Block access from wifi to LAN except gateway?

Hi There!
I have an openwrt router that I use as a dumb wifi AP + ethernet switch (I do not use any wan).
My internet access is managed by another device (opnsense).

I have created a guest wifi AP and now I would like to block any access from this AP to my LAN.

I have created a dedicated AP, interface and firewall zone, following this howto:

So the configuration looks like this:

[Guest 192.168.4.107]------wifi----[192.168.4.1 guest ap (openwrt) 192.168.1.252 LAN]----RJ45----[192.168.1.254 opnsense]----the internet

What I would like to do is block any access from 192.168.4.xxx to 192.168.1.xxx except, of course, the internet gateway 192.168.1.254.
I assume a couple of firewall rules could do the job, but I was not able to find which ones :frowning:

That wording was somewhat confusing. It seems you do have a WAN somewhere.

Since you placed the AP on the LAN, there is no firewall involved, you will have to use WAN and then firewall what you desire.

Also, if you're not using WAN, I'm unclear on how you have 2 different numbered subnets - as there's no router for the 192.168.4.0/24 subnet to reach 192.168.1.0/24 network (and hence, no firewall either).

Hello @lleachii
Maybe I was confusing, sorry for that!
Regarding WAN: I mean I do not use the WAN port or anything related to WAN in my openwrt device.
I do not use it as a router, but as an ethernet switch + dumb AP.

I have made this little drawing to try to show how all this is connected, but maybe it's not so clear.

[Guest 192.168.4.107]------wifi----[192.168.4.1 guest ap (openwrt) 192.168.1.252 LAN]----RJ45----[192.168.1.254 opnsense]----the internet

To be honest, I'm not sure I understand how the connection is made internally in openwrt between my guest subnet 192.168.4.0 (on guest wifi) and the LAN.
I assume it's done by the inter-firewall-zone parameters.
I mean this step of the howto:

In case you'd like to check the howto, I have a similar setup, with only a couple of IPs adapted:
"192.168.2.2", which is the openwrt IP on the LAN in the "Howto", is 192.168.1.252 on my side.
"192.168.2.1", which is the internet gateway IP on the LAN in the "Howto", is 192.168.1.254 on my side.

Everything's 100% clear...but if you are not routing on your AP, how do you expect traffic between 192.168.4.0/24 and 192.168.1.0/24 to pass?

Also, how do you expect to firewall it?

I hope you see the issue now.

But in your LAN AP config, you are not passing a router or firewall zone. Again, one suggestion is to configure your AP as a normal router with default OpenWrt configs, then you can firewall traffic as you desire between the 2 subnets.

Well, I cannot tell exactly how, but the connection is made between both subnets: I can reach the internet from my guest AP.

Isn't it done by the Zone forwarding section in firewall/general settings in LuCI?

Because it seems to be kind of similar to the LAN to WAN connection in normal router use, no?

You are forwarding from the .4.x guest network to the .1.x LAN, which acts as a WAN in this case. It's exactly the same as a typical default setup except the names and numbers have changed.

You can block guests from any dest_ip in 192.168.0.0/16. Make holes for DNS and DHCP. This still works even though the gateway is in there somewhere, because it is the final destination that is checked. (Guest to guest links may be possible, though if they are all wifi, the wifi driver's isolation feature will isolate them).

The order of firewall rules is important. Put the DNS and DHCP exceptions in the list first before the catch all else block all 192.168.

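The reply above describes the result in words; as an added example (not part of the original thread or of the OpenWrt project), here is a small Python model that takes the three guest-zone rules as they would appear in `/etc/config/firewall` (UCI syntax; rule names, addresses and the zone defaults are assumed from the diagram and the guest-wifi howto, not copied from the poster's config) and evaluates constructed packets against them with first-match semantics. It shows why traffic to the internet passes even though the block covers the gateway's address (only the final destination 192.168.1.254 is blocked, not packets routed via it), and why a hole placed after the catch-all never fires. One OpenWrt detail the model keeps: a rule with `dest` applies to forwarded traffic, a rule without `dest` to traffic addressed to the router itself, so the DNS/DHCP holes for the AP's own address and the forwarding block live in different chains; the ordering caveat bites when a hole is itself a forwarding rule, as in the hypothetical `Allow-DNS-to-Gateway` rule at the end.

```python
import ipaddress

# Constructed example, not the original poster's config: the guest-zone
# rules from the thread as they would appear in /etc/config/firewall.
# Rule names are assumed. Within one chain, fw3/fw4 evaluate the
# 'config rule' sections in file order and the first match wins.
UCI_RULES = """
config rule
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Block-Guest-to-LAN'
	option src 'guest'
	option dest 'lan'
	option dest_ip '192.168.0.0/16'
	option target 'REJECT'
"""

# Assumed from the thread's diagram: the AP's own addresses (plus the DHCP
# broadcast address) receive 'input' traffic; everything else is forwarded.
ROUTER_IPS = {"192.168.4.1", "192.168.1.252", "255.255.255.255"}
ZONE_DEFAULTS = {"input": "REJECT", "forward": "ACCEPT"}  # guest zone, as in the howto


def parse_uci_rules(text):
    """Minimal parser for 'config rule' sections made of 'option key value' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config rule":
            rules.append({})
        elif line.startswith("option ") and rules:
            _, key, value = line.split(None, 2)
            rules[-1][key] = value.strip("'\"")
    return rules


def chain_for(pkt):
    return "input" if pkt["dst"] in ROUTER_IPS else "forward"


def rule_matches(rule, pkt):
    # OpenWrt semantics: a rule with 'dest' is a forwarding rule, a rule
    # without it applies to traffic addressed to the router itself.
    if ("dest" in rule) != (chain_for(pkt) == "forward"):
        return False
    if rule.get("src") != pkt["src_zone"]:
        return False
    if "proto" in rule and pkt["proto"] not in rule["proto"].split():
        return False
    if "dest_port" in rule and pkt["dport"] != int(rule["dest_port"]):
        return False
    if "dest_ip" in rule and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["dest_ip"]):
        return False
    return True


def verdict(rules, pkt):
    """First matching rule wins; otherwise the zone default for that chain applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["target"], rule["name"]
    chain = chain_for(pkt)
    return ZONE_DEFAULTS[chain], f"{chain} default"


def guest_pkt(dst, proto, dport):
    return {"src_zone": "guest", "src": "192.168.4.107", "dst": dst, "proto": proto, "dport": dport}


RULES = parse_uci_rules(UCI_RULES)

# Hypothetical extra hole, not from the thread: if guests used the opnsense box
# as their DNS server, this forwarding rule would be needed, and its position
# relative to Block-Guest-to-LAN decides whether it ever fires.
ALLOW_DNS_TO_GATEWAY = {"name": "Allow-DNS-to-Gateway", "src": "guest", "dest": "lan",
                        "dest_ip": "192.168.1.254", "dest_port": "53",
                        "proto": "tcp udp", "target": "ACCEPT"}

if __name__ == "__main__":
    samples = [
        ("DNS to the AP", guest_pkt("192.168.4.1", "udp", 53)),
        ("DHCP discover", guest_pkt("255.255.255.255", "udp", 67)),
        ("SSH to the AP", guest_pkt("192.168.4.1", "tcp", 22)),
        ("a LAN host", guest_pkt("192.168.1.10", "tcp", 445)),
        ("the gateway itself", guest_pkt("192.168.1.254", "tcp", 443)),
        ("the internet via the gateway", guest_pkt("93.184.216.34", "tcp", 443)),
    ]
    for label, pkt in samples:
        print(f"{label:30} -> {verdict(RULES, pkt)}")
    dns_gw = guest_pkt("192.168.1.254", "udp", 53)
    print("hole after the block :", verdict(RULES + [ALLOW_DNS_TO_GATEWAY], dns_gw))
    print("hole before the block:", verdict([ALLOW_DNS_TO_GATEWAY] + RULES, dns_gw))
```

Run it as a script to see each verdict and the rule that produced it; the last two lines print `REJECT` and then `ACCEPT` for the same DNS packet, differing only in where the hole sits in the list.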

Bingo !!

Just added a rule like this:


The rules for DNS & DHCP were already set following the "howto" mentioned in the 1st post, as well as the isolate function on wifi.

It seems to work perfectly: I cannot access LAN devices, nor ping them, but internet is working.

Thanks!

PS: I also learnt something about the gateway/final destination :slight_smile:
