Guys,
In my previous home setup my main router provided one main network and one guest/kid network
(links to what i have been doing at the bottom...)
I have a spare TP-Link 1043 which I initially wanted to use to experiment with mesh (mesh attempts - archer c7 + 1043v1), but in the end I decided that my issues were related to the limited hardware capabilities of the 1043, so I found a cheap second-hand Archer C7; it will arrive in February and I will use that for my mesh network
so I decided to move the guest wifi to the TP-Link 1043 (this is meant to be my attempt at making life easier for the main router...)
now my setup looks like the following
it is overall working, but I cannot run opkg update from the TP-Link 1043
one of the errors:
* opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.0-rc2/packages/mips_24kc/telephony/Packages.gz, wget returned 8
I saw in the forums that this might be related to a wrong network configuration; I tried playing around with the network settings but I cannot get to a solution.
I specifically tried to change option gateway and option dns on the archer c7 network config
I also added forwarding rules in the firewall config; I know they are redundant and the firewall config needs some love... but this is what I have at the moment... see also my point below.
as mentioned, additionally I have a doubt regarding firewalls
-Do i need a firewall on the tplink 1043? Or is the firewall on the main archer c7 going to be enough?
I read about double NAT and similar things; my idea was to reduce the load on the Archer, and I would hate it if what I did actually caused more damage than it helped
Is there anyone that could point me in the right direction?
some links to my guest network:
https://forum.openwrt.org/t/solved-dnsmasq-addnhosts-ignored-no-local-hostnames/26191
https://forum.openwrt.org/t/solved-guest-network-how-to-communicate-between-clients/34611
thanks a lot
M
network config - main router:
# Loopback interface (stock OpenWrt default, untouched).
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# Globals: the IPv6 ULA prefix used for interfaces that carry ip6assign (lan below).
config globals 'globals'
option ula_prefix 'fd68:0f6d:e8d1::/48'
# Main LAN (192.168.2.0/24): a bridge of switch VLAN 1 (eth1.1) and the
# batman-adv soft-interface VLAN (bat0.1), presumably so mesh-attached nodes land
# in the same segment. STP is enabled on the bridge because the mesh side can form
# a loop back to the wired side.
config interface 'lan'
option type 'bridge'
option ifname 'eth1.1 bat0.1'
option proto 'static'
option stp '1'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
# hand a /60 of the ULA prefix to this interface
option ip6assign '60'
option igmp_snooping '1'
# WAN: static address inside the ISP router's 192.168.1.0/24 segment, with
# 192.168.1.254 as both default gateway and resolver. Together with `masq 1` on
# the wan zone this is the second NAT layer (the "double NAT" from the post);
# that is a convenience cost, not a security problem in itself.
config interface 'wan'
option ifname 'eth0.2'
option proto 'static'
option ipaddr '192.168.1.64'
option netmask '255.255.255.0'
option gateway '192.168.1.254'
option dns '192.168.1.254'
# IPv6 on the same upstream VLAN via DHCPv6.
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
# Switch layout. VLAN 1: switch ports 3, 4, 5 tagged to port 0 (-> eth1.1, lan).
# VLAN 2: port 1 tagged to port 6 (-> eth0.2, wan). VLAN 3: port 2 (LAN1) tagged
# to port 0 (-> eth1.3, guest). The commented history line shows port 2 was
# carved out of VLAN 1 for that purpose.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
# option ports '2 3 4 5 0t'
option ports '3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 6t'
### separate the LAN1 port out of the LAN network
### so to have guest network on LAN1
config switch_vlan
option device 'switch0'
option vlan '3'
option ports '2 0t'
### add guest network
# Guest interface on VLAN 3 (eth1.3 = LAN1 socket), the link to the TL-WR1043.
# This router itself is 192.168.3.1 on a directly connected subnet, so the
# `gateway`/`dns` options below are not meaningful here: on a static interface
# they only add a default route / resolver for THIS router, they do not tell the
# guest router anything. That is why toggling them (see the commented attempts)
# could not change what the 1043 sees. Whether a DHCP server serves this subnet
# is not visible here (dhcp config not shown); the 1043 uses a static address.
config interface 'guest'
option ifname 'eth1.3'
option proto 'static'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
# option gateway '192.168.2.1'
# option gateway '192.168.3.1'
# option dns '192.168.2.1'
# option dns '192.168.3.1'
# batman-adv mesh soft interface (BATMAN_IV). gw_mode is off, so this node neither
# announces nor selects a mesh gateway; bat0.1 is bridged into lan above.
# NOTE(review): ap_isolation is 0, i.e. mesh clients are not isolated from each
# other at the batman layer -- fine for the main network, but keep in mind if a
# guest SSID is ever attached to the mesh.
config interface 'bat0'
option proto 'batadv'
option routing_algo 'BATMAN_IV'
option aggregated_ogms 1
option ap_isolation 0
option bonding 0
option fragmentation 1
#option gw_bandwidth '10000/2000'
option gw_mode 'off'
#option gw_sel_class 20
option log_level 0
option orig_interval 1000
option bridge_loop_avoidance 1
option distributed_arp_table 1
option multicast_mode 1
option network_coding 0
option hop_penalty 30
option isolation_mark '0x00000000/0x00000000'
# Hard interface feeding bat0; the larger MTU leaves room for the batman header.
config interface 'nwi_mesh0'
option mtu '2304'
option proto 'batadv_hardif'
option master 'bat0'
firewall config on the main router:
# Global defaults (stock OpenWrt). `input ACCEPT` is only the fallback for zones
# that do not set their own policy; each zone below overrides it explicitly.
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
# to add flow offloading (must be ath79 for archer)
option flow_offloading 1
# lan zone: fully trusted (stock default).
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
# wan zone: unsolicited input and forwarding rejected, outbound masqueraded
# into the ISP router's 192.168.1.0/24 (stock default).
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
# lan -> Internet
config forwarding
option src lan
option dest wan
# --- stock OpenWrt default rule set (same block as on the guest router) ---
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option src_ip fc00::/6
option dest_ip fc00::/6
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
# The two rules below accept unsolicited IPsec (ESP and IKE on udp/500) from wan
# into lan. They are stock defaults; if no host on the lan terminates IPsec they
# can be removed to keep the inbound surface minimal.
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
# include a file with users custom iptables rules
config include
option path /etc/firewall.user
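# Guest zone covering the 'guest' interface (the VLAN 3 link to the TL-WR1043).
# Input is REJECT so hosts in the guest segment reach only the router services
# explicitly allowed by the guest rules below (DNS on 53, DHCP on 67-68,
# ICMPv6); everything else on this router -- ssh, the web UI -- stays closed
# to guests, as in the guide. Forwarding is REJECT so guests can only go where
# a `config forwarding` section sends them (wan). If ssh from the guest
# segment is genuinely needed, add one `config rule` for dest_port 22 rather
# than opening the whole zone with input ACCEPT.
# https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan
config zone
option name 'guest'
option network 'guest'
option input 'REJECT'
option forward 'REJECT'
option output 'ACCEPT'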
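# Allow Guest -> Internet.
# Only this direction is needed: replies to guest connections are matched by
# connection tracking. Do NOT add a wan -> guest forwarding -- it would accept
# unsolicited traffic arriving on the wan zone (the upstream 192.168.1.0/24
# segment) and addressed into 192.168.3.0/24, which is exactly what the wan
# zone's `forward REJECT` is meant to stop, and it does nothing for opkg.
config forwarding
option src 'guest'
option dest 'wan'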
# Guest -> this router allow-list. These rules are the whole point of a guest
# zone whose input policy is REJECT; with the zone at input ACCEPT (as it is
# at the time of this paste) they are redundant because everything is already
# let in. They are taken from the OpenWrt guest-wlan guide.
# Allow DNS Guest -> Router
# Client DNS queries originate from dynamic UDP ports (>1023)
config rule
option name 'Allow DNS Queries'
option src 'guest'
option dest_port '53'
option proto 'tcp udp'
option target 'ACCEPT'
# Allow DHCP Guest -> Router
# DHCP communication uses UDP ports 67-68
config rule
option name 'Allow DHCP request'
option src 'guest'
option src_port '67-68'
option dest_port '67-68'
option proto 'udp'
option target 'ACCEPT'
# All ICMPv6 from guests to the router (no icmp_type list): needed for
# neighbour discovery and router solicitation on the guest segment.
config rule
option name 'Allow guest ICMP input'
option src 'guest'
option proto 'icmp'
option target 'ACCEPT'
option family 'ipv6'
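# Allow the main LAN to reach guest-side devices (e.g. the TL-WR1043 at
# 192.168.3.2 for administration). Only lan -> guest is opened: return traffic
# is handled by connection tracking, and a guest -> lan forwarding would let
# guest hosts initiate connections into the main network, defeating the
# purpose of the guest zone. This direction is optional; drop it too if the
# 1043 is managed from the guest side only.
config forwarding
option src 'lan'
option dest 'guest'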
### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
# option src lan
# option src_ip 192.168.45.2
# option dest wan
# option proto tcp
# option target REJECT
# block a specific mac on wan
#config rule
# option dest wan
# option src_mac 00:11:22:33:44:66
# option target REJECT
# block incoming ICMP traffic on a zone
#config rule
# option src lan
# option proto ICMP
# option target DROP
# port redirect port coming in on wan to lan
#config redirect
# option src wan
# option src_dport 80
# option dest lan
# option dest_ip 192.168.16.235
# option dest_port 80
# option proto tcp
# port redirect of remapped ssh port (22001) on wan
#config redirect
# option src wan
# option src_dport 22001
# option dest lan
# option dest_port 22
# option proto tcp
### FULL CONFIG SECTIONS
#config rule
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 80
# option dest wan
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
# option target REJECT
#config redirect
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 1024
# option src_dport 80
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
network config on guest router:
# Loopback interface (stock OpenWrt default, untouched).
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# Globals: this device's own ULA prefix (distinct from the main router's).
config globals 'globals'
option ula_prefix 'fd5b:d314:61ad::/48'
# LAN bridge of switch VLAN 1 (eth0.1) and a second port eth1 (its role is not
# visible here). The device sits inside the main router's guest subnet with a
# static 192.168.3.2 and uses the main router's guest address (192.168.3.1) for
# both default route and DNS -- i.e. it appears to act as an access point /
# switch on that subnet rather than as a router. Consequently every packet
# this box sends out (opkg included) must be allowed by the main router's
# guest zone: the guest -> wan forwarding plus the guest DNS rule.
# NOTE(review): "opkg_download ... wget returned 8" usually means the fetcher
# received an HTTP error response, not that DNS or routing failed; check that
# the 19.07.0-rc2 feed path from the error still exists upstream before
# changing any routing. Also make sure the `wan` interface below is not
# installing a second default route.
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1 eth1'
option proto 'static'
option ipaddr '192.168.3.2'
option netmask '255.255.255.0'
# ip6assign on a bridge with no delegated prefix is harmless but unused
option ip6assign '60'
option gateway '192.168.3.1'
# option gateway '192.168.2.1'
option dns '192.168.3.1'
# option dns '192.168.2.1'
option igmp_snooping '1'
# Upstream port as a DHCP client on VLAN 2 (switch port 0). In the
# access-point layout this is only meaningful if something is actually cabled
# to that socket. If it ever obtains a lease it installs its own default route
# and resolver next to the lan gateway above; set `option defaultroute '0'`
# and `option peerdns '0'` here, or disable the interface, if lan is meant to
# be the only uplink. The commented `gateway`/`dns` lines were attempts at the
# ISP router address; on a dhcp interface the lease normally supplies both.
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
# option gateway '192.168.1.254'
# option dns '192.168.1.254'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
# Switch: port 5 is the CPU port (tagged in both VLANs). VLAN 1 -> eth0.1
# (lan), VLAN 2 -> eth0.2 (wan).
# NOTE(review): port 0 is listed untagged in BOTH VLAN 1 and VLAN 2. An
# untagged port can only have one ingress VLAN, so which VLAN frames entering
# port 0 land in depends on driver behaviour rather than on intent. Put port 0
# in exactly one VLAN: keep it in VLAN 1 (and drop it from VLAN 2) if the
# cable from the main router's guest port is on that socket and wan is unused;
# otherwise remove it from VLAN 1 so it is the dedicated WAN socket.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 4 5t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0 5t'
firewall config on guest router:
# Global defaults (stock OpenWrt). Policies are overridden per zone below.
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
# lan zone (stock default, fully trusted). On an access point the wireless
# clients bridged into lan fall into THIS zone, so with `input ACCEPT` guest
# clients can reach the device's own services (ssh, web UI, ...).
# NOTE(review): if the guest SSID is attached to the lan bridge (wireless
# config not shown), consider `option input REJECT` here plus explicit
# DHCP/DNS allow rules like those on the main router, so a guest cannot
# administer the AP itself. Whether a firewall on this box is "needed" at all
# comes down to that: it protects the device's own services, nothing else,
# as long as wan carries no traffic.
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
# wan zone (stock default). masq/mtu_fix are inert while eth0.2 has no link.
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
# --- stock OpenWrt default rule set, identical to the main router's ---
# All `src wan` rules here only matter if eth0.2 actually carries traffic; in
# the access-point layout they are inert.
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option src_ip fc00::/6
option dest_ip fc00::/6
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
# Unsolicited IPsec (ESP and IKE on udp/500) from wan into lan -- stock
# defaults, removable where no IPsec endpoint exists behind this device.
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
# include a file with users custom iptables rules
config include
option path /etc/firewall.user
thanks