_Gast'
list ports 'eth1'
list ports 'eth4'
config bridge-vlan
option device 'br_Gast'
option vlan '1'
list ports 'eth1'
list ports 'eth4:t'
# Homenet bridge: eth2 untagged, eth4 tagged (VLAN 22).
config device
option type 'bridge'
option name 'brHomenet'
list ports 'eth2'
list ports 'eth4'
config bridge-vlan
option device 'brHomenet'
option vlan '22'
list ports 'eth2'
list ports 'eth4:t'
# NOTE(review): WAN_br / VLAN 7 is not referenced by any interface below, so
# this bridge is unused; the actual WAN (TK_WAN) sits on untagged eth5.
config device
option type 'bridge'
option name 'WAN_br'
list ports 'eth0'
list ports 'eth5'
config bridge-vlan
option device 'WAN_br'
option vlan '7'
list ports 'eth0'
list ports 'eth5:t'
config interface 'Gast_LAN'
option proto 'static'
option device 'br_Gast.1'
option netmask '255.255.255.0'
option ipaddr '192.168.7.1'
config interface 'Homenet'
option proto 'static'
option device 'brHomenet.22'
option ipaddr '10.25.22.1'
option netmask '255.255.255.0'
# Upstream is a static 10.10.1.2/24 on eth5 (untagged), default gateway
# 10.10.1.1 -- not "WAN on VLAN 7" as described in the question.
config interface 'TK_WAN'
option device 'eth5'
option proto 'static'
option ipaddr '10.10.1.2'
option netmask '255.255.255.0'
option gateway '10.10.1.1'
# NOTE(review): this route is wrong on two counts: the target has host bits
# set (10.10.1.1/24 instead of 10.10.1.0/24) and the gateway is the router's
# own Homenet address. 10.10.1.0/24 is directly connected via eth5 (TK_WAN),
# so no static route is needed at all -- drop this section.
config route
option interface 'Homenet'
option target '10.10.1.1/24'
option gateway '10.25.22.1'
# Home bridge: eth3 untagged, eth4 tagged (VLAN 20). See the note on br-lan
# above: eth3 and eth4 are already claimed by other bridges.
config device
option type 'bridge'
option name 'brHome'
list ports 'eth3'
list ports 'eth4'
config bridge-vlan
option device 'brHome'
option vlan '20'
list ports 'eth3'
list ports 'eth4:t'
config interface 'Home'
option proto 'static'
option ipaddr '10.25.20.1'
option netmask '255.255.255.0'
option device 'brHome.20'
cat /etc/config/wireless
cat: can't open '/etc/config/wireless': No such file or directory
It's an ER-X-SFP without wireless.
cat /etc/config/dhcp
# /etc/config/dhcp -- original. dnsmasq provides DNS and DHCPv4; odhcpd is
# not the main DHCP server (maindhcp '0').
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
# rebind_protection: refuse upstream answers that point at private ranges.
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
# localservice: only answer DNS queries from directly attached subnets.
option localservice '1'
option ednspacket_max '1232'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# Guest pool: 192.168.7.10-192.168.7.14, 1h leases.
config dhcp 'Gast_LAN'
option interface 'Gast_LAN'
option start '10'
option limit '5'
option leasetime '1h'
# Homenet pool: 10.25.22.220-10.25.22.238.
config dhcp 'Homenet'
option interface 'Homenet'
option leasetime '24h'
option start '220'
option limit '19'
# Home pool: 10.25.20.200-10.25.20.219.
config dhcp 'Home'
option interface 'Home'
option start '200'
option limit '20'
option leasetime '1h'
cat /etc/config/firewall
# /etc/config/firewall -- original. Zones: lan (empty), wan, Gast, Homenet, Home20.
# Policy for traffic that matches no zone: input/output accepted, forward dropped.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option forward 'DROP'
# NOTE(review): this zone has no 'network' or 'device' list, so it covers no
# interface; the lan->wan forwarding below is therefore dead configuration.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# Upstream zone: nothing unsolicited from TK_WAN reaches the router or is
# forwarded; outbound traffic is masqueraded behind 10.10.1.2.
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'DROP'
option forward 'DROP'
list network 'TK_WAN'
config forwarding
option src 'lan'
option dest 'wan'
# OpenWrt default wan rules. The IPv6 rules and the IPsec/ISAKMP rules are
# disabled here (enabled '0'), which is fine for an IPv4-only static uplink.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option enabled '0'
# Guest zone: untrusted. Input DROP plus explicit DHCP/DNS rules below is the
# right least-privilege pattern. Listing both 'device' and 'network' is
# redundant (the network already resolves to br_Gast.1) but harmless.
config zone
option name 'Gast'
option output 'ACCEPT'
list device 'br_Gast.1'
option forward 'DROP'
option input 'DROP'
list network 'Gast_LAN'
# Homenet: trusted. input ACCEPT means every Homenet host can reach LuCI/SSH.
config zone
option name 'Homenet'
option input 'ACCEPT'
option output 'ACCEPT'
list device 'brHomenet.22'
option forward 'ACCEPT'
list network 'Homenet'
config forwarding
option src 'Homenet'
option dest 'wan'
config forwarding
option src 'Gast'
option dest 'wan'
# No 'proto' given, so these match both tcp and udp (DHCP only needs udp).
config rule
option name 'GAST_Allow_DHCP'
option src 'Gast'
option dest_port '67 68'
option target 'ACCEPT'
config rule
option name 'GastDNS'
option src 'Gast'
option dest_port '53'
option target 'ACCEPT'
# Home20: may talk to Homenet in both directions. There is deliberately NO
# forwarding from Home20 to wan, so at the firewall level "Home has no
# internet" is already satisfied. If Home20 and Homenet cannot reach each
# other, the cause is the bridge/port layout in /etc/config/network, not
# these rules.
config zone
option name 'Home20'
option input 'ACCEPT'
option output 'ACCEPT'
list device 'brHome.20'
option forward 'ACCEPT'
list network 'Home'
config forwarding
option src 'Home20'
option dest 'Homenet'
config forwarding
option src 'Homenet'
option dest 'Home20'
All ports need to be part of a single bridge.
What is your desired port configuration (in plain english terms) for each port?
Hi, thanks for the reply.
ETH5 (SFP port) should be the internet port.
ETH0 is the guest LAN ("Gast").
ETH1 is for the Fritz!Box as telephone gateway.
ETH2 is for the TV, which should only get access to a shared folder on the PC.
ETH3 is for the PC, to share data with the TV and get internet.
ETH4 is the trunk port (all VLANs except internet) to connect to a managed switch.
I was about to start providing a bunch of suggestions, but it turns out that it would be so much easier to simply reset to defaults and start over.
Post your config files once that is done.
Thanks again!
Here is the output after configuring just the internet port (ETH5):
root@OpenWrt:~# ubus call system board
{
"kernel": "5.10.161",
"hostname": "OpenWrt",
"system": "MediaTek MT7621 ver:1 eco:3",
"model": "Ubiquiti EdgeRouter X SFP",
"board_name": "ubnt,edgerouter-x-sfp",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "22.03.3",
"revision": "r20028-43d71ad93e",
"target": "ramips/mt7621",
"description": "OpenWrt 22.03.3 r20028-43d71ad93e"
}
}
cat /etc/config/network
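# /etc/config/network -- after factory reset, only the PPPoE uplink configured.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fd38:22a7:9124::/48'
# Default single bridge over all LAN ports (eth0 is not a member here).
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
list ports 'eth2'
list ports 'eth3'
list ports 'eth4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
# PPPoE over VLAN 7 on the SFP port (eth5.7, defined by the 8021q device below).
config interface 'wan'
option proto 'pppoe'
option device 'eth5.7'
option ipv6 'auto'
# SECURITY(review): the post as published contained the full PPPoE login --
# the T-Online access ID as username and the password in clear text -- even
# though the request above asked for passwords to be redacted. Treat these
# credentials as compromised and have the ISP change them; always redact
# these two lines before posting /etc/config/network.
option username '<redacted>'
option password '<redacted>'
config device
option type '8021q'
option ifname 'eth5'
option vid '7'
option name 'eth5.7'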
cat /etc/config/wireless
cat: can't open '/etc/config/wireless': No such file or directory
cat /etc/config/dhcp
# /etc/config/dhcp -- OpenWrt defaults after reset.
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
# rebind_protection: refuse upstream answers that point at private ranges.
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
# localservice: only answer DNS queries from directly attached subnets.
option localservice '1'
option ednspacket_max '1232'
# lan pool: 192.168.1.100-192.168.1.249; DHCPv6 and router advertisements on.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
# Never serve DHCP towards the uplink.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
cat /etc/config/firewall
# /etc/config/firewall -- OpenWrt defaults after reset (lan trusted, wan closed).
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
# Unsolicited traffic from the internet is rejected; outbound is masqueraded.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
# Default exceptions for the wan zone (DHCP renew, ping, IGMP, IPv6 control
# traffic).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# NOTE(review): these two default rules forward unsolicited ESP and UDP/500
# from the internet into the lan zone. Unless an IPsec endpoint runs behind
# this router they serve no purpose; add "option enabled '0'" to both.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
Let's start by adding the bridge-vlans and the gast
network on port eth1 (untagged) and port eth4 (tagged). From there, you should be able to see how the rest should be setup.
add bridge-vlans to /etc/config/network
-- we'll use vlan1 for the lan, and vlan 7 for the gast:
# VLAN 1 (lan): eth2-eth4 untagged. ":u" = untagged on egress, "*" = PVID, i.e.
# untagged frames arriving on the port are assigned to this VLAN.
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'eth2:u*'
list ports 'eth3:u*'
list ports 'eth4:u*'
# VLAN 7 (gast): eth1 untagged/PVID, eth4 carries it tagged (":t") as a trunk.
config bridge-vlan
option device 'br-lan'
option vlan '7'
list ports 'eth1:u*'
list ports 'eth4:t'
Next, edit the lan interface to use br-lan.1:
# lan now rides on the VLAN-1 sub-interface of the bridge instead of br-lan itself.
config interface 'lan'
option device 'br-lan.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
And add the gast network like this:
# Guest network on VLAN 7, 192.168.7.1/24 (separate subnet from lan).
config interface 'gast'
option proto 'static'
option device 'br-lan.7'
option netmask '255.255.255.0'
option ipaddr '192.168.7.1'
In the /etc/config/dhcp
file, add a dhcp server for gast
# Guest pool: 192.168.7.100-192.168.7.249, short 1h leases.
config dhcp 'gast'
option interface 'gast'
option start '100'
option limit '150'
option leasetime '1h'
and in the /etc/config/firewall
file add the relevant firewall rules:
# Guest zone: reject everything towards the router and towards other zones by
# default; only DHCP and DNS to the router and forwarding to wan are opened.
config zone
option name 'gast'
option output 'ACCEPT'
option forward 'REJECT'
option input 'REJECT'
list network 'gast'
# No 'dest' => these are INPUT rules (traffic to the router itself). No 'proto'
# => tcp and udp; DHCP only needs udp, so "option proto 'udp'" would be tighter.
config rule
option name 'gast-DHCP'
option src 'gast'
option dest_port '67 68'
option target 'ACCEPT'
config rule
option name 'gast-DNS'
option src 'gast'
option dest_port '53'
option target 'ACCEPT'
# Internet only; no forwarding gast <-> lan.
config forwarding
option src 'gast'
option dest 'wan'
Then restart the router. you should see the gast network on port eth1 (untagged) and port eth4 (tagged). The regular lan should work on eth2-eth4 (untagged).
The gast network will have internet access, but no ability to access the router itself (aside from DHCP and DNS), nor will it be able to access the main lan.
Hi, thanks for the reply.
I did the steps as you described, via LuCI.
Here is the result:
cat /etc/config/network
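# /etc/config/network -- after adding VLAN 2 (lan) and VLAN 22 (Homenet) in LuCI.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fd38:22a7:9124::/48'
# Single bridge over all five copper ports; VLANs are split below.
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
list ports 'eth1'
list ports 'eth2'
list ports 'eth3'
list ports 'eth4'
config interface 'lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option device 'br-lan.2'
config interface 'wan'
option proto 'pppoe'
option device 'eth5.7'
option ipv6 'auto'
# SECURITY(review): the post as published contained the full PPPoE login
# (T-Online access ID and password) in clear text. Treat these credentials as
# compromised and have the ISP change them; always redact these two lines
# before posting /etc/config/network.
option username '<redacted>'
option password '<redacted>'
config device
option type '8021q'
option ifname 'eth5'
option vid '7'
option name 'eth5.7'
# NOTE(review): the ports carry no ":u*" flag. Without "*" (PVID) untagged
# frames entering a port are not assigned to the VLAN, which matches the
# symptom reported below (no DHCP lease on eth3). Use 'eth3:u*' etc.
config bridge-vlan
option device 'br-lan'
option vlan '2'
list ports 'eth0'
list ports 'eth1'
list ports 'eth2'
list ports 'eth4'
config bridge-vlan
option device 'br-lan'
option vlan '22'
list ports 'eth3'
config interface 'Homenet'
option device 'br-lan.22'
option proto 'static'
option ipaddr '10.25.22.1'
option netmask '255.255.255.0'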
cat /etc/config/dhcp
# /etc/config/dhcp -- defaults plus a pool for Homenet.
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
# localservice: only answer DNS queries from directly attached subnets.
option localservice '1'
option ednspacket_max '1232'
# lan pool: 192.168.1.100-192.168.1.249.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# Homenet pool: 10.25.22.220-10.25.22.234.
config dhcp 'Homenet'
option interface 'Homenet'
option leasetime '12h'
option start '220'
option limit '15'
cat /etc/config/firewall
# /etc/config/firewall -- defaults plus a zHomenet zone.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
# OpenWrt default exceptions for the wan zone.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# NOTE(review): unsolicited ESP / UDP 500 from the internet into lan; disable
# unless an IPsec endpoint runs behind this router.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# NOTE(review): input and output are the wrong way round for the intended
# "internet only" zone: input ACCEPT exposes LuCI/SSH to Homenet, while
# output REJECT blocks router-originated traffic towards Homenet. The
# reply below swaps them (input REJECT, output ACCEPT).
config zone
option name 'zHomenet'
option input 'ACCEPT'
option output 'REJECT'
option forward 'REJECT'
list network 'Homenet'
config forwarding
option src 'zHomenet'
option dest 'wan'
# INPUT exceptions (no 'dest'): DHCP and DNS to the router only.
config rule
option name 'rHomenet_DHCP'
option src 'zHomenet'
option target 'ACCEPT'
option dest_port '67 68'
config rule
option name 'rHomenet_DNS'
option src 'zHomenet'
option dest_port '53'
option target 'ACCEPT'
The problem now is that I don't get an IP on eth3. In LuCI it is configured as VLAN 22 untagged.
Do you have a solution?
Add `:u*` to each of the ports, like this:
# ":u*" = untagged egress and PVID, so untagged frames arriving on the port are
# placed into this VLAN. Without the "*" the port gets no lease (see above).
config bridge-vlan
option device 'br-lan'
option vlan '2'
list ports 'eth0:u*'
list ports 'eth1:u*'
list ports 'eth2:u*'
list ports 'eth4:u*'
config bridge-vlan
option device 'br-lan'
option vlan '22'
list ports 'eth3:u*'
Change your zHomenet zone so that input is REJECT and output is ACCEPT
# Corrected zone: router closed to Homenet except for the explicit DHCP/DNS
# rules; router may initiate towards Homenet; no inter-zone forwarding by
# default (internet is opened via a separate forwarding section).
config zone
option name 'zHomenet'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'Homenet'
Restart and test again.
Hi,
The VLANs are set in LuCI with u / u*; I don't know why it isn't shown that way over SSH.
If I configure the zone with input REJECT, I get an IP but no internet.
With input and output ACCEPT I get an IP and internet, like the lan zone. This seems to be the necessary option.
The next step would be to create the interface "Homeint" with access to "Homenet" but no access to the internet/WAN interface.
Thank you for the support.
The problem is likely that you don't have rules to allow DHCP and DNS. This is what it should look like (except change the source to zHomenet and change the rule names so it's not confusing):
Hi,
thanks, but see my post from 2 days ago:
the rules are already in.
Change them so the name uses - (dash) instead of _ (underscore). Then restart and try again.
Hi,
that was the goal. With the '-' I get internet and cannot reach the LuCI interface.
Now I will try to create an interface with full access to Homenet but no internet access (for printer / TV etc. devices).
Are there any rules I have to look at?
Use the same general method, but don't add forwarding from the new zone to the wan; instead add it to the zHomenet zone.
Hi,
I did it, but I can't see the data share of a "Homenet" PC from a "Homeint" PC.
Do you have a tip for me?
cat /etc/config/network
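# /etc/config/network -- current state: lan (VLAN 2), Homenet (VLAN 22), Homeint (VLAN 20).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fd38:22a7:9124::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
list ports 'eth1'
list ports 'eth2'
list ports 'eth3'
list ports 'eth4'
config interface 'lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option device 'br-lan.2'
config interface 'wan'
option proto 'pppoe'
option device 'eth5.7'
option ipv6 'auto'
# SECURITY(review): the post as published contained the full PPPoE login
# (T-Online access ID and password) in clear text, for the third time in
# this thread. Treat these credentials as compromised and have the ISP change
# them; always redact these two lines before posting /etc/config/network.
option username '<redacted>'
option password '<redacted>'
config device
option type '8021q'
option ifname 'eth5'
option vid '7'
option name 'eth5.7'
# VLAN 2 (lan): eth1 (Fritz!Box) and eth2 (TV) untagged, eth4 tagged.
# NOTE(review): eth1/eth2 carry no ":u*" flag here although VLAN 22 below
# does; the earlier reply in this thread explains why the "*" (PVID) matters.
config bridge-vlan
option device 'br-lan'
option vlan '2'
list ports 'eth1'
list ports 'eth2'
list ports 'eth4:t'
# VLAN 22 (Homenet): eth3 (PC) untagged/PVID, eth4 tagged.
config bridge-vlan
option device 'br-lan'
option vlan '22'
list ports 'eth3:u*'
list ports 'eth4:t'
config interface 'Homenet'
option device 'br-lan.22'
option proto 'static'
option ipaddr '10.25.22.1'
option netmask '255.255.255.0'
# VLAN 20 (Homeint): eth0 only. NOTE(review): eth4 was described as the
# trunk for "all VLANs but internet" but does not carry VLAN 20; add
# "list ports 'eth4:t'" here if Homeint devices also hang off the switch.
config bridge-vlan
option device 'br-lan'
option vlan '20'
list ports 'eth0'
config interface 'Homeint'
option proto 'static'
option device 'br-lan.20'
option ipaddr '10.25.20.1'
option netmask '255.255.255.0'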
cat /etc/config/dhcp
# /etc/config/dhcp -- current state: pools for lan, Homenet and Homeint.
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
# localservice: only answer DNS queries from directly attached subnets.
option localservice '1'
option ednspacket_max '1232'
# lan pool: 192.168.1.100-192.168.1.249.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# Homenet pool: 10.25.22.220-10.25.22.234.
config dhcp 'Homenet'
option interface 'Homenet'
option leasetime '12h'
option start '220'
option limit '15'
# Homeint pool: 10.25.20.200-10.25.20.218.
config dhcp 'Homeint'
option interface 'Homeint'
option leasetime '12h'
option start '200'
option limit '19'
cat /etc/config/firewall
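# /etc/config/firewall -- current state. Zones: lan, wan, zHomenet, zHomeint.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
# OpenWrt default exceptions for the wan zone.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# NOTE(review): unsolicited ESP / UDP 500 from the internet into lan; disable
# both unless an IPsec endpoint runs behind this router.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Homenet (10.25.22.0/24): internet via wan. NOTE(review): input ACCEPT lets
# every Homenet host reach LuCI/SSH; the stated goal (internet, but no LuCI)
# is input REJECT -- the DHCP/DNS rules below exist exactly for that case.
# 'forward ACCEPT' only affects traffic between networks of the same zone and
# is moot while the zone holds one network.
config zone
option name 'zHomenet'
list network 'Homenet'
option output 'ACCEPT'
option input 'ACCEPT'
option forward 'ACCEPT'
config forwarding
option src 'zHomenet'
option dest 'wan'
# INPUT exceptions (no 'dest'): DHCP and DNS to the router's own dnsmasq.
config rule
option src 'zHomenet'
option target 'ACCEPT'
option dest_port '67 68'
option name 'rHomenet-DHCP'
config rule
option src 'zHomenet'
option dest_port '53'
option target 'ACCEPT'
option name 'rHomenet-DNS'
# Homeint (10.25.20.0/24): printer / TV segment. Must reach Homenet, must NOT
# reach the internet -- hence there is deliberately no zHomeint -> wan
# forwarding. Same input ACCEPT caveat as zHomenet applies.
config zone
option name 'zHomeint'
option input 'ACCEPT'
option output 'ACCEPT'
list network 'Homeint'
option forward 'ACCEPT'
# Both directions between the two zones are fully open. If the TV only needs
# the PC's share, the zHomeint -> zHomenet direction can be narrowed to one
# rule (src zHomeint, dest zHomenet, dest_ip <PC address>, proto tcp,
# dest_port 445) instead of this forwarding section. Note that Windows
# network browsing relies on broadcast/multicast discovery, which does not
# cross subnets; presumably the share has to be opened by address
# (\\10.25.22.x\share) -- verify on the client.
config forwarding
option src 'zHomeint'
option dest 'zHomenet'
config forwarding
option src 'zHomenet'
option dest 'zHomeint'
# FIX(review): the posted rule carried "option dest '*'", which makes it a
# FORWARD rule matching any destination zone -- including wan. Combined with
# masquerading on wan, Homeint hosts could reach port 53 (tcp and udp) on any
# internet host, a hole in the "no internet" policy and a ready-made
# DNS-tunnelling path. Without 'dest' the rule only admits queries to the
# router's own resolver, which is all that is needed.
config rule
option name 'rHomeint-DNS'
option src 'zHomeint'
option dest_port '53'
option target 'ACCEPT'
# Mirrors rHomenet-DHCP so zHomeint can later be switched to input REJECT
# without losing DHCP.
config rule
option name 'rHomeint-DHCP'
option src 'zHomeint'
option dest_port '67 68'
option target 'ACCEPT'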
Thanks again