Well, I've messed something up in my firewall

Here are my settings, but if I change wan to reject, accept, reject, it locks me out of the edit for the wan firewall.

root@OpenWrt:~# cd /etc/config
root@OpenWrt:/etc/config# vi firewall
config defaults
option input 'ACCEPT'
ption input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'

config zone
option name 'wan'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option input 'ACCEPT'
list network 'wwan2'

You haven't provided enough information to assist you.

  • Can you explain why you're setting the WAN zone to REJECT/REJECT/REJECT?
  • More importantly, are you configuring the OpenWrt device from WAN?

I got flustered with the rejects; the post is fixed now.

The copy is what works, and the reject, accept, reject is what I was told was wrong, but that locks me out.

I'm on the LAN.

Could you share your full firewall config and the network config?

I'm just going to start over.

The options are out of order; one is not even 'option', it is 'ption', and that is a duplicate.

I have no idea how it got corrupted; I did not do that. Who knows what else is FUBAR.

Thanks.

login as: root
root@192.168.38.1's password:

BusyBox v1.35.0 (2023-11-15 10:00:42 UTC) built-in shell (ash)

OpenWrt 22.03.5, r20134-5f15225c1e

root@OpenWrt:~# cd /etc/config
root@OpenWrt:/etc/config# ve wireless
-ash: ve: not found
root@OpenWrt:/etc/config# vi wireless
option txpower '13'
option distance '3'
option channel '6'

config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'Pi4'
option encryption 'psk2'
option key ''
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/20300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:00
option band '2g'
option htmode 'HT20'
option disabled '0'
option country 'US'
option cell_density '2'
option beacon_int '100'
option txpower '13'
option distance '3'
option channel '6'

root@OpenWrt:/etc/config# vi network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd55:bb0e:d335::/48'

config device
option name 'br-lan'
option type 'bridge'
list ports 'wlan0'
option ipv6 '0'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.38.1'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '1.1.1.1'

That was the full output for the firewall.
Radio 1 is not showing up, wan is missing. FUBAR!

It is in Luci.

So much is wrong even I can see it. Those are the full replies from: firewall, wireless and network.

Again, you haven't provided enough information.

This is incorrect; wireless devices are not ports, nor are they listed in the network config on modern OpenWrt versions.

You have an empty quotation - did you intend to paste the firewall?

  • Did you reset your OpenWrt device?

It may help to remain calm, take a brief break - then return to post more details.

Everything looks right in Luci. It passed ShieldsUp: nothing replied and it dropped the ping. But it is ridiculously slow with two devices trying to stream 1080p; I assumed that was a limitation of the CPU.

This is my Pi Zero W that I am trying to make my travel router.

The only CLI I did was after flashing, when I set up wlan so I could access the device in Luci.
I have to go to work, so plenty of time to not obsess over this. I can see in the replies that things are missing and configured wrong on so many levels. But they are all in Luci.
Thank you.

The pi WiFi system (all variants) is very slow and limited. It does not make a good wireless ap, so it is likely that is the performance bottleneck.

But yes, there are likely significant issues with the config - certainly the firewall is very problematic. You should consider starting fresh and then building up the functionality you need with the assistance of those on this forum (after you describe your goals in detail).

Another thing to note: the pi WiFi is not capable of running in sta (client) and ap modes simultaneously. It is one or the other. So the pi zero may not be a good option for a travel router (there are purpose built travel routers that will be much better in almost every respect).

I'm using an Alfa AWUS036NH for the WAN.

I shut it down and now it is not even broadcasting a wlan.

I'll just start again tonight, thanks.

I have these things (alfa, pi) sitting in a drawer doing nothing and I wanted to make a travel router.

It was doing fairly well until I changed the wan firewall config and had to change it back because it was not allowing access, through Luci, to a couple of configuration pages.

I rebooted, no help; I unplugged it and it is totally corrupted. No AP.

Thank you.

We may be able to help you if you provide more information:

The reject, reject, reject was just a brain fart. It was originally accept, accept, reject and I changed it to:
option input REJECT
option output ACCEPT
option forward REJECT
And it all fell apart.

This is basically a bridge to an AP hotspot, so it would always be behind a hotspot.

I'll get back to it tonight.

Thank you.

Bridging and routing are very different things. For a travel router, you want to route. For a dumb ap, bridging works well (but only if the uplink is Ethernet).

I was accessing it from the AP radio which was the built in radio.

I know bridging is from A to B with no other clients, but that is, essentially, what the WWAN is in this case.
It's only connected to the AP of the hotspot and nothing else. The second radio, when bridged in the firmware to eth0, which is then moved to the LAN, adding the internal radio and deleting the eth0, leaving just the radio bridge, works.

I think I understand: most routers have one radio (or two, but bonded to the same SoC) and they do not bridge and serve clients.

Anyway, I'll check back and be re-educated later tonight.

Thank you.

Be careful when you go to modify the configuration files with the vi command; it is preferable to rely on the GUI, LuCI.


Change this to (delete the "ption input 'ACCEPT'" line, line no. 3):

config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'

Change this (line no. 22) to:

list network 'wwan2'

I confirm that the standard settings already define a safe environment, as you pointed out:

It's really hard to follow your responses; you seem to reply to the wrong person, or don't understand why I asked about the Firewall Zone from which you configured the AP.

This is why you originally locked yourself out. You assigned this WiFi to WAN, then proceeded to firewall it. As suggested:

You also must be sure to ACCEPT output and input on the firewall zone you assign the AP's interface to.
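As an added example (not OpenWrt's own tooling), a small Python lint that parses a pasted UCI firewall file and flags the two things that went wrong in this thread: lines that are not valid UCI statements (the 'ption' corruption) and a zone that contains the network the management session arrives through but does not ACCEPT input. The sample config is constructed, with 'lan' standing for the AP network the LuCI/SSH session uses.

```python
import re
from collections import Counter
# UCI statement kinds; anything else (the thread's "ption input" line) is an error.
_UCI_LINE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+(.*))?$")

def parse_uci(text):
    """Return (sections, errors); sections is [(type, {key: [values]}), ...]."""
    sections, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _UCI_LINE.match(line)
        if not m or (m.group(1) != "config" and not sections):
            errors.append(f"line {lineno}: not a valid UCI statement: {line!r}")
            continue
        kind, key, value = m.groups()
        value = (value or "").strip().strip("'\"")
        if kind == "config":
            sections.append((key, {}))  # key is the section type, e.g. 'zone'
        else:
            sections[-1][1].setdefault(key, []).append(value)
    return sections, errors

def lockout_zones(sections, mgmt_network):
    """Zones containing mgmt_network whose INPUT policy is not ACCEPT. INPUT governs
    traffic to the router itself (SSH, LuCI), so this is the zone that locks you out."""
    return [opts.get("name", ["?"])[0] for stype, opts in sections
            if stype == "zone" and mgmt_network in opts.get("network", [])
            and opts.get("input", [""])[0].upper() != "ACCEPT"]

def duplicate_entries(sections):
    """(section name, key, value) for every value repeated inside one section."""
    return [(opts.get("name", [stype])[0], key, value)
            for stype, opts in sections for key, values in opts.items()
            for value, n in Counter(values).items() if n > 1]

# Constructed sample after the thread: 'lan' also in the wan zone (input REJECT), one list line too many.
SAMPLE = """\
config zone
        option name 'lan'
        option input 'ACCEPT'
        list network 'lan'
config zone
        option name 'wan'
        option input 'REJECT'
        list network 'wwan'
        list network 'wwan'
        list network 'lan'
"""
```

Run the three functions over the output of `cat /etc/config/firewall` before tightening a zone, and treat any zone returned by `lockout_zones` for the network you are connected through as a change to make from a different interface or with a scheduled revert.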

Yeah, I was all over the place in my replies. Sorry about that.
I just started over:


config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

I really appreciate all of your help.

I only used vi to enable the radio, change the IP address, look at the results and remove multiple lines of 'list network' in the WAN firewall. There was one too many.

I prefer Luci. 

I was following [https://www.youtube.com/watch?v=jlHWnKVpygw&t=756s](https://www.youtube.com/watch?v=jlHWnKVpygw&t=756s) at 13:17

I called it bridging because when you set up two totally different radios you have to bridge the lan and it talks to the wan. But I understand what you are saying: if I were to bridge the routers, my travel router would be a part of the AP I'm connecting to, which is exactly what I do not want.

I want a firewall and I'll just deal with double NATing. It is not like I play games when away.

I did build a new firmware. Firstboot is not very useful when you bake the settings into the firmware.

Anyway, since I sent the configs I have disabled IPv6 in Luci and I'm not looking at the CLI unless I am told to.

Why do you have something like this in the configuration file?

Please use the cat command:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall