Flint 2 Help to restore the FW configuration

Hello,
Will someone be kind enough to send me the default firewall configuration (the /etc/config/firewall) of MT6000 (Flint 2)?
I am pretty much sure that I have a mistake there and I want to avoid a reset.

Always take backups before editing files! I hope someone with the same model can help.

I have a Flint 1 & Flint 2.
And I copied the Flint 1 file on top of 2.
Hadn’t pushed the previous copy to my repo, boom…

you can take them from /rom/etc/config/firewall :slight_smile:

2 Likes

Lovely.
Many thanks.

And a question. I don’t see the Guest → WAN forwarding rule in the /rom/etc/config/firewall!

How is this possible?

1 Like

I believe the script creates this.

Probably can be re-triggered by temporarily enabling guest Wi-Fi.

Try this:

# if the traffic rules also do not exist inside luci this is what I found on one of my earliest backups:

uci add firewall forwarding
uci set firewall.@forwarding[-1].src='guest'
uci set firewall.@forwarding[-1].dest='wan'
uci set firewall.@forwarding[-1].enabled='0'

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DHCP'
uci set firewall.@rule[-1].src='guest'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].dest_port='67-68'

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DNS'
uci set firewall.@rule[-1].src='guest'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].proto='tcp udp'
uci set firewall.@rule[-1].dest_port='53'

uci add firewall forwarding
# name the section (a plain "uci set <section>=<value>" would change its type instead)
uci rename firewall.@forwarding[-1]='guest2wgclient'
uci set firewall.@forwarding[-1].src='guest'
uci set firewall.@forwarding[-1].dest='wgclient'
uci set firewall.@forwarding[-1].enabled='1'

# to only create the zone:

uci add firewall zone
uci set firewall.@zone[-1].name='guest'
uci set firewall.@zone[-1].network='guest'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci commit firewall

/etc/init.d/firewall restart

Correct. It is at the path: /usr/bin/set_init_portal

1 Like

that is even better :grinning:

I think something is very wrong with the current setup.
Suddenly, I cannot connect to Flint 1 AP. The AP doesn’t get an IP, the FW is OK (I found a backup and it’s identical apart from the IoT settings that are not working anyway), I add an IoT WiFi and it simply refuses to add it properly.

Time to hard reset the router.

Did you upgrade your firmware to the beta ones?

During beta the Wi-Fi driver changed. So old configs won’t work. (And vice versa)

No, it’s the latest stable.
Now I have a completely broken setup.

HOWEVER, I plan to start from scratch and ask for your help. It’s absolutely crazy how such a “simple” thing is not working as it should.

Though with a backup from Flint 1 migrated to Flint 2, this is risky and will probably not work; it will only work if you know what changed and edit it accordingly. My advice when I'm doing something like this is to extract the Flint 1 backup with 7zip, then look at the differences in config in /etc/config. If I think it's fine, I drag them over one by one via WinSCP and test in steps. Additionally, I can also rename the original ones with _bak appended to the name.

Things that change:

  • Between Flint 1 and Flint 2, you have different wireless device naming, because you transfer from either QSDK or OpenWifi for the Flint 1 (between these distinct versions the driver config for Wi-Fi also breaks) to either the Mediatek SDK or a version equal to or lower than 4.5.6, which uses MT79 as the driver device (same story between the driver distinctions).

  • the change of LAN ports

  • Firewall settings are affected: secondwan is not present in Flint 1 afaik, which is expected in Flint 2.

And also quite a lot from the /etc folder gets inserted into the backup file; without knowing exactly what, this might also break.

1 Like
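An added example, not part of any post in this thread: a POSIX sh helper that lists the forwarding sections of an OpenWrt firewall file and reports those present in a known-good copy but missing from another, which is how a lost guest forwarding like the one discussed above would show up. The function names are made up for this example, the demo data is constructed, and a forwarding without an `enabled` option is assumed to be enabled.

```shell
#!/bin/sh
# Added example (not from the thread). On the router you might run, for instance:
#   missing_forwardings /path/to/known-good/firewall /etc/config/firewall
#   missing_forwardings /etc/config/firewall /rom/etc/config/firewall

# Print one line per "config forwarding" section: "<src>-><dest> enabled=<0|1>"
list_forwardings() {
    awk '
        function unq(s) { gsub(/^["\047]|["\047]$/, "", s); return s }
        function emit() {
            if (insec) printf "%s->%s enabled=%s\n", src, dest, en
            insec = 0
        }
        $1 == "config" {
            emit()
            # assumption: a missing "enabled" option means the forwarding is active
            if (unq($2) == "forwarding") { insec = 1; src = dest = "?"; en = "1" }
        }
        insec && $1 == "option" && $2 == "src"     { src  = unq($3) }
        insec && $1 == "option" && $2 == "dest"    { dest = unq($3) }
        insec && $1 == "option" && $2 == "enabled" { en   = unq($3) }
        END { emit() }
    ' "$1"
}

# Print forwardings found in file $1 that are absent (or differ) in file $2.
missing_forwardings() {
    fw_other=$(list_forwardings "$2")
    list_forwardings "$1" | while IFS= read -r fw_line; do
        printf '%s\n' "$fw_other" | grep -Fxq -- "$fw_line" || printf '%s\n' "$fw_line"
    done
}

# Constructed sample: a backup that has a guest->wan forwarding the current file lacks.
demo() {
    d=$(mktemp -d)
    printf "config forwarding\n\toption src 'lan'\n\toption dest 'wan'\n" > "$d/current"
    { cat "$d/current"
      printf "\nconfig forwarding\n\toption src 'guest'\n\toption dest 'wan'\n\toption enabled '0'\n"
    } > "$d/backup"
    missing_forwardings "$d/backup" "$d/current"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Swapping the two arguments shows what the current file has beyond the reference copy, which is worth reviewing before restarting the firewall.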

No way to do this.
When I say I will start from scratch, I mean from scratch.
Reset both, reset the Zyxel too and then start from scratch.
First make sure that the IoT WiFi works, then move to VLANs to expand the WiFi to Flint 1.
Right now, everything is broken and I operate only the Flint 2 and only marginally.

A new post will follow tomorrow.

1 Like