Access luci Web (192.168.1.1:82) on Guest (192.168.3.1)

Dear All,
I need some help here. I have a guest network configured with 192.168.3.1 on wlan0.
My requirement is to block the luci admin page (192.168.1.1:80) but still allow access to 192.168.1.1:82 from the guest network. What firewall rules do I need to add? Please suggest.

One more thing I want to do: if any user on the guest network tries to open any site, he/she should be redirected to 192.168.1.1:82 automatically.

Thanks

Given that the guest zone firewall blocks by default, you need a rule to allow input on tcp/82.
For the second you need a redirect from any packet going to port 80 to the router on port 82. It won't work with https, so don't bother trying it.

Thanks @trendy,
For now I've simply allowed 192.168.1.1 to guest as below; it should allow all ports from 192.168.1.1,
but I am not able to open it.

It's wrong. Destination zone must be the device, not a zone.

Tried the below as well, no luck.

It's destination port 82, not source.

Sorry @trendy, it's not working. Do I need to add Firewall - Port Forwards rules for it?

What exactly isn't working?
From guest zone, which address are you trying to access?
What is the output of ubus call system board; uci export firewall?

I just want to access only 192.168.1.1:82 on guest wifi, and if someone tries any other URL, redirect it to 192.168.1.1:82. That's it.
Output as below:

**ubus call system board**
{
        "kernel": "5.10.138",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "D-Link DIR-2640 A1",
        "board_name": "dlink,dir-2640-a1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.0",
                "revision": "r19685-512e76967f",
                "target": "ramips/mt7621",
                "description": "OpenWrt 22.03.0 r19685-512e76967f"
        }
}
**uci export firewall**
package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone 'guest'
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding 'guest_wan'
        option src 'guest'
        option dest 'wan'

config rule 'guest_dns'
        option name 'Allow-DNS-guest'
        option src 'guest'
        option dest_port '53'
        list proto 'tcp'
        list proto 'udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-guest'
        option src 'guest'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Block-Internet-Guest'
        option target 'REJECT'
        list proto 'all'
        option src 'guest'
        option dest 'wan'

config rule
        option target 'ACCEPT'
        option name 'Allow-localhost-Guest'
        list proto 'tcp'
        option src 'guest'
        list src_ip '192.168.1.1'
        option src_port '82'
        list dest_ip '192.168.3.1'

config redirect
        option dest 'guest'
        option target 'DNAT'
        list proto 'tcp'
        option src 'lan'
        option src_dport '82'
        option dest_ip '192.168.3.1'

The redirect is not needed.
In the rule you added src_ip 192.168.1.1, which is wrong and not needed.
From the browser you need to browse 192.168.3.1:82, as this is the address you have allowed on the firewall.

Dear @trendy,
I have applied the below settings and I am able to access luci 192.168.1.1 and 192.168.1.1:82 and
192.168.3.1 (luci) on the guest network,

but the requirement is to access only 192.168.1.1:82; the rest should be blocked for guest.

I have tried many things with the above settings but no luck; if I change anything in the firewall rule, everything that was working stops.

Please suggest how to make only 192.168.1.1:82 work and stop the rest.

Thanks

I think it is quite clear that you should add 192.168.1.1 in the destination address and 82 in the destination port of the rule.

Yes, that is the problem. We are trying to fix one thing and in your next post you have changed some more things and it doesn't work. For example now you suddenly enabled the guest to lan forwarding for no apparent reason. Just stick to the changes that we suggest you here.

Okay, I understand. I reverted my changes and am using only a firewall rule to achieve it. I have also deleted the port forwarding from the firewall. In my case the firewall rule alone to allow lan to guest on port 80 is not working. Could you please suggest a full rule to apply which can work?

Thanks.

Let's see what is currently there.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export firewall; \
head -n -0 /etc/firewall.user

Thanks @trendy, you were right. Zone forwarding is not needed; just the below configuration is sufficient. Using this I am able to access luci 192.168.1.1 and 192.168.1.1:82 and
192.168.3.1 (luci) on the guest network, but if I add/modify anything in the below rule, it stops working for all the working IPs.

But the problem is the same.
ubus call system board;

{
        "kernel": "5.10.138",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "D-Link DIR-2640 A1",
        "board_name": "dlink,dir-2640-a1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.0",
                "revision": "r19685-512e76967f",
                "target": "ramips/mt7621",
                "description": "OpenWrt 22.03.0 r19685-512e76967f"
        }
}

uci export network;

package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fdfb:556f:e005::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device 'guest_dev'
        option type 'bridge'
        option name 'br-guest'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

uci export firewall

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config zone 'guest'
        option name 'guest'
        option network 'guest'
        list device 'br-guest'
        option forward 'REJECT'
        option input 'REJECT'
        option output 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'guest_dns'
        option name 'Allow-DNS-guest'
        option src 'guest'
        option dest_port '53'
        list proto 'tcp'
        list proto 'udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-guest'
        option src 'guest'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Block-Internet-Guest'
        option target 'REJECT'
        list proto 'all'
        option src 'guest'
        option dest 'wan'

config rule
        option target 'ACCEPT'
        option name 'Allow-localhost-Guest'
        list proto 'tcp'
        option src 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'

head -n -0 /etc/firewall.user

head: /etc/firewall.user: No such file or directory

As it is, hosts in guest zone can access all tcp ports on the router. Add a destination port 82 in this rule.
There is also the Block-Internet-Guest rule which is contradicting and shadowing the forwarding you have later.

config forwarding
        option src 'guest'
        option dest 'wan'

If you don't want to allow traffic from guest to wan, you can delete them both, as the default action is to reject interzone forwards.
You can also set up a redirect from lan zone to lan zone if the original destination port is 80 to redirect to the router on port 82, as you requested initially.

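As an added example (not from the thread or from OpenWrt), here is a POSIX shell audit that reads a `uci export firewall` dump and reports the two issues trendy describes: a guest ACCEPT rule with no dest_port (every router port reachable from guest) and the Block-Internet-Guest rule shadowing the guest->wan forwarding. It assumes the dump uses the standard `option key 'value'` layout shown above; the sample it ships with is a constructed cut of that dump.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenWrt): audit a `uci export firewall` dump
# for the two problems trendy points out above; exit status 1 means something was found.
# On the router: uci export firewall > /tmp/fw.txt && audit_guest_fw /tmp/fw.txt
audit_guest_fw() {
  awk -v q="'" '
    # strip the "option key " prefix and the quotes around the value
    function val(s) { sub(/^[ \t]*option [a-z_]+ /, "", s); gsub(q, "", s); return s }
    function flush() {   # evaluate the section just read
      # ACCEPT rule from guest with no dest zone (= input to the router) and no dest_port:
      # every listening port on the router, LuCI included, is reachable from guest
      if (type == "rule" && src == "guest" && target == "ACCEPT" && dest == "" && dport == "") {
        print "OPEN-INPUT: rule \"" name "\" lets guest reach every router port; add option dest_port"; bad = 1 }
      if (type == "rule" && src == "guest" && dest == "wan" && target == "REJECT") block = name
      if (type == "forwarding" && src == "guest" && dest == "wan") fwd = 1
      type = src = dest = target = dport = name = ""
    }
    BEGIN { bad = 0 }
    /^config /                 { flush(); type = $2 }
    /^[ \t]*option src /       { src = val($0) }
    /^[ \t]*option dest /      { dest = val($0) }
    /^[ \t]*option target /    { target = val($0) }
    /^[ \t]*option dest_port / { dport = val($0) }
    /^[ \t]*option name /      { name = val($0) }
    END { flush()
      if (block != "" && fwd) {
        print "SHADOWED: rule \"" block "\" rejects guest->wan, so the guest->wan forwarding never matches; delete one of them"; bad = 1 }
      exit bad }
  ' "$1"
}
# Constructed sample: the guest sections of the dump posted above, trimmed to the keys that matter
write_sample() {
  cat > "$1" <<'EOF'
config rule
	option name 'Block-Internet-Guest'
	option target 'REJECT'
	option src 'guest'
	option dest 'wan'

config rule
	option target 'ACCEPT'
	option name 'Allow-localhost-Guest'
	option src 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'
EOF
}
```

A rule that carries `option dest_port '82'` (or a dest zone) passes the first check, and dropping either the REJECT rule or the forwarding clears the second.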

Finally, I've achieved the 1st point, many thanks @trendy.
For this I have shifted luci to port 81 and applied the firewall rules
as below

config rule
        option target 'ACCEPT'
        option name 'Allow-Guest-Lan'
        option src 'guest'
        list dest_ip '192.168.3.1'

config rule
        option name 'Drop-local-IP-81'
        option src '*'
        option dest_ip '192.168.3.1'
        option dest_port '81'
        option target 'REJECT'

Now let's come to the second point: forwarding any URL to 192.168.3.1 on the guest zone.
Please advise.

The second rule is not needed.
For the redirect you need this:

uci add firewall redirect
uci add_list firewall.@redirect[-1].proto='tcp'
uci set firewall.@redirect[-1].src_dport='80'
uci set firewall.@redirect[-1].dest_ip='192.168.3.1'
uci set firewall.@redirect[-1].dest_port='82'
uci set firewall.@redirect[-1].src='guest'
uci set firewall.@redirect[-1].name='guest redirect to 82'
uci set firewall.@redirect[-1].dest='guest'
uci set firewall.@redirect[-1].reflection='0'
uci set firewall.@redirect[-1].target='DNAT'
uci commit firewall
service firewall restart

Sorry @trendy,
It's not working. For example, I am connecting to the guest network and trying to open https://facebook.com or any website; then it should redirect me to 192.168.1.1:80.
This is what I am expecting.

Thanks

The redirect configured is for port 80, which is http.
https is port 443 but I doubt it will work.