Thanks so much for all those great videos, Marc. They're really helping me to go a step further every day on my home network. It takes time, but I will get there...
Great video, clear and amazingly helpful. In OpenWrt 22.03.5, the "bridge interfaces" checkbox in the "add new interface" menu is no longer there. Is there something I need to do in this version to achieve the same thing?
They moved the functionality to the "devices" tab in Network > Interfaces. Create a new device. Select "bridge interface" in interface type and select the port/vlan you want.
Thank you very much for the video. It's a pity it is outdated. I cannot follow along with the video, because in the new OpenWrt version things are different, starting with creating interfaces. Is it possible to update the instructions?
Really well organized and informative! Thanks so much! Just wanted to clarify around the 8:52 mark: If I want to separate these rules, wouldn’t DNS be using UDP and DHCP using TCP? I think you might have flipped them.
I am actually simplifying the rule in order to just use one. I open both protocols, TCP and UDP, on both ports. But because there is nothing else on the opposite protocol there should be no risk in that.
@@OneMarcFifty According to Wikipedia, it looks like only port 67 needs to be opened for DHCP, because port 68 is only used to reply to the client, so it is not necessary. zh.wikipedia.org/wiki/%E5%8A%A8%E6%80%81%E4%B8%BB%E6%9C%BA%E8%AE%BE%E7%BD%AE%E5%8D%8F%E8%AE%AE
@@OneMarcFifty You said that DNS uses only TCP. False! DNS uses UDP unless the answer is too big to be delivered over UDP, in which case the server tells the client to connect again using TCP.
Hi, you are a great trainer. Your explanations are clear and calm. I do have a problem. I followed your steps but I ran into some issues: 1) any cable I plug into the router LAN ports seems to be routed to the guest LAN. 2) the normal wifi is also routed to the guest LAN. I checked and rechecked your video and I don't seem to do anything different. I use LuCI 21.02. Do you think that has different settings? I must say that the GUI is just a bit different and so are some of the options. Any chance you can review this tutorial with the latest LuCI? Or give me some suggestions? Thank you
Hi, first off - many thanks for your feedback! Actually yes, things have changed in OpenWrt 21 and more importantly with Linux kernel 5 and the way VLANs are handled - the new DSA architecture is customized on the interface itself, there is no "switch" menu item any more. I'll see if I can update the series.
Marc - great content really enjoyed it. Just one observation in relation to the OpenWrt firewall gui screen and your comments around 6:30. Earlier in the video you explained nicely about the different tables and chains involved but your comment about ignoring the forward chain setting on the right hand side of the screen threw me at first. You are basically saying ignore it (in fact I could just set the forward action to reject) as it has no effect at all as you should actually control forwarding through the edit menu function and by how you configure the two drop down menus at the bottom of the screen i.e. "allow forward to destination zones" and "allow forward from source zones". Just thought I would check my understanding is correct? thanks again
Hi - many thanks for asking! I had to look it up before I made the video ;-) the third setting on the right is actually forwarding WITHIN the zone, i.e. if you had multiple networks inside the LAN zone and would want to allow or deny forwarding between them. So it's INSIDE one given zone. The setting that we change in the video is the forwarding BETWEEN zones, i.e. from one zone to another ;-) Great question - many thanks for your feedback !!!!
Hi, many thanks for the suggestion - following your comment I have re-watched the video - it's true that some things have changed in OpenWrt 21 - especially with bridging and how we assign the Wi-fi etc.... Need to think this over ;-)
Thanks for the great content. I followed the procedure and put iot devices as well as my printer into a different subnet. Now my computer can't find the printer. Could you please tell me how to make my printer accessible by my computer and mobile phones?
You'd need an mdns repeater/IGMP proxy style of software in order to use Airprint and the like so that your phone sees the printer. Omcproxy might do the trick or else mdns-repeater in a linux container or Avahi with echo function. Plus you need to allow ports 9100, 631, 443 TCP and 5353 UDP to the printer
I only have 2 radios, so I created my primary and Guest network as described in the video. I'd like an IOT network, so how can I create a second network on one of the radios?
You can create multiple networks on one radio just by clicking on "Add" next to the radio under Network-Wireless. I have 6 SSIDs running here per radio.
Hello, a pretty nice walkthrough. But at the end you lost me: you are saying to assign guest wifi to the guest firewall zone, but the movie assigns something totally different. Also this walkthrough is completely outdated since the new 23.3.3 handles the bridging in a completely different way. Would be nice if you could make a new video on that version.
Great channel, Great instruction too but for the life of me just could not get this tutorial to work on a Linksys EA3500 running OpenWRT 21.02.3. That said, OpenWRT's Guest WiFi Basics CLI command list also would not work which may mean the issue is with the router (or the seat to kybd interface).
Hi Greg, some things have changed in OpenWrt 21 (what you have) as opposed to 19 (the video). Mainly bridging is done on the device tab under network-interfaces and you would then select the bridge as a device under your interface. Your Wi-fi is then added to that network.
Great video, helped out a lot, as OpenWrt does things differently than other custom firmwares. One thing though: my TV won't connect to the IOT wifi I created. Is it due to the way the forwarding is set up, because the TV needs a WAN connection? Or am I understanding this wrong?
Hi Marc. First of all, your videos are very helpful and I'm grateful for you putting in the time to teach. However, I'm having an issue: it didn't work on my end (7:08 mark). I followed everything on the guest zone, then I tried on that zone with my laptop to see if it works, but it let me ssh. I must've missed a step. I watched the video over a bunch of times. And I can't seem to get out of this loop.
Hi Drew, are you saying that you _can_ ssh into the router's guest IP even though your expectation is that you can't? Presumably then you are connecting to the router over the LAN and not the GUEST network? Even connecting to another IP _on_ the router would NOT go through the forward chain but through the INPUT chain of the network that you are connecting from. So if you connect from LAN, then yes - you can ssh to the guest's IP address. But you can't do that if you come FROM guest.
Yes, as Marc has said, simply put: your laptop needs to be connected ONLY on your Guest Network for this to work (well, not work for the SSH part heh) if you're plugged in with ethernet, you need to make sure that port is a Guest only port and not a LAN port (via Switch>VLAN ID).
The action is accept because we want to allow the devices to query DNS and get a DHCP address. The default is reject already and this rule is the exception. If you don't see network-switch and wireless - does your device _have_ a switch and wireless adapter ? Which hardware ? Which OpenWrt version ? You are running this on a router, not in a VM right ?
@@OneMarcFifty I got it. I confused the GuestZone with the IOTZone. Action must be 'accept', of course. I am actually running OpenWrt on a VM. You mean this video explains OpenWrt on a physical router only?
Well - you can do everything on a VM except hardware-related stuff. Unless you passed the hardware through to the VM. You can use all the firewall rules and parts in a VM but as you correctly stated if you want to do Wifi etc then you would need to pass through corresponding hardware
@@OneMarcFifty Got it. Thank you Marc. It would be great if you pointed to that explicitly in your video description to avoid any confusion, and also if you added the link to your predecessor video in the description, because your videos build on each other, so that we viewers can follow them through. Anyway, you do a great job here. Thanks for that.
Would you mind sharing what router models you use/suggest for the Router/Firewall and Access Point Devices? Thanks for these videos, I've been struggling in vain to do a similar setup using dd-wrt.
Hi Andrew, in the video I had been using Archer C7's but I have replaced them with D-Link DIR-2660's these days. You might want to check my video on Router models here: ua-cam.com/video/wP1ZcQBLL1k/v-deo.html
Marc, do I need to add a new interface for each VLAN ID I want my router to recognize, or is adding it on the "Switch" page enough? And also, do I add firewall zone settings for each? I may be thinking too complicated for this and it's much simpler than I thought.
Marc, I have a use case where a guest on the Guest lan needs access to a printer on the LAN lan. I've tried adding a firewall traffic rule to allow access to the printer ip address from the Guest lan. This doesn't work as it appears the general lan to guestZone forwarding rule is executed first and blocks all traffic from the Guest lan to the LAN lan. How do you handle forwarding exceptions to the general zone forwarding rules?
Hi there, at 01:07 in the firewall rule WAN => Reject, input = reject, output = accept, forward = reject. This rule means all incoming traffic to our network is blocked or rejected, but from inside the network anyone can access the internet? Am I right??
Correct. The first setting (WAN => Reject) means that we do not forward from the WAN to any other zone. (Input=reject) means that traffic from the WAN can't reach processes on the router. (Output=accept) means that processes running on the router can go to the WAN. (forward=reject) only means that we would not forward traffic from one segment in the WAN to another segment in the WAN. Internet access from the LAN is set in the line above, where we allow zone forwarding (LAN => WAN).
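As an added example (not code from the video or from OpenWrt's documentation), this is what the zone settings just described look like in /etc/config/firewall, together with the guest zone and the DNS/DHCP exception that is discussed further down in the thread. The network names lan, wan and guest are assumed to match the interfaces created in the video.

```uci
# /etc/config/firewall (UCI syntax). Added example; the network names
# lan/wan/guest are assumed to match the interfaces from the video.

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# LAN: clients may reach the router (input) and may be forwarded between
# networks INSIDE this zone (forward). Nothing here says anything about WAN.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# WAN: the internet cannot reach router processes (input) and is not forwarded
# into any other zone; the router itself may go out (output). 'forward' only
# covers traffic from one WAN segment to another WAN segment.
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Internet access for the LAN is this zone-to-zone forwarding (LAN => WAN),
# not a setting of the wan zone itself.
config forwarding
	option src 'lan'
	option dest 'wan'

# GUEST: same defaults as wan towards the router, and only forwarded to WAN,
# so guest clients never reach the LAN.
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'

# The one exception in the guest zone's INPUT chain: without it guest clients
# get no DHCP lease and cannot resolve names. No 'dest' option means the rule
# targets the router itself, not forwarded traffic. One rule covers both
# protocols on both ports, as in the video.
config rule
	option name 'Guest-DHCP-DNS'
	option src 'guest'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53 67 68'
	option target 'ACCEPT'
```

Apply with `/etc/init.d/firewall restart`; the iot zone from the video is built the same way as guest, with or without the forwarding to wan depending on whether the devices need internet.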
With regards to a guest network, how do you prevent non-guest clients that are in range from abusing your wifi? e.g. a neighbour permanently connecting and taking up valuable bandwidth. Is there a way to mitigate this risk?
@@OneMarcFifty Darwin and FreeBSD are BSD derivatives of the original UNIX. But Linux isn't UNIX, it's UNIX-oid. And nearly everyone would say that Linux = UNIX and/or UNIX = Linux. Linux = UNIX is kind of correct, not fully correct. UNIX = Linux isn't correct.
Back at the time, Linksys used GNU licensed Software in the firmware of their WRT54G. They had to disclose the source code. OpenWRT built on this to provide an open source alternative to Consumer Wifi routers, mainly aftermarket.
I setup your configuration on a WRT610N running OpenWRT 19.07.7. Each of the 3 Wifi work perfectly as standalone but when I try to start all 3 together Radio0 fails on restart. Radio0 is 2.4 GHz. 5 GHz is not recognized by OpenWRT. Any suggestion as to what might be causing this problem would be appreciated. I suspect the router hardware cannot support this configuration.
It looks like there is a hardware revision that has issues with 5 GHz - if your HW revision is V1.0 (serial number CTG01...) then it might not be possible as of now - please see openwrt.org/toh/linksys/wrt610n_v1
Guys, can anyone help me? I set up guest wi-fi as described in this tutorial (without IOT, I don't need it). Everything works perfectly but only for one radio. I have 2.4 and 5 GHz radios. When I enable both of them only one works (both set up as access points and connected to the "GUEST" interface). So when I enable 5 GHz, devices connected to 2.4 GHz stop working; then I restart and reconnect to 2.4 GHz, and the 5 GHz devices disconnect.
Hi Antonio, difficult to give advice with the info provided... You might want to check in to our Discord server and ask the question with more detail ? discord.com/invite/DXnfBUG
Hello, thank you for your videos! Great job! Can you please help me with a problem? I have 2 routers. One is a "Fritzbox 6591 Cable" and the other is a "TP-Link Archer C6" with OpenWRT 19. The Fritzbox is available on LAN-Port 1 at 192.168.178.1 and on LAN-Port 4 via guest-lan at 192.168.179.1. The TP-Link is available on LAN-Port 1 at 192.168.178.2 and on the WAN-Port via guest-lan at 192.168.179.2. I also have an 8 port switch: ports 1 - 4 VLAN1, ports 5 - 8 VLAN2. Switch IP: 192.168.178.3, switch gateway: 192.168.178.1. From Fritzbox LAN-Port 1 a cable is connected to switch port 1. From Fritzbox LAN-Port 4 a cable is connected to switch port 5. From the TP-Link WAN-Port a cable is connected to switch port 6. From TP-Link LAN-Port 1 a cable is connected to switch port 2. My laptop is connected to switch port 3. IP: 192.168.178.40, gateway: 192.168.178.1. So, I have some IoT equipment, for example one device via WLAN (guest net from the Fritzbox) with 192.168.179.3. So what do I have to change in OpenWRT so that I can access the IoT equipment from the 192.168.178.0 net in the 192.168.179.0 net, and how should I configure the interfaces (and maybe the firewall - but I think the Fritzbox does this already)? Thanks. If you want to answer in German, fine :)
You seem to have your two routers in the same subnets - not sure what you want to achieve - the best is probably if you get on my discord server and either post a drawing (what is the current setup and what should it look like) or alternatively we have interactive video chat sessions on Sunday.
@@OneMarcFifty This is not the issue, the issue is why people use the wrong netmask for the network they are using. A class for A class, B for B, so on and so forth.
@@coisasnatv OK, let me expand on this a bit. The 10.0.0.0/8 network is a class A network. That does NOT mean that you have to give /8 to any 10.x network. It just means that your router would never route e.g. any 10.x into the internet. 10.0.1.0/24 is a perfectly valid private network address, so is 10.0.0.128/25. (In fact you could have up to 4M subnets with two hosts in each ;-) ) The only situation where I could see a class/subnet conflict is when someone would give a let's say /16 or /10 subnet to let's say a class C (e.g. 192.168.0.0/22) because that would include public IP addresses. The class and the subnet are related, but two different things. These days, as networks are assigned to a CIDR mask anyhow, the classes are not important any more. en.wikipedia.org/wiki/Classful_network
@@OneMarcFifty Your explanation falls under the same logic as people that start in electronics; for example, one might replace a blown 500 mA fuse with a nail. Your demonstration about network class and CIDR is the same as replacing a fuse with a nail, because in the end "it works". If you see the link you shared, it shows that the correct CIDR for a class A network is /8 or 255.0.0.0, *NOT* /24. It works; however, people might have routing issues in complex network environments and not understand why the network configuration is not working.
What you say was true in 1998 but it is not true in 2022 - or to put it differently - for anyone using classful routing (RIPv1 and/or IGRP). RIPv1 was retired in 1998. Even Cisco have retired all IGRP related CCNA exams and call IGRP an "obsolete protocol", please see en.wikipedia.org/wiki/Interior_Gateway_Routing_Protocol and en.wikipedia.org/wiki/Routing_Information_Protocol Again - there is no problem with SUBnetting here but rather with SUPERnetting. Hence 10.0.1.0/24 is OK, 192.168.0.0/16 is not. So to come back to your example with the fuse - I am not replacing the fuse with a nail but rather with an eFuse. I do partially agree on one thing though - that is in "complex" networks, i.e. networks where very old routers would not use EIGRP, this could be an issue because the subnet boundaries would not be identified correctly (as IGRP does not carry a subnet mask).
@@OneMarcFifty 21 is the current version. But my br-lan port entered blocking state, br-lan port entered forwarding state, br-lan port became ready. This is happening continuously. 😯😯😯 Unstable connection. What is the problem?
Nice video and walkthrough, I have a question. I am using OpenWRT version 21 and I know you recorded this video using an older version. I left the interface devices as unspecified. I have the same router as you have, Linksys ACM3200. I followed the steps from the video but I am not able to add multiple networks (lan, guest, iot) under the same radio interface as you did. In the video you only show adding the first one (lan) and then in the next video (ua-cam.com/video/4t_S2oWsBpE/v-deo.html) it shows all 3 (lan, guest, iot) added under radio0. When I add another network under radio0, such as lan + guest, and enable the second, both show as 'disabled'. The only way for me to add guest is on radio1 (2.4GHz). Can you please help me understand what I am doing wrong?
You're doing nothing wrong. Wi-Fi on the ACM3200 is a big challenge. Check this out: forum.openwrt.org/t/users-needed-to-test-wi-fi-stability-on-linksys-wrt3200acm-wrt32x-on-openwrt-21-02/101700/8
Your explanations are really complicated. Please just use some pictures when you are about to explain some terms, for example show some diagrams of the real devices you are talking about and how they relate to each other.
Thank you very much for your comment. Could you maybe give a time marker where you think the explanation is complicated and what it should have looked like ?
10.20.30.40 with 255.255.255.0 mask??? This is absolutely wrong. You do not understand anything about IP subnets, right? Let's check with a simple online IP subnet calculator - so we see that you need to assign a really completely different subnet MASK so that this net works correctly.
What exactly is wrong with subnetting a class A into /24 ? The .40 is not a net but an ip in the 10.20.30.0/24 subnet. I can’t see anything wrong here.
Hey man, are you a teacher?! This video is the one that I was looking for and Your explanations are GREAT! OpenWrt is not that simple (and the wiki is confusing IMO) but you make things easier. Keep it up, please !
This is such an incredibly helpful video for newcomers to OpenWRT. Very high quality and informative. The way you explain things is so clear. Thank you!
Hi - I'd like to add a comment that took me hours of frustration. The 'interface' names need to be created in lowercase - otherwise there will be no IP assigned even if it's setup properly. I didn't try all capital - but a mix of lower/upper case resulted in a connection to the guest network, but no internet/obtained IP. One thing I can't get working, is connecting over wifi to the "IOT" wifi network. Was that not the intention based on these instructions? Basically, I wanted a separate "guest" network for IOT devices that can't see my LAN. I can connect to the "GUEST" network fine, but not the "IOT" one.
This is a great video, and I used it to setup my home network with just a few customizations, but I just tried this again using OpenWRT 22.x and the changes are just too important, especially the missing "Bridge Interfaces" option which also breaks the wireless network setup. Can you please consider updating this video with a 22.x version? Thank you.
If I set up the IOT as described here, my IOT devices become useless as far as I understand. If I use Home Assistant or any other IOT server located in the home network, according to my understanding, the devices are now isolated in such a way that they cannot transmit information to the HA. How do you solve this problem?
Hi, it depends on what you want to achieve. If you want your devices to be discoverable by HA then HA needs to have a leg in that network segment. You could therefore assign an additional network interface to the HA Server and modify routes/forwarding etc. or you could define routes on the router allowing HA access into that segment. Alternatively (this is my use case with FHEM, but would work with any Home Automation that supports MQTT) - install Mosquitto on the router and have the IOT devices communicate with HA over MQTT. Mosquitto would listen and broadcast in all segments and hence be an application gateway or middleware for all home automation over all network segments without exposing devices or http interfaces and the like.
Hi Marc, quick question for you. @10:30 you mention to Bridge Interfaces, but now on latest 22.03 version that isn't there anymore. Do we need to do something different now? The only thing I could see in regards to bridging was to select the device to "Bridge: "br-lan" (lan)" but that seems to do something different...Thank you.
@@OneMarcFifty Thanks for looping back around to this! Is there any benefit to setting up a separate bridge for the guest and iot interfaces, or can they all safely use the same bridge? (i.e. why would you have set up separate ones in earlier versions?)
Thank you so much for this wonderful video! At 10:25, I'm not seeing a "Bridge Interfaces" option in the current version of Luci. Proceeding to create an interface without that option shows "Device: Not Present" under status. Any idea what could be wrong?
Kudos. Very informative video and without substantive errors on the topic, and showing the proper understanding of underlying mechanisms This is the proper way in which OpenWrt configuration should be explained.
Thanks, this was really helpful. Your explanations gave me enough info to be able to tailor everything to my own needs without being completely lost. The screens shown are a little out of date for the latest version of OpenWrt but are still quite usable.
@OneMarcFifty at the 10:39 mark you ticked the bridge interface box, in 22.03 that box no longer appears and we have to manually create a device to configure. What physical devices are you bridging by ticking that box?
Hi Randy - as such you're just creating an empty bridge where you can add devices later. In Versions 21 and later you would create a bridge under devices and then add the devices you want to the bridge.
Thanks for the videos! I am trying to follow you to achieve the dumb AP vlan over one cable, but when I try to create the new interface I do not see the "Bridge Interfaces" checkbox (video @ 10:44) and then when adding Interface my status shows "Device: Not Present" while you show "br-GUEST" (video @ 10:54). I am on the Belkin RT3200 snapshot r21517-d7876daf65. Anyhow, it seems maybe I missed where the device br-GUEST was created. Any ideas?
This has changed in OpenWrt 21. You now create a bridge device under Network-Interfaces-devices tab, add the Ethernet ports to it. Define an interface and attach it to the bridge. When you create a Wifi you can then attach it to the network.
I want to open the IoT network for MQTT on port 1883 towards the LAN network, so that my IoT devices can send packets to an MQTT broker which is in the LAN. I don't know how to handle it.
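Added example (not from the video or from OpenWrt's documentation) for this question and for the earlier one about a guest reaching a printer in the LAN: in /etc/config/firewall a traffic rule with both src and dest set lands in the forward chain and is evaluated before the zone's default REJECT, so a single-host, single-port exception works without opening general forwarding between the zones; reply packets come back through connection tracking. The zone names guest, iot and lan and both host addresses are assumed.

```uci
# Added to /etc/config/firewall. Zone names (guest, iot, lan) and the two host
# addresses are assumptions; replace them with your own.

# Guest clients may reach only the printer, and only on the printing ports.
# Everything else from guest towards lan stays at the zone default (REJECT).
config rule
	option name 'Guest-to-printer'
	option src 'guest'
	option dest 'lan'
	option dest_ip '192.168.1.50'
	option proto 'tcp'
	option dest_port '9100 631'
	option target 'ACCEPT'

# IoT devices may publish to the MQTT broker in lan on 1883 and nothing else;
# the broker's replies are allowed by conntrack, no rule in the other
# direction is needed.
config rule
	option name 'IoT-to-MQTT'
	option src 'iot'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option proto 'tcp'
	option dest_port '1883'
	option target 'ACCEPT'
```

Give the printer and the broker fixed addresses (static DHCP leases) so the dest_ip values stay valid.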
Hi Mark! In openwrt version 22.0.3, when creating a network interface, you need to select a device. Apparently for the guest and IOT you need to create a new device?
Either you create a device for each VLAN (eth0.44 or the like), add it to a new bridge or you can use Distributed Switch architecture DSA. There is a video about VLANs on version 21 on my channel page
This happens to me in OpenWrt 22.03.2. I just came here again to see what my mistake was. I'm setting up an old Netgear R6100 and this device does not create the proper bridge for the wireless connection to work. So I created a bridge device, then attached it to the guest interface and finally, in the wireless section, attached it. After this, wireless devices started to obtain IP addresses.
I wish it worked on the latest 22.03.2 version, but it doesn't. They took away the option to bridge interfaces; no matter what I try, guest wifi does not get an IP address. By the way, could you post links to OpenWrt wifi setups? Thank you
Hi, in Versions 21 and newer, the bridges are created under Network-Interfaces- Devices Tab. Please see this video ua-cam.com/video/qeuZqRqH-ug/v-deo.html for more details on DSA and Bridge VLAN filtering
Very enlightening! What if I have an NVR and connect it to the IOT wifi, will it be able to notify me in case I turn on Detect Motion and Notify Me? Thanks and more power!
Hi, thanks for your comment - I personally like to do notifications over network boundaries with MQTT - for this I have Mosquitto running on my router which is accessible from all network segments
Well explained and summarized the firewall concept of OpenWrt, not available on YouTube though it is in the OpenWrt forum scattered in bits and pieces. Looking for videos on: 1. parental control traffic rules, especially this pandemic season it is all the more imperative. Kids are smart; with their whack-a-mole devices they outwit the tagged IP or MAC in traffic rules. 2. Accessing the OpenWrt router from the internet (we have one of the wifis tagged to OpenVPN). No videos on this on YouTube. Hope there would be enough requests for these; it would be helpful to many OpenWrt users. Thanks in advance.
Many thanks for your feedback @Ranish and thank you for the suggestions - port forwarding is on my list but parental control was not - I'll have a look into options (hint: give your kids a separate Wifi in a separate FW zone, this is resistant against ip/mac changes)
Question, you said: "I do not expect an IoT device to open the browser page on my router so we can leave input accepted". The question is: why input accepted? Shouldn't it be reject, to deny permission?
Thank you for the great content! I would like to know a bit more: how do you configure the provider's router LAN output and the first OpenWRT WAN input area? Do you allow the provider's router to do the NAT? Or will it be done also in OpenWRT?
In my case, I just set the WAN interface of OpenWrt to DHCP, i.e. I let the ISP do NAT. From a performance standpoint not the best solution but the easiest to implement as from the ISP router's standpoint it looks like there is just one client.
I have followed this guide to the letter multiple times (factory resetting and applying latest firmware) but can't seem to get the internet to work on the Guest wifi, even after entering 8.8.8.8 DNS server and using 255.255.255.0 netmask. Internet only works on the main wifi. Any ideas?
First of all, I would like to thank you. And I would like to add just one small thing. I forgot the rule for the IOT-DHCP part in the firewall configuration section. Without it the IOT devices will never get IP addresses 😀
Hey man, big big work...This is not a video. This is the bible 🙂 I have, if possible, a question. I have successfully implemented three vlans. One "Lan", one "Guest" and one for IOT devices. I have extended the implementation to WIFI as well. The Lan reaches the Internet and the other two zones, the Guest only reaches the Internet and the IOT does not reach any area including the web. Everything seems to work and the results of the various pings are consistent with the infrastructure. The problem is with IOT devices. I have a single smart plug correctly connected to the IOT (it receives the IP from the interface's DHCP server). I connect my mobile phone to the IOT network and the application, specifically SmartLife, sees the device and manages to interact with it. If I connect to the LAN the device goes offline but I can still ping it...I'm going crazy! Thank you so much for any advice.
You would need to figure out what ports and protocols the app is using to communicate with the devices and then open those for communication really ;-(
@@OneMarcFifty Many thanks for the reply. I am currently experimenting with the mDNS protocol implemented by the avahi package. But the results are disappointing ... I will try to understand, through tshark, what happens on the net :)
Thank you for this tutorial, good Sir! This is very helpful to me. Just want to add 1 question, Sir. Is there a way to separate browsing (wanA) and gaming (wanB) on different WAN interfaces with a failover option?
Yes you can do that. Just define two lan interfaces, attach a wifi to each one and define the same or different firewall rules for each (basically allow forward to wan)
Thank you very much for your videos, they were really helpful for setting up OpenWRT :) Quick question: How can we isolate devices from each other in the guest network? I have created a bridge device br-guest bridging br-lan.3 and bat0.3 (I use batman-adv) and added it to the guest network. Communication between lan and guest is blocked, however the devices in guest can see and access each other. Checking AP isolation on the radios and bat0 seems to change nothing. On DD-WRT i had to manually setup ebtables. Is there any way to set this up with luci? Thanks a lot!
I have not yet found a good way to do this. If you set up Wi-fi isolation, it will work on one AP but not over many APs. Firewall-wise you can't really define such a rule in LuCI. You would need to come up with some rule based on the MAC addresses (deny all traffic from GUEST except to the router itself).
@@OneMarcFifty Thanks for your response! I have researched a bit and found some ways to achieve this. One easy and efficient way would be to enable VLAN filtering in the br-guest settings and simply set 1 PVID Egress untagged on each port there. This would effectively deny all local communication on that bridge. However there are two problems: using batman-adv on nodes, this would also deny communication to the gateway router via bat0.3. Also, there is currently a problem with the bcm4366 driver (?), where wifi does not work on bridges with VLAN filtering enabled. I did the following to achieve this goal: - Enable AP isolation on guest Wifis on each node - Install ebtables-nft and add the following to the startup of the gateway router: ebtables -A FORWARD --logical-in br-guest --logical-out br-guest -j DROP - Add this to the startup of all other nodes that are connected via batman-adv: ebtables -A FORWARD --logical-in br-guest --logical-out br-guest --in-if ! bat0.3 --out-if ! bat0.3 -j DROP I read a lot online that ebtables is quite inefficient, however this is the only way that worked for me. I didn't notice any performance degradation doing this.
If you isolate devices on IOT network from the internet, how do you control them from an app on your mobile device? Case in point: I have IP cams I would like to 1) isolate from my LAN 2) stop from "phoning home" and 3) still control/receive notifications from when at and away from home LAN
Hi - the main reason for me isolating my IOT devices is that I didn't have any cloud based IOT devices at the time of making the video (all my IOT devices were more or less DIY solutions based on ESP8266 / ESP32 at the time). I do in the meantime have some cloud devices, but I moved them again to a separate VLAN - all you'd have to do in order to adapt is add internet access to the IOT zone really.
question, would you class android streaming boxes and Chromecast googletv as IOTZone worthy and what about making casting work in this type of configuration?
Hi, I have added my Multimedia devices (Kodi, bluray player, TV Sets and the like) into a separate Multimedia Zone. Getting mDNS and broadcasts to work requires a lot of fine tuning and configuration... not easy ;-(
Hi, that was more or less just an assumption. Looking at what 99% of the users are doing, they would presumably only have one subnet in the LAN zone. If you had for example 192.168.4.0/24 and 192.168.5.0/24 _both_ in the same zone and you would want to allow forwarding traffic from one zone to the other, then you would need to set forwarding to allowed. If not, set it to drop or reject. So it's more about network isolation _within_ one zone.
@10:30 what does the enabling "Bridge interfaces" here actually do? How did it help in the "next episode" and what would have happened if we didn't enable it? BTW: GREAT OpenWRT explanation. Firewall Zones on OpenWRT is a hard topic for me, but now I more or less get it.
Mainly "enabling bridge" in OpenWrt 19 links the interface to a bridge rather than one single interface. The advantage is that you can add multiple devices (Ethernet, VLANs, Wireless) to one single interface rather than have one single interface. Things have changed in OpenWrt 21 as well w/r to the separation of "interface" and "device"
Marc, great video, convinced me to move to OpenWRT with all my thought to restrict the local devices I have as much as possible. One question though - why not restrict IoT devices from accessing my router? I'm not an expert, but don't those smart plugs represent a trojan horse for someone who knows what to do with them once they can ssh to my router? What if we "reject their input" and create the same rules as for the Guest Network with a DHCP rule only?
Hi Vadim, valid approach. There is no 100% Security ;-) If someone takes over your router then you might have a whole bunch of other problems as well ;-)
Thanks for the useful diagram. Picking up OpenWRT compatible routers for $5 on the second hand market is one of my best decisions made, as I can now use them as dedicated firewalls for my IoT devices even if the rest of the network runs on newer consumer grade hardware. I have it in reverse, where I have a mix of a consumer grade router with stock firmware, dd-wrt and openwrt. The stock firmware one has the best wifi so it stays in the center. One cable to another room is a DD-wrt box acting as an unmanaged switch with full gigabit speed, and one of the ports is connected to a 100Mbps OpenWRT router with the LAN firewall configured to be as strict as the guest network, for IoT devices only. It works great and I like the peace of mind that IoT devices cannot ping my computers. Edit: I found out my DD-wrt box also supports OpenWRT and the firewall does not affect the unmanaged gigabit speed of the switch. Unified them into one device and added wireguard functionality.
Hi, thanks for the video. Question for ua-cam.com/video/UvniZs8q3eU/v-deo.html, if we don't expect the IOT devices to access the webpage then shouldn't they be set to reject rather than accept?
Hi, if you set input to "reject" then no device in the IOT zone would be able to access services on the router. That would include DNS and DHCP which they need. So if you set input to reject then you would need to add rules for the protocols which you want to use (DHCP, DNS, possibly NTP)
Seems Openwrt, despite using the same terminology as iptables, works differently from it. I don't get why input and output are used in your video when routing between zones. As per your data flow diagram, input and output chains are not touched when forwarding.
Another great video. I've been reading documentation for days to find out what and how I have to configure an OpenWrt router. Just like Francesco Pocci, I find the OpenWrt documentation very confusing. Only when you understand how it works can you understand it :( And like Colin Nicholson, I'm excited about the expansion to include VLANs. You have a talent for explaining complicated things simply. Great. And that with the proverbial "German thoroughness". Last night I managed to flash my Archer C7 to OpenWrt. It had the latest TP-Link firmware and unfortunately only worked with TFTP. It took me a long time to find out that media sensing was the problem in getting TFTP to work. :( I'm going to do the configuration right now. I will try myself to get VLANs working too... Many greetings from Braunschweig to Berlin
@@OneMarcFifty Got VLANs for IOT / Guest working on my Archer C7 :) LAN ports and wireless work as expected. Thanks to your video "Building a managed switch with OpenWrt on old Wifi Router". Next step is to add an additional dumb AP with VLAN support, fast roaming, ...
I would like to see another episode on the topic. Extended firewall configuration according to the blacklist principle when using VLANs. E.g. allow HTTP / HTTPS from LAN / Guest zones, but stop sending SMB packets over the WAN interface.
Just the video I needed - can't wait for the VLAN to 2nd access point episode! I've just set up a two OpenWRT router system because of your fast roaming video.
Hey there. I know that this video is 3 years old. But I'm trying to add another IOT zone for things like smart tv that still needs to connect to internet. From my understanding from your video, I needed to create an IOT zone but with almost the same settings with guest. The problem I am having is I cannot cast from my main SSID to the SSID of the IOT with the internet.
Hi Marc, how do you create an IOT interface on OpenWrt 21.02? I have a GL-AX1800 router with Powered by LuCI openwrt-22.03 branch (git-21.284.67084-e4d24f0) / OpenWrt 21.02-SNAPSHOT r16399+157-c67509efd7 pre-installed. Thanks
Running 22.03, and setting up a zone to reject input, let's say from a guest network, is yielding all devices on the interface, in that zone, with the inability to get an IP from the DHCP server. In order for the devices to connect to the internet, they need to be configured on the device end to have a static IP within the range... I think openWRT in an update changed the way these firewall zone rules work?
Why is this rule:

config rule
    option name 'rbc'
    list dest_ip '204.74.99.100'
    list src_ip '192.168.1.105'
    option dest 'wan'
    option src 'lan'
    option dest_port '80 443'
    option target 'REJECT'

not blocking traffic from my PC (.105) to access Royal Bank (204.74.99.100)?
Will my IOT devices continue to be able to perform firmware updates even without internet access? Also, after starting the Guest and IOT interfaces my AdGuard Home is no longer being used as the main custom DNS server by the LAN interface... I don't get it, I didn't change any setting on the LAN interface. On the Guest interface I manually set some custom DNS servers of my preference; on the Guest network I want to bypass AdGuard Home.
Can you install some Linux Containers or some virtualized machines with OpenWrt - e.g. by configuration of the different network settings for the Linux Containers such as Host, Bridge, MacVLAN, IPVLAN, Isolated, Custom etc. with OpenWrt?
@@OneMarcFifty How can I run Docker and/or Qemu or Linux Containers like Proxmox containers on OpenWrt, if you use x86 or x86-64 hardware? If macVLAN is bad, because it can cause problems for security reasons, how should I solve this problem?
Actually, it's not so much the MacVLAN network that would be bad, but rather you would need to make sure that you don't bind anything to the WAN adapter inadvertently. As long as you bind to the LAN you should be fine.
Sorry for bothering you. I am new to openWRT and I followed your video, but for a simpler setup. I have two 2.4 LANs and the issue I have is that when I finished, in the IoT network the devices did not connect with each other. My cameras need to record the videos to a Sync device. I did not check the isolation option. I would really appreciate it if you can point me in the right direction. Thank you
Just to double check two things: at 5:32 when you say that the output is set by default so the router may access all other zones, can you think of a scenario where you wouldn't want that to happen? Also at 5:40 you mention that everything is kept in its own zone, do you mean that everything is kept in its own network within the zone that the forward policy is applied to? Want to make sure my understanding is correct, thanks again for the wonderful vids!
Hi, I am not sure if I understand your question - do you want to know how to configure firewall rules for Samba (that's basically just TCP port 445 plus maybe 137/138/139 depending on netbios y/n and/or mdns) or do you want to know how to install Samba on Openwrt (that's basically just selecting the package in System-Software or alternatively opkg install samba...)
This is such an awesome video! I am just getting started with OpenWRT and LuCI and I have been looking for this kind of video for weeks. Love the level of detail and the screen captures.
What happens if I set output of GuestZone to reject? Does the LAN also lose DNS etc.? OpenWrt can connect or not to WAN and is not aware of who is asking anything at the application level. Right?
Great video again Marc :-) I have a question: is it possible to put one or more of the ethernet ports in a zone, that way putting it on a separate real network like you did with the firewall zones, as opposed to a VLAN?
Hey Marc, a question you might be able to answer - I have my access point set to AC mode on 5GHz, but my devices don't seem to connect in that mode. I have one device with an AX WiFi chip which connects via the 802.11a band and a device with an AC WiFi chip which connects on 802.11n. How can I make them connect on AC, and how can I confirm my access point is correctly broadcasting AC?
Hi - in order to check what the access points are broadcasting I suggest running "iw scan" on a Linux workstation with Wifi hardware. That will show you everything.
Nice explanation. I just flashed openwrt to my router. I have a Raspberry Pi running multiple applications on Docker connected via ethernet. They all have unique IPs on my LAN (by creating a macvlan network). Is it possible to isolate one application (using one unique LAN IP) so that it cannot access other LAN devices?
Hi Aditya, that scenario would require the implementation of VLANs on the host and then binding the docker containers to the separate VLANs (e.g. eth0.3 / eth0.4)
Hi, great videos. One question though, why does your IoT network have access to the router interface/login page? I had a rogue IoT device previously attempting user/Pw combinations, I really want to avoid this. How would I block them from seeing my router? You also said you don't want devices on your IoT network to phone home. How would they continue to work if blocked from WAN? E.g blink cameras, nest doorbells etc as they need Internet?
Hi Will, mainly this was just for the sake of simplification. You could as well set the default Input to "drop" and then enable only needed services (such as DNS, DHCP, maybe NTP). W/r to internet access - the IOT devices that I use are no cloud devices. They are mainly DIY devices built with ESP8266 or ESP32 micro controllers and don't need internet access. My vacuum cleaner is an exception. It does need internet access and is in a separate DMZ.
You definitely have some of the best videos I have come across on OpenWRT.
Wow, thanks!
Still true! Great stuff.
Yeah! Far less UA-cam content on OpenWRT than on pfSense. Marc is a blessing!
Simple and effective explanation by covering the audience from beginners to advanced.
Thank you very much for your feedback ;-)
OMG! Your explanation of the firewall in OpenWRT was the final piece in the puzzle for me - it all clicked with this video, thank you
Awesome - I am glad it helped ;-)
I've been needing this video for months. I've found OpenWRT to be so confusing. This is explaining exactly what I wanted to know. Thank you so much.
To be honest, brilliant!
It's not only that you explain it simply and brilliantly, in addition you really learn!
Hi Christian, many thanks - glad you like it ;-)
Definitely one of the best videos on OpenWrt firewall settings. Thanks a lot! Brilliant.
Thank you very much !
Thanks so much for all those great video Marc.. It's really helping me to go everyday a step further on my home network. It takes time, but I will get there...
Awesome, many thanks for your feedback!
That was excellent - thank you for demystifying openwrt firewall settings
Thank you very much!
Great video, clear and amazingly helpful. In openwrt 22.03.5, the "bridge interfaces" checkbox in the "add new interface" menu is no longer there, is there something I need to do in this version to achieve the same thing?
They moved the functionality to the "devices" tab in Network > Interfaces. Create a new device. Select "bridge interface" in interface type and select the port/vlan you want.
Thank you very much for the video. It's a pity it is outdated. I cannot follow along with the video, because in the new openwrt version things are different, starting with creating interfaces. Is it possible to update the instructions?
Great openwrt videos, same case in my home, I want to trunk two openwrt routers with different VLANs, thanks!!
Many thanks for your feedback!
Really well organized and informative! Thanks so much!
Just wanted to clarify around the 8:52 mark: If I want to separate these rules, wouldn’t DNS be using UDP and DHCP using TCP? I think you might have flipped them.
I am actually simplifying the rule in order to just use one. I open both protocols tcp and udp on both ports. But because there is nothing else on the opposite protocol there should be no risk to that.
@@OneMarcFifty According to Wikipedia, it looks like you only need to open port 67 for DHCP, because port 68 is only used to reply to the client, so it is not necessary. zh.wikipedia.org/wiki/%E5%8A%A8%E6%80%81%E4%B8%BB%E6%9C%BA%E8%AE%BE%E7%BD%AE%E5%8D%8F%E8%AE%AE
@@OneMarcFifty You said that DNS uses only TCP. False! DNS uses UDP unless answer is too big to be delivered over UDP, in which case server tells client to connect again using TCP.
Hi, you are a great trainer. Your explanations are clear and calm.
I do have a problem.. I followed your steps but I run into some issues:
1) any cable I plug in the router LAN ports seem to be routed to guest lan.
2) also the normal wifi is routed to Guest lan.
I checked and rechecked your video and I dont seem to do anything different.
I use Luci 21.02. Do you think that has different settings?
I must say that the GUI is just a bit different and so are some of the options.
Any chance you can review this tutorial with the latest Luci? or give me some suggestions?
Thank you
That's true, there is a new framework called DSA instead of swconfig from the video. It's quite embarrassing for newcomers like me too.
Hi, first off - many thanks for your feedback! Actually yes, things have changed in OpenWrt 21 and more importantly with Linux Kernel 5 and the way VLANs are handled - the new DSA architecture is customized on the interface itself, there is no "switch" menu item any more. I'll see if I can update the series.
Ah - saw your reply - yes correct - DSA requires configuration on the interface itself. I'll take a note of this and update as soon as I can.
Marc - great content really enjoyed it. Just one observation in relation to the OpenWrt firewall gui screen and your comments around 6:30. Earlier in the video you explained nicely about the different tables and chains involved but your comment about ignoring the forward chain setting on the right hand side of the screen threw me at first. You are basically saying ignore it (in fact I could just set the forward action to reject) as it has no effect at all as you should actually control forwarding through the edit menu function and by how you configure the two drop down menus at the bottom of the screen i.e. "allow forward to destination zones" and "allow forward from source zones". Just thought I would check my understanding is correct? thanks again
Hi - many thanks for asking! I had to look it up before I made the video ;-) The third setting on the right is actually forwarding WITHIN the zone, i.e. if you had multiple networks inside the LAN zone and would want to allow or deny forwarding between them. So it's INSIDE one given zone. The setting that we change in the video is the forwarding BETWEEN zones, i.e. from one zone to another ;-) Great question - many thanks for your feedback !!!!
I would always DROP from the internet not REJECT, no point telling the world you are there
That’s correct. In a production config it’s better to drop than to reject, hence becoming „stale“ to accesses from the outside.
Hey, Marc!
isn't it time to redo this episode with the latest OpenWRT version? Consider this a humble request...
Maybe just a quicky...
Hi, many thanks for the suggestion - following your comment I have re-watched the video - it's true that some things have changed in OpenWrt 21 - especially with bridging and how we assign the Wi-fi etc.... Need to think this over ;-)
@@OneMarcFifty I'll become a patreon if you do...
Would love to learn how to enable IPv6 on my Guest and IOT zones.
Hi Rafael, I will do IPv6 episodes this year.
@@OneMarcFifty I would also love to understand IPv6 in OpenWrt. It is very necessary today.
Thanks for the great content. I followed the procedure and put iot devices as well as my printer into a different subnet. Now my computer can't find the printer. Could you please tell me how to make my printer accessible by my computer and mobile phones?
You'd need an mdns repeater/IGMP proxy style of software in order to use Airprint and the like so that your phone sees the printer. Omcproxy might do the trick or else mdns-repeater in a linux container or Avahi with echo function. Plus you need to allow ports 9100, 631, 443 TCP and 5353 UDP to the printer
I only have 2 radios, so I created my primary and Guest network as described in the video. I'd like an IOT network, so how can I create a second network on one of the radios?
You can create multiple networks on one radio just by clicking on "Add" next to the radio under Network-Wireless. I have 6 SSIDs running here per radio.
Hello, a pretty nice walkthrough. But at the end you lost me: you are saying to assign guest wifi to the guest firewall zone, but the movie assigns something totally different. Also this walkthrough is completely outdated since the new 23.3.3 handles the bridging in a completely different way. Would be nice if you could make a new video on that version.
Hi Patrik, if I remember it well, there are some bugs in the screen cams in this video - that's correct. Sorry for the confusion ;-)
Great channel, Great instruction too but for the life of me just could not get this tutorial to work on a Linksys EA3500 running OpenWRT 21.02.3. That said, OpenWRT's Guest WiFi Basics CLI command list also would not work which may mean the issue is with the router (or the seat to kybd interface).
Hi Greg, some things have changed in OpenWrt 21 (what you have) as opposed to 19 (the video). Mainly bridging is done on the device tab under network-interfaces and you would then select the bridge as a device under your interface. Your Wi-fi is then added to that network.
Great video helped out a lot as openwrt does things differently than other custom firmwares. One thing though my tv won’t connect to the IOT wifi I created is it due to way the forwarding because the tv needs an wan connection? Or am I understanding this wrong.
It might need a default gateway - or maybe it's checking internet access? Difficult to say from a distance.
Hi Marc. First of all your videos are very helpful and I'm grateful for you putting in the time to teach. However, I'm having an issue where something didn't work on my end (7:08 mark). I followed everything on the guest zone, then I tried on that zone with my laptop to see if it works, but it let me ssh. I must've missed a step. I watched the video over a bunch of times. And I can't seem to get out of this loop.
Hi Drew, are you saying that you _can_ ssh into the router's guest IP even though your expectation is that you can't? Presumably then you are connecting to the router over the LAN and not the GUEST network? Even connecting to another IP _on_ the router would NOT go through the forward chain but through the INPUT chain of the network that you are connecting from. So if you connect from LAN, then yes - you can ssh to the guest's IP address. But you can't do that if you come FROM guest.
Yes, as Marc has said, simply put: your laptop needs to be connected ONLY on your Guest Network for this to work (well, not work for the SSH part heh)
if you're plugged in with ethernet, you need to make sure that port is a Guest only port and not a LAN port (via Switch>VLAN ID).
9:12 Why is the Action "accepted"? Shouldn't it be "rejected"?
10:51 I don't see the menu items Network-> Wireless and Network -> Switch.
The action is accept because we want to allow the devices to query DNS and get a DHCP address. The default is reject already and this rule is the exception. If you don't see network-switch and wireless - does your device _have_ a switch and wireless adapter ? Which hardware ? Which OpenWrt version ? You are running this on a router, not in a VM right ?
@@OneMarcFifty I got it. I confused the GuestZone with the IOTZone. Action must be accepted of course. Am actually running the OpenWrt on a VM. You mean this video explains the OpenWrt on a physical router only?
Well - you can do everything on a VM except hardware-related stuff. Unless you passed the hardware through to the VM. You can use all the firewall rules and parts in a VM but as you correctly stated if you want to do Wifi etc then you would need to pass through corresponding hardware
@@OneMarcFifty Got it. Thank you Marc. It would be great when you point to that explicitly in your video description to avoid any confusion. Also when you add in the description the link to your predecessor video. Because your videos build on each other so that we viewers can follow them through. Anyway you do a great job here. Thanks for that.
Great tip, many thanks!
Would you mind sharing what router models you use/suggest for the Router/Firewall and Access Point Devices? Thanks for these videos, I've been struggling in vain to do a similar setup using dd-wrt.
Hi Andrew, in the video I had been using Archer C7's but I have replaced them with D-Link DIR-2660's these days. You might want to check my video on Router models here: ua-cam.com/video/wP1ZcQBLL1k/v-deo.html
Marc, do I need to add a new interface for each Vlan ID I want my router to recognize or is adding it on the "Switch" page enough?
And also do i add firewall zone settings for each? I may be thinking too complicated for this and it's much simpler than I thought
It depends on the OpenWrt version. I briefly touch on this in the "VLANs in OpenWrt 21" video.
Marc, I have a use case where a guest on the Guest lan needs access to a printer on the LAN lan. I've tried adding a firewall traffic rule to allow access to the printer ip address from the Guest lan. This doesn't work as it appears the general lan to guestZone forwarding rule is executed first and blocks all traffic from the Guest lan to the LAN lan. How do you handle forwarding exceptions to the general zone forwarding rules?
The general setting should not be evaluated before a traffic rule. However, if there is a traffic rule above then this goes first
@@OneMarcFifty You were spot on, there was another conflicting traffic rule.
Hi there , At 01:07 in firewall rule WAN =Reject input = reject output= accept forward = reject . this rule means all incoming traffic to our network is blocked or reject but from inside of the network any one can access to the internet? am I right ??
Correct. the first setting (WAN => Reject) means that we do not forward from the WAN to any other zone. (Input=reject) means, that traffic from the WAN can't reach processes on the router. (Output=accept) means that processes running on the router can go to the WAN. (forward=reject) only means that we would not forward traffic from one segment in the WAN to another Segment in the WAN. Internet Access from the LAN is set in the line above, where we allow zone forwarding (LAN => WAN).
@@OneMarcFifty Thank you for your answer
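The zone logic Marc describes in the replies above (input set to REJECT on the guest zone with a traffic rule that re-opens only DHCP and DNS, traffic rules being evaluated before the zone policies with the first match winning, the per-zone forward setting only governing traffic within one zone while traffic between zones needs an explicit forwarding entry, and the WAN zone's input policy) can be checked against a config file without touching a router. The following is an added example, not code from the video, the channel or OpenWrt: a small Python evaluator that parses a constructed /etc/config/firewall and returns the verdict fw3/fw4 would apply to a new flow. The zone names, the rule names Guest-DHCP-DNS and Block-example-site, and the documentation address 203.0.113.10 (standing in for any external IP one might want to block, like the dest_ip rule asked about further up) are assumptions for the example. Connection tracking (established/related traffic) is deliberately not modelled.

```python
import re

# Constructed sample /etc/config/firewall, not taken from the video: the guest zone
# rejects INPUT by default and one traffic rule re-opens only DHCP (67) and DNS (53)
# to the router; a second rule shows a dest_ip/dest_port match in the lan -> wan direction.
SAMPLE_CONFIG = """
config defaults
    option forward 'REJECT'
config zone
    option name 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
config zone
    option name 'wan'
    option input 'DROP'
    option forward 'REJECT'
config zone
    option name 'guest'
    option input 'REJECT'
    option forward 'REJECT'
config forwarding
    option src 'lan'
    option dest 'wan'
config forwarding
    option src 'guest'
    option dest 'wan'
config rule
    option name 'Guest-DHCP-DNS'
    option src 'guest'
    option proto 'tcp udp'
    option dest_port '53 67'
    option target 'ACCEPT'
config rule
    option name 'Block-example-site'
    option src 'lan'
    option dest 'wan'
    list dest_ip '203.0.113.10'
    option dest_port '80 443'
    option target 'REJECT'
"""


def parse_uci(text):
    """Parse the subset of UCI syntax used in /etc/config/firewall."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*(config|option|list)\s+(\w+)(?:\s+'([^']*)')?", line)
        if not m:
            continue
        kind, key, val = m.groups()
        if kind == "config":
            sections.append({"_type": key})
        elif kind == "list":
            sections[-1].setdefault(key, []).append(val)
        else:
            sections[-1][key] = val
    return sections


class Firewall:
    """Mirror how fw3/fw4 turn zones, forwardings and rules into chains.
    Only new flows are evaluated; conntrack (established/related) is ignored."""

    def __init__(self, text):
        secs = parse_uci(text)
        self.defaults = next(s for s in secs if s["_type"] == "defaults")
        self.zones = {s["name"]: s for s in secs if s["_type"] == "zone"}
        self.forwardings = {(s["src"], s["dest"]) for s in secs if s["_type"] == "forwarding"}
        self.rules = [s for s in secs if s["_type"] == "rule"]

    @staticmethod
    def _matches(rule, src, dest, proto, dport, dest_ip):
        if rule.get("src") != src or rule.get("dest") != dest:  # no 'dest' = INPUT chain
            return False
        protos = rule.get("proto", "tcp udp").split()         # UCI default is 'tcp udp'
        if "all" not in protos and proto not in protos:
            return False
        if "dest_port" in rule and str(dport) not in rule["dest_port"].split():
            return False
        if "dest_ip" in rule and dest_ip not in rule["dest_ip"]:
            return False
        return True

    def decide(self, src, proto, dport, dest=None, dest_ip=None):
        """Verdict for a new flow from zone 'src'. dest=None means the packet is addressed
        to the router itself (INPUT chain); otherwise it is forwarded into zone 'dest'."""
        for rule in self.rules:            # traffic rules first, top to bottom, first match wins
            if self._matches(rule, src, dest, proto, dport, dest_ip):
                return rule["target"], "rule " + rule["name"]
        if dest is None:
            return self.zones[src]["input"], f"zone {src} input policy"
        if dest == src:                    # intra-zone: the zone's own 'forward' setting
            return self.zones[src]["forward"], f"zone {src} forward policy"
        if (src, dest) in self.forwardings:
            return "ACCEPT", f"forwarding {src} -> {dest}"
        return self.defaults["forward"], f"global default forward (no {src} -> {dest} forwarding)"
```

Firewall(SAMPLE_CONFIG).decide("guest", "tcp", 22) returns REJECT from the guest input policy, while decide("guest", "udp", 53) returns ACCEPT from the Guest-DHCP-DNS rule; decide("guest", "tcp", 445, "lan") falls through to the global forward default because there is no guest to lan forwarding, decide("guest", "tcp", 445, "guest") is decided by the guest zone's own forward setting, and decide("wan", "tcp", 22) returns DROP, the WAN input setting recommended earlier in the thread so the router stays silent towards the internet. Because the rule list is walked top to bottom, a conflicting rule placed above the one you are debugging takes precedence, which is the situation described in the printer exception exchange above.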
With regards to a guest network, how do you prevent non-guest clients that are in range from abusing your wifi? E.g. a neighbour permanently connecting and taking up valuable bandwidth. Is there a way to mitigate this risk?
Put a password on the guest wifi ;-)
Which are the differences between OpenWrt and pfSense? Which are the differences between OpenWrt and opnSense?
Openwrt is Linux, the other two are FreeBSD. Pfsense started as a firewall appliance, OpenWrt was a firmware alternative for consumer Wifi routers.
@@OneMarcFifty Darwin and FreeBSD are BSD derivatives of the original UNIX. But Linux isn't UNIX, it's UNIX-like. And nearly everyone would say that Linux = UNIX and/or UNIX = Linux. Linux = UNIX is kind of correct, not fully correct. UNIX = Linux isn't correct.
@@OneMarcFifty OpenWrt was a firmware alternative. Why was it a firmware alternative?
Back at the time, Linksys used GNU licensed Software in the firmware of their WRT54G. They had to disclose the source code. OpenWRT built on this to provide an open source alternative to Consumer Wifi routers, mainly aftermarket.
I setup your configuration on a WRT610N running OpenWRT 19.07.7. Each of the 3 Wifi work perfectly as standalone but when I try to start all 3 together Radio0 fails on restart. Radio0 is 2.4 GHz. 5 GHz is not recognized by OpenWRT. Any suggestion as to what might be causing this problem would be appreciated. I suspect the router hardware cannot support this configuration.
It looks like there is a hardware revision that has issues with 5 GHz - if your HW revision is V1.0 (serial number CTG01...) then it might not be possible as of now - please see openwrt.org/toh/linksys/wrt610n_v1
Hello! How to pass VLANs via WDS?
Hi Franco, you would need to use GRETAP devices or the like and bridge them to your VLANs on both sides.
@@OneMarcFifty I was able to do it!
Please help, I'm getting a "Legacy Rules Detected" warning on 22.03
Guys, can anyone help me? I set up guest wi-fi as described in this tutorial (without IOT, i don't need it). everything works perfectly but only for one radio. I have 2.4 and 5 GHz radios. when I enabled both of them only one works (both set up as Access Points and connected to "GUEST" interface).
So I enable 5 GHz and devices connected to 2.4 GHz stop working, then I restart and reconnect to 2.4 GHz, and 5 GHz devices disconnect.
Maybe your Wi-fi config is faulty ? You may regenerate it by typing "wifi config" on a command line ssh'ed into the router.
@@OneMarcFifty i have set up two "guests" with different ip ranges for each of the radios and it started working
my setup:
RB750GR3 with OpenWRT 19.07 (PPPoE wan)
Ubiquiti UAP-PRO with OpenWRT 19.07 (acting as ap)
I can't get it to work with your video, can you help?
Hi Antonio, difficult to give advice with the info provided... You might want to check in to our Discord server and ask the question with more detail ? discord.com/invite/DXnfBUG
Hello thank you for your videos! Great job!
Can you please help me with a problem.
I have 2 routers.
One is a "Fritzbox 6591 Cable" and the other is a "TP-Link Archer C6" with OpenWRT 19.
The Fritzbox is on LAN-Port 1 on 192.168.178.1 and on LAN-Port 4 via guest-lan on 192.168.179.1 available.
The TP-Link is on LAN-Port 1 on 192.168.178.2 and on WAN-Port via guest-lan on 192.168.179.2 available.
I have also an 8 Port Switch. Port 1 - 4 VLAN1, Port 5 -8 VLAN2.
Switch-IP: 192.168.178.3
Switch-Gateway: 192.168.178.1
From Fritzbox LAN-Port 1 is a cable connected to the Switch Port 1
From Fritzbox LAN-Port 4 is a cable connected to the Switch Port 5.
From TP-Link WAN-Port is a cable connected to the Switch Port 6.
From TP-Link LAN-Port 1 is a cable connected to the Switch Port 2.
My Laptop is connected to the Switch Port 3. IP: 192.168.178.40 Gateway: 192.168.178.1
So, I have some IoT equipment. For example one via WLAN (guest net from the Fritzbox) with 192.168.179.3
So what do I have to change in OpenWRT so that I can access the IoT equipment from the 192.168.178.0 net in the 192.168.179.0 net, and how should I configure the interfaces (and maybe the firewall - but I think the Fritzbox does this already).
Thanks.
If you want to answer in german, fine :)
You seem to have your two routers in the same subnets - not sure what you want to achieve - the best is probably if you get on my discord server and either post a drawing (what is the current setup and what should it look like) or alternatively we have interactive video chat sessions on Sunday.
@@OneMarcFifty Hi, ok cool. I'm now on discord.
Man, why do people still use a class C netmask on a class A IP address?
Why not ? It's a design choice. Do you really think US Postal or Ford or Apple don't subnet ?
@@OneMarcFifty This is not the issue, the issue is why people use the wrong netmask for the network they are using. A class for A class, B for B, and so on and so forth.
@@coisasnatv OK, let me expand on this a bit. The 10.0.0.0/8 network is a class A network. That does NOT mean that you have to give /8 to any 10.x network. It just means that your router would never route e.g. any 10.x into the internet. 10.0.1.0/24 is a perfectly valid private network address, so is 10.0.0.128/25. (In fact you could have up to 4M subnets with two hosts in each ;-) ) The only situation where I could see a class/subnet conflict is when someone would give a let's say /16 or /10 subnet to let's say a class C (e.g. 192.168.0.0/22) because that would include public IP addresses. The class and the subnet are related, but two different things. These days as networks are assigned to a CIDR mask anyhow, the classes are not important any more en.wikipedia.org/wiki/Classful_network
@@OneMarcFifty Your explanation falls under the same logic as people that start in electronics, for example, one might replace a blown 500 mA fuse with a nail.
Your demonstration about network class and CIDR is the same as replacing a fuse with a nail, because in the end "it works".
If you look at the link you shared, it shows that the correct CIDR for a class A network is /8 or 255.0.0.0, *NOT* /24.
It works, however, people might have routing issues in complex network environments and not understand why the network configuration is not working.
What you say was true in 1998 but it is not true in 2022 - or to put it differently - for anyone using classful routing (RIPv1 and/or IGRP). RIPv1 has been retired in 1998. Even Cisco have retired all IGRP related CCNA exams and call IGRP an "obsolete protocol" please see en.wikipedia.org/wiki/Interior_Gateway_Routing_Protocol and en.wikipedia.org/wiki/Routing_Information_Protocol Again - there is no problem with SUBnetting here but rather with SUPERnetting. Hence 10.0.1.0/24 is OK, 192.168.0.0/16 is not. So to come back to your example with the fuse - I am not replacing the fuse with a nail but rather with an eFuse. I do partially agree on one thing though - that is in "complex" networks, i.e. networks where very old routers would not use EIGRP this could be an issue because the subnet boundaries would not be identified correctly (as IGRP does not carry a subnet mask).
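A quick way to settle the class-versus-CIDR argument above is to ask the only question that matters for a private address plan: does the prefix lie entirely inside an RFC 1918 block? Subnetting inward (10.20.30.0/24, 10.0.0.128/25) always does; only supernetting outward past a block boundary (192.168.0.0/15, 10.0.0.0/7) pulls public addresses into your "private" range. The following is an added example, not code from the video or from anyone in the thread, using Python's standard ipaddress module; the prefixes in the usage note are the ones mentioned in the comments plus the documentation range 203.0.113.0/24, which is not private at all.

```python
from ipaddress import ip_network

# The three RFC 1918 private blocks (historically the "class A/B/C" private ranges).
PRIVATE_BLOCKS = [ip_network("10.0.0.0/8"),
                  ip_network("172.16.0.0/12"),
                  ip_network("192.168.0.0/16")]


def check_prefix(cidr):
    """Classify a prefix for private use.

    Returns (ok, containing_block, public_addresses): ok is True when the prefix lies
    entirely inside one RFC 1918 block, whatever its length; public_addresses counts
    how many non-private addresses the prefix drags in when it has been supernetted
    past a block boundary (or never was private to begin with)."""
    net = ip_network(cidr, strict=False)        # '10.20.30.40/24' -> 10.20.30.0/24
    for block in PRIVATE_BLOCKS:
        if net.subnet_of(block):
            return True, str(block), 0
    # CIDR prefixes either nest or are disjoint, so the private part of an oversized
    # prefix is exactly the sum of the RFC 1918 blocks it fully contains.
    private = sum(b.num_addresses for b in PRIVATE_BLOCKS if b.subnet_of(net))
    return False, None, net.num_addresses - private
```

check_prefix("10.20.30.40/24") reports (True, "10.0.0.0/8", 0), as does 10.0.0.128/25; check_prefix("192.168.0.0/15") reports (False, None, 65536), i.e. the whole of 192.169.0.0/16 would be treated as local, and check_prefix("203.0.113.0/24") reports 256 public addresses because no private block contains it. Routing protocols that carry the mask (everything in use today) are indifferent to the class; what breaks is leaking public space into a local prefix.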
I can't find switch in the network menu. How can I install it from my Windows 7 PC?
Which version of OpenWrt are you using ? Things have changed in Version 21.
@@OneMarcFifty 21, the current version. But my br-lan port entered blocking state, br-lan port entered forwarding state, br-lan port became ready.
This is happening continuously. 😯😯😯 Unstable connection. What is the problem?
Nice video and walkthrough, I have a question.
I am using OpenWRT version 21 and I know you recorded this video using an older version. I left the interface devices as unspecified. I have the same router as you have, Linksys ACM3200.
I followed the steps from the video but I am not able to add multiple networks (lan, guest, iot) under the same radio interface as you did.
In the video you only show adding the first one (lan) and then in the next video (ua-cam.com/video/4t_S2oWsBpE/v-deo.html) it shows all 3 (lan, guest, iot) added under radio0. When I add another network under radio0, such as lan + guest, and enable the second, both show as 'disabled'. The only way for me to add guest is on radio1 (2.4GHz).
Can you please help me understand what I am doing wrong?
You're doing nothing wrong. Wi-Fi on the ACM3200 is a big challenge. Check this out: forum.openwrt.org/t/users-needed-to-test-wi-fi-stability-on-linksys-wrt3200acm-wrt32x-on-openwrt-21-02/101700/8
Your explanations are really complicated. Please just use some pictures when you are about to explain some terms, for example show some diagrams of the real devices you are talking about and how they relate to each other.
Thank you very much for your comment. Could you maybe give a time marker where you think the explanation is complicated and what it should have looked like ?
10.20.30.40 with 255.255.255.0 mask??? This is absolutely wrong. You do not understand anything about IP subnets, right? Let's check with a simple online IP subnet calculator - so we see that you need to assign a really completely different subnet MASK so that this net works correctly.
What exactly is wrong with subnetting a class A into /24 ? The .40 is not a net but an ip in the 10.20.30.0/24 subnet. I can’t see anything wrong here.
Hey man, are you a teacher?! This video is the one that I was looking for and Your explanations are GREAT! OpenWrt is not that simple (and the wiki is confusing IMO) but you make things easier. Keep it up, please !
Hi Francesco, no I am not a teacher 😉, I just love to explain things - all I’m doing on this channel is that I share my own learnings really.
This is such an incredibly helpful video for newcomers to OpenWRT. Very high quality an informative. The way you explain things is so clear. Thank you!
Many thanks Colin !
Please visit my channel page: ua-cam.com/users/onemarcfifty
Want to talk to me? Join my Discord Server: discord.com/invite/DXnfBUG
Hi - I'd like to add a comment that took me hours of frustration. The 'interface' names need to be created in lowercase - otherwise there will be no IP assigned even if it's set up properly. I didn't try all capitals - but a mix of lower/upper case resulted in a connection to the guest network, but no internet/obtained IP.
One thing I can't get working, is connecting over wifi to the "IOT" wifi network. Was that not the intention based on these instructions? Basically, I wanted a separate "guest" network for IOT devices that can't see my LAN. I can connect to the "GUEST" network fine, but not the "IOT" one.
This is a great video, and I used it to setup my home network with just a few customizations, but I just tried this again using OpenWRT 22.x and the changes are just too important, especially the missing "Bridge Interfaces" option which also breaks the wireless network setup. Can you please consider updating this video with a 22.x version? Thank you.
It’s true - things have changed a bit. I’ll probably do some follow-up as soon as the remaining dependencies on iptables have been removed.
@@OneMarcFifty Please confirm: can we overcome this by using a specified bridge, e.g. br-lan? Or am I missing something?
If I set up the IOT as described here, my IOT devices become useless as far as I understand. If I use Home Assistant or any other IOT server located in the home network, according to my understanding, the devices are now isolated in such a way that they cannot transmit information to HA. How do you solve this problem?
Hi, it depends on what you want to achieve. If you want your devices to be discoverable by HA then HA needs to have a leg in that network segment. You could therefore assign an additional network interface to the HA Server and modify routes/forwarding etc. or you could define routes on the router allowing HA access into that segment. Alternatively (this is my use case with FHEM, but would work with any Home Automation that supports MQTT) - install Mosquitto on the router and have the IOT devices communicate with HA over MQTT. Mosquitto would listen and broadcast in all segments and hence be an application gateway or middleware for all home automation over all network segments without exposing devices or http interfaces and the like.
Hi Marc, quick question for you. @10:30 you mention to Bridge Interfaces, but now on latest 22.03 version that isn't there anymore. Do we need to do something different now? The only thing I could see in regards to bridging was to select the device to "Bridge: "br-lan" (lan)" but that seems to do something different...Thank you.
Yes, you can use br-lan or any other bridge that you create under the devices tab. That does the same.
@@OneMarcFifty Thanks for looping back around to this! Is there any benefit to setting up a separate bridge for the guest and iot interfaces, or can they all safely use the same bridge? (i.e. why would you have set up separate ones in earlier versions?)
Thank you so much for this wonderful video!
At 10:25, I'm not seeing a "Bridge Interfaces" option in the current version of Luci. Proceeding to create an interface without that option shows "Device: Not Present" under status. Any idea what could be wrong?
I have the same problem. Did you resolve it?
Things have changed in OpenWrt 21 - video is in the making and will come out in December !
@@sidbyron210 Yes, I managed to resolve it. I created separate VLANs and used them.
@@OneMarcFifty Am I correct that I can just create a custom device named br-GUEST and br-IOT?
@@OneMarcFifty Hello, did you ever make this video? I am stuck at this part. Thank you!
Kudos. Very informative video, without substantive errors on the topic, and showing a proper understanding of the underlying mechanisms. This is the proper way in which OpenWrt configuration should be explained.
Many thanks for your friendly feedback!!!
Thanks, this was really helpful. Your explanations gave me enough info to be able to tailor everything to my own needs without being completely lost. The screens shown are a little out of date for the latest version of OpenWrt but are still quite usable.
Hi, many thanks for the feedback - there are newer videos on OpenWrt 21 on my channel https:/ua-cam.com/users/onemarcfifty
@OneMarcFifty at the 10:39 mark you ticked the bridge interface box, in 22.03 that box no longer appears and we have to manually create a device to configure. What physical devices are you bridging by ticking that box?
Hi Randy - as such you're just creating an empty bridge where you can add devices later. In Versions 21 and later you would create a bridge under devices and then add the devices you want to the bridge.
Thanks for the videos! I am trying to follow you to achieve the dumb AP vlan over one cable, but when I try to create the new interface I do not see the "Bridge Interfaces" checkbox (video @ 10:44) and then when adding Interface my status shows "Device: Not Present" while you show "br-GUEST" (video @ 10:54). I am on the Belkin RT3200 snapshot r21517-d7876daf65. Anyhow, it seems maybe I missed where the device br-GUEST was created. Any ideas?
This has changed in OpenWrt 21. You now create a bridge device under Network-Interfaces-devices tab, add the Ethernet ports to it. Define an interface and attach it to the bridge. When you create a Wifi you can then attach it to the network.
I want to open the IOT network for MQTT on port 1883 towards the LAN network, so that my IOT devices can send packets to an MQTT broker which is in the LAN. I don't know how to handle it.
Hi Mark!
In openwrt version 22.0.3, when creating a network interface, you need to select a device. Apparently for the guest and IOT you need to create a new device?
Either you create a device for each VLAN (eth0.44 or the like), add it to a new bridge or you can use Distributed Switch architecture DSA. There is a video about VLANs on version 21 on my channel page
how could i add an exception? I want to give possibility from the guest (192.168.2.x) to reach the printer that is on 192.168.1.x
Hi Francesco, you can do that in the traffic rules (Network-Firewall-Traffic rules tab) and allow from, to or based on IP/MAC
This happens to me in Openwrt 22.03.2. I just came here again, to see what was my mistake. I'm setting up an old Netgear R6100 and this device does not create the proper bridge in order to wireless connection work. So I did create a bridge device, then attach it to the guest interface and finally, in the wireless section, attach it. After this, wireless devices start to obtain IP address.
Hi, many thanks for sharing ;-)
I wish it worked on the latest 22.03.2 version, but it doesn't. They took away the option to bridge interfaces; no matter what I try, the guest wifi does not get an IP address.
By the way, could you post links to OpenWrt wifi setups? Thank you.
Hi, in Versions 21 and newer, the bridges are created under Network-Interfaces- Devices Tab. Please see this video ua-cam.com/video/qeuZqRqH-ug/v-deo.html for more details on DSA and Bridge VLAN filtering
Very enlightening! What if I have an NVR and connect it to the IOT wifi, will it be able to notify me in case I turned on Detect Motion and Notify Me? Thanks and More Power!
Hi, thanks for your comment - I personally like to do notifications over network boundaries with MQTT - for this I have Mosquitto running on my router which is accessible from all network segments
You are doing exactly what I am trying to do. Thank you for the clear explanation!
Awesome- thanks a lot!
Well explained and summarized the firewall concept of OpenWrt, not available on YouTube though it is in the OpenWrt forum, scattered in bits and pieces. Looking for videos on:
1. Parental control traffic rules, esp. this pandemic season it is all the more imperative. Kids are smart; with their whack-a-mole devices they outwit the tagged IP or MAC in traffic rules.
2. Access the OpenWrt router from the internet (we have one of the wifis tagged to OpenVPN). No videos on this on YouTube.
Hope there would be enough requests for these and it would be helpful to many OpenWrt users. Thanks in advance.
Many thanks for your feedback @Ranish and thank you for the suggestions - port forwarding is on my list but parental control was not - I‘ll have a look into options (hint: give your kids a separate Wifi in a separate FW zone, this is resistant against ip/mac changes)
Is there a way to still block devices on the IOT firewall from the internet, but also certain ones? For example a smart TV, Google Home, or HA server
You could add another zone and call it "Multimedia" or the like
"Bridge interface" checkbox is no longer available in 22.03.
Hi Ethan, that's right - the settings have moved to the device tab.
Question, you said: "I do not expect an IOT device to open the browser page on my router so we can leave input accepted". Question is: why input accepted? Should it not be reject, to deny permission?
You could do that. But then you need to add traffic rules for DNS and DHCP and possibly NTP
Thank you for the great content! I would like to know a bit more, how do you configure the provider's router LAN output and the first OpenWRT WAN input area? Do you allow the provider's router to make the NAT? Or will it be done also in the OperWRT?
In my case, I just set the WAN interface of OpenWrt to DHCP, i.e. I let the ISP do NAT. From a performance standpoint not the best solution but the easiest to implement as from the ISP router's standpoint it looks like there is just one client.
I have followed this guide to the letter multiple times (factory resetting and applying latest firmware) but can't seem to get the internet to work on the Guest wifi, even after entering 8.8.8.8 DNS server and using 255.255.255.0 netmask. Internet only works on the main wifi. Any ideas?
Hi, difficult to say from a distance without logs etc. Maybe hop on the discord server and ask there
@@OneMarcFifty Thanks for your response. I figured it out eventually; it was because I needed to set the access point IP on the same subnet as the router.
First of all, I would like to thank you. And I would like to add just one small thing. I forgot the rule for the IOT-DHCP part in the firewall configuration section. Without it the IOT devices will never get their IP addresses 😀
Hey man, big big work...This is not a video. This is the bible 🙂
I have, if possible, a question. I have successfully implemented three vlans. One "Lan", one "Guest" and one for IOT devices. I have extended the implementation to WIFI as well. The Lan reaches the Internet and the other two zones, the Guest only reaches the Internet and the IOT does not reach any area including the web. Everything seems to work and the results of the various pings are consistent with the infrastructure.
The problem is with IOT devices. I have a single smart plug correctly connected to the IOT (it receives the IP from the interface's DHCP server). I connect my mobile phone to the IOT network and the application, specifically SmartLife, sees the device and manages to interact with it.
If I connect to the LAN the device goes offline but I can still ping it...I'm going crazy! Thank you so much for any advice.
You would need to figure out what ports and protocols the app is using to communicate with the devices and then open those for communication really ;-(
@@OneMarcFifty Many thanks for the reply. I am currently experimenting with the mDNS protocol implemented by the avahi package. But the results are disappointing ... I will try to understand, through tshark, what happens on the net :)
Thank you for this tutorial, good Sir! This is very helpful to me. Just want to add one question, Sir. Is there a way to separate browsing (wanA) and gaming (wanB) on different WAN interfaces with a failover option?
Yes you can do that. Just define two lan interfaces, attach a wifi to each one and define the same or different firewall rules for each (basically allow forward to wan)
Thank you very much for your videos, they were really helpful for setting up OpenWRT :)
Quick question: How can we isolate devices from each other in the guest network? I have created a bridge device br-guest bridging br-lan.3 and bat0.3 (I use batman-adv) and added it to the guest network. Communication between lan and guest is blocked, however the devices in guest can see and access each other. Checking AP isolation on the radios and bat0 seems to change nothing. On DD-WRT i had to manually setup ebtables. Is there any way to set this up with luci? Thanks a lot!
I have not yet found a good way to do this. If you set up Wi-fi isolation, it will work on one AP but not over many APs. Firewall-wise you can't really define such a rule in LuCI. You would need to come up with some rule based on the MAC addresses (deny all traffic from GUEST except to the router itself).
@@OneMarcFifty Thanks for your response! I have researched a bit and found some ways to achieve this. One easy and efficient way would be to enable VLAN filtering in the br-guest settings and simply setting 1 PVID Egress untagged on each Port there. This would effectively deny all local communication on that bridge. However there are two problems: Using batman-adv on nodes, this would also deny communication to the gateway router via bat0.3. Also, there is currently a problem with the bcm4366 driver (?), where wifi does not work on bridges with VLAN filtering enabled.
I did the following to achieve this goal:
- Enable AP isolation on guest Wifis on each node
- Install ebtables-nft and add the following to the startup of the gateway router:
ebtables -A FORWARD --logical-in br-guest --logical-out br-guest -j DROP
- Add this to the startup of all other nodes that are connected via batman-adv:
ebtables -A FORWARD --logical-in br-guest --logical-out br-guest --in-if ! bat0.3 --out-if ! bat0.3 -j DROP
I read a lot online that ebtables is quite inefficient, however this is the only way that worked for me. I didn’t notice any performance degradation doing this.
Great one! I’ll add that to my router for testing as soon as I can - thanks for sharing!
If you isolate devices on IOT network from the internet, how do you control them from an app on your mobile device? Case in point: I have IP cams I would like to 1) isolate from my LAN 2) stop from "phoning home" and 3) still control/receive notifications from when at and away from home LAN
Hi - the main reason for me isolating my IOT devices is that I didn't have any cloud based IOT devices at the time of making the video (all my IOT devices were more or less DIY solutions based on ESP8266 / ESP32 at the time). I do in the meantime have some cloud devices, but I moved them again to a separate VLAN - all you'd have to do in order to adapt is add internet access to the IOT zone really.
@@OneMarcFiftyOk makes sense. Well done on all the OpenWrt videos. Very thorough and explained succinctly.
Question: would you class Android streaming boxes and Chromecast Google TV as IOT-zone worthy, and what about making casting work in this type of configuration?
Hi, I have added my Multimedia devices (Kodi, bluray player, TV Sets and the like) into a separate Multimedia Zone. Getting mDNS and broadcasts to work requires a lot of fine tuning and configuration... not easy ;-(
Can you possibly cover how to set that up please?
6:20 What do you mean by "you won’t have different networks in one zone" ?
Hi, that was more or less just an assumption. Looking at what 99% of the users are doing, they would presumably only have one subnet in the LAN zone. If you had for example 192.168.4.0/24 and 192.168.5.0/24 _both_ in the same zone and you would want to allow forwarding traffic from one zone to the other, then you would need to set forwarding to allowed. If not, set it to drop or reject. So it's more about network isolation _within_ one zone.
@10:30 what does the enabling "Bridge interfaces" here actually do? How did it help in the "next episode" and what would have happened if we didn't enable it?
BTW: GREAT OpenWRT explanation. Firewall Zones on OpenWRT is a hard topic for me, but now I more or less get it.
Mainly "enabling bridge" in OpenWrt 19 links the interface to a bridge rather than one single interface. The advantage is that you can add multiple devices (Ethernet, VLANs, Wireless) to one single interface rather than have one single interface. Things have changed in OpenWrt 21 as well w/r to the separation of "interface" and "device"
Marc, great video, convinced me to move to OpenWRT with all my thoughts on restricting the local devices I have as much as possible. One question though - why not restrict IoT devices from accessing my router? I'm not an expert, but don't those smart plugs represent a trojan horse for someone who knows what to do with them once they can SSH to my router? What if we "reject their input" and create the same rules as for the Guest Network, with the DHCP rule only?
Hi Vadim, valid approach. There is no 100% Security ;-) If someone takes over your router then you might have a whole bunch of other problems as well ;-)
Thanks for the useful diagram. Picking up OpenWRT compatible routers for $5 in the second hand market is one of my best decisions made as I can now use them as dedicated firewalls for my IoT devices even if the rest of the network runs on newer consumer grade hardware
I have it in reverse where I have a mix of consumer grade router with stock firmware, dd-wrt and openwrt. The Stock firmware one has the best wifi so it stays in the center. One cable to another room is a DD-wrt box acting as an unmanaged switch with full gigabit speed, and one of the port is connected to a 100Mbps OpenWRT router with LAN firewall configured to be as strict as guest network for IoT devices only. It works great and I like the peace of mind that IoT devices cannot ping my computers
Edit: I found out my DD-wrt box also supports OpenWRT and the firewall does not affect the unmanaged gigabit speed of the switch. Unified them to one device and added wireguard functionality
Hi, thanks for the video. Question for ua-cam.com/video/UvniZs8q3eU/v-deo.html, if we don't expect the IOT devices to access the webpage then shouldn't they be set to reject rather than accept?
Hi, if you set input to "reject" then no device in the IOT zone would be able to access services on the router. That would include DNS and DHCP which they need. So if you set input to reject then you would need to add rules for the protocols which you want to use (DHCP, DNS, possibly NTP)
Seems Openwrt, despite using the same terminology as iptables, works differently from it. I don't get why input and output are used in your video when routing between zones. As per your data flow diagram, input and output chains are not touched when forwarding.
It doesn't work any different from IPTables. You can use the iptables CLI tools to query the status at any times.
can you make a video like these but tor + protonvpn?
Hi, I am sorry but ProtonVPN is a service provider. Usually I do not make videos about Service providers.
I would really like to know how to allow IPv6 on the guest network; I've been trying but with no success as of right now.
Hi Eduardo, does your ISP allow Prefix delegation or do you only have one IPV6 address ?
@@OneMarcFifty it does allow, and it works on my lan interface, but i cant get it to work on guest vlan
Another great video.
I've been reading documentation for days to find out what and how I have to configure an OpenWrt router. Just like Francesco Pocci, I find the OpenWrt documentation very confusing. Only when you understand how it works can you understand it :(
And like Colin Nicholson, I'm excited about the expansion to include VLANs.
You have a talent for explaining complicated things simply. Great. And that with the proverbial "German thoroughness"
Last night I managed to flash my Archer C7 with OpenWrt. It had the latest TP-Link firmware and unfortunately only worked with TFTP. It took me a long time to find out that media sensing was the problem in getting TFTP to work. :(
I'm going to do the configuration right now. I will try myself to get VLAN working too...
Many greetings from Braunschweig to Berlin
Many thanks for your kind feedback!
@@OneMarcFifty
Got VLANs for IOT / Guest working on my Archer C7 :)
LAN ports and wireless work as expected. Thanks to your video "Building a managed switch with OpenWrt on old Wifi Router"
Next step is to add an additional dumb AP with VLAN support, fast roaming, ...
I would like to see another episode on the topic. Extended firewall configuration according to the blacklist principle when using VLANs.
E.g. allow HTTP / HTTPS from LAN / Guest zones, but stop sending SMB packets over the WAN interface.
Just the video I needed - can't wait for the VLAN to 2nd access point episode! I've just set up a two OpenWRT router system because of your fast roaming video.
Many thanks Colin! Perfect timing ;-) I hope that I get this ready until next monday. But it will come _very_ soon.
Hey there. I know that this video is 3 years old. But I'm trying to add another IOT zone for things like a smart TV that still need to connect to the internet. From my understanding of your video, I needed to create an IOT zone with almost the same settings as guest. The problem I am having is I cannot cast from my main SSID to the SSID of the IOT with the internet.
Hi Marc, how do you create an IOT interface on OpenWrt 21.02? I have a GL-AX1800 router with Powered by LuCI openwrt-22.03 branch (git-21.284.67084-e4d24f0) / OpenWrt 21.02-SNAPSHOT r16399+157-c67509efd7 pre-installed. Thanks
Running 22.03, and setting up a zone to reject input, let's say from a guest network, is leaving all devices on the interface in that zone unable to get an IP from the DHCP server. In order for the devices to connect to the internet, they need to be configured on the device end with a static IP within the range... I think OpenWrt in an update changed the way these firewall zone rules work?
Why is:
config rule
    option name 'rbc'
    list dest_ip '204.74.99.100'
    list src_ip '192.168.1.105'
    option dest 'wan'
    option src 'lan'
    option dest_port '80 443'
    option target 'REJECT'
not blocking traffic from my pc (.105) to access Royal Bank (204.74.99.100)?
Difficult to say with the few infos - maybe jump on the discord server and create a support thread there
Will my IOT devices continue to be able to perform firmware updates even without internet access?
Also, after starting the Guest and IOT interfaces my AdGuard Home is no longer being used as main custom DNS Server by the LAN interface...
I don't get it, I didn't change any setting on the LAN interface. On the Guest interface I manually set some custom DNS servers of my preference; on the Guest network I want to bypass AdGuard Home.
Can you install some Linux Containers or some virtualized machines with OpenWrt - e.g. by configuration of the different network settings for the Linux Containers such as Host, Bridge, MacVLAN, IPVLAN, Isolated, Custom etc. with OpenWrt?
You can run Docker and/or Qemu on OpenWrt - if you use x86 hardware. I wouldn’t use Macvlan or the like though for security reasons
@@OneMarcFifty How can I run Docker and/or Qemu or Linux Containers like Proxmox Containers on OpenWrt, if you use x86 or x86-64 hardware? If macVLAN is bad because it can cause problems for security reasons, how should I solve this problem?
Actually, it's not so much the MacVLAN network that would be bad, but rather you would need to make sure that you don't bind anything to the WAN adapter inadvertently. As long as you bind to the LAN you should be fine.
@@OneMarcFifty Is Cloudflare with its own idea of Zero Trust Tunnel a good idea for this issue?
Would you please tell me about OpenWrt auto-disconnecting from the ISP? I'm using an Asus RT-N12+ B1 with OpenWrt v22.03.05 and my WAN type is PPPoE.
Sorry for bothering you.
I am new to OpenWrt and I followed your video, but for a simpler setup. I have two 2.4 GHz LANs and the issue I have is that when I finished, in the IoT network the devices did not connect with each other. My cameras need to record the videos to a Sync device. I did not check the isolation option.
I will really appreciate if you can point me on the right direction.
Thank you
Just to double check two things: at 5:32, when you say that the output is set by default so the router may access all other zones, can you think of a scenario where you wouldn't want that to happen?
Also at 5:40 you mention that everything is kept in its own zone; do you mean that everything is kept in its own network within the zone that the forward policy is applied to?
Want to make sure my understanding is correct, thanks again for the wonderful vids!
How do I configure Samba in OpenWrt?
Hi, I am not sure if I understand your question - do you want to know how to configure firewall rules for Samba (that's basically just TCP port 445 plus maybe 137/138/139 depending on netbios y/n and/or mdns) or do you want to know how to install Samba on Openwrt (that's basically just selecting the package in System-Software or alternatively opkg install samba...)
This is such an awesome video! I am just getting started with OpenWRT and LuCI and I have been looking for this kind of video for weeks. Love the level of detail and the screen captures.
Hi Lionel, many thanks - I am glad that you like it !
I think I should follow all the instructions in the video, even liking and subscribing hahaha
What happens if I set output of GuestZone to reject? Does the LAN also lose DNS etc.? OpenWrt can connect or not to WAN and is not aware at application level of who is asking for anything. Right?
Great video again Marc :-) I have a question: is it possible to put one or more of the ethernet ports in a zone, that way putting it on a separate real network like you did with the firewall zones, as opposed to a VLAN?
Thanks mate! What you are looking for _is_ effectively VLAN; you can‘t assign a switch port to a firewall zone without an eth.x interface.
Hey Marc, question you might be able to answer - I have my access point set to AC mode on 5GHz, but my devices don't seem to connect in that mode. I have one device with an AX WiFi chip which connects via the 802.11a band and a device with an AC WiFi chip which connects on 802.11n. How can I make them connect on AC, and how can I confirm my access point is correctly broadcasting AC?
Hi - in order to check what the access points are broadcasting I suggest running "iw scan" on a Linux workstation with Wifi hardware. That will show you everything.
How do we do this in the new 22.x.x version of OpenWrt? The
"physical settings" disappeared and now we have the "devices" tab.
Nice explanation. I just flashed OpenWrt to my router. I have a Raspberry Pi running multiple applications on Docker connected via ethernet. They all have unique IPs on my LAN (by creating a macvlan network). Is it possible to isolate one application (using one unique LAN IP) so that it cannot access other LAN devices?
Hi Aditya, that scenario would require the implementation of VLANs on the host and then binding the docker containers to the separate VLANs (e.g. eth0.3 / eth0.4)
Hi, great videos. One question though: why does your IoT network have access to the router interface/login page? I had a rogue IoT device previously attempting user/password combinations, and I really want to avoid this. How would I block them from seeing my router?
You also said you don't want devices on your IoT network to phone home. How would they continue to work if blocked from WAN? E.g blink cameras, nest doorbells etc as they need Internet?
Hi Will, mainly this was just for the sake of simplification. You could as well set the default Input to "drop" and then enable only needed services (such as DNS, DHCP, maybe NTP). W/r to internet access - the IOT devices that I use are no cloud devices. They are mainly DIY devices built with ESP8266 or ESP32 micro controllers and don't need internet access. My vacuum cleaner is an exception. It does need internet access and is in a separate DMZ.
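Several replies in this thread make the same point: once a zone's input policy is set to reject, that zone still needs explicit traffic rules for DHCP and DNS (and possibly NTP) or its devices never get an address, and exceptions such as letting the guest network reach one printer in the LAN, or letting IoT devices reach an MQTT broker on port 1883, are traffic rules with both a source and a destination zone. As an added example, not code from the video, the commenters or OpenWrt itself, the Python below models how zone policies, zone forwardings and traffic rules are evaluated for a packet and checks exactly those cases. The zone names follow the video; the addresses 192.168.1.20 (printer), 192.168.1.10 (MQTT broker) and the rule names are constructed assumptions, and the model deliberately leaves out connection tracking, NAT and the global defaults section.

```python
"""Constructed model of how OpenWrt firewall zones and traffic rules decide on a
packet. Not OpenWrt's code: connection tracking, NAT and the global defaults
section are ignored; only the zone policy / traffic rule logic is modelled."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Zone:
    """Default policies of one zone (LuCI: Network > Firewall > Zones)."""
    name: str
    input: str = "REJECT"    # zone -> router itself
    output: str = "ACCEPT"   # router -> zone
    forward: str = "REJECT"  # forwarded traffic not covered by a forwarding entry

@dataclass
class Rule:
    """One 'config rule' section; field names follow /etc/config/firewall."""
    name: str
    src: Optional[str] = None                # src only -> INPUT chain
    dest: Optional[str] = None               # src and dest -> FORWARD chain
    proto: Tuple[str, ...] = ("tcp", "udp")  # UCI default when proto is unset
    dest_port: str = ""                      # "53", "80 443" or "6000-6010"
    src_ip: Tuple[str, ...] = ()             # hosts or CIDR prefixes
    dest_ip: Tuple[str, ...] = ()
    target: str = "ACCEPT"

@dataclass
class Packet:
    src_zone: str             # zone of the ingress interface
    dest_zone: Optional[str]  # zone of the egress interface, None = the router
    proto: str
    dport: int
    src_ip: str
    dest_ip: str

def port_matches(spec: str, port: int) -> bool:
    """Empty spec matches every port; otherwise space-separated ports/ranges."""
    if not spec:
        return True
    for item in spec.split():
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def ip_matches(specs: Tuple[str, ...], ip: str) -> bool:
    """Empty list matches every address; entries may be hosts or prefixes."""
    if not specs:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(s, strict=False) for s in specs)

class Firewall:
    def __init__(self, zones, forwardings, rules):
        self.zones = {z.name: z for z in zones}
        self.forwardings = set(forwardings)  # (src_zone, dest_zone) pairs
        self.rules = rules

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """(verdict, reason): traffic rules in config order, then zone defaults."""
        forward = pkt.dest_zone is not None
        for r in self.rules:
            if (bool(r.dest) != forward or r.src != pkt.src_zone
                    or (forward and r.dest != pkt.dest_zone)
                    or pkt.proto not in r.proto
                    or not port_matches(r.dest_port, pkt.dport)
                    or not ip_matches(r.src_ip, pkt.src_ip)
                    or not ip_matches(r.dest_ip, pkt.dest_ip)):
                continue
            return r.target, f"rule {r.name}"
        if not forward:
            return self.zones[pkt.src_zone].input, f"zone {pkt.src_zone} input policy"
        if (pkt.src_zone, pkt.dest_zone) in self.forwardings:
            return "ACCEPT", f"forwarding {pkt.src_zone} -> {pkt.dest_zone}"
        return self.zones[pkt.src_zone].forward, f"zone {pkt.src_zone} forward policy"

def example_firewall() -> Firewall:
    """Zones like the video's lan/guest/iot; all addresses are constructed samples."""
    zones = [Zone("lan", input="ACCEPT", forward="ACCEPT"), Zone("wan"),
             Zone("guest"), Zone("iot")]  # guest/iot: input REJECT, no LuCI/SSH
    forwardings = [("lan", "wan"), ("lan", "guest"), ("lan", "iot"), ("guest", "wan")]
    rules = [
        # with input=REJECT the zone still needs the router for DHCP and DNS
        Rule("Allow-Guest-DHCP", src="guest", proto=("udp",), dest_port="67"),
        Rule("Allow-Guest-DNS", src="guest", dest_port="53"),
        Rule("Allow-IoT-DHCP", src="iot", proto=("udp",), dest_port="67"),
        Rule("Allow-IoT-DNS", src="iot", dest_port="53"),
        # exceptions: guest may reach one printer in lan (assumed address);
        # iot may reach the MQTT broker in lan (assumed address) on 1883/tcp only
        Rule("Allow-Guest-Printer", src="guest", dest="lan", dest_ip=("192.168.1.20",)),
        Rule("Allow-IoT-MQTT", src="iot", dest="lan", proto=("tcp",),
             dest_port="1883", dest_ip=("192.168.1.10",)),
    ]
    return Firewall(zones, forwardings, rules)
```

Pass a Packet with dest_zone set to None for traffic aimed at the router itself (DHCP, DNS, the LuCI page); the verdict names the rule or zone policy that decided, which is the same question one answers when reading the active ruleset on the router. With the guest and iot zones above, a DHCP discover or DNS query is accepted by the explicit rules, a connection to the LuCI page on port 80 falls through to the zone's input policy and is rejected, and an IoT device reaching the broker over UDP instead of TCP, or anything not covered by a forwarding entry, is rejected by the zone's forward policy.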