VLAN setup help

Here's my topology

What I want to do is prevent my home alarm and CCTV from "phoning home", while still having remote access via WireGuard, which I already have set up.

I'm not sure how to set up a VLAN. I tried to do it but ended up with no WiFi connection. Can someone help me achieve this?

I also have an HP printer that connects to 2.4 GHz but requires WPA 1. Is there a way to create a VLAN for that to isolate it?

Let's see the configuration of your Bpi and your MX4200. Also, please indicate which ports are used to connect each of the devices.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

BPI-R4

BusyBox v1.36.1 (2024-12-23 00:55:35 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 24.10.0-rc4, r28211-d55754ce0d
 -----------------------------------------------------
root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.67",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 0",
        "model": "Bananapi BPI-R4",
        "board_name": "bananapi,bpi-r4",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0-rc4",
                "revision": "r28211-d55754ce0d",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.0-rc4 r28211-d55754ce0d",
                "builddate": "1734915335"
        }
}
root@OpenWrt:~#
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd0e:51e:9fb7::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'wan'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'eth2'

config device
        option name 'wan'
        option macaddr 'Redacted'

config device
        option name 'eth2'
        option macaddr 'Redacted'

config interface 'wan'
        option device 'br-wan'
        option proto 'pppoe'
        option username 'Redacted'
        option password 'Redacted'
        option ipv6 'auto'
        option keepalive '0 1'

config interface 'wan6'
        option device 'br-wan'
        option proto 'dhcpv6'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'Redacted'
        option listen_port '51820'
        option mtu '8940'
        list addresses '10.0.0.1/24'
        list addresses 'fd86::1/64'

config wireguard_wg0
        option description 'Redacted'
        option public_key 'Redacted'
        option private_key 'Redacted'
        option preshared_key 'Redacted'
        option route_allowed_ips '1'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '10.0.0.2/32'
        list allowed_ips 'fd86::2/128'

config wireguard_wg0
        option public_key 'Redacted'
        option private_key 'Redacted'
        option preshared_key 'Redacted'
        option description 'Redacted'
        list allowed_ips '10.0.0.3/32'
        list allowed_ips 'fd86::3/128'
        option route_allowed_ips '1'
        option endpoint_port '51820'
        option persistent_keepalive '25'

config wireguard_wg0
        option description 'Redacted'
        option public_key 'Redacted'
        option private_key 'Redacted'
        option preshared_key 'Redacted'
        list allowed_ips '10.0.0.4/32'
        list allowed_ips 'fd86::4/128'
        option route_allowed_ips '1'
        option endpoint_port '51820'
        option persistent_keepalive '25'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '44'
        option name 'br-lan.44'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/11300000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option radio '0'
        option band '2g'
        option channel 'auto'
        option htmode 'HE40'
        option country 'GB'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'No Signal'
        option encryption 'psk-mixed'
        option isolate '1'
        option dtim_period '3'
        option key 'Redacted'
        option ieee80211r '1'
        option mobility_domain '4f57'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option ieee80211k '1'
        option wnm_sleep_mode '1'
        option wnm_sleep_mode_no_keys '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/11300000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option radio '1'
        option band '5g'
        option channel 'auto'
        option htmode 'HE160'
        option country 'GB'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'No Signal'
        option encryption 'sae'
        option isolate '1'
        option dtim_period '3'
        option key 'Redacted'
        option ocv '0'
        option ieee80211r '1'
        option mobility_domain '4f57'
        option ft_over_ds '0'
        option ieee80211k '1'
        option wnm_sleep_mode '1'
        option wnm_sleep_mode_no_keys '1'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'soc/11300000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option radio '2'
        option band '6g'
        option channel 'auto'
        option htmode 'HE160'
        option country 'GB'
        option cell_density '0'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option mode 'ap'
        option ssid 'No Signal'
        option encryption 'sae'
        option isolate '1'
        option dtim_period '3'
        option key 'redacted'
        option ocv '0'
        option ieee80211r '1'
        option mobility_domain '4f57'
        option ft_over_ds '0'
        option ieee80211k '1'
        option wnm_sleep_mode '1'
        option wnm_sleep_mode_no_keys '1'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option port '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,192.168.1.1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'OpenWrt'
        option ip '192.168.1.107'
        list mac 'Redacted'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option src '*'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '51820'
        option name 'Allow-Wireguard-Inbound'

root@OpenWrt:~#
BusyBox v1.37.0 (2024-12-08 23:38:13 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt SNAPSHOT, r0-fda78df
 -----------------------------------------------------

 OpenWrt recently switched to the "apk" package manager!

 OPKG Command           APK Equivalent      Description
 ------------------------------------------------------------------
 opkg install <pkg>     apk add <pkg>       Install a package
 opkg remove <pkg>      apk del <pkg>       Remove a package
 opkg upgrade           apk upgrade         Upgrade all packages
 opkg files <pkg>       apk info -L <pkg>   List package contents
 opkg list-installed    apk info            List installed packages
 opkg update            apk update          Update package lists
 opkg search <pkg>      apk search <pkg>    Search for packages
 ------------------------------------------------------------------

For more https://openwrt.org/docs/guide-user/additional-software/opkg-to-apk-cheatsheet

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.63",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Linksys MX4200v1",
        "board_name": "linksys,mx4200v1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r0-fda78df",
                "target": "qualcommax/ipq807x",
                "description": "OpenWrt SNAPSHOT r0-fda78df",
                "builddate": "1733701093"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd66:3172:ecea::/48'
        option packet_steering '2'
        option steering_flows '256'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'wan'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc@0/c000000.wifi'
        option band '5g'
        option channel 'auto'
        option htmode 'HE80'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'No Signal'
        option encryption 'sae-mixed'
        option key 'Redacted'
        option ieee80211r '1'
        option mobility_domain '4f57'
        option ft_over_ds '0'
        option ocv '0'
        option wnm_sleep_mode '1'
        option wnm_sleep_mode_no_keys '1'
        option dtim_period '3'
        option ieee80211k '1'
        option isolate '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc@0/c000000.wifi+1'
        option band '2g'
        option channel 'auto'
        option htmode 'HE40'
        option cell_density '0'
        option country 'GB'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'No Signal'
        option encryption 'sae-mixed'
        option key 'Redacted'
        option ieee80211r '1'
        option ft_over_ds '0'
        option ocv '0'
        option mobility_domain '4f57'
        option wnm_sleep_mode '1'
        option wnm_sleep_mode_no_keys '1'
        option dtim_period '3'
        option ieee80211k '1'
        option isolate '1'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc@0/c000000.wifi+2'
        option band '5g'
        option channel '100'
        option htmode 'HE80'
        option country 'GB'
        option cell_density '0'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option mode 'ap'
        option ssid 'No Signal'
        option encryption 'sae-mixed'
        option key 'Redacted'
        option wnm_sleep_mode '1'
        option wnm_sleep_mode_no_keys '1'
        option ocv '0'
        option dtim_period '3'
        option ieee80211r '1'
        option ft_over_ds '0'
        option ieee80211k '1'
        option isolate '1'
        option mobility_domain '4f57'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'
        option synflood_protect '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'qcanssecm'
        option type 'script'
        option path '/etc/firewall.d/qca-nss-ecm'

root@OpenWrt:~#

On the BPI-R4, eth1 connects to the CCTV, lan3 connects to the switch, and lan2 connects to the Linksys MX4200.

On the MX4200, lan3 connects to the BPI-R4 and lan2 connects to the home alarm system.

This is the easiest part to start with.
Create a new network interface for the printer. Protocol static, IP, and mask are enough. Create a new wireless SSID for the printer with the WPA details. You can add it to the lan firewall zone, or create a new zone for the printer and set up the necessary forwardings, e.g. lan->printer and printer->wan if the printer needs internet access. You will lose some functionality, like automatic printer detection from lan hosts, but you can always print directly if you use the IP of the printer.

For the CCTV, remove eth1 from br-lan, then create a new bridge with it. Add a network interface on the new bridge, static protocol, IP, and mask. Add this to its own firewall zone and allow forwarding lan->CCTV zone.

For the home alarm, it mostly depends on how many more devices are connected to the MX4200.
If only the alarm is connected, then you can add lan2 of the BPi to the CCTV bridge and get on with it.
Otherwise you'd need to use VLAN tagging on lan2 of the BPi and lan3 of the MX4200, which will be bridged to a new SSID for the alarm.
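The printer and CCTV steps from the reply above, expressed as a `uci batch` script for the BPI-R4. This is an added example, not code from the thread or from the OpenWrt project. It takes from the thread only that eth1 is the CCTV port, that radio0 is the 2.4 GHz radio, and that the BPI-R4's lan zone section is named 'lan' and already contains wg0; the subnets 192.168.2.0/24 (cctv) and 192.168.3.0/24 (printer), the section and zone names, the SSID 'Printer', the placeholder key and the `psk+tkip` (WPA1/TKIP) encryption for the printer are assumptions. The sample `uci show network` text is constructed to mirror the posted br-lan device.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenWrt): prints the `uci batch`
# commands that implement the isolation steps described above. Nothing is
# changed until the output is piped into `uci batch` on the router.

# Print the section id of the 'config device' whose name option equals $2,
# parsed from the text of `uci show network` given as $1 (empty = not found).
# br-lan is an anonymous section (shown as network.cfgXXXXXX), so its id has to
# be looked up rather than hard-coded as @device[0].
bridge_section() {
    printf '%s\n' "$1" | sed -n "s/^network\.\([^.]*\)\.name='$2'\$/\1/p" | head -n 1
}

# Print the batch for the br-lan section id given as $1.
isolation_batch() {
    sec="$1"
    # CCTV: take eth1 out of br-lan, give it its own bridge, interface and DHCP pool.
    cat <<EOF
del_list network.${sec}.ports='eth1'
set network.cctv_dev=device
set network.cctv_dev.type='bridge'
set network.cctv_dev.name='br-cctv'
add_list network.cctv_dev.ports='eth1'
set network.cctv=interface
set network.cctv.proto='static'
set network.cctv.device='br-cctv'
set network.cctv.ipaddr='192.168.2.1'
set network.cctv.netmask='255.255.255.0'
set dhcp.cctv=dhcp
set dhcp.cctv.interface='cctv'
set dhcp.cctv.start='100'
set dhcp.cctv.limit='150'
set dhcp.cctv.leasetime='12h'
EOF
    # CCTV zone: forwarding only lan->cctv, none towards wan, so the cameras
    # cannot phone home; the router accepts nothing from them except DHCP.
    cat <<EOF
set firewall.cctv=zone
set firewall.cctv.name='cctv'
set firewall.cctv.input='REJECT'
set firewall.cctv.output='ACCEPT'
set firewall.cctv.forward='REJECT'
add_list firewall.cctv.network='cctv'
set firewall.lan_cctv=forwarding
set firewall.lan_cctv.src='lan'
set firewall.lan_cctv.dest='cctv'
set firewall.cctv_dhcp=rule
set firewall.cctv_dhcp.name='Allow-DHCP-cctv'
set firewall.cctv_dhcp.src='cctv'
set firewall.cctv_dhcp.proto='udp'
set firewall.cctv_dhcp.dest_port='67'
set firewall.cctv_dhcp.target='ACCEPT'
EOF
    # Printer: empty bridge + static interface + its own WPA1 SSID on radio0,
    # placed in the existing lan zone as the reply suggests (assumed values).
    cat <<EOF
set network.printer_dev=device
set network.printer_dev.type='bridge'
set network.printer_dev.name='br-printer'
set network.printer=interface
set network.printer.proto='static'
set network.printer.device='br-printer'
set network.printer.ipaddr='192.168.3.1'
set network.printer.netmask='255.255.255.0'
set wireless.printer=wifi-iface
set wireless.printer.device='radio0'
set wireless.printer.mode='ap'
set wireless.printer.network='printer'
set wireless.printer.ssid='Printer'
set wireless.printer.encryption='psk+tkip'
set wireless.printer.key='CHANGE-ME-printer-key'
add_list firewall.lan.network='printer'
EOF
}

# Constructed sample of `uci show network` output (abridged); on the router
# replace it with the real output of: uci show network
SAMPLE_UCI_SHOW="network.cfg030f15=device
network.cfg030f15.name='br-lan'
network.cfg030f15.type='bridge'
network.cfg030f15.ports='eth1' 'lan1' 'lan2' 'lan3' 'wan'
network.lan=interface
network.lan.device='br-lan'"

# Locate br-lan in the given `uci show network` text and print the batch;
# refuse to print anything if br-lan cannot be found.
print_batch_for() {
    sec=$(bridge_section "$1" br-lan)
    [ -n "$sec" ] || { echo "br-lan device section not found" >&2; return 1; }
    isolation_batch "$sec"
}

print_batch_for "$SAMPLE_UCI_SHOW"
```

On the router, feed the real output to the script (`print_batch_for "$(uci show network)" | uci batch`), then `uci commit` and restart network, firewall and wifi. Because wg0 is a member of the lan zone in the posted firewall config, the single lan->cctv forwarding also covers WireGuard clients; the cctv interface is directly attached, so it needs no gateway or dns options. If the cameras turn out to need DNS or NTP from the router, add rules for those ports from the cctv zone rather than opening cctv->wan forwarding.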


Thanks for this, I'll try it tomorrow. I'm just having a weird issue where my device won't do a handshake with WireGuard after rebooting the router: I have to delete the original config and scan the QR code, and then it'll do the handshake again, even though the key remains the same on the router side after the reboot.

I'm not sure if I've done it correctly, because I can't access my CCTV through the app.

Edit:

Current config

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.67",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 0",
        "model": "Bananapi BPI-R4",
        "board_name": "bananapi,bpi-r4",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0-rc4",
                "revision": "r28211-d55754ce0d",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.0-rc4 r28211-d55754ce0d",
                "builddate": "1734915335"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd0e:51e:9fb7::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'wan'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'eth2'

config device
        option name 'wan'
        option macaddr '0e:cf:c7:ec:58:c5'

config device
        option name 'eth2'
        option macaddr '0e:cf:c7:ec:58:c5'

config interface 'wan'
        option device 'br-wan'
        option proto 'pppoe'
        option username 'redacted' 
        option password 'redacted' 
        option ipv6 'auto'
        option keepalive '0 1'

config interface 'wan6'
        option device 'br-wan'
        option proto 'dhcpv6'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'redacted' 
        option listen_port '51820'
        option mtu '8940'
        list addresses '10.0.0.1/24'
        list addresses 'fd86::1/64'

config wireguard_wg0
        option description 'redacted' 
        option public_key 'redacted' 
        option private_key 'redacted' 
        option preshared_key 'redacted' 
        option route_allowed_ips '1'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '10.0.0.2/32'
        list allowed_ips 'fd86::2/128'

config wireguard_wg0
        option public_key 'redacted' 
        option private_key 'redacted' 
        option preshared_key 'redacted'
        option description 'redacted'
        list allowed_ips '10.0.0.3/32'
        list allowed_ips 'fd86::3/128'
        option route_allowed_ips '1'
        option endpoint_port '51820'
        option persistent_keepalive '25'

config wireguard_wg0
        option description 'redacted' 
        option public_key 'redacted' 
        option private_key 'redacted' 
        option preshared_key 'redacted' 
        list allowed_ips '10.0.0.4/32'
        list allowed_ips 'fd86::4/128'
        option route_allowed_ips '1'
        option endpoint_port '51820'
        option persistent_keepalive '25'

config device
        option type 'bridge'
        option name 'cctv'
        list ports 'eth1'

config interface 'cctv'
        option proto 'static'
        option device 'cctv'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'

root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/11300000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option radio '0'
        option band '2g'
        option channel 'auto'
        option htmode 'HE40'
        option country 'GB'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'No Signal'
        option encryption 'sae'
        option isolate '1'
        option dtim_period '3'
        option key 'redacted'
        option ieee80211r '1'
        option mobility_domain '4f57'
        option ft_over_ds '0'
        option ieee80211k '1'
        option wnm_sleep_mode '1'
        option wnm_sleep_mode_no_keys '1'
        option ocv '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/11300000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option radio '1'
        option band '5g'
        option channel 'auto'
        option htmode 'HE160'
        option country 'GB'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'No Signal'
        option encryption 'sae'
        option isolate '1'
        option dtim_period '3'
        option key 'redacted'
        option ocv '0'
        option ieee80211r '1'
        option mobility_domain '4f57'
        option ft_over_ds '0'
        option ieee80211k '1'
        option wnm_sleep_mode '1'
        option wnm_sleep_mode_no_keys '1'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'soc/11300000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option radio '2'
        option band '6g'
        option channel 'auto'
        option htmode 'HE160'
        option country 'GB'
        option cell_density '0'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option mode 'ap'
        option ssid 'No Signal'
        option encryption 'sae'
        option isolate '1'
        option dtim_period '3'
        option key 'redacted'
        option ocv '0'
        option ieee80211r '1'
        option mobility_domain '4f57'
        option ft_over_ds '0'
        option ieee80211k '1'
        option wnm_sleep_mode '1'
        option wnm_sleep_mode_no_keys '1'

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid 'NoS-Guest'
        option encryption 'psk-mixed'
        option key 'redacted'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option port '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,192.168.1.1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'OpenWrt'
        option ip '192.168.1.107'
        list mac 'D8:EC:5E:72:07:92'

config dhcp 'cctv'
        option interface 'cctv'
        option start '100'
        option limit '150'
        option leasetime '12h'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option src '*'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '51820'
        option name 'Allow-Wireguard-Inbound'

config zone
        option name 'cctv'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'cctv'

config forwarding
        option src 'lan'
        option dest 'cctv'

root@OpenWrt:~#

This issue has been solved, but I cannot solve the CCTV VLAN issue.

Can anyone help me? I'm quite stuck; I can't use the app to access the cameras after doing this.

How do the cameras get their IP configuration? There is a DHCP server configured on the cctv interface, but there are no rules allowing DHCP (and DNS) requests originating from the cctv zone.

Remove the gateway and dns options from this section. They are useless here.

2 Likes
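An added check, not taken from the thread or from OpenWrt's own tooling, that makes the point in the reply above mechanical: it parses the plain text of /etc/config/firewall and reports every client zone whose input policy is not ACCEPT but which has no rule letting hosts in that zone reach the router on UDP/67 (DHCP) and port 53 (DNS). The two sample configs are constructed to mirror the cctv zone before and after the DHCP/DNS rules were added; treating a zone with masq '1' as the upstream (wan) and skipping it is an assumption of this script, not a firewall semantic.

```python
"""Audit an OpenWrt firewall config for client zones that cannot reach
DHCP/DNS on the router itself.

Added example (not from the forum thread, not OpenWrt's own tooling).
For every zone whose effective 'input' policy is not ACCEPT it looks for an
enabled ACCEPT rule from that zone (or from '*') with no dest (router input)
that covers UDP/67 and port 53.  Assumption: masq '1' marks the upstream zone.
"""
import re

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")
OPTION_RE = re.compile(r"^(option|list)\s+(\S+)\s+'(.*)'\s*$")
# service -> (router port, protocol a client must be able to use)
SERVICES = {"dhcp": (67, "udp"), "dns": (53, "udp")}


def parse_uci(text):
    """Split UCI text into sections; every value is kept as a list of strings
    so 'option proto' and 'list proto' are handled alike."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            cur = {"_type": m.group(1), "_name": m.group(2) or ""}
            sections.append(cur)
            continue
        m = OPTION_RE.match(line)
        if m and cur is not None:
            _, key, val = m.groups()
            cur.setdefault(key, []).append(val)
    return sections


def first(section, key, default=""):
    return section.get(key, [default])[0]


def _allows_proto(rule, proto):
    protos = {p.lower() for v in rule.get("proto", []) for p in v.split()}
    if not protos:                      # fw4 default when proto is omitted
        protos = {"tcp", "udp"}
    if "tcpudp" in protos:
        protos |= {"tcp", "udp"}
    return proto in protos or bool(protos & {"all", "any"})


def _matches_port(rule, port):
    """dest_port may be one port, a space-separated list, or 'lo-hi'."""
    for spec in rule.get("dest_port", []):
        for part in spec.split():
            lo, _, hi = part.partition("-")
            hi = hi or lo
            if lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi):
                return True
    return False


def zone_accepts_input(sections, zone, port, proto):
    """True if an enabled ACCEPT rule lets `zone` reach the router (a rule
    with a dest is a forward rule and does not count) on port/proto."""
    for r in sections:
        if r["_type"] != "rule" or first(r, "enabled", "1") == "0":
            continue
        if r.get("dest"):
            continue
        src = r.get("src", [])
        if zone not in src and "*" not in src:
            continue
        if first(r, "target").upper() != "ACCEPT":
            continue
        if _allows_proto(r, proto) and _matches_port(r, port):
            return True
    return False


def audit_firewall(text):
    """Return {zone_name: [missing services]} for zones that block DHCP/DNS."""
    sections = parse_uci(text)
    defaults = next((s for s in sections if s["_type"] == "defaults"), {})
    default_input = first(defaults, "input", "REJECT").upper()
    findings = {}
    for z in sections:
        if z["_type"] != "zone" or first(z, "masq", "0") == "1":
            continue                    # assumption: masq zone is the upstream
        name = first(z, "name", z["_name"])
        if first(z, "input", default_input).upper() == "ACCEPT":
            continue
        missing = [svc for svc, (port, proto) in SERVICES.items()
                   if not zone_accepts_input(sections, name, port, proto)]
        if missing:
            findings[name] = missing
    return findings


# Constructed samples modelled on the thread: cctv zone before/after the fix.
CCTV_BEFORE = """
config defaults
        option input 'REJECT'
config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option masq '1'
config zone
        option name 'cctv'
        option input 'REJECT'
        list network 'cctv'
config rule
        option src '*'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '51820'
        option name 'Allow-Wireguard-Inbound'
"""
CCTV_AFTER = CCTV_BEFORE + """
config rule
        option name 'Allow-DNS-cctv'
        option src 'cctv'
        option dest_port '53'
        option target 'ACCEPT'
config rule
        option name 'Allow DHCP-cctv'
        list proto 'udp'
        option src 'cctv'
        option dest_port '67'
        option target 'ACCEPT'
"""

if __name__ == "__main__":
    print("before:", audit_firewall(CCTV_BEFORE))   # {'cctv': ['dhcp', 'dns']}
    print("after: ", audit_firewall(CCTV_AFTER))    # {}
```

Run it against a copy of the router's real file (`scp root@router:/etc/config/firewall .` and pass the text to `audit_firewall`); an empty result means every non-ACCEPT client zone can at least obtain a lease and resolve names, which is the minimum for devices on a new VLAN to come up at all.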

I'll post new config, gimme one minute

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.67",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 0",
        "model": "Bananapi BPI-R4",
        "board_name": "bananapi,bpi-r4",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0-rc4",
                "revision": "r28211-d55754ce0d",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.0-rc4 r28211-d55754ce0d",
                "builddate": "1734915335"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd38:7784:d57b::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'wan'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'eth2'

config device
        option name 'wan'
        option macaddr 'redacted' 

config device
        option name 'eth2'
        option macaddr 'redacted' 

config interface 'wan'
        option device 'br-wan'
        option proto 'pppoe'
        option username 'redacted' 
        option password 'redacted' 
        option ipv6 'auto'
        option keepalive '0 1'

config interface 'wan6'
        option device 'br-wan'
        option proto 'dhcpv6'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'
        list ports '@trunk.4'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option defaultroute '0'

config device
        option type 'bridge'
        option name 'cctv'
        list ports 'eth1'

config interface 'cctv'
        option proto 'static'
        option device 'cctv'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option defaultroute '0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'redacted' 
        option listen_port '51820'
        list addresses '10.0.0.1/24'

config wireguard_wg0
        option description 'redacted' 
        option public_key 'redacted' 
        option private_key 'redacted' 
        option preshared_key 'redacted' 
        list allowed_ips '10.0.0.2/32'
        option route_allowed_ips '1'
        option endpoint_port '51820'
        option persistent_keepalive '25'

config wireguard_wg0
        option description 'redacted' 
        option public_key 'redacted' 
        option private_key 'redacted' 
        option preshared_key 'redacted'
        list allowed_ips '10.0.0.4/32'
        option route_allowed_ips '1'
        option endpoint_port '51820'
        option persistent_keepalive '25'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/11300000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option radio '0'
        option band '2g'
        option channel 'auto'
        option htmode 'HE40'
        option country 'GB'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'No Signal'
        option encryption 'sae'
        option isolate '1'
        option dtim_period '3'
        option key 'redacted'
        option ieee80211r '1'
        option mobility_domain '4f57'
        option ft_over_ds '0'
        option ieee80211k '1'
        option wnm_sleep_mode '1'
        option wnm_sleep_mode_no_keys '1'
        option ocv '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/11300000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option radio '1'
        option band '5g'
        option channel 'auto'
        option htmode 'HE160'
        option country 'GB'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'No Signal'
        option encryption 'sae'
        option isolate '1'
        option dtim_period '3'
        option key 'redacted'
        option ieee80211r '1'
        option mobility_domain '4f57'
        option ft_over_ds '0'
        option ieee80211k '1'
        option wnm_sleep_mode '1'
        option wnm_sleep_mode_no_keys '1'
        option ocv '0'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'soc/11300000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option radio '2'
        option band '6g'
        option channel 'auto'
        option htmode 'HE160'
        option country 'GB'
        option cell_density '0'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option mode 'ap'
        option ssid 'No Signal'
        option encryption 'sae'
        option isolate '1'
        option dtim_period '3'
        option key 'redacted'
        option ieee80211r '1'
        option mobility_domain '4f57'
        option ft_over_ds '0'
        option ieee80211k '1'
        option wnm_sleep_mode '1'
        option wnm_sleep_mode_no_keys '1'
        option ocv '0'

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid 'NoS-Guest'
        option encryption 'psk-mixed'
        option isolate '1'
        option dtim_period '3'
        option key 'redacted'
        option ieee80211r '1'
        option mobility_domain '4f57'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option ieee80211k '1'
        option wnm_sleep_mode '1'
        option wnm_sleep_mode_no_keys '1'
        option network 'guest'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'cctv'
        option interface 'cctv'
        option start '100'
        option limit '150'
        option leasetime '12h'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vpn'
        list network 'wg0'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'

config zone
        option name 'cctv'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'cctv'
        list device 'cctv'

config forwarding
        option src 'lan'
        option dest 'cctv'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src '*'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow-DNS-cctv'
        option src 'cctv'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow DHCP-cctv'
        list proto 'udp'
        option src 'cctv'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Allow-DNS-guest'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow DHCP-Guest'
        list proto 'udp'
        option src 'guest'
        option dest_port '67'
        option target 'ACCEPT'

root@OpenWrt:~#

The wireguard issue is back weirdly

Should the app automatically detect the cameras? For this to work, the device running the app and the cameras must be on the same L2 segment (and that is no longer the case). Can you set the camera addresses manually in the app?

Run cat /tmp/dhcp.leases to see the leased addresses from network 192.168.3.0/24 and try pinging them from lan.

Also check if the cameras allow access from outside their own IP subnet.

1 Like
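Added example, not from the thread: a small parser for the dnsmasq lease file format that the reply above asks the poster to read (`/tmp/dhcp.leases`, one lease per line as `<expiry-epoch> <mac> <ip> <hostname> <client-id>`), restricted to one subnet and flagging leases that have already expired. The lease lines are constructed, not the poster's real file, and the `now` timestamp is an assumption chosen so that one sample lease is expired.

```python
"""List dnsmasq leases from one subnet and mark which are still active.

Added example (not from the forum thread, not OpenWrt's own code).  dnsmasq
writes /tmp/dhcp.leases as '<expiry-epoch> <mac> <ip> <hostname> <client-id>';
expiry 0 means an infinite lease and '*' means the field is unknown.
"""
import ipaddress

# Constructed sample; MACs, names and times are made up for the example.
SAMPLE_LEASES = """\
1736000000 aa:bb:cc:dd:ee:01 192.168.1.101 laptop 01:aa:bb:cc:dd:ee:01
1736000000 aa:bb:cc:dd:ee:02 192.168.3.100 * *
1735900000 aa:bb:cc:dd:ee:03 192.168.3.101 dvr-old 01:aa:bb:cc:dd:ee:03
1736000000 aa:bb:cc:dd:ee:04 192.168.2.105 phone *
"""


def parse_leases(text):
    """Return one dict per well-formed lease line; malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        hostname = parts[3] if len(parts) > 3 and parts[3] != "*" else ""
        try:
            leases.append({"expiry": int(parts[0]),
                           "mac": parts[1].lower(),
                           "ip": ipaddress.ip_address(parts[2]),
                           "hostname": hostname})
        except ValueError:
            continue
    return leases


def leases_in_subnet(text, cidr, now):
    """Leases whose address lies in `cidr`, sorted by IP, with an 'active'
    flag computed against the `now` epoch (0 expiry = never expires)."""
    net = ipaddress.ip_network(cidr, strict=False)
    rows = []
    for lease in parse_leases(text):
        if lease["ip"] in net:
            rows.append({"ip": str(lease["ip"]), "mac": lease["mac"],
                         "hostname": lease["hostname"],
                         "active": lease["expiry"] == 0 or lease["expiry"] > now})
    return sorted(rows, key=lambda r: ipaddress.ip_address(r["ip"]))


if __name__ == "__main__":
    # 'now' is an assumed timestamp between the two expiry values above.
    for row in leases_in_subnet(SAMPLE_LEASES, "192.168.3.0/24", now=1735950000):
        print(row)
```

On the router the same function can be fed `open("/tmp/dhcp.leases").read()` with `now=int(time.time())`; any address it lists as active is the one to ping from a lan host and to enter into the app.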

The cameras, which are analogue, connect to a DVR, which is connected to the network via an ethernet cable. I should've clarified that; the app connects to the DVR.

Nothing comes up with a 192.168.3.* IP address

Ok, after switching the DVR to DHCP it appears with an IP address, but I still cannot connect.

How does your app work? Specifically, there are three ways these apps can work (it may be one or more of the following):

  • App looks for the NVR on the same L2 network using auto-discovery methods.
  • App allows you to specify the IP address of the NVR, including possibly your network's public IP if you open ports so that you can connect while away from your network.
  • App connects to a cloud service that either re-streams your video feeds or the cloud service acts as a broker to connect the app to the NVR/cameras -- this makes it essentially automatic regardless where you are (home or away).

Yeah, it allows me to do both: an IP address to connect locally, or its standard method of using a cloud service to re-stream it. I guess I'll go local with the IP address and open a port.

You shouldn't need to open a port...

For the local address, you'll enter the IP of the NVR -- 192.168.3.x (where x is the actual IP address that the NVR obtained from the DHCP server). This will, of course, only work when you're connected to your local network (lan or CCTV network), and will not work on the internet in general.

That said... can you ping your NVR from a host in the lan? Does it have a web server or ssh or other access beyond the app itself? If so, can you establish a connection from a host on the lan?