Topic: Update on Linksys WRT1900AC support

The content of this topic has been archived between 16 Sep 2014 and 7 May 2018. Unfortunately there are posts – most likely complete pages – missing.

Page 492 of 598

Post #12276

shm0

28 Jun 2016, 20:35

dlang wrote:

you should create a new zone for the guest network and then create rules between that zone and your lan zone.

thanks for your answer.

the guest is already in a separate zone (isolated zone).
Here is want i tried so far but no luck.

1. Adding Static routes
2. Add forward rule from lan to isolated and isolated to lan
3. Put lan and isolated in same zone and set forward to accept
4. Create firewall rules to allow traffic from isolated to lan and vice versa.

Also when i read through the wiki https://wiki.openwrt.org/doc/uci/firewall
Zones:
INPUT rules for a zone describe what happens to traffic trying to reach the router itself through an interface in that zone.

I understand that as Input = zone -> router
So its more like an output from zone to router and not input?

Now at zone options:
input string no DROP Default policy (ACCEPT, REJECT, DROP) for incoming zone traffic

I understand that as traffic -> zone.

For example:

config zone
    option name 'isolated'
    option output 'ACCEPT'
    option network 'isolated'
    option forward 'REJECT'
    option input 'REJECT'

Input is rejected here. Then this rule for example:

config rule
    option name 'Allow-Isolated-Network-DNS'
    option src 'isolated'
    option dest_port '53'
    option proto 'tcpudp'
    option target 'ACCEPT'

I read that rule as allow outgoing traffic. But why is it labeled as Accept Input?

So Input/Ouput should be viewed from router points of view?

(Last edited by shm0 on 28 Jun 2016, 22:19)

Post #12277

JW0914

28 Jun 2016, 22:44

@shm0 I'm not sure about the vlan question, but there's how I setup the firewall config for someone with a guest network:

/etc/config/firewall

config include
    option    path '/etc/firewall.user'

config redirect
    option    target            DNAT       
    option    src               *
    option    src_dport         20020
    option    dest              lan
    option    dest_port         2201
    option    proto             tcp
    option    name              'Allow Redirect WAN -> LAN (SSH)'
    
# We need to accept udp packets on port 68
# see https://dev.openwrt.org/ticket/4108
config rule
    option    target            ACCEPT
    option    family            ipv4
    option    src               wan
    option    proto             udp
    option    dest_port         68
    option    name              'Allow WAN -> WRT1200ac (DHCP-Renew)'

# Allow IPv4 ping
config rule
    option    target            ACCEPT
    option    family            ipv4
    option    src               wan
    option    proto             icmp
    option    icmp_type         'echo-request'
    option    name              'Allow WAN -> WRT1200ac (echo-request)'

config rule
    option    target            ACCEPT
    option    family            ipv4
    option    src               wan
    option    proto             igmp
    option    name              'Allow WAN -> WRT1200ac (IGMP)'

# Allow IPsec/ESP and ISAKMP passthrough
config rule
    option    target            ACCEPT
    option    src               wan
    option    dest              lan
    option    proto             esp
    option    name              'Allow WAN -> WRT1200 (IPsec ESP)'

config rule
    option    src               wan
    option    dest              lan
    option    dest_port         500
    option    proto             udp
    option    target            ACCEPT
    option    name              'Allow WAN -> WRT1200ac (IPsec udp 500)'

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
    option    target            ACCEPT
    option    family            ipv6
    option    src               wan
    option    proto             udp
    option    src_ip            'fc00::/6'
    option    dest_ip           'fc00::/6'
    option    dest_port         546
    option    name              'Allow WAN -> WRT1200ac (DHCPv6 Reply)'

config rule
    option    target            ACCEPT
    option    family            ipv6
    option    src               wan
    option    proto             icmp
    option    src_ip            'fe80::/10'
    list      icmp_type         '130/0'
    list      icmp_type         '131/0'
    list      icmp_type         '132/0'
    list      icmp_type         '143/0'
    option    name              'Allow WAN -> WRT1200ac (IPv6 ICMP MLD)'

