It's not correct what you added.
Ah yes, I was just tinkering with it to see if that would work, but it didn't. I'll try 5.0 again and see if it works.
Still doesn't work.
Run this on the BPi and try to access the alarm from a wireguard client.
opkg update; opkg install tcpdump; tcpdump -i br-lan -c 50 -vnn host 192.168.1.228
I did that wrong, sorry, I wasn't connected to WireGuard. I'll do it again today.
There were no (interesting) packets captured. Which protocol is the alarm using for communication?
According to their forums, both TCP and UDP.
And which port?
TCP ports 80 and 443, and UDP ports 0~65535.
Is this written by ChatGPT by chance? Because it seems like it.
OK, allowing TCP 443 and UDP 32100 seems to work.
Are you able to connect to the alarm from the wireguard clients now?
What was the problem?
Yep, after adding traffic rules to allow traffic on those 2 ports, I can simply connect over WireGuard now, and if I don't use WireGuard on mobile data it doesn't work.
I'll post the config in a bit.
Here (BBCode isn't working for me for some reason):
BusyBox v1.36.1 (2024-12-23 00:55:35 UTC) built-in shell (ash)
OpenWrt 24.10.0-rc4, r28211-d55754ce0d
root@bpi:~# cat /etc/network/firewall
cat: can't open '/etc/network/firewall': No such file or directory
root@bpi:~# cat /etc/config/network/firewall
cat: can't open '/etc/config/network/firewall': Not a directory
root@bpi:~# cat /etc/config/firewall
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config zone
	option name 'cctv'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list device 'cctv'
	list network 'cctv'

config forwarding
	option src 'lan'
	option dest 'cctv'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src '*'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-cctv'
	option src 'cctv'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow DHCP-cctv'
	list proto 'udp'
	option src 'cctv'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-guest'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow DHCP-Guest'
	list proto 'udp'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	list proto 'tcp'
	option src 'lan'
	list src_mac '
	option dest 'wan'
	option dest_port '443'
	option target 'ACCEPT'
	option name 'Allow-Alarm-TCP'

config rule
	list proto 'udp'
	option src 'lan'
	list src_mac '
	option dest 'wan'
	option dest_port '32100'
	option target 'ACCEPT'
	option name 'Allow-Alarm-UDP'

config rule
	option name 'Block-Alarm-WAN-In'
	option src 'wan'
	list src_mac
	option dest 'lan'
	list dest_ip '192.168.1.228'
	option target 'REJECT'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

config nat
	option name 'test'
	option family 'ipv4'
	option src 'lan'
	option src_ip '192.168.5.0/24'
	option dest_ip '192.168.1.228'
	option target 'SNAT'
	option snat_ip '192.168.1.1'
	list proto 'all'
	option enabled '0'

config rule
	option src 'lan'
	list src_mac '
	option target 'REJECT'
	option dest 'wan'
	option name 'Block-Alarm-WAN'
root@bpi:~#
Weird, with this setup I'm able to get notifications that my door is open etc. without VPN, but can't actually see the doorbell without VPN. I was expecting notifications to only work with VPN on.
You do realize that with these 2 rules you are overriding the next rule, which blocks the alarm from connecting to the Internet, and that was your initial goal, right?
The notifications (I guess to the application of the alarm) need Internet access to work.
Hmm, didn't think of that. So now that I know the 2 ports I need, is there any way around it?
Any way around what? You can see that if you block the alarm from reaching the Internet, it is not working properly.
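To make the rule-ordering point above concrete, here is an added example (not code from the thread or from OpenWrt): a small Python evaluator that parses UCI firewall `rule` sections and returns the first match in config order, which is how fw4 applies them. The three rules are a constructed copy of the alarm rules posted above, with a placeholder MAC standing in for the redacted one; the lan-to-wan zone forwarding that decides unmatched flows is not modelled.

```python
# Added example (not the thread's code): first-match evaluation of OpenWrt UCI
# firewall 'rule' sections, run over a constructed copy of the three alarm rules.
import shlex

ALARM_MAC = "aa:bb:cc:dd:ee:ff"  # constructed placeholder for the redacted MAC
CONFIG = f"""
config rule
    list proto 'tcp'
    option src 'lan'
    list src_mac '{ALARM_MAC}'
    option dest 'wan'
    option dest_port '443'
    option target 'ACCEPT'
    option name 'Allow-Alarm-TCP'
config rule
    list proto 'udp'
    option src 'lan'
    list src_mac '{ALARM_MAC}'
    option dest 'wan'
    option dest_port '32100'
    option target 'ACCEPT'
    option name 'Allow-Alarm-UDP'
config rule
    option src 'lan'
    list src_mac '{ALARM_MAC}'
    option target 'REJECT'
    option dest 'wan'
    option name 'Block-Alarm-WAN'
"""
MATCH_KEYS = ("src", "dest", "src_mac", "proto", "dest_port")
def parse_uci(text):
    """Parse UCI text into [{'type': ..., 'opts': {key: [values]}}]; 'list' keys accumulate."""
    sections = []
    for parts in filter(None, map(shlex.split, text.splitlines())):
        if parts[0] == "config":
            sections.append({"type": parts[1], "opts": {}})
        elif parts[0] in ("option", "list") and sections:
            sections[-1]["opts"].setdefault(parts[1], []).append(parts[2])
    return sections
def first_match(rules, flow):
    """(name, target) of the first rule whose set keys all match the flow; unset keys are wildcards."""
    for o in (r["opts"] for r in rules):
        if all(flow[k].lower() in [v.lower() for v in o[k]] for k in MATCH_KEYS if k in o):
            return o["name"][0], o["target"][0]
    return None  # no rule hit: the lan->wan zone forwarding policy decides
def verdict(mac, proto, port):
    """Verdict for a LAN->WAN flow from the given MAC, evaluated in config order."""
    rules = [s for s in parse_uci(CONFIG) if s["type"] == "rule"]
    return first_match(rules, dict(zip(MATCH_KEYS, ("lan", "wan", mac, proto, port))))
```

Running `verdict(ALARM_MAC, "tcp", "443")` returns the Allow-Alarm-TCP accept, `verdict(ALARM_MAC, "tcp", "80")` falls through to the Block-Alarm-WAN reject, and a different MAC matches none of the three rules; feeding the real `cat /etc/config/firewall` output to `parse_uci` works the same way once the redacted MAC values are present.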