I would like to create two networks:
LAN 4 -> Port 4 -> Port 6 -> eth2; network can be accessed using first WiFi card; IP pattern 192.168.2.*
LAN 0…3-> Port 0…3 -> Port 5 -> eth0; all traffic routed through OpenVPN connection; network can be accessed via second WiFi card; IP pattern 192.168.1.*
Foris and ssh access via #2 .
I have the OpenVPN client setting working.
How do I go about doing this?
Nones
April 16, 2017, 5:56pm
2
I think everything useful for solving your problem you can find in this topic of official documentation.
I followed the instructions in Configure a guest WLAN to create a guest network (I’ll add the VPN later), but it appears that I’m missing some elements.
When I’m connected to TurrisGuest
:
DHCP resolution doesn’t work
I can ping an remote IP address (e.g. 216.58.192.174 (google.com ))
Web sites are not accessible
bittorrents function
an access point (Apple Airport set to bridging mode disappears). When I reconnect to the TurrisAC
wi-fi network, the access point reappears.
I think I need to do the following, but I want to ‘brick’ the device:
set the iframe
of the guest
interface to eth0
or eth2
and remove the corresponding entry from the lan
interface
do something similar to _orig_ifname
entry on guest
and lan
interfaces
Other comments and suggestions welcomed.
Contents of /etc/config/network
:
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd22:91e8:0e0f::/48'
config interface 'lan'
option force_link '1'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option _orig_ifname 'eth0 eth2 wlan0 wlan1'
option _orig_bridge 'true'
option ifname 'eth0 eth2'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5'
option vid '1'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6'
option vid '2'
config interface 'torguard_vpn'
option proto 'none'
option ifname 'tun0'
config interface 'wan'
option proto 'pppoe'
option username 'user@qwest.net'
option password 'password'
option ipv6 '0'
option _orig_ifname 'eth1'
option _orig_bridge 'false'
option mtu '1492'
option ifname 'eth1.201' # tagged to work w/ CenturyLink's network
# my addition
config interface 'guest'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
Contents of /etc/config/wireless
:
config wifi-device 'radio0'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'platform/soc/soc:pcie-controller/pci0000:00/0000:00:02.0/0000:02:00.0'
option htmode 'VHT80'
option disabled '0'
option txpower '23'
option country 'US'
config wifi-iface
option device 'radio0'
option mode 'ap'
option disabled '0'
option encryption 'psk2+tkip+aes'
option key '<password>'
option ssid 'TurrisAC'
option network 'lan'
config wifi-device 'radio1'
option type 'mac80211'
option channel '11'
option country 'CZ'
option hwmode '11g'
option path 'platform/soc/soc:pcie-controller/pci0000:00/0000:00:01.0/0000:01:00.0'
option htmode 'HT20'
option disabled '0'
option txpower '19'
config wifi-iface
option device 'radio1'
option mode 'ap'
option disabled '0'
option encryption 'psk2+tkip+aes'
option key '<password>'
option ssid 'TurrisGuest'
option network 'guest'
option isolate 1 # is this necessary?
Contents of /etc/config/dhcp
:
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
option nonwildcard '0'
option domain 'lan'
option port '5353' # changed to match settings from forums.turris.cz
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
list dhcp_option '6,192.168.1.1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
# my addition
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'
list dhcp_option '6,192.168.2.1' # is this line necessary?
option ra 'server'
option dhcpv6 'server'
option ra_management '1'
Contents of /etc/config/firewall
:
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config include
option path '/usr/share/firewall/turris'
option reload '1'
config include
option path '/etc/firewall.d/with_reload/firewall.include.sh'
option reload '1'
config include
option path '/etc/firewall.d/without_reload/firewall.include.sh'
option reload '0'
config rule
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
config zone
option name 'vpn'
option input 'REJECT'
option forward 'REJECT'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option network 'torguard_vpn'
config forwarding
option src 'lan'
option dest 'vpn'
# 2017/04/16 - CB - adding 'guest' zone, forwarding, and rules
# new zone
config zone
option name 'guest'
option network 'guest'
option input 'REJECT'
option forward 'REJECT'
option output 'ACCEPT'
# Allow Guest -> Internet
config forwarding
option src 'guest'
option dest 'wan'
# Allow DNS Guest -> Router
# Client DNS queries ordinate from dynamic UDP ports (>1023)
config rule
option name 'Allow DNS Queries'
option src 'guest'
option dest_port '5353' # match value in /etc/config/dhcp
option proto 'tcp udp'
option target 'ACCEPT'
# Allow DHCP Guest -> Router
# DHCP communication uses UDP ports 67-68
config rule
option name 'Allow DHCP request'
option src 'guest'
option src_port '67-68'
option dest_port '67-68'
option proto 'udp'
option target 'ACCEPT'
I was able to get the ‘guest’ WiFi portion functional. One step down…
content of /etc/config/wireless
:
config wifi-device 'radio0'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'platform/soc/soc:pcie-controller/pci0000:00/0000:00:02.0/0000:02:00.0'
option htmode 'VHT80'
option disabled '0'
option txpower '23'
option country 'US'
config wifi-iface
option device 'radio0'
option mode 'ap'
option disabled '0'
option encryption 'psk2+tkip+aes'
option key 'PASSWORD'
option network 'lan'
option ssid 'Omnia'
config wifi-device 'radio1'
option type 'mac80211'
option channel '11'
option country 'US'
option hwmode '11g'
option path 'platform/soc/soc:pcie-controller/pci0000:00/0000:00:01.0/0000:01:00.0'
option htmode 'HT20'
option disabled '0'
option txpower '19'
config wifi-iface
option device 'radio1'
option mode 'ap'
option disabled '0'
option encryption 'psk2+tkip+aes'
option key 'PASSWORD'
option network 'guest_interface'
option ssid 'Guest'
content of /etc/config/network
:
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd22:91e8:0e0f::/48'
config interface 'lan'
option force_link '1'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option _orig_ifname 'eth0 eth2 wlan0 wlan1'
option _orig_bridge 'true'
option ifname 'eth0 eth2'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5'
option vid '1'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6'
option vid '2'
config interface 'wan'
option proto 'pppoe'
option username 'USERNAME'
option password 'PASSWORD'
option ipv6 '0'
option _orig_ifname 'eth1'
option _orig_bridge 'false'
option mtu '1492'
option ifname 'eth1.201' # CenturyLink-specific tagging
config interface 'guest_interface'
option _orig_ifname 'wlan1'
option _orig_bridge 'false'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
content of /etc/config/dhcp
:
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
option nonwildcard '0'
option domain 'lan'
option port '5353' # dnsmasq on port 5353
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
list dhcp_option '6,192.168.1.1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
config dhcp 'guest_interface'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'guest_interface'
list dhcp_option '6,192.168.2.1' # this was the key element
content of /etc/config/firewall
:
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config include
option path '/usr/share/firewall/turris'
option reload '1'
config include
option path '/etc/firewall.d/with_reload/firewall.include.sh'
option reload '1'
config include
option path '/etc/firewall.d/without_reload/firewall.include.sh'
option reload '0'
config rule
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
config zone
option name 'guest_zone'
option forward 'REJECT'
option output 'ACCEPT'
option network 'guest_interface'
option input 'ACCEPT'
config forwarding
option dest 'wan'
option src 'guest_zone'
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '5353' # dnsmasq
option name 'Allow Guest DNS Access'
option src 'guest_zone'
config rule
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
option name 'Allow Guest DHCP Access'
option src 'guest_zone'