# Allow essential incoming IPv6 ICMP traffic
config rule
    option    target            ACCEPT
    option    family            ipv6
    option    src               wan
    option    proto             icmp
    list      icmp_type         'echo-request'
    list      icmp_type         'echo-reply'
    list      icmp_type         'destination-unreachable'
    list      icmp_type         'packet-too-big'
    list      icmp_type         'time-exceeded'
    list      icmp_type         'bad-header'
    list      icmp_type         'unknown-header-type'
    list      icmp_type         'router-solicitation'
    list      icmp_type         'neighbour-solicitation'
    list      icmp_type         'router-advertisement'
    list      icmp_type         'neighbour-advertisement'
    option    limit             '1000/sec'
    option    name              'Allow WAN -> WRT1200ac (ICMPv6 Input)'

# Allow essential forwarded IPv6 ICMP traffic
config rule
    option    target            ACCEPT
    option    family            ipv6
    option    src               wan
    option    dest              *
    option    proto             icmp
    list      icmp_type         'echo-request'
    list      icmp_type         'echo-reply'
    list      icmp_type         'destination-unreachable'
    list      icmp_type         'packet-too-big'
    list      icmp_type         'time-exceeded'
    list      icmp_type         'bad-header'
    list      icmp_type         'unknown-header-type'
    option    limit             '1000/sec'
    option    name              'Allow WAN -> WRT1200ac (ICMPv6 Forward)'

config zone
    option    name              guest
    option    network           guest
    option    input             REJECT
    option    forward           REJECT
    option    output            ACCEPT
    option    conntrack         1
    option    log               1

config forwarding
    option    dest              wan
    option    src               guest

config rule
    option    target            ACCEPT
    option    proto             'tcp udp'
    option    dest_port         53
    option    src               guest
    option    name              'Allow Guest -> WRT1200ac (DNS Queries)'

config rule
    option    target            ACCEPT
    option    proto             udp
    option    src_port          '67-68'
    option    dest_port         '67-68'
    option    src               guest
    option    name              'Allow Guest -> WRT1200ac (DHCP Requests)'

config rule
    option    target            DROP
    option    src               guest
    option    dest              *
    option    proto             any
    option    dest_port         22
    option    name              'Deny Guest -> WRT1200ac (SSH)'

config rule
    option    target            DROP
    option    src               guest
    option    dest              *
    option    proto             any
    option    dest_port         23
    option    name              'Deny Guest -> WRT1200ac (Telnet)'

config rule
    option    target            DROP
    option    src               guest
    option    dest              *
    option    proto             any
    option    dest_port         135
    option    name              'Deny Guest -> WRT1200ac (RPC)'

config rule
    option    target            DROP
    option    src               guest
    option    dest              *
    option    proto             any
    option    dest_port         137
    option    name              'Deny Guest -> WRT1200ac (NETBIOS Name Service)'

config rule
    option    target            DROP
    option    src               guest
    option    dest              *
    option    proto             any
    option    dest_port         138
    option    name              'Deny Guest -> WRT1200ac (NETBIOS Datagram Service)'

config rule
    option    target            DROP
    option    src               guest
    option    dest              *
    option    proto             any
    option    dest_port         139
    option    name              'Deny Guest -> WRT1200ac (NETBIOS Session Service)'

config rule
    option    target            DROP
    option    src               guest
    option    dest              *
    option    proto             any
    option    dest_port         445
    option    name              'Deny Guest -> WRT1200ac (CIFS)'

config rule
    option    target            DROP
    option    src               guest
    option    dest              *
    option    proto             any
    option    dest_port         1194
    option    name              'Deny Guest -> WRT1200ac (OpenVPN)'

config rule
    option    target            DROP
    option    src               guest
    option    dest              *
    option    proto             any
    option    dest_port         1194
    option    name              'Deny Guest -> VPN'

config rule
    option    target            DROP
    option    src               guest
    option    dest              *
    option    proto             any
    option    dest_port         2200
    option    name              'Deny Guest -> WRT1200ac (SSH VPN)'

config rule
    option    target            DROP
    option    src               guest
    option    dest              *
    option    proto             any
    option    dest_port         2201
    option    name              'Deny Guest -> WRT1200ac (SSH LAN)'

config rule
    option    target            ACCEPT
    option    src               guest
    option    dest              wan
    option    proto             'tcp udp'
    option    name              'Allow Guest -> WAN'

config rule
    option    target            DROP
    option    src               guest
    option    dest              lan
    option    proto             all
    option    name              'Deny Guest -> LAN'

config rule
    option    target            DROP
    option    src               guest
    option    dest              vpn
    option    proto             all
    option    name              'Deny Guest -> VPN'

config defaults
    option    syn_flood         1
    option    input             ACCEPT
    option    output            ACCEPT
    option    forward           REJECT

