Hi all. See my shocking sketch below.
I have 3 wireless devices (W1, W2, W3)
I want W1 to have normal communication with W2 + W3 - but I want W1 to be isolated from all the ethernet devices.
But I want W2 + W3 to be able to communicate to all devices, including ethernet
I've shown VLAN1 and VLAN2 but maybe this isn't the best way to think about it
Can someone help with if this is possible and a simple example of how to set this scenario up ?
Thanks !
Hello? 
Any help appreciated
I also wonder if this could be achieved purely using firewall "ZONES", and no need for VLANs ?
W1 = IOT
W2 and W3 = iPad and iPhone which I use to access W1 but also cast/Airplay to ethernet LAN devices.
Hence:
I want W1 to have normal communication with W2 + W3
I want W1 to be isolated from all the ethernet devices (but W1 to still have internet access).
I want W2 + W3 to be able to communicate to all devices, including ethernet LAN
W1 in a dedicated SSID/Network/Zone.
Use firewall rules to allow access to W2/W3 to that zone and drop everything else. Also allow internet to wan zone.
Thanks @trendy , I'll give this a try
Trying a baby step first, which will help me do the full thing.
So I've set up a Wireless interface and Zone both called WiFi and SSID called TestingWiFi
I want to just test if I can make my iPhone connect to the internet but not access my LAN.
If I can get this working then the rest of what I want will be intuitive.
But at the moment I'm not able to make my iPhone NOT see my LAN devices, even with the rules I've set up by MAC address in 'traffic rules'.
I have an Apple TV and my iPhone shouldn't be able to Airplay to it but it does.
Should this below include LAN?
With LAN included here are the firewall zones and traffic rules but still the iPhone has both internet access (good) and LAN access (bad):
Ok so I gave WiFi interface a random IP address and enabled DHCP
And now iPhone can access internet without seeing LAN devices
I guess its obvious when I think about it now - hindsight !
And disabled LAN here, which was probably one of the causes of issues in previous post
Still struggling to have iPhone internet access enabled but block iPhone from seeing other wireless devices (just for this learning curve - final goal will be different)
How should such a rule look @trendy ?
I selected the iPhone MAC address under "Source address" here
Blocking devices from seeing each other falls into 2 broad categories:
[side note] There is a possibility of a bridge firewall method, but it has some limitations/quirks that make it less than ideal.
Thanks but as per my diagram in opening post, this is not what I want. I want wireless devices talking to each other, so I've stayed clear of wifi client isolation
For this part does "different networks" mean different 'firewall zones' essentially?
I have tried the VLAN approach but struggled - hence this thread asking for some advice how to do it
I hit a wall with firewall traffic rules also - the rules don't seem to be doing anything, per my posts yesterday
I understand that... I just wanted to point out that, while this is a potential tool, it is all-or-nothing, and that it is not necessarily useful in every situation (such as yours). But further, this is generally the only way to block L2 connections for wifi devices.
It can, but does not require different zones. Different networks means different subnets. So for example, 192.168.1.0/24 and 192.168.2.0/24 (or any 2 or more non-overlapping RFC1918 address ranges).
Posting your complete config data (see below) is the best way for us to understand the configuration as it stands now. The screen grabs really aren't good for debugging what is happening.
The firewall doesn't operate on the traffic unless it is routed (i.e. VLANs). And depending on how your rules are crafted, they may appear not to work because of the order of execution or other details. That's why the text configuration files are so much easier to use for debug...
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
Wifi zone doesn't need masquerade.
Wifi zone doesn't forward to lan, or vice versa. You'd need to add a rule to allow the traffic from Wifi to lan. For the reverse, you might want to enable the lan to wifi forwarding.
Regarding the rule, you need to allow from source IP to destination IP, not MAC (as MAC is not preserved). If you are using hostnames for the communicaton, you may want to allow IPv6 as well.
For more details and troubleshooting, post the files mentioned by @psherman .
I've tried this but the rules don't seem to be getting obeyed. The below screenshot, I would assume does the same as bridging WiFi and LAN but doesn't seem to do anything.
