Hello,
I am a newbie. The following configuration does not work as intended (Turris OS version 3.10.8):
wan (eth1) --> wolke (eth2) --> (okay)
lan (eth0) --> wolke (eth2) --> (?)
musik (eth0) --> wolke (eth2) --> (?)
I can reach the server in “wolke” from the outside (WAN), but not from “lan” or from “musik”. In addition, the server in wolke does not obtain a Let's Encrypt certificate.
a) /etc/config/network
# /etc/config/network as posted (the ULA prefix is redacted by the author).
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'xxxx:xxx:xxxx::/48'
# lan: bridge over VLAN 1 (eth0.1); the radios are attached to it from /etc/config/wireless.
config interface 'lan'
option force_link '1'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '64'
option ip6hint '1000'
# _orig_ifname/_orig_bridge look like leftovers from an earlier edit (eth2 used to be a member
# of this bridge); the active member list is the ifname line below — TODO confirm they can go.
option _orig_ifname 'eth0 eth2 wlan0 wlan1'
option _orig_bridge 'true'
option ifname 'eth0.1'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
option ipv6 '1'
config interface 'wan6'
option ifname '@wan'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
# VLAN 1 -> eth0.1 (lan): switch ports 0-2 untagged, port 5 tagged.
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 5t'
option vid '1'
# VLAN 2: ports 4 and 6 untagged, no tagged port. Presumably port 6 is the CPU port behind
# eth2, which is why 'wolke' below binds plain eth2 — verify against the Omnia port map.
config switch_vlan
option device 'switch0'
option vlan '2'
option vid '2'
option ports '4 6'
config interface 'guest_turris'
option type 'bridge'
option proto 'static'
option bridge_empty '1'
option enabled '1'
option ipaddr '10.111.222.1'
option netmask '255.255.255.0'
list ifname 'guest_turris_0'
list ifname 'guest_turris_1'
# VLAN 3 -> eth0.3 (musik): port 3 untagged, port 5 tagged.
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '3'
option ports '3 5t'
config interface 'musik'
option force_link '1'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
option ifname 'eth0.3'
option ip6assign '64'
option ip6hint '3000'
# wolke: the network holding the internet-exposed server (192.168.2.80, see /etc/config/dhcp).
config interface 'wolke'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
# NOTE(review): this gateway is the interface's own address. On a static interface netifd is
# expected to install a default route via 192.168.2.1 on eth2, competing with the default route
# learned on wan; a directly connected subnet needs no gateway, so this line should be removed.
# It may also be behind the failing outbound traffic (certificate issuance) — TODO confirm with
# `ip route` while the problem occurs.
option gateway '192.168.2.1'
option ip6assign '64'
option ip6hint '2000'
option _orig_ifname 'eth2'
option _orig_bridge 'false'
option ifname 'eth2'
b) /etc/config/firewall
# /etc/config/firewall as posted. Global policy: forwarded traffic between zones is REJECTed
# unless a 'config forwarding' or a rule allows it.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config include
option path '/usr/share/firewall/turris'
option reload '1'
config include
option path '/etc/firewall.d/with_reload/firewall.include.sh'
option reload '1'
config include
option path '/etc/firewall.d/without_reload/firewall.include.sh'
option reload '0'
# The next two rules appear to be IPsec passthrough (ESP plus IKE on udp/500) from wan into lan.
# They are only needed if a VPN endpoint lives in lan; otherwise remove them.
config rule
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
config rule 'turris_wan_6in4_rule'
option enabled '0'
config zone 'guest_turris'
option name 'guest_turris'
option input 'REJECT'
option forward 'REJECT'
option output 'ACCEPT'
option enabled '1'
list network 'guest_turris'
config forwarding 'guest_turris_forward_wan'
option name 'guest to wan forward'
option src 'guest_turris'
option dest 'wan'
option enabled '1'
config rule 'guest_turris_dns_rule'
option name 'guest dns rule'
option src 'guest_turris'
option proto 'tcpudp'
option dest_port '53'
option target 'ACCEPT'
option enabled '1'
config rule 'guest_turris_dhcp_rule'
option name 'guest dhcp rule'
option src 'guest_turris'
option proto 'udp'
option src_port '67-68'
option dest_port '67-68'
option target 'ACCEPT'
option enabled '1'
config zone
option name 'musik'
list network 'musik'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# musik has a forwarding to wan only. There is no musik -> wolke section anywhere below, so with
# the global forward 'REJECT' musik cannot reach the server at all; add one if that is intended.
config forwarding
option src 'musik'
option dest 'wan'
config zone
option name 'wolke'
list network 'wolke'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config forwarding
option src 'wolke'
option dest 'wan'
# NOTE(review): the name says HTTPS, but no proto/dest_port is set, so this accepts every
# forwarded packet from wan into wolke. Restrict it with option proto 'tcp' and
# option dest_port '443' (add 80 only if the ACME HTTP-01 challenge needs it). Presumably fw3
# already accepts the flows matched by the DNAT redirect below, making this rule redundant — verify.
config rule
option enabled '1'
option target 'ACCEPT'
option src 'wan'
option dest 'wolke'
option name 'wolke HTTPS'
