Hello,
My goal is to block access to LuCI and SSH outside the LAN interface. I found the following solution: Block Luci access from Wifi
This works great, but when a client reconnects via Wi-Fi, it is not able to get an IP address. So there must be something wrong with DHCP.
So what I did: I changed the input for each zone (not lan) to "reject" and created separate "Traffic rules" for each interface for DNS and DHCP.
Here is my firewall configuration:
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option synflood_protect '1'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option network 'lan'
    option forward 'REJECT'

config zone
    option name 'wan'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan wan6'
    option input 'DROP'

config forwarding
    option src 'lan'
    option dest 'wan'

config include
    option path '/etc/firewall.user'

config zone
    option network 'Lan3Xbox'
    option forward 'REJECT'
    option name 'xbox'
    option output 'ACCEPT'
    option input 'REJECT'

config zone
    option network 'LAN2AmazonTV'
    option forward 'REJECT'
    option name 'amazontv'
    option output 'ACCEPT'
    option input 'REJECT'

config zone
    option network 'WIFITrusted2'
    option forward 'REJECT'
    option output 'ACCEPT'
    option name 'WIFIT2'
    option input 'REJECT'

config forwarding
    option dest 'wan'
    option src 'xbox'

config forwarding
    option dest 'wan'
    option src 'amazontv'

config forwarding
    option dest 'wan'
    option src 'WIFIT2'

config zone
    option network 'WIFIBUSINESS'
    option forward 'REJECT'
    option name 'WIFIBUS'
    option output 'ACCEPT'
    option input 'REJECT'

config zone
    option network 'WIFIGUESTS'
    option forward 'REJECT'
    option name 'WIFIGUEST'
    option output 'ACCEPT'
    option input 'REJECT'

config forwarding
    option dest 'wan'
    option src 'WIFIBUS'

config forwarding
    option dest 'wan'
    option src 'WIFIGUEST'

config rule
    option src 'WIFIT2'
    option name 'AllowDNS-WIFI2'
    option target 'ACCEPT'
    option dest_port '53'
    option dest 'lan'

config rule
    option src 'WIFIT2'
    option target 'ACCEPT'
    option dest_port '67-68'
    option name 'AllowDHCP-WIFI2'
    option dest 'lan'

config rule
    option dest_port '53'
    option src 'xbox'
    option name 'AllowDNS-xbox'
    option dest 'lan'
    option target 'ACCEPT'

config rule
    option dest_port '67-68'
    option src 'xbox'
    option name 'AllowDHCP-xbox'
    option dest 'lan'
    option target 'ACCEPT'

config rule
    option dest_port '53'
    option src 'amazontv'
    option name 'AllowDNS-amazontv'
    option dest 'lan'
    option target 'ACCEPT'

config rule
    option dest_port '67-68'
    option src 'amazontv'
    option name 'AllowDHCP-amazontv'
    option dest 'lan'
    option target 'ACCEPT'

config rule
    option dest_port '53'
    option src 'WIFIBUS'
    option name 'AllowDNS-WIFIBUSINESS'
    option dest 'lan'
    option target 'ACCEPT'

config rule
    option dest_port '67-68'
    option src 'WIFIBUS'
    option name 'AllowDHCP-WIFIBUSINESS'
    option dest 'lan'
    option target 'ACCEPT'

config rule
    option dest_port '53'
    option src 'WIFIGUEST'
    option name 'AllowDNS-WIFIGUEST'
    option dest 'lan'
    option target 'ACCEPT'

config rule
    option dest_port '67-68'
    option src 'WIFIGUEST'
    option name 'AllowDHCP-WIFIGUEST'
    option dest 'lan'
    option target 'ACCEPT'
Thanks for your support.
Cheers,
Lasko
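Every DNS and DHCP rule in the configuration above carries `option dest 'lan'`. In OpenWrt's firewall (fw3 and fw4 alike) a traffic rule with `dest` set matches traffic forwarded from the `src` zone into the `dest` zone; a rule meant to admit traffic to the router itself, which is where dnsmasq answers DHCP and DNS, is written without `dest` so it lands in the zone's input chain. With `input 'REJECT'` on the Wi-Fi zones, DHCP requests to the router are therefore rejected, and this is a plausible explanation for clients no longer getting an address. The following checker is an added example, not code from the original post: it parses a UCI firewall config, flags ACCEPT rules for ports 53/67/68 that still have a `dest`, and re-emits the config with `dest` dropped from those rules. The sample config embedded in it is constructed for the example; the parsing is deliberately limited to `config` and `option` lines, which is all this firewall file uses.

```python
"""Lint an OpenWrt UCI firewall config for DNS/DHCP rules placed in the
forward chain instead of the input chain.

Assumed semantics (OpenWrt fw3/fw4): a 'config rule' with 'option dest'
matches traffic forwarded from src zone to dest zone; a rule without 'dest'
matches traffic addressed to the router itself (the src zone's input chain).
DNS and DHCP served by the router are input traffic, so their rules must
not carry 'option dest'.
"""
import re

SERVICE_PORTS = {53, 67, 68}  # DNS, DHCP server, DHCP client

# Constructed sample: a DHCP rule wrongly placed in the forward chain, a DNS
# rule correctly without 'dest', and a genuine forward rule that must be kept.
SAMPLE_CONFIG = """\
config rule
    option src 'WIFIGUEST'
    option name 'AllowDHCP-WIFIGUEST'
    option dest_port '67-68'
    option dest 'lan'
    option target 'ACCEPT'

config rule
    option src 'WIFIGUEST'
    option name 'AllowDNS-WIFIGUEST'
    option dest_port '53'
    option target 'ACCEPT'

config rule
    option src 'WIFIGUEST'
    option name 'AllowHTTP-to-lan'
    option dest 'lan'
    option dest_port '80'
    option target 'ACCEPT'
"""

_SECTION = re.compile(r"^\s*config\s+(\w+)(?:\s+'?([\w-]*)'?)?\s*$")
_OPTION = re.compile(r"^\s*option\s+(\w+)\s+'([^']*)'\s*$")


def parse_uci(text):
    """Return a list of (section_type, {option: value}) in file order."""
    sections = []
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = _OPTION.match(line)
        if m and sections:
            sections[-1][1][m.group(1)] = m.group(2)
    return sections


def port_set(spec):
    """Expand a UCI dest_port value ('53', '67-68', '53 67-68') into a set."""
    ports = set()
    for item in spec.split():
        lo, _, hi = item.partition("-")
        hi = hi or lo
        ports.update(range(int(lo), int(hi) + 1))
    return ports


def misplaced_service_rules(text):
    """Names of ACCEPT rules for DNS/DHCP ports that carry 'dest'."""
    bad = []
    for stype, opts in parse_uci(text):
        if stype != "rule" or opts.get("target") != "ACCEPT":
            continue
        if "dest" in opts and port_set(opts.get("dest_port", "")) & SERVICE_PORTS:
            bad.append(opts.get("name", "<unnamed>"))
    return bad


def fixed_config(text):
    """Re-emit the config with 'dest' removed from the flagged rules only."""
    flagged = set(misplaced_service_rules(text))
    out = []
    for stype, opts in parse_uci(text):
        if stype == "rule" and opts.get("name") in flagged:
            opts = {k: v for k, v in opts.items() if k != "dest"}
        out.append("config %s" % stype)
        out.extend("    option %s '%s'" % kv for kv in opts.items())
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    for name in misplaced_service_rules(SAMPLE_CONFIG):
        print("rule %r is in the forward chain; drop 'option dest' "
              "so it applies to traffic to the router" % name)
    print(fixed_config(SAMPLE_CONFIG))
```

Pointing the script at a copy of `/etc/config/firewall` instead of the embedded sample lists every DNS/DHCP rule that will never see the router's own input traffic. Note that removing `dest` is the whole fix here: the rules keep their `src` zone, so the router still only answers DHCP and DNS for that zone, while LuCI and SSH remain blocked by the zone's `input 'REJECT'`.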