espressif / esp-iot-bridge

A smart bridge that lets both the ESP and another MCU or smart device access the Internet.

Blocking Access Point ports / Access Control List #2

Open guirespi opened 3 years ago

guirespi commented 3 years ago

Hi, I'm Guido.

I've been looking at this project and I really want to know if it's possible to add an access control list or restrict the connection ports when other devices connect to the ESP32 in AP mode.

tswen commented 3 years ago

Hi Guido,

At present, we have just opened up the links between the various interfaces. You can save the MAC address obtained when the device is connected to the AP, and perform the corresponding operation by judging the MAC address.

```c
#include "esp_event.h"
#include "esp_log.h"
#include "esp_mac.h"   /* MACSTR / MAC2STR (ESP-IDF v5) */
#include "esp_wifi.h"

static const char *TAG = "bridge";

/* Wi-Fi event handler: when a station joins the soft-AP, its MAC address is
 * available in the event data and can be stored for later per-device decisions. */
static void wifi_event_handler(void* arg, esp_event_base_t event_base,
                               int32_t event_id, void* event_data)
{
    if (event_id == WIFI_EVENT_AP_STACONNECTED) {
        wifi_event_ap_staconnected_t* event = (wifi_event_ap_staconnected_t*) event_data;
        ESP_LOGI(TAG, "station "MACSTR" join, AID=%d",
                 MAC2STR(event->mac), event->aid);
    }
}
```
guirespi commented 3 years ago

Thank you for your answer. I will try it soon! I have another question. I've been looking for the feature of opening and closing ports for ESP32 AP mode. What I mean is, for example: if a user tries to load a web page, he tries to communicate on port 80; but it happens that I recently set the ESP32 to deny all requests to this port, and the user receives no information. This whole example is based on using the ESP32 as a modem or a Wi-Fi repeater, just like this project.

Doing some research, I found out that the lwIP stack has a structure called netif. Netif has a function callback that receives input or output packets from a station to the ESP32 as an access point. Esp-gateway has this interface called esp_netif, which I think is the implementation of lwIP's netif structure. I was wondering if it's possible to add this callback function to the esp_netif structure, or in which way I can implement this feature in this project. I'll really appreciate some guidance about this.

Again, thank you so much for the MAC Address idea. I hope I get an answer about this feature I want to implement.

tswen commented 3 years ago

Hi Guido,

A simpler method is to offset into the received packet at the bottom layer, read the corresponding port value and filter the packet. This method is suitable for TCP packets. You can use a packet capture tool to view the structure of the packet.

How to judge the frame type: by checking the type field of the Ethernet packet header.

```c
/* Wrap the raw frame handed up by the lower layer (rcv_buffer and size_read
 * come from the receive path). */
flow_control_msg_t msg = {
    .packet = rcv_buffer,
    .length = size_read
};
commu_buffer = msg.packet;

/* EtherType 0x0800 is IPv4; lwIP's PP_HTONS() converts the constant to
 * network byte order at compile time so it can be compared directly. */
if (commu_buffer->eth_header_packet.type == PP_HTONS(0x0800)) {
    /* IPv4 frame: read the protocol field and, for TCP, the port fields at
     * their header offsets, then decide whether to forward or drop. */
}
```

In addition, for the callback function you mentioned, I’m not sure if this is what you describe. https://github.com/espressif/esp-gateway/blob/master/components/gateway/src/gateway_eth.c#L357 https://github.com/espressif/esp-gateway/blob/master/components/gateway/src/gateway_eth.c#L239
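Putting the two suggestions together (the MAC list from the first reply and the EtherType/port check from this one) as an added example that is not code from the project or from this thread: plain C with no ESP-IDF or lwIP dependency, hand-parsing the Ethernet, IPv4 and TCP headers of a received frame. The policy tables, the MAC values and the frame builder are constructed for illustration; the filter fails closed on malformed IPv4 and leaves non-IPv4 and non-TCP traffic from an allowed station untouched.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ETHERTYPE_IPV4 0x0800 /* the value the reply compares against PP_HTONS(0x0800) */
#define IP_PROTO_TCP   6

/* Hypothetical policy tables: allowed station MAC and blocked TCP destination ports. */
static const uint8_t  station_allowed[6] = {0x24, 0x6f, 0x28, 0x11, 0x22, 0x33}; /* constructed */
static const uint8_t  station_unknown[6] = {0x24, 0x6f, 0x28, 0x44, 0x55, 0x66}; /* constructed */
static const uint16_t blocked_tcp_ports[] = {80, 23};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Returns true if the frame must be dropped: source MAC not on the allow list,
 * malformed IPv4, or TCP whose destination port is blocked. */
bool frame_should_drop(const uint8_t *frame, size_t len) {
    if (len < 14) return true;                                   /* no Ethernet header: fail closed */
    if (memcmp(frame + 6, station_allowed, 6) != 0) return true; /* MAC ACL (source = station) */
    if (rd16(frame + 12) != ETHERTYPE_IPV4) return false;        /* EtherType: only IPv4 is inspected */
    const uint8_t *ip = frame + 14;
    if (len < 14 + 20) return true;                              /* truncated IPv4 header */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                     /* header length, options included */
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 14 + ihl) return true;
    if (ip[9] != IP_PROTO_TCP) return false;                     /* only TCP ports are filtered */
    if (len < 14 + ihl + 4) return true;                         /* TCP port fields missing */
    uint16_t dport = rd16(ip + ihl + 2);                         /* destination port, network order */
    for (size_t i = 0; i < sizeof blocked_tcp_ports / sizeof blocked_tcp_ports[0]; i++)
        if (dport == blocked_tcp_ports[i]) return true;
    return false;
}

/* Builds a constructed 54-byte Ethernet/IPv4/TCP frame (IHL 5, no options) for testing. */
size_t build_tcp_frame(uint8_t *buf, const uint8_t src_mac[6], uint16_t dport) {
    memset(buf, 0, 54);
    memset(buf, 0xff, 6);                 /* destination MAC: ignored by the filter */
    memcpy(buf + 6, src_mac, 6);          /* source MAC: the station */
    buf[12] = 0x08; buf[13] = 0x00;       /* EtherType IPv4 */
    buf[14] = 0x45;                       /* version 4, IHL 5 */
    buf[17] = 40;                         /* total length: 20 IP + 20 TCP */
    buf[23] = IP_PROTO_TCP;
    buf[36] = (uint8_t)(dport >> 8); buf[37] = (uint8_t)dport; /* TCP dst port at 14 + 20 + 2 */
    return 54;
}

/* Builds a sample frame from the given station to the given port and runs the filter. */
bool check_sample(const uint8_t src_mac[6], uint16_t dport) {
    uint8_t frame[64];
    return frame_should_drop(frame, build_tcp_frame(frame, src_mac, dport));
}
```

In the bridge itself the same decision would be taken where `commu_buffer` is inspected above, returning early instead of handing the frame to the other interface.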

guirespi commented 3 years ago

Thank you so much @tswen. You've been very helpful. I'm already able to see the packet's port!

guirespi commented 3 years ago

Hi @tswen. I have a question about the way the PPP netif instance is used. I was wondering about the order, in which the PPP netif instance is set up before the AP netif instance. What I mean is: what if, in the MODEM mode of this gateway project, I initialize the AP netif instance first and after that the PPP netif instance? Would there be any problem?

tswen commented 3 years ago

You can try it; it doesn't matter in theory.

guirespi commented 3 years ago

Thank you @tswen. I've already tried it and it works. One thing I've noticed is that sometimes, when I run the project with the "optimization level" set to "optimize for performance (-O2)" in the Compiler options of the SDK config, the synchronization step with the SIM card fails. This doesn't happen when I set the optimization level to Debug (-Og). I'm using the SIM800L. I hope you can help me with this issue.