VLAN setup help - is this possible? Or better to use Firewall ZONES?

So @trendy @psherman

Airplay is a bad test, I now understand

Testing firewall rules between my Mac (LAN) and RPi4 running DietPi (WiFi - not audio this time, just testing ssh connections with Terminal)

So how can I test if a firewall rule is working, to make sure the IoT device can not communicate with the Mac? Is just pinging 192.168.xxxx, the IP address of the IoT device, from the Mac terminal enough?

And if the L2/L3 thing is still going to be an issue with firewall traffic rules, can you assist with setting up VLANs for this simple setup?

Noting I also want W2 and W3 to have LAN access, per OP diagram

You can test with ping, as long as you allow it. By default you allow only tcp+udp, not icmp.

I am not sure what you are expecting from VLANs here, as I don't see how they can help with your issue.


I don't have a preference - per thread title.

@psherman mentioned in post #9 the below.

No preference at my end.

My only goal is to achieve the diagram per post #1

I guess I will try to persist further with just firewall rules and see if we can achieve it

@trendy Putting aside VLANs and pushing on with just firewall traffic rules, I've set up the rules below between the iPhone and the RPi4 (WiFi), and vice versa.

Both are on the same WiFi network (172.16.0.XXX)

But even with this basic rule to reject packets both ways, the iPhone can still see and communicate with the wireless RPi4

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'WiFi'
	option output 'ACCEPT'
	list network 'WiFi'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'WiFi'
	option dest 'wan'

config rule
	option name 'iPhone to DietPi WiFi'
	list proto 'all'
	option src 'WiFi'
	list src_ip '172.16.0.105'
	option dest 'WiFi'
	list dest_ip '172.16.0.151'
	option target 'REJECT'

config rule
	option name 'DietPi WiFi to iPhone'
	list proto 'all'
	option src 'WiFi'
	list src_ip '172.16.0.151'
	option dest 'WiFi'
	list dest_ip '172.16.0.105'
	option target 'REJECT'

root@OpenWrt:~#

So per my diagram in OP, there's really no sure-fire way for W2 (iPhone) & W3 (iPad) to communicate with LAN (eg Airplay, AirPrint etc)?

Even VLAN won't help here?

This is expected. When they are in the same network they communicate without hitting the firewall.

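As an added illustration of the point above (this is example code written for this page, not code from the thread or from OpenWrt): a small Python linter that parses the UCI text of /etc/config/firewall and flags any traffic rule whose src and dest are the same zone when that zone holds a single network, which is exactly the shape of the two REJECT rules posted earlier. The embedded config is a trimmed copy of that post, constructed here as sample input; the function and class names are the example's own, and an unset zone forward policy is treated as "not ACCEPT" as a conservative assumption.

```python
"""Lint an OpenWrt UCI firewall config for traffic rules that can never match.

Added example, not code from the thread. Two hosts in one network reach
each other through the bridge / access point at layer 2, so the router's
forward chain (where 'config rule' with src+dest lives) never sees them.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One UCI line: keyword, key, optional value in '...', "..." or bare.
_LINE = re.compile(
    r"""^\s*(config|option|list)\s+([^\s'"]+)"""
    r"""(?:\s+(?:'([^']*)'|"([^"]*)"|([^\s'"]+)))?\s*$"""
)


@dataclass
class Section:
    kind: str                                    # 'zone', 'rule', 'forwarding', ...
    name: str | None                             # optional section name, e.g. 'lan'
    options: dict = field(default_factory=dict)  # option key -> value
    lists: dict = field(default_factory=dict)    # list key -> [values]


def parse_uci(text: str) -> list[Section]:
    """Parse UCI text into sections in file order (comments and blanks skipped)."""
    sections: list[Section] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _LINE.match(raw)
        if m is None:
            raise ValueError(f"unparsable UCI line: {raw!r}")
        kw, key = m.group(1), m.group(2)
        val = next((g for g in m.group(3, 4, 5) if g is not None), None)
        if kw == "config":
            sections.append(Section(kind=key, name=val))
        elif not sections:
            raise ValueError(f"{kw} before any config section: {raw!r}")
        elif kw == "option":
            sections[-1].options[key] = val
        else:
            sections[-1].lists.setdefault(key, []).append(val)
    return sections


def zones(sections: list[Section]) -> dict[str, Section]:
    """Zone name -> zone section."""
    return {s.options["name"]: s
            for s in sections if s.kind == "zone" and "name" in s.options}


def zone_networks(zone: Section) -> list[str]:
    """Networks attached to a zone, given as 'list network' or 'option network'."""
    nets = list(zone.lists.get("network", []))
    nets += zone.options.get("network", "").split()
    return nets


def allowed_pairs(sections: list[Section]) -> set[tuple[str, str]]:
    """(src, dest) zone pairs forwarded by policy, before traffic rules run.

    'config forwarding' opens one direction between two zones; a zone's own
    'forward' policy covers traffic between networks inside that zone.
    Assumption: an unset zone forward policy is treated as not ACCEPT.
    """
    pairs: set[tuple[str, str]] = set()
    for s in sections:
        if s.kind == "forwarding" and "src" in s.options and "dest" in s.options:
            pairs.add((s.options["src"], s.options["dest"]))
    for name, z in zones(sections).items():
        if z.options.get("forward", "").upper() == "ACCEPT":
            pairs.add((name, name))
    return pairs


def unreachable_rules(sections: list[Section]) -> list[str]:
    """Rules with src == dest on a single-network zone: layer-2 traffic, never forwarded."""
    zs = zones(sections)
    findings = []
    for s in sections:
        if s.kind != "rule":
            continue
        src, dest = s.options.get("src"), s.options.get("dest")
        if src is None or src != dest or src not in zs:
            continue
        nets = zone_networks(zs[src])
        if len(nets) == 1:
            findings.append(
                f"rule {s.options.get('name', '<unnamed>')!r}: src and dest are both "
                f"zone {src!r} (single network {nets[0]!r}); hosts there reach each "
                f"other at layer 2, so the forward chain never sees this traffic"
            )
    return findings


# Constructed sample: a trimmed copy of the config posted above.
SAMPLE_FIREWALL = """\
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option forward 'ACCEPT'
    list network 'lan'

config zone
    option name 'WiFi'
    option forward 'ACCEPT'
    list network 'WiFi'

config zone
    option name 'wan'
    option forward 'REJECT'
    option masq '1'
    list network 'wan'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'WiFi'
    option dest 'wan'

config rule
    option name 'iPhone to DietPi WiFi'
    list proto 'all'
    option src 'WiFi'
    list src_ip '172.16.0.105'
    option dest 'WiFi'
    list dest_ip '172.16.0.151'
    option target 'REJECT'
"""

if __name__ == "__main__":
    secs = parse_uci(SAMPLE_FIREWALL)
    print("forwarded by policy:", sorted(allowed_pairs(secs)))
    for f in unreachable_rules(secs):
        print("WARNING:", f)
```

Run it against a real dump with `parse_uci(open("/etc/config/firewall").read())`; a rule that shows up in the warnings needs the two hosts moved into different networks and zones before any target (ACCEPT, REJECT or DROP) can take effect.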

Ok thanks, I'm learning.

So there's no way to block them? Any hints?

The 'isolate clients' feature blocks ALL wireless clients right? You can't pick and choose which clients?

If they are in the same network you cannot block them. Hence the need for vlans and different networks.


Ok thanks - back to VLANs

Any advice on how to set up a simple VLAN for this simple case (iPhone and wireless DietPi)?

Then I can try to work out how to do it for my intended goal

Would I need two separate wireless VLANs on the same wlan0? Separate SSIDs?

And then where do I allow IP addresses to access the separate VLAN? Where does that happen? In Firewall Traffic Rules between the VLANs?

OK, I've set up 2 separate wireless VLANs.

But it seems I'm not able to create 2 separate SSIDs with the single WiFi AP

So I imagine I need to be using single SSID ?

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fe80::/10'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config device
	option type '8021q'
	option ifname 'wlan0'
	option vid '1'
	option name 'wlan0.1'

config device
	option type '8021q'
	option ifname 'wlan0'
	option vid '2'
	option name 'wlan0.2'

config interface 'iOSwifi'
	option proto 'static'
	option ipaddr '172.16.1.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option device 'wlan0'

config interface 'IOTwifi'
	option proto 'static'
	option ipaddr '172.16.2.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option device 'radio0.network2'
root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
	option cell_density '0'
	option band '2g'
	option channel '1'
	option txpower '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/fe980000.usb/usb1/1-1/1-1:1.0'
	option band '2g'
	option cell_density '0'
	option htmode 'HT20'
	option txpower '3'
	option channel '13'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'wifi'
	option encryption 'psk2+ccmp'
	option key 'XXX'
	option disabled '1'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/fe980000.usb/usb1/1-1/1-1.2/1-1.2:1.0'
	option band '2g'
	option channel '13'
	option txpower '3'
	option cell_density '0'

config wifi-iface 'wifinet1'
	option device 'radio0'
	option mode 'ap'
	option encryption 'psk2+ccmp'
	option key 'XXX'
	option network 'iOSwifi'
	option ssid 'iOSwifi'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'iOTwifi'
	option encryption 'psk2+ccmp'
	option key 'XXX'
	option network 'IOTwifi'

This is a limitation of the weak wifi of RPi4.

Ok I can add a second wifi device (USB to WiFi adapter).

But is this the right approach?

Two separate SSIDs?

And then where do I allow IP addresses to access the separate VLAN?

Where does that happen? In Firewall Traffic Rules between the VLANs ?

I now have 2 x wireless VLANs and 2 x separate SSIDs.

IOSwifi and IOTwifi are both on same wireless network (172.16...)

I do have a device now connected to each of these

How do I now make them communicate with each other ?

The firewall rule before isn't doing anything.

I tried to look at where to tag/untag but I can only do this with br-lan ? No tagging/untagging for the wireless devices ?

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fe80::/10'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config device
	option type '8021q'
	option ifname 'wlan0'
	option vid '1'
	option name 'wlan0.1'

config device
	option type '8021q'
	option ifname 'wlan0'
	option vid '2'
	option name 'wlan0.2'

config interface 'iOSwifi'
	option proto 'static'
	option ipaddr '172.16.1.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option device 'wlan0'

config interface 'IOTWIFI'
	option proto 'static'
	option ipaddr '172.16.2.1'
	option netmask '255.255.255.0'
	option device 'radio0.network2'
	option type 'bridge'

root@OpenWrt:~#
root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
	option cell_density '0'
	option band '2g'
	option channel '1'
	option txpower '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/fe980000.usb/usb1/1-1/1-1:1.0'
	option band '2g'
	option cell_density '0'
	option htmode 'HT20'
	option txpower '3'
	option channel '1'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/fe980000.usb/usb1/1-1/1-1.2/1-1.2:1.0'
	option band '2g'
	option channel '13'
	option txpower '3'
	option cell_density '0'

config wifi-iface 'wifinet1'
	option device 'radio0'
	option mode 'ap'
	option encryption 'psk2+ccmp'
	option key ''
	option network 'iOSwifi'
	option ssid 'iOSwifi'

config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option ssid 'IOTwifi'
	option encryption 'psk2+ccmp'
	option key ''
	option network 'IOTWIFI'

root@OpenWrt:~#
root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'iOSwifi'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'iOSwifi'

config zone
	option name 'IOTWifi'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'IOTWIFI'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'iOSwifi'
	option dest 'wan'

config forwarding
	option src 'IOTWifi'
	option dest 'wan'

config rule
	option name 'iOS to DietPi WiFi'
	list proto 'all'
	option src 'iOSwifi'
	list src_ip '172.16.1.164'
	option dest 'IOTWifi'
	list dest_ip '172.16.2.151'
	option target 'ACCEPT'

config rule
	option name 'DietPi WiFi to iOS'
	list proto 'all'
	option src 'IOTWifi'
	list src_ip '172.16.2.151'
	option dest 'iOSwifi'
	list dest_ip '172.16.1.164'
	option target 'ACCEPT'

root@OpenWrt:~#

You need separate SSID, separate networks, and separate zones to control the traffic. Controlling the traffic can be achieved with the firewall rules.

Thanks @trendy , I got simple Firewall rules now working between the wireless VLANs

I haven't setup any wireless bridge for this to work.

Was I supposed to ?

Seems like I've skipped the entire tagging/untagging , with no bridge ?

VLANs don't work over wifi anyway.

So what I have working now has nothing to do with VLANs?

The firewall traffic rules are having an effect across 172.16.1.x and 172.16.2.x

Are these technically different networks?

I enable the traffic rules and I can ping these devices and I disable the traffic rules and I can't ping devices

Edit: I guess since I now have 2 different wireless devices (add USB WiFi adapter for the 2nd network), it is different to my previous testing where I was trying to block 2 WiFi devices on same network - which as you said, does not involve firewall

This is kind of a thing of semantics and pedantic definitions vs how we use the term with loose language.

In the more colloquial discussions about network tech, VLANs and "multiple networks/subnets" are often interchangeable (and I'm guilty of this, too).

Technically speaking, VLANs specifically refers to the use of 802.1q ethernet tagging to enable multiple networks to exist over a single link (cable / trunk port).

If your ethernet ports are individually routed (i.e. not connected to a hardware switch chip), or if you are simply using wifi (and no ethernet is involved), having a unique network on each physical interface would not qualify as a VLAN scenario according to the strict definition. It is only technically a VLAN environment if multiple networks are present on any individual port/physical interface. [Side note: It would be legit to call it VLANs if you have a device with a built-in switch where the traffic between the CPU and the switch happens over a single logical link, even if each physical switch port only carries a single network.]

Yes, they are different networks, but technically not VLANs based on the definition above.


It's been confusing for me to go from this to:

Trying to understand how to block/allow connections between wireless devices

But it was probably me misunderstanding along the way

I think (while going in circles) I can now mostly achieve my diagram now

At least I know how to test rules now - are ping tests bulletproof for testing whether connections are truly blocked/rejected @psherman @trendy? If I select 'all protocols' and 'all ports' in the rules

Yes, but it is confusing. "Experience is something you don't get until just after you need it." (Steven Wright). It makes sense after you've been working with it for a while, but when you are first learning about VLANs, subnets, and all the nuances, it is quite hard to make sense of it.

No, not bulletproof. But for many practical cases, it is sufficient. The best way to verify that a rule is working is to disable the rule and establish a connection to a known service on another network (a file server, web server, etc.). Then turn the rule on and test to make sure it does what you want. Once you get to know the firewall logic, you'll gain confidence in this, too.

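An added example to go with the test procedure described above (example code written for this page, not code from the thread): a Python probe that tells "open" apart from "refused" (what a REJECT rule, or a closed port, produces) and "filtered" (what a DROP rule, or a lost packet, looks like) when connecting to a known TCP service, plus a verdict helper for the disable-then-enable comparison. Ping only exercises ICMP, which the firewall filters separately, so the probe targets the real service port. The local listener, host and ports are constructed for the demo so it runs offline; the function names are the example's own.

```python
"""Classify what a TCP connection attempt sees, to verify a firewall rule.

Added example, not code from the thread. Probe a known service on the
other network once with the rule disabled and once with it enabled:

    open         handshake completed; the rule is not blocking this port
    refused      RST or ICMP unreachable came back (REJECT, or closed port)
    filtered     nothing came back before the timeout (DROP, or lost packet)
    unreachable  the local stack reported no route / hard unreachable
"""
from __future__ import annotations

import socket


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'refused', 'filtered' or 'unreachable' for host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:      # RST or ICMP port-unreachable
        return "refused"
    except socket.timeout:              # SYN and its retries silently dropped
        return "filtered"
    except OSError:                     # EHOSTUNREACH, ENETUNREACH, ...
        return "unreachable"
    finally:
        s.close()


def rule_verdict(before: str, after: str) -> str:
    """Compare the probe result with the rule disabled (before) and enabled (after)."""
    if before != "open":
        return "inconclusive: service not reachable even with the rule off"
    if after == "open":
        return "rule has no effect on this path"
    return f"rule blocks the path ({after})"


def start_listener(host: str = "127.0.0.1") -> tuple[socket.socket, int]:
    """Throwaway local TCP listener standing in for 'a known service' (constructed)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))                 # port 0: let the kernel pick a free one
    srv.listen(1)
    return srv, srv.getsockname()[1]


def closed_port(host: str = "127.0.0.1") -> int:
    """A port just bound and released, so nothing is listening on it (constructed)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, port = start_listener()
    with_rule_off = probe_tcp("127.0.0.1", port)          # stands in for "rule disabled"
    srv.close()
    with_rule_on = probe_tcp("127.0.0.1", closed_port())  # stands in for "rule enabled"
    print("rule off:", with_rule_off, "| rule on:", with_rule_on)
    print(rule_verdict(with_rule_off, with_rule_on))
```

In real use replace the loopback listener with the actual service on the other network (ssh on the RPi4, a web server on the Mac), run `probe_tcp` from the client side before and after enabling the rule, and feed both results to `rule_verdict`; a "filtered" result after enabling a REJECT rule usually means something other than the rule (a DROP elsewhere, or no route) is in the way.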

VLANs don't work on wifi? Huh?
How do I then have multiple VLANs on my 802.11s network?
I have never tried it, but it wouldn't surprise me if you could also just tag traffic between an AP and a station.