Hello,

I hope that there is someone willing to lend their experience with UCI's Firewall Configuration Options. I thank you in advance.

Since I cannot post links as a first time poster, you can see a basic network diagram at:

h_t_t_p[colon][forward slash][forward slash]i66[dot]tinypic[dot]com[forwardslash]2yl5ki1.png

There are two networks. The connection to the internet at large enters through Network A at 192.168.15.1, which is the upstream gateway router for the two networks. It runs proprietary firmware, for all intensive purposes that I have access to, but do not intend on replacing. Most wireless devices will connect to Network A using 192.168.15.1. It has 2.4GHz and 5.0GHz capabilities, and broadcasts two SSIDs, of which will be called 2.4_AP1 and 5.0_AP1, respectivley.

BusyBox v1.27.2 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt SNAPSHOT, r6349-9046e921af
 -----------------------------------------------------

The other network, Network B, connects to network A through the TP-Link Archer C7 v2, which has OpenWRT installed. The Archer C7 v2 is connected to network A using the 5.0_AP1 SSID, and has the address 192.168.15.127. 192.168.30.1 is on its other interface to network B.

What I want to do is allow ssh connections from devices on Network A, and the internet at large, to pass through into Network B. Port forwarding did work for me as long as I needed to connect to a single device on network B. However, as I have multiple devices with SSH behind network B that I wish to connect to from Network A, any request to a different device on network B would get redirected to the device specified in the port forward.


Below is the /etc/network/config for the Archer C7 v2:

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix '<some ipv6 address>::/48'

config interface 'lan'
    option type 'bridge'
    option ifname 'eth1'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.30.1'

config interface 'wan'
    option proto 'static'
    option ipaddr '192.168.15.127'
    option netmask '255.255.255.0'
    option ifname 'wlan0'
    option gateway '192.168.15.1'

config interface 'wan6'
    option ifname 'eth0'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '2 3 4 5 0'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '1 6'

This is /etc/config/wireless:

config wifi-device 'radio0'
    option type 'mac80211'
    option channel '11'
    option hwmode '11g'
    option path 'platform/qca955x_wmac'
    option htmode 'HT20'
    option disabled '1'

config wifi-device 'radio1'
    option type 'mac80211'
    option channel '36'
    option hwmode '11a'
    option path 'pci0000:01/0000:01:00.0'
    option htmode 'VHT80'

config wifi-iface
    option device 'radio1'
    option mode 'sta'
    option network 'wan'
    option ssid '5.0_AP1
    option encryption 'psk2'
    option key 'wiFiSeecreet'

This is the current firewall configuration:

config defaults
    option syn_flood '1'
    option input 'DROP'
    option output 'DROP'
    option forward 'DROP'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option output 'ACCEPT'
    option mtu_fix '1'
    option input 'ACCEPT'
    option masq '0'
    option forward 'REJECT'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config rule
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

(Last edited by 7714846411 on 8 Apr 2018, 02:09)