GL-MT6000 - IOT wireless network loses internet access

Please forgive the long post. Refer to previous post: GL-MT6000 - IOT wireless network setup problem

My Flint 2 router is running firmware 4.6.2 (OpenWrt 21.02-SNAPSHOT r15812+1075-46b6ee7ffc Kernel Version 5.4.238). The wan port is connected to my primary router by cable for its internet and my desktop pc is connected to lan port 2. This is for testing and setup. Once everything is working to my satisfaction I will replace my existing R7800 router with the Flint 2.

I set up a wireless IOT network (see previous post link above) that briefly ran well but has now lost internet access. I have tried to reconfigure from scratch a few times with no success. My first goal is to regain internet access on my IOT network. My overall goal is to have a one-router system with three networks: a Primary network including ports ‘lan1’, ‘lan2’ and ‘lan3’, a Guest network that includes port ‘lan4’, and an IOT network that includes port ‘lan5’. The plan is to use bridges to set this up: ‘br-lan’, ‘br-guest’ and ‘br-iot’. The bridges ‘br-lan’ and ‘br-guest’ are default bridges, and ‘br-iot’ is created in the IOT network setup.

In LuCi under “Network-Interfaces” the bridge ‘br-guest’ shows in the Guest interface – see below. Therefore, we know it exists.

Unfortunately, bridge ‘br-guest’ does not show up in LuCi under “Network-Devices” (meaning LuCi can’t edit it to add ‘lan4’) or in the file “/etc/config/network” (to be edited there). However, the “/etc/config/network” file does show the following for the interface ‘guest’:

config interface guest

There is no configuration for the “device” ‘br-guest’ so I can’t add ‘lan4’ to the bridge.

Can I just add (list ports ‘lan4’) under the config interface ‘guest’?

The configuration for my bridge ‘br-iot’ is below:

Config br-iot

Here is the configuration for the IOT interface:

Configure interface iot

Here is the current firewall setup:

Problems

Restart/re-establish internet access to IOT network.

Add ‘lan4’ to the Guest network and maintain internet access.

Thank you in advance for your help.

Long story short, yes :slight_smile:

Only you should edit br-lan and remove lan4, then just use lan4 for interface guest. The bridge is not really needed, maybe only if you wanted some multicast control; then you can add lan4 to the br-guest bridge.

Also, another thing, since I took note you used br-guest: I've been told by OpenWrt forums that mixing DSA devices from bridge A in bridge B could cause unwanted or deeper conflicts, though I never found them, but it is an unintentional setup; it also depends on how well DSA is implemented.

However, if your br-guest only had lan4 that's also fine, as long as it did not have br-lan.50 in br-guest, as an illustration of what I mean: the VLAN belongs to the specific desired bridge.

xize11 - thanks for the guidance.

Using LuCi I removed 'lan4' from 'br-lan'. I then edited /etc/config/network to add "list ports 'lan4'" under "config interface 'guest'". I rebooted and now the LAN interface has 'lan1' 'lan2' and 'lan3' while the GUEST interface has 'lan4' and the IOT interface has 'lan5'. See below:

For clarification, 'br-guest' is a GL-iNet configuration (along with 'br-lan'). I added bridge 'br-iot' and the IOT interface.

Currently the LAN and GUEST interfaces can access the internet, but the IOT interface cannot.

I will keep working with the IOT interface, but any guidance/thoughts will be appreciated.


Can you show the firewall zone of zone iot?

The input must be set to accept; often on default creation it is set to drop or reject, and this blocks the connection.

This is due to how the global rules are set, which is fine, but set input to accept only for the desired zone.

xize11 - thanks for the suggestions.

There is an image of the Firewall zones shown above earlier in this post.

The IOT zone is modeled after the Guest zone with the input set to reject. I changed the IOT zone input to accept and rebooted. This does provide internet access to the IOT zone. However, then the IOT zone is no longer isolated from the LAN zone and the router admin page is reachable from the IOT zone. I do not want this.

The Guest zone has input set to reject and it still has internet access. Also, the router admin page cannot be reached from the Guest zone. This is what I want for the IOT zone.

I believe I need to leave the IOT zone input set to reject and find a way to get internet access.

I don't understand firewalls, but I will examine the firewall config file to see if I can find some clues. In the meantime I am returning the IOT zone input to reject.

Any other ideas?

It sounds to me that you accidentally added lan5 somewhere in another bridge which is also connected to lan.

Please remove this; usually, with each network in its own firewall zone, clients cannot talk to other zones except the ones which are forwarded to, i.e. wan.

Since this is already happening, my suspicion is that something is not correct in /etc/config/network.

The gateway however... this can be reachable because OpenWrt routes the gateway on 0.0.0.0. There is an easy fix for this by adding a traffic rule via LuCI -> Network -> Firewall like:

src: iot
dest: this device
target: reject

Then those clients are refused access to the web page.


Using the "Monkey see - Monkey copy" technique I seem to have made some progress. (But as a monkey I don't understand exactly what I have done.)

I want my IOT network to work like the Guest network that came installed on the router (after you activate it).

I edited /etc/config/network and copied the guest configuration substituting 'iot' for guest and changing the subnet for iot. I then edited /etc/config/firewall to add an 'iot' configuration the same as each guest configuration I found. I duplicated the settings substituting 'iot' for guest.

After a reboot everything seems to be working fine for the time being.

The IOT and Guest networks have internet access but cannot access the router admin page. The firewall settings are as shown earlier in this post with IOT and Guest having the same settings.

I will do some more testing to confirm all the networks are isolated from each other. If everything continues to look good I will do a test replacement of my existing router with the Flint 2.

My only regret is I don't understand clearly what I have done.

You can always make a backup :slight_smile:

I've made a configuration backup in LuCi and I have backed up the config files in text files.

In hindsight I don't think the steps I used to create the IOT network were critical. What was critical was the configuration of the firewall config file. Using the guest zone firewall settings as a guide I added the following iot zone firewall settings:

config redirect 'dns_vpn_iot'
	option name 'dns for vpn iot'
	option src 'iot'
	option src_dport '53'
	option dest 'iot'
	option dest_port '1653'
	option mark '!0x8000/0xc000'
	list proto 'tcp'
	list proto 'udp'
	option enabled '0'

config rule
	option name 'Allow-DHCP'
	option src 'iot'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule
	option name 'Allow-DNS'
	option src 'iot'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

The additional firewall settings did the trick. I now have the networks configured as I want. I was beginning to consider thoughts of returning the Flint 2 to Amazon and going with a more expensive Synology router. Thankfully I won't need to.
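The thread's resolution, and xize11's earlier point about the zone input policy, come down to one fact about OpenWrt firewall zones: with input set to REJECT, clients of that zone still need explicit rules allowing DHCP (udp 67-68) and DNS (tcp/udp 53) to the router itself, plus a forwarding to wan, or they never come online even though the zone is otherwise correct. The script below is an added example, not code from the thread or from GL.iNet; it reads a small UCI firewall config (constructed here, not the poster's file) and reports, per zone, whether clients would get DHCP, DNS, a path to wan and access to the router's web page. It assumes the fw3/fw4 behaviour that a rule with no `dest` targets the input chain and that rules are evaluated top to bottom with the first match winning.

```python
"""Static check of an OpenWrt UCI firewall: will clients of an isolated zone
(input REJECT) still get DHCP and DNS from the router and a path to wan?
Config text below is constructed for this example (not the poster's file)."""
import re

# Zone skeletons modelled on the thread's layout: guest and iot both reject
# traffic to the router itself but are forwarded to wan.
BASE_CFG = """
config zone
	option name 'guest'
	option input 'REJECT'
config zone
	option name 'iot'
	option input 'REJECT'
config forwarding
	option src 'guest'
	option dest 'wan'
config forwarding
	option src 'iot'
	option dest 'wan'
"""

# The two rules the thread ended up needing, as a template keyed by zone name.
ALLOW_DHCP_DNS = """
config rule
	option name 'Allow-DHCP'
	option src '{zone}'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
config rule
	option name 'Allow-DNS'
	option src '{zone}'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
"""

# Starting point of the thread: guest has the rules, iot only has the zone.
FIREWALL_BEFORE = BASE_CFG + ALLOW_DHCP_DNS.format(zone="guest")
# End state: the same two rules copied for iot.
FIREWALL_AFTER = FIREWALL_BEFORE + ALLOW_DHCP_DNS.format(zone="iot")

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^'\s]+)'?)?$")
ENTRY_RE = re.compile(r"^(option|list)\s+(\S+)\s+(.+)$")


def parse_uci(text):
    """Minimal UCI reader: list of sections, each {'.type', '.name', key: str-or-list}."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            cur = {".type": m.group(1), ".name": m.group(2)}
            sections.append(cur)
            continue
        m = ENTRY_RE.match(line)
        if m and cur is not None:
            kind, key, val = m.group(1), m.group(2), m.group(3).strip().strip("'\"")
            if kind == "option":
                cur[key] = val
            else:
                cur.setdefault(key, []).append(val)  # 'list' keys accumulate
    return sections


def port_in_spec(port, spec):
    """Match a UCI dest_port spec such as '53', '67-68' or '80 443'."""
    for item in spec.split():
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def router_verdict(sections, zone, port, proto):
    """Fate of a packet from `zone` to the router itself (a rule without 'dest'
    targets the input chain). First matching enabled rule wins; otherwise the
    zone's input policy applies. Assumes fw3/fw4 top-to-bottom rule order."""
    for s in sections:
        if (s[".type"] != "rule" or s.get("src") != zone or "dest" in s
                or s.get("enabled", "1") == "0"):
            continue
        p = s.get("proto", "tcp udp")  # proto may be an option or a list
        protos = p.split() if isinstance(p, str) else p
        if proto not in protos and "all" not in protos:
            continue
        if "dest_port" in s and not port_in_spec(port, s["dest_port"]):
            continue
        return s.get("target", "DROP").upper()
    for s in sections:
        if s[".type"] == "zone" and s.get("name") == zone:
            return s.get("input", "DROP").upper()
    raise KeyError(f"no zone named {zone}")


def audit_zone(sections, zone):
    """Summarise what zone clients can do; 'online' needs DHCP, DNS and a wan forwarding."""
    forwards = {s.get("dest") for s in sections
                if s[".type"] == "forwarding" and s.get("src") == zone}
    dhcp = router_verdict(sections, zone, 67, "udp") == "ACCEPT"
    dns = all(router_verdict(sections, zone, 53, pr) == "ACCEPT" for pr in ("udp", "tcp"))
    admin = router_verdict(sections, zone, 80, "tcp") == "ACCEPT"
    return {"dhcp": dhcp, "dns": dns, "wan": "wan" in forwards,
            "admin_page": admin, "online": dhcp and dns and "wan" in forwards}
```

Run `audit_zone(parse_uci(FIREWALL_BEFORE), "iot")` to see the thread's failure mode (wan forwarding present, DHCP and DNS rejected, so not online) and the same call against `FIREWALL_AFTER` to see the fixed state: DHCP and DNS allowed, admin page still rejected, which is the isolation the poster wanted. The same check applied to a zone whose input is ACCEPT reports `admin_page` True, matching what the poster observed when input was switched to accept.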
