My Flint 2 router is running firmware 4.6.2 (OpenWrt 21.02-SNAPSHOT r15812+1075-46b6ee7ffc Kernel Version 5.4.238). The wan port is connected to my primary router by cable for its internet and my desktop pc is connected to lan port 2. This is for testing and setup. Once everything is working to my satisfaction I will replace my existing R7800 router with the Flint 2.
I set up a wireless IOT network (see previous post link above) that briefly ran well but has now lost internet access. I have tried to reconfigure from scratch a few times with no success. My first goal is to regain internet access on my IOT network. My overall goal is to have a one-router system with three networks: a Primary network including ports 'lan1', 'lan2' and 'lan3', a Guest network that includes port 'lan4', and an IOT network that includes port 'lan5'. The plan is to use bridges to set this up: 'br-lan', 'br-guest' and 'br-iot'. The bridges 'br-lan' and 'br-guest' are default bridges, and 'br-iot' is created in the IOT network setup.
In LuCI under 'Network - Interfaces' the bridge 'br-guest' shows in the Guest interface - see below. Therefore, we know it exists.
Unfortunately, bridge 'br-guest' does not show up in LuCI under 'Network - Devices' (meaning LuCI can't edit it to add 'lan4') or in the file '/etc/config/network' (to be edited there). However, the '/etc/config/network' file does show the following for the interface 'guest':
There is no configuration for the 'device' 'br-guest', so I can't add 'lan4' to the bridge.
Can I just add (list ports 'lan4') under the config interface 'guest'?
The configuration for my bridge 'br-iot' is below:
You should only edit br-lan and remove lan4, then just use lan4 for the interface guest. The bridge is not really needed, maybe only if you wanted some multicast control; then you can add lan4 to the br-guest bridge.
Also another thing, since I took note you used br-guest: I've been told on the OpenWrt forums that mixing DSA devices from bridge A in bridge B could cause unwanted or deeper conflicts, though I never found them; but it is an unintentional setup, and it also depends on how well DSA is implemented.
However, if your br-guest only had lan4, that's also fine as long as it did not have br-lan.50 in br-guest; as an illustration of what I mean, the VLAN belongs to the specific desired bridge.
Using LuCi I removed 'lan4' from 'br-lan'. I then edited /etc/config/network to add "list ports 'lan4'" under "config interface 'guest'". I rebooted and now the LAN interface has 'lan1' 'lan2' and 'lan3' while the GUEST interface has 'lan4' and the IOT interface has 'lan5'. See below:
There is an image of the Firewall zones shown above earlier in this post.
The IOT zone is modeled after the Guest zone with the input set to reject. I changed the IOT zone input to accept and rebooted. This does provide internet access to the IOT zone. However then the IOT zone is no longer isolated from the LAN zone and the router admin page is reachable from the IOT zone. I do not want this.
The Guest zone has input set to reject and it still has internet access. Also, the router admin page cannot be reached from the Guest zone. This is what I want for the IOT zone.
I believe I need to leave the IOT zone input set to reject and find a way to get internet access.
I don't understand firewalls, but I will examine the firewall config file to see if I can find some clues. In the meantime I am returning the IOT zone input to reject.
It sounds to me like you accidentally added lan5 somewhere in another bridge which is also connected to lan.
Please remove this; usually, with each in its own firewall zone, clients cannot talk to other zones except the ones they are forwarded to, i.e. wan.
Since this is already happening my suspicion is that something is not correct in the /etc/config/network.
The gateway however... this can be reachable because OpenWrt routes the gateway on 0.0.0.0. There is an easy fix for this by adding a traffic rule via LuCI -> Network -> Firewall like:
src: iot
dest: this device
target: reject
Then those clients are refused access to the web page.
Using the "Monkey see - Monkey copy" technique I seem to have made some progress. (But as a monkey I don't understand exactly what I have done.)
I want my IOT network to work like the Guest network that came installed on the router (after you activate it).
I edited /etc/config/network and copied the guest configuration substituting 'iot' for guest and changing the subnet for iot. I then edited /etc/config/firewall to add an 'iot' configuration the same as each guest configuration I found. I duplicated the settings substituting 'iot' for guest.
After a reboot everything seems to be working fine for the time being.
The IOT and Guest networks have internet access but cannot access the router admin page. The firewall settings are as shown earlier in this post with IOT and Guest having the same settings.
I will do some more testing to confirm all the networks are isolated from each other. If everything continues to look good I will do a test replacement of my existing router with the Flint 2.
My only regret is I don't understand clearly what I have done.
I've made a configuration backup in LuCi and I have backed up the config files in text files.
In hindsight I don't think the steps I used to create the IOT network were critical. What was critical was the configuration of the firewall config file. Using the guest zone firewall settings as a guide I added the following iot zone firewall settings:
# Copied from the guest zone's VPN DNS redirect; it is left disabled
# (enabled '0'), so it has no effect on the iot zone.
config redirect 'dns_vpn_iot'
	option name 'dns for vpn iot'
	option src 'iot'
	option src_dport '53'
	option dest 'iot'
	option dest_port '1653'
	option mark '!0x8000/0xc000'
	list proto 'tcp'
	list proto 'udp'
	option enabled '0'

# With the zone input policy set to reject, these two rules are the only
# traffic from iot clients that may reach the router itself: DHCP ...
config rule
	option name 'Allow-DHCP'
	option src 'iot'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

# ... and DNS. The admin page stays unreachable from the iot zone.
config rule
	option name 'Allow-DNS'
	option src 'iot'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
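The same iot zone settings (zone, forwarding to wan, DHCP and DNS allow rules), written out as an added `uci batch` script that is not from the original post or GL.iNet; it assumes the network interface is named 'iot' and the upstream zone 'wan', and the section names iot, iot_wan, iot_dhcp and iot_dns are my own choice.

```shell
#!/bin/sh
# Added example: build and apply the firewall settings for an isolated
# "iot" zone on OpenWrt via `uci batch`. Assumes the interface is named
# 'iot' and the upstream zone is 'wan'. Zone input is REJECT, so iot
# clients cannot reach the router's admin page; only DHCP and DNS to the
# router are allowed, which is all the zone needs to get online.

iot_zone_batch() {
	cat <<'EOF'
set firewall.iot=zone
set firewall.iot.name='iot'
add_list firewall.iot.network='iot'
set firewall.iot.input='REJECT'
set firewall.iot.output='ACCEPT'
set firewall.iot.forward='REJECT'
set firewall.iot_wan=forwarding
set firewall.iot_wan.src='iot'
set firewall.iot_wan.dest='wan'
set firewall.iot_dhcp=rule
set firewall.iot_dhcp.name='Allow-DHCP'
set firewall.iot_dhcp.src='iot'
set firewall.iot_dhcp.proto='udp'
set firewall.iot_dhcp.dest_port='67-68'
set firewall.iot_dhcp.target='ACCEPT'
set firewall.iot_dns=rule
set firewall.iot_dns.name='Allow-DNS'
set firewall.iot_dns.src='iot'
set firewall.iot_dns.proto='tcp udp'
set firewall.iot_dns.dest_port='53'
set firewall.iot_dns.target='ACCEPT'
EOF
}

# Guard: refuse a batch whose iot input policy is ACCEPT, the setting
# that exposed the admin page from the iot zone in the post above.
check_zone_input() {
	! printf '%s\n' "$1" | grep -q "firewall.iot.input='ACCEPT'"
}

apply_iot_zone() {
	batch=$(iot_zone_batch)
	check_zone_input "$batch" || { echo "refusing: iot input is ACCEPT" >&2; return 1; }
	command -v uci >/dev/null 2>&1 || { echo "uci not found (not on OpenWrt?)" >&2; return 2; }
	printf '%s\n' "$batch" | uci batch && uci commit firewall && /etc/init.d/firewall restart
}
```

Run `apply_iot_zone` on the router itself; elsewhere it only prints the batch check result and exits without changing anything.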
The additional firewall settings did the trick. I now have the networks configured as I want. I was beginning to consider thoughts of returning the Flint 2 to Amazon and going with a more expensive Synology router. Thankfully I won't need to.