
Looking for input managing network connection interfaces



  • Hi everyone,

    We are developing a gateway device based on the Omega2S+. Our hardware supports WiFi, Ethernet, Cellular, and a soft AP for web configuration of settings. We have everything fully functional and are on the home stretch. The last thing to do before we can release this thing is to manage internet connectivity.

    We plan to have the user prioritize internet connectivity interfaces and to disable them completely if they wish. So they would put the interfaces in order like:

    1. Ethernet
    2. WiFi
    3. Cellular

    I plan to use ping in a script to monitor internet connectivity of the interfaces like:

    ping -c 1 -n -w 1 -I eth0 www.google.com
    

    I'll do this on an interval for all connectivity options the user has selected to enable. Once I find an internet connection on the top priority connection, I want to ensure that all internet-based requests go over that particular interface. I'm not finding a conclusive way to do this. How can you tell OpenWRT to prioritize a particular interface for internet-based requests?

    If this is outside the scope of this forum please let me know and I'll be happy to request this over on OpenWRT.

    Thank you



  • @IOTrav Take a look at this thread. Lazar points the user to a thread on the OpenWrt forum which may assist you.

    https://community.onion.io/topic/3709/making-ethernet-as-primary-connectivity/12?_=1593441015731


  • administrators

    @IOTrav @crispyoz Spent a little time experimenting and found the existing firewall on the OS can be used to enable/disable network traffic from specific interfaces.

    Taking a look at /etc/config/firewall, you'll notice it has zones that control traffic flow of the network interfaces defined in /etc/config/firewall.

    By default, the wan firewall zone is attached to the wwan network interface.

    Looking at /etc/config/network, you'll see that the wwan network interface is apcli0, the Omega's WiFi client interface.

    We can change the wan firewall zone configuration to enable or disable traffic through this interface.

    To start, my Omega is connected to WiFi and can ping the internet:

    root@Omega-F195:/# ping www.google.com
    PING www.google.com (172.217.164.196): 56 data bytes
    64 bytes from 172.217.164.196: seq=0 ttl=115 time=18.968 ms
    64 bytes from 172.217.164.196: seq=1 ttl=115 time=22.639 ms
    ...
    

    Then, I'll run these commands to REJECT input and output traffic for the wan zone:

    uci set firewall.@zone[1].output='REJECT'
    uci set firewall.@zone[1].input='REJECT'
    uci commit firewall
    

    Note: these changes can also be made by modifying the /etc/config/firewall file directly.

    And restart the firewall:

    /etc/init.d/firewall restart
    

    I can no longer access the internet. The WiFi client interface is still associated with the network, but no traffic can go through:

    root@Omega-F195:/# ping www.google.com
    PING www.google.com (172.217.164.196): 56 data bytes
    ping: sendto: Operation not permitted
    root@Omega-F195:/# ping www.google.com
    PING www.google.com (172.217.164.196): 56 data bytes
    ping: sendto: Operation not permitted
    

    A few notes for your application @IOTrav :

    1. You'll need to add more zones to the firewall to control the ethernet and cellular network interfaces. But after that, you can programmatically control which interfaces act as the main connection to the internet.
    2. Adjusting the zones manually may or may not be the best way of achieving what you're looking for. The firewall also supports creating Rules but I'm not too familiar with how they work. For a deeper dive into the firewall and rules, I suggest taking a look at the OpenWrt firewall documentation: https://openwrt.org/docs/guide-user/firewall/firewall_configuration
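
One way to script the zone approach from the post above, as an added example that is not code from the thread or from Onion: it picks the highest-priority uplink whose probe succeeds and prints the `uci` commands that leave only that zone with `output` set to ACCEPT. It looks each zone up by name instead of by position, and it changes only `output`, leaving each zone's `input` policy as configured. The zone names `eth` and `cell`, the device name `cell0`, and the sample `uci show firewall` text are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Zone names eth/cell and device cell0 are
# hypothetical; SAMPLE_FW is constructed `uci show firewall` output.
SAMPLE_FW="firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[2]=zone
firewall.@zone[2].name='eth'
firewall.@zone[3]=zone
firewall.@zone[3].name='cell'"

# Print the index of the zone named $1, reading `uci show firewall` text on stdin.
# Looking the zone up by name avoids relying on a positional index like @zone[1].
zone_index() {
    case "$1" in ''|*[!A-Za-z0-9_]*) return 1 ;; esac   # keep the name out of sed syntax
    sed -n "s/^firewall\.@zone\[\([0-9][0-9]*\)\]\.name='$1'\$/\1/p" | head -n 1
}

# Probe from the original post: one ping bound to interface $1.
probe_ping() { ping -c 1 -n -w 1 -I "$1" www.google.com >/dev/null 2>&1; }
# Print the first "zone:ifname" pair, in priority order, whose probe succeeds.
# $1 = probe function, remaining arguments = pairs, highest priority first.
pick_uplink() {
    probe=$1; shift
    for pair in "$@"; do
        if "$probe" "${pair#*:}"; then echo "$pair"; return 0; fi
    done
    return 1
}

# Print the uci commands that leave only zone $2 with output ACCEPT.
# $1 = `uci show firewall` text, $2 = chosen zone, remaining = all uplink zones.
plan_zones() {
    fw=$1; chosen=$2; shift 2
    for z in "$@"; do
        idx=$(printf '%s\n' "$fw" | zone_index "$z") || return 1
        [ -n "$idx" ] || { echo "zone '$z' not found" >&2; return 1; }
        if [ "$z" = "$chosen" ]; then policy=ACCEPT; else policy=REJECT; fi
        echo "uci set firewall.@zone[$idx].output='$policy'"
    done
    printf '%s\n' "uci commit firewall" "/etc/init.d/firewall restart"
}
demo_probe() { [ "$1" != eth0 ]; }   # constructed stub: Ethernet has no connectivity
demo() {
    up=$(pick_uplink demo_probe eth:eth0 wan:apcli0 cell:cell0) || return 1
    plan_zones "$SAMPLE_FW" "${up%%:*}" eth wan cell
}
demo
```

On the device, pass `plan_zones` the real `uci show firewall` output, use `probe_ping` as the probe, and pipe the printed commands to `sh`. A zone left at REJECT also rejects the device's own probe, as the `sendto: Operation not permitted` output above shows, so re-checking a disabled uplink needs the zone opened for the check or a dedicated allow rule.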


  • Great stuff @Lazar-Demin can we put that in the FAQ?



  • Awesome @Lazar-Demin! I never thought to mess around with Firewall. I was trying to do everything through Network but this is awesome because the connection stays active but no traffic can pass through it. This means I can maintain a cellular connection but disallow traffic through it. This is perfect! Thanks so much for looking into this. I'll be sure to let you know how it works for me. Also, I'll be putting together a Python script to monitor internet connectivity through the interfaces and enable/disable them, so I'll be sure to share that script for others.


