It seems that some people are using an Ethernet WAN-WAN connection to connect two different LibreMesh clouds (two networks with different ap_name, which is used for calculating the batman-adv VLAN).
@nicopace can you tell us more on this?
In my opinion, with current LibreMesh, making a WAN-WAN connection or a LAN-LAN connection is equivalent, as the WAN port is included in the br-lan bridge by lime-system; see the lime-report output here: #951 (comment).
This will stop happening on routers with DSA with the merge of #959, as I didn't include wan interfaces in the protocols (including the LAN protocol).
Anyway the idea of connecting two clouds via a cable and that the ports used are not in a bridge with the rest of the network makes plenty of sense.
The default behavior of the WAN port should be to access the internet (and be protected by OpenWrt firewall, see #280 and libremesh/libremesh.github.io#139) which is the most common scenario, but the described alternative behavior should be possible to configure via interface-specific configuration.
The documentation of this could be something like:
- Allow all incoming connections on the WAN port by changing this:

  ```
  config zone
      option name 'wan'
      option network 'wan wan6'
      option input 'REJECT'
      option output 'ACCEPT'
      option forward 'REJECT'
      option masq '1'
      option mtu_fix '1'
  ```

  with this:

  ```
  config zone
      option name 'wan'
      option network 'wan wan6'
      option input 'ACCEPT'
      option output 'ACCEPT'
      option forward 'ACCEPT'
      option mtu_fix '1'
  ```

  in the `/etc/config/firewall` file. See https://openwrt.org/docs/guide-user/firewall/firewall_configuration#zones for more.
- Include in `/etc/config/lime-node` the specific-interface configuration for the wan interface, something like:

  ```
  config net wan_mesh # UCI section names may only contain letters, digits and '_'
      option linux_name 'eth0.2' # Put here the actual name of the interface, with DSA it should be just "wan"
      list protocols 'babeld'
      list protocols 'static'
      option static_ipv4 '192.168.1.2/24'
      option static_gateway_ipv4 '192.168.1.1'
      option static_ipv6 '2a00:1508:0a00::1234/64'
      option static_gateway_ipv6 'fe80::1'
  ```

Maybe we need a new proto in https://github.com/libremesh/lime-packages/tree/master/packages/lime-system/files/usr/lib/lua/lime/proto for avoiding the need to specify a manual IP.
Which IP would make sense to set there? One in the subnet of the cloud to which the node belongs? Or one from the other cloud, the one the node is connecting to? Or one in a subnet from neither of the two? Or no IP is needed?
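
A check to go with the firewall change proposed in the post above, added here as an example and not part of the original issue or of LibreMesh: it reads a UCI firewall file and reports, for every zone that covers the `wan` network, whether inbound or forwarded traffic is accepted, so a node opened for a cloud-to-cloud cable can be told apart from one still on the protective default. The function names, the output format and the sample zones are constructed for illustration.

```shell
# Added example (not LibreMesh code): list firewall zones covering the "wan"
# network; options a zone leaves unset are inherited and shown as "?".
audit_wan_zone() {   # $1 = path to a UCI firewall file
    awk '
    function value(v,   q) {                  # option value with quotes stripped
        sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", v)
        q = substr(v, 1, 1)
        if (q == "\047" || q == "\"") { v = substr(v, 2); sub(q ".*$", "", v) }
        else sub(/[ \t].*$/, "", v)
        return v
    }
    function report(   state) {
        if (!inzone || !wan) return
        state = (input == "?" || forward == "?") ? "INHERITED" : "FILTERED"
        if (input == "ACCEPT" || forward == "ACCEPT") state = "OPEN"
        printf "%s input=%s forward=%s masq=%s %s\n", name, input, forward, masq, state
    }
    $1 == "config" {
        report()
        inzone = ($2 == "zone"); wan = 0
        name = "?"; input = "?"; forward = "?"; masq = "0"
    }
    inzone && ($1 == "option" || $1 == "list") {
        v = value($0)
        if ($2 == "name") name = v
        else if ($2 == "input") input = v
        else if ($2 == "forward") forward = v
        else if ($2 == "masq") masq = v
        else if ($2 == "network") {           # "wan wan6" or repeated list entries
            n = split(v, nets, /[ \t]+/)
            for (i = 1; i <= n; i++) if (nets[i] == "wan") wan = 1
        }
    }
    END { report() }
    ' "$1"
}
sample_firewall() {   # constructed sample: a lan zone plus the opened wan zone
    cat <<'EOF'
config zone
    option name 'lan'
    option network 'lan'
config zone
    option name 'wan'
    option network 'wan wan6'
    option input 'ACCEPT'
    option forward 'ACCEPT'
EOF
}
[ -z "${1:-}" ] || audit_wan_zone "$1"   # audit the file named on the command line
```

Run it as `sh script.sh /etc/config/firewall` on the node; a line ending in `OPEN` means the WAN port is reachable like a LAN port, and `INHERITED` means the zone relies on the `config defaults` section.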