config rule
    option    target            ACCEPT
    option    proto             'tcp udp'
    option    family            ipv4
    option    src               *
    option    dest_port         11940
    option    name              'Allow Forwarded VPN Request -> WRT1200ac'

config rule
    option    target            ACCEPT
    option    proto             tcp
    option    family            ipv4
    option    dest_port         2200
    option    src               vpn
    option    name              'Allow VPN -> WRT1200ac (VPN SSH)'

config rule
    option    target            ACCEPT
    option    proto             'tcp udp'
    option    family            ipv4
    option    dest              *
    option    src_mac           '00:11:22:33:44:55'
    option    dest_port         11940
    option    src_ip            '10.0.0.5/28'
    option    src               vpn
    option    name              'Allow Forwarded VPN (AlienFractals-LAN) -> WRT1200ac'

config rule
    option    target            ACCEPT
    option    proto             'tcp udp'
    option    family            ipv4
    option    src_mac           '11:22:33:44:55:66'
    option    dest              *
    option    dest_port         11940
    option    src_ip            '10.0.0.5/28'
    option    src               vpn
    option    name              'Allow Forwarded VPN (AlienFractals-WiFi) -> WRT1200ac'

config rule
    option    target            ACCEPT
    option    proto             'tcp udp'
    option    family            ipv4
    option    dest              *
    option    dest_port         11940
    option    src_ip            '10.0.0.6/28'
    option    src               vpn
    option    name              'Allow Forwarded VPN (NX6) -> WRT1200ac'

config rule
    option    target            ACCEPT
    option    proto             'tcp udp'
    option    family            ipv4
    option    src_ip            '10.0.0.0/28'
    option    name              'Allow VPN -> LAN'
    option    src               vpn
    option    dest_ip           '192.168.3.0/26'

config rule
    option    target            ACCEPT
    option    proto             'tcp udp'
    option    family            ipv4
    option    src_ip            '10.0.0.0/28'
    option    dest              *
    option    src               vpn
    option    dest_ip           '192.168.3.0/26'
    option    name              'Allow Forwarded VPN -> WRT1200ac'

config rule
    option    target            ACCEPT
    option    family            ipv4
    option    proto             icmp
    option    src_ip            '10.0.0.0/28'
    option    dest              lan
    option    name              'Allow VPN (ICMP) -> LAN'
    option    src               vpn

config rule
    option    target            ACCEPT
    option    proto             icmp
    option    family            ipv4
    option    src_ip            '10.0.0.0/28'
    option    dest              wan
    list      icmp_type         'echo-request'
    option    src               vpn
    option    name              'Allow VPN (echo-request) -> WAN'

config zone
    option    name              lan
    option    network           lan
    option    input             ACCEPT
    option    output            ACCEPT
    option    forward           ACCEPT

config zone
    option    name              wan
    option    network          'wan wan6'
    option    input             REJECT
    option    output            ACCEPT
    option    forward           REJECT
    option    syn_flood         1
    option    mtu_fix           1
    option    masq            

config zone
    option    name              vpn
    option    network           vpn
    option    input             ACCEPT
    option    forward           ACCEPT
    option    output            ACCEPT
    option    conntrack         1
    option    log               1

config forwarding
    option    dest              vpn
    option    src               lan

config forwarding
    option    dest              wan
    option    src               lan

config forwarding
    option    dest              lan
    option    src               vpn

config forwarding
    option    dest              wan
    option    src               vpn

/etc/firewall.user

# --- Establish Custom Zones --- #
iptables    -N  DROP_brute
iptables    -N  rate_limit
iptables    -N  log_SSH
iptables    -N  zone_wan_src_DROP
iptables    -N  zone_wan_dest_DROP
iptables    -N  zone_lan_dest_DROP

#--- Log All Dropped ---#
iptables    -A  DROP_brute              -j  LOG --log-prefix    "Brute-Dropped: "   --log-level 4
iptables    -A  DROP_brute              -j  DROP
iptables    -A  zone_wan_src_REJECT     -j  LOG  --log-prefix   "WANin-Dropped: "   --log-level 4
iptables    -A  zone_wan_src_REJECT     -j  DROP
iptables    -A  zone_wan_dest_REJECT    -j  LOG  --log-prefix   "WANout-Dropped: "  --log-level 4
iptables    -A  zone_wan_dest_REJECT    -j  DROP
iptables    -A  zone_lan_dest_DROP      -j  LOG  --log-prefix   "LANin-Dropped: "   --log-level 4
iptables    -A  zone_lan_dest_DROP      -j  DROP

