Allow internet access for only 2-3 IPs within subnet/zone

Using only fw4+luci, how do I set up rules to allow 2-3 IP addresses within a zone/subnet called "TestZone" to access the internet?

My "lan" zone already has access to the internet via default forwarding from "lan" to "wan" under the "general settings" tab.

Do I have to:

  1. Enable "TestZone" to "wan" forwarding on the "General Settings" tab
  2. Then, on the "traffic rules" tab, reject connections for all IPs in subnet/zone "TestZone" from TCP source port 80, except for the 2-3 IPs that I want to have internet access?

Or is there a simpler way, for example:

  1. DON'T specify zone-to-zone forwarding from "TestZone" to "wan" in "General Settings"
  2. In "Traffic Rules", create one rule to accept forward from source zone "TestZone" on TCP Port 80 to "wan"

This is the easier method. Depending on how granular you want to get, you can set rules with specific port numbers, or you can just omit it and it'll allow all traffic.

You'll basically just have a rule that will accept a source zone (TestZone), source IP(s), and destination zone (wan).

This is also the method I want to use; however, forwarding this way does not seem to work for me: I get several "Destination unreachable" and other errors when I try to run repository updates on the allowed IP/machine.

However, if I simply forward the whole zone to "wan", then all the usual repo updates and other commands I perform on that target machine work normally.

Let's see the configuration:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Here is the output of /etc/config/network; regarding this question, please focus on "not_vlan", which is the actual name of the subnet/interface in question.

# /etc/config/network as posted (kept verbatim; review notes added as full-line comments).
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

# One VLAN-aware bridge over the four LAN ports; the VLANs below are carved out of it.
config device
        option name 'br-lan'
        option type 'bridge'
        option bridge_empty '1'
        option ipv6 '0'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

# Upstream: DHCP client on eth0 (listed under the 'wan' zone in /etc/config/firewall).
config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config bridge-vlan
        option device 'br-lan'
        option vlan '115'
        list ports 'eth1:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '155'
        list ports 'eth1:t'
        list ports 'eth3:u*'

# VLAN 66 has no ports listed and no interface section below; it carries nothing as posted.
config bridge-vlan
        option device 'br-lan'
        option vlan '66'

config interface 'office_vlan'
        option proto 'static'
        option ipaddr '192.168.155.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option device 'br-lan.155'

config interface 'iot_vlan'
        option device 'br-lan.115'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.115.1'

config device
        option name 'br-lan.66'
        option ipv6 '0'

config device
        option name 'br-lan.155'
        option type '8021q'
        option ifname 'br-lan'
        option vid '155'
        option ipv6 '0'

config device
        option name 'br-lan.115'
        option type '8021q'
        option ifname 'br-lan'
        option vid '115'
        option ipv6 '0'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'eth1'

config device
        option name 'eth2'

config device
        option name 'eth3'

# VLAN 107: untagged/PVID on eth2 and eth4, i.e. the ports the 'not_vlan' hosts plug into.
config bridge-vlan
        option device 'br-lan'
        option vlan '107'
        list ports 'eth2:u*'
        list ports 'eth4:u*'

# The subnet in question: 10.107.115.0/24 with the router at 10.107.115.1.
# This interface is the only member of firewall zone 'not' (see /etc/config/firewall).
config interface 'not_vlan'
        option device 'br-lan.107'
        option proto 'static'
        option ipaddr '10.107.115.1'
        option netmask '255.255.255.0'

# NOTE(review): ipv6 '1' here, unlike the other VLAN sub-devices (ipv6 '0'). The 'not'
# firewall zone is declared family ipv4, so confirm whether IPv6 on this VLAN is intended.
config device
        option name 'br-lan.107'
        option type '8021q'
        option ifname 'br-lan'
        option vid '107'
        option ipv6 '1'

Here is the output of "cat /etc/config/dhcp"; most other hosts (on other VLANs) have been removed as they are not relevant to the question, and the host that needs to connect has been renamed "test" below.

