Allow service on local network only

anon44801567 · December 21, 2020, 1:42pm

Hi all,
I'm new on OpenWRT and I try to have some services only accessible from my private network (192.168.1.0/24) and other services that can be reached from outside, but I don't find out how.
I only have one zone:

config zone
        option name 'lan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option network 'lan'

and ony one interface:

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '192.168.1.254'
        option netmask '255.255.255.0'
        option ipv6 '0'
        option gateway '192.168.1.1'
        option broadcast '192.168.1.255'

frollic · December 21, 2020, 1:48pm

Where's outside ?

Internet ? in that case you need to set up firewall rules, no need to touch the LAN.

anon44801567 · December 21, 2020, 1:50pm

Yup sorry I have done some but since I don't know what to do with the zones I don't think it's relevant.
For example I have this one (that I want to be accessible only from local network:

config rule
        option name 'Allow-SSH'
        option src 'lan'
        option dest_port '22'
        option proto 'tcp'
        option family 'ipv4'
        option target 'ACCEPT'

frollic · December 21, 2020, 1:52pm

if you only want to access things from you local network, then you don't have to do anything at all.
Coming in from internet requires rules, everything's open/allowed on the LAN side.

anon44801567 · December 21, 2020, 1:55pm

It's not the case for me, I probably fucked up somewhere, I will try with a fresh install, thank you ^^

frollic · December 21, 2020, 2:06pm

ssh into the router (if you're still able to) and run the firstboot command, or do a reset through LuCI in System -> Backup / Flash Firmware.

anon44801567 · December 21, 2020, 2:10pm

Well after resetting I am able to access my pi with ssh even from internet.
I only set my gateway and the IP of the interface

frollic · December 21, 2020, 2:15pm

How is the PI connected to the internet ?

anon44801567 · December 21, 2020, 2:17pm

my pi is connected to my ISP's router and the to internet so the wan and the lan are actually on the same interface (eth0, wireless is disabled).
I think the problem comes from the zones

frollic · December 21, 2020, 2:25pm

Ok,

in that case I understand what you're trying to do.

WAN and LAN on the same interface doesn't sound very healthy.
You don't have an USB network card you can plug into the Pi ?

What you should to is set the ethernet port as WAN (once applied you will not be able
to access it anymore), and then use a console to continue with your configuration.

If supported, you could set up its WiFi as an AP for devices to connect to on the LAN side.

mk24 · December 21, 2020, 2:27pm

To restrict someone on the Internet from reaching a device on your LAN is usually the job of the firewall in the main router. By default, almost every ISP router will block all incoming connections from going to the LAN unless you specifically open ports or set up a DMZ.

Your main router may NAT ports it has open to the Internet to be from it's LAN IP (usually x.x.x.1). So when it reaches the Pi it looks like LAN originated connections.

If NAT is not involved you would want a rule on the Pi to allow connections only from source IPs within the LAN, 192.168.1.0/24.

anon44801567 · December 21, 2020, 2:31pm

Okay I will try that ^^

anon44801567 · December 21, 2020, 2:38pm

Yep my pi is in the DMZ because I can't open some ports (443 is blocked for example) and it seems that the source IP is not changed for incoming packages.

This is my problem, I don't know how to do this, I added
option list subnet '192.168.1.0/24'
to the lan zone but it changed nothing

frollic · December 21, 2020, 2:45pm

OK,

we need to back up a little bit.

Your Pi, when/if you connect it to the ISPs router, what kind if IP does it get ?

When you wrote you could connect to it "from internet", how exactly did
you verify that ?

anon44801567 · December 21, 2020, 2:49pm

I have a static IPv4 that I set like like shown on the first message.

I add it to the DMZ on my router and I connect through SSH from my phone which is not connected to the same network. (I do the same test from my computer which is in the same network as the pi to check if it works too)

frollic · December 21, 2020, 2:57pm

Ok,

Have you forwarded/defined any ports from internet/WAN to your Pi in your router ?
If not, you shouldn't be able to connect to it from outside, even if it's in the DMZ.
Unless DMZ means all ports are open, in your router

If your router is acting FW, then you shouldn't have to set your Pi port to WAN, as I
stated previously.

anon44801567 · December 21, 2020, 3:00pm

Yes here by DMZ they mean that a packet is sent to it if it does not match a rule in port forwarding.

frollic · December 21, 2020, 3:04pm

Can you open ports and do port forward in the router ?
So skipping DMZ all together ?

Or create a rule matching all ports and protocols ....

vgaetera · December 21, 2020, 6:54pm

psherman · December 21, 2020, 7:57pm

If your lan and wan are on the same physical interface, you need a vlan aware (managed) switch to ‘break out’ the networks properly.

Can you draw a diagram of your physical network?