#--- Establish Rate Limit ---#
iptables    -A  rate_limit      -p  ICMP    --icmp-type echo-request    -m  limit   --limit 4/sec           -j  ACCEPT
iptables    -A  rate_limit  !   -p  ICMP                                                                    -j  LOG     --log-prefix    " Connection dropped: "

iptables    -A  rate_limit      -p  tcp --dport 22      -m  limit   --limit 1/min   --limit-burst   1       -j  DROP_brute
iptables    -A  rate_limit      -p  tcp --dport 23      -m  limit   --limit 1/min   --limit-burst   1       -j  DROP_brute
iptables    -A  rate_limit      -p  tcp --dport 1194    -m  limit   --limit 1/min   --limit-burst   1       -j  DROP_brute
iptables    -A  rate_limit      -p  udp --dport 1194    -m  limit   --limit 1/min   --limit-burst   1       -j  DROP_brute
iptables    -A  rate_limit      -p  tcp --dport 11940   -m limit    --limit 5/min   --limit-burst   5       -j  ACCEPT
iptables    -A  rate_limit      -p  udp --dport 11940   -m limit    --limit 5/min   --limit-burst   5       -j  ACCEPT
iptables    -A  rate_limit      -p  tcp --dport 2200    -m limit    --limit 3/min   --limit-burst   3       -j  log_SSH
iptables    -A  rate_limit      -p  tcp --dport 2201    -m limit    --limit 3/min   --limit-burst   3       -j  log_SSH
iptables    -A  rate_limit      -p  tcp                                                                     -j  REJECT  --reject-with   tcp-reset
iptables    -A  rate_limit      -p  udp                                                                     -j  REJECT  --reject-with   icmp-port-unreachable
iptables    -A  rate_limit                                                                                  -j  DROP

#--- Apply Rate Limit ---# 
iptables    -I  input_rule  -p  ICMP    --icmp-type echo-request                                                                            -j rate_limit

iptables    -I  input_rule  -p  tcp     --dport     22      -m  state   --state NEW -m  recent  --set
iptables    -I  input_rule  -p  tcp     --dport     22      -m  state   --state NEW -m  recent  --update    --seconds   60  --hitcount  1   -j  rate_limit
iptables    -I  input_rule  -p  tcp     --dport     23      -m  state   --state NEW -m  recent  --set
iptables    -I  input_rule  -p  tcp     --dport     23      -m  state   --state NEW -m  recent  --update    --seconds   60  --hitcount  1   -j  rate_limit
iptables    -I  input_rule  -p  tcp     --dport     1194    -m  state   --state NEW -m  recent  --set
iptables    -I  input_rule  -p  tcp     --dport     1194    -m  state   --state NEW -m  recent  --update    --seconds   60  --hitcount  1   -j  rate_limit
iptables    -I  input_rule  -p  udp     --dport     1194    -m  state   --state NEW -m  recent  --set
iptables    -I  input_rule  -p  udp     --dport     1194    -m  state   --state NEW -m  recent  --update    --seconds   60  --hitcount  1   -j  rate_limit
iptables    -I  input_rule  -p  tcp     --dport     11940   -m  state   --state NEW                                                         -j  rate_limit
iptables    -I  input_rule  -p  udp     --dport     11940   -m  state   --state NEW                                                         -j  rate_limit
iptables    -I  input_rule  -p  tcp     --dport     2200    -m  state   --state NEW                                                         -j  rate_limit
iptables    -I  input_rule  -p  tcp     --dport     2201    -m  state   --state NEW                                                         -j  rate_limit

# --- Check for bans in rate_limit --- #
iptables    -A  input_rule  -p  tcp --dport 22      -j  rate_limit
iptables    -A  input_rule  -p  tcp --dport 23      -j  rate_limit
iptables    -A  input_rule  -p  tcp --dport 1194    -j  rate_limit

#--- Log SSH Traffic ---#
iptables    -A  log_SSH                             -j  LOG     --log-prefix    "SSH-Traffic: " --log-level 4
iptables    -A  log_SSH                             -j  ACCEPT

(Last edited by JW0914 on 29 Jun 2016, 01:37)

