Understand and document how to use WAN-WAN connections for connecting different clouds #976

Open
ilario opened this issue Feb 2, 2023 · 3 comments


ilario commented Feb 2, 2023

It seems that some people are using an Ethernet WAN-WAN connection for connecting two different LibreMesh clouds (two networks with different ap_name, which gets used for calculating the batman-adv VLAN).

@nicopace can you tell us more on this?

In my opinion, with current LibreMesh, making a WAN-WAN connection or a LAN-LAN connection is equivalent, as the WAN port is included in the br-lan bridge by lime-system; see the lime-report output here: #951 (comment)

This will stop happening on routers with DSA with the merge of #959, as I didn't include wan interfaces in the protocols (including the LAN protocol).

Anyway the idea of connecting two clouds via a cable and that the ports used are not in a bridge with the rest of the network makes plenty of sense.

The default behavior of the WAN port should be to access the internet (and be protected by OpenWrt firewall, see #280 and libremesh/libremesh.github.io#139) which is the most common scenario, but the described alternative behavior should be possible to configure via interface-specific configuration.

The documentation of this could be something like:


  • Allow all incoming connections on the WAN port by changing this:

config zone
	option	name		'wan'
	option	network		'wan wan6'
	option	input		'REJECT'
	option	output		'ACCEPT'
	option	forward		'REJECT'
	option	masq		'1'
	option	mtu_fix		'1'

with this:

config zone
	option	name		'wan'
	option	network		'wan wan6'
	option	input		'ACCEPT'
	option	output		'ACCEPT'
	option	forward		'ACCEPT'
	option	mtu_fix		'1'

in the /etc/config/firewall file. See https://openwrt.org/docs/guide-user/firewall/firewall_configuration#zones for more.

  • Include in /etc/config/lime-node the specific-interface configuration for the wan interface, something like:

config net wan-mesh
	option linux_name 'eth0.2'			# Put here the actual name of the interface, with DSA it should be just "wan"
	list protocols 'babeld'
	list protocols 'static'
	option static_ipv4 '192.168.1.2/24'
	option static_gateway_ipv4 '192.168.1.1'
	option static_ipv6 '2a00:1508:0a00::1234/64'
	option static_gateway_ipv6 'fe80::1'

Maybe we need a new proto in https://github.com/libremesh/lime-packages/tree/master/packages/lime-system/files/usr/lib/lua/lime/proto for avoiding the need to specify a manual IP.

Which IP would make sense to set there? One in the subnet of the cloud to which the node belongs? Or one from the other cloud, the one the node is connecting to? Or one in a subnet from neither of the two? Or no IP is needed?
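
The difference between the two `wan` zone stanzas in the comment above can be checked mechanically. The following is an added example, not LibreMesh or OpenWrt code: a shell audit that flags a zone covering the `wan`/`wan6` networks once its input or forward policy is `ACCEPT`. The function names `audit_wan_zone` and `sample_zone` are hypothetical, the sample stanza is constructed from the one quoted in the issue, and only an explicit `ACCEPT` is treated as open.

```shell
#!/bin/sh
# Added example, not LibreMesh code. Reads a UCI firewall file on stdin, prints each
# zone covering wan/wan6, and returns non-zero if its input or forward is ACCEPT.
audit_wan_zone() {
    awk -v q="'" '
    function unquote(s,  c) {            # strip trailing blanks and one pair of quotes
        sub(/[ \t]+$/, "", s); c = substr(s, 1, 1)
        return (c == q || c == "\"") ? substr(s, 2, length(s) - 2) : s
    }
    function report(  is_open) {         # called whenever a config section ends
        if (inzone && (" " nets " ") ~ / wan6? /) {
            is_open = (input == "ACCEPT" || forward == "ACCEPT")
            printf "zone=%s input=%s forward=%s masq=%s -> %s\n",
                name, input, forward, masq, (is_open ? "OPEN" : "filtered")
            if (is_open) bad = 1
        }
        inzone = 0
    }
    $1 == "config" {
        report(); inzone = ($2 == "zone")
        name = nets = ""; input = forward = masq = "unset"; next
    }
    inzone && ($1 == "option" || $1 == "list") {
        val = $0; sub(/^[ \t]*[a-z]+[ \t]+[a-z0-9_]+[ \t]+/, "", val); val = unquote(val)
        if ($2 == "name") name = val
        else if ($2 == "network") nets = nets " " val
        else if ($2 == "input") input = val
        else if ($2 == "forward") forward = val
        else if ($2 == "masq") masq = val
    }
    END { report(); exit (bad ? 1 : 0) }
    '
}

# Constructed sample: the wan zone from the issue; $1 = input/forward policy, $2 = masq.
sample_zone() {
    cat <<EOF
config zone
    option name 'wan'
    option network 'wan wan6'
    option input '$1'
    option output 'ACCEPT'
    option forward '$1'
    option masq '$2'
    option mtu_fix '1'
EOF
}

sample_zone REJECT 1 | audit_wan_zone && echo "wan zone is filtered"
sample_zone ACCEPT 0 | audit_wan_zone || echo "wan zone accepts all traffic"
```

On a node, the same function can be fed the live file with `audit_wan_zone < /etc/config/firewall`.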


ilario commented Mar 8, 2023

Just saw that lime-hwd-openwrt-wan not only activates proto/wan on the WAN port, but also adds all of the other protocols except LAN!

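-- Excerpt from lime-hwd-openwrt-wan; config, utils, net and protos are defined outside this excerpt.
for _, pArgs in pairs(config.get("network", "protocols")) do
	local pArr = utils.split(pArgs, net.protoParamsSeparator)
	if ( pArr[1] == "bmx6" or pArr[1] == "bmx7") then
		-- bmx6/bmx7: force the VLAN parameter to 0 (no VLAN)
		pArr[2] = 0
		pArgs = table.concat(pArr, net.protoParamsSeparator)
		table.insert(protos, pArgs)
	elseif ( pArr[1]~="lan" and pArr[1]~="wan" ) then
		-- every other protocol except lan and wan is added unchanged
		table.insert(protos, pArgs)
	end
end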

(BMX6 and 7 are added without VLAN, but we cannot do the same with Babeld yet, see #631)

So what happens is that the WAN port is not inside br-lan but it has the routing protocols. With a bit of luck, the VLAN of Batman-adv in one cloud and in the neighboring one will be different, so that the WAN-WAN connection does not sound like a terrible idea (just an undocumented one).

So, in order to use such connections, we just have to document how to disable OpenWrt firewall on the WAN port.


ilario commented Apr 1, 2023

I added some documentation here: libremesh/libremesh.github.io@ab7491f
I have no idea if it works (never used it), and people using it never spoke up.
Closing until someone asks for more documentation on this.

@ilario ilario closed this as completed Apr 1, 2023

ilario commented Apr 7, 2023

To be checked again.
Babeld's interfaces are not in the list of WAN interfaces to be protected by the firewall, so it could be that it just works, without having to open the firewall on the WAN.

@ilario ilario reopened this Apr 7, 2023