
Configuring OpenWRT


soldar:
In an earlier thread I flashed a router with OpenWRT so I now have a (TP-Link TL-WR841N/ND v9, Firmware Version OpenWrt Chaos Calmer 15.05.1 / LuCI 15.05-149) router running OpenWRT.

At present I am using it as a switch and not using the WAN side. It has WiFi plus four LAN Ethernet ports, one of which goes to the router, and the WAN is not connected.

I realize it is a big field so I want to start slowly learning the ropes. I think I understand the basics of the routing tables but I have tried blocking some IP addresses and it doesn't work.

Question the first: As the device is working as a switch and not router, can I still block outside global IPs? Or does the routing table only come in when the traffic is between LAN and WAN?

Question the second: Not that I really need it but could I configure the WAN Ethernet port as one more LAN port?

Nominal Animal:
Note that on the OpenWrt TL-WR841ND page, the download links at the middle of the page are to Chaos Calmer, but if you scroll a bit further down, to the Installation section, you have links to the current stable version (18.06.4, as of this writing).

I shall also assume you are asking whether things can be done on the command line, and not whether there is a ready LuCI web interface for them.


--- Quote from: soldar on September 17, 2019, 04:07:51 pm ---I think I understand the basics of the routing tables but I have tried blocking some IP addresses and it doesn't work.
--- End quote ---
Tried how? "it doesn't work" only applies to the method(s) you tried.  That is, that only says you tried something that didn't work.  (If you just meant that in the sense that you're not asking theoretical questions, but doing this in real life, ignore this point.)


--- Quote from: soldar on September 17, 2019, 04:07:51 pm ---As the device is working as a switch and not router, can I still block outside global IPs? Or does the routing table only come in when the traffic is between LAN and WAN?
--- End quote ---
The Linux kernel will see every packet entering the device, and can drop/filter each packet in every case.
The configuration (especially if bridging) does affect exactly how/where the rules are applied, though.

When "working as a switch", the four ports are bridged together, so any filtering must be applied to the bridge device (br-lan, usually).  The bridging firewall might be disabled in default configuration; you might need to install/enable some packages (bridge firewall kernel modules).

You can also put each LAN port in a separate VLAN, and filter packets between VLANs.  It is common to split LAN1..LAN4 into two VLANs, "LAN" (say LAN1..LAN3) and "DMZ" (LAN4 port), so that a local server can be put in "DMZ", and different rules used between LAN-DMZ, LAN-WAN, and DMZ-WAN.


--- Quote from: soldar on September 17, 2019, 04:07:51 pm ---Not that I really need it but could I configure the WAN Ethernet port as one more LAN port?
--- End quote ---
Yes.
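An added example (not from the thread, and not OpenWrt's own scripts) of what the two things above look like as uci commands on a swconfig-era build such as 18.06. It assumes the ar71xx layout of a TL-WR841N v9: LAN1..LAN4 hang off the internal switch "switch0" (CPU port 0, front ports 1..4) and reach Linux as eth0, while the WAN jack is a separate MAC, eth1. The mapping between front-panel labels and switch port numbers (PORT_LAN4, PORTS_LAN) and the 192.168.2.0/24 DMZ address are assumptions; check `swconfig dev switch0 show` and `/etc/config/network` on the device before applying. The script only prints the commands unless APPLY=1, so it can be read through safely first.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Assumed board layout (TL-WR841N v9, ar71xx, OpenWrt 18.06): switch0 with CPU port 0
# and front ports 1..4 behind eth0; WAN jack is a separate MAC, eth1.
# Verify on the device: swconfig dev switch0 show ; cat /etc/config/network
PORT_LAN4="${PORT_LAN4:-1}"      # assumed switch port behind the jack labelled LAN4
PORTS_LAN="${PORTS_LAN:-2 3 4}"  # assumed switch ports behind LAN1..LAN3
DMZ_ADDR="${DMZ_ADDR:-192.168.2.1}"

run() {    # print each command; execute it only when APPLY=1
    printf '%s\n' "$*"
    [ "${APPLY:-0}" = "1" ] && "$@"
    return 0
}

# wan_port_as_lan [lan_ifname]: drop the wan/wan6 interfaces and bridge eth1 into lan.
# $1 is the current lan ifname (eth0 by default; eth0.1 after split_dmz_vlan).
wan_port_as_lan() {
    run uci -q delete network.wan
    run uci -q delete network.wan6
    run uci set network.lan.ifname="${1:-eth0} eth1"
    run uci commit network
}

# split_dmz_vlan: VLAN 1 = LAN1..LAN3 (lan), VLAN 2 = LAN4 (dmz), CPU port tagged on both,
# plus a firewall zone of its own so LuCI Traffic rules can express lan<->dmz policy.
split_dmz_vlan() {
    run uci set network.@switch_vlan[0].ports="0t $PORTS_LAN"
    run uci add network switch_vlan
    run uci set network.@switch_vlan[-1].device='switch0'
    run uci set network.@switch_vlan[-1].vlan='2'
    run uci set network.@switch_vlan[-1].ports="0t $PORT_LAN4"
    run uci set network.lan.ifname='eth0.1'
    run uci set network.dmz=interface
    run uci set network.dmz.ifname='eth0.2'
    run uci set network.dmz.proto='static'
    run uci set network.dmz.ipaddr="$DMZ_ADDR"
    run uci set network.dmz.netmask='255.255.255.0'
    run uci commit network
    run uci add firewall zone
    run uci set firewall.@zone[-1].name='dmz'
    run uci set firewall.@zone[-1].network='dmz'
    run uci set firewall.@zone[-1].input='REJECT'
    run uci set firewall.@zone[-1].output='ACCEPT'
    run uci set firewall.@zone[-1].forward='REJECT'
    run uci commit firewall
}

# Typical use on the router (as root):
#   APPLY=1 sh thisfile.sh; split_dmz_vlan; wan_port_as_lan eth0.1
#   /etc/init.d/network restart; /etc/init.d/firewall restart
```

Run `split_dmz_vlan` before `wan_port_as_lan eth0.1` if you want both, since the second call rewrites `network.lan.ifname`. After `wan_port_as_lan` the default `wan` firewall zone has no member network left; it is harmless, but can be deleted for tidiness. On DSA-based builds (which this 4 MB device will never get, per the thread) the switch is configured as bridge VLANs instead, so these `switch_vlan` stanzas do not carry over.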

soldar:
Wow, so much to chew on!


--- Quote from: Nominal Animal on September 17, 2019, 05:19:18 pm --- Note that on the OpenWrt TL-WR841ND page, the download links at the middle of the page are to Chaos Calmer, but if you scroll a bit further down, to the Installation section, you have links to the current stable version (18.06.4, as of this writing).
--- End quote ---

Installing what I have was quite an adventure and I don't know that I want to upgrade unless there is a good reason. Would you recommend it? And if so, why? Will it add capabilities?  I am afraid to find out something was made worse.


--- Quote from: Nominal Animal on September 17, 2019, 05:19:18 pm --- I shall also assume you are asking whether things can be done on the command line, and not whether there is a ready LuCI web interface for them.
--- End quote ---

I did not even know there was a command line I could use. How do I get to it?


--- Quote from: Nominal Animal on September 17, 2019, 05:19:18 pm --- Tried how? "it doesn't work" only applies to the method(s) you tried.  That is, that only says you tried something that didn't work.  (If you just meant that in the sense that you're not asking theoretical questions, but doing this in real life, ignore this point.)
--- End quote ---

Yes, I tried putting a line redirecting packets with a specific destination IP address to 127.0.0.1 but it made no difference. I am beginning to realize this is more complex than I thought. I am somewhat familiar with the Windows routing table which is simpler.


--- Quote from: Nominal Animal on September 17, 2019, 05:19:18 pm --- The Linux kernel will see every packet entering the device, and can drop/filter each packet in every case.
The configuration (especially if bridging) does affect exactly how/where the rules are applied, though.

When "working as a switch", the four ports are bridged together, so any filtering must be applied to the bridge device (br-lan, usually).  The bridging firewall might be disabled in default configuration; you might need to install/enable some packages (bridge firewall kernel modules).

You can also put each LAN port in a separate VLAN, and filter packets between VLANs.  It is common to split LAN1..LAN4 into two VLANs, "LAN" (say LAN1..LAN3) and "DMZ" (LAN4 port), so that a local server can be put in "DMZ", and different rules used between LAN-DMZ, LAN-WAN, and DMZ-WAN.

--- End quote ---


This is way over my head. Rather than trying to do anything useful my objective is to learn so let's do something simple. How can I have it drop packets addressed to a certain, external IP address?

Nominal Animal:

--- Quote from: soldar on September 17, 2019, 08:02:24 pm ---Installing what I have was quite an adventure and I don't know that I want to upgrade unless there is a good reason.
--- End quote ---
Yes, I agree.  I am currently trying to create a firmware image of 18.06.4 but with a few patches to the mt76 driver, as snapshots contain support for 5 GHz on my Asus RT-AC51U, but 18.06.4 from June does not.  I think.


--- Quote from: soldar on September 17, 2019, 08:02:24 pm ---Would you recommend it? And if so, why? Will it add capabilities?  I am afraid to find out something was made worse.
--- End quote ---
It will be supported up to version 19.07, but not later versions, because it has only 4MB of Flash.

Let's see, by looking at what others who have the same board have said, at the OpenWrt forum.  No, I don't see any issues speaking against using 18.06.

18.06 was released after the OpenWrt-LEDE merge, and includes a much newer kernel and many security-related fixes.  So yes, I do recommend updating to 18.06.


--- Quote from: soldar on September 17, 2019, 08:02:24 pm ---I did not even know there was a command line I could use. How do I get to it?
--- End quote ---
When you configure the router, enable SSH.  Then, you can connect using SSH to a command line shell on the device.


--- Quote from: soldar on September 17, 2019, 08:02:24 pm ---Yes, I tried putting a line redirecting packets with a specific destination IP address to 127.0.0.1 but it made no difference. I am beginning to realize this is more complex than I thought. I am somewhat familiar with the Windows routing table which is simpler.
--- End quote ---
Unfortunately, I'm not at all familiar with LuCI, barely having ever used it.

Please remember that the complexity is not just asininity on behalf of the developers, but is a direct result of the wildly varying hardware.  The same system works across several completely different architectures, and supports who knows how many different chipsets; complexity is to be expected.  LuCI itself is even a separate project just shared under the OpenWrt umbrella.

(As an example, in newer upstream Linux kernels, switches (like the LAN1-LAN4 ports on your TP-Link) are exposed as individual ethernet devices, instead of as a switch device -- this is called DSA, distributed switch architecture.  However, OpenWrt is based on older kernels where most switches are exposed as a switch device (controlled by different utilities compared to normal ethernet ports; swconfig instead of ifconfig on the command line).  OpenWrt firmware images cannot jump from one type of driver to the other as it would break existing configurations (all the custom rules users have set), so typically the older switch device is used.)
 
(For me, the current hurdle is getting to know the OpenWrt build system better, because I don't just want to recompile an existing firmware image, but modify part of the kernel it uses, while keeping the rest of it compatible with updates.  I could use a snapshot instead, but I cannot decide which one to use, as I really would prefer just 18.06 but with slightly newer mt76 driver; and all monolithic, not modular. Yes, I am being difficult...  :-/O)


--- Quote from: soldar on September 17, 2019, 08:02:24 pm ---This is way over my head. Rather than trying to do anything useful my objective is to learn so let's do something simple.
--- End quote ---
Have you read the OpenWrt quick start or user guides?


--- Quote from: soldar on September 17, 2019, 08:02:24 pm ---How can I have it drop packets addressed to a certain, external IP address?
--- End quote ---
Note that a route describes how a packet is transmitted, but a filter or rule determines what is done with a packet.  You want rules/filters, not routes.

The LuCI Firewall > Traffic rules interface only defines rules between zones (LAN or WAN) by default, AFAIK.  It is a user interface choice, I believe, by the LuCI developers.  I'm not sure if it supports adding rules to bridges.

If we look at how current (18.06.4) OpenWrt/LuCI works on an TP-Link TL-WR841N, it seems quite different; perhaps it would be better if you first moved to 18.06.4 firmware?

In particular, if you want to filter traffic within a zone, you'll need kmod-br-netfilter and kmod-ipt-physdev packages, as each multi-port zone is a bridge, I think.

Or, you could configure a different zone for each physical port on the device, so you can use the web interface to define the rules, as the standard interface limits rules to those that apply to packets between zones, not within a zone.  (If you have a switch downstream from the TP-Link, and two machines are connected to that switch, they can always see each other, as the packets no longer go through the TP-Link; so, the zone configuration reflects the real world pretty well then.)
I suppose this zone-per-port is the simplest, most straightforward way to get to exploring how the filtering works, however.


I am afraid that this is one of those cases where previous Windows knowledge may be a hindrance, and not very helpful.  The fact that you know about IP addresses and TCP and UDP ports helps; but the structure and operation of the filtering and tables themselves...  Be prepared to be annoyed at things working differently than what would feel intuitive to you!
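An added example (not from the thread, and not OpenWrt's own code) of the "drop packets addressed to one external IP" exercise, done as a rule rather than a route, for both set-ups discussed above on an OpenWrt 18.06 (iptables/fw3) build. Variant (a) is for the zone-per-port layout, where the traffic crosses zones and an ordinary fw3 `config rule` works; variant (b) is for the bridged "switch" layout, where the frame never gets routed and has to be caught in iptables FORWARD by turning on br_netfilter and matching with physdev (the kmod-br-netfilter and kmod-ipt-physdev packages mentioned above). The zone names `lan`/`wan` passed to (a), the file path, and 203.0.113.10 (a TEST-NET-3 documentation address, not a real target) are assumptions. Commands are only printed unless APPLY=1.

```shell
#!/bin/sh
# Added example, not part of the original thread.  Assumes OpenWrt 18.06 with fw3/iptables,
# kmod-br-netfilter and kmod-ipt-physdev installed, and the LAN ports bridged as br-lan.
BLOCKED_IP="${BLOCKED_IP:-203.0.113.10}"               # placeholder (RFC 5737 TEST-NET-3)
FIREWALL_USER="${FIREWALL_USER:-/etc/firewall.user}"    # overridable for an off-box dry run

run() {    # print each command; execute it only when APPLY=1
    printf '%s\n' "$*"
    [ "${APPLY:-0}" = "1" ] && "$@"
    return 0
}

# (a) zone-to-zone: add_zone_drop_rule SRC_ZONE DEST_ZONE IP
# fw3 places this in the SRC->DEST forward chain; it only matches traffic crossing zones.
add_zone_drop_rule() {
    run uci add firewall rule
    run uci set firewall.@rule[-1].name="drop-to-$3"
    run uci set firewall.@rule[-1].src="$1"
    run uci set firewall.@rule[-1].dest="$2"
    run uci set firewall.@rule[-1].dest_ip="$3"
    run uci set firewall.@rule[-1].proto='all'
    run uci set firewall.@rule[-1].family='ipv4'
    run uci set firewall.@rule[-1].target='DROP'
    run uci commit firewall
    run /etc/init.d/firewall reload
}

# (b) same zone, bridged: bridge_drop_commands IP prints the three commands needed.
# bridge-nf-call-iptables makes bridged IPv4 frames traverse the FORWARD chain
# (OpenWrt's shipped sysctl defaults leave it at 0), and physdev-is-bridged restricts
# the rule to frames that are being bridged rather than routed.  The -C check first
# keeps the rule from being inserted twice when the script is re-run.
bridge_drop_commands() {
    cat <<EOF
modprobe br_netfilter
sysctl -w net.bridge.bridge-nf-call-iptables=1
iptables -C FORWARD -m physdev --physdev-is-bridged -d $1 -j DROP 2>/dev/null || iptables -I FORWARD 1 -m physdev --physdev-is-bridged -d $1 -j DROP
EOF
}

apply_bridge_drop() {   # apply (b) now; dry run just prints the commands
    bridge_drop_commands "$1"
    [ "${APPLY:-0}" = "1" ] && bridge_drop_commands "$1" | sh
    return 0
}

# persist_bridge_drop IP: fw3 runs /etc/firewall.user on every firewall reload, so raw
# iptables rules survive reboots if appended there.  Returns the number of matching lines
# now present in the file (1 after a first call).
persist_bridge_drop() {
    bridge_drop_commands "$1" >> "$FIREWALL_USER"
    grep -c "physdev-is-bridged -d $1 -j DROP" "$FIREWALL_USER"
}

# Typical use on the router (as root):
#   APPLY=1 sh thisfile.sh; apply_bridge_drop "$BLOCKED_IP"; persist_bridge_drop "$BLOCKED_IP"
#   iptables -vnL FORWARD --line-numbers   # packet counter on rule 1 rises when a LAN host pings the IP
```

Two caveats a practitioner would want: both variants only affect traffic that actually passes through the TP-Link, so a host plugged into a downstream switch talking to another host on that same switch is untouched; and both are IPv4 only, since an IPv6 address is a different packet entirely (ip6tables and `bridge-nf-call-ip6tables` for variant (b)). If the rule seems to do nothing, check `lsmod | grep -e br_netfilter -e physdev` and `sysctl net.bridge.bridge-nf-call-iptables` before suspecting the rule itself.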

Jeroen3:
I used to break my head around OpenWrt and DDWRT as well. Now I just buy a router from Mikrotik and have all the things OpenWRT is also capable of. But only now it works as expected.