Post #12278

dlang

28 Jun 2016, 22:52

shm0 wrote:

dlang wrote:
you should create a new zone for the guest network and then create rules between that zone and your lan zone.
thanks for your answer.
the guest is already in a separate zone (isolated zone).
Here is want i tried so far but no luck.
1. Adding Static routes
2. Add forward rule from lan to isolated and isolated to lan
3. Put lan and isolated in same zone and set forward to accept
4. Create firewall rules to allow traffic from isolated to lan and vice versa.
Also when i read through the wiki https://wiki.openwrt.org/doc/uci/firewall
Zones:
INPUT rules for a zone describe what happens to traffic trying to reach the router itself through an interface in that zone.
I understand that as Input = zone -> router
So its more like an output from zone to router and not input?
Now at zone options:
input string no DROP Default policy (ACCEPT, REJECT, DROP) for incoming zone traffic
I understand that as traffic -> zone.
For example:
config zone
    option name 'isolated'
    option output 'ACCEPT'
    option network 'isolated'
    option forward 'REJECT'
    option input 'REJECT'
Input is rejected here. Then this rule for example:
config rule
    option name 'Allow-Isolated-Network-DNS'
    option src 'isolated'
    option dest_port '53'
    option proto 'tcpudp'
    option target 'ACCEPT'
I read that rule as allow outgoing traffic. But why is it labeled as Accept Input?
So Input/Ouput should be viewed from router points of view?

with iptables,

the input chain is rules going to an IP in the router
the output chain is for rules going from an IP in the router
the forward chain is for rules arriving on one interface that will be sent out another interface

ACCEPT means that the packet is allowed if the rule is matched.
REJECT means that the packet is rejected if the rule is matched.

you should not need to add any routes, once you have an interface on that network you should have a route to that network.

Post #12279

shm0

28 Jun 2016, 23:09

Thanks for your answers.

So when i set both the lan zone and the isolates zone to
INPUT= ACCEPT
OUTPUT = ACCEPT
FORWARD = REJECT

And set those forwarding rules:

config forwarding
    option    dest              isolated
    option    src               lan

config forwarding
    option    dest              lan
    option    src               isolated

It should work or?

Post #12280

JW0914

28 Jun 2016, 23:12

shm0 wrote:

Thanks for your answers.
So when i set both the lan zone and the isolates zone to
INPUT= ACCEPT
OUTPUT = ACCEPT
FORWARD = REJECT
And set those forwarding rules:
config forwarding
    option    dest              isolated
    option    src               lan

config forwarding
    option    dest              lan
    option    src               isolated
It should work or?

Those two rules allow:
LAN -> Isolated
Isolated -> LAN
If you want traffic to be allowed between LAN and Isolated, that's what you want

(Last edited by JW0914 on 28 Jun 2016, 23:12)

Post #12281

shm0

28 Jun 2016, 23:15

I tried this but it does not work.

Without the forwarding rules ping give me the message Target protocol unavailable (dont know the correct translation)
With the forwarding rules ping just times out.

(Last edited by shm0 on 28 Jun 2016, 23:17)

Post #12282

JW0914

28 Jun 2016, 23:17

shm0 wrote:

I tried this but it does not work.

Please post the output of both /etc/config/firewall & /etc/firewall.user (ensuring to remove or generalize sensitive info such as MACs, SSH and VPN ports, etc.)

Re-skimming your post above, you have a typo with 'tcpudp', which should be 'tcp udp'

(Last edited by JW0914 on 28 Jun 2016, 23:19)

Post #12283

shm0

28 Jun 2016, 23:21

Thanks for your help.

firewall:
Ignore the Allow-isolated-network * rules. I temporally set the input policy for isolated to accept.

config rule
    option name 'Allow-Isolated-Network-DNS'
    option src 'isolated'
    option dest_port '53'
    option proto 'tcpudp'
    option target 'ACCEPT'

config rule
    option name 'Allow-Isolated-Network-DHCP'
    option src 'isolated'
    option proto 'udp'
    option dest_port '67'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'
    option enabled '0'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'
    option enabled '0'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'
    option enabled '0'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'
    option enabled '0'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'
    option enabled '0'

config rule
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'
    option enabled '0'

config rule
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'
    option enabled '0'

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option network 'lan'
    option forward 'REJECT'

config zone
    option name 'isolated'
    option output 'ACCEPT'
    option network 'isolated'
    option forward 'REJECT'
    option input 'ACCEPT'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan wan6'

config include
    option path '/etc/firewall.user'

config forwarding
    option dest 'wan'
    option src 'isolated'

config forwarding
    option dest 'wan'
    option src 'lan'

config forwarding
    option dest 'isolated'
    option src 'lan'

config forwarding
    option dest 'lan'
    option src 'isolated'

firewall.user is empty.