Sorry my mistake - I just selected IP address via Luci dropdown (which shows the MAC address in brackets). But I believe the rule is via IP address this way
Posting shortly
Thanks for your help! outputs below. It's a very simple setup and I'm not trying to do anything advanced (I didn't think). But I don't have much experience in VLANs . And the simple firewall zone rules aren't doing what I thought but it could be due to what you mentioned, L2 and L3
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'XXXXX'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
list ports 'eth2'
config interface 'lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option device 'br-lan'
config interface 'wan'
option device 'eth0'
option proto 'dhcp'
option peerdns '0'
list dns '1.1.1.1'
list dns '1.0.0.1'
config interface 'WiFi'
option device 'wlan0'
option proto 'static'
option ipaddr '172.16.0.1'
option netmask '255.255.255.0'
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
option cell_density '0'
option band '2g'
option channel '1'
option txpower '1'
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/soc/fe980000.usb/usb1/1-1/1-1:1.0'
option band '2g'
option cell_density '0'
option htmode 'HT20'
option txpower '3'
option channel '13'
option disabled '1'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'wifi'
option encryption 'psk2+ccmp'
option key 'XXX'
option disabled '1'
config wifi-device 'radio2'
option type 'mac80211'
option path 'platform/soc/fe980000.usb/usb1/1-1/1-1.2/1-1.2:1.0'
option band '2g'
option channel '13'
option txpower '3'
option cell_density '0'
config wifi-iface 'wifinet1'
option device 'radio0'
option mode 'ap'
option encryption 'psk2+ccmp'
option key 'XXX'
option ssid 'wifi'
option network 'WiFi'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
list server '127.0.0.1#5453'
option noresolv '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'WiFi'
option interface 'WiFi'
option start '100'
option limit '150'
option leasetime '12h'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'WiFi'
option output 'ACCEPT'
list network 'WiFi'
option input 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config forwarding
option src 'WiFi'
option dest 'wan'
config rule
option name 'WiFi to LAN'
option src 'WiFi'
option dest 'lan'
option target 'ACCEPT'
config rule
option name 'LAN to WiFi'
option src 'lan'
option dest 'WiFi'
option target 'ACCEPT'
And @psherman @trendy here is a simple rule (I thought) for iPhone (WiFi) to see DietPi Airplay Streamer (LAN) and vice versa.
DietPi streamer is on 'eth2'
These are the correct IP addresses.
But iPhone fails to see Airplay Streamer
Before I try and tackle the more complex stuff, I was hoping to have success with something simple.
If VLAN is a good approach, I'm happy to try, if I can have some guidance
The end result I'm trying to achieve is per diagram in opening post.
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'WiFi'
option output 'ACCEPT'
list network 'WiFi'
option input 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config forwarding
option src 'WiFi'
option dest 'wan'
config rule
option name 'WiFi to streamer'
option src 'WiFi'
list src_ip '172.16.0.105'
option dest 'lan'
option target 'ACCEPT'
list dest_ip '192.168.1.107'
config rule
option name 'Streamer to WiFi'
option src 'lan'
option dest 'WiFi'
list dest_ip '172.16.0.105'
option target 'ACCEPT'
list src_ip '192.168.1.107'
root@OpenWrt:~#
Rules are correct. However are you certain that iphone can communicate with airplay streamer in a different network? Is it possible it works with mdns or broadcasts?
What is the output of ubus call system board; iptables-save -c -t filter ?
Mmm good point - I also tried UPnP renderer on DietPi and still no work
Will do and report back
FWIW, Airplay does use mdns/zero-config networking to function... this does not route across networks by default. You need an mdns reflector/repeater, and that doesn't always allow it to work, either.
EDIT: I hit the reply button for @trendy 's comment (which is on-point), but this should really be directed towards @v2zEPhNxdm .
Airplay was a bad example/starting point to try to explore firewall rules then.
I guess blocking between firewall zones is more of what I'm trying to achieve (per opening post diagram - blocking W1 from LAN connections) rather than allowing like I've been trying here with Airplay
root@OpenWrt:~# ubus call system board; iptables-save -c -t filter
{
"kernel": "5.10.134",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 3",
"model": "Raspberry Pi Compute Module 4 Rev 1.0",
"board_name": "raspberrypi,4-compute-module",
"rootfs_type": "ext4",
"release": {
"distribution": "OpenWrt",
"version": "22.03.0-rc6",
"revision": "r19590",
"target": "bcm27xx/bcm2711",
"description": "OpenWrt 22.03.0-rc6 r1"
}
}
-ash: iptables-save: not found
root@OpenWrt:~#