Wifi iot net forwarding to LAN (Internet) not working

Following the wiki documentation I set up a new interface, wifi device and firewall rules, and I am now able to connect a device to my new iot wifi. It gets an IP (network 192.168.187.0) and can resolve URLs to IP addresses. But I cannot get any web traffic through. Hard stuff for a newbie, so I thought I could get some hints here.
This is my local setup (basic schema):
[Screenshot 2021-01-01 at 14.58.40: schema of the local setup]

I simply want to separate my iot devices from the rest, starting with a dedicated AP to start learning. The goal is to have my own VLAN where I can specifically control per device/port what is going where.

I don't have a WAN interface; LAN has a static IP and uses 192.168.188.1 as gateway. For now, I want to understand, meaning being fully capable of managing zones and firewall rules. So, from my iot net I want to reach all my lan devices (but not vice versa), and from my iot net I want to connect to the internet (no restrictions). This is not working, but as I understand it, it should work ;(

firewall.iot_dns=rule
firewall.iot_dns.name='Allow-DNS-iot'
firewall.iot_dns.src='iot'
firewall.iot_dns.dest_port='53'
firewall.iot_dns.proto='tcp udp'
firewall.iot_dns.target='ACCEPT'
firewall.iot_dhcp=rule
firewall.iot_dhcp.name='Allow-DHCP-iot'
firewall.iot_dhcp.src='iot'
firewall.iot_dhcp.dest_port='67'
firewall.iot_dhcp.family='ipv4'
firewall.iot_dhcp.proto='udp'
firewall.iot_dhcp.target='ACCEPT'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[1].src='iot'
firewall.@rule[11]=rule
firewall.@rule[11].src='iot'
firewall.@rule[11].name='fromIOT2LAN'
firewall.@rule[11].dest='lan'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].proto='all'
wireless.iot=wifi-iface
wireless.iot.device='radio1'
wireless.iot.mode='ap'
wireless.iot.network='iot'
wireless.iot.ssid='miti_iot'
wireless.iot.encryption='none'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ip6assign='60'
network.lan.gateway='192.168.188.1'
network.lan.dns='192.168.188.2'
network.lan.ipaddr='192.168.188.6/24'
network.iot=interface
network.iot.type='bridge'
network.iot.proto='static'
network.iot.ipaddr='192.168.187.1'
network.iot.netmask='255.255.255.0'
network.iot.ifname='eth0.10'

This is my polite question to the community: would someone be so nice as to throw me a hint :)

Happy new year!

This is redundant; you already have the forwarding in place.
You don't show whether the lan zone has masquerade on. If not, then the main router must have a static route for 192.168.187.0/24 via 192.168.188.6.
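The two ways out of the situation described in this reply, as an added example (not code from the thread or from OpenWrt): a small POSIX shell script that reads a `uci show firewall` dump on stdin, finds the section of the zone called `lan`, reports whether it sets `masq='1'`, and prints either the static route the main router needs (Linux `ip route` syntax assumed) or the `uci` commands that switch masquerading on at the AP. The dump embedded in `sample_dump` is constructed for this example (the thread did not post its zone definitions), and it deliberately omits `masq` so the reply-path problem is visible: without masquerading, packets from 192.168.187.x reach 192.168.188.1 with their original source address, and the main router has no route back to that subnet.

```shell
#!/bin/sh
# Added example, not from the thread: decide from a `uci show firewall` dump
# whether the lan zone masquerades and, if not, what has to change so that
# 192.168.187.0/24 behind the dumb AP (192.168.188.6) gets its replies.

# Constructed sample of `uci show firewall` output (assumption: the zone layout
# a dumb AP with an added iot zone would have; the thread did not post its zones).
sample_dump() {
cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='iot'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].network='iot'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[1].src='iot'
EOF
}

# The same dump after `uci set firewall.@zone[0].masq='1'` (the fix from the thread).
sample_dump_masq() {
  sample_dump
  echo "firewall.@zone[0].masq='1'"
}

# zone_section NAME: dump on stdin; prints the section path of the zone called
# NAME (e.g. firewall.@zone[0]), or nothing if there is no such zone.
zone_section() {
  awk -F'=' -v zone="$1" -v q="'" '
    /^firewall\.@zone\[[0-9]+\]\.name=/ {
      val = $2; gsub(q, "", val)
      if (val == zone) { sec = $1; sub(/\.name$/, "", sec); print sec; exit }
    }'
}

# zone_masq NAME: dump on stdin; prints 1 if zone NAME has masq='1', else 0.
# Options are matched by section path, so line order in the dump does not matter.
zone_masq() {
  awk -F'=' -v zone="$1" -v q="'" '
    {
      sec = $1; sub(/\.[a-z_]+$/, "", sec)
      val = $2; gsub(q, "", val)
      if ($1 == (sec ".name") && val == zone) target = sec
      if ($1 == (sec ".masq") && val == "1") masq[sec] = 1
    }
    END { r = 0; if (target != "" && (target in masq)) r = 1; print r }'
}

# uplink_fix ZONE IOT_SUBNET AP_LAN_ADDR: dump on stdin. Without masquerading,
# forwarded packets keep their 192.168.187.x source, so the main router needs a
# route back via the AP; with it, they leave as AP_LAN_ADDR and no route is
# needed, but the main router can then no longer tell iot devices apart by address.
uplink_fix() {
  dump=$(cat)
  if [ "$(printf '%s\n' "$dump" | zone_masq "$1")" = "1" ]; then
    echo "masq on zone $1: no route needed on the main router"
  else
    sec=$(printf '%s\n' "$dump" | zone_section "$1")
    echo "either on the main router: ip route add $2 via $3"
    echo "or on the AP: uci set ${sec}.masq='1' && uci commit firewall && /etc/init.d/firewall restart"
  fi
}

sample_dump | uplink_fix lan 192.168.187.0/24 192.168.188.6
sample_dump_masq | uplink_fix lan 192.168.187.0/24 192.168.188.6
```

On a real AP the same functions run against the live configuration with `uci show firewall | zone_masq lan`. Which of the two fixes to pick is a design choice: masquerading is self-contained on the AP, while the static route keeps iot source addresses visible to the main router, which is what you want if that router is where per-device rules are going to live.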

In the meantime I ran through the wiki article directly, using the uci commands as written (copy and paste). It all ended up with a guest network not having any internet connection at all.
The ONLY difference is that my router is a dumb AP, so I got rid of the wan interface (moved eth0 to lan) and therefore changed wan to lan.

I see, masquerading was not activated; with it on, everything is working as expected. Thank you, I will spend some time reading about masquerading :)

You could have followed the dumb AP + guest guide, only changing guest to iot and allowing the iot->lan forwarding.
