I'm a newbie. I'm using the latest OpenWrt on a Netgear DM200 and it works very well.
My configuration is a "full bridge"; behind OpenWrt I have pfSense, and I have 8 static IPs.
Now my problem: OpenWrt is my "gateway" and has one static IP. I can access it from inside or outside my gateway, but I want to access my gateway (OpenWrt) only from inside my LAN, without blocking https and ssh to my other IPs.
My goal is to block people trying to log in to my gateway (OpenWrt with a static IP) from outside my network (the 8 static IPs).
My firewall:
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option mtu_fix '1'
	option network 'wan'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'
Even though I am not comprehending your setup and the problems that may come with it... from your initial question I highly suggest you read up on dropbear and uhttpd configuration.
There you can configure access to your needs. Also use SSH keys for logins. With that you are quite good to go. If you additionally want to limit access on the network layers then somebody else may be able to help.
Thank you for your help, but my problem hasn't found a solution; surely I explained my problem very badly.
Now I'll try to explain my configuration and problem in an easy way.
I have 8 static and public IPs that my ISP gave me. I'm using the hardware "Netgear DM200" and installed
"OpenWrt 19.07.3 r11063-85e04e9f46 / LuCI openwrt-19.07 branch git-20.182.58453-b573f10"
I need to connect with the PPPoE WAN protocol (DSL side); I have an ID, password and VLAN ID, and my ISP assigns a static fixed IP (e.g. 4.3.2.1).
My ISP gives me 8 static fixed IPs I can use: 1.2.3.4/29
1.2.3.4 network
1.2.3.5 gateway (openwrt)
1.2.3.6, 1.2.3.7, 1.2.3.8, 1.2.3.9, 1.2.3.10 IP static and public I can use
1.2.3.11 broadcast
On the OpenWrt LAN side I use IP 1.2.3.5 (gateway); the LAN is in bridge mode, and now everything works very well.
My problem is that IP 1.2.3.5, my gateway running OpenWrt, is a public IP (that's normal), and I want to block ports 80, 443 and 22 for outside connections but not for inside connections. E.g. from my computer running IP 1.2.3.8 I want to log in to my gateway; at the same time I don't want my gateway to block ports 80, 443 and 22 on my computer running IP 1.2.3.8.
OK, you want a transparent router with no firewall functions for your 1.2.3.4/29 network BUT you want to block incoming connections to the router itself from external IPs (the Internet)?
Assuming your WAN interface is in the firewall zone "wan" (the default), you need to change:
config zone
	option name 'wan'
	option output 'ACCEPT'
	option mtu_fix '1'
	option network 'wan'
	option input 'ACCEPT'
	option forward 'ACCEPT'
to
	option input 'REJECT'
This should block incoming connections to the router while still allowing access to the hosts behind it (ACCEPT forwarded packets).
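As an added example (not code from the thread or from the OpenWrt project), the script below does two things a practitioner would want around this change: it audits a firewall config for zones whose effective input policy is ACCEPT (the weak setting on the poster's wan zone that exposes dropbear/uhttpd to the Internet), and it applies the REJECT fix with uci when run on the router. The sample config is constructed to mirror the poster's defaults/lan/wan zones plus a hypothetical 'guest' zone that sets no input policy and therefore inherits the one from 'config defaults'; the apply step assumes the wan zone is an anonymous section named 'wan', as in the default config.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt. Audits an
# /etc/config/firewall for zones whose input policy resolves to ACCEPT
# (the poster's wan zone) and applies input=REJECT on the wan zone via uci
# when run on the router itself.

# Constructed config mirroring the thread: defaults + lan + wan, plus a
# hypothetical 'guest' zone that sets no input policy and so inherits the
# 'config defaults' value. The wan input policy is a parameter so the same
# text serves as the "before" (ACCEPT) and "after" (REJECT) case.
sample_config() {
    wan_input=${1:-ACCEPT}
    cat <<EOF
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config zone
    option name 'wan'
    option output 'ACCEPT'
    option mtu_fix '1'
    option network 'wan'
    option input '$wan_input'
    option forward 'ACCEPT'

config zone
    option name 'guest'
    option network 'guest'
EOF
}

# Read a UCI firewall config on stdin and print the name of every zone whose
# effective input policy is ACCEPT, i.e. from which the router's own services
# (ssh/http/https) are reachable. A zone without 'option input' inherits the
# value set in 'config defaults'.
audit_input_accept() {
    awk -v q="'" '
        function flush() {
            if (sec == "zone") {
                pol = (inp == "") ? def : inp
                if (pol == "ACCEPT") print name
            }
        }
        $1 == "config" { flush(); sec = $2; name = ""; inp = ""; next }
        $1 == "option" {
            v = $3; gsub(q, "", v)
            if (sec == "defaults" && $2 == "input") def = v
            if (sec == "zone" && $2 == "name")  name = v
            if (sec == "zone" && $2 == "input") inp = v
        }
        END { flush() }
    '
}

# On the router: set input=REJECT on every zone named 'wan' and reload the
# firewall. Assumes anonymous zone sections (firewall.@zone[N]) as in the
# default config; refuses to run where uci is absent.
apply_wan_reject() {
    command -v uci >/dev/null 2>&1 || { echo "uci not found: not an OpenWrt host" >&2; return 1; }
    for z in $(uci show firewall | sed -n "s/^firewall\.\(@zone\[[0-9]*\]\)\.name='wan'\$/\1/p"); do
        uci set "firewall.$z.input=REJECT"
    done
    uci commit firewall && /etc/init.d/firewall reload
}

echo "zones with input=ACCEPT before the change:"
sample_config ACCEPT | audit_input_accept
echo "zones with input=ACCEPT after wan input is set to REJECT:"
sample_config REJECT | audit_input_accept
```

Run the audit against the real file with `audit_input_accept < /etc/config/firewall`; 'lan' is expected to remain listed, since that is exactly the zone the poster wants to keep administrative access from. The wan-zone REJECT only affects packets addressed to the router itself (the INPUT chain); forwarded traffic to the hosts behind it is governed by the forward policy and the forwarding sections, which this change leaves alone.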
If the user's hosts are in LAN this would be incorrect; and your description of what Forward ACCEPT on the WAN Zone does is also wrong.
A better definition for Forward ACCEPT is: "Permit packets on one Interface in the Zone to forward to another."
An example would be: if a user placed both a VPN and their ISP connection into the WAN Zone, ACCEPTING Forward would permit VPN traffic Internet access. It would also allow the ISP WAN interface to initiate traffic through the VPN (obviously using specific routing or another WAN interface).
@lleachii: I'm new to OpenWRT; also I'm primarily using LuCI and that's different from what I see in /etc/config/firewall. Also I'm pretty sure the default settings deny connections from wan => lan. At least I really, really hope so, for the sake of everybody.
@delfo2000: I think what you need is something like this in /etc/config/firewall:
config forwarding
	option dest 'lan'
	option src 'wan'
Your systems are almost certainly in the lan firewall zone, as long as they are connected to the Ethernet:
config interface 'lan'
	option ifname 'eth0'
and
config zone
	option name 'lan'
	option network 'lan'
It doesn't matter that they have public IPs; OpenWrt seems to map interfaces to firewall zones for the default zones (e.g. lan & wan).
Can somebody in the know please elaborate, instead of just saying what I did wrong? At least I'm trying...
Correct, which is why I'm wondering why you give the OP instructions that will do nothing for the situation (or rather, didn't mention correcting it).
You stated:
This is what I'm referencing; and your definition of FORWARD-ACCEPT on this Zone was incorrect. You properly described LAN to WAN forwarding in your subsequent post, which was unrelated to my statement (since it obviously has nothing to do with what you posted).
I agree changing INPUT to REJECT is OK; but again, your definition of FORWARD on the WAN Zone was incorrect.