OpenWrt Forum Archive

Topic: DMZ Setup on a WZR-HP-G300NH - OpenWrt Backfire 10.03.1-rc5

The content of this topic has been archived on 27 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello all,

I am trying to setup a DMZ on a VLAN separate from the local private lan.

So far I have read through much of the documentation and seen that it doesn't apply very well to my particular router, but this is probably just ignorance on my part, and I suppose that's why I'm here.

As far as I can tell based on the documentation, the steps to setting up a DMZ go like this:

1. Partition your ports into separate VLANs
2. Setup Firewall Rules for the new VLAN
3. Restart the network and the firewall.


So far I've had limited (success?) in step one; here is what I've done so far:

I read over the Network Interface section of the wiki and determined that I wanted to use one of my router's ports for a new VLAN which would become the DMZ. 

After taking a look at the documentation for my router I determined that I wanted to make the LAN Port 1 the port for my DMZ. 

http://pics.campl.us/f/0/04fa6eaea6693d731e8e6fc8f0a354b6.jpg
If you look over by that blue cable on the left, there's a tiny, almost impossible to see, ABS inset label that reads "1".

The documentation states that LAN "1" should be port 3 where it is mentioned in the configuration file /etc/config/network

And so I modified the existing configuration file as follows:

...
config 'switch_vlan'
    option 'device' 'rtl8366s'
    option 'vlan' '1'
    option 'ports' '0 1 2 3 5'
...

Before modification

...

config 'switch_vlan'
    option 'device' 'rtl8366s'
    option 'vlan' '1'
    option 'ports' '0 1 2 5'

config 'switch_vlan'
    option 'device' 'rtl8366s'
    option 'vlan' '2'
    option 'ports' '3'
...

After modification with port 3 assigned to a new vlan

After restarting the network, I tested this new configuration by running the swconfig command to make sure the ports were all where they were expected to be, and was delighted with the results:

swconfig dev rtl1886s vlan 1 show

VLAN 1: 
        info: VLAN 1: Ports: '0125', members=0027, untag=0027, fid=0
        fid: 0
        ports: 0 1 2 5
swconfig dev rtl866s vlan 2 show

VLAN 2:
        info: VLAN 2: Ports: '3', members=0008, untag=0008, fid=0
        fid: 0
        ports: 3

And just as would be expected, port 3 is now on VLAN 2 and ports 0, 1, 2 and 5 are on VLAN 1.

Now my new vlan has no ip address and I'm not entirely certain how to assign it one.

I looked at the lan configuration and it appears to be tied to a physical interface a few lines above in /etc/config/network:

config 'interface' 'lan'
          option 'ifname' 'eth0'
          option 'type' 'bridge'
          option 'proto' 'static'
          option 'ipaddr' '192.168.1.1'
          option 'netmask' '255.255.255.0'
          option 'ip6addr' '2001:470:1f0f:ea7::/64'

Upon seeing this and also looking at the dmz howto I tried to configure the new vlan in much the same way (even though I don't really understand how vlan 1 and lan are connected):

config 'interface' 'dmz'
          option 'ifname' 'eth0.2                 # Corresponds to vlan 2 (some how...)
          option 'ipaddr' 192.168.2.1          # Remember this is a separate network.
          option 'netmask' 255.255.255.0

With this I got the error "interface type not supported".

I also tried to take a look at the Interfaces under OpenWrt section of the wiki, but I'm having a difficult time translating it to my router's configuration.

I even tried making a diagram that would match my router's configuration, but the examples on that page don't appear to have any context, and thus I'm confused by them; for instance, under Interface Configuration it lists some lines of configuration, but they don't appear to be placed in a config block:

vlan0hwname=et0
vlan0ports="1 2 3 4 5*"
vlan1hwname=et0
vlan1ports="0 5*"

I guess my question is "What do I need to do to assign an ip address to my new vlan? And how do I associate the dmz interface with a port?"

Thank you,
   Andrew J. Leer

(Last edited by leeand00 on 2 Nov 2011, 05:16)

leeand00 wrote:

Hello all,

...

config 'switch_vlan'
    option 'device' 'rtl8366s'
    option 'vlan' '1'
    option 'ports' '0 1 2 5'

config 'switch_vlan'
    option 'device' 'rtl8366s'
    option 'vlan' '2'
    option 'ports' '3'
...

Thank you,
   Andrew J. Leer

You need to include the CPU port in the second VLAN as well, otherwise port 3 is not connected anywhere! Change it like this:

...

config 'switch_vlan'
    option 'device' 'rtl8366s'
    option 'vlan' '1'
    option 'ports' '0 1 2 5t'

config 'switch_vlan'
    option 'device' 'rtl8366s'
    option 'vlan' '2'
    option 'ports' '3 5t'
...

5t means that the traffic is tagged according to VLAN when going through.

Does port 5 always represent the CPU (where the tagging is done) no matter what router you're using?

Also I found the following bug listed that was in RC4 of 10.03.1 for my particular router, and just wondered if it had been fixed or not, as it might be important to VLANing.

leeand00 wrote:

Does port 5 always represent the CPU (where the tagging is done) no matter what router you're using?

NO.

Docu that states otherwise is simply so old, that it was written at a time, where very few devices were supported.

Probably not always. In WZR-HP-G300NH port 5 is CPU, though. In RC4 it was necessary to define also VLAN0 (lack of which, I think, is the reason for the bug you linked), but it is no longer needed in RC5.

But then again there's this... fixed, but it looks like it's in the trunk, not in a release candidate.

Well, according to the last comment, it's fixed in backfire and trunk both.

@snk

Here's a diagram of how I am thinking this configuration should work...

http://i9.photobucket.com/albums/a58/Maskkkk/2011-11-03_12-02-35.png

I'm not entirely sure where the bridges go in the diagram...

And here's a configuration I attempted, that's as close as I could get

config 'interface' 'loopback'
    option 'ifname' 'lo'
    option 'proto' 'static'
    option 'ipaddr' '127.0.0.1'
    option 'netmask' '255.0.0.0'

config 'interface' 'lan'
    option 'ifname' 'eth0'
    option 'type' 'bridge'
    option 'proto' 'static'
    option 'ipaddr' '192.168.1.1'
    option 'netmask' '255.255.255.0'
    option 'ip6addr' '2001:470:1f0f:ea7::/64'

config 'interface' 'wan'
    option 'ifname' 'eth1'
    option 'proto' 'pppoe'
    option 'username' '------'
    option 'password' '------'

config 'switch'
    option 'name' 'rtl8366s'
        option 'enable' '1'
        option 'enable_vlan' '1'
        option 'reset' '1'

config 'switch_vlan' 'eth0_1'
        option 'ifname' 'eth0.1'
    option 'device' 'rtl8366s'
    option 'vlan' '1'
    option 'ports' '0 1 2 5t'

config 'switch_vlan' 'eth0_2'
        option 'ifname' 'eth0.2'
    option 'device' 'rtl8366s'
    option 'vlan' '2'
    option 'ports' '3 5t'

config 'interface' 'dmz'
       option 'type' 'bridge'
       option 'ifname' 'eth0.2 wan'
       option 'proto' 'static'
       option 'ipaddr' 192.168.2.1
       option 'netmask' 255.255.255.0

config 'interface' 'henet'
    option 'proto' '6in4'
    option 'tunnelid' '-------'
    option 'password' '------'
    option 'peeraddr' '216.218.224.42'
    option 'ip6addr' '2001:470:1f0e:ea7::2/64'
    option 'username' '---------'

When I run this configuration, the wired ports on both my lan and dmz cease communicating; I can't even ping the router.

However, the wireless appears to work fine.

Here is the ifconfig output

6in4-hene Link encap:IPv6-in-IPv4  
          inet6 addr: 2001:470:1f0e:ea7::2/64 Scope:Global
          inet6 addr: fe80::485c:4a2c/128 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1280  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

br-dmz    Link encap:Ethernet  HWaddr 00:24:A5:D8:53:95  
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::224:a5ff:fed8:5395/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:368 (368.0 B)

br-lan    Link encap:Ethernet  HWaddr 00:24:A5:D8:53:95  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: 2001:470:1f0f:ea7::/64 Scope:Global
          inet6 addr: fe80::224:a5ff:fed8:5395/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2615 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1221 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:324092 (316.4 KiB)  TX bytes:515405 (503.3 KiB)

eth0      Link encap:Ethernet  HWaddr 00:24:A5:D8:53:95  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:116283 errors:0 dropped:0 overruns:0 frame:0
          TX packets:72629 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:23364338 (22.2 MiB)  TX bytes:28639244 (27.3 MiB)
          Interrupt:4 

eth0.2    Link encap:Ethernet  HWaddr 00:24:A5:D8:53:95  
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:11 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:3641 (3.5 KiB)  TX bytes:944 (944.0 B)

eth1      Link encap:Ethernet  HWaddr 00:24:A5:D8:53:96  
          inet6 addr: fe80::224:a5ff:fed8:5396/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:132346 errors:0 dropped:0 overruns:0 frame:0
          TX packets:122737 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:70080687 (66.8 MiB)  TX bytes:20573002 (19.6 MiB)
          Interrupt:5 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1999 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1999 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:942559 (920.4 KiB)  TX bytes:942559 (920.4 KiB)

mon.wlan0 Link encap:UNSPEC  HWaddr 00-24-A5-D8-53-95-00-00-00-00-00-00-00-00-00-00  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:18664 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2076305 (1.9 MiB)  TX bytes:0 (0.0 B)

pppoe-wan Link encap:Point-to-Point Protocol  
          inet addr:72.92.74.44  P-t-P:10.7.49.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:313 errors:0 dropped:0 overruns:0 frame:0
          TX packets:324 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:149787 (146.2 KiB)  TX bytes:87804 (85.7 KiB)

wlan0     Link encap:Ethernet  HWaddr 00:24:A5:D8:53:95  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1088 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2752 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:195120 (190.5 KiB)  TX bytes:734867 (717.6 KiB)

(Last edited by leeand00 on 3 Nov 2011, 17:25)

Couple of possible issues:

Lines like

option 'ifname' 'eth0.2'

do not belong to the switch_vlan sections. Remove them.

Your dmz interface declaration is wrong. Try this:

config 'interface' 'dmz'
       option 'ifname' 'eth0.2'
       option 'proto' 'static'
       option 'ipaddr' 192.168.2.1
       option 'netmask' 255.255.255.0

If I remember correctly, you need to reboot for these to take effect. LAN and WAN should work right away. For DMZ you need to set up some firewall rules:

http://wiki.openwrt.org/doc/howto/dmz

I updated my configuration as you suggested and

(See changes below for 1. and 2.)
1. Removed the option 'ifname' 'eth0.2' as you suggested from two sections.
2. Changed the configuration of the dmz as you suggested.
3. Restarted the router

config 'interface' 'loopback'
    option 'ifname' 'lo'
    option 'proto' 'static'
    option 'ipaddr' '127.0.0.1'
    option 'netmask' '255.0.0.0'

config 'interface' 'lan'
    option 'ifname' 'eth0'
    option 'type' 'bridge'
    option 'proto' 'static'
    option 'ipaddr' '192.168.1.1'
    option 'netmask' '255.255.255.0'
    option 'ip6addr' '2001:470:1f0f:ea7::/64'

config 'interface' 'wan'
    option 'ifname' 'eth1'
    option 'proto' 'pppoe'
    option 'username' '----'
    option 'password' '-----'

config 'switch'
    option 'name' 'rtl8366s'
        option 'enable' '1'
        option 'enable_vlan' '1'
        option 'reset' '1'

config 'switch_vlan' 'eth0_1'
    option 'device' 'rtl8366s'
    option 'vlan' '1'
    option 'ports' '0 1 2 5t'

config 'switch_vlan' 'eth0_2'
    option 'device' 'rtl8366s'
    option 'vlan' '2'
    option 'ports' '3 5t'

config 'interface' 'dmz'
       option 'ifname' 'eth0.2'
       option 'proto' 'static'
       option 'ipaddr' 192.168.2.1
       option 'netmask' 255.255.255.0

config 'interface' 'henet'
    option 'proto' '6in4'
    option 'tunnelid' '------'
    option 'password' '-----'
    option 'peeraddr' '216.218.224.42'
    option 'ip6addr' '2001:470:1f0e:ea7::2/64'
    option 'username' '-----------------------------'

Wireless clients appear to be working fine.

----
Any wired connections to the lan on 192.168.1.1 don't appear to be getting ip addresses.
I've tried statically setting ips on the clients, to no avail.  The WAN appears to work, but the LAN does not.

Additionally, I enabled DHCP on the router and set up the client to obtain an IP via DHCP, but Windows 7 still reports "Unidentified network".
----

I'm just gonna focus on the lan ip issues for now and get to the dmz issues later.

Thank you for your replies thus far!

(Last edited by leeand00 on 3 Nov 2011, 23:04)

Run "uci export dhcp ; uci export firewall".

uci export dhcp:

package 'dhcp'

config 'dnsmasq'
    option 'domainneeded' '1'
    option 'boguspriv' '1'
    option 'filterwin2k' '0'
    option 'localise_queries' '1'
    option 'rebind_protection' '1'
    option 'rebind_localhost' '1'
    option 'local' '/lan/'
    option 'domain' 'lan'
    option 'expandhosts' '1'
    option 'nonegcache' '0'
    option 'authoritative' '1'
    option 'readethers' '1'
    option 'leasefile' '/tmp/dhcp.leases'
    option 'resolvfile' '/tmp/resolv.conf.auto'

config 'dhcp' 'lan'
    option 'interface' 'lan'
    option 'start' '100'
    option 'limit' '150'
    option 'leasetime' '12h'
    option 'ignore' '0'

config 'dhcp' 'wan'
    option 'interface' 'wan'
    option 'ignore' '1'

uci export firewall

package 'firewall'

config 'defaults'
    option 'syn_flood' '1'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'

config 'zone'
    option 'name' 'dmz'
    option 'network' 'dmz'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'foward' 'ACCEPT'

config 'zone'
    option 'name' 'lan'
    option 'network' 'lan'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'

config 'zone'
    option 'name' 'wan'
    option 'input' 'REJECT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'
    option 'masq' '1'
    option 'mtu_fix' '1'
    option 'network' 'wan henet'

config 'zone'
    option 'name' 'wan6'
    option 'network' 'henet'
    option 'family' 'ipv6'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'

config 'forwarding'
    option 'dest' 'lan'
    option 'src' 'wan6'

config 'forwarding'
    option 'dest' 'wan6'
    option 'src' 'lan'

config 'forwarding'
    option 'src' 'lan'
    option 'dest' 'wan'

config 'rule'
    option 'src' 'wan'
    option 'proto' 'udp'
    option 'dest_port' '68'
    option 'target' 'ACCEPT'
    option 'family' 'ipv4'

config 'rule'
    option 'src' 'wan'
    option 'proto' 'icmp'
    option 'icmp_type' 'echo-request'
    option 'target' 'ACCEPT'

config 'rule'
    option 'src' 'wan'
    option 'dest_port' '32'
    option 'target' 'ACCEPT'
    option 'proto' 'tcp'

config 'include'
    option 'path' '/etc/firewall.user'

Can you show your ifconfig output as well?

leeand00 wrote:

Any wired connections to the lan on 192.168.1.1 don't appear to be getting ip addresses.

config 'interface' 'lan'
    option 'ifname' 'eth0.1'
    option 'type' 'bridge'
    option 'proto' 'static'
    option 'ipaddr' '192.168.1.1'
    option 'netmask' '255.255.255.0'
    option 'ip6addr' '2001:470:1f0f:ea7::/64'

Good catch. That must be the reason. That is, change eth0 to eth0.1 in ifname.

I saw that eth0.1 thing too, in other configs online but I was afraid to try it!

I don't have a lot of experience configuring switches, and I was afraid if I messed with eth0, I'd lose LAN connectivity with the router and be bricked out! Must be okay though, 'cause after the two of you confirmed it was okay to try, I tried it and it did the trick. Thank you!

I'm gonna check out the dmz next and see what's going on there...

(Last edited by leeand00 on 4 Nov 2011, 15:44)

It's all about /etc/config/network, /etc/config/firewall and /etc/config/dhcp. Duplicate every section containing "lan" to "dmz" and you're OK.
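The thread settles three things in turn: every switch VLAN must carry the CPU port tagged (`0 1 2 5t`, `3 5t`), a logical interface must point at the VLAN sub-interface (`eth0.1`, not raw `eth0`) and must have a `proto`, and the DMZ needs its own firewall zone. The script below is an added example, not code from the thread or from OpenWrt: a small offline checker that parses UCI text of the kind posted above and reports those mistakes, plus two things worth looking at before copying the lan sections to dmz as the reply above suggests. It also decodes a `ports` string into the members/untag masks that `swconfig ... vlan N show` prints, so a config can be compared with the output earlier in the thread. Assumptions are marked in the code: the CPU port number 5 is the WZR-HP-G300NH value given in the thread, the zone option list is partial, and the sample configs are constructed by condensing the ones posted here.

```python
# Added example (not from the thread or from OpenWrt): an offline checker for UCI text.
# Assumptions: CPU_PORT 5 is the WZR-HP-G300NH value stated in the thread (other boards
# differ); ZONE_OPTIONS is a partial list of zone options; samples are condensed from the thread.
import re
CPU_PORT = 5
ZONE_OPTIONS = {"name", "network", "input", "output", "forward", "masq", "mtu_fix",
                "family", "log", "log_limit", "subnet", "device", "custom_chains"}

def parse_uci(text):
    """'config <type> [name]' / 'option <k> <v>' lines -> list of section dicts."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop a trailing comment
        if not line:
            continue
        # values may be quoted or bare, as in the thread's posts
        words = [w.strip("'\"") for w in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", line)]
        if words[0] == "config" and len(words) > 1:
            sections.append({"type": words[1], "name": words[2] if len(words) > 2 else "",
                             "options": {}})
        elif words[0] in ("option", "list") and len(words) > 2 and sections:
            sections[-1]["options"][words[1]] = words[2]
    return sections

def vlan_masks(ports):
    """(members, untag) bitmasks as 'swconfig ... vlan N show' prints them; 't' = tagged."""
    toks = ports.split()
    members = sum(1 << int(t.rstrip("t")) for t in toks)
    untag = sum(1 << int(t) for t in toks if not t.endswith("t"))
    return members, untag

def check_network(sections):
    problems, vlans, cpu = [], {}, 1 << CPU_PORT
    for s in [x for x in sections if x["type"] == "switch_vlan"]:
        vid, ports = s["options"].get("vlan", "?"), s["options"].get("ports", "")
        vlans[vid] = ports
        members, untag = vlan_masks(ports)
        if not members & cpu:  # the thread's first mistake: vlan 2 was '3' alone
            problems.append(f"vlan {vid}: CPU port {CPU_PORT} missing, so its ports reach nothing")
        elif untag & cpu:
            problems.append(f"vlan {vid}: tag the CPU port ({CPU_PORT}t) so eth0.{vid} can carry it")
    logical = {s["name"] for s in sections if s["type"] == "interface"}
    for s in [x for x in sections if x["type"] == "interface"]:
        name, o = s["name"], s["options"]
        if "proto" not in o:
            problems.append(f"interface {name}: no 'proto' set")
        for dev in o.get("ifname", "").split():
            if dev in logical:  # e.g. the thread's 'eth0.2 wan'
                problems.append(f"interface {name}: '{dev}' is a logical interface, not a device")
            elif dev == "eth0" and vlans:  # why the wired LAN died until ifname became eth0.1
                problems.append(f"interface {name}: raw eth0 receives tagged frames; use eth0.<vlan>")
    return problems

def check_firewall(sections):
    problems = []
    for s in sections:
        o, z = s["options"], s["options"].get("name", "?")
        if s["type"] == "zone":
            problems += [f"zone {z}: unknown option '{k}' is ignored; the firewall default applies"
                         for k in o if k not in ZONE_OPTIONS]
            problems += [f"zone dmz: {p}=ACCEPT; a DMZ zone should REJECT and rely on explicit rules"
                         for p in ("input", "forward") if z == "dmz" and o.get(p) == "ACCEPT"]
        elif s["type"] == "forwarding" and (o.get("src"), o.get("dest")) == ("dmz", "lan"):
            problems.append("forwarding dmz->lan: DMZ hosts must not reach the private LAN")
    return problems

NETWORK_SAMPLE = """
config 'interface' 'lan'
    option 'ifname' 'eth0'
    option 'proto' 'static'
config 'switch_vlan' 'eth0_1'
    option 'vlan' '1'
    option 'ports' '0 1 2 5t'
config 'switch_vlan' 'eth0_2'
    option 'vlan' '2'
    option 'ports' '3'
config 'interface' 'dmz'
    option 'ifname' 'eth0.2 lan'   # a logical name in ifname, like the thread's 'eth0.2 wan'
    option 'ipaddr' 192.168.2.1
"""
FIREWALL_WEAK = """
config 'zone'
    option 'name' 'dmz'
    option 'input' 'ACCEPT'
    option 'foward' 'ACCEPT'
"""
FIREWALL_FIXED = """
config 'zone'
    option 'name' 'dmz'
    option 'input' 'REJECT'
    option 'forward' 'REJECT'
config 'forwarding'
    option 'src' 'dmz'
    option 'dest' 'wan'
"""
if __name__ == "__main__":
    print(*check_network(parse_uci(NETWORK_SAMPLE)), *check_firewall(parse_uci(FIREWALL_WEAK)), sep="\n")
    print("fixed dmz zone:", check_firewall(parse_uci(FIREWALL_FIXED)))
```

Run against the firewall export posted earlier in the thread, the unknown-option check fires on `option 'foward' 'ACCEPT'` in the dmz zone: because the key is misspelled, that zone's forward policy falls back to the firewall default (REJECT in the posted `defaults` section), which happens to be the safer outcome but not what was written. `FIREWALL_FIXED` is the shape to aim for when duplicating the lan sections: the dmz zone rejects input and forwarding, and a single explicit forwarding section allows dmz to wan and nothing towards lan.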

Added my config to the wiki; let me know if anything is sub-par or needs fixing. Thank you again!

The discussion might have continued from here.