Block HTTPS and SSH access from outside the LAN

Dear,

I'm a newbie. I'm using the latest OpenWrt on a Netgear DM200 and it works very well;
my configuration is "full bridge", behind OpenWrt I have pfSense, and I have 8 static IPs.
Now my problem: OpenWrt is my "gateway" and has one static IP. I can access my gateway from inside or outside, but I want to access my gateway (OpenWrt) only from inside my LAN, without blocking HTTPS and SSH to my other IPs.
My goal is to block people trying to log in to my gateway (OpenWrt with a static IP) from outside my network (the 8 static IPs).

My firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option mtu_fix '1'
	option network 'wan'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

My network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd61:b19b:70d2::/48'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'a'
	option tone 'av'
	option ds_snr_offset '0'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option ip6assign '60'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	option netmask '255.255.255.248'
	option ipaddr 'x.x.x.x'
	option delegate '0'

config device 'lan_eth0_dev'
	option name 'eth0'
	option macaddr '08:02:8e:a6:5a:1d'

config interface 'wan'
	option ifname 'dsl0.835'
	option proto 'pppoe'
	option ipv6 '1'
	option username 'xxxxxxx@xxxxx.xxx'
	option password 'xxxxxxxxx'
	option delegate '0'

config device 'wan_dsl0_dev'
	option name 'dsl0'
	option macaddr '08:02:8e:a6:5a:1e'

I hope for a little help.

Regards

Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.
Please edit your post accordingly. Thank you! :slight_smile:

Sorry it's not clear from your post what is going on...

You want to block? or not-block?
Is the device the edge router? Or is its "WAN" side also within your network?

edit: ok, so "dsl" in your config means... it IS your gateway, and it is a DSL bridge to an internal pfSense box?

Sounds like you might be asking how to allow access to ports on the pfSense (over your bridged DSL gateway)???

Or maybe you're having difficulty accessing the web interfaces of both devices?

Even though I am not comprehending your setup and the problems that may come with it... from your initial question I highly suggest you read up on dropbear and uhttpd configuration.
There you can configure access to your needs. Also use SSH keys for logins. With that you are quite good to go. If you additionally want to limit access on the network layer then somebody else may be able to help.

You shouldn't have changed the default settings:

Dear,

thank you for the help, but my problem hasn't found a solution; surely I explained my problem very badly.
Now I will try to explain my configuration and problem in an easy way.
I have 8 static, public IPs that my ISP gave me. I'm using the hardware "Netgear DM200" and installed
"OpenWrt 19.07.3 r11063-85e04e9f46 / LuCI openwrt-19.07 branch git-20.182.58453-b573f10"

  1. I need to connect with PPPoE on the WAN (DSL side); I have an ID, password and VLAN ID, and my ISP assigns a fixed static IP (e.g. 4.3.2.1)

  2. My ISP gave me 8 fixed static IPs I can use: 1.2.3.4/29

  • 1.2.3.4 network
  • 1.2.3.5 gateway (OpenWrt)
  • 1.2.3.6, 1.2.3.7, 1.2.3.8, 1.2.3.9, 1.2.3.10 static, public IPs I can use
  • 1.2.3.11 broadcast
  3. On the OpenWrt LAN side I use IP 1.2.3.5 (gateway); the LAN is in bridge mode, and now everything works very well.

My problem is that IP 1.2.3.5, my gateway running OpenWrt, is a public IP (that's normal), and I want to block ports 80, 443 and 22 for outside connections but not for inside connections. E.g. from my computer with IP 1.2.3.8 I want to log in to my gateway, and at the same time I don't want my gateway to block ports 80, 443 and 22 on my computer with IP 1.2.3.8.

I hope this clarifies my problem.

Regards

OK, you want a transparent router with no firewall functions for your 1.2.3.4/29 network BUT you want to block incoming connections to the router itself from external IPs (the Internet)?
Assuming your WAN interface is in the firewall zone "wan" (the default), you need to change:


config zone
	option name 'wan'
	option output 'ACCEPT'
	option mtu_fix '1'
	option network 'wan'
	option input 'ACCEPT'
	option forward 'ACCEPT'

to

option input 'REJECT'

This should block incoming connections to the router while still allowing access to the hosts behind it (ACCEPT forwarded packets).
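As an added example (not code from this thread and not part of OpenWrt), the following Python model reproduces how fw3 decides the INPUT path for a packet addressed to the router itself, and runs it against a trimmed copy of the posted /etc/config/firewall to show the effect of the change above: with `option input 'ACCEPT'` on the wan zone an SSH connection arriving over PPPoE is accepted; after the zone policy is switched to REJECT it is rejected, while the same connection from a host on the public /29 (which enters via the LAN bridge and therefore the lan zone) is still accepted, and the explicit Allow-DHCP-Renew rule keeps working. The interface-to-zone mapping (pppoe-wan -> wan, br-lan -> lan), the external address 203.0.113.10, the helper names and the subset of rule options honoured are all assumptions made for this illustration.

```python
"""Model of the fw3 INPUT decision for the posted OpenWrt firewall config.

Added illustration, not OpenWrt code. Assumptions: ingress device 'pppoe-wan'
is in zone 'wan' and 'br-lan' in zone 'lan'; only src/dest/proto/dest_port/
src_ip/family/target are honoured; IPv4 only.
"""
import ipaddress
import re

# Constructed sample: trimmed copy of the firewall config posted in the thread.
SAMPLE_FIREWALL = """
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'ACCEPT'
	option network 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
"""

# Assumed mapping of ingress device to firewall zone.
IFACE_ZONE = {"pppoe-wan": "wan", "br-lan": "lan"}


def parse_uci(text):
    """Parse UCI 'config <type> [name]' sections with option/list lines."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"config\s+(\S+)(?:\s+'?([^']+)'?)?$", line)
        if m:
            sections.append({"type": m.group(1), "opts": {}, "lists": {}})
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'$", line)
        if m and sections:
            kind, key, val = m.groups()
            if kind == "option":
                sections[-1]["opts"][key] = val
            else:
                sections[-1]["lists"].setdefault(key, []).append(val)
    return sections


def rule_matches(rule, zone, proto, dport, src_ip):
    """True if a 'config rule' section applies to this INPUT packet."""
    o = rule["opts"]
    # INPUT rules name a src zone and no dest zone (dest means FORWARD).
    if o.get("src") != zone or "dest" in o:
        return False
    if o.get("family", "ipv4") != "ipv4":
        return False
    if "proto" in o and o["proto"] not in (proto, "all"):
        return False
    if "dest_port" in o and str(dport) not in o["dest_port"].split():
        return False
    if "src_ip" in o and ipaddress.ip_address(src_ip) not in \
            ipaddress.ip_network(o["src_ip"], strict=False):
        return False
    return True


def input_verdict(cfg, iface, src_ip, proto, dport):
    """fw3 INPUT verdict: first matching rule, else zone policy, else defaults."""
    zone = IFACE_ZONE[iface]
    for s in cfg:
        if s["type"] == "rule" and rule_matches(s, zone, proto, dport, src_ip):
            return s["opts"]["target"]
    for s in cfg:
        if s["type"] == "zone" and s["opts"].get("name") == zone and "input" in s["opts"]:
            return s["opts"]["input"]
    return next(s["opts"]["input"] for s in cfg if s["type"] == "defaults")


def set_zone_input(cfg, zone_name, policy):
    """Same effect as: uci set firewall.@zone[N].input='REJECT' for that zone."""
    for s in cfg:
        if s["type"] == "zone" and s["opts"].get("name") == zone_name:
            s["opts"]["input"] = policy
    return cfg


if __name__ == "__main__":
    cfg = parse_uci(SAMPLE_FIREWALL)
    print("SSH from Internet, wan input ACCEPT:",
          input_verdict(cfg, "pppoe-wan", "203.0.113.10", "tcp", 22))
    set_zone_input(cfg, "wan", "REJECT")
    print("SSH from Internet, wan input REJECT:",
          input_verdict(cfg, "pppoe-wan", "203.0.113.10", "tcp", 22))
    print("SSH from 1.2.3.8 on the LAN bridge:  ",
          input_verdict(cfg, "br-lan", "1.2.3.8", "tcp", 22))
    print("DHCP renew from the ISP on wan:      ",
          input_verdict(cfg, "pppoe-wan", "203.0.113.1", "udp", 68))
```

The point the model makes is that the zone is chosen by the ingress device, not by whether the source address is public: packets from the Internet to 1.2.3.5 arrive on the PPPoE interface and hit the wan zone's INPUT policy, whereas a host on the public /29 reaches the router over the bridge and the lan zone. For the same reason, restricting dropbear or uhttpd to the "lan" interface only changes the address they listen on (1.2.3.5, which is routable from outside) and does not by itself stop connections arriving via PPPoE; the zone policy or an explicit rule is what does that.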

???

If the user's hosts are in LAN this would be incorrect; and your description of what Forward ACCEPT on the WAN zone does is also wrong.

A better definition for Forward ACCEPT is: "Permit packets on one Interface in the Zone to forward to another."

An example would be: if a user placed both a VPN and their ISP connection into the WAN zone, ACCEPTING Forward would permit VPN traffic Internet access. It would also allow the ISP WAN interface to initiate traffic through the VPN (obviously using specific routing or another WAN interface).

Please see:

Dear,

thank you for the help, but it doesn't work. The problem is that after PPPoE is connected my LAN is the WAN with a public IP.
Regards

@lleachii: I'm new to OpenWRT, also I'm using primarily Luci and that's different from what I see in /etc/config/firewall. Also I'm pretty sure the default settings deny connections from wan => lan. At least I really, really hope so, for the sake of everybody :slight_smile:

@delfo2000: I think what you need is something like this in /etc/config/firewall:

config forwarding
        option dest 'lan'
        option src 'wan'

Your systems are almost certainly in the lan firewall zone, as long as they are connected to the Ethernet:

config interface 'lan'
	option ifname 'eth0'

and

config zone
	option name 'lan'
	option network 'lan'

It doesn't matter that they have public IPs; OpenWrt seems to map interfaces to firewall zones for the default zones (e.g. lan & wan).

Can somebody in the know please elaborate, instead of just saying what I did wrong? At least I'm trying...

Is there a particular reason you don't use LuCI?

Correct, which is why I'm wondering why you give the OP instructions that will do nothing for the situation (or rather, didn't mention correcting it).

:confused:

You stated:

This is what I'm referencing; and your definition of FORWARD-ACCEPT on this zone was incorrect. You properly described LAN to WAN forwarding in your subsequent post, which was unrelated to my statement (since it obviously has nothing to do with what you posted).

I agree changing INPUT to REJECT is OK; but again, your definition of FORWARD on the WAN zone was incorrect.

Yeah, that's why I did further research and came up with another proposal... What did you do to actually help the OP?

  • Clarify not to leave the incorrect setting there.
  • Not provide OP incorrect information.

@delfo2000: I'm sorry, I gave you wrong information, it'll never happen again.

No problem. Thank you for trying to help me.

Regards