the_information_nexus/docs/tech_docs/OPENwrt.md

To streamline your guide for setting up Proxmox containers with OpenWRT and configuring the necessary firewall rules for SSH and HTTPS access, here's a refined and concise approach:

Proxmox Container Creation

Below are the commands to create three different containers. Each attaches eth0 to vmbr0 and eth1 to its own bridge (vmbr1, vmbr2 or vmbr3):

Container 1 Setup:

pct create 100 /var/lib/vz/template/cache/openwrt-rootfs.tar.xz --unprivileged 1 --arch amd64 --ostype unmanaged --hostname openwrt-0 --storage local-lvm \
--net0 name=eth0,bridge=vmbr0,firewall=1 \
--net1 name=eth1,bridge=vmbr1,firewall=1

Container 2 Setup:

pct create 101 /var/lib/vz/template/cache/openwrt-rootfs.tar.xz --unprivileged 1 --arch amd64 --ostype unmanaged --hostname openwrt-1 --storage local-lvm \
--net0 name=eth0,bridge=vmbr0,firewall=1 \
--net1 name=eth1,bridge=vmbr2,firewall=1

Container 3 Setup:

pct create 102 /var/lib/vz/template/cache/openwrt-rootfs.tar.xz --unprivileged 1 --arch amd64 --ostype unmanaged --hostname openwrt-2 --storage local-lvm \
--net0 name=eth0,bridge=vmbr0,firewall=1 \
--net1 name=eth1,bridge=vmbr3,firewall=1

OpenWRT Firewall Configuration

You need to ensure that eth1 is recognized as the WAN interface on each OpenWRT container. Configure the network settings and define firewall rules to allow SSH and HTTPS access.

Define Network Interfaces:

Update /etc/config/network so that eth1 is the WAN interface. The same setting applies to every container (on OpenWRT 21.02 and later, the interface section uses option device in place of option ifname):

config interface 'wan'
    option ifname 'eth1'
    option proto 'dhcp'

Update Firewall Settings:

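In /etc/config/firewall, make sure the wan zone is defined as shown (a stock OpenWRT firewall config already contains a wan zone, so edit that one rather than adding a duplicate) and append the two rules that allow SSH and HTTPS access. These rules enable management connectivity via eth1: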

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config rule
    option name 'Allow-SSH'
    option src 'wan'
    option proto 'tcp'
    option dest_port '22'
    option target 'ACCEPT'

config rule
    option name 'Allow-HTTPS'
    option src 'wan'
    option proto 'tcp'
    option dest_port '443'
    option target 'ACCEPT'

Applying the Configuration

After updating the configuration files, you should apply the changes:

  • Restart Network Services:

    /etc/init.d/network restart
    
  • Reload Firewall Settings:

    /etc/init.d/firewall restart
    

Final Considerations

  • Security: Implement strong authentication methods, such as key-based SSH access.
  • Testing: Verify connectivity by accessing SSH and HTTPS from a network outside your LAN.
  • Backup Configurations: Always back up your configurations before making significant changes.
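
The Allow-SSH and Allow-HTTPS rules above accept connections from any WAN source. As an added example (not part of the original guide), this shell function reads a UCI firewall file and lists ACCEPT rules from the wan zone on watched ports that carry no src_ip restriction; the function names and the Allow-SSH-Admin sample rule are constructed for illustration.

```shell
# Added example: flag rules that ACCEPT watched ports from the wan zone with
# no src_ip limit. Reads a UCI firewall file on stdin; $1 = ports to watch.
audit_wan_rules() {
    awk -v q="'" -v watch="${1:-22 443}" '
    function val(   v) {                 # current option value, quotes removed
        v = $0
        sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", v)
        gsub("^[" q "\"]|[" q "\"][ \t]*$", "", v)
        return v
    }
    function end_section(   i, n, p) {   # evaluate the section just finished
        if (is_rule && o["src"] == "wan" && o["target"] == "ACCEPT" && o["src_ip"] == "") {
            n = split(o["dest_port"], p, " ")
            for (i = 1; i <= n; i++)
                if (index(" " watch " ", " " p[i] " "))
                    print o["name"], (o["proto"] == "" ? "tcpudp" : o["proto"]), p[i], "any-source"
        }
        split("", o); is_rule = 0
    }
    $1 == "config" { end_section(); is_rule = ($2 == "rule"); next }
    $1 == "option" || $1 == "list" { o[$2] = ($1 == "list" && o[$2] != "") ? o[$2] " " val() : val() }
    END { end_section() }'
}
# Constructed sample: the two rules from this guide plus a hypothetical rule
# limited to one admin address (203.0.113.10 is a documentation address).
sample_firewall() {
    cat <<'EOF'
config rule
    option name 'Allow-SSH'
    option src 'wan'
    option proto 'tcp'
    option dest_port '22'
    option target 'ACCEPT'
config rule
    option name 'Allow-HTTPS'
    option src 'wan'
    option proto 'tcp'
    option dest_port '443'
    option target 'ACCEPT'
config rule
    option name 'Allow-SSH-Admin'
    option src 'wan'
    option src_ip '203.0.113.10'
    option proto 'tcp'
    option dest_port '22'
    option target 'ACCEPT'
EOF
}
sample_firewall | audit_wan_rules "22 443"
```

On a container, run it as `audit_wan_rules "22 443" < /etc/config/firewall` after editing the file. Port ranges in dest_port are not expanded, so a range that covers a watched port is not reported.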

This streamlined guide provides a clear and effective method for deploying Proxmox containers with OpenWRT, configured for remote management access through SSH and HTTPS on the WAN interface.


Creating a Virtual Bridge (vmbr) in Proxmox via CLI

To create a new virtual bridge (vmbrX) on Proxmox using the command line, you need to edit the network configuration file located at /etc/network/interfaces. Here's how you can do it:

  1. Access the Proxmox Host: Connect to your Proxmox server via SSH.

  2. Edit the Network Configuration File: Open the /etc/network/interfaces file in a text editor, such as nano or vim.

    vim /etc/network/interfaces
    
  3. Add Configuration for a New Bridge: Add the following lines to the file to create a new bridge. Replace X with the appropriate number for your new bridge.

    auto vmbrX
    iface vmbrX inet static
        address 192.168.X.1
        netmask 255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
    
  4. Save and Apply Changes: Save the changes and restart the networking service to apply them.

    systemctl restart networking
    

This setup creates a bridge with no physical interfaces attached (isolated bridge). If you want to attach physical interfaces, replace none in bridge_ports with the name of the interface (e.g., eth0).

Adjusting Network Interface Configuration in OpenWRT

To swap interfaces or change the DHCP setting to static IP or vice versa in OpenWRT, you can modify the /etc/config/network file. Here's how to make these adjustments:

Changing Interface Assignment (Swapping Interfaces)

If you want to change which physical interface (e.g., from eth0 to eth1) is used for WAN, modify the option ifname line under the corresponding section:

config interface 'wan'
    option ifname 'eth1'  # Changed from eth0 to eth1
    option proto 'dhcp'

Changing DHCP to Static IP (or Vice Versa)

To change an interface from DHCP to static IP:

  1. Change the option proto 'dhcp' to option proto 'static'.
  2. Specify the option ipaddr and option netmask (and optionally, option gateway and option dns).

Example for a static IP configuration:

config interface 'wan'
    option ifname 'eth0'
    option proto 'static'
    option ipaddr '192.168.1.2'
    option netmask '255.255.255.0'
    option gateway '192.168.1.1'
    option dns '192.168.1.1'

To revert to DHCP:

config interface 'wan'
    option ifname 'eth0'
    option proto 'dhcp'

Applying Changes in OpenWRT

After making changes to the /etc/config/network file:

  1. Restart the Network Service to apply the changes:

    /etc/init.d/network restart
    
  2. Test Connectivity to ensure that your network configurations work as expected.

These steps allow you to flexibly configure and manage network settings directly from the CLI, accommodating changes in network design or infrastructure requirements efficiently.