Yeah, it then says scanning and then won't connect on my phone. The laptop will attempt to connect for some time and then will connect after a bit but has no internet.
Disable wds and try again.
Also try with static IP instead of DHCP.
Where is the laptop connected and what IP does it have?
Which IP is it trying to ping?
I pinged 192.168.1.107 for router and 192.168.4.228 for alarm; the laptop was connected to the BPI (I probably should've tested on the mx4200, silly me).
Didn't work either unfortunately, still getting no internet on laptop; tried pinging alarm and all I got was request timed out.
Try to ping the alarm from the BPi.
100% packet loss. I've noticed there's another IP address with 4.229, but nothing else is currently connected; it also gets 100% packet loss.
The mx4200 can ping 192.168.4.1 just fine and get a response, but it can't get a response when trying to ping the alarm at 192.168.4.228.
This doesn't make sense.
Install tcpdump on mx4200 and capture the traffic.
opkg update; opkg install tcpdump; tcpdump -i any -c 10 -vnn net 192.168.4.0/24
then try to ping and access the alarm.
bytes
15:58:16.485190 lan3 B ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.4.1 tell 192.168.4.228, length 46
15:58:16.485190 br-lan B ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.4.1 tell 192.168.4.228, length 46
15:58:16.485190 br-lan.4 B ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.4.1 tell 192.168.4.228, length 46
15:58:16.485231 br-lan.4 Out ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.4.1 is-at length 28
15:58:16.485233 br-lan Out ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.4.1 is-at, length 28
15:58:17.509464 lan3 B ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.4.1 tell 192.168.4.228, length 46
15:58:17.509464 br-lan B ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.4.1 tell 192.168.4.228, length 46
15:58:17.509464 br-lan.4 B ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.4.1 tell 192.168.4.228, length 46
15:58:17.509502 br-lan.4 Out ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.4.1 is-at, length 28
15:58:17.509504 br-lan Out ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.4.1 is-at, length 28
10 packets captured
11 packets received by filter
0 packets dropped by kernel
Pinging the alarm from the mx4200 still results in 100% packet loss; I'll try connecting to alarm in a few mins.
no luck can connect to alarm
I rest my case.
I would suggest to revert to a normal setup without any vlans and limit the connectivity of the alarm and the cctv with firewall rules.
ok thanks for the help
Wait, just a quick question: is the firewall setup like the one I did for the CCTV, which is make a guest LAN for the ethernet that's connected to the alarm, and do I do it on the MX4200 or BPI R4?
The CCTV was more simple because it has its own interface.
With the alarm it will be on the lan interface of BPI, so you'll need to add a rule to block forwarding of the alarm MAC address to the wan zone.
OK, so using the firewall I managed to block the alarm from connecting to wan, which allows me to connect to the alarm while I'm connected to my home network, but I can't connect to the alarm via VPN.
Add a source NAT rule for the wg traffic. Change the IP address to the correct one of the alarm.
uci add firewall nat
uci set firewall.@nat[-1].name='test'
uci set firewall.@nat[-1].family='ipv4'
uci add_list firewall.@nat[-1].proto='all'
uci set firewall.@nat[-1].src='lan'
uci set firewall.@nat[-1].src_ip='192.168.5.0/24'
uci set firewall.@nat[-1].dest_ip='192.168.1.100'  # <- change here
uci set firewall.@nat[-1].target='SNAT'
uci set firewall.@nat[-1].snat_ip='192.168.1.1'
uci commit firewall
service firewall restart
It didn't work, weirdly.
Post the latest config from BPi.
uci export network; uci export firewall
BusyBox v1.36.1 (2024-12-23 00:55:35 UTC) built-in shell (ash)
OpenWrt 24.10.0-rc4, r28211-d55754ce0d
root@bpi:~# uci export network; uci export firewall
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd38:7784:d57b::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth2'
	option macaddr ''

config interface 'wan'
	option device 'eth2'
	option proto 'pppoe'
	option username ''
	option password ''
	option ipv6 'auto'
	option keepalive '0 1'

config interface 'wan6'
	option device 'eth2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option defaultroute '0'

config interface 'cctv'
	option proto 'static'
	option device 'eth1'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option defaultroute '0'

config interface 'wg0'
	option force_link '1'
	option listen_port '51820'
	list addresses '192.168.5.1/24'

config wireguard_wg0
	option
	list allowed_ips '192.168.5.2/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

package firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config zone
	option name 'cctv'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list device 'cctv'
	list network 'cctv'

config forwarding
	option src 'lan'
	option dest 'cctv'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src '*'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-cctv'
	option src 'cctv'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow DHCP-cctv'
	list proto 'udp'
	option src 'cctv'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-guest'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow DHCP-Guest'
	list proto 'udp'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

config rule
	option src 'lan'
	list src_mac '10:2C:B1:41:1F:45'
	option target 'REJECT'
	option dest 'wan'

config nat
	option name 'test'
	option family 'ipv4'
	option src 'lan'
	option src_ip '192.168.5.1/24'
	option dest_ip '192.168.1.228'
	option target 'SNAT'
	option snat_ip '192.168.1.1'
	list proto 'all'
root@bpi:~#
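
An added example, not part of the original thread or of OpenWrt: a small Python parser for `uci export firewall` text that reports which zones may forward to wan, which may not, and which source MACs are rejected toward wan, as a way to check the isolation the thread sets up for the alarm and the CCTV. The sample config is a constructed excerpt modelled on the export above; parse_uci and wan_exposure are hypothetical names.

```python
import shlex

# Constructed excerpt in `uci export firewall` format, modelled on this thread's export.
SAMPLE = """\
config zone
	option name 'lan'
config zone
	option name 'wan'
config zone
	option name 'cctv'
config forwarding
	option src 'lan'
	option dest 'wan'
config forwarding
	option src 'lan'
	option dest 'cctv'
config rule
	option src 'lan'
	list src_mac '10:2C:B1:41:1F:45'
	option target 'REJECT'
	option dest 'wan'
"""

def parse_uci(text):
    """Parse uci export text into sections: {'.type': t, option: str, list: [str]}."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line)          # handles the single-quoted values
        if tok[:1] == ["config"] and len(tok) >= 2:
            sections.append({".type": tok[1]})
        elif len(tok) == 3 and sections and tok[0] == "option":
            sections[-1][tok[1]] = tok[2]
        elif len(tok) == 3 and sections and tok[0] == "list":
            sections[-1].setdefault(tok[1], []).append(tok[2])
    return sections

def wan_exposure(sections, wan="wan"):
    """Return (zones forwarding to wan, zones without such a forwarding, blocked MACs)."""
    zones = {s["name"] for s in sections if s[".type"] == "zone" and "name" in s} - {wan}
    allowed = {s.get("src") for s in sections
               if s[".type"] == "forwarding" and s.get("dest") == wan}
    blocked = []
    for s in sections:
        if (s[".type"] == "rule" and s.get("dest") == wan
                and s.get("target") in ("REJECT", "DROP") and s.get("enabled", "1") != "0"):
            macs = s.get("src_mac", [])  # may be written as `option` or `list`
            blocked += [macs] if isinstance(macs, str) else macs
    return sorted(allowed), sorted(zones - allowed), blocked
```

It reads only zone forwardings and MAC-matched REJECT/DROP rules, so ACCEPT rules toward wan are not evaluated, and a MAC-based block holds only while the device keeps that MAC address.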