# /etc/config/dhcp as posted (trimmed by the poster; kept verbatim, review notes as full-line comments).
# Resolver for all local subnets: rebind protection on, localservice '1' answers only local
# subnets, upstream forwarders 1.1.1.1 / 1.0.0.1. Hosts on 'not_vlan' can reach this resolver
# because the 'not' zone's input policy is ACCEPT in /etc/config/firewall.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list server '1.1.1.1'
        list server '1.0.0.1'

# No DHCP service on the upstream interface.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'office_vlan'
        option interface 'office_vlan'
        option leasetime '12h'
        option start '6'
        option limit '7'

config dhcp 'iot_vlan'
        option interface 'iot_vlan'
        option start '6'
        option limit '24'
        option leasetime '24h'

# Pool for the subnet in question: 10.107.115.6 - 10.107.115.29.
config dhcp 'not_vlan'
        option interface 'not_vlan'
        option start '6'
        option limit '24'
        option leasetime '24h'

# Static lease for the host that the firewall 'test rule' exempts (src_ip 10.107.115.28);
# the address sits inside the dynamic pool above.
# NOTE(review): the firewall matches this host by IP only, so the exemption is only as strong
# as this MAC->IP binding; treat it as convenience segmentation, not strong access control.
config host
        option name 'test'
        option dns '1'
        option mac <redacted>
        option ip '10.107.115.28'

Here is the firewall config, which does not currently work: it does not allow host "test" to run "apt-get update" successfully.

# /etc/config/firewall as posted (kept verbatim; review notes added as full-line comments).
# Global policy: forwarding between zones is rejected unless a 'config forwarding' entry
# or an explicit ACCEPT rule allows it.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'

# 'lan' zone as posted has no 'list network' entry.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# Upstream zone: NAT (masq) and MSS clamping on, unsolicited inbound rejected.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

# Zone-level forwarding: every host in 'lan' may reach 'wan'.
config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# NOTE(review): the next two rules accept unsolicited ESP and UDP/500 from 'wan' into the
# 'iot' zone. Unrelated to the question, but worth confirming they are still needed.
config rule
        option src 'wan'
        option proto 'esp'
        option target 'ACCEPT'
        option dest 'iot'
        option name 'Allow-IPSec-ESP (Streaming?)'

config rule
        option src 'wan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option name 'Allow-ISAKMP (Streaming?)'
        option dest 'iot'

config zone
        option name 'office'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'office_vlan'

config forwarding
        option src 'office'
        option dest 'wan'

config zone
        option name 'iot'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'iot_vlan'

config forwarding
        option src 'iot'
        option dest 'wan'

# Zone for not_vlan (10.107.115.0/24). Unlike 'office' and 'iot' there is deliberately no
# 'config forwarding' to 'wan' for it, so only explicit rules can let hosts out; the
# remaining hosts fall through to the default forward REJECT. 'input ACCEPT' is what lets
# these hosts use the router's own DNS/DHCP.
# NOTE(review): family 'ipv4' limits this zone to IPv4, while br-lan.107 has ipv6 '1' in
# /etc/config/network; confirm whether IPv6 from this VLAN is meant to be covered.
config zone
        option name 'not'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'not_vlan'
        option family 'ipv4'
        option forward 'REJECT'

# Per-host exception: only 10.107.115.28 (static lease 'test' in /etc/config/dhcp) may
# forward to 'wan'. As posted, 'src_port 80' matches the client's SOURCE port, which an
# outbound HTTP client does not use, so the rule never matches; the intended match is
# dest_port (see the reply below). Note the rule also limits the host to TCP port 80 only,
# so HTTPS (443) and anything else still hits the default REJECT unless added.
config rule
        option name 'test rule'
        list proto 'tcp'
        option src 'not'
        list src_ip '10.107.115.28'
        option src_port '80'
        option dest 'wan'
        option target 'ACCEPT'
        option family 'ipv4'

This is very likely the issue. If you are trying to allow the host 10.107.115.28 to access plain web (http), the rule should match dest_port, not src_port: src_port refers to the client's own (ephemeral) port, not the port of the web server it is connecting to.

Keep in mind that most services no longer use plain http. For example, the OpenWrt package repos are all https (port 443), so you may still get failures. But see if the change from src_port to dest_port fixes your issue.


Yea that was it. Thanks. Need to either get some coffee or get some sleep.
