Block access from Interfaces to LAN

Hello,

my goal is to block access to LuCI and SSH from outside the LAN interface. I found the following solution: Block Luci access from Wifi

This works great, but when a client reconnects via WiFi, it is not able to get an IP address. So there must be something wrong with DHCP.
So what I did: I changed the Input for each zone (not lan) to "reject" and created separate "Traffic rules" for each interface for DNS and DHCP.

Here is my Firewall configuration:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'lan'
	option forward 'REJECT'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'
	option input 'DROP'

config forwarding
	option src 'lan'
	option dest 'wan'

config include
	option path '/etc/firewall.user'

config zone
	option network 'Lan3Xbox'
	option forward 'REJECT'
	option name 'xbox'
	option output 'ACCEPT'
	option input 'REJECT'

config zone
	option network 'LAN2AmazonTV'
	option forward 'REJECT'
	option name 'amazontv'
	option output 'ACCEPT'
	option input 'REJECT'

config zone
	option network 'WIFITrusted2'
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'WIFIT2'
	option input 'REJECT'

config forwarding
	option dest 'wan'
	option src 'xbox'

config forwarding
	option dest 'wan'
	option src 'amazontv'

config forwarding
	option dest 'wan'
	option src 'WIFIT2'

config zone
	option network 'WIFIBUSINESS'
	option forward 'REJECT'
	option name 'WIFIBUS'
	option output 'ACCEPT'
	option input 'REJECT'

config zone
	option network 'WIFIGUESTS'
	option forward 'REJECT'
	option name 'WIFIGUEST'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding
	option dest 'wan'
	option src 'WIFIBUS'

config forwarding
	option dest 'wan'
	option src 'WIFIGUEST'

config rule
	option src 'WIFIT2'
	option name 'AllowDNS-WIFI2'
	option target 'ACCEPT'
	option dest_port '53'
	option dest 'lan'

config rule
	option src 'WIFIT2'
	option target 'ACCEPT'
	option dest_port '67-68'
	option name 'AllowDHCP-WIFI2'
	option dest 'lan'

config rule
	option dest_port '53'
	option src 'xbox'
	option name 'AllowDNS-xbox'
	option dest 'lan'
	option target 'ACCEPT'

config rule
	option dest_port '67-68'
	option src 'xbox'
	option name 'AllowDHCP-xbox'
	option dest 'lan'
	option target 'ACCEPT'

config rule
	option dest_port '53'
	option src 'amazontv'
	option name 'AllowDNS-amazontv'
	option dest 'lan'
	option target 'ACCEPT'

config rule
	option dest_port '67-68'
	option src 'amazontv'
	option name 'AllowDHCP-amazontv'
	option dest 'lan'
	option target 'ACCEPT'

config rule
	option dest_port '53'
	option src 'WIFIBUS'
	option name 'AllowDNS-WIFIBUSINESS'
	option dest 'lan'
	option target 'ACCEPT'

config rule
	option dest_port '67-68'
	option src 'WIFIBUS'
	option name 'AllowDHCP-WIFIBUSINESS'
	option dest 'lan'
	option target 'ACCEPT'

config rule
	option dest_port '53'
	option src 'WIFIGUEST'
	option name 'AllowDNS-WIFIGUEST'
	option dest 'lan'
	option target 'ACCEPT'

config rule
	option dest_port '67-68'
	option src 'WIFIGUEST'
	option name 'AllowDHCP-WIFIGUEST'
	option dest 'lan'
	option target 'ACCEPT'

Thanks for your support.

Cheers,
Lasko

The destination is the router, not the lan. So all these rules are wrong. Use only source zone, without destination.

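The check the reply above implies, as an added example that is not the poster's or OpenWrt's own code: a small Python linter that parses a UCI firewall config, flags ACCEPT rules for the router's own DNS/DHCP ports that carry a 'dest' option (which makes them forwarding rules that never match the router's INPUT chain), and lists zones with a non-ACCEPT input policy that are left without a working DHCP rule. The sample config is constructed in the thread's shape.

```python
ROUTER_PORTS = {53, 67, 68}  # dnsmasq on the router: DNS and DHCP

# Constructed sample in the thread's shape: one REJECT zone, two rules.
SAMPLE = """\
config zone
	option name 'WIFIT2'
	option input 'REJECT'
config rule
	option src 'WIFIT2'
	option name 'AllowDNS-WIFI2'
	option dest_port '53'
	option target 'ACCEPT'
config rule
	option src 'WIFIT2'
	option name 'AllowDHCP-WIFI2'
	option dest_port '67-68'
	option dest 'lan'
	option target 'ACCEPT'
"""

def parse_uci(text):
    """Minimal UCI parser: [(section_type, {option: value}), ...]."""
    sections = []
    for raw in text.splitlines():
        words = raw.split(None, 2)
        if words and words[0] == "config":
            sections.append((words[1], {}))
        elif len(words) == 3 and words[0] == "option" and sections:
            sections[-1][1][words[1]] = words[2].strip().strip("'\"")
    return sections

def ports_in(spec):
    lo, _, hi = spec.partition("-")  # '53' or '67-68' -> set of ints
    return set(range(int(lo), int(hi or lo) + 1))

def lint(text):
    """Return (rules wrongly carrying 'dest', zones still lacking DHCP)."""
    sections = parse_uci(text)
    rejecting = {o["name"] for t, o in sections
                 if t == "zone" and o.get("input", "ACCEPT") != "ACCEPT"}
    misplaced, dhcp_ok = [], set()
    for t, o in sections:
        ports = ports_in(o.get("dest_port", "0")) if t == "rule" else set()
        if o.get("target") != "ACCEPT" or not ports & ROUTER_PORTS:
            continue
        if "dest" in o:              # dest set -> forwarding rule, not INPUT
            misplaced.append(o["name"])
        elif ports & {67, 68}:       # a real INPUT rule that covers DHCP
            dhcp_ok.add(o["src"])
    return misplaced, sorted(rejecting - dhcp_ok)
```

Run it against /etc/config/firewall; an empty result for both lists means every router-service rule is written as an input rule and every rejecting zone can still hand out leases.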

My bad :grimacing: Thank you very much!

Cheers,
Lasko

