Dears, a complete newbie here. I've followed exactly the script made by Miles here to create an IoT VLAN (slightly modified to also include 5 and 6 GHz Wi-Fi).
Now, based on the examples I've seen here and there, I prepared a script "on paper" to create a VLAN (192.168.50.x) entirely dedicated to my surveillance devices (an anti-theft system and, in the future, a PoE NVR), using LAN ports 3 and 4. Here it is:
# Switch VLAN 50 on switch1. Port-list suffixes: 't' = tagged, 'u' = untagged
uci set network.vlan_surv='switch_vlan'
uci set network.vlan_surv.device='switch1'
uci set network.vlan_surv.vlan='50'
uci set network.vlan_surv.ports='3t 4ut 5ut'
# 802.1Q sub-interface eth1.50: carries VLAN 50 between the switch and the CPU port
uci set network.eth1_50=device
uci set network.eth1_50.type='8021q'
uci set network.eth1_50.ifname='eth1'
uci set network.eth1_50.vid='50'
uci set network.eth1_50.name='eth1.50'
# Bridge br-surv holding only eth1.50
uci add network device
uci set network.@device[-1].type='bridge'
uci set network.@device[-1].name='br-surv'
uci add_list network.@device[-1].ports='eth1.50'
# Layer-3 interface 'surv' on the bridge: router address 192.168.50.1/24
uci set network.surv=interface
uci set network.surv.proto='static'
uci set network.surv.device='br-surv'
uci set network.surv.ipaddr='192.168.50.1'
uci set network.surv.netmask='255.255.255.0'
# DHCP pool for surv: 192.168.50.100 to .249, 12-hour leases
uci set dhcp.surv=dhcp
uci set dhcp.surv.interface='surv'
uci set dhcp.surv.start='100'
uci set dhcp.surv.limit='150'
uci set dhcp.surv.leasetime='12h'
# Firewall zone 'surv': traffic to/from the router accepted, forwarding rejected unless allowed below
uci add firewall zone
uci set firewall.@zone[-1].name='surv'
uci set firewall.@zone[-1].input='ACCEPT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add_list firewall.@zone[-1].network='surv'
# Allow surv -> wan (internet access only)
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='surv'
uci set firewall.@forwarding[-1].dest='wan'
# Allow DHCP (UDP 67-68) from surv to the router
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DHCP-Surv'
uci add_list firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].src='surv'
uci set firewall.@rule[-1].dest_port='67-68'
uci set firewall.@rule[-1].target='ACCEPT'
# Allow DNS (TCP/UDP 53, the default proto for a rule) from surv to the router
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DNS-Surv'
uci set firewall.@rule[-1].src='surv'
uci set firewall.@rule[-1].dest_port='53'
uci set firewall.@rule[-1].target='ACCEPT'
# Save all changed configs (network, dhcp, firewall) and reboot
uci commit
reboot
Questions:
- I'm not that sure regarding port enablement. Actually my Flint 3 is basically as it comes out of the box, with the exception of the IoT VLAN I created. That is to say, currently the LAN ports are not bound to any VLAN: is it therefore correct to use '3t 4ut 5ut' for port enablement?
- I basically configured a few rules for the firewall: internet access through WAN, DHCP, DNS. I would also like the NVR to be accessible from the default LAN/wireless. I think I should add:
# Allow forwarding from the default LAN zone into surv
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='surv'
But this should allow wired devices on LAN1 and LAN2 to access the surv VLAN. How do I also allow wireless devices connected to the default 192.168.8.x? (Use case: access to an RTSP stream from my smartphone connected to the "Home" wireless connection.)
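As an added example, not part of the original post or of Miles' script: a narrower alternative to the full lan -> surv zone forwarding proposed above, allowing only RTSP (TCP 554 by default) from the default LAN to one NVR address, which is pinned with a static DHCP lease. It assumes the "Home" SSID is attached to the lan network (option network 'lan' in /etc/config/wireless, the default on OpenWrt/GL.iNet), so phones on that SSID are already in the lan firewall zone together with LAN1 and LAN2 and need no extra forwarding. The NVR address 192.168.50.10 and MAC 00:11:22:33:44:55 are placeholders; setting UCI=echo dry-runs the commands instead of writing them.

```shell
#!/bin/sh
# Added example, not from the original post or Miles' script.
# Narrow alternative to a full 'lan -> surv' zone forwarding: allow only RTSP
# (TCP 554 by default) from the 'lan' zone to a single NVR address.
# Assumptions (placeholders, not from the post): NVR at 192.168.50.10 with MAC
# 00:11:22:33:44:55; the Home SSID has option network 'lan', so wireless
# clients are in the 'lan' zone like LAN1/LAN2 and need no extra forwarding.
# Set UCI=echo to dry-run the commands instead of writing them.

UCI="${UCI:-uci}"

# Pin the NVR to a fixed address so the firewall rule's dest_ip stays valid.
add_nvr_static_lease() {
    nvr_mac="$1"
    nvr_ip="$2"
    "$UCI" add dhcp host
    "$UCI" set 'dhcp.@host[-1].name=nvr'
    "$UCI" set "dhcp.@host[-1].mac=$nvr_mac"
    "$UCI" set "dhcp.@host[-1].ip=$nvr_ip"
}

# One rule: lan -> surv, TCP to the NVR's RTSP port only. Nothing else in the
# surv zone becomes reachable from the LAN.
add_nvr_rtsp_rule() {
    nvr_ip="$1"
    rtsp_port="${2:-554}"
    "$UCI" add firewall rule
    "$UCI" set 'firewall.@rule[-1].name=Allow-RTSP-lan-to-NVR'
    "$UCI" set 'firewall.@rule[-1].src=lan'
    "$UCI" set 'firewall.@rule[-1].dest=surv'
    "$UCI" set "firewall.@rule[-1].dest_ip=$nvr_ip"
    "$UCI" set 'firewall.@rule[-1].proto=tcp'
    "$UCI" set "firewall.@rule[-1].dest_port=$rtsp_port"
    "$UCI" set 'firewall.@rule[-1].target=ACCEPT'
}

# Check which network each SSID is attached to: an SSID with network='lan'
# is in the 'lan' zone and is covered by the rule above.
show_ssid_networks() {
    "$UCI" show wireless | grep '\.network='
}

# Apply only when run on the router with --apply; sourcing the file for a
# dry run (UCI=echo) leaves the configuration untouched.
if [ "${1:-}" = "--apply" ]; then
    add_nvr_static_lease '00:11:22:33:44:55' '192.168.50.10'
    add_nvr_rtsp_rule '192.168.50.10' 554
    "$UCI" commit dhcp
    "$UCI" commit firewall
    /etc/init.d/dnsmasq reload
    /etc/init.d/firewall reload
fi
```

Both a zone forwarding and a rule are matched on the firewall zone, not on the physical port, so wired versus wireless reduces to which network the SSID is attached to; show_ssid_networks prints that mapping. Where the phone only needs the stream, the single rule is preferable to the zone forwarding, which would also let every LAN client reach the web and management ports of the cameras and the NVR.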