Dear All,
I need some help here. I have a guest network configured with 192.168.3.1 on wlan0.
My requirement is to block the LuCI admin page (192.168.1.1:80) but allow access to 192.168.1.1:82 from the guest network. What firewall rules do I need to add? Please suggest.
One more thing I want to do: if any user on the guest network tries to open any site, he/she should be redirected to 192.168.1.1:82 automatically.
Thanks
trendy
September 12, 2022, 10:49am
Given that the guest zone firewall blocks by default, you need a rule to allow input on tcp/82.
For the second you need a redirect from any packet going to port 80 to the router on port 82. It won't work with https, so don't bother trying it.
Thanks @trendy,
For now I've simply allowed 192.168.1.1 to guest as below; it should allow all ports from 192.168.1.1,
but I am not able to open it.
trendy
September 12, 2022, 11:11am
It's wrong, Destination zone must be the device, not a zone.
Tried the below as well, no luck.
trendy
September 12, 2022, 11:33am
It's destination port 82, not source.
Sorry @trendy, it's not working. Do I need to add Firewall - Port Forwards rules for it?
trendy
September 12, 2022, 11:45am
What exactly isn't working?
From guest zone, which address are you trying to access?
What is the output of ubus call system board; uci export firewall ?
I just want to access only 192.168.1.1:82 on the guest wifi, and if anyone tries any other URL it should redirect to 192.168.1.1:82, that's it.
Output as below:
**ubus call system board**
{
"kernel": "5.10.138",
"hostname": "OpenWrt",
"system": "MediaTek MT7621 ver:1 eco:3",
"model": "D-Link DIR-2640 A1",
"board_name": "dlink,dir-2640-a1",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "22.03.0",
"revision": "r19685-512e76967f",
"target": "ramips/mt7621",
"description": "OpenWrt 22.03.0 r19685-512e76967f"
}
}
**uci export firewall**
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone 'guest'
option name 'guest'
option network 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config forwarding 'guest_wan'
option src 'guest'
option dest 'wan'
config rule 'guest_dns'
option name 'Allow-DNS-guest'
option src 'guest'
option dest_port '53'
list proto 'tcp'
list proto 'udp'
option target 'ACCEPT'
config rule 'guest_dhcp'
option name 'Allow-DHCP-guest'
option src 'guest'
option dest_port '67'
option proto 'udp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Block-Internet-Guest'
option target 'REJECT'
list proto 'all'
option src 'guest'
option dest 'wan'
config rule
option target 'ACCEPT'
option name 'Allow-localhost-Guest'
list proto 'tcp'
option src 'guest'
list src_ip '192.168.1.1'
option src_port '82'
list dest_ip '192.168.3.1'
config redirect
option dest 'guest'
option target 'DNAT'
list proto 'tcp'
option src 'lan'
option src_dport '82'
option dest_ip '192.168.3.1'
trendy
September 12, 2022, 11:53am
The redirect is not needed.
In the rule you added src_ip 192.168.1.1, which is wrong and not needed.
From the browser you need to browse to 192.168.3.1:82, as this is the address you have allowed on the firewall.
Dear @trendy,
I have applied the settings below and I am able to access LuCI at 192.168.1.1, 192.168.1.1:82 and
192.168.3.1 (LuCI) on the guest network,
but the requirement is to access only 192.168.1.1:82; the rest should be blocked for guest.
I have tried many things with the above settings but no luck; if I change anything in the firewall rule, everything that was working stops.
Please suggest how to make only 192.168.1.1:82 work and block the rest.
Thanks
trendy
September 12, 2022, 3:43pm
I think it is quite clear that you should add 192.168.1.1 in the destination address and 82 in the destination port of the rule.
Yes, that is the problem. We are trying to fix one thing and in your next post you have changed some more things and it doesn't work. For example now you suddenly enabled the guest to lan forwarding for no apparent reason. Just stick to the changes that we suggest you here.
Okay, I understand. I reverted my changes and am just applying the firewall rule to achieve it. I have also deleted the port forwarding from the firewall. In my case the firewall rule alone to allow lan to guest on port 80 is not working. Could you please suggest a full rule to apply which can work.
Thanks.
trendy
September 13, 2022, 5:54am
Let's see what is currently there.
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.
ubus call system board; \
uci export network; uci export firewall; \
head -n -0 /etc/firewall.user
Thanks @trendy, you were right. Zone forwarding is not needed; just the configuration below is sufficient. Using this I am able to access LuCI at 192.168.1.1, 192.168.1.1:82 and
192.168.3.1 (LuCI) on the guest network, but if I add/modify anything in the rule below, it stops working for all the working IPs,
so the problem is the same.
ubus call system board;
{
"kernel": "5.10.138",
"hostname": "OpenWrt",
"system": "MediaTek MT7621 ver:1 eco:3",
"model": "D-Link DIR-2640 A1",
"board_name": "dlink,dir-2640-a1",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "22.03.0",
"revision": "r19685-512e76967f",
"target": "ramips/mt7621",
"description": "OpenWrt 22.03.0 r19685-512e76967f"
}
}
uci export network;
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fdfb:556f:e005::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config device 'guest_dev'
option type 'bridge'
option name 'br-guest'
config interface 'guest'
option proto 'static'
option device 'br-guest'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
uci export firewall
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config zone 'guest'
option name 'guest'
option network 'guest'
list device 'br-guest'
option forward 'REJECT'
option input 'REJECT'
option output 'ACCEPT'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule 'guest_dns'
option name 'Allow-DNS-guest'
option src 'guest'
option dest_port '53'
list proto 'tcp'
list proto 'udp'
option target 'ACCEPT'
config rule 'guest_dhcp'
option name 'Allow-DHCP-guest'
option src 'guest'
option dest_port '67'
option proto 'udp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Block-Internet-Guest'
option target 'REJECT'
list proto 'all'
option src 'guest'
option dest 'wan'
config rule
option target 'ACCEPT'
option name 'Allow-localhost-Guest'
list proto 'tcp'
option src 'guest'
config forwarding
option src 'guest'
option dest 'wan'
head -n -0 /etc/firewall.user
head: /etc/firewall.user: No such file or directory
trendy
September 13, 2022, 10:12am
As it is, hosts in guest zone can access all tcp ports on the router. Add a destination port 82 in this rule.
There is also the Block-Internet-Guest rule which is contradicting and shadowing the forwarding you have later.
config forwarding
option src 'guest'
option dest 'wan'
If you don't want to allow traffic from guest to wan, you can delete them both, as the default action is to reject interzone forwards.
You can also set up a redirect from lan zone to lan zone if the original destination port is 80 to redirect to the router on port 82, as you requested initially.
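As an added check (example code, not the thread's or OpenWrt's own), this script parses a `uci export firewall` dump and flags the two problems trendy points out: an ACCEPT rule from guest with no destination port, which leaves every port on the router reachable, and a REJECT rule that shadows a forwarding from the same zone. The sample config is constructed from the rules posted in this thread.

```python
import shlex

def parse_uci(text):
    """Parse `uci export` lines into section dicts ('list' keys become lists)."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw)
        if not parts or parts[0] == "package":
            continue
        if parts[0] == "config":
            sections.append({"_type": parts[1]})
        elif parts[0] == "option":
            sections[-1][parts[1]] = parts[2]
        elif parts[0] == "list":
            sections[-1].setdefault(parts[1], []).append(parts[2])
    return sections

def audit_guest(sections, zone="guest"):
    """Flag ACCEPT input rules from the zone with no dest_port (every router
    port reachable) and REJECT rules that shadow a forwarding from the zone."""
    fwds = [s for s in sections if s["_type"] == "forwarding"]
    findings = []
    for r in (s for s in sections if s["_type"] == "rule"):
        if r.get("src") != zone:
            continue
        name = r.get("name", "<unnamed>")
        # A rule with no 'dest' zone matches traffic to the router itself.
        if r.get("target") == "ACCEPT" and "dest" not in r and "dest_port" not in r:
            findings.append(f"{name}: input from {zone} without dest_port")
        if r.get("target") == "REJECT" and any(
                f.get("src") == zone and f.get("dest") == r.get("dest") for f in fwds):
            findings.append(f"{name}: shadows forwarding {zone}->{r['dest']}")
    return findings

# Constructed sample modelled on the export posted in this thread.
SAMPLE = """package firewall
config rule
    option name 'Block-Internet-Guest'
    option target 'REJECT'
    option src 'guest'
    option dest 'wan'
config rule
    option target 'ACCEPT'
    option name 'Allow-localhost-Guest'
    list proto 'tcp'
    option src 'guest'
config forwarding
    option src 'guest'
    option dest 'wan'
"""
```

Paste the real `uci export firewall` output into `SAMPLE` (or read it from a file) and `audit_guest(parse_uci(...))` returns one line per problem; an empty list means both checks pass.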
Finally, I've achieved the 1st point, many thanks @trendy.
For this I have shifted LuCI to port 81 and applied the firewall rule
as below:
config rule
option target 'ACCEPT'
option name 'Allow-Guest-Lan'
option src 'guest'
list dest_ip '192.168.3.1'
config rule
option name 'Drop-local-IP-81'
option src '*'
option dest_ip '192.168.3.1'
option dest_port '81'
option target 'REJECT'
Now let's come to the second point: forwarding any URL to 192.168.3.1 on the guest zone.
Please advise.
trendy
September 14, 2022, 8:48am
The second rule is not needed.
For the redirect you need this:
uci add firewall redirect
uci add_list firewall.@redirect[-1].proto='tcp'
uci set firewall.@redirect[-1].src_dport='80'
uci set firewall.@redirect[-1].dest_ip='192.168.3.1'
uci set firewall.@redirect[-1].dest_port='82'
uci set firewall.@redirect[-1].src='guest'
uci set firewall.@redirect[-1].name='guest redirect to 82'
uci set firewall.@redirect[-1].dest='guest'
uci set firewall.@redirect[-1].reflection='0'
uci set firewall.@redirect[-1].target='DNAT'
uci commit firewall
service firewall restart
Sorry @trendy,
It's not working. For example, I am connected to the guest network and I am trying to open https://facebook.com or any website; then it should redirect me to 192.168.1.1:80.
This is what I am expecting.
Thanks
trendy
September 15, 2022, 9:38am
The redirect configured is for port 80, which is http.
https is port 443 but I doubt it will work.