Interesting. Ping from isolated to lan seems to work fine.
But when i try to ping the access point (bridge mode) or trying to access the webinterface in the isolated zone from lan it is not working. But the device does response to pings within the zone itself.

//edit
It seems the problem is the device itself.
The router in the isolated network provides an wlan access point and is connected through its switch (bridge) to the isolated network. So it is using its internal ip.
The Device is accessible through the isolated network (same network).
But somehow it doesnt want to response to the forwarded traffic. What is this?

(Last edited by shm0 on 28 Jun 2016, 23:44)

Post #12284

JW0914

28 Jun 2016, 23:44

config rule
    option  name        'Allow Isolated Network DNS'
    option  src         isolated
    option  dest_port   53
    option  proto       'tcpudp'
    option  target      ACCEPT

needs to be changed to

    option  proto       'tcp udp'

It's one of two things, or both:

isolated: 10.0.0.0/28
lan: 192.168.0.0/24

config zone
    option    name              lan
    option    network           lan
    option    input             ACCEPT
    option    output            ACCEPT
    option    forward           ACCEPT

config zone
    option    name              isolated
    option    network           isolated
    option    input             ACCEPT
    option    output            ACCEPT
    option    forward           ACCEPT

and/or

config rule
    option    target            ACCEPT
    option    proto             'tcp udp'
    option    family            ipv4
    option    src               isolated
    option    src_ip            '10.0.0.0/28'
    option    dest_ip           '192.168.0.0/24'
    option    name              'Allow Isolated -> LAN'

config rule
    option    target            ACCEPT
    option    proto             'tcp udp'
    option    family            ipv4
    option    src               isolated
    option    src_ip            '10.0.0.0/28'
    option    dest              *
    option    dest_ip           '192.168.0.0/24'
    option    name              'Allow Forwarded isolated -> WRT1900ac'

config rule
    option    target            ACCEPT
    option    proto             icmp
    option    family            ipv4
    option    src               isolated
    option    src_ip            '10.0.0.0/28'
    option    dest              lan
    option    name              'Allow Isolated (ICMP) -> LAN'

config rule
    option    target            ACCEPT
    option    proto             'tcp udp'
    option    family            ipv4
    option    src               lan
    option    src_ip            '192.168.0.0/24'
    option    dest_ip           '10.0.0.0/28'
    option    name              'Allow LAN -> Isolated'

config rule
    option    target            ACCEPT
    option    proto             icmp
    option    family            ipv4
    option    src               lan
    option    src_ip            '192.168.0.0/24'
    option    dest              isolated
    option    name              'Allow LAN (ICMP) -> Isolated'

(Last edited by JW0914 on 29 Jun 2016, 01:41)

Post #12285

shm0

28 Jun 2016, 23:51

Thank you.

To make the dlna server running on the lan zone reachable from the isolated zone, do i have to use igmpproxy?
Or is there are better solution?

Post #12286

northbound

28 Jun 2016, 23:56

@JW0914
I smell a good Wiki entry coming up.:)
Your rules are impressive. Thanks for posting.

Post #12287

JW0914

28 Jun 2016, 23:57

shm0 wrote:

Thank you.
To make the dlna server running on the lan zone reachable from the isolated zone, do i have to use igmpproxy?
Or is there are better solution?

I've never utilized a DLNA server, however this rule should work:

config rule
    option    target            ACCEPT
    option    proto             igmp
    option    family            ipv4
    option    src               isolated
    option    name              'Allow Isolated -> WRT1900ac (IGMP)'

and/or

config rule
    option    target            ACCEPT
    option    proto             igmp
    option    family            ipv4
    option    src               isolated
    option    src_ip            '10.0.0.0/28'
    option    dest              *
    option    dest_ip           '192.168.0.0/24'
    option    name              'Allow Forwarded Isolated -> WRT1900ac (IGMP)'

(Last edited by JW0914 on 29 Jun 2016, 01:55)

Post #12288

JW0914

28 Jun 2016, 23:59

northbound wrote:

@JW0914
I smell a good Wiki entry coming up.:)
Your rules are impressive. Thanks for posting.

Thanks! =]

Unfortunately, all wikis are locked until further notice due to server migration... not sure on ETA.

