I have LAN, IoT, and Guest VLANs set up on an OpenWRT One. The IoT network should not access the internet, and I created the IoT zone that prevents this. However, I have one device that needs to access the internet from time to time. Instead of periodically changing the IoT’s “output” to accept, how can I add a separate firewall rule to allow my one device (via IP or MAC address) to always have internet access? I spent many hours trying different traffic rules, but none seem to allow access to the internet. Below are my zone settings. Everything works as intended except allowing one device in IoT to access the internet.
In most cases, the output zone rule should be set to ACCEPT.
From there, if you're blocking IoT > wan access, that should still work given that you don't have a forwarding rule for that purpose.
What you'll do for that one device is to set up a rule to accept a connection from the IP address of the device on the IoT zone with destination of the wan zone, protocol any/all and with the port fields empty (unless you know exactly what is required and can thus limit with more granularity, if desired).
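The zone and traffic rule described in the reply above, written as an `/etc/config/firewall` fragment. This is an added example, not configuration posted in the thread: the zone name `iot`, the device address `192.168.30.50` and the MAC address are assumed placeholders, and the zone shown is only the IoT zone (the `lan` and `wan` zones are left as they already exist on the router).

```uci
# Added example: IoT zone with output ACCEPT and no forwarding to wan.
# With no "config forwarding" from iot to wan, the zone's forward policy
# (REJECT) applies, so IoT clients cannot reach the internet by default.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Single-device exception: traffic from one IoT client is accepted when it
# is forwarded to the wan zone. proto 'all' covers TCP, UDP and ICMP, so
# ping works as well; leaving dest_port unset allows every port.
config rule
	option name 'Allow-IoT-device-to-wan'
	option src 'iot'
	option src_ip '192.168.30.50'   # assumed address of the one device
	# option src_mac 'aa:bb:cc:dd:ee:ff'   # alternative: match by MAC instead of IP
	option dest 'wan'
	option proto 'all'
	option target 'ACCEPT'
	option family 'ipv4'
```

Apply with `/etc/init.d/firewall restart`, then confirm the rule from the device with `ping` and a TCP check such as `curl`, and from a second IoT device that it still has no internet access. If the device only talks to one service, replace `proto 'all'` with `list proto 'tcp'` (and `list proto 'udp'` if needed) and add `option dest_port '443'` (or whatever port it requires); a rule restricted to TCP/UDP no longer matches ICMP, so ping from that device will fail even though the service traffic passes.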
Thanks! This confirms that what I was doing was correct. The problem for me was a lack of understanding of protocols specifically as it relates to ‘ping’. As soon as I added ICMP to my rule, then ping immediately began working. Removing ICMP blocked ‘ping,’ but TCP/UDP was still allowed through. Trying other checks including curl, wget, and traceroute showed that my single IP had TCP/UDP network access. I’ll add ports to my rule since this IP is only accessing a single service port. Thanks again…