# NOTE(review): no src_dport/dest_port here, so every TCP connection that arrives on the wan
# address is DNATed to 192.168.2.80 — the whole server is exposed, not just the web ports.
# Add option src_dport '443' and option dest_port '443' (one redirect per published port).
# Clients in lan/musik that use the public hostname need NAT reflection for zones other than
# the destination zone (list reflection_zone 'lan' / list reflection_zone 'musik'); this is a
# likely reason lan cannot reach the server via its public name — TODO confirm which name the
# clients use.
config redirect
option target 'DNAT'
option src 'wan'
option dest 'wolke'
option proto 'tcp'
option dest_ip '192.168.2.80'
option name 'wolke'
# wolke -> lan lets the internet-exposed host open connections into lan. If the server only
# has to be reachable from lan, drop this section and keep just lan -> wolke below.
config forwarding
option src 'wolke'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'wolke'
c) /etc/config/dhcp
# /etc/config/dhcp as posted (the server's MAC is redacted by the author).
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
# port '0' turns off dnsmasq's DNS listener; DHCP keeps running. Clients are pointed at the
# router's own address as resolver via the dhcp_option 6 entries below.
option port '0'
option localservice '1'
option nonwildcard '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
list dhcp_option '6,192.168.1.1'
option ra_management '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
config dhcp 'guest_turris'
option interface 'guest_turris'
option start '200'
option limit '50'
option leasetime '1h'
option ignore '0'
list dhcp_option '6,10.111.222.1'
config dhcp 'musik'
option interface 'musik'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
list dhcp_option '6,192.168.3.1'
option ra_management '1'
# wolke pool: .100-.249 (start 100, limit 150).
config dhcp 'wolke'
option interface 'wolke'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
list dhcp_option '6,192.168.2.1'
option ra_management '1'
# Static lease for the DNAT target in /etc/config/firewall. .80 lies below the wolke pool start,
# so it cannot collide with a dynamic lease.
config host
option name 'server'
option mac 'xx:xx:xx:xx:xx:xx'
option ip '192.168.2.80'
d) /etc/config/wireless
# /etc/config/wireless as posted (PSKs are redacted by the author). All APs use WPA2-PSK with
# CCMP only (psk2+ccmp) and a 24h group rekey.
config wifi-device 'radio0'
option type 'mac80211'
option channel '36'
option country 'CZ'
option hwmode '11a'
option path 'soc/soc:pcie-controller/pci0000:00/0000:00:02.0/0000:02:00.0'
option htmode 'VHT80'
option disabled '0'
# 5 GHz AP bridged into 'lan'.
config wifi-iface
option device 'radio0'
option mode 'ap'
option disabled '0'
option ssid 'lanWLAN5'
option hidden '0'
option encryption 'psk2+ccmp'
option wpa_group_rekey '86400'
option key 'xxxxxxxxxxxxxxxx'
option network 'lan'
config wifi-device 'radio1'
option type 'mac80211'
option channel '11'
option country 'CZ'
option hwmode '11g'
option path 'soc/soc:pcie-controller/pci0000:00/0000:00:01.0/0000:01:00.0'
option htmode 'HT20'
option disabled '0'
# 2.4 GHz AP bridged into 'lan'.
config wifi-iface
option device 'radio1'
option mode 'ap'
option disabled '0'
option ssid 'lanWLAN'
option hidden '0'
option encryption 'psk2+ccmp'
option wpa_group_rekey '86400'
option key 'xxxxxxxxxxxxxxx'
option network 'lan'
# Guest APs: fixed ifnames match the 'list ifname' entries of the guest_turris bridge in
# /etc/config/network; isolate '1' blocks client-to-client traffic on the AP.
config wifi-iface 'guest_iface_0'
option device 'radio0'
option disabled '0'
option mode 'ap'
option ssid 'homeGAST5'
option network 'guest_turris'
option encryption 'psk2+ccmp'
option wpa_group_rekey '86400'
option key 'xxxxxxxxxxx'
option ifname 'guest_turris_0'
option isolate '1'
config wifi-iface 'guest_iface_1'
option device 'radio1'
option disabled '0'
option mode 'ap'
option ssid 'homeGAST'
option network 'guest_turris'
option encryption 'psk2+ccmp'
option wpa_group_rekey '86400'
option key 'xxxxxxxxxxxxx'
option ifname 'guest_turris_1'
option isolate '1'
# 5 GHz AP bridged into 'musik' (no isolate here, unlike the guest APs).
config wifi-iface
option device 'radio0'
option mode 'ap'
option disabled '0'
option ssid 'homeMUSIK5'
option hidden '0'
option encryption 'psk2+ccmp'
option wpa_group_rekey '86400'
option key 'xxxxxxxxxxxxxxxxx'
option network 'musik'