I've flagged your post though and categorized it as Wiki, adding it to the list of other suggestions I've received for the WRT1X00AC/S series wiki

Speaking of the WRT1X00AC/S series wiki, @sera made a suggestion about the background color of the switch layout tables. I was able to get that changed before the wikis were locked, however due to differences in monitors, when a few have time, please let me know if the color scheme is okay or if it needs to be tweaked.

(Last edited by JW0914 on 29 Jun 2016, 00:04)

Post #12289

shm0

29 Jun 2016, 00:09

@JW0914

Thank you so much! You really helped me a lot!

One last thing is it possible to nat only to a specific host?
For example from 192.168.0.1 to 192.168.1.253.
Because it seems the access point only allows connections from the local network and i can't find any option to disable that. (very limited web interface)

Post #12290

JW0914

29 Jun 2016, 00:22

shm0 wrote:

@JW0914
Thank you so much! You really helped me a lot!
One last thing is it possible to nat only to a specific host?
For example from 192.168.0.1 to 192.168.1.253.
Because it seems the access point only allows connections from the local network and i can't find any option to disable that. (very limited web interface)

No problem =]

This may work... if not, create a DNAT rule in the OpenWRT WebGUI, then see which options it selects, as the rule below just looks wrong for some reason

I would have, however I only have one zone since I've bridged eth0 & eth1

config redirect
    option    target            DNAT       
    option    proto             all
    option    src               isolated
    option    src_dport         *
    option    src_ip            '192.168.0.1/24'
    option    dest              lan
    option    dest_port         *
    option    dest_ip           '192.168.1.253/24'
    option    name              'Allow Redirect Isolate -> LAN'

For example, this would be a DNAT rule for SSH, but without specifying IPs (I simply added src_ip and dest_ip above)

config redirect
    option    target            DNAT       
    option    proto             tcp
    option    src               wan
    option    src_dport         20020
    option    dest              lan
    option    dest_port         2201
    option    name              'Allow Redirect WAN -> LAN (SSH)'

(Last edited by JW0914 on 29 Jun 2016, 00:27)

Post #12291

shm0

29 Jun 2016, 00:31

Thanks again

Post #12292

northbound

29 Jun 2016, 01:09

@JW0914
switch layout tables
Looks good here.

Post #12293

Driver007

29 Jun 2016, 10:16

hi,
can somebody tell why downloading at high speeds (wan-lan 30-75MB/s) for about 1 minute and it just stops, can't access anymore after 1 minute it works again.

logs:
http://pastebin.com/xQ2fK1rE
http://pastebin.com/aMjFELas

tried few versions of kernel.

this happens over ethernet whit wifi no problem

(Last edited by Driver007 on 29 Jun 2016, 10:55)

Post #12294

JW0914

29 Jun 2016, 13:41

@Driver007 While I can't help with your issue, I did notice two things in your system log.... you're WAN address should either be removed or replaced with xxx:xxx:xxx:xxx. (Notepad replace all would be easiest), and your WAN lease time is set to 300s (is WAN supposed to have a lease time of 300s?)

Post #12295

Driver007

29 Jun 2016, 13:51

Hm, all settings basically are default, just added iptv interface.

Will try to adjust Wan settings.

Post #12296

kirkgbr

29 Jun 2016, 15:37

@Driver007, I love your wlan1 ssid

Post #12297

shm0

29 Jun 2016, 17:15

Some Update on the dlna server thing.
Even when i allow all traffic between the networks there is no dlna discovery possible.
DLNA uses 239.255.255.250 and 224.0.0.22 as mutlicast grps (but im not sure...).
Is it possible to add multicast route then this should work?
How to do this with openwrt?

//edit
can this work?
Do i have to add netmasks?

config route
    option interface 'lan'
    option target '239.255.255.250'
    option type 'multicast'
        
config route
    option interface 'isolated'
    option target '239.255.255.250'
    option type 'multicast'

config route
    option interface 'lan'
    option target '224.0.0.0'
    option type 'multicast'
        
config route
    option interface 'isolated'
    option target '224.0.0.0'
    option type 'multicast'

//Edit2
I think those 2 routes should be enough but havent tested yet. will report later.
(should cover all local used mutlicast grps maybe overkill)

config route
    option interface 'lan'
    option target '224.0.0.0'
    option netmask '240.0.0.0'
    option type 'multicast'

config route
    option interface 'isolated'
    option target '224.0.0.0'
    option netmask '240.0.0.0'
    option type 'multicast'

igmproxy is only useful in nated environment i think?
pimd is used in networks with multiple gateways to distribute the multicasts between gateways?
maybe smcroute is the tool to use here?
But with smcroute it is only possible to join certain multicast grps?
In this case 239.255.255.250 and 224.0.0.22 ?
For example:

phyint lo disable
phyint wlan0 disable
phyint ifb4eth0 disable
phyint eth0 disable
phyint eth1 disable
phyint eth1.1 enable ttl-threshold 1
phyint eth1.2 enable ttl-threshold 1

mroute from eth1.1 group 239.255.255.250 to eth1.2
mroute from eth1.2 group 239.255.255.250 to eth1.1

//Edit
smcroute approach works fine, using the config from above.

The following firewall rules are needed to allow the isolated netowrk access to the dlna server.
I use plex here which uses tcp port 32469.

config rule
    option target 'ACCEPT'
    option src 'isolated'
    option dest 'lan'
    option name 'Allow-Isolated-DLNA-Discover'
    option family 'ipv4'
    option proto 'udp'
    option dest_ip '239.255.255.250'
    option dest_port '1900'

config rule
    option target 'ACCEPT'
    option src 'isolated'
    option dest 'lan'
    option name 'Allow-Isolated-Plex'
    option family 'ipv4'
    option proto 'tcp'
    option dest_ip '192.168.0.1'
    option dest_port '32469'

If you use plex and enable rebind protection in dnsmasq, you maybe get an dns rebind attack message.
To avoid this add this to your dhcp conf file.

config dnsmasq
...
    list rebind_domain 'plex.direct'
..

//edit
The setup was not perfect. It only worked if the clients were already online and the server started afterwards.
Other way around it did not work.
So for smcroute config. Only the mroute lines are needed. no need for the mgroup lines.
Updated config above.

These lines are also needed it seems. (add to firewall.user)
Multicast have a default ttl of 1. Which is not sufficient.
So we let iptables increase the ttl by one when the multicasts passing one interface.

iptables -t mangle -A PREROUTING -i eth1.1 -d 239.255.255.250 -j TTL --ttl-inc 1
iptables -t mangle -A PREROUTING -i eth1.2 -d 239.255.255.250 -j TTL --ttl-inc 1

(Last edited by shm0 on 1 Jul 2016, 19:10)

Post #12298

AuriconXS

1 Jul 2016, 10:06

Does anyone know if 802.11ac Wave 2 can be added to the WRT1X00AC/S Series routers?

Post #12299

kirkgbr

1 Jul 2016, 14:57

AuriconXS wrote:

Does anyone know if 802.11ac Wave 2 can be added to the WRT1X00AC/S Series routers?

I'm guess not based on this reading. But could be wrong.

Cisco 802.11ac Wave 2 FAQ

Upgrades and Compatibility
Q.    Are Wave 1 hardware and Wave 2 hardware compatible with each other?
A.     No. 802.11ac Wave 1 required new hardware in both access points and client devices to deliver channel widths up to 80 MHz, 256 quadrature amplitude modulation (256-QAM), and up to three spatial streams. The result was a maximum data rate of 1.3 Gbps, or about three times the top-end 802.11n products in the market. Similarly, Wave 2, a superset of Wave 1, requires new hardware in both access points and client devices to support the additional 802.11ac capabilities such as MU-MIMO, channel widths up to 160 MHz, and the potential for a fourth spatial stream.

Post #12300

AuriconXS

1 Jul 2016, 20:04

kirkgbr wrote:

AuriconXS wrote:

Does anyone know if 802.11ac Wave 2 can be added to the WRT1X00AC/S Series routers?

I'm guess not based on this reading. But could be wrong.

Cisco 802.11ac Wave 2 FAQ

Upgrades and Compatibility
Q.    Are Wave 1 hardware and Wave 2 hardware compatible with each other?
A.     No. 802.11ac Wave 1 required new hardware in both access points and client devices to deliver channel widths up to 80 MHz, 256 quadrature amplitude modulation (256-QAM), and up to three spatial streams. The result was a maximum data rate of 1.3 Gbps, or about three times the top-end 802.11n products in the market. Similarly, Wave 2, a superset of Wave 1, requires new hardware in both access points and client devices to support the additional 802.11ac capabilities such as MU-MIMO, channel widths up to 160 MHz, and the potential for a fourth spatial stream.

That's a pity, thank you.

Page 492 of 598